1, firewall technology
The earliest form of network isolation was the isolation of network segments. Because different segments communicate through a router, restricting which segments may interoperate, either not at all or only under conditions, required access control technology, and so the firewall appeared. The firewall was the first security gateway placed between interconnected networks.
The firewall's security design comes from packet filtering and application proxy technology. Its two interfaces connect the different networks, and in the middle sits the access control list (ACL): every data flow must be filtered by the ACL in order to pass. An ACL is a little like a passport check at customs: it establishes which country you come from, but it cannot tell whether you are a spy or a tourist. Because an ACL controls Layer 3 and Layer 4 of the network, it cannot recognize the application layer. Later firewalls added NAT/PAT, which hides the IP addresses of devices on the internal network, veiling it as an invisible gray box that is harder to break into. But Trojan horse technology lets a machine on the internal network actively establish contact with the outside world, thereby "penetrating" the NAT "protection"; many P2P applications use the same approach to "break through" the firewall.
The role of the firewall is to build a "city gate" for the network and hold the necessary entrances, so in the design of network border security the firewall is an indispensable part.
The shortcoming of firewalls is that they cannot recognize the application layer; against viruses and Trojans hidden inside applications they have no good answer. Therefore, for interconnecting networks whose security levels differ greatly, the security a firewall provides is far from enough.
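As an added illustration of the customs analogy above (example code, not from the original article), here is a minimal Layer 3/4 ACL in Python; the addresses, rules and packets are constructed. Two flows with identical 5-tuples receive the same verdict because the payload is never inspected, which is exactly the "spy or tourist" blind spot.

```python
# Added example (not from the original article): a minimal Layer 3/4 access
# control list, to show what an ACL can and cannot see.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes          # application-layer content, invisible to the ACL

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # CIDR prefix
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def acl_verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; implicit deny at the end, as on most routers."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy: the internal segment may reach the DMZ web server on 80/tcp only.
ACL = [
    Rule("permit", "10.1.0.0/16", "192.0.2.10/32", "tcp", 80),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# Two constructed flows with identical 5-tuples: a plain page request and a
# request carrying content the ACL has no way to look at.
TOURIST = Packet("10.1.2.3", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n")
SPY = Packet("10.1.2.3", "192.0.2.10", "tcp", 80, b"POST /upload HTTP/1.1\r\n\r\n<opaque body>")

if __name__ == "__main__":
    for name, pkt in (("tourist", TOURIST), ("spy", SPY)):
        print(name, acl_verdict(ACL, pkt))            # both print "permit"
    # A different port is stopped, because ports are what Layer 3/4 can see.
    print("telnet", acl_verdict(ACL, Packet("10.1.2.3", "192.0.2.10", "tcp", 23, b"")))
```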
2, multiple security gateway technology
Since a firewall cannot solve protection at every level, more security gateways were added on top of it: IPS for application-layer intrusions, AV for viruses, devices for DDoS attacks, and so on. At this time the UTM device was born: in design, a UTM is these functions combined into one box, while separated they are the various different kinds of security devices.
Multiple security gateways amount to setting up several more barriers at the city gate, with a division of functions: some check papers, some check luggage, some check for drugs, some check for spies......
The security of multiple security gateways is obviously better than that of a firewall alone; at least a variety of common intrusions and viruses can be resisted. However, most multiple security gateways confirm an intrusion by recognizing signatures. This approach is fast and does not introduce significant network delay, but it also has inherent shortcomings. First, application signatures are updated frequently, at present on a cycle of at most a week, so the gateway must upgrade its "signature library" in a timely manner. Second, many hacker attacks use "normal" communications, entering in a dispersed and roundabout way with no obvious signature, and a security gateway's effect against this type of attack is very limited. Finally, however many security gateways there are, they are only a number of checkpoints; once an intruder has "mixed in" and gotten inside the gate, the gateways are useless. This is also why security experts do not trust multiple security gateways.
3, network gate technology
The security idea of the network gate comes from "non-simultaneous connection": the two networks are never connected at the same time, and an intermediate buffer "ferries" business data across. Business interoperates, yet the networks are "not connected", so in principle the possibility of intrusion is much smaller.
The gate simply ferries data, similar to the manual "USB flash drive ferry" method. Its security comes from ferrying "pure data" or "gray data", whose content is plainly visible: "when the water is clear there are no fish", intrusions and viruses have no place to hide, and the network is relatively safe. In other words, the city gate only lets one kind of person through, such as food deliverers, so the probability that a spy can mix in is greatly reduced. However, as the border between interconnected networks the network gate must support the connectivity of various businesses, that is, the passage of certain communication protocols, so most gates open proxy services for these protocols, like special passages opened in the city wall. This discounts the gate's security, and in checking these passages the gate does not seem more effective than the multiple security gateway.
The idea of the gate is to block everything first and then, according to the needs of the "city", open a few small doors; the firewall first opens the door and then bans the unwanted one by one. The two ideas are exactly opposite. Their intrusion identification technology is almost the same, so using multiple gateways to add application-layer identification and protection is a very good complement to both.
Later, storage channel technology, one-way channel technology and so on appeared in network gate designs, but they cannot guarantee the "simplicity" of the data, and because checking technology has had no new breakthroughs, the security of the network gate has been questioned by experts.
But the network gate brings us two revelations:
1, establishing a buffer zone for business interoperation: since a connection carries the possibility of insecurity, a separate area that narrows the scope of insecurity is also a good approach.
2, protocol proxies: in fact the firewall's application proxy embodies the same idea, that of not letting the visitor inside. Whatever service you want, I arrange for my own people to provide it to you. The ultimate purpose of network access is the business application; if I have done it for you, has the purpose not also been achieved? Hackers stay outside the network's door and do not come in, and the threat is much smaller.
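The following added Python example (not the article's own code) models the gate's "block first, then open small doors" rule and its non-simultaneous ferry, beside a firewall-style "allow first, ban one by one" blocklist applied to the same constructed records; the order schema, the blocklist and the sample messages are assumptions.

```python
# Added example (not from the original article): a toy "ferry" that models the
# network gate's two ideas, default deny for one kind of business data and
# non-simultaneous connection, next to a firewall-style default-allow blocklist.
import json

# The one "small door" opened for a business need: a hypothetical order record
# with exactly these fields and types. Anything else is not ferried.
ORDER_SCHEMA = {"order_id": int, "item": str, "qty": int}
BLOCKLIST = {"exe", "script"}   # firewall idea: known-bad types denied, rest allowed

def gate_accepts(msg: dict) -> bool:
    """Network gate: default deny. Only plainly visible 'pure data' that matches
    the schema passes; extra fields have nowhere to hide."""
    if set(msg) != set(ORDER_SCHEMA):
        return False
    return all(type(msg[k]) is ORDER_SCHEMA[k] for k in ORDER_SCHEMA)

def firewall_accepts(msg: dict) -> bool:
    """Firewall idea: default allow, then ban the unwanted one by one."""
    return msg.get("type") not in BLOCKLIST

def ferry(outer_inbox: list, inner_inbox: list) -> dict:
    """Phase 1: only the outer side is connected; accepted records land in the buffer.
    Phase 2: the outer side is disconnected and the buffer is drained to the inner side.
    At no moment are both sides connected."""
    buffer, rejected = [], 0
    while outer_inbox:                            # phase 1: outer side only
        msg = json.loads(outer_inbox.pop(0))
        if gate_accepts(msg):
            buffer.append(msg)
        else:
            rejected += 1
    inner_inbox.extend(buffer)                    # phase 2: inner side only
    return {"ferried": len(buffer), "rejected": rejected}

# Constructed traffic: one legitimate order, one record of a type nobody has
# blocklisted yet, and one order with an extra field carrying opaque content.
OUTER = [
    json.dumps({"order_id": 1, "item": "rice", "qty": 3}),
    json.dumps({"type": "macro", "body": "..."}),
    json.dumps({"order_id": 2, "item": "rice", "qty": 1, "attachment": "<opaque blob>"}),
]

if __name__ == "__main__":
    print("firewall would pass:", sum(firewall_accepts(json.loads(m)) for m in OUTER))  # 3
    inner = []
    print(ferry(list(OUTER), inner))              # {'ferried': 1, 'rejected': 2}
```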
4, data exchange network technology
From the firewall to the network gate, all of them use the approach of barriers; only the "checking" technology differs. Against the hackers' latest attack techniques they are not very effective, and they lack monitoring, yet against "people" the only effective countermeasure is "people".
Data exchange network technology is based on the idea of buffer isolation: a "data trading market" is built at the city gate, forming two layers of buffer isolation, and the Clark-Wilson model used by the banking system to protect data integrity is introduced. The aim is to prevent leakage of the internal network's data while ensuring data integrity: an unauthorized person cannot modify data, authorized users are prevented from modifying it in error, and internal and external data remain consistent.
Data exchange network technology gives a new way of thinking about border protection: it uses a network to realize data exchange, a strategy of "trading land for security". A buffer is created between the two networks to keep the "trade" under control.
Compared with other border security technologies, data exchange network technology has significant advantages:
1, integrated use of multiple security gateways and the network gate, forming multi-level security "barriers".
2, with a buffer space, security monitoring and auditing can be added, with experts to deal with hacking; the border is within a controllable range, and no trace of "wind in the grass" can escape the monitors' eyes.
3, the business agent guarantees data integrity; it also makes external visitors stop in the exchange area of the network, with all their needs provided by service personnel, just as visitors can only discuss business in a fixed reception area and cannot enter the internal office area.
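An added Python sketch (not from the article) of the Clark-Wilson enforcement the exchange area relies on: access triples, certified transformation procedures acting as the "service personnel", an integrity verification procedure that checks internal/external consistency, and an audit log for the monitors. The users, record names and rules are constructed.

```python
# Added example (not from the original article): a toy Clark-Wilson enforcement
# core for the exchange area. Users, TPs, CDIs and the consistency rule are
# constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class ExchangeArea:
    # Constrained data items: the inner "master" record and the copy served to outsiders.
    cdis: dict = field(default_factory=lambda: {"stock:rice": 100, "stock:rice:public": 100})
    # Access triples (user, TP, CDI): the only way anyone may touch a CDI.
    triples: set = field(default_factory=lambda: {("clerk", "ship", "stock:rice")})
    log: list = field(default_factory=list)

    # Certified TPs: the "service personnel". They accept only well-formed
    # transactions and keep the internal and public copies consistent.
    def _tp_ship(self, cdi: str, qty: int) -> None:
        if qty <= 0 or qty > self.cdis[cdi]:
            raise ValueError("ill-formed transaction: bad quantity")
        self.cdis[cdi] -= qty
        self.cdis[cdi + ":public"] = self.cdis[cdi]

    TPS = {"ship": _tp_ship}

    def run(self, user: str, tp: str, cdi: str, *args) -> bool:
        """Enforcement rule: a user may run a TP on a CDI only via an access triple.
        Every attempt, permitted or not, is audited."""
        if (user, tp, cdi) not in self.triples or tp not in self.TPS:
            self.log.append(("DENY", user, tp, cdi, args))
            return False
        try:
            self.TPS[tp](self, cdi, *args)
        except ValueError as e:
            self.log.append(("REJECT", user, tp, cdi, args, str(e)))
            return False
        self.log.append(("OK", user, tp, cdi, args))
        return True

    def ivp(self) -> bool:
        """Integrity verification procedure: the public copy must equal the master
        and no stock may be negative."""
        return all(v >= 0 for v in self.cdis.values()) and \
            self.cdis["stock:rice:public"] == self.cdis["stock:rice"]

if __name__ == "__main__":
    ex = ExchangeArea()
    print(ex.run("visitor", "ship", "stock:rice", 5))    # False: no triple for outsiders
    print(ex.run("clerk", "ship", "stock:rice", -5))     # False: TP rejects bad input
    print(ex.run("clerk", "ship", "stock:rice", 30))     # True
    print(ex.cdis, ex.ivp())                              # master 70, public 70, True
```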
Data exchange network technology is aimed at network interconnection with large volumes of data interoperation; generally speaking, it suits the following occasions:
1, frequent business interoperation requirements:
Where a large amount of business data must interoperate, or there are certain real-time requirements, the manual method is certainly not enough and the network gate's protection is not enough either: for example the banks' UnionPay system, the customs declaration system, the social security management system, the public security entry-exit management system, a large enterprise's internal network (running ERP) and the Internet, the public library system and so on. The salient features of these systems are that the importance of their data centers is self-evident, that they are closely related to the general public and to enterprises, and that the business requires them to provide access from the Internet. Given both the security and the business adaptability requirements, the business interconnection needs to be guaranteed by complete security technology, and choosing the data exchange network approach is appropriate.
2, external interconnection of highly classified networks:
A highly classified network generally involves state secrets; that the information cannot be leaked is the first element, that is, intrusion by unauthorized personnel is absolutely not permitted. However, out of the demand for public information, or for regulating the public network and its information, it must be interconnected with non-secure networks. If such regulatory business also has very large traffic and high real-time requirements, data exchange network technology is the suitable choice for the interconnection.
5, summary
"As the Way rises a foot, the demon rises ten; as the demon rises a foot, the Way rises ten." The network border is the "battlefield" of this long-term game between the two sides. But while security technology is "constantly patching", it is also gradually moving forward under the idea of "active defense, three-dimensional protection". Border protection technology is gradually maturing; data exchange network technology is no longer merely a protective gateway but a border security network, an idea of comprehensive security protection. Perhaps the topic of security is eternal, but the network border of the future must become more and more secure, for the advantage of a network lies in its connectivity.