Incidents keep reminding us of the importance of cybersecurity. Follow [Rongyun Global Internet Communication Cloud] to learn more.
On May 25, the news that "all Sohu employees suffered wage subsidy fraud" shot to the top of the trending searches and caused a stir. That afternoon, Sohu issued a statement saying that criminals had impersonated the finance department in emails, and 24 employees were defrauded of more than 40,000 yuan. Judging by the amount and the method, the incident itself is unremarkable; what drew attention is that it happened at a well-known Internet company. Seen from another angle, it shows that public attention to network security is growing.
With the rapid development of the Internet, network security problems are becoming more and more serious. New economic formats have increased the demand for security guarantees in key industries and important systems, and security has become the basic guarantee for building a network powerhouse. At the same time, the safe production operations of enterprises also depend on security-related technical safeguards. Every enterprise therefore needs to build a complete, top-down security solution.
This article focuses on the security system of the server operation and maintenance environment. Its first two parts analyze the current state of network security and propose countermeasures.
State of Network Security
Defects in current hardware, software and protocols, or in the concrete implementation of system security policies, allow intruders to access and damage systems and their data without authorization. Seen from the access side, security holes also arise wherever system operation conflicts with system security.
Vulnerabilities are also closely tied to time: as software is used more deeply, its vulnerabilities keep being exposed. Old vulnerabilities are fixed while new ones keep appearing, so vulnerability problems will persist for a long time. With the continued evolution of digitalization, a large number of new Internet products and services have emerged. Threats such as security breaches, data leakage, online fraud and ransomware are increasingly prominent, and organized, purposeful network attacks are becoming more and more serious.
As the following charts show, threats such as malicious program captures, users infected with malicious programs, security vulnerabilities and DDoS attacks should not be underestimated; they bring more and more challenges to network security protection.
(Malicious program capture, source: National Internet Emergency Center)
(Infection of computer malicious program users, source: National Internet Emergency Center)
(Security vulnerability situation, source: National Internet Emergency Response Center)
(DDoS attack situation, source: China Internet Network Information Center)
Because of their low cost and obvious effect, DDoS attacks are one of the most common and most serious network security threats that Internet users face.
To reduce the threat of DDoS attacks to China's basic network and infrastructure, the National Internet Emergency Response Center continuously monitors and tracks large-traffic attacks on domestic targets, and focuses on managing the network resources found to be used in DDoS attacks.
Domestic targets under heavy traffic DDoS attacks:
In 2020, among the detected large-traffic attacks on domestic targets with peak traffic above 1 Gbit/s, the attack methods TCP SYN Flood, UDP Flood, NTP Amplification, DNS Amplification and SSDP Amplification together accounted for 91.6%;
81.8% of the incidents targeted mainly seven regions, including Zhejiang, Shandong, Jiangsu, Guangdong, Beijing, Shanghai and Fujian;
December was the peak month of the year, with very active attacks.
Analysis found that 94.4% of the attacks lasted less than 30 minutes, which indicates that today's attackers tend to use their attack resources intensively, paralyzing the target instantly with a burst of large traffic, so as to provide more external services with the same resources and earn illegal profits.
Active network resources used for DDoS attacks:
According to the National Internet Emergency Response Center's "Quarterly Analysis Report on China's DDoS Attack Resources", compared with 2019 the number of domestic network resources used for DDoS attacks ("attack resources") continued to decline: the number of domestic active controllers decreased by 47.6% year-on-year, the number of controlled terminals decreased by 39.9% year-on-year, active reflection servers decreased by 20.4% year-on-year, and cross-domain spoofed-traffic routers decreased by 59.1% year-on-year;
At the same time, every category of overseas attack resources continued to grow: the number of overseas active controllers increased by 27.6% year-on-year, the number of controlled terminals increased by 37.0% year-on-year, and the number of active reflection servers increased by 0.3% year-on-year. The trend of attack resources migrating overseas is clear.
How We Respond
Security Technology Architecture
Following the core implementation process of a cloud computing security architecture, namely ingress protection, traffic auditing and bastion-host constraints, a comprehensive security protection scheme is deployed across the cloud network layer, virtual machine layer, application layer and data layer.
(Comprehensive Security Protection Architecture)
Technology stack analysis
HTTPS, TLS/SSL
Service connections are securely encrypted with HTTPS. HTTPS adds a TLS/SSL layer beneath HTTP that encrypts the transmitted data to keep the session secure.
The default TCP port is 443.
(HTTPS secure encryption)
TLS (Transport Layer Security): used to provide confidentiality and data integrity between two applications.
SSL (Secure Sockets Layer): a protocol layer between a reliable, connection-oriented network-layer protocol and an application-layer protocol. SSL enables secure communication between client and server through mutual authentication, integrity via digital signatures, and privacy via encryption.
The SSL protocol uses both symmetric encryption and asymmetric (public-key) encryption. When a transmission link is established, SSL first uses asymmetric encryption with the public key to protect the symmetric encryption key; the transmitted content itself is then encrypted symmetrically.
This brings us to symmetric encryption, asymmetric encryption, certificate authorities (CA), certificates, digital signatures, private keys and public keys.
Symmetric encryption
Both communicating parties hold the same key. Encryption is fast, but transmitting the key securely is a problem. Common symmetric algorithms include DES, 3DES and AES.
Asymmetric encryption
Also known as public-key encryption, it uses a key pair: a public key and a private key.
The public key is published to the outside world; the private key is kept by its owner.
Data encrypted with the public key can only be decrypted with the private key.
Data encrypted with the private key can only be decrypted with the public key.
Asymmetric encryption was created to solve the security problem of symmetric encryption, but it is slower than symmetric encryption.
Information Security Issues
To secure information we usually have to ensure three things: confidentiality, integrity and identity verification.
Confidentiality of information (encryption algorithm)
The usual method combines asymmetric encryption with symmetric encryption to keep information confidential.
The client encrypts the symmetric encryption key with the server's public key and sends it to the server; the server decrypts it with its private key, confirms the key, and data transmission begins.
(Asymmetric encryption + symmetric encryption to ensure information confidentiality)
Integrity of information (digital signature)
In transit, information may well be hijacked and tampered with by a third party, so its integrity must be ensured. The usual method uses hash algorithms such as SHA1 and MD5.
The transmitted content is hashed to obtain a hash value, the digest.
The client encrypts the digest together with the content using the server's public key and sends them to the server; the server decrypts with its private key to recover the original content and the digest, hashes the content with the same hash algorithm, and compares the two values. If they match, the information is intact.
(Information Integrity Algorithm Process)
Identity (Digital Certificate)
When transmitting information we usually also need to verify the sender's identity, which can be done by reversing the roles of the keys: the sender encrypts its content with its own private key and sends it to the receiver. If the receiver can decrypt it with the sender's public key, the sender's identity is verified.
(identification process)
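The digest-and-sign flow of the two sections above, as an added example in Go (not code from the original article or from Rongyun): the sender hashes the message and signs the digest with its own private key, as in the identity section, and the receiver recomputes the digest and verifies it with the sender's public key, which yields the integrity check of the previous section at the same time. The example uses SHA-256 with RSA-PSS instead of the SHA1/MD5 named above, because those hash functions are no longer acceptable for signatures; the sample message and the imposter key pair are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message to a fixed-size digest and signs that digest with the
// sender's private key (RSA-PSS). The asymmetric operation covers only the digest.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest on the receiver's side and checks it against the
// signature with the sender's public key. A nil result means the bytes are exactly
// what was signed (integrity) and the signer holds the matching private key (identity).
func Verify(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// Outcome records the three cases a receiver must distinguish.
type Outcome struct {
	GenuineAccepted  bool // untouched message from the real sender
	TamperedRejected bool // one field changed in transit: the digest no longer matches
	ImposterRejected bool // same message, but signed with someone else's private key
}

// Demo runs the three cases on a constructed sample message.
func Demo() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	imposter, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("constructed sample: pay 100 to account 1001")
	sig, err := Sign(sender, msg)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(imposter, msg)
	if err != nil {
		return Outcome{}, err
	}
	tampered := []byte("constructed sample: pay 100 to account 1002")
	return Outcome{
		GenuineAccepted:  Verify(&sender.PublicKey, msg, sig) == nil,
		TamperedRejected: Verify(&sender.PublicKey, tampered, sig) != nil,
		ImposterRejected: Verify(&sender.PublicKey, msg, forged) != nil,
	}, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v error=%v\n", o, err)
}
```

The receiver never needs the sender's private key; it only needs to be sure that the public key it verifies with really belongs to the sender, which is the problem the digital certificate section below addresses.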
digital certificate
Imagine that when the server first sends its public key to the client, a third party intercepts it, forges a key pair of its own and sends its own public key to the client instead.
From then on, when the server sends data to the client, the man in the middle decrypts it with the public key intercepted at the start, re-encrypts it with its own private key and forwards it to the client, which decrypts it with the public key it received. The man in the middle is invisible throughout, and the information leak goes unnoticed.
(The tampering of the public key may lead to information disclosure)
Digital certificates were introduced to prevent this situation. The principle is the one described above: encrypt with the private key and decrypt with the public key to verify identity.
A digital certificate is issued to the server by an authoritative CA (Certificate Authority). The CA generates the certificate from the information supplied by the server; its contents include the holder's details, the server's public key and the issuer's signature (digital signature), among others. Most importantly, the public key is inside the digital certificate.
How does a digital certificate ensure that the public key comes from the requesting server?
The certificate carries information about the holder, from which one can tell it is not an intermediary. But a certificate can itself be forged, so how do we make sure it is genuine?
A certificate has three parts: the certificate content, the hash algorithm, and the encrypted ciphertext. The certificate content is hashed with the stated hash algorithm, and the resulting hash value is then RSA-encrypted with the CA's private key.
(How to keep a digital certificate authentic)
When the client sends a request, the server returns its digital certificate. The client decrypts the encrypted ciphertext with the CA's public key to obtain the hash value (the digital signature), hashes the certificate content with the same hash algorithm to get a second hash value, and compares the two. If they are equal, the certificate is valid.
(Authentication process)
Some common certificate file types are as follows:
X.509#DER: binary-format certificate, common suffixes .cer/.crt
X.509#PEM: text-format certificate, common suffix .pem
Some certificate files contain only the public key (the server's public key), for example .cer/.crt/.pem
Some contain both the public key and the private key (the server's private key), for example .pfx, .p12
HTTPS one-way authentication
Before establishing a socket connection, HTTPS requires a handshake. The process is as follows:
(one-way authentication)
① The client sends its SSL protocol version number, supported encryption algorithm types, a random number and other information to the server.
② The server returns its SSL protocol version number, encryption algorithm type, a random number and other information to the client, together with the server's certificate, that is, its public-key certificate.
③ The client uses the information returned by the server to verify the server's legitimacy, including:
• Whether the certificate has expired;
• Whether the CA that issued the server certificate is trustworthy (checked against the CA certificates in the browser or the operating system);
• Whether the returned public key correctly decrypts the digital signature in the returned certificate (decrypted with the CA public key built into the operating system or browser);
• Whether the domain name on the server certificate matches the server's actual domain name;
• If verification passes, communication continues; otherwise it is terminated.
④ The client sends the symmetric encryption schemes it supports to the server for the server to choose from.
⑤ The server selects the strongest encryption method among the schemes offered by the client.
⑥ The server returns the selected encryption scheme to the client in plaintext.
⑦ After receiving the chosen encryption method, the client uses it to generate a random value that will serve as the symmetric key for the session, encrypts that value with the server's public key, and sends the encrypted value to the server.
⑧ After receiving the encrypted information from the client, the server decrypts it with its own private key and obtains the symmetric encryption key.
⑨ For the rest of the session, server and client use this key for symmetric encryption to keep the communication secure.
HTTPS mutual authentication
Two-way authentication is similar to one-way authentication, but the server additionally authenticates the client.
(Two-way authentication)
① The client sends its SSL protocol version number, supported encryption algorithm types, a random number and other information to the server.
② The server returns its SSL protocol version number, encryption algorithm type, a random number and other information to the client, together with the server's certificate, that is, its public-key certificate.
③ The client uses the information returned by the server to verify the server's legitimacy, including:
• Whether the certificate has expired;
• Whether the CA that issued the server certificate is trustworthy (checked against the CA certificates in the browser or the operating system);
• Whether the returned public key correctly decrypts the digital signature in the returned certificate (decrypted with the CA public key built into the operating system or browser);
• Whether the domain name on the server certificate matches the server's actual domain name;
• If verification passes, communication continues; otherwise it is terminated;
④ The server asks the client for its certificate, that is, the client's public-key certificate, and the client sends its own certificate to the server.
⑤ The server verifies the client's certificate and, once it passes, obtains the client's public key.
⑥ The client sends the symmetric encryption schemes it supports to the server for the server to choose from.
⑦ The server selects the strongest encryption method among the schemes offered by the client.
⑧ The server encrypts the chosen encryption scheme with the client's public key obtained earlier and returns it to the client.
⑨ After receiving the encrypted scheme from the server, the client decrypts it with its own private key to learn the chosen method, generates a random value with that method to serve as the symmetric key, encrypts that value with the public key from the server certificate, and sends it to the server.
⑩ After receiving the client's message, the server decrypts it with its own private key and obtains the symmetric encryption key. For the rest of the session, server and client use this key for symmetric encryption to keep the communication secure.
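The following Go program is an added example, not code from the original article or from Rongyun. It exercises the certificate checks of step ③, the one-way handshake and the two-way handshake against a constructed PKI: a self-made root CA issues a server certificate for the assumed host name api.example.test and a client certificate, and a separate self-signed certificate for the same host name plays the third party with a forged key pair from the digital certificate section. Each scenario returns the handshake error (nil when both sides accept the peer). The key exchange and cipher selection of steps ④ to ⑧ are handled inside the TLS library and are not modelled one by one. The CA name, host names and serial numbers are invented for the example, and the handshake runs over a loopback TCP socket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template builds a certificate body; the validity window and DNS names are the fields checked in step ③.
func template(cn string, serial int64, ku x509.KeyUsage, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		IsCA:         ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
}

// mint generates a P-256 key pair and has the parent CA sign tmpl; parent == nil means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Constructed demo PKI: a trusted root issues a server and a client certificate; hijackTLS is the forgery.
var (
	caCert, caKey, _ = mint(template("Demo Root CA", 1, x509.KeyUsageCertSign, nil), nil, nil)
	_, _, serverTLS  = mint(template("demo server", 2, x509.KeyUsageDigitalSignature, []string{"api.example.test"}), caCert, caKey)
	_, _, clientTLS  = mint(template("demo client", 3, x509.KeyUsageDigitalSignature, nil), caCert, caKey)
	_, _, hijackTLS  = mint(template("demo server", 9, x509.KeyUsageDigitalSignature, []string{"api.example.test"}), nil, nil)
	roots            = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(caCert); return p }()
)

// handshake runs one TLS handshake over loopback TCP and returns the first error either side reports.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo
			err = tls.Server(c, srv).Handshake()
		}
		srvErr <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer c.Close()
	if err := tls.Client(c, cli).Handshake(); err != nil {
		return err // the client rejected the server (unknown CA, wrong name, expired ...)
	}
	return <-srvErr // non-nil only if the server rejected the client
}

// OneWay: the client verifies the server certificate against its trust store; no client certificate.
func OneWay(server tls.Certificate, serverName string) error {
	return handshake(&tls.Config{Certificates: []tls.Certificate{server}},
		&tls.Config{RootCAs: roots, ServerName: serverName})
}

// Mutual: the server also requires a client certificate from the trusted CA (steps ④ and ⑤); nil means none.
func Mutual(client *tls.Certificate) error {
	cli := &tls.Config{RootCAs: roots, ServerName: "api.example.test"}
	if client != nil {
		cli.Certificates = []tls.Certificate{*client}
	}
	return handshake(&tls.Config{Certificates: []tls.Certificate{serverTLS},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}, cli)
}

func main() {
	fmt.Println(OneWay(serverTLS, "api.example.test"), OneWay(hijackTLS, "api.example.test"),
		OneWay(serverTLS, "other.example.test"), Mutual(&clientTLS), Mutual(nil))
}
```

Run with `go run`: the two genuine cases print `<nil>`, while the forged certificate fails the trust-store check of step ③ even though its host name matches (the client's root pool does not contain its signer), the wrong host name fails the domain-name check, and the client without a certificate is rejected by the server in the two-way flow. The same five outcomes are what a monitoring or integration test for a mutual-TLS service should assert on.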
So far, this article has covered the main network security issues we currently face, together with the security technology architecture and the related technology stack analysis for this case. Next week we will share the core of the countermeasures: the implementation of practical plans and protection strategies. Stay tuned.