Five years ago, on June 1, China's first basic law in the field of cybersecurity, the Cybersecurity Law of the People's Republic of China, came into force. Follow [Rongyun Global Internet Communication Cloud] to learn more.

In these five years, cybersecurity has received more and more attention. The state has issued a series of policies that lay the foundation for safeguarding national cybersecurity and building a strong national cybersecurity barrier.

At the enterprise level, the secure operation of any enterprise is inseparable from security-related technical safeguards, so every enterprise needs to build a complete, top-down set of security solutions.

Last week, in Server Operations and Maintenance Environment Security System (Part 1), we analyzed the current state of network security together with the enterprise security technology architecture and its related technology stacks. Today we share Part 2: implementation plans and protection strategies.


Implementation of practical solutions and protection strategies

DDoS

A DDoS (Distributed Denial of Service) attack combines many computers into an attack platform and, through remote connections, uses malicious programs to launch attacks against one or more targets, exhausting the target server's processing capacity or network bandwidth so that it can no longer provide service normally.

Typically, an attacker uses an illegitimately obtained account to install a DDoS master program on one computer and agent programs on many computers across the network. At a set time, the master communicates with the large number of agents, and each agent launches the attack on the target when it receives the instruction. The master can activate hundreds or thousands of agents within a few seconds.

(Security Architecture Diagram)

There are several ways to mitigate the threat of DDoS attacks:

① Isolate resources and unrelated services to reduce the risk of being attacked.
② Optimize the business architecture and use the characteristics of the public cloud to design for elastic scaling and disaster-recovery failover.
③ Harden server security and raise the server's own capacity limits, such as the number of connections.
④ Do a good job of business monitoring and emergency response.
⑤ Choose an appropriate business security plan.

WAF

A WAF (Web Application Firewall, also called a website application-level intrusion prevention system) protects Web applications by enforcing a series of HTTP/HTTPS security policies. It has the following features:

① Protection against Web application attacks.
② Mitigation of malicious CC (HTTP flood) attacks and filtering of malicious bot traffic, keeping server performance normal.
③ Business risk-control solutions for business security risks such as malicious abuse of business interfaces.
④ One-click HTTPS for websites with HTTP back-to-origin, reducing the load on the origin site.
⑤ Precise access control over HTTP and HTTPS traffic.

Common Web Application Attack Protection

Defense against common OWASP threats: defends against SQL injection, cross-site scripting (XSS), Webshell upload, backdoor isolation protection, command injection, malformed HTTP protocol requests, attacks on common web server vulnerabilities, unauthorized access to core files, path traversal, and scanning.

Website stealth: the origin site's address is not exposed to attackers, so attacks cannot bypass the Web Application Firewall and hit the origin directly.

Friendly observation mode: enable observation mode for newly launched services on the website. Suspected attacks that match the protection rules only raise alarms and are not blocked, which makes it convenient to gather false-positive statistics for the service before switching to blocking.
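The observation mode described above, as an added example (not code from the original post or from RongCloud): a minimal rule engine that returns the same matches in both modes but only alerts in observation mode, plus a per-rule tally of alerts versus operator-reviewed false positives. The rule set and the sample traffic are constructed for this example, not a vendor's signatures.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed signature set for this example (not a vendor rule set):
# (rule id, threat class, pattern applied to the URL-decoded URI and body).
RULES = [
    ("R001", "sql_injection", re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1")),
    ("R002", "path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("R003", "xss", re.compile(r"(?i)<script\b|javascript:")),
    ("R004", "command_injection", re.compile(r"(?:;|\|\||&&)\s*(?:cat|ls|id|wget|curl)\b")),
]

def match_rules(uri, body=""):
    """Return the ids of every rule whose pattern matches the decoded request."""
    text = unquote(uri) + "\n" + unquote(body)
    return [rid for rid, _, pat in RULES if pat.search(text)]

def decide(request, observe_mode):
    """Verdict for one request: 'allow', 'alert' (observation mode) or 'block'.
    In observation mode a suspected attack only raises an alarm and the request
    still reaches the origin; in protection mode the same match blocks it."""
    hits = match_rules(request["uri"], request.get("body", ""))
    if not hits:
        return {"action": "allow", "rules": []}
    return {"action": "alert" if observe_mode else "block", "rules": hits}

def observe_report(requests, reviewed_legitimate):
    """Run a traffic sample in observation mode and tally, per rule, (alerts,
    false positives), where reviewed_legitimate is the set of request ids an
    operator judged legitimate. Rules with many false positives need tuning."""
    alerts, false_positives = Counter(), Counter()
    for req in requests:
        for rid in decide(req, observe_mode=True)["rules"]:
            alerts[rid] += 1
            if req["id"] in reviewed_legitimate:
                false_positives[rid] += 1
    return {rid: (alerts[rid], false_positives[rid]) for rid in alerts}

# Constructed sample traffic: two attack-shaped requests, one legitimate search
# whose words happen to look like SQL, and one plain page request.
SAMPLE = [
    {"id": 1, "uri": "/search?q=1'%20or%20'1'='1"},
    {"id": 2, "uri": "/static/../../etc/passwd"},
    {"id": 3, "uri": "/search?q=union%20select%20committee"},  # legitimate
    {"id": 4, "uri": "/index.html"},
]
```

Running `observe_report(SAMPLE, {3})` shows R001 with one false positive out of two alerts, the kind of statistic the observation period is meant to produce.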

(WAF attack protection principle)

Bastion host

A bastion host is a system that, in a specific network environment, uses various technical means to monitor and record the operations that operation and maintenance personnel perform on the servers, network equipment, security equipment, databases and other devices in the network, so that alarms are centralized, incidents are handled in time, audits can determine responsibility, and the network and its data are protected from intrusion and damage by external and internal users.

The bastion host builds on the jump server: it allows operation and maintenance of the target server cluster to be carried out more safely and provides security guarantees. Its main functions are as follows:

① Centralized asset management (unified management).
② Audit, recording and video playback of operation records.
③ Restriction of dangerous commands such as rm and dd.
④ Restriction of which identities and privileges may log in to the target server.
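Functions ② and ③ above, as an added example (not RongCloud's code or any product's rule set): a command filter that a bastion session could apply before forwarding a line to the target host, resolving the program actually run through wrappers such as sudo, inspecting every command in a pipeline, and emitting the audit record in either case. The dangerous-command list and wrapper list are assumptions constructed for the example.

```python
import os
import re
import shlex
from datetime import datetime, timezone

# Constructed policy for this example: programs a bastion session may never
# pass through to the target host.
DANGEROUS_COMMANDS = {"rm", "dd", "mkfs", "shutdown", "reboot"}

# Programs that merely run another program; the real command follows them.
WRAPPERS = {"sudo", "nohup", "env", "time"}

# Shell separators that start another command on the same line: ; && || |
SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

def resolved_program(argv):
    """Return the basename of the program that actually runs, looking through
    wrappers such as 'sudo -u root /bin/rm' or 'env FOO=1 dd'."""
    i = 0
    while i < len(argv):
        if argv[i] not in WRAPPERS:
            return os.path.basename(argv[i])
        i += 1
        # skip the wrapper's own options and VAR=value assignments
        while i < len(argv) and (argv[i].startswith("-") or "=" in argv[i]):
            i += 2 if argv[i] in ("-u", "-g") else 1   # sudo -u USER takes a value
    return ""

def check_command(user, target, line, now=None):
    """Evaluate one command line typed in a bastion session. Every command in a
    pipeline or ';'-chain is inspected; the line is denied if any resolves to a
    dangerous program. The audit record is written whatever the verdict."""
    matched = []
    for segment in SEPARATOR_RE.split(line):
        if not segment:
            continue
        try:
            argv = shlex.split(segment)
        except ValueError:            # unbalanced quotes: fall back to a plain split
            argv = segment.split()
        prog = resolved_program(argv)
        if prog in DANGEROUS_COMMANDS:
            matched.append(prog)
    return {"time": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user, "target": target, "command": line,
            "action": "deny" if matched else "allow", "matched": matched}
```

Note that `echo 'rm is dangerous'` is allowed because only the executed program is checked, while `cat list.txt | dd of=/dev/sda` is denied on its second pipeline stage.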

Log audit

For operation and maintenance managers, logs containing important data (user login information, system error information, disk information, database information, etc.) are very important. They can be used to analyze the system as a whole and to find the root cause of a problem in order to solve it. In other words, through logs, IT managers can understand the health and security status of the system.

In a complete information system, the log is a very important functional component. When administrators operate on the system or the system itself reports errors, the log is in effect the system's work report for the day: what the system did, whether there was any alarm information, and which items had problems can all be identified. When the system is under attack, login errors and abnormal accesses are recorded in the form of logs.

By analyzing these logs, that is, by reading the systems' work reports, you can learn what attacks the system has suffered and what tasks were completed that day. At the same time, the log is also a good source of forensic information: after a security incident, it shows who did what and which specific actions were taken.
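The "login errors and abnormal accesses recorded in logs" mentioned above, as an added example that is not part of the original post: a parser for sshd authentication lines in syslog format and a detector that flags a burst of failures from one source followed by a successful login, which is the forensic pattern of a guessed password. The log sample is constructed for this example; the addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format written by OpenSSH's sshd.
SAMPLE_LOG = """\
Jun  1 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun  1 10:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  1 10:00:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun  1 10:00:07 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jun  1 10:00:09 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jun  1 10:00:11 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Jun  1 10:05:00 web01 sshd[2201]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2022):
    """Turn sshd auth lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # other sshd messages are not login results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def detect_bruteforce(events, threshold=5, window_s=300):
    """Flag any source with `threshold` failures inside `window_s` seconds and report
    whether a login from it succeeded afterwards (a guessed, not forgotten, password)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            burst = fails[i:i + threshold]
            if (burst[-1]["time"] - burst[0]["time"]).total_seconds() <= window_s:
                later_ok = [e for e in evs
                            if e["result"] == "Accepted" and e["time"] > burst[-1]["time"]]
                findings.append({"ip": ip, "failures": len(fails),
                                 "users": sorted({e["user"] for e in fails}),
                                 "compromised_user": later_ok[0]["user"] if later_ok else None})
                break
    return findings
```

On the sample, `detect_bruteforce(parse(SAMPLE_LOG))` reports 203.0.113.7 with five failures against admin and root and a subsequent successful root login, while the publickey login from 198.51.100.20 produces no finding.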

Vulnerability scanning and remediation

Vulnerability scanning is an important network security technology. Working together with firewalls and intrusion detection systems, it effectively improves network security. By scanning the network, administrators can understand its security settings and the application services that are running, discover security vulnerabilities in time, and objectively assess the network's risk level.

Based on the scan results, administrators can correct security holes and incorrect settings in the system before attackers can exploit them.

If firewalls and network monitoring systems are passive means of defense, security scanning is an active preventive measure that can effectively avoid attacks and address problems before they occur. Regularly performing network vulnerability scans also brings an enterprise the following benefits:

① Regular network security self-inspection and assessment
Equipped with a vulnerability scanning system, network administrators can carry out regular security inspections. These inspections help an enterprise eliminate security risks to the greatest possible extent, discover vulnerabilities as early as possible and repair them, make effective use of existing systems, optimize resources, and improve network operating efficiency.

② Checks after installing new software and starting new services
Because vulnerabilities and security risks take many forms, installing new software or starting new services may expose hidden vulnerabilities; scanning the system afterwards confirms that it remains secure.

③ Assessment of security planning before and after network construction or reconstruction
Network builders must establish an overall security plan that takes in the whole situation, striking a balance between the tolerable risk level and acceptable cost and making trade-offs among a variety of security products and technologies. A network vulnerability scanning/network assessment system makes it convenient for an enterprise to assess its security planning and to test both the construction plan of its network security system and the effectiveness of the result.

④ Security testing before the network undertakes important tasks
Before the network undertakes important tasks, additional safety measures should be taken to prevent accidents: strengthen the emphasis on network and information security in both technology and management, form layered protection, and minimize the probability of accidents. The network vulnerability scanning/network assessment system makes it convenient for the enterprise to conduct this security testing.

⑤ Analysis and investigation after a network security incident
After an incident, analysis with the network vulnerability scanning/network assessment system can determine which vulnerabilities in the network were attacked, help remedy them, and provide as much data as possible to support investigation of the attack's source.

⑥ Preparation before major network security events
Before major network security events, the network vulnerability scanning/network assessment system can find the hidden dangers and vulnerabilities in the network in time so that they can be fixed in time.


Security system constraints

On June 1, 2017, the "Network Security Law of the People's Republic of China" clearly stated that "the state implements a network security level protection system". Enterprises should carry out an annual graded-protection security assessment in accordance with national requirements and make corrections in accordance with the Basic Requirements for Graded Protection of Network Security.

An information system security level evaluation is the process of verifying whether an information system meets the requirements of its assigned security protection level. Information security level protection requires that information systems of different security levels have different security protection capabilities.

On the one hand, this is achieved by selecting, in security technology and security management, the security controls appropriate to the security level. On the other hand, the different security controls distributed across the information system in security technology and security management act together on the system's security functions through interrelationships such as connection, interaction, dependence, coordination and collaboration, so that the overall security of the information system is ensured. These functions are closely related to the structure of the information system and to the interrelationships between security controls, layers and regions. Therefore, an information system security level assessment should include an overall system assessment on top of the assessment of individual security controls.

The security protection level of information systems is divided into the following five levels, increasing in stringency from one to five:

At the first level, damage to the information system will harm the legitimate rights and interests of citizens, legal persons and other organizations, but will not harm national security, social order or the public interest. Units operating and using first-level information systems shall protect them in accordance with the relevant national management norms and technical standards.
At the second level, damage to the information system will seriously harm the legitimate rights and interests of citizens, legal persons and other organizations, or harm social order and the public interest, but will not harm national security. The national information security supervision department shall guide the security level protection of information systems at this level.
At the third level, damage to the information system will seriously harm social order and the public interest, or harm national security. The national information security supervision department shall supervise and inspect the security level protection of information systems at this level.
At the fourth level, damage to the information system will particularly seriously harm social order and the public interest, or seriously harm national security. The national information security supervision department shall conduct compulsory supervision and inspection of the security level protection work for information systems at this level.
At the fifth level, damage to the information system will particularly seriously harm national security. The national information security supervision department shall conduct special supervision and inspection of the security level protection work for information systems at this level.

(Grade protection handling process)

Implementing graded classification ensures the normal operation of information security and the optimization of the system. The following is the current security management system and organizational plan.

(Security management system and organizational planning)

The purpose of formulating the security management system is to establish a scientific system for information security management and, through scientific and standardized whole-process management combined with mature and leading technologies, to ensure that security controls are implemented and to provide assurance for the safe operation of every business.

