Computer Network Technology and Application
Chapter 23 Fundamentals of Network Security
Chapter 23 Fundamentals of Network Security (2)
2. Vulnerability of network protocols
The root cause of network protocol vulnerability is the openness of the protocols themselves: to meet the interconnection requirements between different computer systems and different network devices, network protocols must be open. The vulnerabilities of open protocols show up in:
(1) The weakness of the domain name service system.
(2) Vulnerable CGI programs and server-side application extensions, mainly in WWW services.
(3) Remote Procedure Call (RPC).
(4) Microsoft's IIS security holes.
(5) Buffer overflow vulnerability of SMTP mail service.
(6) NFS and port vulnerabilities.
(7) IMAP, POP mail server buffer overflow vulnerabilities and wrong configuration.
There are many more vulnerabilities of this kind arising from the network protocols themselves, which are not listed here. It can be said that almost every part of the TCP/IP protocol suite contains vulnerabilities.
7.1.5 Classification of threats faced by the network
1. Natural Disaster
Natural disasters are uncontrollable natural events such as earthquakes, lightning strikes, and floods.
2. Man-made threats
There are two types of man-made threats. One is non-malicious: damage caused unintentionally by people. The other is malicious, such as damage caused by intrusion into a computer network. Malicious damage can be roughly divided into the following four types.
(1) Interruption
Interruption refers to the sudden, deliberate interruption of system operation, resulting in damage to or even the unusability of computer network resources and the suspension of data transmission or information services.
(2) Theft
Theft refers to deliberately obtaining account numbers and passwords by illegal means and illegally obtaining database information or network services.
(3) Alteration
Alteration refers to obtaining account numbers and passwords by illegal means and illegally tampering with network resources.
(4) Forgery
Forgery refers to creating fake accounts and data resources by illegal means in order to obtain benefits by fraud.
3. Reasons of the system itself
Causes within the system itself include hardware failures, software backdoors and vulnerabilities, and so on.
7.2 Security Technology and Implementation
7.2.1 Cryptography
Cryptography is an ancient and profound discipline. Computer cryptography studies the encryption, decryption and transformation of computer information. It is an interdisciplinary subject between mathematics and computer science, and also a practical one. In computer communication, cryptographic techniques are used to conceal information before it is transmitted, so that even if the information is stolen or intercepted in transit, the thief cannot understand its content; this ensures the security of information transmission.
The two communicating parties agree on a method and use specific symbols to hide the original form of the message according to that method, so that a third party cannot recognize it; this mode of communication is called encrypted communication.
1. Cryptography Terminology
(1) Key
The key is the main means of realizing secret communication; it is a special symbol used to conceal language, text, and images. The password is also called the key.
(2) Plaintext
Plaintext is the unencrypted message.
(3) Ciphertext
Ciphertext is the encrypted message.
(4) Encryption algorithm
An encryption algorithm is a calculation method that converts plaintext into ciphertext; a decryption algorithm is the algorithm for the reverse operation, decryption.
(5) Cipher
The cipher is a mathematical transformation with a parameter k (the key), that is, C = E_k(P).
2. Symmetric cryptosystem
Symmetric cryptosystems are also known as single-key cryptographic algorithms.
A symmetric cryptographic algorithm is one in which the encryption key and the decryption key are the same key. Therefore the sender and the receiver must both hold the key when transmitting and processing the information; such a key is called a symmetric key.
Commonly used symmetric algorithms are relatively simple and efficient, use short keys, and are extremely difficult to break. Since the confidentiality of the system depends mainly on the secrecy of the key, transmitting and storing the key securely over an open computer network is a critical link.
3. Asymmetric cryptographic system
An asymmetric cryptographic system, also known as a double-key or public-key cryptographic algorithm, is one in which the encryption key and the decryption key are two different keys. Public-key cryptography uses a pair of keys, one for encrypting information and the other for decrypting it. Because the encryption key differs from the decryption key, the communicating parties can communicate confidentially without exchanging keys in advance. Its characteristics are as follows.
(1) The encryption key is made public.
(2) Only the decrypting party knows the decryption key.
(3) The two keys are interdependent: information encrypted with either key can only be decrypted with the other.
(4) If the public key is used as the encryption key and the user's private key as the decryption key, information encrypted by many users can be read by only that one user; this is used for data encryption.
(5) If the user's private key is used as the encryption key and the public key as the decryption key, information encrypted by one user can be read by many users; this is used for digital signatures.
The public-key cryptosystem has advantages that the symmetric-key system cannot match. Users who take part in e-commerce want to trade with thousands of customers over the open network. If a symmetric cipher were used, the merchant would have to assign each customer a key directly, and that key would have to be transmitted over a separate secure channel. With a public-key algorithm, by contrast, the same merchant only needs to generate one key pair and publish the public key; a customer only needs to encrypt the information with the merchant's public key to ensure that it reaches the merchant securely.
4. Using cryptosystems to achieve data confidentiality
A symmetric cryptographic algorithm, in which the encryption key and the decryption key are the same, is highly efficient, but its key is not easily transmitted. A public-key algorithm makes key transfer simple but has low computational efficiency. Combining the two techniques so that each compensates for the other's weakness ensures the security of information in transit.
7.2.2 Digital signature technology
1. Definition of digital signature
A digital signature is obtained by processing the information to be transmitted with a one-way function (an irreversible algorithm). It is an alphanumeric string used to authenticate the source of the information and to verify whether the information has been changed.
(1) Hash function
A hash function is a one-way function; it is not computationally intensive and is widely used. The signature generated with it is called a hash signature key. Such a key is easier to break, and signatures may be forged.
(2) DSS and RSA signatures
DSS (Defense Security Service) and RSA (Rivest Shamir Adleman) use public-key algorithms and do not have the limitation of the hash signature.
RSA is the most popular encryption standard, and many products include RSA software and class libraries in their kernels. Long before the rapid growth of the Web, RSA Data Security Company was responsible for integrating digital signature software with the Macintosh operating system. It added a signature drag-and-drop function to Apple's collaboration software PowerTalk: users only need to drag the data to be encrypted onto the corresponding icon, and the electronic digital signature is complete. RSA can be used both for encrypting data and for identity authentication.
Compared with the hash signature, the public-key system has a greater safety factor, since the key that generates the signature is stored only on the user's computer.
2. Digital signature principle
Digital signatures are very important in e-commerce activities and are a typical application of cryptographic technology. The main steps are:
(1) Use an algorithm to generate a digest of the plaintext.
(2) Encrypt the generated digest.
(3) Send the plaintext and the encrypted digest to the other party.
(4) Generate a new digest from the received plaintext.
(5) Decrypt the received digest.
(6) Compare the two digests: if they are the same, the identity is confirmed; otherwise it is not.
7.2.3 Firewall technology
1. Definition of firewall
A firewall uses one or a group of network devices (computer systems, routers, etc.) and network software to strengthen access control between two or more networks, with the purpose of protecting a network from attacks originating in another network. A firewall can be thought of as digging a moat around the network and setting up a gate on the only bridge, where all pedestrians and vehicles entering and leaving are subject to security checks. A network firewall can also be likened to the security checks and customs at an international airport, where a series of checks must be passed before one is allowed to enter or leave a country.
In a network firewall, each data packet must pass the inspection of these gateways before it is allowed to continue. Legitimate data is allowed through, and illegitimate data is isolated or filtered out.
A firewall consists of a packet filter and a security policy.
A firewall can be a simple filter or a well-configured gateway, but the principle is the same: it inspects and filters all information exchanged between the internal network and the external network. The firewall protects the useful data of the internal network from theft and destruction, and records status logs of internal and external communications, such as the time and the operations performed.
It must be remembered that a firewall is not omnipotent, and the role of the firewall administrator is more important than the firewall itself.
2. Main types of firewalls
(1) Packet filtering router
According to the packet filtering rules configured in the system, the router checks the source IP address and destination IP address of each packet and decides whether the packet should be forwarded. Packet filtering rules are generally based on the packet header or on the entire content of the packet.
[Example 7-1] Assume that the network security policy is as follows.
The E-mail server of the internal network (IP address 192.168.116.20, TCP port 25) can receive all email from external network users.
Internal network users are allowed to send email to external email servers.
All connections to the host named TESTHOST on the external network are denied.
Based on this, a packet filtering table can be established to implement the assumed rules accurately.
(2) State monitoring firewall
This type of firewall has very good security properties. It uses a software module called a monitoring engine that enforces the network security policy on the gateway.
Without affecting the normal operation of the network, the monitoring engine extracts relevant data to monitor each layer of network communication. Its working principle is to extract state information and save it dynamically as a reference for future enforcement of the security policy.
The monitoring engine supports multiple protocols and applications, and new applications and services can easily be added. It works as follows.
① When an access request reaches the gateway, the state monitor extracts the relevant data for analysis and, in combination with the network configuration and security rules, accepts, rejects, authenticates, raises an alarm on, or encrypts the communication. Once an access violates the security rules, it is denied and its status is reported for logging.
② The state monitoring firewall also monitors the port information of connectionless remote procedure call (RPC) and user datagram (UDP) traffic; that is to say, it can monitor connectionless services.
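A minimal form of the connectionless tracking described in ②, as an added example that is not from the textbook: the monitor records each outbound UDP flow with an expiry time and admits an inbound datagram only as the reply to a recorded flow, reporting anything else for logging. The internal address range, the 30-second entry lifetime and the sample datagrams are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_NET = ipaddress.ip_network("192.168.116.0/24")   # assumed internal address range
UDP_STATE_TIMEOUT = 30.0                                   # assumed lifetime of a UDP flow entry, seconds


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, int, str, int]   # (internal addr, internal port, external addr, external port)


class StateMonitor:
    """Tracks outbound UDP flows so that only genuine replies are admitted from outside."""

    def __init__(self, timeout: float = UDP_STATE_TIMEOUT):
        self.timeout = timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> time at which its entry expires
        self.log: List[str] = []                # status reports for denied traffic

    def _expire(self, now: float) -> None:
        for key in [k for k, expiry in self.flows.items() if expiry <= now]:
            del self.flows[key]

    def inspect(self, pkt: Datagram, now: float) -> str:
        """Returns "allow" or "deny" for one datagram seen at time `now` (seconds)."""
        self._expire(now)
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            # Outbound: record the flow so that its reply can be recognised later.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return "allow"
        # Inbound: admitted only as the reply to a recorded outbound flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = now + self.timeout   # refresh while the exchange continues
            return "allow"
        self.log.append(f"t={now:.0f}s denied unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "deny"


def demo() -> List[str]:
    """Constructed DNS-style exchange: query out, reply in, unsolicited datagram, stale reply."""
    fw = StateMonitor()
    return [
        fw.inspect(Datagram("192.168.116.33", 5353, "198.51.100.53", 53), now=0.0),
        fw.inspect(Datagram("198.51.100.53", 53, "192.168.116.33", 5353), now=1.0),
        fw.inspect(Datagram("198.51.100.53", 53, "192.168.116.33", 6000), now=2.0),
        fw.inspect(Datagram("198.51.100.53", 53, "192.168.116.33", 5353), now=90.0),
    ]
```

A stateless filter that admits every inbound datagram with source port 53 would pass the third datagram as well; the flow table is what lets the monitor tell a reply from an unsolicited packet.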
(3) Application-level gateway
An application-level gateway is what is commonly called the proxy server approach. It applies to specific Internet services, such as hypertext transfer (HTTP) and remote file transfer (FTP).
A proxy server works as follows.
① When the proxy server receives a request from a computer to access a certain site, it checks whether the request complies with the rules. If the rules allow access to that site, the proxy server retrieves the required information from the site and forwards it to the requesting client.
② The proxy server usually has a high-speed cache that stores the content of sites frequently visited by users. When the next user wants to visit the same site, the server does not have to fetch the same content again but sends the cached content directly, saving time and network resources.
③ The proxy server is like a wall that isolates internal users from the outside world. From the outside, only the proxy server can be seen; internal resource information, such as user IP addresses, cannot be obtained.
④ An application-level gateway is more reliable than a single packet filter, and it records all access states in more detail.
3. Firewall construction
(1) Dual Homed Gateway
This configuration uses a dual-homed host with two network adapters as the firewall. Because the dual-homed host uses two network adapters (network cards) to connect to two networks, it is also called a bastion host. Proxy services can be provided by running firewall software (usually a proxy server) on the bastion host.
(2) Host + router firewall
(3) Screened subnet firewall
In this method an isolated subnet is established between the network of the enterprise or school (also known as the intranet) and the Internet, and two packet filtering routers separate the subnet from the intranet and from the Internet respectively. The two packet filtering routers placed at either end of the subnet form a "buffer zone". One of the routers controls the intranet data flow and the other controls the Internet data flow. Both the intranet and the Internet can access the screened subnet, but they are prohibited from communicating with each other through it.
As the figure shows, installing a bastion host in the screened subnet can provide proxy services for mutual access between the internal and external networks, but access from either network must pass the inspection of both packet filtering routers. Servers exposed to the Internet, such as WWW, FTP, and mail servers, can be placed in the screened subnet so that both external and internal users can reach them. A firewall with this structure has high security and strong resistance to attack, but it requires many devices and is expensive.
4. Enterprise internal firewall
From the perspective of enterprise network security, threats to the enterprise network mainly come from two directions. One is from outside the enterprise, and the other is from inside: for example, employees attack the server for revenge or other reasons, or inadvertently bring a virus into the enterprise through mobile devices such as USB flash drives. According to relevant statistics, 80% of enterprise security threats come from internal behavior.
Relying only on a firewall is far from enough to guarantee an enterprise's network security.
(1) Function of the internal firewall
The internal firewall is used to control access to and from the internal network. User types may include:
① Trusted category: for example, employees of the organization. These may be internal users who want to reach the perimeter area or the Internet, or external users such as branch office staff, remote users, or users working from home.
② Partially trusted category: the organization's business partners. The trust level of such users is higher than that of untrusted users, but usually lower than that of the organization's employees.
③ Untrusted category: for example, users of the organization's public website.
In theory, untrusted users from the Internet should access only the web servers in the perimeter area. If they need data from internal servers (for example, to check stock levels), a trusted web server queries on their behalf; untrusted users are never allowed through the internal firewall.
(2) Internal firewall rules
By default, packets are blocked or allowed as follows.
① On the perimeter interface, block incoming packets that appear to come from internal IP addresses, to prevent spoofing.
② On the internal interface, block outgoing packets that appear to come from external IP addresses, to limit internal attacks.
③ Allow UDP-based queries and responses from the internal DNS server to the DNS resolver host.
④ Allow UDP-based queries and responses from the DNS resolver host to the internal DNS server.
⑤ Allow TCP-based queries from the internal DNS server to the DNS resolver host, including the responses to these queries.
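Example 7-1 and the internal firewall rules ① to ⑤ above, each written out as an ordered packet filtering table with a default-deny policy, as an added example that is not from the textbook. The internal address range 192.168.116.0/24, the addresses chosen for TESTHOST, the internal DNS server and the DNS resolver host, and the treatment of reply traffic by source port and ACK flag are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Addresses: the mail server comes from Example 7-1; the rest are assumptions of this example.
INTERNAL_NET = "192.168.116.0/24"     # assumed internal address range
MAIL_SERVER = "192.168.116.20"        # internal E-mail server (Example 7-1)
TESTHOST = "203.0.113.7"              # constructed address standing in for the external host TESTHOST
INTERNAL_DNS = "192.168.116.53"       # assumed internal DNS server
RESOLVER = "10.0.0.53"                # assumed DNS resolver host in the perimeter area
EXTERNAL = "!" + INTERNAL_NET         # "!" prefix means: any address NOT in that network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag; clear on the SYN that opens a connection
    iface: str = ""         # interface the packet arrived on (internal firewall only): inbound
                            # traffic arrives on "perimeter", outbound traffic on "internal"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # host, CIDR, "!host" or "!CIDR"; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None
    iface: Optional[str] = None


def addr_matches(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in network) != negate


def filter_packet(pkt: Packet, rules: Sequence[Rule], default: str = "deny") -> Tuple[str, int]:
    """First matching rule wins. Returns (action, rule number); rule number 0 is the default policy."""
    for number, r in enumerate(rules, start=1):
        exact = ((r.proto, pkt.proto), (r.sport, pkt.sport), (r.dport, pkt.dport),
                 (r.ack, pkt.ack), (r.iface, pkt.iface))
        if (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)
                and all(want is None or want == have for want, have in exact)):
            return r.action, number
    return default, 0


# Border packet filter for Example 7-1. Order matters: the TESTHOST denials must come first,
# otherwise rule 5 would let internal users open SMTP connections to TESTHOST.
BORDER_RULES = [
    Rule("deny", dst=TESTHOST),                                                     # policy 3
    Rule("deny", src=TESTHOST),                                                     # policy 3, replies
    Rule("allow", src=EXTERNAL, dst=MAIL_SERVER, proto="tcp", dport=25),            # policy 1
    Rule("allow", src=MAIL_SERVER, dst=EXTERNAL, proto="tcp", sport=25, ack=True),  # policy 1, replies
    Rule("allow", src=INTERNAL_NET, dst=EXTERNAL, proto="tcp", dport=25),           # policy 2
    Rule("allow", src=EXTERNAL, dst=INTERNAL_NET, proto="tcp", sport=25, ack=True), # policy 2, replies
]

# Internal firewall rules ① to ⑤.
INTERNAL_RULES = [
    Rule("deny", iface="perimeter", src=INTERNAL_NET),                              # ① spoofed source
    Rule("deny", iface="internal", src=EXTERNAL),                                   # ② spoofed source
    Rule("allow", src=INTERNAL_DNS, dst=RESOLVER, proto="udp", dport=53),           # ③ query
    Rule("allow", src=RESOLVER, dst=INTERNAL_DNS, proto="udp", sport=53),           # ③ response
    Rule("allow", src=RESOLVER, dst=INTERNAL_DNS, proto="udp", dport=53),           # ④ query
    Rule("allow", src=INTERNAL_DNS, dst=RESOLVER, proto="udp", sport=53),           # ④ response
    Rule("allow", src=INTERNAL_DNS, dst=RESOLVER, proto="tcp", dport=53),           # ⑤ query
    Rule("allow", src=RESOLVER, dst=INTERNAL_DNS, proto="tcp", sport=53, ack=True), # ⑤ response
]
```

Because the border table recognises SMTP replies only by source port 25 and a set ACK flag, any inbound segment carrying those values matches rule 6 whether or not an internal host started the exchange; that is the limitation the state monitoring firewall of section 2 (2) removes by keeping connection state.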
(End of this chapter)
2. Vulnerability of network protocols
The root cause of the openness of the network protocol is the openness of the protocol, because to realize the interconnection requirements between different computer systems or different network devices, the network protocol must be open.Open protocol vulnerabilities are manifested in:
(1) The weakness of the domain name service system.
(2) Vulnerable CGI programs and server-side application extensions, mainly in WWW services.
(3) Remote Procedure Call (RPC).
(4) Microsoft's IIS security holes.
(5) Buffer overflow vulnerability of SMTP mail service.
(6) NFS and port vulnerabilities.
(7) IMAP, POP mail server buffer overflow vulnerabilities and wrong configuration.
There are many loopholes similar to the problems caused by the network protocol itself, and I will not list them here.It can be said that there are loopholes in almost every part of the TCP/IP protocol.
7.1.5 Classification of threats faced by the network
1. Natural Disaster
Natural disasters refer to natural disasters that cannot be controlled, such as earthquakes, lightning strikes, and floods.
2. Man-made threats
There are two types of man-made threats, one is non-malicious, which is the damage caused by people unintentionally; the other is malicious, such as the damage caused by intrusion into the computer network.Malicious damage can be roughly divided into the following four types.
(1) interrupt
Interruption refers to the sudden and artificial interruption of system operation, resulting in damage to or even unusability of computer network resources, suspension of data transmission or information services.
(2) Steal
Stealing refers to deliberately stealing account numbers and passwords by some illegal means, and illegally obtaining database information or network services.
(3) change
Alteration refers to stealing account numbers and passwords by some illegal means, and illegally tampering with network resources.
(4) Forgery
Forgery refers to the use of some illegal means to create fake accounts and data resources in order to defraud benefits.
3. Reasons of the system itself
The reasons for the system itself include: hardware failure reasons, software backdoors and loopholes, etc.
7.2 Security Technology and Implementation
7.2.1 Cryptography
Cryptography is an ancient and esoteric discipline.Computer cryptography is a subject that studies computer information encryption, decryption and transformation. It is an interdisciplinary subject between mathematics and computers, and it is also a practical subject.In computer communication, cryptographic technology is used to conceal information, and then the concealed information is transmitted, so that even if the information is stolen or intercepted during transmission, the thief cannot understand the content of the information, thereby ensuring the security of information transmission.
The two parties in the communication agree on a method, using specific symbols to hide the original form of the message according to the method agreed by the two parties in the communication, and the communication method that is not recognized by the third party is called encrypted communication.
1. Cryptography Terminology
(1) key
The key is the main means to realize secret communication, and it is a special symbol for concealing language, text, and image, and the password is also called the key.
(2) plaintext
Plaintext is the unencrypted message.
(3) Ciphertext
The ciphertext is the encrypted message.
(4) Encryption algorithm
An encryption algorithm is a calculation method that converts plaintext into ciphertext; a decryption algorithm is an algorithm for reverse operation and decryption.
(5) encryption code
The encryption code is a mathematical transformation with a parameter k, that is, C=Ek(P).
2. Symmetric cryptosystem
Symmetric cryptosystems are also known as single-key cryptographic algorithms.
A symmetric cryptographic algorithm refers to a cryptographic algorithm in which the encryption key and the decryption key are the same key.Therefore, the information sender and the information receiver must jointly hold the key when transmitting and processing the information, which is called a symmetric key.
The commonly used encryption algorithm is relatively simple and efficient, the key is short, and it is extremely difficult to decipher.Since the confidentiality of the system mainly depends on the security of the key, it is an important link to transmit and store the key securely on the open computer network.
3. Asymmetric cryptographic system
Asymmetric cryptographic system, also known as double-key cryptographic algorithm or public-key cryptographic algorithm, refers to a cryptographic algorithm in which the encryption key and the decryption key are two different keys.Public-key cryptography uses a pair of keys, one for encrypting information and the other for decrypting it.The encryption key is different from the decryption key, and the communicating parties can conduct confidential communication without exchanging keys in advance.Its characteristics are as follows.
(1) The encryption key is made public.
(2) Only the decryptor knows the decryption key.
(3) There is an interdependent relationship between the two keys, and information encrypted with any one key can only be decrypted with the other key.
(4) If the public key is used as the encryption key and the user's private key (private key) is used as the decryption key, the information encrypted by multiple users can only be interpreted by one user and can be used for digital encryption.
(5) By using the user's private key as the encryption key and the public key as the decryption key, the information encrypted by one user can be interpreted by multiple users.Can be used for digital signatures.
The public key cryptosystem embodies the irreplaceable superiority of the symmetric key system.For users who participate in e-commerce transactions, they hope to conduct transactions with thousands of customers through the open network.If a symmetric password is used, each customer needs to be directly assigned a password by the merchant, and the transmission of the password must pass through a separate secure channel.On the contrary, in the public key cryptography algorithm, the same merchant only needs to generate a pair of keys, and make the public key public.The customer only needs to encrypt the information with the merchant's public key to ensure that the information is safely transmitted to the merchant.
4. Use the password system to realize data confidentiality
A symmetric cryptographic algorithm refers to a cryptographic algorithm in which the encryption key and the decryption key are the same key, which has high efficiency, but the key is not easily transmitted.The public key cryptography algorithm has simple key transfer and low algorithm efficiency.Combining the two technologies and learning from each other can ensure the security of information during transmission.
7.2.2 Digital signature technology
1. Definition of digital signature
A digital signature is obtained by processing the information to be transmitted through a one-way function (irreversible algorithm). It is an alphanumeric string used to authenticate the source of the information and verify whether the information has changed.
(1) Hash function
The Hash function is a one-way hash function, which is not a strong calculation-intensive algorithm and is widely used.The signature generated using it is called a Hash signature key.This kind of key is easier to break, and there is a possibility of forging signatures.
(2) DSS and RSA signatures
DSS (Defense Security Service) and RSA (Rivest Shamir Adleman) use the public key algorithm, and there is no limitation of Hash.
RSA is the most popular encryption standard, and many products have RSA software and class libraries in their kernels.Long before the rapid development of the Web, RSA Data Security Company was responsible for the integration of digital signature software and the Macintosh operating system. It added a signature drag-and-drop function to Apple's collaboration software PowerTalk. Users only need to drag the data to be encrypted to the corresponding icon. , the digital signature in electronic form is completed. RSA can be used both for encrypting data and for identity authentication.
Compared with the Hash signature, in the public key system, since the key for generating the signature is only stored in the user's computer, its security factor is greater.
2. Digital signature principle
Digital signature is very important in e-commerce activities, and it is a typical application of cryptographic technology.Its main uses are:
(1) Use an algorithm to generate a summary of the plaintext.
(2) Encrypt the generated digest.
(3) Send the plaintext and encrypted digest to the other party.
(4) Generate a new digest with the received plaintext.
(5) Decrypt the received digest.
(6) Compare the two digests, if the comparison results are the same, the identity is considered confirmed, otherwise the identity is not confirmed.
7.2.3 Firewall technology
1. Definition of firewall
A firewall (Fire Wall) uses one or a group of network devices (computer systems or routers, etc.) and network software to strengthen access control between two or more networks, with the purpose of protecting the network from attacks from another network.It can be understood that a firewall is equivalent to digging a moat around the network, setting up a gate on the only bridge, and pedestrians and vehicles entering and leaving are subject to security checks.A network firewall can also be likened to security checks and customs at an international airport, where a series of checks must be passed before being allowed to enter or leave a country.
In the network firewall, each data packet must pass the inspection of these gateways before being allowed to continue to transmit. Legal data is allowed to pass, and illegal data is isolated or filtered out.
The composition of the firewall includes data packet filter and security policy.
A firewall can be a simple filter or a well-configured gateway, but their principles are the same. They all detect and filter all information exchanges between the internal network and the external network. The firewall protects the useful data of the internal network from being stolen. and destruction, and record relevant status information logs of internal and external communications, such as the time and operations performed by the communications.
It must be remembered that a firewall is not omnipotent, and the role of firewall managers is more important than the firewall itself.
2. Main types of firewalls
(1) Packet or packet filtering router
According to the packet filtering rules set inside the system, the router checks the source IP address and destination IP address of each packet, and decides whether the packet should be forwarded.Packet filtering rules are generally determined based on the header or the entire content of the packet.
[Example 7-1] Assume that the network security policy is as follows.
The E‐mail server of the internal network (IP address 192.168.116.20, TCP port number 25) can receive all emails from external network users.
Allow internal network users to send email to external email servers.
Deny all connections to hosts named TESTHOST on the external network.
Based on this, a packet filtering table can be established to ensure accurate implementation of assumed rules.
(2) State monitoring firewall
This firewall has very good security features and uses a software module called a monitoring engine that enforces network security policy on the gateway.
On the premise of not affecting the normal operation of the network, the monitoring engine uses the method of extracting relevant data to monitor each layer of network communication.Its working principle is to extract state information and dynamically save it as a reference for future implementation of security policies.
The monitoring engine supports multiple protocols and applications, and can easily expand applications and services.It works as follows.
①When the access request reaches the gateway, the status monitor extracts relevant data for analysis, and makes acceptance, rejection, identity authentication, alarm or encryption of the communication in combination with network configuration and security regulations.Once an access violates security regulations, the access is denied and the status is reported for logging.
②The state monitoring firewall will monitor the port information of connectionless remote procedure call (RPC) and user datagram (UDP), that is to say, it can monitor connectionless services.
(3) Application-level gateway
An application-level gateway is what is commonly referred to as a proxy server approach.It applies to specific Internet services, such as hypertext transfer (HTTP), remote file transfer (FTP), etc.
A proxy server works as follows.
①When the proxy server receives a computer access request for a certain site, it checks whether the request complies with the regulations. If the rules allow access to the site, the proxy server retrieves the required information from that site and forwards it to the requesting client.
②The proxy server usually has a high-speed cache, which is used to save the content of the site frequently visited by the user. When the next user wants to visit the same site, the server does not need to repeatedly obtain the same content, but directly sends the cached content, saving time and network resources. .
③The proxy server is like a wall that isolates internal users from the outside world. From the outside, only the proxy server can be seen but internal resource information, such as user IP addresses, can not be obtained.
④The application-level gateway is more reliable than a single packet filter, and it will record all access states in more detail.
3. Firewall construction
(1) Dual Homed Gateway
This configuration uses a dual-homed host with two network adapters as the firewall. Because the dual-homed host uses two network adapters (network cards) to connect to two networks, it is also called a bastion host. Proxy services can be provided by running firewall software (usually a proxy server) on the bastion host.
(2) Host + router firewall
(3) Screened subnet firewall
This method establishes an isolated subnet between the enterprise or campus network (the intranet) and the Internet, and uses two packet-filtering routers to separate the subnet from the intranet and from the Internet respectively. The two packet-filtering routers placed at either end of the subnet form a "buffer zone" inside it. One router controls the intranet data flow and the other controls the Internet data flow. Both the intranet and the Internet can access the screened subnet, but they are prohibited from communicating directly through it.
It can be seen from the figure that installing a bastion host in the screened subnet can provide proxy services for mutual access between the internal and external networks, but access from either network must pass the inspection of both packet-filtering routers. Servers exposed to the Internet, such as WWW, FTP and MAIL servers, can be installed in the screened subnet so that both external and internal users can access them. A firewall with this structure has high security and strong resistance to attack, but requires many devices and is expensive.
4. Enterprise internal firewall
From the perspective of enterprise network security, threats mainly come from two directions. One is from outside the enterprise, and the other is from inside: for example, employees attack the server for revenge or other reasons, or inadvertently bring a virus into the enterprise through removable media such as USB flash drives. According to relevant statistics, 80% of enterprise security threats come from internal behavior.
Relying on a single firewall alone is far from enough to guarantee the network security of an enterprise.
(1) Function of internal firewall
An internal firewall is used to control access to and from the internal network. User types may include:
① Trusted category: for example, the organization's employees. This may also include internal users who need to reach the perimeter area or the Internet, and external users such as branch-office staff, remote users, or users who work from home.
② Partially trusted category: the organization's business partners. The trust level of such users is higher than that of untrusted users, but usually lower than that of the organization's employees.
③ Untrusted category: for example, users of the organization's public website.
In theory, untrusted users from the Internet should only access web servers in the perimeter area. If they need access to internal servers (for example, to check stock levels), trusted web servers query on behalf of those users, so that untrusted users are never allowed through the internal firewall.
(2) Internal firewall rules
By default, the following packets are blocked or allowed.
① On the perimeter interface, block incoming packets that appear to come from internal IP addresses, to prevent spoofing.
② On the internal interface, block outgoing packets that appear to come from external IP addresses, to limit internal attacks.
③ Allow UDP-based queries and responses from the internal DNS server to the DNS resolver host.
④ Allow UDP-based queries and responses from the DNS resolver host to the internal DNS server.
⑤ Allow TCP-based queries from internal DNS servers to DNS resolver hosts, including the responses to those queries.
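The five internal-firewall rules above, as an added Python example (not from the textbook) that evaluates them in order with everything else denied by default. The internal address range, the internal DNS server, the perimeter resolver host and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: internal network, its DNS server, and the
# DNS resolver host that sits in the perimeter area
INTERNAL_NET = ip_network("10.0.0.0/8")
INTERNAL_DNS = ip_address("10.0.0.53")
RESOLVER = ip_address("172.16.1.53")

@dataclass(frozen=True)
class Packet:
    iface: str   # "perimeter" or "internal": firewall interface the packet arrives on
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int

def decide(pkt):
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Rule 1: on the perimeter interface an internal source address is spoofed
    if pkt.iface == "perimeter" and src in INTERNAL_NET:
        return "block"
    # Rule 2: on the internal interface an external source address is not legitimate
    if pkt.iface == "internal" and src not in INTERNAL_NET:
        return "block"
    # Rules 3 and 4: UDP DNS queries and responses between the two DNS hosts, either direction
    if pkt.proto == "udp" and {src, dst} == {INTERNAL_DNS, RESOLVER} and 53 in (pkt.sport, pkt.dport):
        return "allow"
    # Rule 5: TCP DNS queries from the internal DNS server, plus the responses to them
    if pkt.proto == "tcp" and ((src == INTERNAL_DNS and dst == RESOLVER and pkt.dport == 53)
                               or (src == RESOLVER and dst == INTERNAL_DNS and pkt.sport == 53)):
        return "allow"
    return "block"   # everything else is denied by default

def evaluate_samples():
    # Constructed packets exercising each rule and the default-deny case
    samples = {
        "spoofed_internal_src": Packet("perimeter", "10.0.0.9", "10.0.0.1", "tcp", 1234, 80),
        "external_src_inside": Packet("internal", "203.0.113.7", "10.0.0.1", "tcp", 1234, 80),
        "udp_query_out": Packet("internal", "10.0.0.53", "172.16.1.53", "udp", 5000, 53),
        "udp_response_in": Packet("perimeter", "172.16.1.53", "10.0.0.53", "udp", 53, 5000),
        "tcp_query_out": Packet("internal", "10.0.0.53", "172.16.1.53", "tcp", 5001, 53),
        "tcp_response_in": Packet("perimeter", "172.16.1.53", "10.0.0.53", "tcp", 53, 5001),
        "tcp_from_resolver": Packet("perimeter", "172.16.1.53", "10.0.0.53", "tcp", 5002, 53),
        "untrusted_to_internal_web": Packet("perimeter", "198.51.100.4", "10.0.0.20", "tcp", 4000, 80),
    }
    return {name: decide(p) for name, p in samples.items()}
```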
(End of this chapter)