The mine exchange pool provides a secure protection against atta
IP hiding method:
Using a proxy server protects the IP address better than connecting to the Internet directly, and so improves the security of Internet access. A proxy server is a "transit station" placed between the user's computer and the server to be reached. When the user sends request data towards a network server, the proxy intercepts the request first and then forwards it to the remote server, establishing the connection on the user's behalf. As a result, the remote server can only detect the IP address of the proxy, not the address of the user's location; this hides the user's IP address and protects the user's Internet access. The proxy itself still sees the user's real address, so the protection is only as good as the proxy operator.
Hacker attack methods:
Hacker attack methods can be divided into non-destructive and destructive attacks. A non-destructive attack generally disrupts the operation of a system without stealing its data; it usually takes the form of a denial-of-service attack or an information bomb. A destructive attack aims to break into someone else's computer system, steal its confidential information and destroy the target system's data.
I. Access control technology
Access control is one of the core strategies of network security protection and prevention. Its main purpose is to ensure that network resources are not accessed or used illegally. Access control technology covers a wide range of measures, including network login control, network access control, directory-level security control and attribute security control.
1. Network login control
Network login control is the first line of defense of network access control. Through login control, users can be restricted from accessing a network server, forbidden to log in altogether, or restricted to logging in only from specified workstations, only to specified servers, or only at specified times.
Network login control generally goes through three steps: first, identify the user by verifying the user name; second, confirm the user's identity by verifying the password; third, check the default permissions of the user account. If any one of these steps fails, the user cannot log in to the network. The first two steps make up the user's identity authentication and are the most important; their security should be strengthened, especially the confidentiality of the user's password. Users can also prove their identity with a one-time password or an IC card.
Network login control is implemented by the network administrator according to the network security policy. Administrators can create or delete ordinary user accounts at any time, control and limit the scope of activity of those accounts and the time and manner in which they access the network, and audit the login process. Illegal login attempts trigger an immediate alarm.
2. Network access control
Once a user has logged in to the network, they can use their permissions to access network resources such as directories, files and the corresponding devices. If the network cannot effectively control those permissions, illegal operations or mistaken operations may follow. Network access control is the security measure that guards against such illegal or mistaken operations: it regulates and restricts each user's access to network resources, so that resources a user is allowed to access are open to them, while resources they are not allowed to access are controlled and protected.
Network access control is realized through an access control table, which specifies the network resources each user can access and the operations they may perform on them. By network permission, users fall into three categories: system administrators, who configure and manage the network system; audit users, who are responsible for the security control of the system and for auditing resource usage; and ordinary users, who are created by the system administrator and granted network permissions according to their actual needs. The system administrator can change or revoke an ordinary user's permissions at any time.
3. Directory level security control
After obtaining network permissions, users can access the corresponding directories, files or devices. Permissions set by the system administrator at the directory level apply to all files in that directory, to all of its subdirectories and to all files in those subdirectories. If users abuse their permissions, they pose a serious threat to these directories, files, devices and other network resources; directory-level security control and attribute security control prevent such abuse.
Generally, the access rights to directories and files include system administrator rights and the read, write, create, delete, modify, file search and access control rights. Directory-level security control limits the rights users have on directories and files, protecting them and preventing the abuse of permissions.
4. Attribute security control
Attribute security control is realized by setting security attribute tags on network resources. When the system administrator sets access attributes on resources such as files, directories and network devices, users' access to those resources is limited accordingly.
Generally, attribute security control can restrict users from reading, writing, deleting or executing specified files, restrict them from viewing directories or files, and mark directories or files as hidden, shared or system objects.
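The login control, access control table, directory-level inheritance and attribute control described in the sections above, worked through as an added example (not code from the original page). The accounts, paths, rights and attribute tags are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

READ, WRITE, CREATE, DELETE, MODIFY, SEARCH = "read", "write", "create", "delete", "modify", "search"
CHANGE_OPS = {WRITE, CREATE, DELETE, MODIFY}

@dataclass
class Account:
    role: str                       # "admin", "audit" or "ordinary"
    salt: bytes
    pw_hash: bytes
    enabled: bool = True
    allowed_hosts: Set[str] = field(default_factory=set)   # empty = any workstation
    login_hours: range = range(0, 24)                       # permitted hours of day

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(role: str, password: str, **limits) -> Account:
    salt = secrets.token_bytes(16)
    return Account(role, salt, hash_password(password, salt), **limits)

def login(accounts: Dict[str, Account], username: str, password: str,
          host: str, hour: int) -> Tuple[bool, str]:
    """The three login-control steps: identify the user name, verify the password,
    then check the account's default permissions. Any failing step denies login."""
    acct = accounts.get(username)
    if acct is None:
        return False, "unknown user"
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return False, "bad password"
    if not acct.enabled:
        return False, "account disabled"
    if acct.allowed_hosts and host not in acct.allowed_hosts:
        return False, "workstation not permitted"
    if hour not in acct.login_hours:
        return False, "outside permitted login hours"
    return True, "ok"

def _ancestors(path: str):
    parts = [p for p in path.strip("/").split("/") if p]   # "/", parents, then path
    for i in range(len(parts) + 1):
        yield "/" + "/".join(parts[:i])

class AccessControlTable:
    """Rights granted on a directory apply to every file and subdirectory below
    it; attribute tags on a directory or file further restrict every user."""

    def __init__(self) -> None:
        self.acl: Dict[str, Dict[str, Set[str]]] = {}   # path -> user -> rights
        self.attrs: Dict[str, Set[str]] = {}            # path -> attribute tags

    def grant(self, path: str, user: str, rights: Set[str]) -> None:
        self.acl.setdefault(path, {}).setdefault(user, set()).update(rights)

    def set_attrs(self, path: str, tags: Set[str]) -> None:
        self.attrs[path] = set(tags)

    def effective_rights(self, user: str, path: str) -> Set[str]:
        rights: Set[str] = set()
        for p in _ancestors(path):                       # inherited down the tree
            rights |= self.acl.get(p, {}).get(user, set())
        return rights

    def check(self, accounts: Dict[str, Account], user: str, path: str, op: str) -> bool:
        if accounts[user].role == "admin":               # system administrator rights
            return True
        if op not in self.effective_rights(user, path):  # directory-level control
            return False
        tags: Set[str] = set()
        for p in _ancestors(path):
            tags |= self.attrs.get(p, set())
        if "read_only" in tags and op in CHANGE_OPS:     # attribute security control
            return False
        if "hidden" in tags and op == SEARCH:
            return False
        return True

def build_demo() -> Tuple[Dict[str, Account], AccessControlTable]:
    """Constructed sample data: one administrator and one ordinary user."""
    accounts = {
        "root": make_account("admin", "correct horse battery staple"),
        "alice": make_account("ordinary", "s3cret!", allowed_hosts={"ws-07"},
                              login_hours=range(8, 18)),
    }
    table = AccessControlTable()
    table.grant("/finance", "alice", {READ, SEARCH})
    table.grant("/finance/q1", "alice", {WRITE, CREATE})
    table.set_attrs("/finance/q1/locked.xls", {"read_only"})
    table.set_attrs("/finance/audit", {"hidden"})
    return accounts, table
```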
5. Server security control
The network allows a series of operations to be performed from the server console: users can use it to load and unload modules, install and remove software, and so on. Server security control includes setting a password that locks the server console, so that illegal users cannot modify or delete important information or destroy data, as well as setting server login time limits, detecting illegal visitors and setting the shutdown interval.

II. Firewall technology
A firewall is a network security technology used to protect an internal network from malicious attacks and intrusions from the external network, to prevent computer crime and to keep intruders out. The firewall sits at the boundary between the internal and external networks: it closely monitors the packets crossing that boundary, blocks intruders, strictly limits access from the external network to the internal network and effectively monitors access from the internal network to the external network.

III. Intrusion detection technology
Intrusion detection technology combines network security technology with information technology. With it, selected areas of a network system can be monitored in real time, and when those areas are attacked the attack can be detected and responded to immediately.
Intrusion detection can be divided into dynamic and static. Dynamic detection is used for prevention and audit, while static detection is used for recovery and evaluation.

IV. Security scanning
Security scanning checks the security of a computer system or other network device in order to find potential security risks and vulnerabilities that attackers could exploit. It is therefore an essential technique for securing computer systems and networks, but it is also one of the techniques attackers use: system administrators use security scanning to eliminate hidden dangers and prevent intrusions, while attackers use it to look for opportunities to break into systems and networks.
There are two types of security scanning, active and passive. Active scanning is network based: it simulates attack behaviour and records the system's reaction in order to find loopholes in the network, and is called network security scanning. Passive scanning is host based: it checks for inappropriate system settings, weak passwords and other objects that conflict with the security rules in order to find security risks in the system, and is called system security scanning.
Four detection technologies are involved in security scanning:
(1) Application-based detection. It checks the settings of application packages in a passive, non-destructive way to find security vulnerabilities.
(2) Host-based detection. It examines the system in a passive, non-destructive way, usually covering the system kernel, file attributes, operating system patches and so on.
This technology also includes password-cracking checks to weed out simple passwords. It can therefore locate system problems very accurately and find system vulnerabilities; its disadvantages are that it is platform dependent and complicated to upgrade.
(3) Target-based vulnerability detection. It checks system attributes and file attributes, such as databases and the registry, in a passive, non-destructive way. File checksums are computed with a message digest algorithm. The technology runs in a closed loop: it continually processes files, system targets and their attributes, generates checksums, and compares them with the original checksums; as soon as a change is found, the administrator is notified.
(4) Network-based detection. It checks in an active, non-destructive way whether the system could be attacked and brought down: a series of scripts simulates attacks on the system and the results are analysed, and known network vulnerabilities are also tested. Network detection is often used for penetration testing and security audits. It can find vulnerabilities across a range of platforms and is easy to install, but it may affect network performance.
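The target-based detection loop of item (3), as an added example that is not code from the original page: take a baseline of message digests and file attributes, rescan, and report every difference for the administrator. The sample tree is constructed in a temporary directory; the baseline is stored outside the tree it describes.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Baseline = Dict[str, dict]


def file_digest(path: str) -> str:
    """Message digest (SHA-256) of a file's contents, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Baseline:
    """One pass of the closed loop: walk the target tree and record, per file,
    its digest plus the attributes the text mentions (size, permission bits)."""
    result: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"sha256": file_digest(full),
                           "size": st.st_size,
                           "mode": st.st_mode & 0o777}
    return result


def save_baseline(baseline: Baseline, path: str) -> None:
    """Store the original inspection numbers outside the tree being checked."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Compare the new inspection numbers with the original ones; every
    difference is something the administrator must be notified about."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "attr_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            report["attr_changed"].append(rel)
    return report


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: take a baseline, make four kinds of change,
    then rescan and return the report."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "target")
        _write(root, "etc/accounts.txt", b"alice:x:1001\n")
        _write(root, "bin/tool", b"#!/bin/sh\necho tool\n", 0o755)
        _write(root, "tmp/old.log", b"nothing to see\n")
        baseline_file = os.path.join(work, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        _write(root, "etc/accounts.txt", b"alice:x:1001\nbob:x:1002\n")   # content changed
        os.chmod(os.path.join(root, "bin/tool"), 0o777)                  # attribute changed
        os.remove(os.path.join(root, "tmp/old.log"))                     # file removed
        _write(root, "bin/extra", b"new\n", 0o755)                       # file added

        return compare(load_baseline(baseline_file), snapshot(root))
```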
Security scanning technology is developing towards modularization and expert systems.
In terms of modularity, the whole security scanning system consists of a number of plug-ins, each encapsulating one or more vulnerability scanning methods, and the main scanning process performs scanning tasks by calling the plug-ins. Updating the system then only requires adding a new plug-in for each new scanning capability. In addition, because the plug-ins are standardized, the scanning system is highly flexible, scalable and maintainable.
In terms of expert systems, security scanning can organize the scanning results into reports and propose solutions for specific vulnerabilities. As the technology develops, the security scanning system is expected to evaluate the overall situation of the network and propose a security solution for the whole network, becoming not only a vulnerability scanning tool but a security assessment expert.

V. Security audit
Security audit is a mechanism that monitors and records the activities of the network system, much as activities are monitored in society, and puts forward security opinions and suggestions. It can be used to record, track and review the network's operating state and processes. Security audit not only evaluates network risk effectively but also provides the basis for deciding reasonable security strategies and strengthening security management, so that the network system can adjust its countermeasures in time.
As overall network security solutions become more popular, security audit has become an important part of the network security system. It is an important means for network users to monitor, analyse and evaluate security equipment, network equipment, application systems and system operation.
Computer network security audit mainly covers the security audit of operating systems, databases, web and mail systems, network equipment and firewalls, as well as strengthening security education and security responsibility awareness.
Network security is dynamic. Without real-time, centralized and visual auditing of the established system, the system's security cannot be evaluated in time and the hidden dangers in it cannot be found.

At present, the main functions and common problems of network security audit systems are as follows:
1. Main functions of a network security audit system
(1) Collecting various types of log data. It can collect log information from various operating systems, firewall systems, intrusion detection systems, network switches, routing devices, and various services and application systems.
(2) Log management. It can automatically collect log information in various formats and convert it into a unified log format.
3. If the server has recovered and no important data has been lost, it only means that the loss is small, not that there was no loss. Even if no data has been lost, the time during which the server could not run is itself part of the loss.
The relevant penalties are listed below for comparison.

Article 285 of the Criminal Law: the crime of illegally obtaining data from a computer information system and illegally controlling a computer information system. Whoever, in violation of state regulations, intrudes into a computer information system in the fields of state affairs, national defense construction or cutting-edge science and technology shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention.
Whoever, in violation of state regulations, intrudes into a computer information system other than those in the preceding paragraph, or uses other technical means to obtain data stored, processed or transmitted in the computer information system, or illegally controls the computer information system, shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention and shall also, or shall only, be fined; if the circumstances are especially serious, he shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and shall also be fined.
Those who provide special programs or tools for intruding into or illegally controlling computer information systems, or who provide programs or tools to others knowing that they are committing the illegal or criminal act of intruding into or illegally controlling computer information systems, shall, if the circumstances are serious, be punished in accordance with the provisions of the preceding paragraph.

Article 286: Whoever, in violation of state regulations, deletes, modifies, adds to or interferes with the functions of a computer information system, causing it to fail to operate normally, shall, if the consequences are serious, be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are especially serious, they shall be sentenced to fixed-term imprisonment of not less than five years.
Whoever, in violation of state regulations, deletes, modifies or adds data or applications stored, processed or transmitted in a computer information system shall, if the consequences are serious, be punished in accordance with the provisions of the preceding paragraph.
Those who deliberately make or spread destructive programs such as computer viruses, affecting the normal operation of a computer system with serious consequences, shall be punished in accordance with the provisions of the first paragraph.

Article 29 of the Law of the People's Republic of China on Administrative Penalties for Public Security: whoever commits one of the following acts shall be detained for not more than five days; if the circumstances are serious, they shall be detained for not less than five days but not more than ten days:
(1) Violating state regulations by intruding into a computer information system and causing harm;
(2) Deleting, modifying, adding to or interfering with the functions of a computer information system in violation of state regulations, resulting in abnormal operation of the system;
(3) Deleting, modifying or adding data or applications stored, processed or transmitted in a computer information system in violation of state regulations;
(4) Deliberately making or spreading destructive programs such as computer viruses that affect the normal operation of computer information systems.
Dynamically regenerating keys
IPSec policy controls how often new keys are generated during communication through a method called dynamic rekeying. Communication is sent in blocks, and each block is protected with a different key, so an attacker who has obtained part of the communication and the corresponding session key cannot obtain the rest. Secure negotiation and automatic key management are provided by the Internet Key Exchange (IKE) defined in RFC 2409.
IPSec policy lets you control how often new keys are generated. If no value is configured, keys are automatically regenerated at the default interval.
Key length
Each additional bit of key length doubles the number of possible keys, making the key harder to crack. IPSec policy offers a range of algorithms that allow short or long key lengths.
Key material generation: the Diffie-Hellman algorithm
To communicate securely, two computers must be able to obtain the same shared key (session key) without sending that key across the network or otherwise divulging the secret.
The Diffie-Hellman (DH) algorithm predates Rivest-Shamir-Adleman (RSA) encryption and offers better performance. It is one of the oldest and most secure algorithms for key exchange. The two parties exchange key information publicly, and Windows XP also protects that information with a hash signature. Neither party exchanges the actual key; after exchanging key material, each party can generate the same shared key.
The DH key material exchanged by both parties can be based on 768-bit or 1024-bit key material, known as DH groups. The security provided by a DH group is commensurate with that of the key computed from the DH exchange. Combining a DH group that provides strong security with a long key length makes it harder to determine the key.
IPSec uses the DH algorithm to provide key material for all other encryption keys. DH does not provide authentication; in the Windows XP IPSec implementation, identities are verified after the DH exchange to prevent man-in-the-middle attacks.
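The exchange described above, as an added example (not Windows or IKE code): both sides derive the same session key from public key material, and because DH itself has no authentication, a keyed hash signature over the exchanged values is verified afterwards. The modulus is a demonstration value (the Mersenne prime 2**521 - 1), not one of the RFC 2409 DH groups, and the pre-shared authentication key is constructed.

```python
import hashlib
import hmac
import secrets

# Demonstration modulus only: the Mersenne prime 2**521 - 1 with generator 2.
# A real IKE deployment uses the 768-bit or 1024-bit MODP groups from RFC 2409.
P = 2**521 - 1
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_private() -> int:
    """Fresh random exponent; this never leaves the host."""
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    """Key material that is sent over the network: g^priv mod p."""
    return pow(G, priv, P)


def dh_shared_key(peer_pub: int, priv: int) -> bytes:
    """Both sides derive the same session key from the other side's public value
    and their own private exponent; the key itself is never transmitted.
    Public values outside (1, p-1) are rejected before use."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def transcript_tag(auth_key: bytes, initiator_pub: int, responder_pub: int,
                   identity: str) -> bytes:
    """Hash signature over the exchanged values and the claimed identity, keyed
    with a pre-shared authentication key. DH alone has no authentication, so this
    is what lets each side verify who it actually exchanged key material with."""
    data = b"%d|%d|%s" % (initiator_pub, responder_pub, identity.encode())
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def verify_tag(auth_key: bytes, tag: bytes, initiator_pub: int,
               responder_pub: int, identity: str) -> bool:
    """Recompute the signature from the values this side actually saw; a
    substituted public value or a wrong identity makes verification fail."""
    expected = transcript_tag(auth_key, initiator_pub, responder_pub, identity)
    return hmac.compare_digest(expected, tag)


def run_exchange(auth_key: bytes) -> bool:
    """Complete exchange between an initiator A and a responder B, followed by
    the identity verification step. Returns True when both sides agree."""
    a_priv, b_priv = dh_private(), dh_private()
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)      # exchanged in the clear
    key_a = dh_shared_key(b_pub, a_priv)
    key_b = dh_shared_key(a_pub, b_priv)
    tag_from_a = transcript_tag(auth_key, a_pub, b_pub, "hostA")
    b_accepts = verify_tag(auth_key, tag_from_a, a_pub, b_pub, "hostA")
    return key_a == key_b and b_accepts
```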
The characteristics of WiFi make it vulnerable to attacks and eavesdropping, but with the right protective measures it can still be reasonably secure. Unfortunately, too much outdated advice and fiction circulates on the Internet. In this article I share several things to do, and not to do, to improve WiFi security.

1. Don't use WEP
WEP (Wired Equivalent Privacy) protection is obsolete, and its underlying encryption can be broken easily even by inexperienced novice hackers, so WEP should no longer be used. The best choice is to upgrade immediately to WPA2 (Wi-Fi Protected Access 2) protected by 802.1X authentication. If an old client or access point does not support WPA2, upgrade its firmware immediately or simply replace the device.

2. Do not use WPA/WPA2-PSK
The pre-shared key (PSK) mode of WPA and WPA2 is not safe for business or enterprise environments. When using this mode, the same pre-shared key must be entered on every client. In other words, whenever an employee leaves or a client is lost or stolen, the PSK has to be changed on all devices, which is unrealistic for most business environments.
3. Use the EAP (Extensible Authentication Protocol) mode of 802.11i
Use the EAP mode of the WPA and WPA2 security mechanisms and replace the PSK with 802.1X authentication, so that each user or client gets its own login credentials: user name, password and/or digital certificate. The actual encryption keys are changed periodically and replaced in the background without users even being aware of it. To change or revoke a user's access, we only need to modify the login credentials on the central server instead of replacing the PSK on every client. Each session gets its own key, which removes the risk of eavesdropping on user traffic, something that tools such as Firesheep and DroidSheep have made very simple. To use 802.1X authentication we need a RADIUS/AAA server. On Windows Server 2008 or later, consider Network Policy Server (NPS), or Internet Authentication Service (IAS) on earlier server versions. For those not using Windows Server, FreeRADIUS is the best choice.

The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks, but correctly configuring the clients effectively prevents such threats. For example, enable server certificate validation in the Windows EAP settings by selecting the CA and specifying the server address, and disable prompting the user to trust a new server or CA.
802.1X configuration can also be applied to domain clients through Group Policy or third-party solutions such as Avenda Quick1X.
5. A wireless intrusion prevention system must be adopted
WiFi security is not limited to resisting direct access requests to the network. For example, clients may set up rogue access points or mount denial-of-service attacks. To detect and counter such attacks, a wireless intrusion prevention system (WIPS) should be used. The design and operation of a WIPS varies between vendors' products, but in general the system monitors wireless activity, notifies us promptly, and may prevent some rogue APs or malicious activities.
Many commercial vendors offer WIPS solutions, such as AirMagnet and AirTight Networks, and there are open-source options such as Snort.

In addition to 802.11i and WIPS, consider deploying a Network Access Protection (NAP) or Network Access Control (NAC) solution. These provide additional control over network access by assigning permissions to clients according to their identity and defined management policies, and they have features to isolate problematic clients and remediate them according to administrative policy.
Some NAC solutions also include network intrusion prevention and detection functions, but check whether those functions provide wireless-specific protection.
If you are using Windows Server 2008 or later with Windows Vista or later on the clients, Microsoft's NAP function is also worth considering. If the system versions do not meet these requirements, a third-party open-source solution such as PacketFence can also help.
7. Don't rely on hiding the SSID
A common saying in wireless security is that disabling SSID broadcasting on the AP hides the network, or at least the SSID, making it hard for hackers to find the target. In fact, this only removes the SSID from the AP's advertised list: it is still included in 802.11 connection requests, and in some cases those requests are detected and the packets answered. Eavesdroppers can therefore quickly discover "hidden" SSIDs, especially during busy times, and they can do so with fully legitimate wireless network tools.
In August 2016, a hacker group calling itself the "Shadow Brokers" was suspected of having obtained confidential network tools from the "Prism project", including a network attack tool called "EternalBlue". After EternalBlue leaked, some hackers modified the tool into today's ransomware; the ransomware mentioned above is likely the latest variant built on EternalBlue.
EternalBlue infects computers running Microsoft Windows through open port 445: as long as a Windows computer is switched on and connected to the Internet, it can quietly be implanted into the computer or server to encrypt files maliciously. Port 445 itself has a mixed reputation. It makes it easy to access shared folders and shared printers on the LAN, but for the same reason it gives hackers something to exploit.
In today's Internet era there is no need to share files and control printers over port 445, so some network operators blocked it as early as 2008. Almost all the victims of the "EternalBlue virus" in this global IT disaster were hit because port 445 was open.
There are now many online tutorials on turning off port 445 on a computer, which can deal with an immediate threat. But it is better to take preventive measures from the start than to remedy the damage every time it happens.
In many years of enterprise information management and security services, I have felt more and more personally that "enterprise informatization" requires managers and business personnel to change their traditional IT usage thinking, so as to truly avoid risks and improve efficiency; only in this way can we get rid of the dilemma of hindsight and easily deal with the next threat similar to "EternalBlue".
For virus prevention, I have the following three suggestions:
1. Overcome the psychological resistance to IT and our own inertia, and recognize and break bad user habits
In this "EternalBlue" incident, Microsoft pushed the security update for Vista and later systems as early as March 14, 2017. Why did so many people still suffer? One important reason is that a considerable number of victims were still using Windows XP, an obsolete operating system.
The trouble of upgrading, incompatibility of old software, unwillingness to learn new software, and false propaganda from some competitors have led to the present result. But in essence it is our laziness; or, to put it more kindly, what we call "user habits".
I have always believed that it is a valuable habit to push out the old and bring in the new and to stick to the right things, instead of clinging to old and wrong habits. Being used to breaking old habits and being brave enough to learn and accept new knowledge is the ideological basis for being invincible in the information age.
2. Learn and judge the value of new technology independently
Many stakeholders believe that Microsoft launches a new operating system every few years just to make money, and that the existing system is enough and there is no need to upgrade.
In my opinion, the premise of "making money" is "bringing value", which is exactly the point many people ignore. Computer viruses and external threats keep evolving. If we still hold on to prejudice and old ideas and do not judge independently on the basis of learning and recognizing the new situation, we are bound to be hurt. The "EternalBlue" incident, rampant all over the world, has sounded the alarm for us.
In fact, computers with Windows 10 automatic updates enabled are immune to "EternalBlue", and Microsoft gave users a one-year free upgrade period to move from old systems to Windows 10. At present the operating system accounts for less than 10% of Microsoft's total revenue; for Microsoft, the cloud ecosystem is the future profit direction. Mastering this IT information is very important for managers to make the right decisions.
3. Always put "security" first when storing and managing files
Our usual system security defenses, such as antivirus software, firewalls and security patches, are actually passive protection.
We never know where the next IT threat will come from, so we can only plug the highest-risk vulnerabilities as far as possible, or speed up the emergency response.
However, for enterprises, strengthening active security defense alone cannot prevent all threats. We also need a crisis plan and a comprehensive plan to ensure the security of documents. The point is that even if an accident happens, we can control it. For the "EternalBlue" event, keeping and backing up files properly is the thorough solution: even if files are maliciously encrypted by hackers, we still have a complete set of data to use.
For the business secrets and personal confidential files of enterprises, if you don't want to leave traces of the files on the Internet, I recommend using a private cloud to store and back them up.
Finally, a tip for enterprises: based on the technical principles of the Linux system and its good reputation in the server field, a private cloud based on Linux is safer than one based on Windows.