I have always hoped to learn from others' lessons and avoid falling where they fell, and today I learned a lot. One company's O&M management had done a good job: it built a private management network for its IDCs, and the office network connects to this management network through a VPN to manage the servers distributed across all of the IDCs. For an enterprise, this is not easy to achieve, and the advantage is obvious: the external ACLs are much tighter, and risk is aggregated in one place and then eliminated or transferred. A sales leader at Niu X once told me: "An advantage is sometimes also a disadvantage." When risk is concentrated, we can concentrate on fine-grained control, but once that threshold is breached the result is probably a comprehensive collapse. For example, once an attacker gets into the management network by any means, these servers may be unable to withstand attacks such as `hydra -l root -p ooxx -t 5 -M ip -o log ssh2`.
Today I asked a hacker: "How did you obtain so much information about the enterprise's network architecture?"
The hacker said: "I compromised an administrator's PC on their office network."
I asked: "How did you X the administrator's PC? The gap between the service network and the office network is huge."
The hacker said: "Their service network is connected to the office network."
My summary of the hacker's approach: intrude into external servers -> compromise the administrator's PC -> obtain network architecture information -> intrude into more external servers. The next step might be: control the email server -> locate employees and intranet IPs -> keep looking for whatever is wanted.
In fact, the private management network is similar to a domain: the risk is aggregated to a single point, and the outcome is roughly the same: done well, it gives twice the result for half the effort; done badly, it does not. If it were me, I would still aggregate the risks and then tackle them, but I would increase the depth of defense. The reason the company did not discover the intrusion was that its defense was too simple, and access control on its own is still of fairly limited effect. In fact, the hacker's behavior on that network was still quite noisy; you could find traces of it in the logs.
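The noisy behavior mentioned above (a hydra-style SSH password-guessing burst against management-network servers, followed by a login that succeeds) leaves an obvious trace in sshd logs even when access control alone has failed. The following script is an added example, not code from the original post or from the company it describes: it parses constructed sshd `auth.log` lines, flags any source IP that produces `threshold` failed logins inside a sliding `window` of seconds, and separately flags a successful login from such a source right after the burst, which is the event that matters most. The log lines, host names, IPs and threshold values are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the original post).
SAMPLE_LOG = """\
Mar 10 02:15:01 mgmt-srv-01 sshd[2201]: Failed password for root from 10.20.0.15 port 51012 ssh2
Mar 10 02:15:02 mgmt-srv-01 sshd[2203]: Failed password for root from 10.20.0.15 port 51013 ssh2
Mar 10 02:15:02 mgmt-srv-01 sshd[2205]: Failed password for root from 10.20.0.15 port 51014 ssh2
Mar 10 02:15:03 mgmt-srv-01 sshd[2207]: Failed password for root from 10.20.0.15 port 51015 ssh2
Mar 10 02:15:03 mgmt-srv-01 sshd[2209]: Failed password for root from 10.20.0.15 port 51016 ssh2
Mar 10 02:15:04 mgmt-srv-01 sshd[2211]: Failed password for root from 10.20.0.15 port 51017 ssh2
Mar 10 02:15:05 mgmt-srv-01 sshd[2213]: Accepted password for root from 10.20.0.15 port 51018 ssh2
Mar 10 02:40:11 mgmt-srv-01 sshd[2300]: Accepted publickey for ops from 10.10.1.5 port 40022 ssh2
Mar 10 03:01:40 mgmt-srv-01 sshd[2350]: Failed password for ops from 10.10.1.5 port 40100 ssh2
Mar 10 03:01:55 mgmt-srv-01 sshd[2352]: Accepted password for ops from 10.10.1.5 port 40101 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(log_text, year=2024):
    """Parse syslog-style sshd lines into dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, threshold=5, window=60):
    """Return alerts as (kind, ip, user, timestamp) tuples.

    kind is "brute_force" when a source IP reaches `threshold` failed logins
    within `window` seconds, and "success_after_burst" when a login from that
    source succeeds within `window` seconds of its last failure.
    Events are assumed to be in chronological order, as they are in the log file.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    bursting = set()              # ips already flagged, to avoid repeat alerts
    alerts = []
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # keep only failures inside the sliding window
            failures[ip] = [t for t in failures[ip]
                            if (ev["ts"] - t).total_seconds() <= window]
            if len(failures[ip]) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("brute_force", ip, ev["user"], ev["ts"]))
        else:
            if (ip in bursting and failures[ip]
                    and (ev["ts"] - failures[ip][-1]).total_seconds() <= window):
                alerts.append(("success_after_burst", ip, ev["user"], ev["ts"]))
            # a successful login ends the current episode for this source
            failures[ip] = []
            bursting.discard(ip)
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts} {kind:20s} src={ip} user={user}")
```

Run against a real `/var/log/auth.log` the script would be fed the file's text instead of `SAMPLE_LOG`; the `success_after_burst` alert is the one worth paging on, since a burst that never succeeds is background noise on any exposed SSH port, while a success after a burst means the password was guessed. The `ops` user's single failure followed by a success is the normal typo case and produces no alert.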
Defense in depth is a long-standing concept, but how many enterprises can actually implement it? There may be many reasons it is hard to implement; I feel it has a lot to do with financial and human resources.