Yunshu
For the past three days the department has been holding a meeting at Manlong Guiyu. Every night we played games with colleagues until late, never getting to sleep before three in the morning; having a bunch of friends around is a real pleasure. In idle moments over those three days I thought, in a rather disorganised way, about some security matters and jotted them down in the notepad on my phone. I am now tidying them up and pasting them onto the blog, though they are still a bit of a mess. Coincidentally, snail care has also just posted a similar article.
The first is about permissions. I recently wrote "permission expansion", and on reflection privilege expansion at the network layer resembles the horizontal-privilege problem in web systems; vertical privileges exist there too. Vertical privileges are the easier of the two to control. Horizontal privileges are harder on both the network and the web, because the granularity required is finer. On the network, horizontal privileges can be implemented in access control with user groups and inherited group permissions; on the web, URL encryption (encrypting the object identifiers that appear in URLs) can be used to solve the problem. When you do this, note that a user who can see the ciphertext produced from plaintext he controls can mount a chosen-plaintext attack: he feeds in known identifiers, collects the resulting ciphertexts, and uses them to construct references to other users' objects. There are two workable defences. First, the program must never let a user obtain the ciphertext of plaintext he supplied himself, that is, it must not act as an encryption oracle. Second, add a signature (a keyed MAC) so that a guessed or altered ciphertext fails verification. A further benefit is that an encrypted, signed URL bound to the user's session is also an effective CSRF defence, because an attacker cannot construct a valid URL for a victim.
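As an added example (not code from the original post), here is the scheme the paragraph describes, written in Python with a keyed MAC rather than encryption: record identifiers in URLs carry a tag bound to the user they were issued to, and the server refuses to act as a signing oracle for identifiers the user has no right to. The key, the ownership table and the user and record names are all constructed for the example.

```python
import hmac
import hashlib

# Constructed example: the server-side key would normally come from a secret
# store; it is hard-coded only so the example runs stand-alone.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
TAG_LEN = 32  # hex chars of the truncated HMAC-SHA256 tag (128 bits)

# Constructed ownership table standing in for the application's database.
OWNERS = {1001: "alice", 1002: "alice", 2002: "bob"}


def _tag(user_id: str, record_id: int) -> str:
    """Keyed MAC over (user, record). Binding the user in is what stops a
    reference issued to one user from being replayed by another."""
    msg = f"{user_id}:{record_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_ref(user_id: str, record_id: int) -> str:
    """Reference that goes into a URL rendered for `user_id`. The record id
    stays visible on purpose: the tag, not secrecy of the id, is the control."""
    return f"{record_id}.{_tag(user_id, record_id)}"


def resolve_ref(user_id: str, ref: str):
    """Return the record id if `ref` was issued to `user_id`, else None."""
    record_part, sep, tag = ref.partition(".")
    if not sep or not record_part.isdigit() or len(tag) != TAG_LEN:
        return None
    record_id = int(record_part)
    # Constant-time compare so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(_tag(user_id, record_id), tag):
        return None
    return record_id


def render_link_oracle(user_id: str, requested_id: int) -> str:
    """VULNERABLE: signs whatever id the user asks for. This is the
    "user sees the ciphertext of his own plaintext" mistake: the tag is
    genuine, but the server has become a signing oracle for any id."""
    return make_ref(user_id, requested_id)


def render_link(user_id: str, requested_id: int):
    """HARDENED: check authorization before issuing a reference, so a user
    can only ever obtain signed references for objects he may access."""
    if OWNERS.get(requested_id) != user_id:
        return None
    return make_ref(user_id, requested_id)


def attack_results() -> dict:
    """Run the horizontal-privilege attempts from the text and report each outcome."""
    alice_ref = render_link("alice", 1001)   # alice's own, legitimately issued
    bob_ref = render_link("bob", 2002)       # bob's own; suppose it leaked to alice
    alice_tag = alice_ref.split(".")[1]
    return {
        # Legitimate access by the user the reference was issued to.
        "legit": resolve_ref("alice", alice_ref),
        # Classic horizontal move: edit the id, keep the tag. Rejected.
        "swapped_id": resolve_ref("alice", f"2002.{alice_tag}"),
        # Oracle: alice asks the vulnerable renderer for bob's id and gets a
        # valid reference, so the signature alone did not save us.
        "oracle": resolve_ref("alice", render_link_oracle("alice", 2002)),
        # Hardened renderer refuses to issue the reference in the first place.
        "hardened": render_link("alice", 2002),
        # Replay of a reference issued to bob while logged in as alice.
        "replayed": resolve_ref("alice", bob_ref),
    }
```

The two defences from the paragraph map onto `render_link` (never sign chosen plaintext) and `_tag` (the signature); the user binding is what makes a leaked or replayed link useless to anyone but its owner, and it is also the property that gives the CSRF benefit, since an attacker cannot mint a valid reference for a victim without the server key.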
The second problem is the new security problems that scale creates. When the scale is relatively small, a single problem can be solved in several ways and all of them work reasonably well. Once the scale reaches a certain level the problems surface, and they may be problems nobody imagined in the early stages. In Q1 it took a great deal of effort to design the security architecture for our new office area in Binjiang, mainly because the network here is enormous. I had worked with IT on the security architecture of the new Wimbledon office area at Yahoo! and gained a lot of experience there, but it is hardly a reference point compared with the scale here. During this period we also had some discussions with McAfee, Cisco and Yahoo in the United States; even where the scale was similar, their designs could not simply be copied, for reasons of corporate style among others, so there was essentially no mature, ready-made experience to draw on. Huawei's network is larger than ours, but they rely on far too many administrative measures, which I do not agree with. I know that security has to combine technology and management, but I would rather try to make users feel that, on ordinary days, we do not exist. What applies to the office network will, I believe, also apply to IDC networks, web application systems and distributed computing: 10,000 servers in an IDC raise no problems, but what do you do with 100,000? The security architecture for the Binjiang office area is complete and has been discussed with IT; solving the rest will have to wait for Q2 and Q3. Is that the right approach? Haha!
The third problem is DDoS. The most important parts of anti-DDoS are preparation beforehand and establishing an emergency-handling process; I will not go over those here, and Coolc wrote a similar article a few days ago. Instead I want to talk about something more entertaining. This morning I watched the Discovery video on the construction of the Hangzhou Bay cross-sea bridge. It was very interesting and I recommend it; it showed me what a successful anti-DDoS response looks like. The engineers had to carry steel beams 70 metres long, 16.5 metres wide and weighing 2,200 tonnes out to sea for assembly, so they designed a huge transporter that can move both lengthwise and sideways. Each transporter has four tyre groups, and the 2,200-tonne load is distributed across the four groups by hydraulics. Each group contains 160 tyres, also controlled by a hydraulic system: when a tyre fails, the others take over its share of the load. Look at it from a network-security perspective. The four tyre groups are four CDN nodes. The hydraulic system that spreads the pressure between them is smart DNS round robin. The 160 tyres in each group are 160 web front-end servers, and the hydraulics inside the group are the F5 and Foundry layer-7 switching load balancers. CDN nodes (tyre groups), intelligent DNS (the overall hydraulic control), load balancers (the hydraulics inside each group), servers (tyres) and bandwidth (the road surface): is that not a complete anti-DDoS solution carrying its 2,200-tonne steel beam? Those bridge engineers are security experts. Haha.
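To make the analogy concrete, here is an added toy capacity model in Python (not from the original post, and not any vendor's product): two tiers of even load spreading with health-aware redistribution, which is what the hydraulics do for the tyres. The topology, capacities and attack volumes are constructed numbers chosen so the arithmetic is easy to follow.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Server:
    """One web front end (a tyre)."""
    name: str
    capacity_gbps: float
    healthy: bool = True


@dataclass
class Site:
    """One CDN node (a tyre group): an uplink, the road surface, plus the
    servers behind its layer-7 load balancer."""
    name: str
    uplink_gbps: float
    servers: List[Server] = field(default_factory=list)
    healthy: bool = True   # False once smart DNS has stopped handing it out


def _even_split(total: float, members) -> Dict[str, float]:
    """Spread `total` evenly over the healthy members, the way round-robin DNS
    or a load balancer does. Empty dict means nothing is left to carry the load."""
    live = [m for m in members if m.healthy]
    return {m.name: total / len(live) for m in live} if live else {}


def assess(sites: List[Site], attack_gbps: float) -> dict:
    """Push an attack volume through both tiers and list what saturates.

    Tier 1 (smart DNS) divides the attack across healthy sites; tier 2 (the
    site's load balancer) divides each site's share across healthy servers,
    so a failed tyre's share lands on the tyres next to it.
    """
    per_site = _even_split(attack_gbps, sites)
    if not per_site:
        return {"outage": True, "saturated": [], "per_site": {}}
    saturated = []
    for site in sites:
        if site.name not in per_site:
            continue
        load = per_site[site.name]
        if load > site.uplink_gbps:
            saturated.append(f"{site.name}:uplink")
        per_server = _even_split(load, site.servers)
        if not per_server:
            saturated.append(f"{site.name}:no-servers")
        for srv in site.servers:
            if srv.name in per_server and per_server[srv.name] > srv.capacity_gbps:
                saturated.append(f"{site.name}/{srv.name}")
    return {"outage": False, "saturated": saturated, "per_site": per_site}


def build_example(n_sites: int = 4, servers_per_site: int = 4) -> List[Site]:
    """Constructed topology: 4 sites with 5 Gbps uplinks, 4 x 1 Gbps servers each."""
    return [
        Site(f"site{i}", uplink_gbps=5.0,
             servers=[Server(f"srv{j}", capacity_gbps=1.0) for j in range(servers_per_site)])
        for i in range(n_sites)
    ]


if __name__ == "__main__":
    topo = build_example()
    print(assess(topo, 12.0)["saturated"])   # nothing: 16 Gbps of servers for a 12 Gbps attack
    topo[0].healthy = False                  # lose a whole CDN node
    topo[1].servers[0].healthy = False       # and one server in another node
    print(assess(topo, 12.0)["saturated"])   # site1's three remaining servers overflow
```

The model assumes failed members are already out of rotation. Real smart DNS only drops a site after its health checks fail and resolver caches expire, and a layer-7 balancer only after its own health-check interval, so the headroom you plan for (N-1 at each tier still absorbing the attack) has to cover that window as well; that is where the hydraulic analogy is kinder than the network.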
The fourth is the cookie problem in SSL VPN systems. An SSL VPN has to store a cookie on the device, and how that cookie is stored on each kind of device is worth studying further. I have not looked into it yet; it may be a minor issue, but keep an eye on it.
That is all. Tired... One more thing: on the ride back I watched the Chinese "disaster film" Typhoon and was forced to sit through the whole of it. There are only two words for it: "SB", plus "disgusting".