Abstract: As networks have matured, network administrators have moved past the embarrassing stage of being confused and at a loss, and have established security creeds based on extensive practice. These theories and practical strategies have gradually become golden rules that no one thinks twice about.
However, these seemingly reasonable theories and practical strategies are not actually correct. Not only do they bring no benefit to the network, they may even cause huge crises and hidden dangers.
After years of development, network security has become a relatively mature field, and network administrators who have accumulated a great deal of theoretical and practical experience have successively developed their own security theories and practical strategies.
In fact, many of these seemingly reasonable practical strategies are completely wrong. Next, we will analyze, one by one, the top ten principles currently prevalent in the network security field to see how many of them have spread across the world.
Creed 1: Once a firewall is deployed between the company's network and the Internet, client PCs do not need a separate personal firewall.
The author's opinion: Many people in company IT management departments hold this view, but it is very wrong. A firewall deployed between the company's network and the external network can only stop external threats. It is powerless against internal threats, such as malicious attacks launched by dissatisfied employees, or viruses and malicious programs carried into the network on the hosts themselves.
Creed 2: In addition to personal firewalls, deploying a large hardware firewall in the enterprise network is enough to rest assured.
The author's opinion: This idea is wrong. An obvious example is to deploy a firewall between the company's general CIDR block and the CIDR block that carries the company's sensitive data, so that the sensitive data traffic is secured.
Creed 3: Set complex user passwords and change them regularly and frequently.
The author's opinion: This is a security rule that many network administrators regard as critical. True, a password such as "aX-1r6&d+n7S9tU!", made up of 16 random characters, is indeed difficult to guess, but in practice passwords of this type are leaked far more often than they are guessed. Therefore, a more feasible strategy is to choose character combinations that are easy to remember and difficult for others to guess.
Creed 4: If anti-virus software is installed, there is no need to install Trojan detection or anti-virus products on the email server.
The author's opinion: We cannot assume that anti-virus software eliminates all security threats. Anti-virus software does not recognize new viruses. Moreover, in most cases it cannot effectively detect Trojans and other spyware, so it cannot provide adequate protection.
Creed 5: Spam is annoying, but does not pose a substantial security threat.
The author's opinion: This view is one-sided. Whether spam poses a security threat depends on the spam itself. In fact, much spam carries viruses, Trojans, or malicious programs, consumes a lot of server resources and network bandwidth, and can even paralyze the network.
Creed 6: Wireless networks use data encryption technology to ensure security.
The author's opinion: There is no doubt that this technology can protect data security to a certain extent. However, relying solely on data encryption, even more advanced technologies such as WPA, is far from enough to secure a wireless network. Measures such as disabling the access point's SSID broadcast function and authenticating wireless users must be implemented alongside it.
Creed 7: Biometric (human feature) recognition technology can improve the company's level of network security.
The author's opinion: From a theoretical point of view, this is true. However, because of technical and cost restrictions, biometric identification equipment is not completely reliable, and misidentification is common. This not only introduces hidden risks to system security but may also cause legitimate users to be rejected.
Creed 8: Encrypt hard disks on workstations and hosts to prevent unauthorized data access.
The author's opinion: This understanding is also biased. Most hard disk encryption software can only protect the data on the disk while the system is shut down. Once the system starts, this type of software automatically decrypts the encrypted data. Therefore, the ideal solution is to combine encryption of the entire hard disk with user identity authentication.
Creed 9: Turning to Linux can enhance system and network security.
The author's opinion: Although there are currently few viruses and malicious programs targeting Linux, among the top 20 security vulnerabilities jointly released by the U.S. System Network Security Association and the U.S. FBI, Linux vulnerabilities account for no smaller a share than Windows vulnerabilities. In this sense, Linux is not a safer operating system.
Creed 10: Training investment is the most important investment in network security.
The author's opinion: This opinion is very correct. Regular, systematic training for network management personnel and users, so that they learn a variety of network security knowledge in a timely manner and the company can make full use of the security products on its network, effectively prevents various security threats.