Building Enterprise Security: Talking About Office Network Security

In most internet companies, security investment goes mainly into the business (production) network, and the office network often ends up as the weakest link. To avoid a textbook-style lecture, this article takes a medium-sized internet company as its example and discusses building office network security from an offensive and defensive perspective. "Office network" is used here in the narrow sense: only the employees' office network segment. The supporting office systems (ERP, e-mail and so on) are out of scope.
Office network infiltration ideas
The office network is usually the main point of breach for an attacker. In my view the main reasons are:
- Security investment in the office network is low relative to the business network, so the cost of intrusion is low.
- The office network is made up of people. People have emotions and behave unpredictably on the Internet, so the attack surface is larger than that of the business network.
- The business network often trusts the office network, which makes the office network an excellent springboard for an indirect attack on the business network.
- Important information from R&D, operations and other teams is often highly concentrated on office endpoints, and the value of that data can exceed that of the business network.
There are many ways to penetrate an office network; the following is one example:
Example of ideas for penetrating the office network
Looking at the entry point, malicious links and malicious documents are the common means.
Looking at the attacker's behaviour once inside, it mainly divides into:
- lateral movement (horizontal penetration)
- privilege escalation (vertical)
Looking at the attacker's goals, it mainly divides into:
- using the office network as a springboard to attack the business network
- stealing important information held by HR, finance, senior management, network security staff and the like
The following figure shows the common office network topology
Example of office network topology
Firewall
As the first line of defense against attacks, the firewall carries a heavy responsibility, and it also carries the Internet access function through NAT, so the demands on firewall performance and stability are high. From a purely security standpoint, I think there are several things to consider when choosing a firewall:
- malicious website (URL) filtering
- malicious file filtering
2016 Gartner Enterprise Network Firewall Magic Quadrant
IPS / IDS
IPS/IDS plays a very important role here: identifying attacks on employees that exploit N-day vulnerabilities in software, especially browsers and office suites. Many vendors claim that their IPS/IDS can identify 0-days. Personally I think the more mature 0-day detection techniques rely mainly on sandboxing and machine learning; if you really need to detect 0-days, you need dedicated APT detection appliances.
2017 Gartner Intrusion Detection and Prevention Systems Magic Quadrant
Email Security Gateway
This topic is too large for this article and deserves a separate one; it is omitted here.
APT device
APT appliances identify APT activity by analysing the files carried in mail and network traffic, and the behaviour of the traffic itself. As far as I know, foreign vendors such as FireEye, Trend Micro, Palo Alto Networks and McAfee all offer products in this area.
Security isolation
Security isolation serves two main purposes:
- on-demand network access, to avoid over-broad permissions
- reducing the attack surface for an attacker's lateral movement and privilege escalation inside the office network, which raises the cost of an attack
For these two purposes, security isolation is usually implemented with NAC (network access control) or with VLAN division. The main difference is that NAC can adjust network permissions dynamically based on user identity, whereas VLAN division is relatively inflexible: a host's rights follow the port or subnet it is plugged into.
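As an added illustration (not code from the original article), the following Python script models the difference between VLAN division and NAC for the staff categories this section goes on to discuss: O&M/DBA, business-system administrators, executives/HR/finance, and general staff. With VLANs a host's rights follow the subnet it sits on; with NAC they follow the authenticated user. The zone addresses, the allow matrix, and the user names are constructed assumptions for the example, not a real deployment.

```python
import ipaddress
from typing import Dict, FrozenSet, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed zones for this example (RFC 1918 ranges picked arbitrarily,
# not a real deployment). One zone per staff category from the article,
# plus the internal back-end systems and the business (production) network.
ZONES: Dict[str, IPv4Net] = {
    "office_ops":       ipaddress.ip_network("10.10.1.0/24"),    # O&M and DBA desktops
    "office_biz_admin": ipaddress.ip_network("10.10.2.0/24"),    # business-system admins
    "office_exec":      ipaddress.ip_network("10.10.3.0/24"),    # executives, HR, finance
    "office_general":   ipaddress.ip_network("10.10.100.0/22"),  # everyone else
    "internal_systems": ipaddress.ip_network("10.20.0.0/16"),    # back-end admin consoles
    "prod":             ipaddress.ip_network("10.30.0.0/16"),    # business network
}
EXTRANET = "extranet"  # any destination outside the zones above

# Default deny: a role may only initiate traffic into the zones listed here.
# This encodes the article's restrictions (others kept away from ops and
# admin desktops, business admins kept off the extranet, execs kept off
# internal systems and other office areas). The exact matrix is an assumption.
ALLOW: Dict[str, FrozenSet[str]] = {
    "ops_dba":     frozenset({"office_ops", "internal_systems", "prod", EXTRANET}),
    "biz_admin":   frozenset({"office_biz_admin", "internal_systems"}),
    "exec_hr_fin": frozenset({"office_exec", EXTRANET}),
    "general":     frozenset({"office_general", "internal_systems", EXTRANET}),
}

# Role that a pure VLAN scheme infers from the source subnet alone.
VLAN_ROLE: Dict[str, str] = {
    "office_ops": "ops_dba",
    "office_biz_admin": "biz_admin",
    "office_exec": "exec_hr_fin",
    "office_general": "general",
}

# Constructed identity directory that a NAC server would consult after
# 802.1X or captive-portal authentication (hypothetical user names).
DIRECTORY: Dict[str, str] = {
    "alice": "ops_dba",
    "bob": "general",
    "carol": "biz_admin",
    "dave": "exec_hr_fin",
}


def zone_of(ip: str) -> str:
    """Return the zone name containing ip, or EXTRANET if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTRANET


def allowed(role: Optional[str], dst_ip: str) -> bool:
    """Default-deny decision: unknown role or unlisted zone gives False."""
    if role is None:
        return False
    return zone_of(dst_ip) in ALLOW.get(role, frozenset())


def decide_vlan(src_ip: str, dst_ip: str) -> bool:
    """VLAN division: rights follow the subnet the host is plugged into."""
    return allowed(VLAN_ROLE.get(zone_of(src_ip)), dst_ip)


def decide_nac(user: str, dst_ip: str) -> bool:
    """NAC: rights follow the authenticated identity, whatever port it uses."""
    return allowed(DIRECTORY.get(user), dst_ip)


if __name__ == "__main__":
    # A DBA (alice) working from a desk in the general office subnet today.
    print("vlan: dba in general subnet -> prod:", decide_vlan("10.10.100.7", "10.30.1.5"))
    print("nac:  alice -> prod:", decide_nac("alice", "10.30.1.5"))
    # A compromised general-staff host probing the O&M desktops.
    print("vlan: general -> office_ops:", decide_vlan("10.10.100.9", "10.10.1.20"))
    # A business-system admin trying to browse the Internet.
    print("nac:  carol -> extranet:", decide_nac("carol", "203.0.113.10"))
```

A DBA who sits at a desk in the general office subnet gets no production access under the VLAN scheme but keeps it under NAC; a business-system admin is denied the extranet under both, because that rule is attached to the role rather than to a port. In a real deployment the NAC server would push the resulting per-user rights to the switch or firewall as ACLs rather than evaluating them in a script.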
Network permission isolation
The figure above is a simple classification. Several categories of staff deserve particular attention:

O&M and DBA staff. They hold system privileges, which makes them the prime target of privilege escalation. There is a joke among attackers: after compromising an O&M engineer's machine, going through every text file and not finding a single password would be hell. Restrict other people's access to these machines as far as possible.

Administrators of important business systems. They operate and manage the company's core business and hold high privileges on important back-end systems, so once their computers are compromised the consequences are serious: a game company's top-up system back end, an advertising company's customer ad management system, a recruiting company's resume management back end, an e-commerce company's order and logistics management system. Any one of these is a big deal. Restrict other people's access to them as far as possible, and strictly restrict their own access to the extranet.

Executives, HR and finance. Their needs on the office network are relatively simple; their main need is Internet access. They usually do not understand technology, have the weakest security awareness, and are also the people one can least afford to offend. A large amount of company-critical data is concentrated on their office computers, and an intrusion there can directly cause losses. This group can be strictly separated from the other areas of the office network and from internal systems.

Wireless security
The wireless situation is particularly complicated, so I discuss only the more common cases here. Many companies rely on a static wireless password alone: anyone who authenticates with it is on the office network. There are two common misconceptions here:
1. "Our wireless only covers the company premises, so how would an attacker even find it?"
If an attacker really intends to break in, they can simply come to your company. Today's APs have strong transmit power, and if the attacker uses dedicated equipment, its receive sensitivity is strong too.