2025-02-02 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/02 Report--
I am an Internet enthusiast. I used to naively think that the Internet was a clean place, free of viruses and malware, so I bought a CVM and built a VPN gateway to form a hybrid cloud with my own computer. The architecture was roughly this: the CVM ran the VPN server, and a machine at home acted as the gateway. The "gateway" connected to the CVM's VPN service over the VPN protocol, so that every machine at home could be reached through the CVM's IP address plus a port. Only a few days into the fun, the server was compromised, and then every device connected to it at home was compromised too. My mood at that moment was worse than if I had eaten shit: all the data had been encrypted, including decades of photos and papers. Hearing this, I believe you will grieve for me for a second. Fortunately, all my important material had been backed up, and backed up offline! Let me stress this: you must back up offline. To ransomware, RAID0, RAID1, RAID10 and RAID11 are just more files to eat. RAID protects against data loss caused by hardware failures, but not against loss caused by malicious software, so you must back up offline!
Today's topic, of course, is how to build a relatively more secure hybrid cloud gateway, or rather a comparison of several ways to do it.
From my research, a hybrid cloud connects public-cloud CVMs (AWS, Aliyun and so on) with servers in a self-built machine room: key data stays in the self-built machine room, while Internet-facing entry points such as nginx run in the public cloud, which saves cost and allows auto scaling, among other things. The key to building a hybrid cloud is therefore how to connect the private cloud and the public cloud. At present there are only two common approaches. One is to have the operator pull a Direct Connect line and add routes directly on the machines in the self-built machine room, pointing the public-cloud VPC network segment at that line. The other is to build a VPN.
The comparison between the two is clear. The "dedicated" in Direct Connect is very expensive, and it requires the cooperation of the operator, the cloud provider and others; small enterprises may not be able to afford such high-end lines, which is where the advantage of a VPN shows. A VPN gateway is a private network channel built on top of the public Internet: for the price of a public Internet connection you get the experience of a private network. Although a VPN gateway is somewhat less secure than a physical leased line such as a high-speed channel, the VPN gateway authenticates the data source and encrypts the data in transit, so the content cannot be read even if it is intercepted; it also provides tamper-proofing and anti-replay protection. Convenience is another advantage of a VPN: it is ready to use, quick to build, and needs no multi-party coordination. A VPN is also reliable: VPN gateway nodes can run in dual hot standby with real-time synchronisation and automatic failover. Opening two leased lines to get the same redundancy would cost more than an ordinary enterprise can bear.
OK, back to business. Let's talk about how to build a more secure VPN link.
Speaking of VPNs, there are many kinds. PPTP VPN, IPsec VPN and L2TP VPN are the simplest but the least secure, while OpenVPN is the most secure but needs specific client software to log in, which is more complicated.
In my own experiments, an IKEv2 VPN requires creating a certificate, which is more complicated to use: the certificate has to be copied to every machine that needs to log in, and the device must be able to install it, so it is less universal. There were also some odd problems, such as some websites opening while others did not, which were hard to troubleshoot.
Next I deployed again with L2TP. The mobile phone still connected smoothly, but the Windows 7 computer could not connect; after some searching I found that Windows 7 needs a registry modification, see this link: https://blog.csdn.net/u010750668/article/details/62057603
Since the information on the company's computers is quite important, I did not dare to modify key registry entries without knowing what the consequences would be, so I did not do it. Either way, this method is not very universal.
That leaves PPTP, which is the simplest but not the most secure. Since everyone says it is unsafe, let's explore why, and whether we can proactively close the hole.
According to the material I found, "insecure" here means that data can easily be intercepted in transit and then decrypted, because the encryption scheme used by PPTP has been broken: authentication uses MS-CHAPv2, whose effective key space is 2^56 × 2 = 2^57 (an effective key strength of 57 bits), and specialised hardware such as FPGAs can exhaust it in about 23 hours.
MPPE's 128-bit session key is derived from the MS-CHAPv2 hash, which only runs MD4 and SHA-1 a few times. If the key material from the initial authentication is obtained and the whole PPTP session has been captured, the subsequent session keys can be derived and the entire PPTP traffic decrypted.
So PPTP VPN lacks forward secrecy: once the key is cracked, all previously recorded traffic can be decrypted. IPsec's IKE handshake, by contrast, uses Diffie-Hellman key exchange, and each session key is generated randomly, which improves forward secrecy.
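To make the forward-secrecy point concrete, here is an added example (not code from the original article) that contrasts the two key-establishment styles just described. The PPTP side implements the MPPE master-key and 128-bit session-key derivation from RFC 3079 (the SHA-1 step over the password hash hash, the NT-Response and the fixed magic strings); the MD4(MD4(password)) input and the 24-byte NT-Response are constructed stand-ins rather than a real MS-CHAPv2 exchange, since the point is that both are fixed by the password and the recorded transcript. The IKE side uses ephemeral Diffie-Hellman over an illustrative 127-bit prime, which is an assumption for readability only; real IKE uses the RFC 3526 groups.

```python
import hashlib
import secrets

# ---- PPTP / MPPE side: RFC 3079 key derivation (the MD4 + SHA-1 mix the article mentions) ----
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40


def mppe_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: SHA-1(MD4(MD4(password)) || NT-Response || Magic1)[:16].

    password_hash_hash is static (it depends only on the user's password) and
    nt_response is sent in the clear during the MS-CHAPv2 exchange."""
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def mppe_session_key_128(master_key: bytes, magic: bytes) -> bytes:
    """RFC 3079 GetAsymmetricStartKey for 128-bit MPPE keys."""
    return hashlib.sha1(master_key + SHA_PAD1 + magic + SHA_PAD2).digest()[:16]


def pptp_session(password_hash_hash: bytes):
    """One PPTP session: returns the client's (send, receive) keys and the
    transcript a passive observer on the path would record."""
    nt_response = secrets.token_bytes(24)          # constructed stand-in for the 24-byte MS-CHAPv2 response
    master = mppe_master_key(password_hash_hash, nt_response)
    keys = (mppe_session_key_128(master, MAGIC2), mppe_session_key_128(master, MAGIC3))
    transcript = {"nt_response": nt_response}      # observable on the wire
    return keys, transcript


def passive_observer_recovers(transcript, password_hash_hash: bytes):
    """What someone holding a full capture can do once they later learn the password hash:
    re-derive both session keys from nothing but the recorded transcript."""
    master = mppe_master_key(password_hash_hash, transcript["nt_response"])
    return (mppe_session_key_128(master, MAGIC2), mppe_session_key_128(master, MAGIC3))


# ---- IKE-style side: ephemeral Diffie-Hellman ----
# Illustrative 127-bit Mersenne prime only (assumption); IKE uses RFC 3526 groups (2048 bits and up).
P = 2**127 - 1
G = 5


def dh_session():
    """Both peers pick a fresh secret exponent, exchange only g^x mod p, and discard
    the exponent after use. The transcript holds the public values alone."""
    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    key_a = hashlib.sha256(pow(pub_b, a, P).to_bytes(16, "big")).digest()
    key_b = hashlib.sha256(pow(pub_a, b, P).to_bytes(16, "big")).digest()
    del a, b                                        # ephemeral secrets are gone after the handshake
    transcript = {"pub_a": pub_a, "pub_b": pub_b}
    return key_a, key_b, transcript


def demo():
    # Constructed stand-in for MD4(MD4(password)); in real PPTP it comes from the NT hash.
    phh = bytes.fromhex("00112233445566778899aabbccddeeff")
    keys, transcript = pptp_session(phh)
    recovered = passive_observer_recovers(transcript, phh)
    k_a, k_b, dh_transcript = dh_session()
    return {
        "pptp_keys_recovered_from_capture": keys == recovered,
        "dh_peers_agree": k_a == k_b,
        "dh_transcript_contains_only_public_values": set(dh_transcript) == {"pub_a", "pub_b"},
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The asymmetry is the whole story: in the PPTP branch every session key is a deterministic function of the password hash and values that crossed the wire, so a stored capture becomes readable the day the hash is obtained; in the DH branch the transcript never carries the exponents, so learning the long-term credential later does not hand over old session keys.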
Although I don't fully understand the details, the point is that it can be cracked; whether anyone bothers to crack yours depends on how valuable you are, and for ordinary personal use I don't think anyone will go to the trouble of decrypting your data.
Besides, even if the tunnel is cracked, only the data that was transmitted in plaintext is exposed; data that is itself encrypted, such as SSH or HTTPS, still cannot be read. Let me explore this with a small experiment.
Experimental environment:
Machine A: VPN client 1, public IP 220.x.x.176 (masked), internal IP 10.31.162.113
Machine B: Alibaba Cloud CVM (the VPN server), details masked: xxxxxxxx
Machine C: VPN client 2, public IP 117.x.x.253 (masked), internal IP 10.31.162.111
Website D:
Experimental topology 1: packet capture analysis of visiting an external website through the VPN
After the connection is established, A visits the HTTP website D. Capturing packets on the A side shows only PPP packets whose payload is entirely encrypted, so the content of the HTTP messages cannot be seen directly. Capturing on the B side, however, shows the ordinary HTTP data that B sends on after decryption, and the HTTP message text is visible, as shown in the following figure:
A simple analysis: packets 32 and 33 are a DNS request for the IP address of www.51cto.com, which returns 59.110.244.199. Packet 41 belongs to the TCP three-way handshake between machine B and website D, and packet 42 is the plaintext HTTP message, where the Host header can be read. This experiment shows that the VPN tunnel really is encrypted, and the data content cannot be read directly from a capture (it can of course be cracked). But once the traffic reaches the VPN server and goes on to the website, it is sent as unencrypted plaintext datagrams, so the tunnel's encryption no longer plays any role there.
Experimental topology 2: packet capture analysis of visiting the company's intranet website
This is equivalent to two travellers, A and C, both connecting to the company's intranet over the company VPN at the same time, and then testing whether the communication between A and C is encrypted. To make the test easy, a simple nginx HTTP site is set up on A and visited from C.
The packet capture screenshot is omitted. In short, there are no HTTP packets, only PPP Comp and GRE packets, which proves that VPN traffic is fully encrypted on the public network segment, though different VPN protocols use different encryption algorithms. In that sense, PPTP VPN can still be used where the data is not very important; if the data is extremely important, this way of building the link is not recommended.
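The two captures above differ only in where the sniffer sits, and that difference can be reproduced without Wireshark. The following added example (not from the original article) builds two constructed frames with the standard library: a PPTP data frame as seen on a client's public interface (IPv4 / enhanced GRE per RFC 2637 / PPP with protocol 0x00FD, the "PPP Comp" that Wireshark displays for MPPE-encrypted payloads) and the plaintext HTTP frame the VPN server emits after decryption. A small classifier then reports what is readable in each. The addresses are RFC 5737 documentation addresses, except 59.110.244.199, which is the website address from the article's capture; the encrypted payload bytes are an arbitrary stand-in, and checksums are left zero because the classifier does not verify them.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPP_COMPRESSED = 0x00FD   # shown by Wireshark as "PPP Comp": MPPE-encrypted datagram
PPP_IP = 0x0021           # PPP-encapsulated IPv4 in the clear
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def ip_to_bytes(s): return bytes(int(x) for x in s.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left zero because the classifier does not verify it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))


def pptp_gre_frame(src, dst, ppp_proto, ppp_payload, call_id=1, seq=1):
    """PPTP data frame: IPv4 / enhanced GRE (RFC 2637) / PPP."""
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    # flags 0x30 = Key + Sequence present, version 1, protocol type 0x880B (PPP)
    gre = struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, len(ppp), call_id, seq) + ppp
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def tcp_frame(src, dst, sport, dport, payload):
    """IPv4 / TCP frame with a 20-byte TCP header (data offset 5, PSH+ACK)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def gre_header_len(body):
    """Enhanced GRE header size depends on which optional fields are flagged."""
    flags, ver = body[0], body[1]
    n = 4
    if flags & 0x20: n += 4       # Key (payload length + call ID)
    if flags & 0x10: n += 4       # Sequence number
    if ver & 0x80: n += 4         # Acknowledgement number
    return n


def classify(frame):
    """Return what a sniffer on this segment can actually see in one IPv4 frame."""
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    info = {"src": bytes_to_ip(frame[12:16]), "dst": bytes_to_ip(frame[16:20]), "plaintext": None}
    body = frame[ihl:]
    if proto == IPPROTO_GRE:
        hl = gre_header_len(body)
        ppp_proto = struct.unpack("!H", body[hl:hl + 2])[0]
        info.update(encap="GRE/PPP", ppp_proto=ppp_proto)
        if ppp_proto == PPP_COMPRESSED:
            info["verdict"] = "MPPE-encrypted PPP payload: opaque on this segment"
        elif ppp_proto == PPP_IP:
            info["verdict"] = "PPP-encapsulated IPv4 in the clear"
        else:
            info["verdict"] = "other PPP protocol"
    elif proto == IPPROTO_TCP:
        doff = (body[12] >> 4) * 4
        payload = body[doff:]
        info.update(encap="TCP", dport=struct.unpack("!H", body[2:4])[0])
        if payload.startswith(HTTP_METHODS):
            head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
            headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
            info["plaintext"] = {"request": head[0], "host": headers.get("Host")}
            info["verdict"] = "plaintext HTTP: request line and Host readable"
        else:
            info["verdict"] = "TCP payload, not HTTP"
    else:
        info.update(encap=f"proto {proto}", verdict="unhandled")
    return info


# Constructed sample frames (not real captures).
CLIENT_SIDE = pptp_gre_frame("192.0.2.10", "198.51.100.5", PPP_COMPRESSED,
                             bytes.fromhex("9a4c1ee7b03f5d21c8a6"))   # arbitrary ciphertext stand-in
SERVER_SIDE = tcp_frame("198.51.100.5", "59.110.244.199", 40000, 80,
                        b"GET / HTTP/1.1\r\nHost: www.51cto.com\r\n\r\n")


def summarize(frames):
    """Count frames whose application data a sniffer could read, as in the article's two topologies."""
    results = [classify(f) for f in frames]
    return {"total": len(results), "readable_http": sum(r["plaintext"] is not None for r in results)}


if __name__ == "__main__":
    for f in (CLIENT_SIDE, SERVER_SIDE):
        r = classify(f)
        print(f'{r["src"]} -> {r["dst"]} [{r["encap"]}] {r["verdict"]} {r["plaintext"] or ""}')
```

Running it prints an opaque GRE/PPP verdict for the client-side frame and the readable request line plus Host for the server-side frame, which is exactly the asymmetry of topology 1: the tunnel hides the content on the path between A and B, and nothing hides it between B and D unless the application itself uses TLS or SSH.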