Network Security Architecture Planning Strategy

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

After the recent wave of the Bitcoin virus, the issue of network security has once again come sharply to my attention. For enterprises, ensuring data security and maintaining business stability is the top priority. So how do we take effective measures to keep our data secure and ensure that our systems are not destroyed by outsiders? The following draws on some personal work experience to discuss common security architecture strategies.

For almost all Internet companies, besides making sure that the services they provide work, security also has to be considered. Different security priorities call for security policies of different strictness.

Network security control

Today a typical website architecture provides its services to the outside through NAT mapping on a firewall or router. The applications that serve external users are the most sensitive area, because they are the entrance to everything else. Be very careful with restrictions at the entrance, and never open a door (control rights) where a window (access rights) will do.

1. Apart from the services that must be provided, close or disable all other service ports and applications. If the site provides a web service, open only port 80; if it provides a mail service, open only the SMTP and POP3 ports.

2. The firewall is an important barrier against external threats, so set its security policy as strictly as possible without affecting the business. Open only the specific ports the application needs on the firewall, and reject all other protocols and ports.

3. When using a firewall for NAT translation, use port mapping instead of IP mapping to avoid some security risks.

4. For servers that need to be managed remotely, the management port must not be exposed on the public network. The general method is to manage them by jumping through the trust zone of the firewall.

5. To make it easier to manage remote servers from the office area, the egress IP of the office area can be added to the trust zone of the firewall, while the local office network itself needs strict access restrictions, such as MAC authentication, domain authentication and so on.

6. The remote management interface of the firewall must not be exposed on the public network.

Service security control

Service security is mainly about preventing vulnerabilities in externally facing applications, protecting data security and so on.

1. Strictly restrict the users who use the service, and do not manage the service with the system's highest administrative privileges.

2. Harden the service: change default passwords, and delete unnecessary configuration items and any risky data that may ship with the system.

3. Conduct regular vulnerability scans of services and applications, even if patches are being applied to fix vulnerabilities.

4. After functional testing is complete, the application should also undergo security testing to avoid unknown vulnerabilities.

Operational security control

1. Prohibit unnecessary trust relationships between hosts.

2. On Linux systems, prohibit root login.

3. Monitor the operations of logged-in users and raise an alarm for abnormal login actions (multiple password errors).
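
An added example (not part of the original article) of the alerting described in item 3: it counts sshd "Failed password" lines per source address and reports every source at or above a threshold, plus any failed root attempt, since item 2 prohibits root login. The log lines are constructed samples; the function names and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example: alert on repeated password failures in sshd log lines.

# Constructed sample log (documentation-range IPs, hypothetical host and users).
sample_auth_log() {
cat <<'EOF'
Jan 30 10:01:02 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 30 10:01:05 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 30 10:01:09 web01 sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 30 10:02:00 web01 sshd[1300]: Accepted password for deploy from 198.51.100.20 port 40022 ssh2
Jan 30 10:03:11 web01 sshd[1311]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
Jan 30 10:04:30 web01 sshd[1320]: Failed password for root from 192.0.2.44 port 60100 ssh2
EOF
}

# detect_login_alerts THRESHOLD   (reads sshd log lines on stdin)
# Prints one line per alert, sorted for stable output:
#   ALERT repeated-failures src=IP count=N   when N >= THRESHOLD
#   ALERT root-attempt src=IP count=N        for any failed root password login
detect_login_alerts() {
    awk -v threshold="$1" '
    / sshd\[[0-9]+\]: Failed password for / {
        src = ""
        # The last "from" token precedes the source address, even for odd user names.
        for (i = 1; i < NF; i++)
            if ($i == "from") src = $(i + 1)
        if (src == "") next
        fails[src]++
        if ($0 ~ /Failed password for root from /) root[src]++
    }
    END {
        for (s in fails)
            if (fails[s] >= threshold + 0)
                printf "ALERT repeated-failures src=%s count=%d\n", s, fails[s]
        for (s in root)
            printf "ALERT root-attempt src=%s count=%d\n", s, root[s]
    }' | LC_ALL=C sort
}

sample_auth_log | detect_login_alerts 3
```

In production the function would read the real sshd log (its location varies by distribution) and the alert lines would be forwarded to whatever alarm channel is in use.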


© 2024 shulou.com SLNews company. All rights reserved.
