Shulou(Shulou.com)11/24 Report--

With the rapid progress of the Internet era, the growth of the number of websites is accelerating. No matter the government, small and medium-sized enterprises or individuals, websites are playing a more and more important role in our lives. They not only play the role of publicity, but also bring us benefits and help many people find the information they want to know. Since the website is so important, how much do you know about website security?

Due to the actual needs of the current project, I recently purchased a full set of website security solutions in Huawei Yunshuang 11 marketing season. Next, I will take this as an example to give you a comprehensive understanding of the importance of website security and the performance advantages of Huawei Cloud website security solution.

First, how much do you know about the importance of network security?

With the rapid development of the Internet, the security of network information has been paid more and more attention. Network security essentially refers to the information security on the network. The Internet is the medium of information dissemination, and the website is the carrier of information display. However, in recent years, network security incidents occur frequently, and the ways of network attacks also show a diversified trend, which brings a serious threat to enterprises and even national economic security. Therefore, we need an effective solution to protect our network security. Here, we will introduce the website security solution launched by Huawei Cloud. The solution combines a variety of core products, including Web application firewall WAF, DDoS high defense AAD, cloud certificate management service CCM, data security center DSC, enterprise host security HSS, cloud fortress machine CBH, situational awareness SA, database security service DBSS and so on. These products comprehensively strengthen the website from four aspects: application, data, load and security situation.

It has the following core advantages:

1. Ensure access experience and uninterrupted business

Super traffic DDoS attacks, CC attacks, SQL injection, website crawlers and other network application layer threats, easy defense

two。 Data assets rest easy

Based on Huawei's 30 + years of network security best practices to resist malicious competition and core asset leakage

3. Important websites will not be tampered with to protect the image and reputation of the unit.

WAF+HSS static and dynamic web pages adopt a two-pronged approach to prevent the web pages of government, enterprises and institutions from being tampered with and affect their image and reputation.

4. Easily meet the requirements of equal security compliance 2.0

Help enterprises to meet the clear needs of laws and regulations related to security compliance 2.0 and network security protection.

5. Flexible expansion of resources and refusal to waste

Support flexible expansion, facilitate business upgrading and expansion, and ensure no waste of resources consumption

Here, we use a combination of technical services such as HSS Enterprise Edition, WAF Standard Edition, DDoS High Defense BGP Pro10G, SSL Certificate-Geotrust Enterprise OV pan-domain name, Yunbao bastion machine CBH and other technical services to ensure the reliability of our network security solution.

The following bloggers will disassemble them in detail:

II. Basic contents of Huawei Cloud website Security solution

Huawei Cloud website Security solution is a comprehensive solution that includes a variety of security measures, and its basic contents include:

1. Web Application Firewall (WAF)

Huawei Cloud website Security solution provides flexible WAF services that can effectively protect Web applications from various types of attacks. Huawei Cloud WAF supports custom rule settings and can set different rules according to specific needs. In addition, Huawei Cloud WAF also supports IP restrictions, submission frequency restrictions, identifying malicious requests, blocking SQL injection and other functions, which can help users respond to various network attacks quickly.

2. SSL certificate

SSL certificate is a kind of encryption technology used to protect the security of website data transmission. Huawei Cloud website Security solution provides SSL certificate service, which can provide users with an efficient and secure certificate acquisition process. We only need to purchase a trusted SSL certificate in the console without additional manual application or installation steps.

3. DDoS protection

DDoS protection is the most common and dangerous kind of network attacks. Huawei Cloud website security solution provides a variety of DDoS protection measures, including blacklist and whitelist settings based on IP address and URL, automatic removal of large-scale attack traffic, reliable global traffic cleaning service, etc., which can effectively ensure the stable operation of the website.

4. Yunbao bastion machine CBH

Yunbao base machine is the security center of operation and maintenance, which is necessary for account authority control, mainframe operation and maintenance monitoring and enterprise security management.

Yunbao base machine realizes the fine management of people, resource accounts and access process by establishing the one-to-one correspondence between its main account and resource slave account. Help customers to establish a safety management system for pre-planning, in-process control and post-audit to reduce the risk of data leakage and IT accidents caused by internal human causes.

Third, the experience effect in practice

As a comprehensive solution designed for network security, the application effect of Huawei cloud website security solution is very important. Below, I will introduce the application effects and characteristics that I feel in practice.

1. The protective ability of WAF is outstanding

In practice, WAF protection capability is one of the core competitiveness of Huawei cloud website security solution.

WAF firewall is actually Web Application Firewall, which is a web application protection system. Enterprises and other users generally use firewalls as the first line of defense of the security system. We conduct waf testing practice through website protection rules: first of all, you can set a flexible speed limit policy according to IP or Cookie to effectively alleviate CC attacks. The main configuration parameters:

Match field coverage: referer, url path, request parameter, user-agent, http request method, cookie key, cookie value, header key, header value, content type, content length. Here is an explanation of some of the proper nouns involved:

IP blacklist and whitelist: custom IP list to accurately identify parts of IP that need to be intercepted or released

Custom defense policy: combine common HTTP fields with conditions to support customized protection policy

Regional ban: blacklist can be imposed on overseas countries and regions, as well as major provinces and regions in China, to block all sources of access to the region.

Security report:

Practice verification: after enabling the rule, we notice that the request does not reach the business server and verify that the interception is effective. This clearly shows that this scheme can effectively prevent a variety of network attacks, such as SQL injection, cross-site scripting and other common attacks. The protection precision of WAF is extremely high, and it can accurately identify and block most of the attack traffic, so as to ensure the stable operation of the website. In addition, WAF also has the ability to quickly update security rules and respond to emerging network security vulnerabilities in a timely manner.

Huawei Cloud WAF is deployed flexibly, supporting the 24-hour operation of professional security teams and the ability to update 0day high-risk vulnerability protection rules within 2 hours at the earliest; at the same time, it can effectively protect our data privacy, support desensitization of sensitive information such as accounts and passwords in attack logs, and avoid exposing private information such as our passwords to event logs.

2. DDoS has strong protection against attacks.

The second advantage of Huawei Cloud website security solution is its strong DDoS attack protection capability, ultra-high attack detection performance and the ability to clear attack messages within the metropolitan area network, which are the advantages of cloud computing service providers. As a common high-hazard security threat, DDoS attack has always been a major concern for CIO.

In order to actually test the ability of DDoS attack protection, we first build an ultra-high traffic DDoS attack detection platform to analyze and monitor user business traffic. In this process, we consider many technologies, such as traffic mirroring, RSPAN, NetStream and so on, to direct the user traffic that needs to analyze attacks to the DDoS attack detection platform. Then, we make comprehensive use of various technologies of the detection platform to achieve attack detection of user traffic. Secondly, when the attack detection platform detects suspected abnormal attack traffic, we will use Huawei Cloud DDoS Service Management Center to automatically tow users' suspected attack traffic to the service provider's traffic cleaning center for malicious traffic removal by means such as BGP routing and release. Finally, the legitimate traffic after the attack is cleared will be injected back to the original network through policy routing, MPLS VPN, dual-link and other ways, and the cleaning log will be reported to the business management center to generate a variety of attack reports to be provided to cloud computing DDoS service tenants for audit.

Through the above tests, we can roughly estimate that its traffic cleaning capacity can reach 350Gbps per second, which is sufficient to deal with most DDoS attacks. In addition, Huawei Cloud's DDoS attack protection strategy is also very perfect, which can respond to different types of attacks and quickly transfer attack traffic to the protection zone to ensure the normal operation of the website.

In addition to the excellent protection features, the cost performance of the solution is also excellent. Users can purchase 10G protection at a lower threshold, which not only provides comprehensive protection for domain names and IP, but also supports multi-cycle purchase to provide you with more flexible and intimate services.

In addition, the professional operation team provides 24-hour technical support, always pays attention to users' security needs, responds in a timely manner and provides different levels of support to ensure that your network security is fully guaranteed.

In a word, for DDoS attacks, after we choose Huawei Cloud, without adjusting the website infrastructure, we can add protection with one click, transparent access, second response, and easily resist heavy traffic attacks!

3. Omni-directional security monitoring and management tools

Huawei Cloud website Security solution provides users with a series of practical security monitoring and management tools to help users understand the security status of the website in real time, discover and deal with potential security risks in a timely manner. These tools not only provide security configuration and log analysis, but also provide functions such as vulnerability scanning and repair to ensure the security and stability of the website. In addition, Huawei Cloud also provides professional security consulting services, according to the specific conditions of users, to provide customized security programs and professional security advice to better protect the network security of users. Both start-ups and large enterprises can comprehensively improve their network security protection level with the help of Huawei Cloud website security solution.

For example, the well-known Huawei cloud desktop, which fully takes into account the security requirements of users, systems and networks, prevents illegal access from the outside. The system has user identity authentication and rights management, corresponding to different application levels. It can not only ensure that different users can efficiently and quickly access and control the system resources within the authorized scope, but also effectively prevent illegal intrusion and unauthorized access between users.

Through Huawei cloud desktop, enterprises can centralize the user desktop data scattered on each PC to the data center in the cloud, and the client does not need to save the user's data to achieve unified security control. At the same time, Huawei Cloud Desktop can achieve strong security policy control. According to different business scenarios, policies such as USB port redirection, file redirection and clipboard redirection can be set accordingly to ensure data security.

For example, if you want to copy a file from the cloud desktop, the administrator needs to confirm and activate the permission, otherwise inserting the USB disk will have the prompt shown in the following figure:

In addition, the cloud desktop allows the administrator to configure the desktop display watermark function, display the login user name and time on the desktop, and configure fixed location watermark and random location watermark, which can effectively prevent users from using camera devices to shoot virtual desktops. Huawei cloud desktop stores customer data on Huawei cloud, which ensures the security of the data.

In addition, the open source cloud security tools widely used by Huawei cloud servers are usually developed by companies of large IT teams with rich experience in cloud computing, such as Netflix, Capital One, Lyft and so on. The teams of these companies have developed their own technologies to address specific needs not covered by existing cloud computing tools and services, and these security tools help understand visibility, proactive testing, and event response.

4. A variety of data encryption methods to improve data security

Huawei Cloud website security solution provides a variety of data encryption means, we can choose according to different situations to improve the security of data. For example, sensitive data can be protected through database encryption, data transmission security can be achieved through communication encryption technology, or file confidentiality can be protected through file encryption technology.

Secondly, Huawei Cloud uses transparent encryption, uses AES-128 algorithm, and uses CTR in encryption mode. CTR stream encryption can ensure that the length of plaintext and ciphertext is equal, so that the data storage space will not expand after encryption. Keys are managed by Huawei's public cloud KMS service to ensure the security of users' keys.

The encryption key hierarchy has three layers. Arranged in hierarchical order, these keys are master keys (CMK), cluster keys (CEK), and database keys (DEK). The master key is kept in KMS, which is used to encrypt CEK; CEK is used to encrypt DEK,CEK plaintext in cluster memory, and ciphertext is stored in service management side; DEK is used to encrypt data in database, DEK plaintext is stored in cluster memory, and ciphertext is stored in service management side.

IV. Future Development trend of Huawei Cloud website Security solution

Although Huawei Cloud website security solution has performed well in all aspects, I believe Huawei Cloud website security solution will continue to maintain a good momentum in the future development. With the development of 5G, big data, artificial intelligence and other technologies, cloud computing security will become more and more important. As a company with independent technology and rich experience, Huawei Cloud will continue to upgrade and improve its own security solutions to provide more high-quality security services for the majority of users.

V. Summary

Through the evaluation of Huawei cloud website security solution, we can find that Huawei cloud website security solution is a perfect and efficient security solution, which can effectively ensure the security of the website. In practice, Huawei Cloud website security solution performs well, with strong anti-attack ability and stable performance. It is worth mentioning that Huawei Cloud's website security products and solutions cover a wide range of applications, not only in Huawei cloud, but also in other data centers such as IDC and other clouds.

Huawei Cloud website security program focuses on the concept of "zero trust" and puts customer needs in the first place. With the continuous development of science and technology, Huawei Cloud website security solutions will continue to improve. With the advantages of rich resources, powerful technology and rapid innovation, Huawei will continue to launch competitive Internet services to meet the personalized business needs of customers. to help enterprises build an indestructible network security system.

It is Huawei Yunshuang 11 marketing season, and many products and solutions, including Huawei Cloud website security solutions, are under hot promotion. Huawei Cloud official website provides you with large discount gift vouchers, etc., with generous benefits. Now log on to the official website, choose the products and services you need, and seize the excellent cloud discount opportunity!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.