2025-03-06 Update | From: SLTechnology News&Howtos | Network Security
Shulou (Shulou.com) 06/01 Report
Today, let's talk about how to build an enterprise security system. For enterprises large and small, the security system has long been a topic of concern, and most have questions about how to build one and what "security" actually covers. This article discusses the construction of a security architecture from the perspective of its basic components.
What aspects make up a security architecture?
Physical aspect
For example, the security of the server room, of the physical servers, and of the hard disks. Some people may ask: my servers are in the cloud, does physical security still apply? For most enterprises there is no need to worry too much about the physical security of the cloud, because the cloud provider monitors the physical security of its own server rooms. In practice, though, there is a lot of information worth examining at the outset: the monitoring of the cloud provider's server rooms, the visit and access review process for its staff, the high availability of the server room, how long the cloud servers have been in use, and so on.
For instance
Suppose one of our servers has been in service for about five years and the battery on its motherboard has failed. Whenever the server restarts, the time zone is reset and the clock reads 8 hours behind the real business time. HTTPS certificate validation then fails its time check, and the business entry point stops working. The problem surfaces because the crontab time-synchronization job does not run at second-level granularity, but who normally schedules time synchronization that finely? This problem directly paralysed the business, so when choosing a cloud provider, be sure to ask how long their hosts have been in use.
What does cloud physical monitoring need to cover?
For example, everyone who enters and leaves the server room must be monitored. In the past there were cases of non-staff entering a cloud provider's server room posing as provider personnel to steal data. This has been most serious abroad; domestically it has improved a great deal through controls, but physical monitoring still cannot be taken lightly.
Data aspect
Data security: stored data should be encrypted and, where necessary, desensitized (masked). Use double-layer encryption wherever possible. Here is what I do:
Desensitize the original data. Because this is an Internet finance business, personal information passes through the system. If it is not strictly needed, such information must not be stored at all; where it is needed, it is masked. For example, only the first four digits of a bank card number are retained as the basis for payment reconciliation, and that is what is used when key information has to be checked.
The first layer encrypts the data with the 3DES algorithm.
The second layer encrypts the 3DES key with the RSA algorithm (2048 bits).
The final key is stored in an encryption/decryption system that scrambles the stored key. Only people with the relevant permissions may apply for the key; they receive the scrambled key, the request is authorized by the CEO or CTO, and the person in charge of keys restores it.
Although this process is troublesome, it maximizes the security of the data.
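The two-layer scheme above, worked through as an added example; this is not the author's code, it is written for this page in Go using only the standard library. It masks a card number down to its first four digits, encrypts a record with a fresh 3DES key, and wraps that key under RSA-2048 OAEP, so a stored record is useless without the private key that the article keeps under CEO/CTO-approved custody. The function names, the Envelope layout and the sample card number are this example's own. One caveat a practitioner would add: 3DES is a legacy cipher (64-bit block; NIST deprecated it and disallows it after 2023), so a new deployment of the same layering would put AES-256 in the first layer and keep the RSA wrap unchanged.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// MaskCardNumber keeps the first four digits of a card number (the article's
// reconciliation hint) and replaces every other digit with '*'.
func MaskCardNumber(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces, dashes, anything non-digit
	}, pan)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return digits[:4] + strings.Repeat("*", len(digits)-4)
}

// Envelope is the stored form: 3DES-CBC ciphertext plus the record's 3DES key wrapped under RSA-OAEP.
type Envelope struct {
	IV, Ciphertext, WrappedKey []byte
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%size == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// GenerateKeyPair makes the RSA-2048 pair; the private half belongs to the key custodian.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the article's two layers: a fresh 24-byte 3DES key encrypts the
// record (layer one) and the RSA public key wraps that key (layer two).
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	material := make([]byte, 24+des.BlockSize) // 3DES key followed by the IV
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	dek, iv := material[:24], material[24:]
	block, _ := des.NewTripleDESCipher(dek) // 24-byte key: cannot fail
	padded := pkcs7Pad(plaintext, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{IV: iv, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Open reverses Seal: the step the article gates behind CEO/CTO approval and
// the key custodian. A wrong private key is rejected at the unwrap.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(dek)
	if err != nil {
		return nil, err
	}
	if len(env.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	return pkcs7Unpad(pt, des.BlockSize)
}

func main() {
	priv, _ := GenerateKeyPair()
	env, _ := Seal(&priv.PublicKey, []byte("6222 0212 3456 7890 123")) // constructed card number
	pt, err := Open(priv, env)
	fmt.Println(MaskCardNumber(string(pt)), len(env.WrappedKey), err)
}
```

The custody step is not code: the RSA private key stays with the key custodian, and the scrambling of the stored key is whatever the encryption/decryption system does, which this example does not model.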
Application aspect
Application security is not only the aspect people like best, but also the one most easily attacked. How well application security is done determines whether an attacker can get in at all and how easy it is. Let me discuss my approach to application security from several aspects:
1. Who?
Many people will be puzzled when they see this subtitle, so let me give a small example, using Jenkins. Jenkins is an open-source automated project deployment platform, generally used when a project is released. I have not studied its exact differences from Apollo, but to fit the project architecture I built two sets of automated deployment platforms: Apollo is used more for micro-services, and Jenkins more for project releases.
When Jenkins is installed, it sets up an access matrix, which defines who is authorized to do what: for example, operations staff are authorized to release projects and execute scripts, auditors are authorized to check logs, and so on. Several abnormal behaviours can arise here:
(1) Unauthorized access
Unauthorized access means that a user who has not been granted access can reach the system and holds the authority of an authorized user.
Take Jenkins again. In its early days, Jenkins did not configure an access matrix after initialization, so many users were unaware of it and unaware of the harm of unauthorized access, and countless Jenkins instances were exposed on the public Internet. The users themselves perhaps never noticed that Jenkins could be logged into with an empty username and empty password: this is the "everyone" identity in the access matrix, and the frightening thing is that by default everyone has all permissions. Anyone who found an unauthenticated Jenkins could enter it and execute shell commands, which is a built-in feature of Jenkins. (The screenshot from the original post is not reproduced here.)
Many other systems have had unauthorized-access problems of the same kind: Zeppelin, Redis, ZooKeeper, Elasticsearch, Docker, Hadoop, and so on.
My suggestion here is to do a good job of "who" control: control access to every application, defining who may access which system and with which permissions. Ideally that judgement is based on two factors.
Application systems are also best placed on the intranet behind access control, so that even if a 0-day is disclosed they will not be swept up and exploited immediately.
The fewer applications exposed on the public network, the fewer layers are open to attack, and the harder an attack becomes.
(2) Ultra vires access
Ultra vires access refers to a legitimate user who has been granted permission A but can do what permission B allows.
Here is another Jenkins example:
I will just post the vulnerability number here; those who are interested can look it up. Although this vulnerability is officially rated as serious, I can only rate it as medium, so I have not written it up in detail.
The reason is that the vulnerability requires a Jenkins restart, and operations tools of this kind in a production environment are rarely restarted, unless the attacker pairs it with a DoS attack or waits for something irreversible such as a server-room failure.
In outline, an attacker can use CVE-2018-1999001 to move the config.xml configuration file out of the Jenkins home directory into another directory. When the Jenkins service is next restarted, it cannot load the security realm and authorization strategy configured in config.xml, falls back to legacy mode, and grants anonymous users administrator rights.
Once the attacker has Jenkins permissions, they can view build history and even download the workspace code, leaking the core code.
After entering the management pages, a user can run arbitrary script commands, intended for management or fault diagnosis, through the "Script Command Line" function under "System Management", causing serious impact and harm to the Jenkins server.
In effect, the over-privileged action changes the config.xml file, which then turns into unauthorized access to the server.
Ultra vires access generally arises from improper permission control. My suggestion is to implement least-privilege control in permission planning, with a bit more granularity, and to do authentication properly: every operation needs an authentication check. This minimizes the possibility of ultra vires access.
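A check for the two Jenkins failure modes discussed under (1) and (2): an access matrix that was never configured, and a config.xml that has been moved out of JENKINS_HOME so that the next restart lands in legacy mode. This is an added example, not code from the page or from the Jenkins project. It parses the security-relevant elements of config.xml (useSecurity, securityRealm, authorizationStrategy and its permission entries, in the layout Jenkins writes them) and reports the anonymous or authenticated pseudo-groups holding Administer or RunScripts. The sample fragments are constructed, and the JENKINS_HOME path in the test is a placeholder.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// jenkinsConfig maps the parts of JENKINS_HOME/config.xml that decide "who may
// do what": whether security is on, the security realm (who can log in) and
// the authorization strategy (the access matrix).
type jenkinsConfig struct {
	XMLName     xml.Name `xml:"hudson"`
	UseSecurity bool     `xml:"useSecurity"`
	Realm       struct {
		Class string `xml:"class,attr"`
	} `xml:"securityRealm"`
	Strategy struct {
		Class       string   `xml:"class,attr"`
		Permissions []string `xml:"permission"`
	} `xml:"authorizationStrategy"`
}

// Permissions that amount to full control; granting either to anonymous or
// authenticated recreates the "everyone has everything" state the article describes.
var dangerous = map[string]bool{
	"hudson.model.Hudson.Administer": true,
	"hudson.model.Hudson.RunScripts": true,
}

// AuditJenkinsConfig returns one finding per weakness in a config.xml body.
func AuditJenkinsConfig(data []byte) ([]string, error) {
	var cfg jenkinsConfig
	if err := xml.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if !cfg.UseSecurity {
		return []string{"useSecurity is false: no login and no access matrix at all"}, nil
	}
	var findings []string
	if strings.HasSuffix(cfg.Realm.Class, "SecurityRealm$None") {
		findings = append(findings, "securityRealm is None: nobody has to authenticate")
	}
	switch {
	case strings.HasSuffix(cfg.Strategy.Class, "AuthorizationStrategy$Unsecured"):
		findings = append(findings, "authorizationStrategy is Unsecured: anyone can do anything")
	case strings.HasSuffix(cfg.Strategy.Class, "FullControlOnceLoggedInAuthorizationStrategy"):
		findings = append(findings, "every logged-in user is an administrator; use a matrix instead")
	}
	for _, p := range cfg.Strategy.Permissions {
		// Entries look like "hudson.model.Hudson.Administer:admin" or, on
		// newer versions, "USER:hudson.model.Hudson.Administer:admin".
		parts := strings.Split(p, ":")
		if len(parts) < 2 {
			continue
		}
		perm, sid := parts[len(parts)-2], parts[len(parts)-1]
		if dangerous[perm] && (sid == "anonymous" || sid == "authenticated") {
			findings = append(findings, fmt.Sprintf("%s granted to %s", perm, sid))
		}
	}
	return findings, nil
}

// AuditJenkinsHome reads config.xml from a JENKINS_HOME directory. A missing
// file is itself a finding: as the article describes for CVE-2018-1999001,
// Jenkins without config.xml restarts in legacy mode with anonymous admin.
func AuditJenkinsHome(home string) []string {
	data, err := os.ReadFile(filepath.Join(home, "config.xml"))
	if err != nil {
		return []string{"config.xml unreadable (" + err.Error() + "): next restart falls back to legacy mode"}
	}
	findings, err := AuditJenkinsConfig(data)
	if err != nil {
		return []string{"config.xml does not parse: " + err.Error()}
	}
	return findings
}

// Constructed config.xml fragments, trimmed to the relevant elements.
const (
	SampleUnsecured = `<hudson><useSecurity>true</useSecurity>
<securityRealm class="hudson.security.SecurityRealm$None"/>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/></hudson>`
	SampleAnonAdmin = `<hudson><useSecurity>true</useSecurity>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Administer:admin</permission>
<permission>hudson.model.Hudson.Administer:anonymous</permission>
<permission>hudson.model.Hudson.Read:anonymous</permission>
</authorizationStrategy></hudson>`
	SampleHardened = `<hudson><useSecurity>true</useSecurity>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>USER:hudson.model.Hudson.Administer:admin</permission>
<permission>USER:hudson.model.Hudson.Read:ops</permission>
<permission>USER:hudson.model.Item.Build:ops</permission>
<permission>USER:hudson.model.Item.Read:audit</permission>
</authorizationStrategy></hudson>`
	SampleNoSecurity = `<hudson><useSecurity>false</useSecurity></hudson>`
)

func main() {
	for name, body := range map[string]string{"unsecured": SampleUnsecured, "anon-admin": SampleAnonAdmin, "hardened": SampleHardened} {
		f, _ := AuditJenkinsConfig([]byte(body))
		fmt.Println(name, f)
	}
}
```

Run it from a cron job or a configuration-management check against every controller's JENKINS_HOME; an empty findings list for the hardened sample is the state the access matrix should be in, and a "config.xml unreadable" finding before a restart is the window the CVE above needs.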
(3) Bypassing authentication
This was more popular in the early days: on the login page, enter a username and password as normal, and use SQL injection to make the SQL statement evaluate true, skipping authentication and entering the system.
At present many CMS systems have authentication bypasses. Credential stuffing can also be regarded as a way of bypassing authentication.
According to earlier Akamai statistics, from the beginning of November 2017 to the end of June 2018, Akamai's research found more than 30 billion malicious login attempts in eight months.
The number of malicious logins worldwide is rising and the situation is not optimistic. In the face of such severe credential-stuffing attacks, is there any good way to avoid them?
Many people will think of two-factor login, but many people also cannot tell the difference between two-factor login and two-step login.
Two-factor login verifies the traditional password and the second factor at the same time, while two-step login authenticates the traditional password first and only then, after it succeeds, the second factor.
The difference is that with two-factor login the attacker cannot tell whether the password alone was correct, whereas with two-step login, even though a second factor exists, the password can still be brute-forced, and that password can then be used for credential stuffing elsewhere.
Suppose the corporate mailbox password is the same as the one that was brute-forced: corporate information disclosure and even targeted social-engineering phishing will then haunt you like a nightmare.
So here it is recommended to use two-factor login authentication to avoid the problem of bypassing authentication.
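The two designs side by side, as an added example that is not from the original post. The sequential (two-step) flow judges the password on its own, so its response already tells the caller whether the password was right before the second factor is ever consulted; the combined (two-factor) flow evaluates both and returns one indistinguishable failure. The Reason field stands in for the observable difference (being moved on to step two versus being rejected outright). The account table, hashes and OTP value are constructed for the example; a real system would use a proper password hash and TOTP rather than SHA-256 and a fixed code.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Outcome of a login attempt. The point of the example is what a failure
// tells the caller, so Reason is only distinct where the design leaks it.
type Outcome struct {
	OK     bool
	Reason string // "" on success
}

// account is a constructed user record: a password hash and a pre-shared
// second factor standing in for a TOTP code so the example runs offline.
type account struct {
	pwHash [32]byte
	otp    string
}

var users = map[string]account{
	"alice": {pwHash: sha256.Sum256([]byte("correct horse")), otp: "492817"},
}

func passwordMatches(a account, pw string) bool {
	h := sha256.Sum256([]byte(pw))
	return subtle.ConstantTimeCompare(h[:], a.pwHash[:]) == 1
}

func otpMatches(a account, otp string) bool {
	return subtle.ConstantTimeCompare([]byte(otp), []byte(a.otp)) == 1
}

// TwoStepLogin is the sequential design the article warns about: the password
// is judged first, so the response reveals whether it was right before the
// second factor is consulted, and password guessing is not slowed down at all.
func TwoStepLogin(user, pw, otp string) Outcome {
	a, ok := users[user]
	if !ok || !passwordMatches(a, pw) {
		return Outcome{Reason: "bad password"} // the oracle: password confirmed wrong
	}
	if !otpMatches(a, otp) {
		return Outcome{Reason: "bad second factor"} // password confirmed right
	}
	return Outcome{OK: true}
}

// TwoFactorLogin checks both factors together and returns the same failure
// whichever one was wrong, so a password guess cannot be confirmed without
// also holding the second factor.
func TwoFactorLogin(user, pw, otp string) Outcome {
	a, ok := users[user]
	if !ok {
		a = account{} // still run both checks so timing stays uniform
	}
	pwOK := passwordMatches(a, pw)
	otpOK := otpMatches(a, otp)
	if ok && pwOK && otpOK {
		return Outcome{OK: true}
	}
	return Outcome{Reason: "login failed"}
}

// LeaksPasswordOracle reports whether a login function answers differently
// for a correct password with a wrong second factor than for a wrong
// password. If it does, the second factor does not stop password guessing.
func LeaksPasswordOracle(login func(user, pw, otp string) Outcome) bool {
	right := login("alice", "correct horse", "000000")
	wrong := login("alice", "wrong guess", "000000")
	return right.Reason != wrong.Reason
}

func main() {
	fmt.Println("two-step leaks password oracle:", LeaksPasswordOracle(TwoStepLogin))
	fmt.Println("two-factor leaks password oracle:", LeaksPasswordOracle(TwoFactorLogin))
}
```

The same oracle exists in any sequential flow regardless of message wording: if the server asks for the second factor only after the password passed, the prompt itself confirms the password.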
2. Do what?
Judge whether behaviour is abnormal. In general, normal users do not execute abnormal requests. Take Jenkins again:
Normal users, such as operations staff, execute scripts that generally carry out project code replacement: compiling jar packages, replacing them, and so on.
When an attacker first obtains command execution, the commands they run immediately are usually identity commands, such as whoami, w, last, and so on.
Such information is generally not needed in the normal operation of Jenkins and needs to be controlled. Of course, the permissions of the Jenkins process itself should also be minimized; it certainly must not run as root, which further raises the difficulty of execution.
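Detection logic for the behaviour rule above, as an added example that is not the author's setup: it reads execution-log lines in a constructed format, splits each command line into the programs it actually runs, and alerts when one of the identity commands the article names (whoami, w, last; id and uname are added here as the same kind of host probe) appears. Field names, the log format and the sample lines are this example's own; in a real deployment the input would come from the Jenkins job console output or an audit-log plugin.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Alert is one flagged execution-log line.
type Alert struct {
	User, Command string
	Matched       []string // identity/recon commands found in Command
}

// reconCommands: the article names whoami, w and last as what an intruder
// runs first; id and uname are added here as the same kind of host probe.
var reconCommands = map[string]bool{
	"whoami": true, "w": true, "last": true, "id": true, "uname": true,
}

// lineRE matches the constructed log format used below: ... user=<u> cmd="<c>".
var lineRE = regexp.MustCompile(`user=(\S+)\s+cmd="([^"]*)"`)

// commandHeads splits a shell line on ; && || | and newlines and returns the
// program name of each piece, so `FOO=1 sudo /usr/bin/whoami && w` yields
// ["whoami", "w"].
func commandHeads(cmd string) []string {
	norm := strings.NewReplacer("&&", "\n", "||", "\n", ";", "\n", "|", "\n").Replace(cmd)
	var heads []string
	for _, seg := range strings.Split(norm, "\n") {
		for _, f := range strings.Fields(seg) {
			if f == "sudo" || strings.Contains(f, "=") {
				continue // skip env assignments and sudo; the real program follows
			}
			heads = append(heads, path.Base(f))
			break
		}
	}
	return heads
}

// DetectRecon scans one execution log (one line per command run from the
// Jenkins job) and returns an Alert for each line that runs a recon command.
func DetectRecon(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		var matched []string
		for _, h := range commandHeads(m[2]) {
			if reconCommands[h] {
				matched = append(matched, h)
			}
		}
		if len(matched) > 0 {
			alerts = append(alerts, Alert{User: m[1], Command: m[2], Matched: matched})
		}
	}
	return alerts
}

// SampleLog is constructed for this example: two routine release steps, then
// commands a release job has no reason to run.
const SampleLog = `2024-05-01T10:00:01Z job=release-api user=ops cmd="mvn -q package && cp target/api.jar /srv/api/"
2024-05-01T10:02:13Z job=release-api user=ops cmd="sudo systemctl restart api"
2024-05-01T10:41:07Z job=release-api user=ops cmd="whoami; w; last -n 20"
2024-05-01T10:41:30Z job=release-api user=ops cmd="cat /etc/hosts | head -n 3"
2024-05-01T10:42:02Z job=release-api user=ops cmd="LANG=C /usr/bin/id"`

func main() {
	for _, a := range DetectRecon(SampleLog) {
		fmt.Printf("ALERT user=%s ran %v in %q\n", a.User, a.Matched, a.Command)
	}
}
```

Matching on the program name of each segment rather than on a substring keeps a harmless `last-release.sh` or a `w` inside an argument from firing; the rule is deliberately narrow, and a second rule keyed on the release job's known commands (an allow-list) is the complement for catching anything else unexpected.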
3. How?
At this point, consider the means by which an attacker can attack applications, such as SQL injection, XSS, XXE, malicious file upload, CSRF, SSRF and the other most common entries in the OWASP Top 10. Against these attack methods, a WAF is recommended to block malicious attacks. The construction of an open-source WAF system, including the WAF itself plus log auditing and alerting, will be shared later. If you are interested, please leave a message and discuss. Welcome to follow.
Host level
Host security is the hardest to control of all the aspects above, covering both server security and terminal (endpoint) security.
Security at the technical level is relatively easy to control: server and endpoint baseline security, antivirus software, access control and so on. What is hardest to control is actually the human factor.
There are many cases: employees privately set up WiFi with a weak password, which lets an attacker connect to the corporate private network and attack it; employees browse malicious websites, the terminal is infected with a virus, and it spreads to the corporate intranet.
There are many such incidents, and a management system alone is not enough to prevent them, so what should host security do? Let me share my governance methods:
First, on servers, use Ansible to push and install ClamAV and run scans regularly. Crontab can run the scheduled tasks and report the results; the results are forwarded to log analysis through Filebeat, and the alarm conditions are standardized in log analysis.
For terminals, take 360 as an example: unified control. 360 has a server and a client; a unified control password is set on the server, the client is distributed and installed on every terminal, and each terminal runs antivirus regularly and cannot turn it off.
Carry out regular enterprise training to raise everyone's security awareness, set access control on routers, and prohibit access to harmful websites (using a crawler-built blacklist for access control).
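The log-analysis side of the ClamAV setup above, as an added example (not the author's playbook or Filebeat configuration): it parses clamscan's stdout as a cron job would capture it, emits one JSON line per scan for Filebeat to ship, and defines the standardized alarm condition, which fires on an infection, on a scan that never reached its summary, and on a scan that covered zero files (the silent failure when the cron job points at the wrong path). The sample output is constructed in clamscan's format using the EICAR test signature; the host name and JSON field names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Hit is one infected file reported by clamscan ("<path>: <signature> FOUND").
type Hit struct {
	Path      string `json:"path"`
	Signature string `json:"signature"`
}

// ScanReport is the structured record emitted for Filebeat; the alert rule in
// log analysis then keys on infected_files, complete and scanned_files.
type ScanReport struct {
	Host          string `json:"host"`
	ScannedFiles  int    `json:"scanned_files"`
	InfectedFiles int    `json:"infected_files"`
	Complete      bool   `json:"complete"`
	Hits          []Hit  `json:"hits"`
}

// ParseClamscan reads clamscan's stdout: per-file FOUND lines followed by the
// "SCAN SUMMARY" block with "Scanned files:" and "Infected files:" counters.
func ParseClamscan(host, out string) ScanReport {
	r := ScanReport{Host: host}
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasSuffix(line, " FOUND"):
			if i := strings.LastIndex(line, ": "); i > 0 {
				r.Hits = append(r.Hits, Hit{Path: line[:i], Signature: strings.TrimSuffix(line[i+2:], " FOUND")})
			}
		case strings.Contains(line, "SCAN SUMMARY"):
			r.Complete = true
		case strings.HasPrefix(line, "Scanned files:"):
			r.ScannedFiles, _ = strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Scanned files:")))
		case strings.HasPrefix(line, "Infected files:"):
			r.InfectedFiles, _ = strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Infected files:")))
		}
	}
	return r
}

// ShouldAlert is the standardized alarm condition: an infection, a scan that
// never reached its summary (killed, disk full), or a scan that looked at
// nothing (wrong path in the cron job), which would otherwise fail silently.
func (r ScanReport) ShouldAlert() (bool, string) {
	switch {
	case !r.Complete:
		return true, "scan did not complete"
	case r.InfectedFiles > 0 || len(r.Hits) > 0:
		return true, fmt.Sprintf("%d infected file(s)", r.InfectedFiles)
	case r.ScannedFiles == 0:
		return true, "scan covered zero files"
	}
	return false, ""
}

// JSONLine renders the report as one line for Filebeat's JSON decoding.
func (r ScanReport) JSONLine() (string, error) {
	b, err := json.Marshal(r)
	return string(b), err
}

// Constructed clamscan output in the real tool's format (EICAR test signature).
const SampleInfected = `/srv/upload/invoice.exe: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Scanned directories: 12
Scanned files: 340
Infected files: 1
Data scanned: 45.12 MB
Time: 12.345 sec (0 m 12 s)`

const SampleClean = `----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 340
Infected files: 0`

func main() {
	r := ParseClamscan("web-01", SampleInfected) // host name constructed
	alert, why := r.ShouldAlert()
	line, _ := r.JSONLine()
	fmt.Println(alert, why, line)
}
```

In the cron job, pipe clamscan's output through this parser and append the JSON line to the file Filebeat tails; the "scan did not complete" and "zero files" conditions are what turn a broken scheduled scan from an absence of data into an alert.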
Network level
The focus at the network level is that the firewall controls traffic in and out of the DMZ and decides which cross-network access is compliant and which is not.
For example, one of my businesses is on Aliyun while the monitoring system and the main business are on Tencent Cloud. For cost reasons I do not want to build a separate monitoring system on Aliyun; I just want to keep using Tencent Cloud's. However, to ensure isolation between businesses, a VPN should be set up at both ends, allowing only mutual access between the monitoring system and that business.
However, keeping that VPN stable is very difficult under current domestic conditions, especially during the recent "net protection" exercise, when it was basically cut off several times a day.
Multi-link reliable access is the embodiment of service availability designed against network congestion, wide-area network failures, accidents and so on.
Imagine a business domain such as ex.com: when it is hit by a DDoS attack, a large number of merchants cannot reach the business domain, causing great loss.
Or a failure in the wider network environment, such as the domain resolution failures caused by the 114DNS outage some time ago, or failures in the routing of intermediate nodes; the losses are also huge.
Here, a design with multi-line DNS resolution and dual-line access maximizes service availability: what we call CDN and dual egress.
Security is not only technical work but also management work, and everything serves one goal: that the business runs normally. We need emergency response, but if we can avoid it, who wants an emergency?
© 2024 shulou.com SLNews company. All rights reserved.