The key of enterprise network security is to find out the security boundary ( Attack point ): To the left of the border is the attacker ( Script Kiddies , Hackers ,APT attack ), To the right of the border are network assets , Information assets . Enterprise network security construction is set up at the security boundary , As far as possible, the safe boundary will not be broken .

However, with the increase of business , Technological evolution , Mode adjustment and other factors , More and more security borders , More and more blurred . But we still need to sort out all the security boundaries of the enterprise network , And all of them should be protected , After all, network security follows the short board effect , A thousand things go wrong .

This paper combines with many years of safety experience of Party B and Party A , Try to sort out the whole , Practical enterprise network security boundary , Communicate with you .

1, Simple enterprise network architecture

The following is the enterprise network architecture for discovering security boundaries demo chart

Latest pictures :

2, Discover network security boundaries

from “ Big security ” The angle of , Enterprise network security is divided into attack and “ cover ” Launch an attack , Therefore, enterprises should ensure their own network security , And make sure it's not used to attack other enterprise networks

This paper summarizes the following network security boundaries ( Attack point )

2.1,DNS service

① There is no escrow DNS Parsing service , Self built DNS Service resolution of Intranet and extranet domain name , Pay attention to the distinction between intranet and intranet

②DNS Service software vulnerability

②DNS Used to amplify attacks on other people's networks

dns Best practices :

2.2,CDN service

①CDN Of DNS Service failure , Make your business inaccessible

②CDN Return flow (cdn Request business server ) unencrypted , Sniffed

③CDN There is a vulnerability in the edge server , Leak memory data

④ same CDN There are vulnerabilities in other corporate businesses of the server ( Edge nodes are not isolated )

cdn Working style needed ssl key Decryption and edge server routing ( Returns the optimal source server address ) Two ways , Obviously the latter is safer

cdn security :


2.3, Business server

① Multi gateway load balancing is adopted prevent DDOS attack ,CC attack

② gateway / Firewall adopts the least port principle , Only in the direction of entry is allowed 80,443 port , The flow in the direction out is not allowed , Prevent data leakage by external tape

③ To provide web Service safety assessment , Whole station https

( Most enterprises' external business is web form )

2.4, Cloud hosting server

Cloud server provides the function similar to firewall , But the internal network isolation security of cloud server still needs to be verified .

2.5, mail serve

① Forgery sender attack

In the past, post offices used to place a mailbox in each branch of the post office , Anyone can post a letter to anyone in any capacity as long as the stamp is attached .

Internet mail service is divided into post service and receiving service . The following is a brief description of the process of sending and receiving mail

1, user A Log in with password 163 After mailbox , Compose an email and send it to your friends B Of qq mailbox ;

2,163 The mail service of the mailbox server delivers mail to qq Mailbox server , No password is required for this procedure

3, user B Sign in qq After mailbox , adopt qq Mail service , Received from A Mail for

In fact, the process of Internet mail and post office delivery has not changed , just 163 mailbox ,qq The post office branch has been replaced by mail box, etc , There is the problem of identity authentication .

For example, malicious users C, Fake mail delivered to qq Mailbox server sends to users B, And claimed to be a user A, This process is feasible , Just find it QQ Mailbox's SMTP The server address is OK

There are two types of forgery : Forgery of sender [email protected], Email to [email protected]; The other is forgery [email protected] Email to [email protected] There are attacks by social workers

to configure DNS Of SPF( The ip address ),DKIM( Declare local public key ) strategy , Receiving domain for verification

② Carrying malicious attachments , Client antivirus , Email gateway antivirus

③ Blast code , The message contains server information , Architecture information , Business information

④ Email client vulnerability :foxmail,outlook,web mode , Enterprise mailbox

2.6, visitor WiFi

① set up WAP2 password , Access to the internal network is prohibited

② protect WiFi Physical security , Guarantee not to reset password , Update firmware, etc

③ limit WiFi strength , It doesn't need to spread far away

④ Detect forgery of the same SSID Of WiFi, Guard against fishing

⑤ No private building WiFi Access point


① Account and authority settings , Access to different internal networks with different permissions

② Certificate login , Prevention of blasting

③VPN software security

2.8, Office network access service server

Office network is not everyone can operate the business server , So use fortress machine for account authentication , And set different permissions on the account .

Business servers generally do not need to access the office network , Otherwise, access control is needed

2.9, Office network VLAN partition

The switch of office network should be deployed VLAN, Each department has its own vlan in , Printers belong to each other vlan.( Finance ,HR The data involved in other departments are more sensitive ).

Partition can also effectively deal with the attacker's post penetration phase

2.10, Office network IDS/IPS

When an attacker penetrates the office network, he will launch an intranet attack , For example, port scanning ,arp deception ,dns deception , Password sniffer, etc . Intrusion detection and protection system should be deployed inside and outside (IDS/IPS), Timely detection of Intranet attacks .( Internal employees can also be attackers )

2.11, Office network server

Office network will have OA system , Internal sharing , Test station , Pre release station , project management system , file system , Internal forum and other systems for office use , These systems store employee information , Protected information such as project data . And compared with employees PC Opportunities are much more stable , And it will be on for a long time , It's a good foothold for attackers

Attacker through employee terminal ,WiFi After entering the enterprise office Intranet , Generally, it will continue to attack the office server as a foothold to facilitate subsequent penetration

2.12, Office network IoT

Online water dispenser in office area , Surveillance camera , The punch machines are all small pc system , Will also be used as a foothold by attackers

2.13, Office network mobile phone , Notebook access BYOD

Employee mobile phone , Personal laptop may carry malware , Will attack the internal network . Need to be right BYOD The device is forced to install anti-virus software , Terminal management software (MDM) Or network isolation

2.14, Office network PC Software installation ,U disc

Domain control release domain policy restricts employees to install software at will , Do not insert U disc , No entry BIOS set up . Avoid the introduction of malicious attack software by employees

Domain control regularly checks employees PC Is there malware on board ( Mining software, etc )

2.15, Online behavior management of office network

Disable partial protocols , Prevent employees from uploading codes to GitHub,x Cloud disk, etc

(GitHub Items should be deleted after password disclosure , Instead of deleting the password , Because of the residual history in )

Ban office network access to forum , Fiction net, etc

Record employee visits , Launch external attacks on internal network , Easy to find the source

2.16,web service

The biggest exposed area of an enterprise is the business provided to the outside world , Namely web,app Etc .

The attacker attacks the business server more through these services 》 Stealing sensitive information & Using server resources to attack ( springboard , mining ,DDOS)》 Attack office intranet as a springboard 》 Steal more sensitive information
& Get more computing resources

Enterprises need to carry out SDL Safety assessment , Code audit ( Special framework and module code )

Except for sensitive data, of course , computing resource , various web loophole ( injection ,xss,csrf, Ultra vires , Upload and download ) Business logic loopholes in , It will also damage the interests of users and enterprises ( Stolen number , Steal brush ), Protection is also needed .

2.17, social worker

Employees install other people's software , Using others U disc , Disclose account and password, etc


3, summary

differ Google Zero boundary security , All machines , Resources adopt zero trust mode , All need to be certified and authorized . The boundary of the partition in this paper , The model of partial trust is adopted , For example, there are web The server , database server , Cache server, etc , They all belong to the unified boundary , There is a trust relationship ; The relationship between office network and business network is distrust . Less trust , The more complex the design is

Sensitive information should be included in the protected objects of enterprises , computing resource , Business logic

Network security is a dynamic development process , New businesses emerge , New systems emerge , New loopholes emerge . Enterprises need to have a security operation center , Master the security status of security boundary in real time .

This article discusses a very grand thing , can only “ In short ”, Hope to give readers inspiration .

This article will be updated continuously , I hope readers can leave messages for communication