The Self-Protection of the Internet World To Improve security, Security Protection Has No Boundaries, and Zero Trust Can Be Truly Safe
Knowledge

The Self-Protection of the Internet World To Improve security, Security Protection Has No Boundaries, and Zero Trust Can Be Truly Safe

Faced with various security threats, the internal network environment and the personal computers managed by the company are likely to be attacked and paralyzed, hacked, or even become the perpetrator. There is no distinction between inside and outside. Therefore, zero-trust management mode is imperative.
Published: Jun 12, 2020
The Self-Protection of the Internet World To Improve security, Security Protection Has No Boundaries, and Zero Trust Can Be Truly Safe

Pay more attention to network security in the Internet age

In the era of digitalization and networking, trust is one of the foundations for the operation of many systems, the interoperability of information, and the conduct of transactions. With the evolution of various technologies, the availability and usability of services continue to improve. How to ensure security, but it has always been a problem, and it is increasingly difficult to deal with, and it has even seriously threatened the normal operation of the real world.

According to the 2018 Global Risk Report released by the World Economic Forum, Cyber attacks ranked sixth among the top ten risks that caused serious impacts; and among the top ten possible major risks, cyber attacks entered the top three for the first time, second only to Extreme weather events are related to national disasters, and the fourth place is data fraud or theft, which is also closely related to security.

There are too many security threats to enumerate. Even after rising and facing recession, after a while, they are often recovered, evolved, or mixed with other threats, which is unpredictable. But overall, these threats can be rampant due to the rapid rise and popularization of emerging technologies, such as cloud services, mobile applications, and the Internet of Things. Moreover, the impact is overwhelming, and individuals and enterprises are irresistible and unable to resist. Stay out of the situation; at the same time, because of the wide-open door, threats across the inside and outside, such as: data leakage, DDoS, APT, privileged account abuse, etc., are also endless and difficult to completely cut off. Faced with this situation, we do not know what to believe, it is the current portrayal.

Intranet environment where boundaries no longer exist

In the design of traditional network security architecture, internally located users and application systems are generally considered to be in a trusted state. Therefore, fewer verification and verification mechanisms are implemented. However, nowadays, users and application systems are implemented in various places, and there is no distinction between inside and outside. At this time, when we look at security protection, we should adopt an attitude of continuous verification and not easy to trust.

Change in security thinking: from trust to zero trust

In the past, to strengthen information security, the IT industry has invested a lot of resources to try to enhance the trust of users. To trace the source of these efforts, we must first talk about Microsoft, they began to promote Trustworthy Computing in 2002.

At that time, the company's operating systems Windows NT 4.0 and Windows 2000 were abused because of their vulnerabilities, and suffered from network worm attacks such as Code, Nimda, and Blaster. Therefore, they painfully thought and actively strengthened the operating system and other software. Security, so since Windows XP SP2, built-in Windows Firewall, Windows Update automatically update, and promote the software development life cycle (SDL) security project.

Microsoft's follow-up in Windows Vista and Windows Server 2008, the built-in user account control (UAC) and network access protection (NAP) are also based on this concept, developed security features. In addition to Microsoft, AMD, HP, IBM, Intel and Microsoft also cooperated in 2003 to establish the Trusted Computing Group (TCG). They have promoted the development of several well-known security technologies, such as; more and more people in computers and servers Built-in Trusted Computing Module (TPM), Trusted Network Connection (TNC) providing network access control functions, and Standard Specification (SED) applied to the encryption application of the hard disk itself.

During those few years, the concepts of Layered Defense and Defense in Depth were quite popular, which attracted attention to the application of network access control (NAC), and many products of collaborative defense appeared on the market.

Later, with the rise of server virtualization platforms and cloud services, software-defined protection and cloud security products have also begun to rise to the stage, which can support the security defense strategy in these atypical network application environments implementation at that time.

For example, Check Point, a veteran network firewall manufacturer, launched Software Defined Protection in 2014, Shield, a server virtualization platform manufacturer VMware, which was released in 2011, and NSX acquired in 2012 from the acquisition of network virtualization vendor Nicira. It can provide the Network Segmentation function to reduce the possibility of horizontal attacks on the internal network. In large public cloud services, it also has multiple network partitioning mechanisms. In terms of AWS, Amazon VPC provides subnets, Security groups, network access control lists (NACLs).

In 2009, the chief analyst of the research institute Forrester proposed a new security model called Zero Trust Model, which received great attention at the time. However, there were not many security vendors that responded actively in the initial stage, mainly based on the next generation firewall the famous Palo Alto Networks. By 2015, Forrester found that the related application fields gradually expanded, covering virtualized network infrastructure (VNI) and Network orchestration solutions. In the fourth quarter of 2016, they significantly increased the threat mitigation technology based on the concept of zero trust to 20 types. However, Forrester's report released in January this year re-introduced a zero-trust product type and corresponding manufacturers. They set these parts as an extended ecosystem and distinguished them into a zero-trust platform, security automation and dispatch command, security perspective and analysis, and security levels such as personnel, workload, data, network, and networked equipment, and "staff "" is further subdivided into interactive processes and identity management. "Network" refers specifically to network partition isolation.

Network isolation is a more common structure of the zero-trust model. When Forrester started to advocate the zero-trust model in 2010, they also designed a zero-trust network architecture based on this concept, which included the integration of multiple controls and protections. Functional network isolation gateway (SG), micro-cores and boundaries (MCAP) that are divided into multiple isolation zones according to different operational attributes, a server responsible for the centralized management mechanism, and data acquisition responsible for collecting and analyzing network traffic Take the Internet (DAN).

The basic spirit of zero trust: No matter whether you trust or not, you must pass verification before counting

What exactly is zero trust? Why are more and more security vendors embracing this concept? In short, in a zero-trust network environment, all network traffic is untrusted. Therefore, security professionals must verify and protect all resources, restrict and strictly implement access control, and detect and record all Internet traffic.

According to John Kindervag's interpretation of the zero-trust network architecture in 2010, he put forward the following three core concepts: (1) on security devices, there is no longer a trust and untrust interface; (2) there is no longer a trust and Untrusted network; (3) There are no longer trusted and untrusted users.

If the zero trust model is extended to the level of information security, three basic concepts are proposed: (1) no matter where you are, you must ensure that all resources are accessed securely; (2) adopt the lowest authority Strategies, and strictly implement access control; (3) Detect and record all traffic.

In the above concept, we must assume that all network traffic is threatening. Unless they are verified by their security team to confirm that they are legally authorized, passed the test, and are protected, they will not be trusted. For example, data access between internal and external networks is often protected by encrypted channels. In contrast, cyber criminals can easily detect unencrypted data. Therefore, security experts have The protection attitude must be consistent with external data access on the Internet.

In the management of access behavior, the zero-trust model will also use more methods to verify and mitigate harm.

What we have relied on in the past is mainly protection based on user role-based access control mechanisms (RBAC), and is commonly used in network access control, infrastructure software, and identity and access management systems. If the zero-trust model is adopted, RBAC will not be the only method. The focus is on configuring the lowest access rights and implementing precise access control to reduce the impact of attacks and abuse. For example, according to the identity indicated by the user, appropriate access to resources is allocated, and they are limited to the range they need to perform these tasks, so that they can only do the right thing, instead of blindly trusting the user, without considering intention or negligence. And lead to the possibility of doing wrong.

Of course, there are no perfect and seamless restrictions in the world. To further ensure that things are done right, and to grasp the status of errors early, we also need to continuously detect and record. For example, we must have the analysis and analysis of network traffic activities. Perspective capability (NAV), and detection and recording can be carried out together to process all network traffic in an active and real-time manner, not passively and delayed for a while, and only for internal network traffic.

To meet such requirements, the zero trust model also specifically defines the characteristics that should be possessed for network traffic analysis and perspective. For example, it can flexibly expand the scale of use and the situational awareness of continuous execution, and includes network exploration (finding and Track assets), flow data analysis (analysis of traffic patterns and user behavior), packet capture and analysis, and network interpretation data analysis (analysis of network streaming packets), network forensics (to assist in emergency response and crime investigation).

In the design of zero-trust architecture, John Kindervag believes that four components need to be matched, namely: Network Segmentation Gateway (SG), Microcore and Perimeter (MCAP), centralized management, and Data Acquisition Network (DAN).

The SG will include functions that were originally dispersed in multiple security products, such as firewalls, network intrusion prevention systems, website application firewalls, network access control, content filtering gateways, VPN gateways, and other encryption products , And deeply integrated into the network level, at the same time, SG will also build a packet forwarding engine, so that it can be built in the center of the network. Security personnel can define common control policies in the SG, and must configure multiple high-speed network interfaces to undertake huge network traffic processing operations.

The SG here is quite similar to the UTM equipment we are familiar with. However, John Kindervag said that the part of UTM is the control of the network boundary. The location where the SG is deployed and targeted is at the center of the network.

MCAP is for each network partition. They are Switching Zones formed by connecting to the network interface of SG and other devices. These areas are set up with dedicated micro-core switches that share the same functions and policy control attributes. Each isolation zone becomes a Microperimeter. Security personnel can form a unified switching network by aggregating all the switches in MCAP to achieve the purpose of centralized management.

The so-called centralized management refers to the processing operations of the backplane of the network, which can be defined by the transparent and integrated MCAP overall management mechanism. Moreover, it must be upgraded from a command line operation method based on individual components to be centralized and easier to use. Management system.

As for the setting of DAN, it is to highlight the importance of capturing network data. It is also a kind of MCAP, which can deploy a security event management system (SIEM), network analysis and perspective tool (NAV), which is responsible for centralized acquisition and analysis. And log all network traffic.

Using such a network area, we can process all the traffic that passes through the SG, including the part that connects all MCAP-through mirroring and forwarding the traffic, effectively collect the packets, Syslog, SNMP and other information transmitted therein, and store it in In a single location, to facilitate the subsequent analysis and analysis of network traffic, to achieve near real-time processing requirements.

Attacks come from all directions, and the border division needs to be more detailed

In the zero-trust model, the threat of attack is more extended. Just like protecting the safety of the president, attention should be paid to the identity, location, and accessibility of the protected objects; the border control needs to set up multiple layers of partitions, such as peripheral fences and military police, and special services are surrounding the president’s car, forming For micro-boundary protection, it is also necessary to guard against remote sniper attacks and do well in endpoint control.

Application control strategy based on zero trust model

Depending on the motivation, the level of threat also changes. However, whether it is malicious or well-intentioned, endpoint devices and applications may become threats. Therefore, to deal with different levels of threats, blacklists and whitelists can be used to control However, in relatively normal and legal endpoints and applications, we can use isolation to enforce protection with the least-privileged access method.

The zero-trust model has begun to expand significantly, and can be applied at more levels

In the zero-trust research report released by Forrester at the beginning, there is a lot of attention to the network architecture. Also, network partition isolation does play a very important role here. Therefore, in recent years, whenever this concept is adopted, for product types, most people will think of next-generation firewalls. However, zero trust is not just network isolation, but the overall protection strategy, involving processing processes and technologies. Therefore, when Forrester elaborated the zero-trust model in recent years, it did not Restricted to the Internet, but extend more protection.

For example, at the beginning of this year, they specifically proposed the concept of Zero Trust eXtended Ecosystem, disassembled the zero trust model, centered on data, surrounded by four links such as personnel, equipment, network, and workload, and used the network Perspective and analysis, automation and dispatching and other technologies come together.

The number of companies that recognize and value zero trust has increased, and both Google and Netflix have begun to adopt

In addition to the research institutions that have long advocated this concept, there has been a major change in market views, and the zero-trust model has received a lot of attention recently. There are several reasons for this.

One of them is related to Google. The company's chief information officer said that large enterprises should establish a "zero trust" infrastructure. Google also released a research paper "BeyondCorp: A New Approach to Enterprise Security" this year, and subsequently published several papers that explored the concept and implementation of BeyondCorp. Since 2017, Google has provided new cloud services in this self-developed zero-trust security framework, and has begun to actively promote it. For example, at the Google Cloud Next conference, Cloud Identity-Aware Proxy ( Cloud IAP), allowing users to build a content-aware secure access environment described by BeyondCorp; Google is proud of this research project that began in 2011, claiming to allow most employees to work on untrusted networks every day In the road environment, you can work safely without using VPN protection.

In addition to Google, recently, we also saw another network company that built a zero-trust architecture, which is the well-known online audio and video industry Netflix.

At the Usenix Enigma conference earlier this year, the company's senior security engineer Bryan Zimmer publicly introduced their zero-trust architecture, called Location Independent Security Approach (LISA), which contains three basic principles: (1) The key to trust is to use The identity of the person and the health status of the endpoint, not the location; (2) The office network cannot be trusted; (3) The device must be isolated.

In the long run, to improve the overall security protection, there should be more organizations joining the ranks of implementing the zero-trust model. With the continuous promotion of the new wave of digital transformation, the operation of application systems and services is bound to move towards a more open environment If we continue to use the traditional dichotomy (internal, external, trust, distrust) to define the scope of protection of information security, I am afraid that it will be increasingly difficult to cope with this unknown situation.

If you can thoroughly understand the reality, think and construct a zero-trust model suitable for your operating environment, through continuous verification, recording, and continuous analysis and supervision, you can effectively implement "control" and "protection" instead of defensive strategies. Only by focusing on either end, we can also get a solid guarantee.

Google invests in the development of a zero-trust model

The zero-trust model is not only advocated by information security vendors. Cloud service giant Google has invested. They have spent six years developing a zero-trust security framework called BeyondCorp. In terms of access control, they have strengthened the protection from the original network boundary to the control of individual devices and users. At present, they can allow their employees to connect to the company's application system from anywhere. There is no need for encrypted connections via traditional VPN.

Published by Jun 12, 2020 Source :ithome

Further reading

You might also be interested in ...

Headline
Knowledge
A Complete Guide to Selecting the Ideal Paper Cups for Hot Beverages
This guide provides a detailed overview of how to choose the best paper cups for hot beverages. It explores the different types of cups—single-wall, double-wall, insulated, and eco-friendly—and explains their unique features and ideal use cases. Key factors to consider include beverage temperature, insulation needs, cup size and lid compatibility, environmental impact, and safety standards. The article also outlines best practices for both consumers and businesses to ensure safe use and responsible disposal. Ultimately, selecting the right paper cup depends on balancing functionality, comfort, sustainability, and cost.
Headline
Knowledge
Understanding the Difference Between Reverse Osmosis and Traditional Water Filters
An in-depth comparison between reverse osmosis (RO) and traditional water filters, two widely used methods for purifying drinking water. It outlines how RO uses a semi-permeable membrane to remove dissolved salts, heavy metals, and microorganisms, making it ideal for areas with highly contaminated water. In contrast, traditional filters rely on physical and chemical filtration - often using activated carbon - to improve taste and remove larger particles. While RO systems offer superior contaminant removal, they come with higher costs and water usage. Traditional filters are more affordable and environmentally friendly but less effective against microscopic impurities. The article concludes that the best choice depends on specific water quality needs, and in some cases, combining both systems can offer the most comprehensive solution.
Headline
Knowledge
A Comprehensive Guide to Selecting Cutting Techniques in Plastic Bag Production
This article provides a detailed comparison of hot and cold cutting methods used in plastic bag manufacturing, emphasizing how the choice impacts production efficiency, edge sealing, and material compatibility. Hot cutting uses heated blades to cut and seal simultaneously, making it ideal for leak-proof and high-speed production, while cold cutting offers precise, sharp cuts without heat damage, suitable for a variety of bag types. The selection depends on factors such as material type, production requirements, and environmental considerations. Understanding the strengths and limitations of each method helps manufacturers optimize their processes and meet evolving industry demands.
Headline
Knowledge
Exploring Ventilator-Associated Pneumonia (VAP) and Its Effects on ICU Patients
Ventilator-associated pneumonia (VAP) is a significant healthcare challenge in intensive care units, typically occurring in patients who have undergone mechanical ventilation for at least 48 hours. It is associated with high morbidity, mortality, and healthcare costs. VAP develops due to respiratory tract colonization by pathogens, facilitated by invasive devices like endotracheal tubes. Common bacteria include Pseudomonas aeruginosa, Escherichia coli, and Staphylococcus aureus. Risk factors range from prolonged ventilation to prior antibiotic use and underlying health issues. Diagnosing VAP is difficult due to overlapping symptoms with other lung conditions and the absence of standardized criteria, often leading to antibiotic overuse. Preventive strategies—such as ventilator care bundles, elevating the head of the bed, maintaining oral hygiene, and staff training—are critical to reducing its incidence. While progress has been made, ongoing research and consistent application of evidence-based practices are essential to improve outcomes and lower the burden of VAP in ICU settings.
Headline
Knowledge
Popping Boba: A Comprehensive Exploration
Popping boba, also known as bursting boba or popping pearls, is a fascinating and popular addition to the world of beverages and desserts. These small, colorful spheres are known for their unique texture and the burst of flavor they provide when consumed. This article delves into the intricacies of popping boba, exploring its composition, production process, popularity, and culinary applications. By examining various sources, this report aims to provide a comprehensive understanding of popping boba, highlighting its significance in contemporary food culture.
Headline
Knowledge
Nylon and Sustainability: Exploring Greener Alternatives for the Future
Nylon has been a widely used synthetic material since the early 1900s, valued for its strength, flexibility, and resilience. From fashion to industrial use, it’s found in countless products. But as sustainability becomes a global priority, nylon’s environmental impact has come under greater scrutiny. This article takes a closer look at how nylon is made, its environmental challenges, and the more sustainable options now available.
Headline
Knowledge
EPE Pearl Cotton Recycling Solution: A Comprehensive Overview
This article examines the recycling of Expanded Polyethylene (EPE) Pearl Cotton—a lightweight, shock-absorbing, and moisture-resistant packaging material. While EPE offers many benefits, its bulky form and high transportation costs make recycling difficult. However, advancements in recycling technologies and increasing environmental awareness are driving the development of more effective solutions. The report explores current challenges, emerging recycling methods, and the future potential of EPE recycling.
Headline
Knowledge
Are Compatible Toner Cartridges a Smart Choice? A Comprehensive Analysis
Toner cartridges play a crucial role in both the performance and cost-effectiveness of printing. Among the available options, compatible toner cartridges—third-party products made to function with branded printers—have become a widely used alternative to Original Equipment Manufacturer (OEM) cartridges. This report examines the advantages and disadvantages of compatible cartridges, considering factors such as cost, environmental impact, print quality, and potential risks. By drawing on diverse sources, it provides a balanced evaluation of their suitability for personal and business use.
Headline
Knowledge
Pneumatic Power Tools: Reliable, High-Performance Solutions for Industrial Applications
Pneumatic power tools, commonly known as air tools, are widely used in industrial, automotive, and construction settings due to their efficiency, durability, and power. These tools operate using compressed air, making them a lightweight and high-powered alternative to electric or battery-operated tools. Pneumatic power tools consistently perform well, even under the most demanding conditions. They come in various forms, including impact wrenches, pneumatic drills, sanders, grinders, ratchets, air hammers, chisels, paint sprayers, nail guns, and staplers.
Headline
Knowledge
Introducing the Vise Grip: A Tool of Precision and Power
In 1921, in the quiet workshop of a small-town Nebraska blacksmith, William S. Petersen, a Danish immigrant, invented an ingenious tool that forever changed the landscape of hand tools. He created a new type of pliers with a vise-like grip that could lock onto his work. The Vise-Grip's unique ability to securely latch onto any object with unparalleled precision and strength not only made it a tool but a true extension of the craftsman's hand. This provided an adjustable, locking grip for a wide range of applications.
Headline
Knowledge
Adjustable Wrenches and Pipe Wrenches: Essential Tools for Plumbing and Maintenance
Adjustable wrenches and pipe wrenches have long been recognized as effective solutions for mechanical repairs, plumbing, and construction. Due to their ability to adjust jaw width, they are extremely versatile, allowing a single wrench to fit various sizes of nuts, bolts, and pipes. Their practicality and durability have made them indispensable tools for both professionals and DIY enthusiasts. Each type of wrench serves a unique function and offers distinct benefits.
Headline
Knowledge
RO Filter System Quick Fit Connectors: A Reliable and Efficient Solution
Quick fit connectors have become a preferred solution for connecting tubing in reverse osmosis (RO) filter systems due to their ease of use, reliability, and efficiency. Traditional threaded and compression fittings often require tools and careful handling to ensure a secure and leak-free connection. Quick fit connectors, however, offer a tool-free, push-to-connect mechanism that ensures a tight seal in seconds. Their widespread adoption in RO filtration and other water treatment applications highlights their effectiveness in enhancing system performance and installation convenience.
Agree