Network topology and security

1 Overview

We all studied computer networks and computer organization at university. Personally I did not pay much attention to this material back then, and foolishly thought things like computer organization were not very important; only at work did I find that the more fundamental something like computer organization is, the more important it turns out to be. Here I review and study some programming knowledge outside my usual area, in the following chapters (note: these are collected materials and notes from study and work, so most of it is borrowed; if there is a copyright problem, please contact me and I will remove it):

  1. Message transmission
  2. Network topology diagrams
  3. Security controls
  4. Some

    Captured nginx debug log of the request:

    "Content-Type: application/json" http header: "User-Agent: PostmanRuntime/7.26.8" http header: "Accept: */*" http header: "Cache-Control: no-cache" http header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486" http header: "Host: localhost:8888" http header: "Accept-Encoding: gzip, deflate, br" http header: "Connection: keep-alive" http header: "Content-Length: 41" http header done generic phase: 0 rewrite phase: 1 test location: "/" using configuration "/" http cl:41 max:1048576 rewrite phase: 3 post rewrite phase: 4 generic phase: 5 generic phase: 6 generic phase: 7 generic phase: 8 access phase: 9 access phase: 10 access phase: 11 post access phase: 12 generic phase: 13 generic phase: 14 http client request body preread 41 http request body content length filter http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0 http init upstream, client timer: 0 http script copy: "Host" http script copy: "yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net" http script copy: "X-Real-IP" http script var: "127.0.0.1" http script copy: "REMOTE-HOST" http script var: "127.0.0.1" http script copy: "X-Forwarded-For" http script var: "127.0.0.1" http script copy: "Connection" http script copy: "close" http script copy: "Content-Length" http script var: "41" http script copy: "" http proxy header: "Content-Type: application/json" http proxy header: "User-Agent: PostmanRuntime/7.26.8" http proxy header: "Accept: */*" http proxy header: "Cache-Control: no-cache" http proxy header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486" http proxy header: "Accept-Encoding: gzip, deflate, br" http proxy header: "POST /order/popOrderSearch HTTP/1.0^M Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M X-Real-IP: 127.0.0.1^M REMOTE-HOST: 127.0.0.1^M X-Forwarded-For: 127.0.0.1^M Connection: close^M Content-Length: 41^M Content-Type: application/json^M User-Agent: PostmanRuntime/7.26.8^M Accept: '*/*' Cache-Control: no-cache^M Postman-Token: 
501c36d1-75b2-4cd4-aa80-0a29fcebd486^M Accept-Encoding: gzip, deflate, br^M ^M " http cleanup add: 00007FAA4680ED90 get rr peer, try: 1 stream socket 4 connect to 101.124.18.198:80, fd:4 #23 kevent set event: 4: ft:-1 fl:0025 kevent set event: 4: ft:-2 fl:0025 http upstream connect: -2 posix_memalign: 00007FAA45C05680:128 @16 event timer add: 4: 60000:259302474 http finalize request: -4, "/order/popOrderSearch?" a:1, c:2 http request count:2 blk:0 http upstream request: "/order/popOrderSearch?" http upstream send request handler http upstream send request http upstream send request body chain writer buf fl:0 s:398 chain writer buf fl:1 s:41 chain writer in: 00007FAA4680EDF0 writev: 439 of 439 chain writer out: 0000000000000000 event timer del: 4: 259302474 event timer add: 4: 60000:259302564 http upstream request: "/order/popOrderSearch?" http upstream dummy handler http upstream request: "/order/popOrderSearch?" http upstream process header malloc: 00007FAA48015C00:4096 recv: eof:1, avail:377, err:0 recv: fd:4 377 of 4096 http proxy status 401 "401 Unauthorized" http proxy header: "Date: Thu, 11 Mar 2021 11:58:26 GMT" http proxy header: "Content-Type: application/json; charset=utf-8" http proxy header: "Connection: close" http proxy header: "x-jdcloud-request-id: c150bpgmqwr218ur1oe60vsg2ome1qgn" http proxy header: "Server: jfe" http proxy header done posix_memalign: 00007FAA48017200:4096 @16 HTTP/1.1 401 Unauthorized^M Server: nginx/1.19.6^M Date: Thu, 11 Mar 2021 12:00:01 GMT^M Content-Type: application/json; charset=utf-8^M Transfer-Encoding: chunked^M Connection: keep-alive^M x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M write new buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0 http write filter: l:0 f:0 s:243 http cacheable: 0 http proxy filter init s:401 h:0 c:0 l:-1 http upstream process upstream pipe read upstream: 1 pipe preread: 176 pipe buf free s:0 t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 
0, size: 0 pipe length: -1 input buf #0 pipe write downstream: 1 pipe write downstream flush in http output filter "/order/popOrderSearch?" http copy filter: "/order/popOrderSearch?" http postpone filter "/order/popOrderSearch?" 00007FAA4680EE00 http chunk: 176 write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0 write new buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0 write new buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0 write new buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0 http write filter: l:0 f:0 s:425 http copy filter: 0 "/order/popOrderSearch?" pipe write downstream done event timer: 4, old: 259302564, new: 259302612 http upstream exit: 0000000000000000 finalize http upstream request: 0 finalize http proxy request free rr peer 1 0 close http upstream connection: 4 free: 00007FAA45C05680, unused: 48 event timer del: 4: 259302564 reusable connection: 0 http upstream temp fd: -1 http output filter "/order/popOrderSearch?" http copy filter: "/order/popOrderSearch?" http postpone filter "/order/popOrderSearch?" 00007FFEEA1AAFF0 http chunk: 0 write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0 write old buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0 write old buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0 write old buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0 write new buf t:0 f:0 0000000000000000, pos 0000000105B298D4, size: 5 file: 0, size: 0 http write filter: l:1 f:0 s:430 http write filter limit 0 writev: 430 of 430 http write filter 0000000000000000 http copy filter: 0 "/order/popOrderSearch?" http finalize request: 0, "/order/popOrderSearch?" 
a:1, c:1 set http keepalive handler http close request http log handler free: 00007FAA48015C00 free: 00007FAA4680F200, unused: 0 free: 00007FAA4680E200, unused: 8 free: 00007FAA48017200, unused: 2889 free: 00007FAA4680D600 hc free: 0000000000000000 hc busy: 0000000000000000 0 reusable connection: 1 event timer add: 3: 65000:259307612 http empty handler event timer del: 3: 259307612 http keepalive handler close http connection: 3 reusable connection: 0 free: 0000000000000000 free: 00007FAA472045C0, unused: 136

    Let us analyze the message structure ourselves:

    "POST /order/popOrderSearch HTTP/1.0^M Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M X-Real-IP: 127.0.0.1^M REMOTE-HOST: 127.0.0.1^M X-Forwarded-For: 127.0.0.1^M Connection: close^M Content-Length: 41^M Content-Type: application/json^M User-Agent: PostmanRuntime/7.26.8^M Accept: */*^M Cache-Control: no-cache^M Postman-Token: 5c574468-1bf1-47ea-9cd9-0d88b245090c^M Accept-Encoding: gzip, deflate, br^M ^M " 

    2.1.1 Request message format

    1. Request line (the request header line handled by the server process)
    The request line consists of three parts: the request method (POST), the resource path (/order/popOrderSearch, possibly with a file name; for a GET request the parameters are appended after the path), and the protocol version (HTTP/1.0)
    POST /order/popOrderSearch HTTP/1.0

    2. Request headers (http header)
    The request headers mainly carry signature and verification data, the protocol and version, the data transfer (content) type, the host, the accepted data types, cookies, and so on. On headers that help ensure secure access there is an article at https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
    3. Blank line
    Probably related to how the message is read; I did not look this up further
    4. Request body (request body); because it is streamed, nginx does not print it
    For example, in the nginx proxy data:
    http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0

    2.1.2 Response message data

    HTTP/1.1 401 Unauthorized^M Server: nginx/1.19.6^M Date: Thu, 11 Mar 2021 12:00:01 GMT^M Content-Type: application/json; charset=utf-8^M Transfer-Encoding: chunked^M Connection: keep-alive^M x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M 
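The request in 2.1.1 and the response above share one framing: a start line, header lines, an empty line, then a body whose length is fixed either by Content-Length or by chunked transfer encoding. The parser below is an added example (not code from the original post) that rebuilds both captured messages from their log rendering and splits them into those parts. nginx did not print the request body, so a 41-byte JSON body is constructed here to match the captured Content-Length; the chunked response body is constructed as well. The parser also refuses a message that carries both Content-Length and Transfer-Encoding, since that ambiguity is what request smuggling relies on.

```python
"""Parse the HTTP/1.x request and response captured in the nginx log above.

Added example, not code from the original post.  The request body was not
printed by nginx, so a 41-byte JSON body is constructed to match the captured
"Content-Length: 41"; the chunked response body is constructed as well.
"""
import json

# Messages exactly as they appear in the captured log; "^M " is how the log
# renders each CRLF line ending.
RAW_REQUEST_LOG = (
    "POST /order/popOrderSearch HTTP/1.0^M "
    "Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M "
    "X-Real-IP: 127.0.0.1^M REMOTE-HOST: 127.0.0.1^M X-Forwarded-For: 127.0.0.1^M "
    "Connection: close^M Content-Length: 41^M Content-Type: application/json^M "
    "User-Agent: PostmanRuntime/7.26.8^M Accept: */*^M Cache-Control: no-cache^M "
    "Postman-Token: 5c574468-1bf1-47ea-9cd9-0d88b245090c^M "
    "Accept-Encoding: gzip, deflate, br^M ^M "
)
RAW_RESPONSE_LOG = (
    "HTTP/1.1 401 Unauthorized^M Server: nginx/1.19.6^M "
    "Date: Thu, 11 Mar 2021 12:00:01 GMT^M "
    "Content-Type: application/json; charset=utf-8^M Transfer-Encoding: chunked^M "
    "Connection: keep-alive^M x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M "
    "^M "  # the captured log stops before the empty line that ends the headers
)
# Constructed sample bodies (not captured on the page).
CONSTRUCTED_REQUEST_BODY = b'{"orderId":"ORDER-0001","page":1,"n":100}'   # 41 bytes
CONSTRUCTED_CHUNKED_BODY = b'1c\r\n{"error":"401 Unauthorized"}\r\n0\r\n\r\n'


def log_to_wire(log_text: str) -> bytes:
    """Turn the log rendering back into the bytes that travelled on the wire."""
    return log_text.replace("^M ", "\r\n").encode("ascii")


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body: hex size line, chunk data, CRLF, ..., a 0-size chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                          # last chunk; trailers ignored
        out += data[pos:pos + size]
        pos += size + 2                                # skip the data and its CRLF


def parse_message(wire: bytes) -> dict:
    """Split start line, headers, empty line and body, then frame the body."""
    head, sep, body = wire.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    msg = {"headers": headers}
    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/"):                   # status line of a response
        msg.update(kind="response", version=parts[0], status=int(parts[1]), reason=parts[2])
    else:                                              # request line
        msg.update(kind="request", method=parts[0], path=parts[1], version=parts[2])
    # Body framing.  Honouring both Content-Length and Transfer-Encoding on one
    # message is what request smuggling exploits, so reject the ambiguity.
    has_cl = "content-length" in headers
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    if has_cl and chunked:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if has_cl:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError(f"body truncated: {len(body)} of {n} bytes")
        msg.update(framing="content-length", body=body[:n])
    elif chunked:
        msg.update(framing="chunked", body=decode_chunked(body))
    else:
        msg.update(framing="until-close", body=body)
    return msg


if __name__ == "__main__":
    req = parse_message(log_to_wire(RAW_REQUEST_LOG) + CONSTRUCTED_REQUEST_BODY)
    print(req["method"], req["path"], req["version"], json.loads(req["body"]))
    resp = parse_message(log_to_wire(RAW_RESPONSE_LOG) + CONSTRUCTED_CHUNKED_BODY)
    print(resp["status"], resp["reason"], resp["framing"], resp["body"])
```

Header names are lower-cased on the way in because HTTP header names are case-insensitive; the x-jdcloud-request-id header from the captured response shows why that matters when a proxy and an origin do not agree on capitalisation.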

    1. Response status line
    Protocol, status code

    2.2 Network topology and security

    For more basic information on network topology see https://blog.csdn.net/tryheart/article/details/107471119
    A few points I would summarize here:

    1. Internet IP addresses cannot be forged; every network connected to the Internet must be registered and filed
    2. Inside a WAN, hosts communicate with each other and routers resolve the addresses
      This gives rise to the concepts of WAN, Internet and DMZ; it is precisely because these principles exist that network security standards and operations can be guaranteed.

    2.3 Security controls

    We can capture packets with a capture script or by installing a capture tool (Wireshark, Fiddler)
    Because public IPs cannot be forged, a firewall can be used to enforce the nearest public IPs at egress and ingress
    1. Endpoint computers
    Endpoint computers are critical: protect them from malware infection, low battery, and so on
    2. Egress controls
    Egress control is mainly port restriction; a safer practice is to permit only specific destination IPs and ports, and the strictest requirement is that all egress goes through a gateway, which enforces a secure data format on the way out. Egress data is mainly reported security data in a specified message structure. Port-level firewalling and other technical means keep trojan programs from compromising data security and improper operations from causing data loss
    3. Ingress controls
    Ingress data: authorize access to data to prevent malicious theft. Controls here are mainly IP whitelists and allowlist-based admission, port opening and forwarding, and above all the format of the reported data messages.
    4. The DMZ servers on which the company publishes external services
    DMZ means "isolation zone"; isolation can be by region, by LAN, by time, by port, and so on
    5. VPN and similar remote-access devices
    A VPN is a dedicated virtual network tunnel: it creates a private IP channel for communication. Beyond that, a VPC can be designed as a virtually isolated physical network
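The egress and ingress controls just listed come down to an allowlist: which outside sources may reach which service ports, and which destinations internal hosts may reach on the way out. The script below is an added example (not code from the post) that applies such a policy to a few constructed firewall connection records and reports the violations. It adds one check the post does not spell out: an inbound record whose source is a private or loopback address is flagged before the allowlist is consulted, because such a source cannot legitimately arrive on the external interface. The record format, the policy tables and the addresses (RFC 5737 documentation ranges standing in for public addresses) are all assumptions.

```python
"""Allowlist policy check over constructed firewall connection records.

Added example, not the post's code.  Record format, policy tables and the
addresses (RFC 5737 documentation ranges as stand-ins for public IPs) are
all assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Ingress: which outside networks may reach which service ports.
INGRESS_ALLOW = {
    "203.0.113.0/24": {443},        # partner range, HTTPS only
    "198.51.100.7/32": {22, 443},   # one administrative host, SSH + HTTPS
}
# Egress: which destinations internal hosts may reach on the way out.
EGRESS_ALLOW = {
    "192.0.2.10/32": {443},         # the reporting gateway
    "192.0.2.0/29": {53},           # resolvers
}
# Sources that can never legitimately arrive from outside (RFC 1918,
# loopback, link-local).  Listed explicitly rather than via is_private so
# that the documentation ranges used as sample public addresses are not hit.
NON_PUBLIC_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed records: <timestamp> <IN|OUT> src=<ip> dst=<ip> dport=<port>
SAMPLE_RECORDS = """\
2021-03-12T10:00:01 IN src=203.0.113.5 dst=10.0.1.10 dport=443
2021-03-12T10:00:02 IN src=203.0.113.5 dst=10.0.1.10 dport=22
2021-03-12T10:00:03 IN src=10.0.0.9 dst=10.0.1.10 dport=443
2021-03-12T10:00:04 OUT src=10.0.1.20 dst=192.0.2.10 dport=443
2021-03-12T10:00:05 OUT src=10.0.1.20 dst=198.51.100.99 dport=80
""".splitlines()


@dataclass
class Verdict:
    timestamp: str
    allowed: bool
    reason: str


def parse_record(line):
    ts, direction, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return (ts, direction, ipaddress.ip_address(f["src"]),
            ipaddress.ip_address(f["dst"]), int(f["dport"]))


def permitted(table, addr, port):
    """True if some allowlist entry covers both the address and the port."""
    return any(addr in ipaddress.ip_network(net) and port in ports
               for net, ports in table.items())


def evaluate(line):
    ts, direction, src, dst, dport = parse_record(line)
    if direction == "IN":
        if any(src in net for net in NON_PUBLIC_SOURCES):
            return Verdict(ts, False, f"ingress with non-public source {src}")
        if permitted(INGRESS_ALLOW, src, dport):
            return Verdict(ts, True, f"ingress {src} -> port {dport} allowlisted")
        return Verdict(ts, False, f"ingress {src} -> port {dport} not allowlisted")
    if direction == "OUT":
        if permitted(EGRESS_ALLOW, dst, dport):
            return Verdict(ts, True, f"egress to {dst}:{dport} allowlisted")
        return Verdict(ts, False, f"egress to {dst}:{dport} not allowlisted")
    raise ValueError(f"unknown direction {direction!r}")


def violations(lines):
    """Every record the policy would have blocked, in log order."""
    return [v for v in map(evaluate, lines) if not v.allowed]


if __name__ == "__main__":
    for v in violations(SAMPLE_RECORDS):
        print(v.timestamp, v.reason)
```

Run over the sample records, three of the five are reported: SSH from the partner range (only 443 is allowed there), the inbound record with a 10.0.0.0/8 source, and the outbound connection to a destination that is not the gateway or a resolver. The same evaluate function can be pointed at real firewall logs once parse_record is adapted to their format.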

    3 Analysis and remediation of web vulnerabilities (overview)

    3.1 Server

    1. XSS (cross-site scripting): forbid operations initiated from sites other than the resource's own. Site identification, signature verification, and so on
    2. SQL injection: mainly about keeping the database secure and preventing data loss; mitigated with SQL filtering and precompiled (parameterized) statements
    3. Horizontal and vertical privilege escalation: dynamic permission checks per user, so that no role obtains data beyond its authority
    4. Duplicate-submission protection, preventing data corruption and the like
    5. Data storage: store data encrypted
    6. Data enumeration: enumeration controls, especially for important data and user data
    7. Weak-password control: only accept passwords composed of several kinds of characters
    8. Server directory traversal: directory permission control to prevent traversal
    9. Interface (API) permission control: API authentication
    10. Outage handling: prevent cascading (avalanche) failures; use a distributed design
    11. …………
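Items 2, 3, 7 and 8 of the list above each have a small, concrete server-side form. The block below is an added example (not code from the post) showing all four in Python: the SQL query built by string concatenation beside its parameterized form, an object-ownership check against horizontal privilege escalation, a directory-traversal guard that resolves the path before testing containment, and a password-composition rule. The in-memory SQLite table, the user names, the probe input and the upload directory name are all constructed for the example.

```python
"""Working forms of four of the server-side controls listed above.

Added example, not from the post: an in-memory SQLite table, constructed user
names and a constructed upload directory stand in for a real application.
"""
import os
import sqlite3


def open_db():
    """Constructed sample data: two users, each owning one order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT, note TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", "note-of-alice"), (2, "bob", "note-of-bob")])
    return con


# 2. SQL injection: the user value as query text vs. as a bound parameter.
def notes_vulnerable(con, owner):
    # The value is spliced into the SQL string, so a quote inside it rewrites
    # the WHERE clause.  "Before" version, kept only to show the difference.
    sql = f"SELECT note FROM orders WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]


def notes_safe(con, owner):
    # Prepared statement: the driver sends the value separately from the SQL
    # text, so the query shape cannot change whatever the value contains.
    return [row[0] for row in con.execute(
        "SELECT note FROM orders WHERE owner = ?", (owner,))]


# 3. Horizontal privilege: check ownership of the object, not just that the
#    caller is logged in.
def load_order(con, order_id, current_user):
    row = con.execute("SELECT owner, note FROM orders WHERE id = ?",
                      (order_id,)).fetchone()
    if row is None or row[0] != current_user:
        return None   # same answer for "missing" and "not yours": no enumeration hint
    return row[1]


# 8. Directory traversal: resolve first, then require the result to stay
#    under the base directory.
def resolve_under(base_dir, user_path):
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: "/srv/files2" starts with "/srv/files".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return target


# 7. Weak passwords: minimum length plus at least three character classes.
def password_is_strong(pw, min_len=12):
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    con = open_db()
    probe = "x' OR '1'='1"     # constructed input that contains a quote
    print("vulnerable:", notes_vulnerable(con, probe))   # every note leaks
    print("safe:      ", notes_safe(con, probe))         # nothing matches
    print(load_order(con, 2, "alice"))                   # None: not alice's order
    print(resolve_under("/srv/files", "a/b.txt"))
```

The ownership check returns the same None for an order that does not exist and for one that belongs to someone else, which also serves item 6: a caller probing sequential ids learns nothing about which ids are taken.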

    3.2 Client

    1. Client tampering: detect jailbreak on iOS, verify root permissions on Android
    2. Screen recording: block screen recording to protect passwords and users' private screenshots
    3. Permission control: disable location and related operations where possible, to prevent leaking personal whereabouts
    4. Data storage: store data encrypted
    5. Sensitive information leakage: mask information when it is displayed
    6. Data and page permission control, preventing API and page leakage
    7. Code leakage: obfuscated compilation, making the code harder to read


Copyright notice: published by 玥玥 on 2021-03-12 15:25:17.
Please credit when reposting: Network topology and security | 女黑客导航