当前位置:网站首页>Why is access to the external network prohibited for internal services of the company?
Why is access to the external network prohibited for internal services of the company?
2022-07-07 09:01:00 【bboyzqh】
List of articles

In the above figure, network access is divided into two directions :
- Internet( Extranet ) Access the company network www.taobao.com: The request will be forwarded to the company's load balancing server after routing , The load balancing server will check the request 、 Current limiting and other controls , Generally, there is no safety risk .
- Corporate LAN access Internet( Extranet )www.baidu.com: Corporate LAN access Internet( Extranet )www.baidu.com when , It will also be forwarded by route , If... Is set in the router ACL( Access control list ), Can't access , Otherwise, you can access . here ACL It can be configured separately according to the requests of different network segments in the company's LAN , For example, the production network has a high security level and cannot access the external network , And the office network can access the external network ( For example, Alibaba's internal seven network isolation ). This can not only improve network security , And easy to manage .
A brief introduction ACL,ACL( Access control list ) It's an access control technology based on packet filtering , It can filter the data packets on the interface according to the set conditions , Allow it to pass through or discard . Access control lists are widely used in routers and layer 3 switches , With access control lists , Can effectively control the user's access to the network , So as to ensure the network security to the greatest extent . Now let's introduce what is accessing the Internet 、 The risk of accessing the Internet , And what scenarios need to apply for external Internet .
What is access to the Internet ?
Accessing the Internet refers to The application server deployed in the company actively connects to the public network , For example, a server of the production network in the above figure accesses www.baidu.com.
The risk of accessing the Internet
If the internal application server of the company has the ability to actively connect to the public network, there are the following risks :
- Attackers can download malicious backdoors from the public network 、 Mining Trojan horse, etc , Then invade the internal server of the company
- Attackers can obtain internal data of the company , Thus causing data leakage
- Convenient for attackers XXE、SSRF Etc
What business scenarios need to apply for external Internet ?
Connect with external open platforms , Need to use open api Equal demand . Such as visiting Alipay open platform
Reptile demand .
Ants have had security incidents before , An internal application of ant has patrol function , Will visit the domain name provided by the user ( The domain name provided by the user is uncertain , For example, the State Council Government website ), The application has visited a large number of State Council government websites , Because all applications of ant production network share the external network outlet ip, Cause all ants to exit ip Supplement the ban on government websites , It affects the operation of a large number of core businesses of ant , It had a great impact .
…
So , By default, the application baseline does not allow access to the Internet ( Try on the server ping command , Such as ping www.baidu.com To verify ), For the above business scenarios , If you need to open Internet access , After the security assessment, the operation and maintenance department can release the restriction of accessing the external network .
Welcome to reprint , Please indicate the source ! Welcome to WeChat official account. : Fang Chen's blog
边栏推荐
- Greenplum 6.x build_ Environment configuration
- 硬件大熊原创合集(2022/06更新)
- OpenGL 3D graphics rendering
- Mock. JS usage details
- 【ChaosBlade:节点磁盘填充、杀节点上指定进程、挂起节点上指定进程】
- 2022-06-30 unity core 8 - model import
- Panel display technology: LCD and OLED
- Speaking of a software entrepreneurship project, is there anyone willing to invest?
- ncs成都新電面試經驗
- 个人力扣题目分类记录
猜你喜欢
随机推荐
模拟卷Leetcode【普通】1705. 吃苹果的最大数目
Implement custom memory allocator
Personal deduction topic classification record
systemd
OpenGL三维图形绘制
Unity shader beginner's Essentials (I) -- basic lighting notes
硬件大熊原创合集(2022/05更新)
[MySQL] detailed explanation of trigger content of database advanced
【ChaosBlade:节点磁盘填充、杀节点上指定进程、挂起节点上指定进程】
[chaosblade: node disk filling, killing the specified process on the node, suspending the specified process on the node]
Goldbach conjecture C language
MySQL master-slave delay solution
GoLand set goproxy
硬件大熊原创合集(2022/06更新)
【ChaosBlade:根据标签删除POD、Pod 域名访问异常场景、Pod 文件系统 I/O 故障场景】
NCS Chengdu Xindian interview experience
STM32 serial port register library function configuration method
The longest ascending subsequence model acwing 1017 Strange thief Kidd's glider
C语言指针(中篇)
Calf problem