当前位置:网站首页>Why is access to the external network prohibited for internal services of the company?
Why is access to the external network prohibited for internal services of the company?
2022-07-07 09:01:00 【bboyzqh】
List of articles

In the above figure, network access is divided into two directions :
- Internet( Extranet ) Access the company network www.taobao.com: The request will be forwarded to the company's load balancing server after routing , The load balancing server will check the request 、 Current limiting and other controls , Generally, there is no safety risk .
- Corporate LAN access Internet( Extranet )www.baidu.com: Corporate LAN access Internet( Extranet )www.baidu.com when , It will also be forwarded by route , If... Is set in the router ACL( Access control list ), Can't access , Otherwise, you can access . here ACL It can be configured separately according to the requests of different network segments in the company's LAN , For example, the production network has a high security level and cannot access the external network , And the office network can access the external network ( For example, Alibaba's internal seven network isolation ). This can not only improve network security , And easy to manage .
A brief introduction ACL,ACL( Access control list ) It's an access control technology based on packet filtering , It can filter the data packets on the interface according to the set conditions , Allow it to pass through or discard . Access control lists are widely used in routers and layer 3 switches , With access control lists , Can effectively control the user's access to the network , So as to ensure the network security to the greatest extent . Now let's introduce what is accessing the Internet 、 The risk of accessing the Internet , And what scenarios need to apply for external Internet .
What is access to the Internet ?
Accessing the Internet refers to The application server deployed in the company actively connects to the public network , For example, a server of the production network in the above figure accesses www.baidu.com.
The risk of accessing the Internet
If the internal application server of the company has the ability to actively connect to the public network, there are the following risks :
- Attackers can download malicious backdoors from the public network 、 Mining Trojan horse, etc , Then invade the internal server of the company
- Attackers can obtain internal data of the company , Thus causing data leakage
- Convenient for attackers XXE、SSRF Etc
What business scenarios need to apply for external Internet ?
Connect with external open platforms , Need to use open api Equal demand . Such as visiting Alipay open platform
Reptile demand .
Ants have had security incidents before , An internal application of ant has patrol function , Will visit the domain name provided by the user ( The domain name provided by the user is uncertain , For example, the State Council Government website ), The application has visited a large number of State Council government websites , Because all applications of ant production network share the external network outlet ip, Cause all ants to exit ip Supplement the ban on government websites , It affects the operation of a large number of core businesses of ant , It had a great impact .
…
So , By default, the application baseline does not allow access to the Internet ( Try on the server ping command , Such as ping www.baidu.com To verify ), For the above business scenarios , If you need to open Internet access , After the security assessment, the operation and maintenance department can release the restriction of accessing the external network .
Welcome to reprint , Please indicate the source ! Welcome to WeChat official account. : Fang Chen's blog
边栏推荐
- Digital triangle model acwing 1027 Grid access
- 硬件大熊原创合集(2022/05更新)
- Uniapp wechat applet monitoring network
- 如何统计项目代码行数
- Several common database connection methods
- 最长上升子序列模型 AcWing 1017. 怪盗基德的滑翔翼
- Vagrant failed to mount directory mount: unknown filesystem type 'vboxsf'
- With an annual salary of 50W, Alibaba P8 will come out in person to teach you how to advance from testing
- Markdown editor Use of MD plug-in
- Count the number of words C language
猜你喜欢
Greenplum 6.x build_ Environment configuration
The essence of high availability
使用Typora编辑markdown上传CSDN时图片大小调整麻烦问题
Output all composite numbers between 6 and 1000
平台化,强链补链的一个支点
Synchronized underlying principle, volatile keyword analysis
Introduction to data fragmentation
Greenplum 6.x build_ install
JVM 垃圾回收 详细学习笔记(二)
为不同类型设备构建应用的三大更新 | 2022 I/O 重点回顾
随机推荐
NCS Chengdu New Electric interview Experience
channel. Detailed explanation of queuedeclare parameters
Original collection of hardware bear (updated on May 2022)
Esp32-ulp coprocessor low power mode RTC GPIO interrupt wake up
模拟卷Leetcode【普通】1609. 奇偶树
2022-07-06 unity core 9 - 3D animation
C语言指针(特别篇)
2022-06-30 unity core 8 - model import
【ChaosBlade:根据标签删除POD、Pod 域名访问异常场景、Pod 文件系统 I/O 故障场景】
Mock. JS usage details
C language for calculating the product of two matrices
MySQL partition explanation and operation statement
Mountaineering team (DFS)
Isomorphic C language
Unityshader introduction essentials personal summary -- Basic chapter (I)
9c09730c0eea36d495c3ff6efe3708d8
Ppt template and material download website (pure dry goods, recommended Collection)
Recommended by Alibaba P8, the test coverage tool - Jacobo is very practical
数据在内存中的存储
Greenplum 6.x common statements