Network Device Hard-Core Technology Insider: Firewall and Security Gateway (IX) Virtualization Artifact (II)
2022-07-28 00:49:00 【User 8289326】
During the anti-epidemic campaign, the Huashan Sect became famous for its online video courses and entered the leader quadrant of the national Wulin.
As the saying goes, tall trees catch much wind. Soon, Yue Buqun was summoned for a talk by the network security department. The reason: some advertisements that violate the core socialist values had been inserted into the Huashan Sect's website.
Some like this:
And some like this:
Ah? You can't see them? That's because they were identified as bad pictures and blocked.
Yue Buqun flew into a rage and ordered the website department to check the servers immediately. But the website development department reported that there were no advertisements on the website and no sign that it had been invaded and implanted with advertisements.
Linghu Chong took up the task at this moment of danger and organized the network security team to interview users one by one.
Soon, Linghu Chong found the pattern:
All the users who saw unhealthy advertisements on Huashan Sect pages were users of an "Internet smart home router".
It turned out that some unscrupulous businesses exploit the public's fondness for a bargain: under the banner of "giving away" routers, they "give" users a router that has the function of inserting advertisements into web pages.
As long as you use such a router at home, some of the web pages you view will have advertisements inserted.
The solution is simple: enable the HTTPS service for all websites on the front-end virtual machine.
Because HTTPS is based on SSL, all data is encrypted, so a third party's attempt to insert advertisements into the web HTTP data stream will not work.
However, in the test environment, the engineers found that browsers always showed an error like this:
It turned out that the browser regards the load balancing device as a device carrying out a "man-in-the-middle attack".
What is a "man-in-the-middle attack"?
User A expects to communicate privately with user K:
Here, the communication is expected to be encrypted, so it cannot be stolen or tampered with.
To intercept or tamper with the content, O claims to user A to be user K, and claims to user K to be user A, as shown in the figure below:
In this way, user A and user K both think they are communicating with each other, when in fact both of them are communicating with O. The communication between the two parties is completely intercepted by O, and there is no privacy or security.
To prevent this kind of "man-in-the-middle attack", SSL introduces a certificate mechanism built on the public key/private key system: an authority signs the server's information with its private key, and the peer uses the public key to verify the signature. Because the public key/private key system is difficult to counterfeit, the server can in this way prove that it belongs to a specific domain name.
With this background, we can see why the load balancing device causes the user's browser to report an error in the HTTPS scenario:
As shown in the figure, because the LB has not obtained a certificate signed by the authority, it can only use a self-signed certificate when accepting SSL connections. The user's browser sees that the signer is not in its list of trusted authorities, so it naturally does not trust the peer and reports an error.
The solution is also obvious .
It requires developing a function on the LB: certificate installation. Install the certificate that the website applied for from the authority onto the LB!
As shown in the figure, because the certificate that the website developer applied for from the authority is installed on the LB, users can trust the LB device, and the two sides establish a secure HTTPS connection.
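The trust decision described above can be reproduced offline with the openssl command-line tool. This is an added example, not part of the original article: "Demo Root CA" and www.example.test are constructed names, and `openssl verify` stands in for the browser's check. It goes one step further than the text by also checking the host name, since the certificate is what ties the server to a specific domain name.

```shell
#!/bin/sh
# Constructed demo: "Demo Root CA" and www.example.test are made-up names.
set -e

# Stand-in for the browser's decision: does `openssl verify` accept the cert?
verdict() {
  if openssl verify "$@" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

lb_cert_demo() {
  d=$(mktemp -d)
  site=www.example.test

  # The authority: a root CA that the client keeps in its trusted list.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

  # LB before the fix: a certificate it signed itself.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$site" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null

  # LB after the fix: the site sends a CSR and the authority signs it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$site" \
    -keyout "$d/lb.key" -out "$d/lb.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$site" > "$d/ext.cnf"
  openssl x509 -req -in "$d/lb.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/lb.pem" 2>/dev/null

  self=$(verdict -CAfile "$d/ca.pem" "$d/self.pem")
  issued=$(verdict -CAfile "$d/ca.pem" -verify_hostname "$site" "$d/lb.pem")
  # Same CA-issued certificate presented for a name it was not issued for.
  wrong=$(verdict -CAfile "$d/ca.pem" -verify_hostname other.example.test "$d/lb.pem")

  rm -rf "$d"
  echo "self-signed=$self ca-issued=$issued wrong-name=$wrong"
}

lb_cert_demo
```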
This also led to another evolution of the security gateway.
Stay tuned for the next installment.