SPA in SDP
2022-07-04 03:57:00 [Hua Weiyun]
What is SPA? A spa? A massage? No. Actually, swimming is also a kind of SPA: while you swim, the water massages your whole body. But people prefer to lie down and be massaged by someone else, because lying down is more comfortable.
For people in IT, the first thing SPA may mean is a single-page web application.
Single Page Application
The idea of a SPA is very simple: the HTML, JavaScript and CSS (if any) of a web application are sent only once. Once the browser has the HTML, every further modification of the DOM is made by JavaScript, which gives the user the impression of navigating to another page.
For example, when you navigate from the home page to the vacation list page, the server no longer needs to send different HTML. Of course, the server still participates: it provides updated data and, in multi-user applications, remains the "single source of truth". But in the SPA model, how the application is presented to the user is no longer a server-side concern; it is the responsibility of JavaScript and the framework. It is the framework that creates the pleasant illusion of an application with multiple pages.
It is generally held that Angular was the first SPA framework. Many more members later joined the SPA camp, the most famous being React, Vue and Ember.
The second possibility is Single Packet Authentication (SPA) in a Software Defined Perimeter (SDP).
A Software Defined Perimeter (SDP) is a network security solution, also called Zero Trust Network Access. We will leave its development history aside.
Why call it zero trust? At first glance the term sounds very unfriendly.
Actually, the essence of a network is communication and sharing. That is why the Internet has developed so fast; if the network had been built security-first, I do not think the Internet would have grown so quickly.
Just as there are liars and bad actors in real life, the bad actors and sabotage on the network are more covert, rampant and unrestrained. There is a saying that the Internet is not a lawless place; put another way, in the past the Internet seemed to be a lawless place. That is only in terms of social governance.
Looking at the technical structure of the network, security was given little consideration at first, so on the Internet there are temptations, deceptions and destructive operations that you cannot see.
Here is a commonly used overview picture of the TCP/IP protocol suite, taken from "UNIX Network Programming".
Each layer of the protocol stack has some security defects:
ICMP
- Using "Destination Unreachable" messages to launch a denial-of-service attack against the target.
- Using "Redirect" messages to corrupt routing tables and paralyze the network.
- Trojans using ICMP messages for covert communication.
- Using "Echo Request/Reply" packets for network scanning or denial-of-service attacks.
UDP is easily used for storm (flood) denial-of-service attacks.
TCP
- The number of TCP connections a host or server allows is limited, so attackers often use full connections (completing the three-way handshake) or half-open connections (stopping after the second step of the handshake) to launch a denial-of-service attack on the target, such as SYN flood and TCP connection exhaustion attacks.
- Sequence number prediction. The initial sequence number (ISN) of a TCP segment is chosen when the connection is established. An attacker can obtain the last sequence number by sending a connection request to the target host, then measure the round-trip time (RTT) between the attacking host and the target over many rounds. Knowing the last connection's sequence number and the RTT, the sequence number of the next connection can be predicted. If the attacker predicts the sequence number, he can forge harmful packets that the target host accepts.
- Network scanning. Attackers can use TCP connection requests for port scanning to learn the status of network services on the target host and then launch targeted attacks.
IP
- The IP protocol has no authentication mechanism. Because IP performs no source authentication, almost every field of an IP packet can be forged. For example, IP has no control that prevents packets from being tampered with; an attacker can forge header fields and the checksum, or recalculate the checksum so that network nodes do not discard the packet. Because IP gives no guarantee that a packet really comes from its source address, an attacker can fake the IP source address. Many attacks that need to rewrite the IP header use IP spoofing; the main ones include denial-of-service attacks, man-in-the-middle attacks, source-routing attacks, client-side attacks and server-side attacks.
- Datagram fragmentation. Because of the MTU limits of lower-layer protocols, IP datagrams may need to be fragmented and reassembled at the destination. Attackers can exploit this mechanism: for example, to attack hosts that cannot correctly handle abnormal fragments (such as overlapping fragments), to bypass firewalls, or to evade inspection by intrusion detection systems.
- Addressing and protocol options. The addressing information of datagrams and the protocol options reveal some network topology information. Options that record the route or timestamps may be used by attackers for network reconnaissance.
- Access control and bandwidth control. IP has no access control mechanism, which lets attackers view the contents of upper-layer protocols (such as TCP and UDP). Attackers can also exploit IP's lack of bandwidth control and use packet storm attacks to consume bandwidth and system resources, resulting in denial of service.
We will not discuss the security defects of ARP.
At the application layer there are even more defects and vulnerabilities, too many to list here.
So what is SPA, single packet authentication? What is it for?
Because TCP/IP is so widely used, it is hard to directly fix or replace its security problems. Instead, the security problems can be addressed by formulating security rules.
In other words: on my own turf, I make the rules for secure access, and I have the final say.
SDP is such a rule and solution, namely "authenticate before connecting", and SPA is its implementation.
If there is an SDP product, then the IT resources it protects stand behind it and the SDP product stands in front.
By default, the SDP product discards every unauthenticated TCP/UDP packet it receives. Only after SPA authentication succeeds will a (TCP) connection be established.
So the SDP product closes all entrances and leaves only one, SPA, and you must authenticate correctly before you enter; otherwise you get a silent refusal.
SPA generally uses UDP rather than TCP, because UDP is connectionless and by default requires no response. This is a big advantage: packets that fail authorization can simply be dropped, which keeps the gateway hidden. In addition, from a security perspective, TCP is more exposed to attack.
Also, how the SPA authentication entry point is implemented without a listening port, and how SPA ensures the confidentiality, integrity and non-replayability of the custom protocol portion of the packet, are beyond the scope of this post.
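As an added example (not the author's code or any SDP product's), the following Python sketches the single-packet check described above: the client sends one UDP payload carrying an identity, a timestamp, a random nonce and an HMAC keyed with a pre-shared secret, and the gateway verifies integrity, freshness and nonce uniqueness before it would open the protected TCP service to that source; anything that fails is dropped without a reply. The key, the field layout and the 30-second freshness window are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Pre-shared key between the SPA client and the SDP gateway (constructed example value).
PSK = b"example-pre-shared-key-change-me"
REPLAY_WINDOW = 30               # seconds a packet is accepted around its timestamp
PACKET_LEN = 16 + 8 + 16 + 32    # client_id | timestamp | nonce | HMAC-SHA256
_seen_nonces = set()             # accepted nonces; prune entries older than the window in practice


def build_spa_packet(client_id: str, key: bytes = PSK, now: Optional[float] = None) -> bytes:
    """Client side: the single UDP payload sent before any TCP connection is attempted."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    body = client_id.encode()[:16].ljust(16, b"\0") + struct.pack("!Q", ts) + nonce
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_spa_packet(pkt: bytes, key: bytes = PSK, now: Optional[float] = None) -> Optional[str]:
    """Gateway side: return the client id on success, None on any failure (caller drops silently)."""
    if len(pkt) != PACKET_LEN:
        return None
    body, tag = pkt[:-32], pkt[-32:]
    # Integrity and origin: constant-time HMAC check before any field is trusted.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    client_id = body[:16].rstrip(b"\0").decode(errors="replace")
    (ts,) = struct.unpack("!Q", body[16:24])
    nonce = body[24:40]
    cur = int(time.time() if now is None else now)
    if abs(cur - ts) > REPLAY_WINDOW:    # stale or future-dated packet
        return None
    if nonce in _seen_nonces:            # exact replay of an earlier valid packet
        return None
    _seen_nonces.add(nonce)
    return client_id


if __name__ == "__main__":
    pkt = build_spa_packet("alice")
    print(verify_spa_packet(pkt))   # alice: the gateway would now open the service for this source
    print(verify_spa_packet(pkt))   # None: the same packet replayed is dropped
```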