Access Control
Detective Access Control
FunctionTo detect and record unauthorized activities.
MethodThese controls themselves do not directly prevent attacks or violations, but monitor, detect, and record these events for subsequent investigation or response.
Example:
IDS (Intrusion Detection System) monitors traffic and records suspicious behavior.
SIEM (Security Information and Event Management) tools collect logs and analyze abnormal activities.
Security audit logs record user access behavior to detect violations.
Preventive Access Control
FunctionTo prevent unauthorized activities from occurring.
MethodIt is a 'pre-event' control, the goal of which is to prevent threats or violations from occurring, rather than补救 after the fact.
Example:
ACL (Access Control List) restricts certain users from accessing specific files or resources.
Firewall rules to block malicious IP access to internal networks.
Account lockout policies to prevent brute-force password attacks.
Deterrent Access Control
FunctionIt is to deter attackers or insiders from engaging in malicious operations.
MethodIt is not a direct technical protection, but a psychological deterrent, making potential violators hesitate.
Example:
Surveillance cameras to let employees or visitors know that their behavior is being monitored.
Violation warning signs, such as “Unauthorized access will be pursued legally.”
The company's security policy, explicitly stipulating the penalties for violations.
Corrective Access Control
FunctionIt is to restore the system to a normal state after a failure, intrusion, or system destruction.
MethodIt is a 'post-event' control, the purpose of which is to repair the damage and minimize the impact as much as possible.
Example:
Backup and recovery mechanisms to restore data after system crashes.
Undo the impact of malicious software, such as automatically isolating infected hosts and executing remedial measures.
Incident response plan, taking measures to fix vulnerabilities when a security incident occurs.
Strong password
Difficult to guess, unpredictable, and meet the minimum length requirements
PurposeTo prevent passwords from being brute-forced or attacked by social engineering.
Reason:
Too short passwords are easilyBrute force(Brute Force).
Predictable passwords (such as birthdays, “123456”) are easilyDictionary attack(Dictionary Attack).
Strong passwords are usuallyContains uppercase and lowercase letters, numbers, and special characters,并且长度至少为 12-16 位。
随机生成,使用所有字母、数字和标点符号
Purposeand have a length of at least 12-16 characters.Randomly generated, using all letters, numbers, and punctuation marksand: Increase the complexity of the passwordComplexity
Reason:
Entropy value(Entropy, a measure of password randomness).。
Humans are easy to use passwords with patterns (such as "P@ssw0rd123"), but these patterns can be
Intelligent guessingComputer-generated random passwords (such asXy9@Lm!2#qR%)harder to crack.Combining all character types makes it difficult for attackers to
Pattern matching
PurposeShould not be written down or shared with others: Prevent the password from being easily cracked due toMistakes made by humans
Reason:
Lead to password leakage.Written on paper or stored in a text file, easy toOrStolen。
PhotographySharing with others may lead toInternal threats
(Insider Threats).A safer alternative is to usePassword managers
(such as Bitwarden, Keepass).
PurposeShould not be stored in publicly accessible or readable locations
Reason:
: Prevent the password from being accidentally leaked. Stored on the desktop,TXT filesOr ExcelBrowser auto-fillIt is easy to beOrMalwareIntruders
Leakage of environment variables from code repositories (such as GitHub) reading.
password="admin123"It is easy to be discovered by hackers.
Should not be transmitted in plaintext
Purpose: Prevent **Man-in-the-Middle Attack (MITM)** from intercepting passwords.
Reason:
通过 HTTP,Email,Chat toolsSending plaintext passwords (such as QQ/WeChat) is easy to intercept.
Should be usedEncrypted transmission(such as HTTPS, TLS/SSL).
Multi-factor authentication (MFA) can provide additional security, even if the password is stolen, an additional verification step is still required.
IDS
1. Network-based IDS (NIDS)
Function: Monitoring network traffic, detecting attack attempts (including DoS attacks).
Advantages:
Can detectExternal attacks, such as SYN Flood, UDP Flood, ICMP Floodand other DoS attacks.
Can detect persistent intrusion attempts, such as brute force attacks, scanning activities, etc.
Limitations:
It is impossible to confirm whether the attack was successfulbecause it only analyzes network traffic and does not check the status of the host system.
It is impossible to accurately locate the affected resources, it is impossible to know specificallyWhich user, file, or applicationdestroyed.
may beencrypted trafficBypassing (such as HTTPS) requires coordination withDecryption technologyor host-based detection.
Example::
Snort,Suricata(Open-source NIDS)
Zeek (Bro)(IDS that analyzes network traffic)
2. Host-based IDS (HIDS)
FunctionMonitoring activities on a specific host, such as file changes, abnormal processes, log analysis, etc.
Advantages:
Can detectWhether the intrusion was successful, such as whether the attacker has tampered with system files, modified permissions, etc.
MonitorSpecific users, processes, and applicationsAbnormal behavior, providing detailed intrusion traces.
Limitations:
Cannot efficiently detect network-level DoS attacks, because it focuses onHost behavior, rather than network traffic.
If the attack directly leads to the host failure (such as CPU resource exhaustion, disk full), HIDS may fail.
Example::
OSSEC(Open-source HIDS)
Wazuh(Supports SIEM HIDS)
Tripwire(Monitor file integrity HIDS)
3. Vulnerability scanner
Function: Scan known vulnerabilities in systems and applications and provide repair suggestions.
Advantages:
Can identifyVulnerabilities that may be exploited by attackers, such as unpatched services, weak passwords, etc.
HelpsPreventive measures for DoS vulnerabilities, but will not actually execute the attack.
Limitations:
Will not actively detect DoS attacks, can onlyDiscover potential DoS vulnerabilities。
Cannot determine whether the vulnerability hasHas been exploited, only provides possible security risks.
Example::
Nessus(Commercial vulnerability scanner)
OpenVAS(Open-source vulnerability scanner)
Qualys(Cloud-based vulnerability scanning)
4. Penetration testing
Function: Simulate an attacker, actively test the system's security, including the exploitation of DoS-related vulnerabilities.
Advantages:
Can verify the existence of exploitable DoS vulnerabilities, and test the system's anti-attack capability.
Provide a real attack perspective, more targeted than vulnerability scanning.
Limitations:
Not a detection tool, it isActive testingInstead of passive monitoring.
May lead toActual DoS attack, affects business operations, therefore it is necessaryPrior authorizationand take emergency measures.
Example::
Kali Linux(Provides DoS penetration testing tools, such as hping3, slowloris)
Metasploit(Can test DoS vulnerabilities)
LOIC, HOIC(Used for DoS testing)
| Tool type | Can detect DoS attacks? | Function | Limitations |
|---|---|---|---|
| NIDS (Network IDS) | Can detect | Discover DoS attack traffic | Cannot confirm whether the attack was successful, cannot locate the affected system |
| HIDS (Host IDS) | Difficult to detect | Monitor host behavior | Cannot detect network layer DoS attacks, may fail when the host crashes |
| Vulnerability scanner | Cannot detect | Discover potential DoS vulnerabilities | Cannot determine whether an attack has occurred, only provide preventive suggestions |
| Penetration testing | Executable DoS attack | Discover DoS vulnerabilities, verify system defense | Not a detection tool, may affect business |
DOS
1. Non-malicious DoS event
DoS 并非总是黑客刻意发动的攻击,某些软件或系统设计缺陷也可能引发 DoS,for example:
DoS is not always an attack deliberately launched by hackers; certain software or system design flaws may also trigger DoS.
CPU resource occupation issuesCertain processes may be due toOrDead loopThread locking
, causing CPU resources to be exhausted, affecting the execution of other tasks in the system.
For example: an application continuously requests resources but never releases them, causing the entire system to slow down or crash.
Memory leaks
For example: a web server allocates new memory each time it processes a request, but never releases it, eventually exhausting all available memory.
Unreasonable resource consumption
The resource consumption of certain services is not proportional to the volume of requests processedImbalanced, causing the server to be unable to handle normal traffic.
For example: a database query request consumes too many CPU or I/O resources, even if the request volume is not large, the system still crashes.
Actual cases:
In the 1990s Windows 95's 'Blue Screen of Death' (BSOD): Certain applications can cause the entire system to crash, forcing users to restart their computers.
In 2010 iPhone 4 signal problem: When the user holds a specific area of the phone, it causes a significant drop in signal, affecting normal phone calls (although this is not a typical DoS, but similar design flaws may cause certain services to be unavailable).
2. Differences between Social Engineering and DoS
Social Engineering (Social Engineering)
Mainly refers toDeception,Disguise,Psychological manipulationand other ways to obtain sensitive information or access permissions.
For example: hackers pretend to be IT directors, deceiving customer service personnel to reset the administrator password.
Differences from DoS: Social engineering mainly targetsPeople, while DoS attacks are aimed atSystem resources, making it unable to run normally.
Example::
Pretending to be an IT technician, tricking employees into giving their VPN account passwords (social engineering).
Sending a large number of spam emails, making the user's email box full, making it difficult to find normal emails (DoS).
3. Differences between Sniffing (Sniffing) and DoS
Sniffing (Sniffing)
Refers to intercepting network traffic, analyzing packet content, in order to stealUsername, password, sensitive informationetc.
For example: using Wireshark to listen to unencrypted HTTP transfers to obtain login credentials.
Differences from DoS: The purpose of sniffing isSteal information, while the purpose of DoS isParalyze services。
Example::
Hackers perform sniffing on open Wi-Fi (such as in cafes), stealing users' login credentials(Sniffing).
Hackers send a large amount of spam traffic to servers, causing network congestion(DoS).
4. Sending Harassment Information vs. DoS
Spam
Sending a large number of spam emails (such as advertisements and scam emails) may affect the normal use of the recipient's email account.
But if the volume of emails is not large enough, it is justHarassment behavior, it does not count as DoS.
When spam becomes DoS
Email Bombing: Sending to someone's emailA large number of emails, causing the mail server to overload and thus preventing the recipient from receiving other emails (this is considered DoS).
For example: someone sends millions of emails to the victim's email, causing the email box to overflow and affecting normal communication.
Example::
Hackers send 2 to 3 threatening emails to a user's email every day using scripts(Harassment, not DoS).
Hackers send millions of emails to the server using botnets, causing the mail server to crash(DoS).
Summary
| Concept | Is it a DoS attack? | Explanation |
|---|---|---|
| CPU resource exhaustion | It could be | If a process locks the CPU due to programming errors, it may cause the system to become unresponsive |
| Memory leak causing crash | It could be | Applications do not release memory, causing system crashes |
| Social Engineering (pretending to be an IT manager to steal passwords) | Not | The goal is to deceive people, not to make the system unavailable |
| Sniffing (intercepting network traffic) | Not | The goal is to steal information, not to crash the system |
| Spam | Not | Unless the volume of emails is extremely high, affecting server operation |
| Email Bombing | Is | A large number of emails cause the mail server to crash |
Security Recommendations
Prevent non-malicious DoS incidents:
Developers should manage resources wellSuch as avoiding memory leaks, optimizing CPU calculations).
System administrators should set resource quotas, to prevent a single application from monopolizing resources.
Prevent social engineering attacks:
Train employees, do not blindly trust phone or email requests for passwords.
Enable multi-factor authentication (MFA), even if the password is stolen, it can prevent intrusion.
Prevent sniffing attacks:
Enforce HTTPS/TLSProtect data transmission.
Use VPN to encrypt network traffic, to avoid being monitored.
Prevent spam DoS:
Deploy spam filter, such as SPF, DKIM, DMARC mechanisms.
Use email rate limiting, to prevent mail servers from being misused.
OSI Seven-Layer Model
The OSI model is divided into 7 layers, each with specific functions and corresponding different types of devices and protocols.
| Level | Name | Function | Common devices/protocols |
|---|---|---|---|
| Layer 7 | Application Layer | Provide network services to applications | HTTP, FTP, SMTP, DNS |
| Layer 6 | Presentation Layer | Responsible for data format conversion and encryption | SSL/TLS, JPEG, MP3 |
| Layer 5 | Session Layer | Responsible for establishing, managing, and terminating sessions | NetBIOS, RPC |
| Layer 4 | Transport Layer | End-to-end communication, providing reliable or unreliable data transmission | TCP, UDP, firewall |
| Layer 3 | Network Layer (Network) | Responsible for IP address addressing and routing selection | Routers, IP, ICMP |
| Layer 2 | Data Link Layer (Data Link) | Responsible for MAC address addressing and frame transmission | Switches, bridges, ARP |
| Layer 1 | Physical Layer (Physical) | Transmit bit streams, define physical interfaces | Cables, fibers, repeaters, hubs |
Firewall Classification
Firewalls are mainly divided into two categories:
Stateless Firewall
Static Packet Filtering Firewall (Packet Filtering Firewall)
Application-Level Gateway Firewall
Circuit-Level Gateway Firewall
Stateful Firewall
Stateful Packet Inspection (SPI)
1. Stateful Firewall (SPI)
Definition:
Dynamic Packet Filtering Firewall (Dynamic Packet Filtering Firewall)Is Stateful, it will track the status and context of network connections, such as:
Is the connection established?
To which session does this packet belong?
Is this connection legitimate?
Maintaining State Table, it can intelligently decide whether to allow packets to pass through.
Working principle:
When a host (A) initiates a TCP connection to a server (B), the firewall records the status of the connection, such as:
A → B [SYN]B → A [SYN-ACK]A → B [ACK]
After that, all packets on this connection will be allowed to pass through.
If the firewall does not see a three-way handshake (SYN-SYN-ACK-ACK), it may discard suspicious packets!
Advantages:
Can understand the contextCan dynamically adjust filtering rules to prevent abnormal or unauthorized connections.
More secureCan prevent attacks such as TCP SYN Flood.
Reduce the workload of rule maintenanceNo need to create rules for each port separately.
Example::
iptablesof
-m state --state ESTABLISHED,RELATEDRule:iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT允许已经建立的连接继续通信,而不必显式允许所有数据包。
allows established connections to continue communication without explicitly allowing all packets.
2. Stateless Firewall (Stateless Firewall)stateless firewallcannot remember the state of previous packets, each packet isindependent processing
without considering the communication context before and after.
2.1 Static Packet Filtering Firewall (Packet Filtering Firewall)based on static rules such as IP address, port number, protocol (TCP/UDP/ICMP)
does not track connection statusall packets are filteredfixed rulesmatching, for example:
iptables -A INPUT -p tcp --dport 80 -j ACCEPTallows traffic on all TCP port 80, regardless of which session it belongs to.
Advantages:
fast, uses fewer resources.
Disadvantages:
Cannot detect illegal connections(such as SYN Flood attack).
rule management is complexrules need to be manually set for each port.
2.2 Circuit-Level Gateway Firewall (Circuit-Level Gateway)
filters based on TCP/UDP ports and the process of establishing connections。
does not check specific data contentonly checks whether the TCP three-way handshake is completed.
Advantages:
faster, suitable for use in NAT, VPN and other scenarios.
Disadvantages:
Cannot detect application layer attacks such as SQL injection, XSS, etc.
2.3 Application Layer Gateway Firewall (Application-Level Gateway, ALG)
proxy trafficto check application layer protocols (such as HTTP, FTP).
For example: HTTP proxy servers can check the request URL, filter malicious traffic.
Advantages:
Can detect application layer attacks(such as SQL injection).
Disadvantages:
slowerbecause it requires deep analysis of packet content.
Summary: Firewall comparison
| Firewall type | Is it stateful? | Main features | Advantages and disadvantages |
|---|---|---|---|
| static packet filtering (Packet Filtering) | stateless | only filters based on IP and port | rules are simple but lack flexibility |
| circuit-level gateway (Circuit-Level) | stateless | check TCP/UDP connections | does not check data content |
| Application Layer Gateway (ALG) | stateless | proxy application layer traffic | high security but low performance |
| Stateful Firewall (Stateful Firewall) | stateful | maintain session state table, and intelligently adjust rules | more secure and can prevent SYN Flood |
VPN
1. VPN can run on various network connections
VPN is essentially a encrypted tunnelUsed to establish secure communication on insecure networks. It can run on the following 各种网络通信连接之上:
| 网络类型 | Description | VPN 适用性 |
|---|---|---|
| 有线局域网(LAN) | 例如办公室或家庭的以太网 | 可用于员工访问内部资源 |
| 无线局域网(WLAN) | Wi-Fi 网络,如咖啡店、机场、酒店 | 防止公共 Wi-Fi 中的数据被嗅探 |
| 拨号连接(Dial-up) | 通过电话线连接 ISP | 速度较慢,但仍可使用 VPN |
| 广域网(WAN) | 例如公司不同办公室之间的 MPLS 连接 | 企业级 VPN 典型应用 |
| 互联网(Internet) | 用户通过 ISP 访问远程资源 | 远程办公的主要方式 |
2. VPN 的工作原理
VPN 通过 加密和隧道协议在公共网络上创建安全的通信路径:
数据加密:使用 AES、ChaCha20、3DES等加密算法,确保数据不会被窃听。
隧道封装:数据被封装在 VPN 协议的数据包中,然后在公网上传输。
远程访问:VPN 服务器解密数据并将其发送到目标网络。
3. VPN 的主要类型
根据用途,VPN 主要分为 远程访问 VPNand 站点到站点 VPN。
(1) 远程访问 VPN(Remote Access VPN)
Applicable to 个人用户或员工远程访问公司网络,常见于远程办公。
使用场景:
在家办公时访问公司内网资源。
连接公共 Wi-Fi 时保护隐私。
Protocol:
OpenVPN(最常见)
WireGuard(性能优秀)
L2TP/IPSec
IKEv2/IPSec
(2) 站点到站点 VPN(Site-to-Site VPN)
Used for 连接公司不同办公室的网络,类似于“企业内部专线”。
使用场景:
连接总部与分公司网络。
通过 MPLS 或 SD-WAN进行企业级网络优化。
Protocol:
IPSec
GRE over IPSec
DMVPN(Cisco 动态多点 VPN)
4. VPN 可运行在任何类型的互联网连接上
你可以通过 4G/5G 移动数据连接 VPN,确保流量不会被运营商或中间人监视。
即使在 防火墙严格的国家,也可以使用 Shadowsocks、V2Ray、Trojan等协议绕过封锁。
CIA
C - 机密性(Confidentiality)
确保信息 不被未授权访问或泄露。
主要措施:加密、访问控制(ACL)、多因素认证(MFA)。
I - Integrity (Integrity)
Ensure the integrity of dataAccuracy and integrity, to prevent tampering or unauthorized modification.
Main measures: Hash (SHA-256), digital signature, access control management.
A - Availability
Ensure the security of systems and dataAccessible when needed, to avoid interruption or denial of service (DoS).
Main measures: DDoS protection, redundancy (RAID), backup, and disaster recovery.
WPA3
1. The main authentication method of WPA3
WPA3 mainly has two modes:
WPA3-Personal (Personal Mode)
Adopt SAE (Peer-to-Peer Synchronization Authentication), replacing WPA2's PSK (Pre-Shared Key)。
Defend against offline dictionary attacks: Attackers cannot crack Wi-Fi passwords offline by sniffing handshake packets.
Using Dragonfly Key Exchange, based on Diffie-Hellman Key Exchange, providing stronger security.
WPA3-Enterprise (Enterprise Mode)
Adopt IEEE 802.1XAuthentication mechanism, authenticated through RADIUS server.
Using EAP (Extensible Authentication Protocol)Authentication, supporting multiple methods:
EAP-TLS (Based on Certificate)
EAP-TTLS (Based on TLS Tunnel)
PEAP (Protected EAP)
Applicable to corporate, school, and other scenarios, which is safer than WPA3-Personal.
2. Protocol Analysis
(1) IEEE 802.1X (Enterprise-level Wi-Fi Authentication)
Port-based Network Access Control Protocol, to ensure that unauthenticated clients cannot access network resources.
Adopt EAP (Extensible Authentication Protocol, Extensible Authentication Protocol)。
Mainly used for WPA3-EnterpriseAuthentication.
(2) SAE (Peer-to-Peer Synchronization Authentication)
Applicable to WPA3-Personal, replacing the traditional PSK Pre-Shared Key。
Adopt Zero-Knowledge Proof, and does not transmit passwords directly.
Defend against offline dictionary attacks and improve security.
(3) IEEE 802.1Q (VLAN Tag)
Define VLAN (Virtual Local Area Network), used to divide multiple logical networks on the same physical network.
It is unrelated to Wi-Fi authentication, but is often used in corporate network environments with WPA3-Enterprise in combinationUsers with different authentication levels are divided into different VLANs.
(4) EAP-FAST
Cisco proprietary protocol, providing secure tunnel authentication。
is used to replace LEAP (Lightweight EAP), because LEAP has security vulnerabilities。
WPA3 does not support EAP-FAST, mainly used in the enterprise mode authentication methods such as EAP-TLS, PEAP, etc.。
3. WPA3 Security Advantages
| security features | WPA2 | WPA3 |
|---|---|---|
| authentication method | PSK (personal) 802.1X (enterprise) | SAE (personal) 802.1X (enterprise) |
| offline dictionary attack defense | not supported (may be cracked after capturing handshake packets) | supported (SAE prevents offline cracking) |
| forward secrecy (Forward Secrecy) | not supported (PSK can be used to decrypt historical traffic) | supported (SAE generates a unique key without affecting historical traffic) |
| device protection | not supported (weak passwords on IOT devices are easily attacked) | supported (WPA3-Easy Connect provides a safer pairing) |
| encryption strength | 128-bit | 192-bit (enterprise level) |
permission control
1. Explanation of Account Types
| account type | Description | Applicable scenarios |
|---|---|---|
| standard user account (User Account) | with only basic access permissions, unable to change system settings or install software | applicable to ordinary employees or visitors |
| guest account (Guest Account) | restricted account, unable to access sensitive data | applicable for short-term access |
| service account (Service Account) | used by applications or background processes, usually without interactive login permissions | applicable to databases, web servers, scheduled tasks, etc. |
| privileged account (Privileged Account) | with administrative level permissions, capable of system configuration, software installation, etc. | applicable to IT maintenance personnel, repair technicians, security administrators |
| domain administrator account (Domain Admin Account) | in the Windows AD (Active Directory) environment, with the permission to manage the entire domain | applicable to enterprise IT infrastructure management |
| root account (Root Account) | Linux/Unix highest privilege account | applicable to server operations and maintenance |
2. Why does a repair technician need a privileged account?
perform system maintenance(such as Windows updates, disk check, and repairing damaged system files).
install/uninstall software(which may involve drivers or critical system components).
access restricted system filessuch as
C:\Windows\System32Or/etc/directory).modify user permissions(such as adjusting the ACL access control list).
execute diagnostic commandssuch as
chkdsk,sfc /scannow,netstat,tasklist)
3. How to manage privileged accounts safely?
Privileged accounts have higher permissions, and if not managed properly, they may become targets of attacks.It is recommended to take the following measures:
Principle of least privilege (PoLP):Grant only the minimum permissions required for technicians to perform tasks.
Use temporary elevated privileges (Just-In-Time Access):Allow technicians to obtain administrative privileges during a specific time period.
Use the Privileged Access Management (PAM) system:Such as CyberArk, BeyondTrust, monitor the use of privileged accounts.
Enable MFA (multi-factor authentication):Prevent credential leakage leading to unauthorized access.
Record and audit privileged account activities:Enable Windows event log or SIEM to monitor privileged account behavior.
AAA (Authentication, Authorization, and Accounting) service
1. AAA component analysis
| Component | Description | Function |
|---|---|---|
| A - Authentication (Authentication) | Verify the identity of users or devices | Ensure that only legitimate users can access the system |
| A - Authorization (Authorization) | Control the operations that users or devices can perform | Ensure that users can only access the resources allowed |
| A - Billing (Accounting) | Record the operation logs of users | Monitor and audit user behavior to prevent abuse |
2. AAA authentication workflow
The user tries to access the system(such as VPN, Wi-Fi, server).
Authentication (Authentication):
User input Username + passwordOr Multi-factor authentication (MFA)。
The server checks the credentials and uses RADIUS, TACACS+ or LDAPAuthentication.
Authorization (Authorization):
The server determines whether the user Has access to resources(such as SSH, database, file sharing).
May use Role-based access control (RBAC)Or ACL access control。
Billing (Accounting):
Record user access, executed commands, and access duration.
Can be used for Log analysis, auditing, and security compliance。
3. AAA-related protocols
| Protocol | Usage | Characteristics |
|---|---|---|
| RADIUS(Remote Authentication Dial-In User Service) | Remote access authentication, Wi-Fi authentication | Using UDP, suitable for large-scale user authentication |
| TACACS+(Terminal Access Controller Access-Control System Plus) | Device management (such as routers, switches) | Uses TCP, more secure, and can handle authentication and authorization independently |
| LDAP (Lightweight Directory Access Protocol) | Directory services (such as AD, OpenLDAP) | Suitable for centralized management of user accounts |
| Kerberos | Server and user authentication | Suitable for Windows domain environments (Active Directory) |
4. Examples of AAA in practical applications
VPN authentication(Users use AAA for identity verification when connecting to the company VPN)
Wi-Fi enterprise-level authentication(WPA2-Enterprise relies on AAA for 802.1X authentication)
Server SSH access control(Operators use AAA for authentication and authorization when logging into Linux servers)
Network device management(Cisco devices use TACACS+ for administrator permission control)
Cloud platform permission management(AWS IAM, Azure AD use AAA to control cloud resource access)
5. AAA vs IAM (Identity and Access Management)
AAA is more inclined towards network and system access control, such as permission management for devices like VPN, Wi-Fi, SSH, routers, etc.
IAM (Identity and Access Management)Is More general identity management, including SSO (Single Sign-On), user lifecycle management, API access control, etc.
Token devices
1. Main differences between TOTP and HOTP:
| Features | TOTP (Time-based OTP) | HOTP (Event-based OTP) |
|---|---|---|
| Password generation basis | Current timestamp | Counter (event) |
| Synchronization methods | Server and client synchronization based on time | Server and client synchronization based on counter |
| Password validity period | Short-term validity (such as 30 seconds, 60 seconds) | Until used (will not timeout) |
| Applicable scenarios | Quickly changing dynamically, suitable for short-term verification (such as Google Authenticator, Microsoft Authenticator) | Based on counter changes, suitable for scenarios without time constraints (such as YubiKey) |
| Security | Higher, as the password becomes invalid after expiration, preventing replay attacks | Lower, as the password can still be used for authentication if the attacker intercepts it but does not use it |
| Common implementations | Google Authenticator, Microsoft Authenticator, RSA SecurID | YubiKey, certain hardware tokens |
2. TOTP (One-time Password Based on Time)
Formula:
[
TOTP = HOTP(K, T)
]
Among them:K:Shared key (stored on the server and client)T:Current timestamp (with a window of 30s or 60s)
Characteristics:
Based on HMAC-SHA1/SHA256Generate short-term valid OTP.
Commonly used in 2FA solutions such as Google Authenticator, Microsoft Authenticator, Duo Security, etc.
Prevents replay attacks because the OTP cannot be used again after expiration.
3. HOTP (One-time Password Based on Event)
Formula:
[
HOTP = HMAC(K, C)
]
Among them:K:Shared keyC:Event counter (increases by 1 for each authentication)
Characteristics:
Counter increments, not dependent on time, OTP will not expire until used.
Suitable for hardware tokens (such as YubiKey, RSA SecureID), no need for time synchronization.
Less secure than TOTP because if the OTP is intercepted but not used, it can still be used for authentication.
4. The Role of HMAC in OTP
HMAC (Hash-based Message Authentication Code)Used for Generate OTPBut It is not an authentication method itself。
It is a One-way hash function,combined with symmetric key generation to produce irreversible hash values.
Common algorithms:HMAC-SHA1, HMAC-SHA256, HMAC-SHA512.
HOTP and TOTP Both rely on HMAC for OTP generation。
5. SAML vs OTP
SAML (Security Assertion Markup Language)Not an OTP authentication method, but used for Federation,for example:
Single Sign-On (SSO):Allow users to access multiple systems seamlessly (such as enterprise Google Workspace + AWS).
Authentication Protocol:Used for exchange of user identity information between Identity Providers (IdP) and Service Providers (SP)。
XML structure,not used for OTP generation, but for Identity sharing。
6. Summary
TOTP:Based on time, OTP becomes invalid after expiration, with higher security (such as Google Authenticator).
HOTP:Based on a counter, not dependent on time, but may be exploited by replay attacks (such as YubiKey).
HMAC:Used for OTP generation, ensuring the security of one-time passwords, but not an authentication method itself.
SAML:Used for Federationand Single Sign-On (SSO),but not OTP generation method.
CSP
1. Why is the data retention policy the most important?
Data Collection and Storage: What data will the CSP collect (such as user identity, logs, transaction information)?
Data Storage Duration: How long will the data be stored (is it in compliance with regulations such as GDPR, CCPA)?
Data Destruction Strategy: How is data securely deleted (is secure erasure technology used)?
Data Access Permissions: Who can access the data (CSP employees, partners, is there third-party data sharing)?
Compliance requirements: Does data retention comply with standards such as ISO 27001, GDPR, HIPAA, SOC 2?
For example:
Companies like Facebook, Google, and Amazon provide SaaS-level services and can access user data, so their data retention policies are crucial.
If a CSP experiences a data breach or retains data for too long, it may lead to privacy compliance issues or legal risks.
2. Why are the number of customers, hardware, or service types less important than data retention?
| Options | The extent of impact on security | Reason |
|---|---|---|
| Data retention policy | High | Affects data privacy, compliance, and data lifecycle management |
| Number of customers | In | Affects scalability, but has a smaller impact on security |
| The hardware used | In | Hardware affects performance and infrastructure security, but is less important than data strategies |
| Services provided by the CSP (SaaS, PaaS, IaaS) | In | Choosing the right service is important, but all services are at risk if the data retention policy is not secure |
For example:
A CSP may use the most secure hardware (such as HSM encryption devices), but if data is stored indefinitely or leaked, it remains high-risk.
Choosing SaaS/PaaS/IaaS is an architectural decision, but it does not affect how data is ultimately stored or accessed.
3. How is the security of the CSP evaluated?
When choosing a Cloud Service Provider (CSP), the following security factors should be considered:
Data Retention Policy (Retention Policy)
Data Encryption (Encryption at Rest & in Transit)
Access Control (IAM, Zero Trust, MFA)
Data Compliance (GDPR, HIPAA, SOC 2, ISO 27001)
Log Auditing and Threat Detection (SIEM, XDR Monitoring)
Backup and Recovery Strategy (DRP, Data Breach Emergency Response)
Conclusion:
The data retention policy is the most important security issue in the CSP options, as it directly determines the lifecycle of data, privacy compliance, and access risks. In comparison, while the number of customers, hardware types, and service types are important, they do not directly affect data security. When choosing a CSP, enterprises must prioritize the evaluation of their data processing and destruction strategies.
评论已关闭