边界网络和基于零信任的无边界网络 2023-02-14
边界网络
边界网络一般指通过防火墙、网关等设备划分开来的、区分"位置"(一般按内外网)的网络结构
网络边界
What is a Network Perimeter?
A network perimeter is the secured boundary between the private and locally managed side of a network, often [a company’s intranet, and the public facing side of a network(the network here is often the Internet)].
A network perimeter includes:
- Border Routers: Routers serve as the traffic signs of networks. They direct traffic into, out of, and throughout networks. The border router is the final router under the control of an organization before traffic appears on an untrusted network, such as the Internet.
- Firewalls: A firewall is a device that has a set of rules specifying what traffic it will allow or deny to pass through it. A firewall typically picks up where the border router leaves off and makes a much more thorough pass at filtering traffic.
- Intrusion Detection System (IDS): This functions as an alarm system for your network that is used to detect and alert on suspicious activity. This system can be built from a single device or a collection of sensors placed at strategic points in a network.
- Intrusion Prevention System (IPS): Compared to a traditional IDS which simply notifies administrators of possible threats, an IPS can attempt to automatically defend the target without the administrator's direct intervention.
- De-Militarized Zones / Screened Subnets: DMZ and screened subnet refer to small networks containing public services connected directly to and offered protection by the firewall or other filtering device.
vpn:边界网络下基于网络位置的内网访问机制
vpn只解决身份问题的单一认证,不解决终端安全性问题,也不关注用户后续访问是否合规。形象地说就是一道门,过了就过了。(至少我觉得没问题,单一职责原则。在现有网络安全架构下,用户后续访问是否合规,是另外一件事情,和是否通过vpn访问没有关系)
无边界网络下的零信任
不管你的位置,终端还是身份,每一次访问都进行安全认证——零信任。这是一种安全理念
SDP
SDP全称是Software Defined Perimeter,即软件定义边界,是由国际云安全联盟CSA于2013年提出的基于零信任(Zero Trust)理念的新一代网络安全技术架构。
众所周知,传统的网络安全是基于防火墙的物理边界防御,也就是我们所熟知的“内网”。随着云计算、移动互联网、AI大数据、IoT物联网等新兴技术的不断兴起,传统安全边界在瓦解,企业IT架构正在从“有边界”向“无边界”转变。过去服务器资源和办公设备都在内网,现在随着迁移上云、移动办公、物联网等应用,网络边界越来越模糊,业务应用场景越来越复杂,传统物理边界安全无法满足企业数字化转型的需求,因此,更加灵活、更加安全的软件定义边界SDP技术架构顺势而生。
