
What is Network Security? Definition, Practices, Tips, Solutions

Network security covers network equipment security, network information security, and network software security, and protects your business from attacks.

Best Practices of ECS Container Network Multi-NIC Solution

Container-based virtualization is a type of virtualization technology. Compared with a virtual machine (VM), a container is lighter and more convenient to deploy. Docker is currently a mainstream container engine, which supports platforms such as Linux and Windows, as well as mainstream Docker orchestration systems such as Kubernetes (K8S), Swarm, and Rocket (RKT). Common container networks support multiple models such as Bridge, Overlay, Host, and user-defined networks. Systems such as K8S rely on the Container Network Interface (CNI) plug-ins for network management. Commonly used CNI plug-ins include Calico and Flannel.

This article will introduce the basics of container networks. Based on Alibaba Cloud's Elastic Network Interface (ENI) technology, the ECS container network features high performance, easy deployment and maintenance, strong isolation, and high security.

Traditional Container Network Solution

This section introduces the working principle of traditional container networks.

CNI is an open source project managed by the Cloud Native Computing Foundation (CNCF). It develops standards and provides source code libraries that major vendors use to develop plug-ins for Linux container network management. Well-known CNI plug-ins include Calico and Flannel. Calico implements protocols such as BGP through Felix/Bird and stores the routes in a distributed in-memory database to establish a large Layer 3 network, enabling containers on different hosts and different subnets to communicate without sending ARP.

Flannel implements a container overlay network based on tunneling technologies such as VXLAN. The CNIs such as Calico/Flannel use VETH pairs to configure the container network. A pair of VETH devices are created, with one end bound to the container, and the other end to the VM. The VM forwards the container network through technologies such as the network protocol stack (overlay network), Iptables (Calico plug-in), or Linux Bridge. (When the container network is connected to the vSwitch through the bridge in the ECS, the VPC can only reach the ECS level, and the container network is a private network on the bridge.)

The following figure shows the workflow of the currently mainstream container network, which differs from the multi-NIC container network in the following aspects:

[Figure: workflow of the mainstream container network]

  1. A message sent by the container on host 1 is transmitted through VETH to the Linux Bridge on the VM. The Linux Bridge runs its forwarding logic and sends the message to the NIC of the VM, which passes it to the vSwitch located on the host.
  2. The VM on host 2 receives the message from the vSwitch and, using the forwarding logic of the Linux Bridge, sends it to the container through VETH.

Related Blogs

Securing Your Smart Home Network

Smart home is one of the most prominent applications of IoT, and many companies have invested heavily in this field.

Introduction

The Internet of Things (IoT) has led to the innovation of a variety of solutions, covering both consumer and industrial applications. Smart home is one of the most prominent applications of IoT, and many companies have invested heavily in this field. However, a major drawback of smart home and other IoT applications is network security. Since all devices are connected to each other, a single faulty device can affect the integrity of the entire network. For smart-home owners, the security requirements on networks are demanding. A hacked smart home allows unauthorized access to the premises, or even the failure of critical systems such as fire protection systems.

To better understand the methods of securing smart homes, let us review the concept of network communications security.

Network Communications Security

In a Local Area Network (LAN), a third party might snoop on information transmitted via the network. Although such eavesdropping on a LAN is passive, a malicious listener can capture critical data that is being communicated through the network. Additionally, malicious users can deceive the network using Address Resolution Protocol (ARP) spoofing and other means to obtain data without being detected.

What are some effective ways to solve this problem? In general, there are two methods to ensure the security of a communication network:

  1. Using passwords for authorization
    Passwords are a common element in network security, for example when securing a Wi-Fi network. The use of passwords limits access to a network by allowing only users with the proper authorization to join. However, this approach is not immune to attacks: if a password is disclosed, the entire security mechanism fails.
  2. Communicating with a unique language
    In this approach, a language known only to the internal network is used for communication. Even if a message from the network is disclosed publicly, the message cannot be deciphered.

Introduction to the Smart Home System

The image below shows a typical structure of a smart home system.

[Figure: structure of a smart home system]

  1. Server: Cloud server
  2. SmartHost: Home gateway, which forwards Ethernet data to the Devices via Zigbee
  3. Device: Device node, including light, curtain, and access control sensors, which connect to SmartHost via Zigbee
  4. Client: Mobile application. The application may be for Android or iOS clients. It receives the command of the user. When the Client and SmartHost are on the same LAN, the Client will interact with SmartHost through Wi-Fi. If the Client and SmartHost are not on the same LAN, the Server will forward the communicati

Safeguarding the Double 11 Shopping Festival with Powerful Security Technologies

Wu Hanqing, Chief Security Researcher at Alibaba Cloud, talks about the various security measures to ensure the success of the Double 11 Shopping Festival.

Oftentimes we talk about the impressive computing power needed to support a large-scale e-commerce event such as Alibaba's annual Double 11 Shopping Festival (Singles' Day). However, you probably won't notice the challenge of protecting data, not only for the customers but also for the organization, at such a scale.

The man responsible for ensuring the security of Double 11 is Wu Hanqing, Chief Security Researcher at Alibaba Cloud, who is better known as "Brother Dao". In this article, Brother Dao will talk about Alibaba Cloud's various security measures to ensure the success of the Double 11 Shopping Festival.

About the Speaker

Wu Hanqing, also known as "Brother Dao", is a Chief Security Researcher at Alibaba Cloud. He has been involved in security technologies since 2000 and has been active in China's security community ever since. Wu joined Alibaba in 2005, becoming one of the early contributors to Alibaba security. He designed the application security systems of Alibaba.com, Taobao, Alipay, and Alibaba Cloud. From 2012 to 2014, Wu acted as a partner of Anquanbao and started his own business, committed to providing better cloud security products and services. He returned to Alibaba in 2014, becoming the lead of Alibaba Cloud Security. He wrote a book titled "Web Security Lessons by a White Hat Hacker", and opened his personal WeChat account and public Zhihu account called "Brother Dao's News".

Could you briefly introduce Alibaba Cloud Security to the readers?

Alibaba Cloud Security is a product and service designed to ensure user security. Apart from basic defense and security services against attacks, it also offers full-stack security solutions. Currently, Alibaba Cloud Security has 10+ security products, covering various aspects of network security, server security, application security, and business security. The Alibaba Cloud Security business is growing very fast. It now protects more than 37% of websites in China, defending the Chinese Internet against 50% of daily DDoS attacks. This demonstrates the feasibility of SaaS in the security sector in the true sense.

Next-Gen Enterprise Security Based on Cloud-Native Technology

The senior director of the Cloud security department at Alibaba Cloud discusses the idea of next-gen enterprise security architecture designs based on cloud-native tech.

Relive the best moments of the Apsara Conference 2019 at https://www.alibabacloud.com/apsara-conference-2019.

"With the development of the digital economy, an increasing number of enterprises are migrating their business to the cloud. With this move, enterprises are building next-generation enterprise-level security architecture designs based on cloud-native security technologies, upgrading from a flat architecture to a three-dimensional architecture. With this move, the benefits of cloud-native security technologies will be maximized," said Xiao Li, Senior Director of Cloud Computing Security Department, Alibaba Cloud Intelligence, at the Cloud Security Summit on September 27, 2019 during the Apsara Conference.

During the summit, Xiao Li stressed that cloud-native security technologies will be embedded in every module of the enterprise security architecture, which will help to improve the overall security of the system.

A Three-Dimensional Security Architecture

At the summit, Xiao Li released the Alibaba Cloud Security White Paper 4.0, which describes the core capabilities required for next-generation enterprise security architecture designs from the perspective of five horizontal systems and two vertical systems.

From the horizontal perspective, users need to build five systems. These five systems form a bottom-up security architecture that is tailored to users' business requirements. The security of the cloud platform serves as the base layer, upon which the basic security, data security, application security, and business security layers on the user side are stacked. Cloud-native security technologies can be implemented in each module of this architecture in the form of product functions or security services, allowing enterprises to enjoy the advantages of cloud-native security technologies, such as higher performance, stronger scalability, and more intelligent defense.

From the vertical perspective, users need to build two systems: account security and operations security systems. These two systems cover all aspects and nodes. In this case, enterprises can thoroughly transform the flat security architecture to a three-dimensional security architecture. The vertical systems are essential for the cloud security architectures of all enterprises.

In the white paper, Xiao Li presented the cloud security best practices that Alibaba Cloud provides to users. His intention is to help enterprises build systems with a higher level of security. These best practices include unified account authentication, network access control, data security, threat detection and response, and global security defense.

The growth of cloud-native security brings about boundless benefits to the public and enterprise users alike, making the "unified" security model an inescapable trend. In response to this trend, Alibaba Cloud has applied cloud-native security technologies in their products and services that are provided to cloud-based enterprises, and recommends such best practices to the industry.

Related Courses

Network Series Courses

This course is associated with Network Series Courses. You must purchase the certification package before you are able to complete all lessons for a certificate.

Use Anti-DDoS Basic and Pro to Defend DoS Attack

The network is the only entry point for all cloud services. Network attacks, especially denial of service attacks, are the most diverse and harmful, and among the most difficult network risks to protect against. This course is designed to help students understand the principles of DoS attacks in a minimum amount of time and learn common protection methods and Alibaba Cloud Anti-DDoS protection solutions, so as to minimize or reduce the risk of network layer attacks and protect your cloud network security.

Cloud Servers Security Strengthening

For the security of hosts on the cloud, we need to consider more factors, such as the configuration of the firewall inside the host, as well as various settings related to operating system user management and privilege management. Only by understanding and correctly configuring the security settings inside these hosts can you cooperate effectively with the various cloud security products. This course is designed to help you better understand these security settings and learn how to configure them properly to maximize the security hardening of hosts on the cloud.

Related Market Products

Alibaba Cloud Network Solution

Through this course, you can understand the functions and usage scenarios of Alibaba Cloud Network products, and be able to use their basic service functions.

Fortinet FortiManager (BYOL) Centralized Security Management

Offers centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installation. You can further simplify management of your network security by grouping devices into geographic or functional administrative domains (ADOMs). Easily manage VPN policy and configuration while leveraging FortiManager virtual appliances as a local distribution point for software and policy updates.

Fortinet FortiAnalyzer (BYOL) Security Logging and Reporting

Instant visibility, situational awareness, real-time threat intelligence, and actionable analytics.

Related Documentation

Call CEN API actions for network connections

This topic describes how to connect network instances by calling CEN API actions.

Connect network instances in the same region under the same account

To connect network instances in the same region under the same account, follow these steps:

  1. Call CreateCen to create a CEN instance.
  2. Call AttachCenChildInstance to attach the target network instances to the CEN instance.

Connect network instances among different regions under the same account

To connect network instances among different regions under the same account, follow these steps:

  1. Call CreateCen to create a CEN instance.
  2. Call AttachCenChildInstance to attach the target network instances to the CEN instance.
  3. Call CreateCenBandwidthPackage to purchase a bandwidth package for the areas to which the network instances belong.
  4. Call AssociateCenBandwidthPackage to associate the bandwidth package with the CEN instance.
  5. Call SetCenInterRegionBandwidthLimit to set the cross-region connection bandwidth.

Network security

Internet

Simple Application Server has a built-in firewall that opens ports 22, 80, and 443 by default and closes all others. You can configure which ports to open.

VPC

Simple Application Server uses VPC by default, and all instances of one user are deployed in one VPC, which guarantees an isolated networking environment for each user.

For now, one user's cloud products on different VPCs cannot be connected. For example, your Simple Application Server cannot access your RDS instance on another VPC.

Related Products

Global Accelerator

Provides network acceleration service for your Internet-facing application globally with guaranteed bandwidth and high reliability.

Cloud Enterprise Network

A global network for rapidly building a distributed business system and hybrid cloud, helping users create a network with enterprise-level scalability and the communication capabilities of a cloud network.

Security Center

A unified security management system that identifies, analyzes, and notifies you of security threats in real time.

Alibaba Clouder