DTStack operation and maintenance security case: security escort of a media enterprise during the Two Sessions

Time: 2021-9-13

DTStack is a cloud-native, one-stop data center PaaS. We have an interesting open source project on GitHub and Gitee: FlinkX. Remember to give us a star! star! star!

Gitee open source project: https://gitee.com/dtstack_dev…

GitHub open source project: https://github.com/DTStack/fl…

FlinkX is a unified batch and stream data synchronization tool based on Flink. It can collect both static data, such as MySQL and HDFS, and real-time changing data, such as MySQL binlog and Kafka. It is a global, heterogeneous, batch-stream integrated data synchronization engine. If you are interested, come to the GitHub community and play with us~

The customer is responsible for the design, R&D and maintenance of national new media products, focusing on building an app, a mobile reporting command system, an all-media aggregation platform, a new media dedicated line and other converged media products. As required by the Ministry of Public Security, the security of the system had to be ensured during the "2020 Two Sessions". We focused on ensuring the security of the customer's app system and prepared the relevant emergency plans so that the whole system would run normally, safely and stably throughout the Two Sessions.

The Kangaroo Cloud operation and maintenance service team developed a dedicated security escort plan according to the customer's needs. The plan is as follows:

1、 Safety escort preparation

During escort preparation, the main goals are to understand our own security posture through internal self-inspection, actively find security risks, improve security protection capability, improve security monitoring and reduce the attack surface. Kangaroo Cloud took the following measures:

(1) Network security architecture

Identify the unprotected areas and then reinforce them. The schematic diagram of the strengthened network security architecture is as follows:

DNS resolution: DNSPod is used to provide resolution services. The resolution platform has 200 Gbps DNS attack protection capability, and two-factor authentication is enabled for account login to prevent malicious tampering with the domain name.
Internet area: add advanced anti-DDoS and WAF products at the public network entrance to improve protection capability. In this escort, we used an advanced anti-DDoS IP that can absorb attacks of up to 300 Gbps to resist large-traffic DDoS attacks against the Internet-facing servers, and used the web application firewall to defend against common OWASP attacks such as SQL injection, cross-site scripting (XSS), common web server plug-in vulnerabilities, Trojan horse upload and unauthorized access to core resources, and to filter malicious CC attacks, so as to avoid leakage of website asset data and ensure the safety and availability of the website. At the same time, only WAF back-to-source traffic is authorized on the public SLB.

(2) Asset sorting

Strictly protect assets directly exposed to the Internet. During the sorting process, it was found that some ECS servers used an EIP to access the public network directly, which puts them in a high-risk area. The solution we provided was to release the EIPs of these servers and route their outbound traffic through a NAT gateway, so that the servers are no longer directly exposed to the public network.

(3) Comprehensive baseline self inspection

Check and harden server / database accounts, passwords, permissions, policies, logs, vulnerabilities, operational security and other items. During this escort, we minimized account authorization and controlled and audited account use through the bastion host, monitored baselines and vulnerabilities in real time through the Cloud Security Center, and fixed abnormal alerts in time.

(4) Security policy optimization

Sort out the security groups, RDS whitelists, RAM access policies, OSS access policies, etc. Tighten the entries that have no IP restriction or whose allowed range is too wide, so that authorization is minimized.
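One way to automate the checks described in (1) and (4), as an added example that is not Kangaroo Cloud's own tooling: it flags security-group ingress rules with no IP restriction or an over-wide range, flags public web ports that admit anything other than WAF back-to-source traffic, and flags RAM statements that grant a wildcard action on every resource. The WAF range, rules and policy below are constructed placeholders.

```python
"""Audit security-group ingress rules and a RAM policy document for over-broad
authorization. All rules, CIDRs and the policy document are constructed samples,
and the WAF back-to-source range is a placeholder, not a real address pool."""
import ipaddress
import json

# Assumed WAF back-to-source range (placeholder, not a real WAF address pool).
WAF_BACK_TO_SOURCE = [ipaddress.ip_network("198.51.100.0/24")]
MAX_SOURCE_ADDRESSES = 65536  # a /16 or wider counts as "range too large"

def audit_sg_rules(rules, allowed_web_sources=WAF_BACK_TO_SOURCE):
    """Return (port, source, reason) for each unrestricted, over-wide, or non-WAF web rule."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["source"], strict=False)
        if src.num_addresses >= MAX_SOURCE_ADDRESSES:
            findings.append((r["port"], r["source"], "source range too large"))
            continue
        if r["port"] in (80, 443) and not any(src.subnet_of(a) for a in allowed_web_sources):
            findings.append((r["port"], r["source"], "web port not limited to WAF"))
    return findings

def audit_ram_policy(policy_json):
    """Return (action, resource) pairs from Allow statements with a wildcard action on '*'."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for act in actions:
            for res in resources:
                if (act == "*" or act.endswith(":*")) and res == "*":
                    findings.append((act, res))
    return findings

SAMPLE_RULES = [  # constructed security-group ingress rules
    {"port": 22, "source": "0.0.0.0/0"},         # SSH open to the whole Internet
    {"port": 443, "source": "203.0.113.0/24"},   # reaches the SLB around the WAF
    {"port": 443, "source": "198.51.100.0/24"},  # WAF back-to-source only: fine
    {"port": 3306, "source": "10.0.0.0/8"},      # whole private range, too wide
]
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": "acs:oss:*:*:media-app-bucket/*"},
]})

if __name__ == "__main__":
    for finding in audit_sg_rules(SAMPLE_RULES) + audit_ram_policy(SAMPLE_POLICY):
        print(finding)
```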

(5) Data protection

Configure an automatic backup policy for database data and back up the data regularly every day. Set an automatic snapshot policy for the ECS servers and take snapshots regularly to prevent huge losses caused by ransomware.

(6) Establish an emergency team

In order to respond quickly to network attacks, activate the emergency plan, dispatch technicians, and set up a temporary emergency team for the duration of the escort.

(7) Comprehensive safety monitoring

Conduct comprehensive, real-time monitoring and early warning of Internet ingress / egress traffic, business access, server vulnerability baselines, database SQL and other items, so that anomalies are found in time.

2、 Escort support

During the escort period, Kangaroo Cloud organized its security team to provide the customer with whole-process security escort, covering daily security patrols, emergency response, attack blocking and policy optimization.

The daily security patrol mainly checks whether important monitoring indicators such as Internet inbound / outbound traffic, advanced anti-DDoS, WAF, SLB and the Cloud Security Center show anything abnormal, and reports and handles abnormal events.

Security early warnings are responded to and notified in real time, and attack events are analyzed and assessed. During this period, we optimized the policies several times in response to a large number of CC attacks, applied precise access control to abnormal access, blocked attacks in time and reduced their impact on the business.
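The kind of check behind "precise access control for abnormal access" during a CC attack, as an added example that is not the escort team's own script: it walks access-log lines and reports clients that exceed a request rate inside a sliding window, which is the input for a WAF rate-limit or block rule. The log lines are constructed in nginx combined format and assumed to arrive in time order; the window and limit are assumed thresholds.

```python
"""Flag CC (HTTP flood) sources in access-log lines: clients that exceed
RATE_LIMIT requests inside any WINDOW_SECONDS sliding window. The log lines
are constructed samples in nginx combined format and are assumed to be in
time order, as a single SLB/WAF log stream is. Thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+')
WINDOW_SECONDS = 10
RATE_LIMIT = 20  # requests per window from one client before it is flagged

def parse_line(line):
    """Return (client_ip, timestamp, request, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), int(m.group(4))

def find_cc_sources(lines, window=WINDOW_SECONDS, limit=RATE_LIMIT):
    """Return {client_ip: peak requests in one window} for clients over the limit;
    these are the candidates for a targeted rate-limit or block rule on the WAF."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the patrol run
        ip, ts, _request, _status = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def _line(ip, second, path):  # builds one constructed combined-format line
    return f'{ip} - - [05/Mar/2020:10:00:{second:02d} +0800] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: one client fires 30 requests in 5 s, another sends 5 in 10 s.
SAMPLE_LOG = sorted(
    [_line("203.0.113.9", s // 6, "/api/news/list") for s in range(30)]
    + [_line("198.51.100.20", s * 2, "/index.html") for s in range(5)],
    key=lambda l: parse_line(l)[1])

if __name__ == "__main__":
    print(find_cc_sources(SAMPLE_LOG))  # {'203.0.113.9': 30}
```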

3、 Escort summary

After the escort, we summarized and counted the CC attacks, web intrusions, anomaly scans and other attacks seen during the Two Sessions: the customer system suffered a total of more than 700 million network attacks over the period. Through real-time security early warning and timely optimization of the protection policies, all attacks were successfully intercepted and blocked without causing losses to the business, and the security escort for the Two Sessions was completed successfully.

With the rapid development of the cloud computing industry, network attacks on cloud enterprises emerge one after another. If enterprises do not build global security protection capability and improve security awareness, being attacked is inevitable. Kangaroo Cloud can provide enterprises with one-stop security services such as security hardening, penetration testing, vulnerability scanning, emergency response and security butler service, to escort the security of enterprises on the cloud!