September 2021
Beginner to intermediate
392 pages
12h 13m
Chinese
book
Google系统架构解密: 构建安全可靠的系统
by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield
Content preview from Google系统架构解密: 构建安全可靠的系统
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
弹性设计
|
111
8.4
控制爆炸半径
可以通过限制系统每个部分的范围来为纵深防御机制增加另一层策略。例如,考虑网络分
段。在过去,一个组织拥有一个包含其所有资源(机器、打印机、存储器、数据库等)的
单一网络是很常见的。这些资源对该网络上的任何用户或服务都是可见的,并且访问由资
源本身控制。
如今,提高安全性的常见方法是对网络进行
分段
,并将每个网段的访问权限授予特定类别
的用户或服务。可以通过将虚拟局域网(
VLAN
)与网络
ACL
配合使用来达到此目的
,这
是一种容易配置的行业标准解决方案。你可以控制进入每个网段的流量,并对允许哪些网
段通信加以控制。你还可以限制每个网段对“需要知道”的信息的访问。
网络分段是分区化的一个很好的例子,第
6
章中讨论过这一点
。
分区化
包括专门创建小型
的独立运行单元(分区),并限制每个单元的访问。将系统的服务器、应用程序、存储等
大部分模块划分开是个好主意。当你使用单网络设置时,利用用户凭证的攻击者也许就能
访问网络上的每台设备。而当你使用分区时,一个分区中的安全漏洞或者流量过载不会危
及所有分区。
控制爆炸半径意味着对事件的影响进行分区,类似于船上的隔间为应对整个船的沉没提供
弹性机制的方式。在设计弹性系统时,你应该创建限制攻击者
和
意外失败的分隔屏障。这
些障碍使得你可以更好地定制响应,并将其自动化。你还可以使用这些边界来创建提供组
件冗余和故障隔离的故障域,更多信息参见
8.5
节。
分区还有助于隔离工作,减少了响应者在防护和保留证据间的权衡工作。部分分区可以被
隔离和冻结,以供进一步分析,而其他分区则可以被回收 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.