Huawei Intranet Security Analysis

Huawei has a lot of great learning materials internally, and I have also summarized a lot of knowledge and experience there. I have long been thinking about how to import them into my personal knowledge base. I am well aware that this general knowledge is neither confidential nor sensitive, but the alarm bell for information security is always ringing, so I have been tempted without daring to cross the line. After some tests, I found that the company’s network security protection is quite difficult to bypass. This article gives a rough analysis of the Yellow Zone in the R&D area. The Green Zone is a free area that holds no important information by default and generally serves the network of peripheral staff. The Red Zone has ultra-high-level network protection, and I have not had in-depth, prolonged contact with it. The Red Zone I briefly encountered is located in the network equipment lab, which houses various large switch chassis and is the hub of the company’s intranet. Breaching the Red Zone is equivalent to breaching the regional network; at the very least, the network of an entire building could be paralyzed for a period of time.

Router Firewall Method

Encryption: Encryption uses a public key. What is a public key? Simply put, it is like a key that everyone can have a copy of, but it can only lock, never unlock. That is the concrete picture; the following is slightly more abstract. A public key is a number A, and there is a piece of information M. Encrypting M with A is an operation $f(A, M)$. The resulting information cannot easily be reversed, much as taking a square root is harder than squaring, or factoring a polynomial is harder than expanding it. Reversing the operation without the private key is very difficult and time-consuming, taking years or even decades even with a supercomputer.

Decryption: The server uses a private key to decrypt. All the encrypted information gathered from all directions can be decrypted with the same private key.
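As an added illustration of the $f(A, M)$ operation and the single private key described in the two paragraphs above (example code written for this page, not from the original post): a toy RSA keypair with deliberately tiny, constructed primes, so that the forward step, the private-key decryption of several senders' messages, and the attacker's reverse step (factoring the modulus) are all visible in a few lines.

```python
# Added toy example of the f(A, M) public-key operation described above.
# Illustration only: the parameters are tiny so that the "hard" reverse step
# is visible; real keys are thousands of bits and use padding (e.g. RSA-OAEP).
from math import gcd

def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for the toy RSA modulus n = p * q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public_key, m):
    """f(A, M): the forward operation anyone holding the public key can do."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private_key, c):
    """Only the private exponent d undoes f(A, M); one key serves every sender."""
    n, d = private_key
    return pow(c, d, n)

def recover_private_key(public_key):
    """The attacker's path: factor n by trial division, then derive d.
    Feasible here only because n is tiny; at real key sizes this is the
    'years or decades' step the text describes."""
    n, e = public_key
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)      # constructed toy primes
    messages = [65, 123, 2024]            # three "senders", one private key
    ciphertexts = [encrypt(pub, m) for m in messages]
    assert [decrypt(priv, c) for c in ciphertexts] == messages
    assert recover_private_key(pub) == priv
    print("public", pub, "private", priv, "ciphertexts", ciphertexts)
```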

Man-in-the-Middle: The man-in-the-middle role is like a megaphone. To the client it is the server, and to the server it appears as a regular user. Because of this relay position, it has a full view of the information from both sides. To put it simply, Huawei itself acts as a very powerful man-in-the-middle: all outgoing network traffic passes through its scanning, and any traffic not using ports 80/443 is blocked outright.

How to Bypass: Since the Yellow Zone only allows specific ports to reach the public internet through a proxy server, and all other ports are blocked by default, there is technically nothing to exploit in the network path itself. One could manually generate a key, encrypt on the intranet by hand, and decrypt on the public internet by hand; that way, at least the information seen by the man-in-the-middle cannot be truly parsed. How could the encryption tool be brought onto the intranet? Email, WeLink, or web pages could all be used, but they all leave traces. Sending it directly and quietly via a web page has the smallest impact and the least obvious trace. Alternatively, one could write the key down on paper and save it on a company computer, which would be completely undetectable except for the ubiquitous cameras inside the company.

GitHub’s SSH service thoughtfully supports SSH over port 443, but testing showed that this does not work either, as the proxy, acting as a firewall, easily identifies such high-risk websites. In my experience, the company’s firewall is based on a whitelist, not a blacklist, so even a self-hosted SSH server would be blocked by the proxy. When accessing an unknown website in a browser, a redirect page appears with a warning like “proceed at your own risk,” while in a terminal window the connection is simply reported as closed.

After all, Huawei started in the networking business and has many talented experts in the field. Breaking through technically is nearly impossible; it seems only social engineering could succeed.

Local Firewall Method

The Windows systems have security applications installed, and users cannot change the configuration at will; configurations are deployed uniformly by administrators. Network access permissions for applications appear to be based on a whitelist/blacklist approach, and some applications cannot access the network at all. The new version of VSCode, for example, cannot use the proxy channel.