Commit
Merge pull request #1184 from Max-zs/main
Fix the image paths of SPA vs. NHP document
windcbf authored Sep 14, 2024
2 parents 76cf197 + 53752b3 commit 5316ffb
Showing 2 changed files with 18 additions and 16 deletions.
18 changes: 9 additions & 9 deletions docs/comparison.md
Expand Up @@ -74,13 +74,13 @@ permalink: /comparison/

       To comprehensively evaluate the performance of NHP, we set up the experimental environment shown in the figure below and conducted load performance tests for both NHP and SPA. The environment consists of two main areas: the Agent deployment area and the network stealth deployment area.

![Deployment diagram](/docs/images/Deployment_diagram.png)
![Deployment diagram](/images/Deployment_diagram.png)

       In the network stealth deployment area, we integrated a network stealth server and an application server as key components. To ensure the stability and consistency of the test environment, we selected three machines with identical configurations, each equipped with a 4-core CPU and 8GB of memory. In the agent deployment area, we launched `n` agent services that communicated with the network stealth server at a frequency of sending a port knocking request per second. At the same time, JMeter components were deployed on the network stealth server to simulate and monitor its performance. On the application server side, JMeter services were also deployed to track the performance resource consumption of the network stealth server in real time. With this setup, we were able to comprehensively monitor and compare the performance of NHP and SPA.

While maintaining the consistency of the experimental environment, we selected 1, 10, 20, 30, 40, and 50 agents according to the deployment plan and conducted performance tests for NHP and SPA. The test results are shown in Table 4, where the horizontal axis represents the number of agents involved in the experiment, and the vertical axis displays the variation in CPU utilization during the test period. With this setup, we can visually observe the different performance of NHP and SPA in terms of CPU resource consumption as the number of agents increases.

![CPU comparison](/docs/images/CPU_comparison.png)
![CPU comparison](/images/CPU_comparison.png)

&nbsp; &nbsp; &nbsp; &nbsp;The experimental results show that as the number of agents increases, the CPU load for both NHP and SPA rises. However, with further increases in the number of agents, the performance advantage of NHP becomes more pronounced, with its CPU load remaining approximately half that of SPA, demonstrating a significant improvement in efficiency.<br>
<small>*&nbsp; &nbsp; &nbsp; &nbsp;(Note: Although theoretically NHP performance should be approximately 1000 times better than SPA, actual tests showed only about a 1-fold improvement. The primary factors contributing to this discrepancy include the significant impact of network overhead on performance, performance losses due to the garbage collection mechanism, and differences in hardware environments. Additionally, despite choosing the memory-safe Go language for code security and encryption algorithm implementation, its garbage collection mechanism also had a certain impact on performance.)*</small>
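Review bot: the new root-relative paths (`/images/Deployment_diagram.png`, `/images/CPU_comparison.png`) only resolve when the site is served from the domain root; the `permalink: /comparison/` shown in the hunk header indicates this file is rendered by Jekyll, so if the site is published under a baseurl (a project page) these links will 404 just as the old `/docs/images/` ones did. Consider `{{ '/images/Deployment_diagram.png' | relative_url }}` so the prefix follows the site configuration. A plain `/images/...` path will also not render when the Markdown is viewed directly in the repository, since the file lives under `docs/`.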
Expand All @@ -89,11 +89,11 @@ While maintaining the consistency of the experimental environment, we selected 1

&nbsp; &nbsp; &nbsp; &nbsp;NHP achieves high availability for zero trust services through a distributed architecture, ensuring that the port knocking module and the access control module are deployed on different hosts to avoid resource contention and enhance elastic scaling. Even in the event of a failure, seamless service switching can maintain system functionality and response speed. This design enhances the robustness and stability of the system, reducing the impact of service failures on the overall system, as shown in the figure below.

![High availability architecture](/docs/images/High-availability.png)
![High availability architecture](/images/High-availability.png)

&nbsp; &nbsp; &nbsp; &nbsp;NHP supports horizontal elastic scaling for port knocking verification services, allowing the number of service instances to be dynamically adjusted based on real-time load. This feature provides high flexibility and scalability, ensuring that services remain responsive and stable even under high load. Each service instance can handle port knocking requests and maintain business sessions, which not only enhances processing capacity but also improves fault tolerance, ensuring business continuity and stability. According to the test results, NHP significantly outperforms SPA in terms of high availability.

![Load diagram](/docs/images/Load_diagram.png)
![Load diagram](/images/Load_diagram.png)

## 4. Scalability Comparison

Expand All @@ -111,7 +111,7 @@ While maintaining the consistency of the experimental environment, we selected 1

&nbsp; &nbsp; &nbsp; &nbsp;DNS is a crucial foundational service for internet operations, but its security has long been overlooked. Due to the use of the unreliable UDP protocol, there are numerous security vulnerabilities, such as DNS hijacking and denial-of-service attacks. Therefore, strengthening DNS security is essential. By integrating network stealth technology, DNS resolution is conducted through a bidirectional encrypted channel, ensuring confidentiality and tamper-resistance. Additionally, only authenticated users are allowed to perform resolution, effectively defending against DDoS attacks and hijacking. The specific implementation is shown in the figure below, and our approach significantly enhances DNS security, providing users with a more reliable DNS service.

![DNS integration Scheme](/docs/images/DNS_integration.png)
![DNS integration Scheme](/images/DNS_integration.png)

- (1) The Agent (such as a client, browser, etc.) initiates a request to the Network-Hiding
Server (i.e., Server) using a domain name.
Expand Down Expand Up @@ -148,7 +148,7 @@ and secure resource interaction.

&nbsp; &nbsp; &nbsp; &nbsp;Although FIDO performs exceptionally well in web authentication, potential vulnerabilities in servers can still be exploited by hackers to bypass FIDO authentication and directly invade servers for data theft or damage. Integrating FIDO with NHP can effectively address the shortcomings of FIDO in vulnerability protection, providing a more comprehensive defense solution for internet exposure. The specific implementation is shown in the figure below, with detailed implementation steps as follows.

![FIDO integration solution](/docs/images/FIDO_integration.png)
![FIDO integration solution](/images/FIDO_integration.png)

- (1) The User Agent (i.e., Agent) sends a Port Knocking packet to the Network-Hiding
Server (i.e., Server) aiming to attempt access to sensitive resources within sessions
Expand All @@ -162,9 +162,9 @@ redirecting the Port Knocking message to a trusted authentication authority to r
a higher assurance FIDO-based authentication.

- (4) After receiving the Application Provider’s response, the Server passes the redirection indicator to the Agent.
-
- (5) Upon receiving the redirection message, the Agent directly opens the FIDO authentication page.
-
- (6) The Server, upon receiving the Agent’s FIDO authentication page, promptly initiates
a FIDO authentication request to the authentication authority.

Expand All @@ -186,7 +186,7 @@ FIDO-based authentication response to the Server.

&nbsp; &nbsp; &nbsp; &nbsp;Compared to the SPA protocol, a key goal of NHP is to ensure good compatibility with both the domestic zero trust standards and the innovation-driven environment. In terms of encryption algorithms, NHP supports international cryptographic algorithms (such as RSA, SHA256, AES) as well as national cryptographic algorithms (such as SM2, SM3, SM4), and can adjust encryption time based on the length of the packet header. Regarding hardware and software compatibility, NHP is adapted to major domestic and international CPU hardware and operating systems, including Kunpeng, x86, Loongson, and Shenwei. Additionally, NHP complies with the forthcoming national standard "Information Security Technology - Zero Trust Reference Architecture," ensuring compatibility with this standard, as shown in the figure below.

![Compatibility comparison](/docs/images/Compatibility_comparison.png)
![Compatibility comparison](/images/Compatibility_comparison.png)

- [中文版](/docs/zh-cn/comparison.zh-cn.md){: .label .fs-4 }

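Review bot: the cross-link on the last line, `[中文版](/docs/zh-cn/comparison.zh-cn.md)`, still carries the `/docs/` source prefix that this commit removes from the image paths; the Chinese file's front matter (`permalink: /zh-cn/comparison/`) shows it is published at `/zh-cn/comparison/`, so on the rendered site this link should point there (or go through `relative_url`) rather than at the source file path.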
16 changes: 9 additions & 7 deletions docs/zh-cn/comparison.zh-cn.md
Expand Up @@ -19,6 +19,7 @@ permalink: /zh-cn/comparison/
- [2. 性能对比](#2-性能对比)
- [2.1 加密算法开销](#21-加密算法开销)
- [2.2 性能开销](#22-性能开销)
- [](#)
- [3. 高可用性对比](#3-高可用性对比)
- [4. 扩展性对比](#4-扩展性对比)
- [4.1 与DNS集成](#41-与dns集成)
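Review bot: the added `- [](#)` entry is an empty table-of-contents item with an empty link target and looks accidental; it will render as a stray bullet containing an empty link. Drop it from the list.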
Expand Down Expand Up @@ -74,13 +75,14 @@ permalink: /zh-cn/comparison/

&nbsp; &nbsp; &nbsp; &nbsp;为了全面评估 NHP 的性能表现,我们搭建了一个下图所示的实验环境,针对 NHP 和 SPA 进行了负载性能测试。该环境由两个主要区域组成:Agent 部署区域和网络隐身部署区域。

![部署图](/docs/images/Deployment_diagram.png)
![部署图](/images/Deploment_diagram.png)


&nbsp; &nbsp; &nbsp; &nbsp;在网络隐身部署区域,我们集成了网络隐身服务器和应用服务器作为关键组件。为了确保测试环境的稳定性和一致性,我们选用了三台配置相同的机器,每台配备 4 核 CPU 和 8G 内存。在 agent 部署区域,我们启动了 n 个 agent 服务,这些服务以每秒发送一次敲门请求的频率与网络隐身服务器通信。同时,在网络隐身服务器上部署了 JMeter 组件,用于模拟和监控其性能表现。应用服务器端同样部署了 JMeter 服务,实时跟踪网络隐身服务器的性能资源消耗情况。通过这种设置,我们能够全面监控和比较 NHP 与 SPA 的性能表现。

&nbsp; &nbsp; &nbsp; &nbsp;在保持实验环境一致性的前提下,我们按照部署方案分别选取了1、10、20、30、40、50个agent,对NHP和SPA进行了性能测试。测试结果如表4所示,其中横轴表示参与实验的agent数量,纵轴则显示测试期间的CPU占用率变化。通过这种设置,我们能够直观地观察到随着agent数量的增加,NHP和SPA在CPU资源消耗方面的不同表现。

![CPU对比](/docs/images/CPU_comparison.png)
![CPU对比](/images/CPU_compare.png)

&nbsp; &nbsp; &nbsp; &nbsp;实验结果显示,随着 Agent 数量的增加,NHP 和 SPA 的 CPU 负载均呈现上升趋势。然而,随着 Agent 数量的进一步增加,NHP 的性能优势逐渐凸显,其 CPU 负载大约维持在 SPA 的一半左右,展现出显著的效率提升。<br>
<small>*&nbsp; &nbsp; &nbsp; &nbsp;( 注:尽管理论上 NHP 的性能应较 SPA 提升约 1000 倍,但实际测试中仅提升约 1 倍。分析原因,主要因素包括网络开销对性能的显著影响、垃圾回收机制导致的性能损失,以及硬件环境差异。此外,尽管出于代码安全性和加密算法实现的考虑,我们选择了内存安全的 Go 语言开发,但其垃圾回收机制也对性能产生了一定影响。)*</small>
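Review bot: two of the new file names differ from the English version and from the names removed here: `Deploment_diagram.png` is missing the `y` of `Deployment_diagram.png`, and `CPU_compare.png` does not match the `CPU_comparison.png` used in `docs/comparison.md`. This commit changes only the two Markdown files, so unless the images were renamed separately, both references will 404; use `/images/Deployment_diagram.png` and `/images/CPU_comparison.png`. The second blank line added after the deployment diagram is also unneeded.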
Expand All @@ -90,11 +92,11 @@ permalink: /zh-cn/comparison/

&nbsp; &nbsp; &nbsp; &nbsp;NHP 通过分布式架构实现零信任服务的高可用性,确保敲门模块和门禁模块在不同主机上部署,以避免资源占用和提升弹性扩展。即使发生故障,也能无缝切换服务,维持系统功能和响应速度。这种设计增强了系统的稳健性和稳定性,降低了服务故障对整体系统的影响,如下图所示。

![高可用架构](/docs/images/High-availability.png)
![高可用架构](/images/High-availability.png)

&nbsp; &nbsp; &nbsp; &nbsp;NHP 支持敲门验证服务的横向弹性扩展,能够根据实时负载动态调整服务实例数。这一功能提供了极高的弹性和可扩展性,确保在高负载下服务依然快速响应且稳定。每个服务实例均能处理敲门请求并维持业务会话,这种设计不仅提升了处理能力,还增强了容错性,保证了业务连续性和稳定性。从测试结果来看,NHP 在高可用性方面相较于 SPA 显著提升

![负载图](/docs/images/Load_diagram.png)
![负载图](/images/Load_diagram.png)



Expand All @@ -114,7 +116,7 @@ permalink: /zh-cn/comparison/

&nbsp; &nbsp; &nbsp; &nbsp;DNS作为互联网基础服务在网站运行中至关重要,但其安全性长期未被重视,且因使用不可靠的UDP协议,存在诸多安全漏洞,如DNS劫持和拒绝服务攻击。因此,加强DNS安全至关重要。通过集成网络隐身技术,DNS解析通过双向加密通道进行,确保了保密性和防篡改能力,同时只有经过身份认证的用户才能解析,从而有效防御DDoS攻击和劫持。具体实现方案如下图所示,我们的方法能够显著提升了DNS的安全性,为用户提供了更可靠的DNS服务。

![DNS集成方案](/docs/images/DNS_integration.png)
![DNS集成方案](/images/DNS_integration.png)

- 步骤1:网络隐身代理(如客户端、浏览器等)通过域名与网络隐身服务器发起请求。

Expand All @@ -134,7 +136,7 @@ permalink: /zh-cn/comparison/

&nbsp; &nbsp; &nbsp; &nbsp;尽管FIDO在Web身份认证方面表现出色,但服务器的潜在漏洞仍可能被黑客利用,从而绕过FIDO的认证,直接入侵服务器进行数据盗窃或破坏。将FIDO与NHP集成,可以有效弥补FIDO在漏洞防护方面的不足,为互联网暴露面提供更全面的防御方案。具体实现方案如下图所示,详细实现步骤如下。

![FIDO集成方案](/docs/images/FIDO_integration.png)
![FIDO集成方案](/images/FIDO_integration.png)

- (1) 用户代理(即代理)向网络隐身服务器(即服务器)发送一个端口敲门数据包,旨在尝试访问会话中已认证但保证水平相对较低的敏感资源。

Expand Down Expand Up @@ -164,7 +166,7 @@ permalink: /zh-cn/comparison/

&nbsp; &nbsp; &nbsp; &nbsp;与SPA协议相比,NHP的一个关键目标是对信创环境以及国内零信任标准体系的良好兼容性。在加密算法方面,NHP支持国际密码算法(如RSA、SHA256、AES)和国密算法(如SM2、SM3、SM4),并能根据数据包头的长度调整加密时间。在软硬件兼容性方面,NHP适配了国内外主流的CPU硬件和操作系统,包括鲲鹏、x86、龙芯、申威等。此外,NHP符合即将颁布的国家标准《信息安全技术零信任参考体系架构》的规范要求,确保了与该标准的兼容性,如下图所示。

![兼容性对比](/docs/images/Compatibility_comparison.png)
![兼容性对比](/images/Compatibility_comparison.png)

- [英文版](/docs/comparison.md){: .label .fs-4 }

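Review bot: same issue as the English file's cross-link: `[英文版](/docs/comparison.md)` still uses the `/docs/` source path; the English page's front matter (`permalink: /comparison/`) shows it is published at `/comparison/`, so the link should target that URL on the rendered site.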

0 comments on commit 5316ffb