2.6 Terminal Security
Fundamentally, today's mainstream information security products have three major defects:
1 They mainly protect against external threats, but lack corresponding means of controlling the source of access.
2 The operating system itself lacks security; a higher-security operating system is still awaited to meet system security requirements.
3 Security is implemented through after-the-fact detection based on existing knowledge, which makes systems more and more complex; the likelihood of problems in the system is not reduced but increased.
It should be recognized that the root of many security problems lies in the limitations of the traditional von Neumann architecture for implementing system security and in the insecurity of today's mainstream application operating systems. If the root causes of insecurity are not controlled, and the various security measures merely block and patch around the edges, it is difficult to achieve even relative security for the information system.
If these insecurity factors are controlled at the terminal, the source, the problem changes fundamentally: most of the problems currently plaguing information security can be eliminated, and the expected risk to the information system can be reduced to a tolerable level or even lower.
2.6.1 Trusted Computing
In a large information system, the security of hosts (servers) often receives attention, while another aspect of the problem is sometimes overlooked: the security of the many terminal devices. In terminal security, several major computer hardware and software giants such as Intel, IBM and Microsoft are working together, and their biggest achievement is the concept of trusted computing.
Trusted computing is a security technology that combines software and hardware and makes data stored on a computer's hard drive more secure and reliable. The Trusted Computing Group has now been established; it is committed to creating open software and hardware standards for trusted computing technology, and these standards will apply to PCs, servers, PDAs and other platforms. Although the technology is only just starting out, its revolutionary improvements to terminal security suggest that its prospects are very bright.
2.6.2 Design Goals
Traditional information security measures mainly come down to three familiar approaches, such as building high walls and blocking attacks, but in the end it is impossible to guard against everything. The main reason is that they do not control the root causes of insecurity and instead block at the periphery. All intrusion attacks are launched from PC terminals: hackers exploit vulnerabilities in the attacked system to steal superuser privileges and cause damage. Viruses are also injected from the terminal: the virus program exploits the weakness that the PC operating system does not check the consistency of executable code, embedding virus code into executable programs in order to spread. More seriously, legitimate users are not subject to strict access control and can perform unauthorized access, causing security incidents.
In fact, most current security problems are caused by the insecurity of the PC architecture and the operating system. If high-level protection is implemented at the terminal operating platform, insecurity is controlled at the source. This is all the more important and feasible for production systems whose workflows are relatively fixed.
To address the insecurity of the PC architecture, fundamentally improve its security, and promote trusted computing technology worldwide, Compaq, HP, IBM, Intel and Microsoft led the founding of the TCPA (Trusted Computing Platform Alliance) in 1999; it has since grown to 190 members, including mainstream manufacturers from all over the world. TCPA focuses on enhancing security starting from the computing platform architecture, and released its standard specification (V1.1) in January 2001. In March 2003 it was reorganized as the TCG (Trusted Computing Group), whose purpose is to promote, across computing and communication systems, trusted computing platforms supported by hardware-based security modules in order to improve overall security. The trusted computing terminal is based on the trusted platform module (TPM), is supported by cryptographic technology, and has a secure operating system as its core (shown below).
2.6.3 Functions
The trusted computing platform has the following functions:
Ensure the integrity / availability of the user's unique identity, permissions and workspace;
Ensure the confidentiality / integrity of storage, processing and transmission;
Ensure the integrity of the hardware environment configuration, operating system kernel, services and applications;
Ensure the security of key operations and storage;
Ensure the system has immunity, fundamentally preventing viruses and hackers.
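The integrity function listed above (hardware configuration, kernel, services, applications) and the unchecked-executable weakness described in 2.6.2 can be illustrated with a measurement chain. The following is an added example, not part of the original text: it models a TPM-style extend operation in software, going beyond the text by showing the hash chain itself. The use of SHA-256, the component names and all sample contents are assumptions constructed for the illustration.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 digest length (assumption of this example)

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(components):
    """Measure (name, content) pairs in load order.
    Returns the final register value and the event log of (name, digest)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def replay(log):
    """Verifier side: recompute the register from the logged digests alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def first_mismatch(log, reference_log):
    """Name of the first component whose digest differs from the reference."""
    for (name, digest), (_ref_name, ref_digest) in zip(log, reference_log):
        if digest != ref_digest:
            return name
    return None

# Constructed sample data: the four layers named in the function list above.
GOOD = [
    ("hardware-config", b"cpu=1;ram=512M;boot=hdd0"),
    ("os-kernel", b"kernel image v1 (constructed)"),
    ("service", b"login service binary (constructed)"),
    ("application", b"payroll application binary (constructed)"),
]
# Same platform with foreign code appended to the application binary.
TAMPERED = GOOD[:3] + [("application", GOOD[3][1] + b"<embedded code>")]

if __name__ == "__main__":
    good_pcr, good_log = measure_chain(GOOD)
    bad_pcr, bad_log = measure_chain(TAMPERED)
    print("reference :", good_pcr.hex())
    print("measured  :", bad_pcr.hex())
    print("log replays to measured value:", replay(bad_log) == bad_pcr)
    print("first altered component:", first_mismatch(bad_log, good_log))
```

Because each value depends on everything measured before it, a change to any layer, or to the order of loading, yields a different final register, and the event log points to the first component that differs from the reference.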
2.6.4 Composition
The secure operating system is the core and foundation of the trusted computing terminal platform. Without a secure operating system there can be no secure applications. Any tiny flaw in the operating system can bring disaster to the entire information system.
For production systems with relatively fixed workflows, the information system consists mainly of the links of application operation, shared services and network communication. If every user in the information system is authenticated and authorized, their operations comply with the regulations, and the network cannot be eavesdropped on or intruded upon, then no attack incidents will occur, and the security of the entire information system can be guaranteed.
The trusted terminal ensures the legitimacy of users and the consistency of resources. Users can only operate according to the prescribed permissions and access control rules, and a user with a given privilege level can only perform the access that matches their identity. As long as the control rules are reasonable, the entire resource access process of the information system is secure. The trusted terminal lays the foundation of system security.
Security boundary devices (such as VPN security gateways) provide identity authentication and security audit capabilities. They isolate shared servers (such as database servers, web servers and mail servers) from illegitimate visitors, preventing access by unexpected unauthorized users (such as an illegally connected untrusted terminal). The shared servers themselves then mainly need to be strengthened with measures such as dual-machine backup, fault tolerance and disaster recovery, without heavy access control, which reduces the load on the servers and helps prevent denial-of-service attacks.
Network communication is protected along its whole path by IPSec. IPSec works in the operating system kernel and is fast, almost achieving line-speed processing. It can provide full communication protection from source to destination, ensuring the authenticity of transport connections and the confidentiality and consistency of data, and preventing illegal eavesdropping and intrusion.
In summary, a trusted application operating platform, secure boundary protection of shared service resources, and network communication protected along its whole path together constitute the information security framework for production systems with relatively fixed workflows.
Achieving this effective full protection of terminal, boundary and communication also requires the support of an authorization management center and a trusted cryptographic management center.