Chapter I General
This plan is a network security solution for a large enterprise LAN. It covers analysis of the existing network system, security requirements analysis, security objectives, and the design of the security architecture. The goal of the solution is to achieve comprehensive security management of the local area network without affecting the enterprise's current business. Specifically:
1. Combine security policies, hardware, and software into a unified defense system that effectively prevents unauthorized users from entering the network and reduces network security risk.
2. Carry out regular vulnerability scans and audit tracking so that problems are discovered and resolved promptly.
3. Implement real-time security monitoring through intrusion detection, providing rapid response to faults and good security forensics.
4. Enable network administrators to quickly reorganize damaged files or applications and return the system to its state before the damage, minimizing losses.
5. Install the appropriate anti-virus software on workstations and servers, managed in a unified way from a central console, to achieve unified anti-virus protection across the whole network.
Chapter II Network System Overview
2.1 Network Overview
The company's local area network is a LAN system with a relatively dense set of information points. It connects the existing information points across the entire enterprise and provides a fast and convenient information exchange platform. In addition, a line to the Internet opens a window to the outside world, so each department can communicate directly with Internet users and look up information. Through the public servers, the company can publish information directly or send e-mail. High-speed switching technology and flexible network interconnection give users a fast, convenient and flexible communication platform, but they also bring greater risks to network security. It is therefore necessary to implement a complete, workable security solution on the existing network.
2.1.1 Network Overview
The company's LAN does not span a large physical area. A Gigabit switch provides 1000M of dedicated bandwidth on the backbone and links the workstations and servers of each department, which are provided with 100M of dedicated bandwidth. Through the Cisco router connected to the central switch, all users can access the Internet directly.
2.1.2 Network Structure
The company's LAN can be divided into three main areas, including the internal network and the public server area. The internal network can in turn be divided into many subnets according to department, function and security level, including the finance subnet, leadership subnet, office subnet, marketing department subnet, central server subnet, and so on. In the security design, four virtual local area networks (VLANs) can be configured directly on the Catalyst switch according to the security scheme. Different VLANs are different broadcast domains. Because the finance subnet, the leadership subnet and the central server subnet are important network segments, each of them is placed in its own broadcast domain on the central switch, and the remaining workstations are placed together in a single network segment. (omitted)
2.2 Network Applications
The company's LAN provides users with the following main applications:
1. Document sharing, office automation, WWW service, e-mail service;
2. Unified storage of file data;
3. Secondary development for specific applications (such as the financial system);
4. Access to the Internet;
5. Publication of enterprise information, sending of e-mail, etc. through the public servers.
2.3 Characteristics of network structure
When analyzing the security risks of this enterprise LAN, the following features should be considered:
1. The network is directly connected to the Internet, so the security design must consider the risks that come with an Internet connection, including viruses that may spread from the Internet, hacker attacks, and unauthorized access from the Internet.
2. There are public servers in the network. Because a public server must open certain services to the outside, the security of the public server network should be considered in the security design, so that security risks on the public servers do not spread to the internal network.
3. The internal network contains many different subnets with different security levels, so the security design should separate networks with different functions and security levels, which can be achieved by dividing them on the switch.
4. There are two application servers in the network; user login verification should be strengthened for access to applications, to prevent unauthorized access.
In summary, the network security plan should be designed around these characteristics of the enterprise LAN, weighing product performance, price and potential security risk.
Chapter III Network System Security Risk Analysis
With the rapid expansion of the Internet and the rapid growth in the number of Internet users, risk has become more serious and more complex. Damage caused by a security incident on a single computer may spread to other systems and cause widespread paralysis and loss; combined with a lack of security control mechanisms and a poor understanding of Internet security policy, these risks are growing steadily more serious.
The security risks present in this enterprise LAN must be considered carefully when the security plan is designed, and appropriate security measures taken against them. These risks arise from a variety of factors and are closely related to the structure of the enterprise LAN, the applications running on it, and the reliability of the network servers in the LAN. Some of these risk factors are listed below.
Network security can be understood from the following aspects: 1. physical security of the network; 2. security of the network platform; 3. system security; 4. application security; 5. management security. For each kind of risk, we analyze the network's security risks in light of the actual situation of this enterprise LAN.
3.1 Physical security risk analysis
The physical security risks of the network are diverse. Physical security of the network mainly concerns environmental accidents such as earthquakes, floods and fires; power failures; human operating mistakes or errors; theft or destruction of equipment; electromagnetic interference; and cut lines. It also covers high-availability hardware, dual-machine and multiply redundant design, the machine room environment and alarm system, and security awareness. It is the precondition for the security of the entire network system. In this enterprise LAN, because the network's physical span is small, these risks can be avoided as long as a sound security management system is established, good backups are made, and the management of network equipment and machine rooms is strengthened.
3.2 Security Risk Analysis of Network Platform
The security of the network structure involves the network topology, network routing conditions, and the network environment.
Threats to public servers
The public server area of this enterprise LAN (WWW, e-mail and other servers) is the company's information publishing platform; if it cannot operate or is attacked, the damage to the company's reputation is huge. At the same time, the public servers must provide services to the outside, so the corresponding services have to be opened. Every day hackers try to break into Internet nodes; if these nodes are not kept vigilant, they may not even know how the hacker got in, and may even become a springboard for hackers to invade other sites. Therefore, the larger the network, the more important it is to respond effectively to Internet security incidents. We need to isolate the public servers and the internal network from the external network to avoid leaking the network structure to the outside, and at the same time filter service requests from the external network so that only packets belonging to normal communication reach the corresponding host; all other service requests should be rejected before they reach the host.
Overall network structure and routing
Security applications are built on top of the network system, and the maturity of the network system directly affects whether the security system can be built successfully. In this enterprise LAN only one router is used, as the border router connected to the Internet. The network structure is relatively simple, and static routes can be considered for the actual configuration, which greatly reduces the security risk arising from the network structure and routing.
3.3 System security risk analysis
System security refers to whether the network operating systems and network hardware platforms of the entire LAN are reliable and trustworthy.
Reliability of network operating systems and network hardware platforms: for China, there is probably no absolutely secure operating system to choose from. Whether it is Microsoft's Windows NT or any other commercial UNIX operating system, its developer is bound to have a back door of its own. We can put it this way: there is no completely secure operating system. However, we can configure existing operating platforms securely and strictly control operation and access in order to improve system security. Therefore we should not only choose an operating system and hardware platform that are as reliable as possible; we must also strengthen authentication in the login process (especially authentication before reaching the server host) to ensure the legitimacy of users, and strictly limit the operating permissions of logged-in users so that the operations they can perform are kept to the minimum.
3.4 Application security risk analysis
The security of the application system depends on the specific application and covers a wide range. Application security is dynamic and constantly changing, and it also involves the security of information, which itself has many aspects.
Application security is dynamic and constantly changing: applications cover a very wide range. Take e-mail, currently the most widely used system on the Internet: there are dozens of solutions, but bugs introduced in their coding or even compilation can be found by very few people, so detailed testing software is quite necessary. Application systems keep evolving and the types of application keep increasing, with the result that security vulnerabilities also keep increasing and become better hidden. Securing the application system is therefore a process of continuous improvement as the network develops.
Application security involves the security of information: information security covers disclosure of confidential information, unauthorized access, destruction of information integrity, impersonation, destruction of system availability, and so on. Because this company's LAN does not span a large area and most important information is transmitted internally, the confidentiality and integrity of information can be assured. For particularly important information that must be kept confidential (such as the leadership subnet and the financial system), encryption at the application level can be considered, implemented directly in the application system for the specific application.
3.5 Management security risk analysis
Management is the most important part of network security. Unclear responsibilities, chaotic management, and security management systems that are incomplete or unworkable can all create management security risk. When responsibilities are unclear and management is chaotic, some employees or administrators may let people who are not local employees into the machine room, or employees may intentionally or unintentionally leak important information they know, and there is no corresponding system to constrain them. When the network is attacked or faces other security threats (such as illegal operations by insiders), real-time detection, monitoring, reporting and early warning are not possible. And after an incident occurs, there are no clues for tracing the hacker's attack or evidence for solving the case; that is, the network lacks controllability and auditability. This requires multi-level recording of access activity on the site so that illegal intrusions are discovered. Establishing a new network security mechanism requires a deep understanding of the network and the ability to provide direct solutions; the most feasible approach is therefore to combine management systems with management solutions.
3.6 Hacker Attack
Hackers attack constantly and will exploit every usable weakness in systems and management. A typical vulnerability of public servers is that a hacker can easily trick the public server software into retrieving the UNIX password file and sending it back. After breaking into a UNIX server, the hacker may be able to change privileges, from ordinary user to privileged user; once that succeeds, the hacker can access the password file directly. Hackers can also write spoofing programs and load them onto the UNIX server to monitor login sessions; when the program detects a user logging in, it starts writing to a file, giving the hacker other people's accounts and passwords. To defend against this, the public server must be configured so that it cannot leave its own space and enter other directories. Group privileges should also be set so that no one is allowed to access anything other than the WWW page files. In this enterprise LAN, we can combine firewall technology, web page protection technology, intrusion detection technology and security assessment technology to protect information resources within the network and keep hackers out.
3.7 Common Gateway Interface (CGI) vulnerabilities
One type of risk involves Common Gateway Interface (CGI) scripts. Many page files contain hyperlinks to other pages or sites, and some sites use these hyperlinks to look up specific information through a search engine, which is implemented with CGI scripts. Hackers can modify these CGI scripts to carry out their illegal tasks. Normally these CGI scripts can only search within the WWW server they are on, but with some modification they can search outside the WWW server. To prevent such problems, these CGI scripts should be given low user privileges. In addition, improve the system's resistance to damage, improve the server's backup and recovery capabilities, and improve tamper protection and automatic repair of site content.
3.8 Malicious code
Malicious code is not limited to viruses; it also includes worms, Trojan horses, logic bombs, and other uninvited software. Detection of malicious code should be strengthened.
3.9 Virus attack
Computer viruses have always been a main threat to computer security. New viruses that can spread over the Internet, such as those that propagate through e-mail, increase the extent of this threat. The types of virus and the ways they infect are also increasing, and the total number of viruses worldwide has reached tens of thousands or even more. Of course, viewing documents or browsing images is less of a concern for virus infection; however, downloading executables and receiving e-mail files of unknown origin call for particular vigilance, otherwise serious damage can easily result. The "CIH" virus is a typical and frightening example.
3.10 Disgruntled internal staff
Disgruntled internal employees may play pranks on the WWW site or even sabotage it. After all, they are the people most familiar with the weaknesses of the servers, applets, scripts and systems. For employees who have already left, this risk can be reduced through regular changes and by deleting their system records. But disgruntled employees who are still in post can cause greater losses than those who have left: for example, they can pass on key information, disclose security-critical information, enter the database improperly, or delete data.
3.11 Network attack methods
It is generally accepted that the main attack methods on networks today are the following.
Unauthorized access: using network or computer resources without prior consent, for example deliberately bypassing the system's access control mechanisms, making abnormal use of network equipment and resources, or expanding one's permissions without authorization to access information. It takes the following forms: impersonation, identity attacks, illegal users entering the network system to perform illegal operations, and legitimate users operating in unauthorized ways.
Information leakage or loss: sensitive data is leaked or lost, intentionally or unintentionally. This usually includes information being lost or leaked in transmission (for example, "hackers" intercepting it through electromagnetic leakage or wiretapping, or deriving important information such as user passwords and accounts by analyzing parameters such as information flow, traffic, communication and length), information being lost or leaked from storage media, and sensitive information being stolen through hidden tunnels.
Destroying data integrity: obtaining the right to use data by illegal means and then deleting, modifying, inserting or retransmitting certain important information to get the response the attacker wants; or maliciously adding or modifying data to interfere with users' normal use.
Denial-of-service attack: continuously interfering with the network service system, changing its normal workflow, or executing unrelated programs so that the system responds slowly or even becomes paralyzed, affecting normal users and even causing legitimate users to be refused entry to the computer network system or unable to obtain the corresponding services.
Spreading viruses over the network: propagating computer viruses over the network is far more destructive than on stand-alone systems, and it is hard for users to guard against.
Chapter IV Security Requirements and Security Goals
4.1 Security requirements analysis
From the preceding analysis of the LAN's structure, applications and security threats, it can be seen that its security problems are concentrated in the security of the servers, defense against hackers and viruses, and the important network segments. We must therefore take appropriate security measures to eliminate these hazards, which should cover:
1. Security protection of the public servers
2. Prevention of hacker attacks from outside
3. Intrusion detection and monitoring
4. Information auditing and recording
5. Virus protection
6. Data security
7. Data backup and recovery
8. Network security management
Given the actual situation of this enterprise LAN, the following requirements should be met when deciding how to solve the above security problems:
1. Substantially improve the security of the system (with the focus on availability and controllability);
2. Preserve the original characteristics of the network: the solution should be transparent to the network's protocols and transmission, allow transparent access, and require no changes to network settings;
3. Be easy to operate and maintain and lend itself to automated management, adding no or little extra work;
4. Affect the original network topology as little as possible, while allowing for expansion of the system and its functions;
5. Offer a good price/performance ratio: a one-time investment that can be used for a long time;
6. Use security products that are lawful and have been approved or certified by the relevant national authorities;
7. Be implemented in stages.
4.2 Network Security Policy
A security policy is the set of rules that must be observed in a specific environment to ensure a certain level of security. The security policy model includes three important components for establishing a secure environment:
Authoritative law: the cornerstone of security is society's laws, regulations and enforcement means; this part is used to establish a set of security management standards and methods. That is, by establishing laws and regulations related to information security, would-be offenders are deterred by the law and do not dare to act rashly.
Advanced technology: advanced security technology is the fundamental guarantee of information security. Users carry out a risk assessment of the threats they face, decide what kinds of security services they need, select the appropriate security mechanisms, and then integrate advanced security technology.
Strict management: every institution, enterprise and unit that uses a network should establish appropriate information security management methods, strengthen internal management, establish audit and tracking systems, and improve overall information security awareness.
4.3 System security objectives
Based on the above analysis, we believe the security of this LAN should achieve the following objectives:
1. Establish a complete set of network security and network management policies;
2. Effectively isolate the internal network, the public server network and the external network from one another, avoiding direct communication with the external network;
3. Establish security measures for the hosts and servers to ensure their system security;
4. Control the content of online service requests so that illegal access is rejected before it reaches the host;
5. Strengthen access authentication while keeping users' access rights to the minimum;
6. Comprehensively monitor access to the public servers, promptly detecting and rejecting unsafe operations and hacker attacks;
7. Strengthen auditing of all access, recording in detail access to the network and the public servers to form complete system logs;
8. Backup and disaster recovery: strengthen system backups so that the system can be restored quickly;
9. Strengthen network security management and improve the network security awareness and defensive skills of all personnel in the system.
Chapter V Overall Design of the Network Security Plan
5.1 Security Scheme Design Principles
When designing and planning the security of this enterprise LAN, the following principles should be followed:
Comprehensiveness and integrity: apply the viewpoint and methods of systems engineering to analyze the security of the network and the specific measures. Security measures include administrative and legal means, various management systems (personnel vetting, workflow, maintenance systems, etc.) and technical measures (identification technology, access control, passwords, low radiation, fault tolerance, anti-virus, high-security products, etc.). A good security measure is often the result of applying several methods appropriately together. A computer network includes individuals, equipment, software, data and so on; the status and influence of each of these in the network can only be seen and analyzed effectively and feasibly from the perspective of the system as a whole. That is, computer network security should follow the principle of overall security, and a reasonable network security architecture should be established according to the specified security policy.
Balance of requirements, risk and cost: absolute security is difficult to achieve and is not necessarily needed. Study the network as it actually is (including its tasks, performance, structure, reliability, maintainability, etc.), analyze the threats it faces and its risks both qualitatively and quantitatively, then develop standards and measures and determine the security policy of the system.
Consistency: the principle of consistency mainly means that network security should exist throughout the working cycle (or life cycle) of the whole network, and that the security architecture developed must be consistent with the network's security requirements. The design of a secure network system (preliminary or detailed) and its implementation plan, network verification, acceptance, operation and so on must all include security content and measures. In fact, considering network security countermeasures at the start of network construction is not only easier than considering security measures after the network has been built, it also costs much less.
Ease of operation: security measures have to be carried out by people; if the measures are too complex and demand too much of people, they themselves reduce security. Second, the measures adopted must not affect the normal operation of the system.
Step-by-step implementation: as the network system and its applications expand and the network grows, network vulnerability will keep increasing. It is unrealistic to solve network security problems once and for all. At the same time, implementing information security measures requires considerable expense. Implementing in stages can therefore meet the basic needs of the network system and information security while also saving cost.
Multiple protection: no security measure is absolutely secure; any of them can be broken. But a system of multiple protections can be established in which the layers complement each other, so that when one layer is broken the other layers still protect the security of the information.
Evaluability: how to evaluate a security design in advance and verify the security of its network requires assessment by the national assessment and certification bodies for network information security.
5.2 Security services, mechanisms and technology
Security services: these mainly include control services, object authentication services, reliability services, etc.
Security mechanisms: access control mechanisms, authentication mechanisms, etc.
Security technology: firewall technology, identification technology, audit and monitoring technology, virus prevention and control technology, etc. In a secure open environment, users can use a variety of security applications. Security applications are implemented by security services, and security services are in turn implemented by various security mechanisms or security technologies. Note that the same security mechanism can sometimes be used to implement different security services.
Chapter VI Network Security Architecture
Based on a comprehensive understanding of the network, and in accordance with the requirements of the security policy, the results of the risk analysis and the security objectives of the entire network, the security measures for the whole network should be established as a system. The security control system consists of the following aspects: physical security, network security, system security, information security, application security and security management.
6.1 Physical Security
Ensuring the physical security of computer information systems is the precondition for the security of the entire computer information system. Physical security protects computer network equipment, facilities and other media from environmental accidents such as earthquakes, floods and fires, from human operating mistakes or errors, and from damage caused by computer crime of all kinds. It mainly covers three aspects:
Environmental security: security protection of the environment, such as area protection and disaster protection (see national standard GB50173-93 "Electronic computer room design specifications", national standard GB2887-89 "Computing station site technical conditions", and GB9361-88 "Station Safety Requirements").
Equipment security: mainly anti-theft and anti-destruction protection, prevention of information leakage through electromagnetic radiation, prevention of line interception, protection against electromagnetic interference, and power supply protection.
Media security: including the security of the data on the media and of the media themselves.
6.2 Network Security
For network security, two main levels are considered: one is the maturity of the overall network structure, which mainly means optimizing the network structure; the other is the security of the network system as a whole.
6.2.1 Network Structure
The security system is built on the network system, and the security of the network structure is the basis for successfully establishing the security system. For the security of the overall network structure, the main considerations are optimization of the network structure, systems and routing. The network structure should take into account the environment, equipment configuration and applications, remote networking mode, traffic estimates, network maintenance and management, the location of network applications and services, and other factors. A mature network structure should be open, standardized, reliable, advanced and practical; it should be designed in a structured way, make full use of existing resources, be simple to operate and manage, and have a sound security system. A hierarchical architecture makes the network easier to maintain and manage and facilitates higher security control and business development. Optimizing the network structure mainly means considering redundant links in the network topology, firewall placement, and real-time monitoring by intrusion detection.
6.2.2 Network System Security
6.2.2.1 Access control and isolation of internal and external networks
Access control can be implemented in the following ways:
1. Establish strict management rules, issuing the corresponding "User Authorization Implementation Rules", "Password Management Specification" and "Permission Management System".
2. Deploy the appropriate security equipment. Placing a firewall between the internal network and the external network to isolate them and control access between them is the most important, most effective and most economical measure for protecting the internal network. The firewall sits at the only point of entry and exit for information between different networks or network security domains. The main type of firewall is the packet filter. A packet-filtering firewall generally uses the header information of IP and TCP packets to filter the IP packets entering and leaving the protected network, and can control (allow, refuse, monitor) the flow of information into and out of the network according to the enterprise's security policy. It can also provide network address translation (NAT), auditing and real-time alarms. Because the firewall is installed on the path between the protected network and the router, it also isolates the protected network from the external network.
The firewall has the following five basic functions: filtering data entering and leaving the network; managing access into and out of the network; blocking certain prohibited services; recording the content of information and activity passing through the firewall; and detecting and raising alarms on network attacks.
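The following Python sketch is an added example, not part of the original plan and not any firewall product's code. It models the packet filtering described above for the external network, the public server area and the internal network: a first-match rule list with default deny, a decision log, and a simple alarm. The class names, all addresses and prefixes, the rule set and the alarm threshold are constructed assumptions.

```python
"""Toy model of a stateless packet filter with default deny, logging and alarms.

Only new requests are modelled; reply traffic and connection state are out of
scope. Zone prefixes, server addresses and the alarm threshold are constructed
for illustration and do not come from the plan.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address plan for the areas named in the plan.
ZONES = {
    "internal": ip_network("10.0.0.0/16"),   # department VLANs
    "public": ip_network("192.0.2.0/28"),    # public server area (WWW, e-mail)
}
WWW = ip_address("192.0.2.10")
MAIL = ip_address("192.0.2.11")


def zone_of(addr) -> str:
    """Map an address to a zone; anything unknown is the external network."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_zone: Optional[str]       # None matches any zone
    dst_zone: Optional[str]
    dst: Optional[object] = None  # specific destination host, or None for any
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        return ((self.src_zone is None or zone_of(src) == self.src_zone)
                and (self.dst_zone is None or zone_of(dst) == self.dst_zone)
                and (self.dst is None or dst == self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


# First match wins. Only the services the public servers must offer are opened.
POLICY = [
    Rule("allow", "external", "public", WWW, "tcp", 80),
    Rule("allow", "external", "public", MAIL, "tcp", 25),
    Rule("deny", "external", "internal"),   # internal subnets are never exposed
    Rule("deny", "public", "internal"),     # a public server cannot reach inward
    Rule("allow", "internal", "public"),
    Rule("allow", "internal", "external"),
]


class Firewall:
    def __init__(self, policy, alarm_threshold=3):
        self.policy = policy
        self.alarm_threshold = alarm_threshold
        self.log = []              # (action, rule index or None, packet)
        self.denied = Counter()    # denied packets per source address

    def filter(self, p: Packet) -> str:
        action, idx = "deny", None   # default deny when no rule matches
        for i, rule in enumerate(self.policy):
            if rule.matches(p):
                action, idx = rule.action, i
                break
        self.log.append((action, idx, p))
        if action == "deny":
            self.denied[p.src] += 1
        return action

    def alarms(self):
        """Sources whose denied-packet count reached the threshold."""
        return sorted(s for s, n in self.denied.items()
                      if n >= self.alarm_threshold)


def demo():
    fw = Firewall(POLICY)
    traffic = [  # constructed sample traffic
        Packet("203.0.113.7", "192.0.2.10", "tcp", 80),    # web request
        Packet("203.0.113.7", "192.0.2.10", "tcp", 23),    # unopened service
        Packet("203.0.113.7", "192.0.2.11", "tcp", 25),    # mail delivery
        Packet("203.0.113.7", "10.0.1.5", "tcp", 445),     # internal host
        Packet("203.0.113.7", "10.0.1.6", "tcp", 445),
        Packet("192.0.2.10", "10.0.2.9", "tcp", 1433),     # server reaching inward
        Packet("10.0.3.4", "198.51.100.20", "tcp", 443),   # staff browsing
    ]
    return fw, [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    fw, verdicts = demo()
    for action, idx, p in fw.log:
        print(f"{action:5} rule={idx} {p.src} -> {p.dst} {p.proto}/{p.dport}")
    print("alarms:", fw.alarms())
```

A request to a service that was never opened matches no rule and falls through to the default deny, which is why its log entry carries no rule index.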
6.2.2.2 Isolation and Access Control of Different Network Security Domains
Here, VLAN technology is mainly used to achieve physical isolation of the internal subnets. By dividing VLANs on the switch, the whole network can be divided into several different broadcast domains, so that one internal network segment is physically isolated from the others. This prevents a problem affecting one network segment from spreading through the whole network. In some networks, certain segments are more trusted than others, or certain segments are more sensitive than others. By placing trusted and untrusted segments in different VLANs, the impact of a local network security problem on the network as a whole can be limited.
6.2.2.3 Network Security Detection
The security of the network system depends on the weakest link in the network system. How to find the weakest link in the network system in time? How to maximize the security of the network system? The most effective way is to regular security analysis, timely discovery and correct weaknesses and vulnerabilities. Network security detection tool is usually a network security assessment analysis software. It features a practical method to scan the analysis network system, check the weaknesses and vulnerabilities in the reporting system, suggest remedial measures and security strategies to enhance network security. . The testing tool should have the following functions:
Network monitoring, analysis and automatic response;
finding the root causes of frequent problems, establishing the necessary closed-loop procedures to ensure that hidden hazards are corrected, and controlling the various network security hazards;
vulnerability analysis and response;
configuration analysis and response;
vulnerability situation analysis and response;
certification and trend analysis.
Specifically, this is reflected in the following:
the firewall is reasonably configured;
security vulnerabilities in internal and external Web sites are minimized;
the network is resistant to attack;
the exposure of all kinds of server operating systems, such as e-mail servers, web servers, and application servers, to hacker attacks is reduced to the lowest level;
network access receives an effective response, protecting the data security of important application systems (such as financial systems) from hacker attacks and internal personnel.
6.2.2.4 Audit and Monitoring
Auditing records the course of all activities that use the computer network system, and is an important tool for improving security. It not only identifies who has accessed the system, but also shows how the system is being used. Audit information is important for determining whether a network attack has taken place. Recording system events also allows problems to be identified more quickly and systematically, and is an important basis for handling incidents at a later stage. In addition, by analyzing the continuously collected and accumulated security events, some sites or users can be selectively audited, to provide strong evidence of destructive behavior that has been discovered or that may occur.
Therefore, in addition to general network management software and system monitoring and management systems, you should also use currently mature network monitoring equipment or real-time intrusion detection equipment to check, monitor, raise alarms on, and block common operations on local area networks at all levels in real time, in order to prevent attacks and criminal behavior against the network.
6.2.2.5 Network Antivirus
Because computer viruses pose an immeasurable threat and destructive force in a network environment, protection against computer viruses is an important part of network security construction. Network anti-virus technology comprises three technologies: preventing viruses, detecting viruses, and removing viruses.
1. Virus prevention technology: it stays resident in system memory, takes priority in obtaining control of the system, and monitors the system to determine whether a virus is present, thereby preventing computer viruses from entering the computer system and damaging it. Such technologies include encrypting executable programs, boot sector protection, system monitoring, and read/write control (such as anti-virus software).
2. Virus detection technology: it identifies computer viruses by their characteristics, such as self-check, keyword, and file length.
3. Virus removal technology: by analyzing computer viruses, software is developed that deletes the virus program and restores the original file.
The specific implementation of network anti-virus technology includes frequent scanning and monitoring of files on the network server, the use of anti-virus chips on workstations, and setting access permissions on network directories and files.
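The three detection characteristics named above (self-check, keyword, file length), as an added example that is not part of the original article: files on a server share are compared against a clean baseline and searched for known byte patterns. The file names, contents, and the harmless signature marker are constructed for illustration.

```python
import hashlib

def fingerprint(data: bytes) -> dict:
    """Baseline record for a clean file: checksum plus length."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "length": len(data)}

def inspect(name: str, data: bytes, baseline: dict, signatures: dict) -> list:
    """Return the findings for one file; an empty list means nothing was found."""
    findings = []
    known = baseline.get(name)
    if known is None:
        findings.append("no-baseline")             # new file: nothing to compare against
    else:
        if len(data) != known["length"]:
            findings.append("length-changed")
        if hashlib.sha256(data).hexdigest() != known["sha256"]:
            findings.append("checksum-changed")
    for label, pattern in signatures.items():      # keyword (byte-pattern) match
        if pattern in data:
            findings.append("keyword:" + label)
    return findings

def scan(files: dict, baseline: dict, signatures: dict) -> dict:
    """Inspect every file and keep only those with at least one finding."""
    report = {name: inspect(name, data, baseline, signatures)
              for name, data in files.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample data: file contents as they were when known to be clean.
CLEAN = {
    "report.doc": b"quarterly figures 2023",
    "tool.exe":   b"MZ\x90\x00 original program body",
    "notes.txt":  b"meeting at ten",
}
BASELINE = {name: fingerprint(data) for name, data in CLEAN.items()}

# Harmless constructed marker standing in for a vendor-supplied signature.
SIGNATURES = {"test-marker": b"CONSTRUCTED-TEST-MARKER"}

# Constructed state of the same share at scan time.
CURRENT = {
    "report.doc": b"quarterly figures 2024",       # same length, different content
    "tool.exe":   CLEAN["tool.exe"] + b"CONSTRUCTED-TEST-MARKER",  # bytes appended
    "notes.txt":  b"meeting at ten",               # untouched
    "new.bin":    b"unknown file",                 # not in the baseline
}
```

The `report.doc` case shows why the length check alone is not sufficient: a same-length modification is caught only by the checksum.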
The selected anti-virus software should build a uniform anti-virus system across the whole network. It is mainly aimed at the mail and Web servers, and at the PC servers and PCs in the office network segments. It should: support real-time virus monitoring for networks, servers, and workstations; be able to distribute new anti-virus software to multiple targets from the central console, and monitor virus prevention and control on multiple targets; support virus prevention on multiple platforms; identify a wide range of known and unknown viruses, including macro viruses; support Internet/Intranet servers and prevent damage from malicious Java or ActiveX applets; support virus prevention for e-mail attachments, including macro viruses in Word and Excel; support virus detection in compressed files; support a wide range of virus handling options, such as real-time disinfection, removal, and renaming of infected files; support virus isolation, so that when a client attempts to load an infected file, the server can automatically close the connection to that workstation; provide regular online update services for virus signature information and detection engines; support logging; support alarms (sound, image, e-mail, etc.).
6.2.2.6 Network Backup System
The backup system exists for one purpose: to restore, as quickly as possible, the data and system information required to run the computer system. The backup mechanisms selected according to the system security requirements are: high-speed, high-capacity automatic data storage, backup and recovery; off-site data storage, backup and recovery; backup of system equipment. Backup is useful not only when network hardware fails or human error occurs; it also protects against damage to data integrity caused by an intruder's unauthorized access or by network attacks, and is one of the prerequisites for system disaster recovery.
After determining the guiding principles and the backup scheme, you should select secure storage media and technology for data backup. There are two kinds: "cold backup" and "hot backup". "Hot backup" refers to "online" backup: the backed-up data remains within the overall computer system and network, but is stored in a non-working partition or in another business system that does no real-time processing. "Cold backup" refers to "offline" backup: the backed-up data is stored on a secure storage medium that has no direct contact with the overall computer system and network; it is reinstalled when the system is restored, and part of the original data is kept for a long time for reference. Hot backup requires a large investment, but retrieval is fast and it is easy to use, which makes it more advantageous when data is needed for system recovery. In practice, hot backup can be done in two ways: a non-working space can be set aside in the host system and dedicated to backup data, namely partition backup; or data can be backed up to another subsystem, with transfers between the host system and the subsystem, which is equally fast and convenient but requires a higher investment. Cold backup makes up for some of the shortcomings of hot backup, and the two complement each other, because cold backup also has the particular advantage of making it easier to avoid risk.
6.3 System Security
The security of the system mainly refers to the security of the operating system and the application system, and the reliability of the network hardware platform. The following policies can be adopted to secure the operating system:
Configure the operating system securely to improve the security of the system; do not expose internal calls on the Internet; do not disclose key information directly, and use high-security operating systems as far as possible. When developing application systems, follow a standardized development process to reduce vulnerabilities in the application system as far as possible; as far as possible, do not use the same product for all servers and network devices on the network; carry out safety assessment.
6.4 Information Security
Within this company's local area network, information is mainly transmitted internally, so the possibility of information being eavesdropped on or tampered with is small, and it is relatively secure.
6.5 Application Safety
In applications, the main considerations are authorization of communication, encryption of transmission, and audit records. First, authentication in the login process (especially authentication before reaching the server host) must be strengthened to ensure the legitimacy of the user; second, the operational permissions of logged-in users should be strictly limited, keeping the operations they can perform within the minimum range. In addition, in host management, besides the access control and system vulnerability detection described above, access permissions can be split up and managed separately. The application security platform should strengthen resource directory management and authorization management, transmission encryption, audit records, and security management. For application security, the main considerations are identifying the application software used for different services and closely watching for its bugs, and constantly upgrading the scanning software.
6.6 Safety Management
To protect the security of the network, in addition to adding security service functions in the network design and improving system security and confidentiality measures, security management specifications are also required. Security management strategy is implemented on the one hand through pure management, and on the other hand through technically established, highly efficient management platforms (including network management and security management). The security management strategy mainly consists of: defining a sound security management model; establishing a long-term, implementable security policy; thoroughly implementing the standard security precautions; establishing an appropriate security assessment scale, and reviewing the rules on a regular basis. Of course, it is also necessary to establish an efficient management platform.
6.6.1 Safety Management Specification
Given the vulnerability of network security, in addition to adding security service functions in the network and improving system security and confidentiality measures, it is necessary to strengthen network security management specifications, because many insecurity factors show up precisely in organizational management, personnel hiring, and similar areas. This is another basic issue that computer network security must consider, so it should receive the attention of the leadership of every department that uses computer networks.
1. Safety management principle
The security management of network information systems is based primarily on three principles.
Multi-person responsibility principle: every security-related activity must involve two or more people. These people should be assigned by the system's leadership; they must be loyal, reliable, and competent for the job; and they should sign the work record to certify that security work has been carried out. The specific activities are: issuing and recovering access control credentials; issuing and recovering the media used by the information processing system; handling confidential information; hardware and software maintenance; design, implementation, and modification of system software; deletion and destruction of important programs and data; etc.
Limited term principle: in general, it is best that no one holds a security post for a long time, so that they do not come to regard the post as their own or as permanent. To follow the limited term principle, staff should be rotated from time to time, a mandatory vacation system should be enforced, and staff should take turns, so that the limited term system can be put into practice.
Separation of responsibilities principle: people who work in information processing systems should not ask about, learn about, or take part in any security-related matter outside their responsibilities, unless approved by the system's leadership. For security reasons, the two information processing tasks within each of the following groups should be separated:
Computer operation and computer programming; reception and transmission of confidential data; security management and system management; application programming and system programming; access credential management and other work; computer operation and storage of the media used by the information processing system; etc.
2. The security management department of the information system shall formulate the corresponding management system, or adopt the corresponding specifications, according to the management principles and the confidentiality of the data the system processes. The specific work is:
Determine the security level of the system according to the importance of the work;
determine the scope of security management according to the determined security level;
formulate the corresponding computer room access management system: for systems with a high security level, implement zone control and restrict staff access to unrelated areas. Access management can use credentials for identification, or an automatic identification and registration system using magnetic cards, ID cards, and the like;
develop strict operating procedures: operating procedures should follow the principles of separation of responsibilities and multi-person responsibility, and staff cannot exceed their own jurisdiction;
take data protection measures, such as data backups, when maintaining the system. Maintenance should first be approved by the competent department and carried out with a security manager present; the cause of the fault, the maintenance performed, and the state before and after maintenance should be recorded in detail;
develop emergency measures, so that the system can recover as soon as possible and losses are minimized;
establish a personnel hiring and dismissal system, and adjust the corresponding authorizations of departing staff.
6.6.2 Network Management
Administrators can centrally manage the network devices and security devices on the entire internal network, and the intrusion detection detectors, from the management machine, while using security analysis software to scan all devices, servers, and workstations from different angles, analyze their security vulnerabilities, and take corresponding measures.
6.6.3 Safety Management
The main functions of security management are: management of security equipment; monitoring network hazards, isolating dangers, and keeping dangers within the minimum scope; identity authentication and permission settings; management of access rights to resources; dynamic or static auditing; automatic generation of alarms or event messages for illegal events; password management (such as operator password authentication) and control of universal operators; key management: for servers that involve keys, provide management of key lifetime, key backup, and so on; redundant backup: to increase the security factor of the network, key servers should be redundantly backed up. Security management should be implemented through both the management system and management platform technology. Security management products should support a unified central control platform as far as possible.
Chapter VII
This article is meant to teach you how to design a security solution, so I will not describe the specific security configuration; the specific ideas have been written out. The remaining configuration should be done according to the actual situation. If there is anything wrong, please advise, thank you! (There are some pictures I omitted; I will post them later.)