Enterprise Network Security Risk and Prevention Technical Overview
(Date: 2004-8-4)
Entering the 21st century, computers are increasingly joined to the Internet. The Internet's rich information resources have brought great convenience, but they also bring security problems to Internet users. Because the Internet is open and crosses organizational and national borders, it carries inherent security risks. Moreover, the meaning of information security has changed fundamentally: it has moved from specialized defense to everyday prevention, and from a narrow specialist field to something that is present everywhere.
Network security is the precondition for the normal operation of an enterprise network. It concerns not just the network itself but the security of the whole enterprise information network, which requires layered protection at the physical, network, system, application, and management levels. To know how to protect, one must first understand where the security risks come from. A network security system must cover both technology and management, addressing the many risks at the physical layer, the system layer, the network layer, and the various levels of management. A serious security weakness at any one of these levels may interrupt the business network.
Based on the network structure and applications of domestic enterprise network systems, this paper first analyzes the current hidden dangers of enterprise network security in terms of network security, system security, application security, and management security; it then introduces the main technologies for ensuring network security; and finally it summarizes how enterprise network security can be ensured.
I. Main hidden dangers of enterprise network security
1. Network structure security risk analysis
1.1 External network security threats
Enterprise networks are interconnected with the outside. Because the network system covers a wide area, the internal network faces serious security threats, and intruders try to break into network nodes every day. The office systems and employee hosts in the network system hold information; if one computer inside the internal network is compromised (attacked or infected by a virus), many other systems on the same network are affected at the same time, and through network propagation the networks of external organizations connected to this system can be affected as well.
If there are no proper security measures between the internal local area network and the external network, the internal network can easily be attacked by hostile intruders from the outside network.
1.2 Internal local area network security threats
About 70% of the network security attacks in existing surveys are intrusions from internal networks. Threats from the internal local area network include: misuse and abuse of key, sensitive data; internal personnel deliberately leaking the internal network structure; and disgruntled employees stealing other people's information by various means.
1.3 Security hidden dangers of network equipment
Network devices include routers, switches, firewalls, and so on. Their configuration is relatively complex, and because of negligence or incorrect understanding these devices may be usable but not securely configured.
2. Security risk analysis of the operating system
So-called system security is usually the security of the operating system. The operating system is installed so that things work normally; its security is rarely considered, so the installation usually keeps the default options. From a security perspective, this shows up as many service modules that are never used and many ports that need not be open, which may hide security problems.
Current operating systems are WINDOWS or UNIX operating systems, plus applications developed by other vendors, and their developers must have left back doors. Moreover, the system itself is bound to have security vulnerabilities. These back doors and vulnerabilities create significant security hazards. The system's security is closely related to its security configuration and to the applications running on it. If the operating system is not given a corresponding security configuration, it is full of holes and anyone who has mastered common attack techniques may break in. If it is securely configured, with security vulnerabilities patched, unneeded services closed, and uncommonly used and more sensitive ports prohibited from opening, then intruders will find it far from easy to enter the internal network; doing so requires quite a high level of skill and quite a long time.
3. Application security risk analysis
The security of application systems involves many aspects. Application systems are dynamic and changing, so their security is dynamic too. This requires us to take appropriate security measures for different applications, test their security, and reduce the security risks of the applications.
Security risks of file servers: office network applications usually share network resources. Employees may intentionally or unintentionally share directories of important information on their hard disks, leaving them exposed for a long time in the Network Neighborhood, where they can easily be stolen or spread by external personnel or by other internal employees, because the necessary access control policies are missing.
Security risks of database servers: the internal network service area deploys a large number of servers as database servers, running database system software and mainly providing data storage services. Their security risks include: unauthorized user access; obtaining system administrator privileges through password guessing; and the database server itself being easy to attack. Data in the database that cannot be recovered after an accident (hardware failure or software crash) is also a security issue that must be considered.
Security risks of virus (worm) infection: the network is one of the best and fastest ways for viruses to spread. Virus programs can sneak into the internal network through online downloads, email, pirated CDs or floppy disks, and human error. Therefore the harm of viruses cannot be underestimated. Once one host is infected, the virus program will most likely spread rapidly in a very short time to all hosts on the network, possibly causing information leakage, file loss, machine crashes, and other unsafe outcomes.
Security risks of data information: data security is especially important for companies. Data transmitted over public network lines is hard to protect from being illegally stolen or tampered with in transit. Hackers with advanced techniques, or some corporate spies, will use various means to tamper with the line and obtain the data transmitted online, which causes losses.
4. Security analysis of management
Management security hazards include: internal administrators or employees who, for convenience, write down passwords or set user passwords that are too short and too simple, so that they are easily cracked; unclear responsibilities, with several people using the same username and password, leading to chaotic permission management and information disclosure; telling outsiders the internal network structure, the administrator username and password, and other important information about the system, which brings the risk of information leakage; and dissatisfied internal employees, who may pose great security risks.
Management is an important part of ensuring network security, especially for preventing intrusions from inside the internal network. Unclear responsibilities, conflicting management, and security management systems that are incomplete and lack operability can all create management security risks. Besides efforts on the technical side, network security must rely on security management.
II. Main technologies for ensuring enterprise network security
1. Firewall technology
Network firewall technology is an access control technology between networks. It prevents external network users from entering the internal network by illegal means to access internal resources, and protects the internal network operating environment at special network interconnection points. It inspects the data packets transmitted between two or more networks, for example on a link, to decide whether communication between the networks is allowed, and it monitors the network's operation.
Current firewall products mainly include bastion hosts, packet filtering routers, application-layer gateways (proxy servers), circuit-level gateways, screened-host firewalls, and dual-homed hosts.
The firewall sits at the bottom of the five-layer network security system and belongs to network-layer security technology. It is responsible for security authentication and transmission between networks, but with the overall development of network security technology and the continuous change of network applications, modern firewall technology has gradually moved to security layers beyond the network layer. It not only performs the filtering task of traditional firewalls but can also provide appropriate security services for a variety of network applications. In addition, various firewall products are developing in the direction of data security and user authentication, virus prevention, and anti-hacker measures.
Depending on the technology used, firewalls can be divided into four basic types: packet filtering, network address translation (NAT), proxy, and monitoring. Details are as follows:
1.1 Packet filtering type
Packet filtering products are the primary firewall products, and their technical basis is the packetized transmission technology of networks. Data on the network is transmitted in "packets": the data is split into packets of a certain size, and each packet carries specific information such as the source address, destination address, and TCP/UDP source and destination ports. By reading the address information in each packet, the firewall decides whether these "packets" come from trusted, secure sites; once a packet from a dangerous site is found, the firewall refuses it. System administrators can also flexibly define judgment rules based on actual conditions. The advantages of packet filtering are that it is simple and practical, and the implementation cost is low. When the application environment is relatively simple, it can ensure the security of the system to a certain extent.
However, the defects of packet filtering are also obvious. Packet filtering is a purely network-based security technology that can only judge by network information such as a packet's source, destination, and ports; it cannot recognize malicious intrusions based on the application layer, such as malicious Java applets and viruses carried in email. Experienced hackers can easily forge IP addresses to deceive a packet filtering firewall.
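The following is an added example, not code from the original article, that models the header-only, first-match rule evaluation described above and shows both defects: a payload the filter never reads passes unchanged, and a packet with a forged internal source address matches the trusted rule unless an ingress (anti-spoofing) check is added. All addresses, rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Header fields a packet filter can see, plus the payload it cannot judge."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ingress: str        # interface the packet arrived on: "inside" or "outside"
    payload: bytes = b""


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[str] = None     # CIDR or single address; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def _addr_matches(pattern: Optional[str], addr: str) -> bool:
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation over header fields only; the payload is never read."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


INTERNAL_NET = "10.0.0.0/8"   # constructed internal address range


def antispoof(pkt: Packet) -> bool:
    """Ingress check: a packet claiming an internal source must not arrive from outside."""
    return not (pkt.ingress == "outside" and _addr_matches(INTERNAL_NET, pkt.src))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Anti-spoofing first, then the ordinary rule set."""
    if not antispoof(pkt):
        return "deny"
    return filter_packet(rules, pkt)


# Constructed rule set: the internal range may reach the web server, anyone may
# reach the mail server, everything else is denied by the final rule.
RULES = [
    Rule("allow", src=INTERNAL_NET, dst="192.168.1.10", proto="tcp", dport=80),
    Rule("allow", dst="192.168.1.20", proto="tcp", dport=25),
    Rule("deny"),
]

# Constructed sample traffic (198.51.100.0/24 is a documentation range).
WEB_REQUEST = Packet("10.0.0.5", "192.168.1.10", "tcp", 51000, 80, "inside",
                     b"GET /index.html HTTP/1.0\r\n\r\n")
TELNET_PROBE = Packet("198.51.100.7", "192.168.1.10", "tcp", 4444, 23, "outside")
# A mail delivery whose body carries an executable attachment: the filter only
# sees "tcp to 192.168.1.20 port 25" and allows it; an application-layer
# scanner would be needed to look at the attachment.
MAIL_WITH_ATTACHMENT = Packet("198.51.100.7", "192.168.1.20", "tcp", 4445, 25, "outside",
                              b"Content-Type: application/x-msdownload\r\n\r\nMZ...")
# Same headers as WEB_REQUEST but arriving on the outside interface: a forged source.
SPOOFED = Packet("10.0.0.5", "192.168.1.10", "tcp", 51002, 80, "outside")
```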
1.2 Network address translation (NAT)
Network address translation is an IP address standard for converting IP addresses into temporary, external, registered IP addresses. It allows internal networks with private IP addresses to access the Internet, and it means that users do not need to register an IP address for every machine in their network.
NAT works as follows. When the internal network accesses the external network through the secure NIC, a mapping record is generated. The system maps the source address and source port to a masquerade address and port, and this masquerade address and port connects to the external network through the non-secure NIC, so the real internal network address is hidden. When the external network accesses the internal network through the non-secure NIC, it does not know how the internal network is connected; it simply requests access through an open IP address and port. The OLM firewall determines whether the access is safe according to a pre-defined mapping rule. When the rule is satisfied, the firewall considers the access safe and accepts the access request, or maps the connection request to a different internal computer. When the rule is not satisfied, the firewall considers the access unsafe, cannot accept it, and shields the external connection request. Network address translation is transparent to users: they need no settings and can operate as usual.
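As an added illustration (not the article's code, and not a description of any particular product), the following models the masquerading process just described: an outbound connection creates a mapping from a private address and port to the public address and a masquerade port, an inbound packet is translated back only if it matches that mapping or a pre-defined static rule, and anything else is shielded. Addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)
FlowKey = Tuple[str, int, str, int]   # (private addr, private port, remote addr, remote port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Masquerading NAT: outbound connections create mappings; inbound packets are
    translated only when a matching mapping or a pre-defined static rule exists."""

    def __init__(self, public_ip: str,
                 static_rules: Optional[Dict[int, Endpoint]] = None,
                 first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[FlowKey, int] = {}   # flow -> masquerade port
        self.inbound: Dict[int, FlowKey] = {}    # masquerade port -> flow
        self.static = dict(static_rules or {})   # public port -> published internal server

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: hide the real source behind the public address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: returns the translated packet, or None when shielded."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dport)
        if entry is not None:
            priv_addr, priv_port, remote_addr, remote_port = entry
            # Only the remote host the inside client actually talked to may use the mapping.
            if (pkt.src, pkt.sport) != (remote_addr, remote_port):
                return None
            return Packet(pkt.src, pkt.sport, priv_addr, priv_port)
        target = self.static.get(pkt.dport)
        if target is not None:
            return Packet(pkt.src, pkt.sport, target[0], target[1])
        return None   # no mapping and no rule: shield the request


# Constructed deployment: one public address, a published HTTPS server inside.
PUBLIC_IP = "203.0.113.1"
NAT = NatFirewall(PUBLIC_IP, static_rules={443: ("192.168.1.20", 443)})
```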
1.3 Proxy type
A proxy firewall may also be called a proxy server. Its security is higher than that of packet filtering products, and it has begun to work at the application layer. The proxy server sits between the client and the server and completely blocks direct data exchange between the two. To the client, the proxy server appears to be the real server; to the server, the proxy server is the real client. When the client needs data from the server, it first sends the request to the proxy server; the proxy server requests the data from the server according to this request and then passes the data on to the client. Because there is no direct data channel between the external system and the internal server, external malicious intrusions find it hard to harm the internal network system.
The advantage of a proxy firewall is high security: it can detect and scan the application layer, which is very effective against application-based intrusions and viruses. Its disadvantage is a large impact on overall system performance, and the proxy server must be set up one by one for every application type that clients may generate, which greatly increases the complexity of system management.
1.4 Monitoring type
The monitoring firewall is a new generation of product, and this technology has actually gone beyond the original definition of a firewall. A monitoring firewall can actively monitor the data of each layer in real time and, on the basis of analyzing that data, can effectively identify illegal intrusion at each layer. At the same time, this detection-type firewall product generally has distributed detectors placed at the various application servers and other network nodes, so it can detect not only attacks from outside the network but also malicious destruction from inside, where it has a strong preventive role. According to authoritative statistics, a considerable proportion of attacks on network systems come from inside the network. Therefore, the monitoring firewall not only exceeds the definition of the traditional firewall but also surpasses the first two generations of products in security.
Although the monitoring firewall's security exceeds that of packet filtering and proxy server firewalls, the technology is expensive and not easy to manage, so current practical firewall products still mainly use second-generation proxy products, with monitoring firewalls beginning to be used in some respects. Considering both system cost and the cost of security technology, users can selectively adopt certain monitoring techniques. This can meet the security requirements of the network system while effectively controlling the total cost of ownership of the security system. Although the firewall currently protects the network from hacker attacks, it also has significant shortcomings: it cannot prevent attacks that enter by routes other than the firewall, cannot prevent threats from internal traitors and careless users, cannot fully prevent the transfer of virus-infected software or documents, and cannot prevent data-driven attacks.
2. Intrusion detection technology
2.1 Introduction to intrusion detection technology
Intrusion detection technology collects information at several key points in a computer network or computer system and analyzes it to discover whether there is behavior in the network or system that violates the security policy.
Intrusion detection is a network security technology that actively protects against attack. As a reasonable supplement to the firewall, it helps the system deal with network attacks, extends the system administrator's security management capabilities (including security auditing, monitoring, attack identification, and response), and improves the integrity of the information security infrastructure. It collects information from several key points in the computer network system and analyzes that information.
2.2 Why intrusion detection is needed
At present, domestic users have a high level of awareness of firewalls, but most do not understand the role of intrusion detection systems very well. The firewall plays the role of the gatekeeper in network security: incoming data is matched against predetermined rules and passed if it complies, and this access control is the first gate of network security. Excellent firewalls can even dynamically analyze high-level application protocols to protect the security of the data application layer. But the firewall's function also has limitations: it can only analyze data entering and leaving the network, and it is powerless against events occurring inside the network.
At the same time, because the firewall sits at the gateway, it cannot make too many judgments about attacks in the entering and leaving traffic, or it would seriously affect network performance. If the firewall is like the gatekeeper, intrusion detection is like a camera running continuously in the network: it collects network data continuously by a bypass method, without affecting the network's operation and performance, judges whether the data contains attack attempts, and alerts the administrator through various means. It can find not only external attacks but also internal malicious behavior. Therefore intrusion detection is the second gate of network security and the necessary supplement to the firewall; together they form a complete network security solution.
2.3 Development trends of intrusion detection technology
(1) Improvement of analysis technology
Resolving false positives and missed detections in intrusion detection ultimately depends on improving analysis technology. Current intrusion detection analysis mainly includes: statistical analysis, pattern matching, data reassembly, protocol analysis, behavioral analysis, and so on.
Statistical analysis counts related events in the network to discriminate attacks. Pattern matching uses the characteristic strings of an attack to detect it. Data reassembly recombines the data stream of a network connection rather than looking only at a single packet.
Protocol analysis builds on the reassembly of network data streams: it understands the application protocol and then reuses pattern matching and statistical analysis. For example, suppose an attack carries the feature "ABC". If this data is spread over several packets, for instance one packet contains A, another contains B, and another contains C, then simple pattern matching cannot detect it; only data stream reassembly can detect it completely. With protocol analysis, this event raises an alarm only when it conforms to the protocol (HTTP). If the same feature appears in mail, it does not match the protocol and no alarm is raised. This technology effectively reduces false positives and missed detections.
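An added example (not code from the article) that carries the "ABC" case through the three stages above: per-packet pattern matching misses the split feature, reassembly of the segments by sequence number finds it, and a protocol-aware check alarms only for an HTTP flow and stays silent for the same bytes on the mail port. The segments, ports and signature are constructed; the HTTP check is a deliberately minimal request-line test.

```python
from dataclasses import dataclass
from typing import List

SIGNATURE = b"ABC"        # constructed attack feature from the text's example
HTTP_PORTS = {80, 8080}
SMTP_PORT = 25


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first byte
    data: bytes


@dataclass
class Flow:
    dport: int
    segments: List[Segment]   # in arrival order, not necessarily sequence order


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the contiguous byte stream: sort by seq, drop retransmitted
    overlap, and stop at the first gap (missing data cannot be matched)."""
    if not segments:
        return b""
    ordered = sorted(segments, key=lambda s: s.seq)
    expected = ordered[0].seq
    out = bytearray()
    for seg in ordered:
        if seg.seq > expected:
            break
        chunk = seg.data[expected - seg.seq:]   # skip bytes already seen
        out += chunk
        expected += len(chunk)
    return bytes(out)


def per_packet_match(segments: List[Segment]) -> bool:
    """Naive pattern matching: each packet inspected in isolation."""
    return any(SIGNATURE in s.data for s in segments)


def stream_match(segments: List[Segment]) -> bool:
    """Pattern matching after data reassembly."""
    return SIGNATURE in reassemble(segments)


def http_request_line_valid(stream: bytes) -> bool:
    """Minimal protocol check: the stream must open with an HTTP request line."""
    first = stream.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    return (len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD")
            and parts[2].startswith(b"HTTP/"))


def protocol_aware_alert(flow: Flow) -> bool:
    """Alarm only when the feature appears inside a reassembled HTTP conversation."""
    if flow.dport not in HTTP_PORTS:
        return False
    stream = reassemble(flow.segments)
    return http_request_line_valid(stream) and SIGNATURE in stream


# Constructed flow: the feature is split over three segments that arrive out of order.
SPLIT_SEGMENTS = [
    Segment(1011, b"C HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(1000, b"GET /x?q=A"),
    Segment(1010, b"B"),
]
HTTP_FLOW = Flow(80, SPLIT_SEGMENTS)
MAIL_FLOW = Flow(SMTP_PORT, SPLIT_SEGMENTS)
```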
Behavioral analysis goes beyond analyzing a single attack: it confirms whether an attack exists and whether the attack behavior is effective, which is the highest realm of intrusion detection analysis technology. However, because of the difficulty of the algorithms and the rule handling, it is not yet very mature, but it is the trend of intrusion detection technology. It is best to use a variety of detection techniques rather than relying only on traditional statistical analysis and pattern matching. In addition, whether the rule base is updated in time and how accurate the rules are both affect detection accuracy.
(2) Introduction of content recovery and network audit functions
As mentioned earlier, the highest realm of intrusion detection is behavioral analysis. Because behavioral analysis is not yet very mature, some excellent intrusion detection products introduce content recovery and network audit functions.
Content recovery is based on protocol analysis: any behavior that has occurred in the network is completely reassembled and recorded, so that no behavior in the network escapes its monitoring. Network audit records all connection events in the network. Because of the way intrusion detection is connected to the network, the audit in an intrusion detection system not only records network access information as a firewall does, but also records the connections inside the network; this function is especially useful for content recovery.
Content recovery and network audit let administrators see the real state of the network and in fact bring administrators into the behavioral analysis process. With this feature, administrators see not just an alarm for an isolated attack event but the entire attack process: they can confirm whether the attack actually happened, examine the attack procedure, and understand the harm it caused. It finds not only known attacks but also unknown ones, and not only attacks by external attackers but also malicious behavior by internal users. After all, the administrator understands their own network best, and through this feature the administrator accomplishes behavioral analysis. But when using this feature, attention must be paid to protecting user privacy.
(3) Integration of network analysis and management functions
Intrusion detection is not only detection of network attacks. Since it can receive all the data in the network, it can play a significant role in fault analysis and health management of the network. When an administrator finds that a host has problems, they want to manage it immediately. Intrusion detection should not use only passive analysis methods; it is best combined with active analysis. Therefore, intrusion detection products that integrate network management functions, scanners, sniffers, and other functions are the direction of future development.
(4) Improvement of security and ease of use
Intrusion detection is a security product, so its own security is extremely important. Therefore most intrusion detection products use a hardware architecture and stealth ("black hole") network access to avoid security problems of their own. At the same time, requirements for ease of use are rising, for example: a fully Chinese graphical interface, automatic database maintenance, and diverse report output. These are characteristics of excellent intrusion detection products and will continue to be refined in the future.
(5) Improvement of processing methods for high-volume networks
With the demands of large data volumes, the performance requirements of intrusion detection are gradually rising, and gigabit intrusion detection has appeared. However, if an intrusion detection product not only analyzes attacks but also provides content recovery and network audit, its storage system has difficulty keeping up in a gigabit environment. In this case, dividing the network data is also a good solution with better cost performance, and it is a fairly common practice.
(6) Firewall linkage function
When intrusion detection discovers an attack, it automatically notifies the firewall, which loads a dynamic rule to intercept the intrusion; this is called the firewall linkage function. At present this feature is not yet fully mature in use and is mainly a concept; using it casually will cause many problems. Its main application at present is automated attacks such as NIMDA, where linkage has a certain role; it should not be used without limit. If not fully tested, it will negatively affect the stability of the firewall and of network applications. However, as the detection accuracy of intrusion detection products improves, the linkage function becomes increasingly practical.
3. Network anti-virus and anti-worm technology
Looking at the development trend of computer viruses, more and more viruses are of the worm type. Unlike ordinary file-infecting viruses, such programs usually do not infect normal system files but install themselves into the system as part of it. Such viruses are therefore more concealed and less easily discovered by users.
Computer viruses and worms have multiple definitions. To better distinguish the two, according to the definitions of the RFC and of Eugene Spafford, a worm is characterized by running independently and being able to propagate a copy of itself to another computer. A computer virus is code that can attach itself to other programs, including the operating system; it cannot run independently and must be activated by running its host program. At present, with the wide use of email systems, viruses that use email as their main propagation carrier are increasingly harmful and have caused great damage. Therefore we can further divide viruses into mail viruses and ordinary computer viruses.
What worms and mail viruses have in common is extremely strong infectivity. Installing back-door programs and launching denial of service attacks are often among their important behavioral characteristics.
From this we can see that the powerful means of controlling worms and mail viruses is to control the network communication paths, including mail communication, vulnerability intrusion, and shared communication; while the important means of controlling ordinary computer viruses is a centralized network anti-virus system covering all computer terminals.
The world-famous information security education institution, the SANS Institute, lists anti-worm solutions as a major category alongside firewalls, intrusion detection systems, and the like. However, currently only one product can realize both anti-worm and mail virus prevention: the KSG (Kill Shield Gateway) released by Gunochen, which is considered the first anti-worm and anti-virus gateway.
KSG's unique Anti-Worm technology can resist all known worm attacks and their variant behaviors. It has four functions, anti-worm, anti-virus, anti-spam, and content filtering, filling a blank in the information security community. After two or three years of development, KSG series products have been widely used in many fields and are well supported by users. Their characteristics are as follows:
• Unique Anti-Worm technology can actively defend against virus spread caused by worms, back doors and vulnerabilities, intrusion behavior, DoS attacks, and so on
• High processing capacity, supporting 100M and gigabit network environments, ensuring that it is not a network bottleneck
• Excellent virus and worm detection and removal engines, certified by ICSA, West Coast Labs, Virus Bulletin, and other international authorities
• Uses a dedicated secure operating system to eliminate security hazards
• Transparent bridge network access, plug-and-play, easy to use and manage
4. Encryption technology
Information exchange encryption technology is divided into two categories: symmetric encryption and asymmetric encryption. Details are as follows:
4.1 Symmetric encryption technology
In symmetric encryption, the same key is used to encrypt and decrypt information, that is, one key opens one lock. This simplifies the encryption process, and the two parties exchanging information need not study and exchange dedicated encryption algorithms. If the private key has not been disclosed during the exchange phase, the confidentiality and integrity of the messages can be guaranteed. Symmetric encryption has some shortcomings: if a user has N exchange partners, they must maintain N private keys; another problem is that the two sides must share one private key, and every message exchanged between them is transmitted after being encrypted with that key.
4.2 Asymmetric encryption technology
In an asymmetric encryption system, the key is split into a pair (the public key and the private key). One of the pair, the public key (encryption key), can be disclosed to others, while the other is kept as the private key (decryption key). The public key is used for encryption and the private key for decryption. The private key is held only by the party that generated the key pair; the public key can be widely published, but it corresponds only to that party. Asymmetric encryption can establish secure communication without exchanging keys in advance, and it is widely used in information exchanges such as identity authentication and digital signatures. Asymmetric cryptosystems are generally based on certain known hard mathematical problems, an inevitable result of the development of computational complexity theory. The most representative is the RSA public key cryptosystem.
The RSA algorithm, proposed in 1977, was the first complete public key cryptosystem; its security is based on the difficulty of factoring large integers. The RSA system relies on this basic fact: so far no efficient algorithm has been found for factoring the product of two large numbers. The RSA algorithm is described as follows:
Public key: n = pq (p and q are two large primes, and p, q must be kept secret), and e such that gcd(e, (p-1)(q-1)) = 1.
Private key: d = e^-1 mod (p-1)(q-1).
Encryption: c = m^e mod n, where m is the plaintext and c is the ciphertext.
Decryption: m = c^d mod n.
With the knowledge and theory currently mastered, factoring a 2048-bit integer exceeds the computing power of 64-bit computers, so RSA is safe enough now and for the foreseeable future.
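The textbook RSA steps above, carried through in an added example (not code from the article): key generation from p and q, encryption and decryption with modular exponentiation, and a trial-division routine that recovers the private key from the public one at toy size, which is exactly the computation the 2048-bit modulus is meant to put out of reach. The primes 61 and 53 and the message 65 are constructed illustration values; real keys also need proper padding and large random primes.

```python
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]   # (n, exponent)


def is_prime(n: int) -> bool:
    """Trial-division primality test; fine for illustration-sized numbers only."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Public key (n, e) and private key (n, d) from two secret primes p and q."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # d = e^-1 mod (p-1)(q-1)
    return (n, e), (n, d)


def encrypt(public: Key, m: int) -> int:
    """c = m^e mod n; the plaintext block must be smaller than the modulus."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext block must be smaller than n")
    return pow(m, e, n)


def decrypt(private: Key, c: int) -> int:
    """m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Finds p, q with n = p*q; only feasible when n is tiny."""
    for k in range(2, isqrt(n) + 1):
        if n % k == 0:
            return k, n // k
    raise ValueError("no non-trivial factor found")


def recover_private_key(public: Key) -> Key:
    """Shows why security rests on factoring: given p and q, d follows at once.
    At 2048 bits this step is what no known algorithm can complete."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)        # constructed toy primes
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "ciphertext", c, "plaintext", decrypt(priv, c))
    print("recovered private key", recover_private_key(pub))
```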
5 PKI technology
PKI (Publie Key Infrastucture) technology is an infrastructure that provides secure services with public key theory and technology. PKI technology is the core of information security technology and is also the key and basic technologies of e-commerce. Because of the lack of physical contact through electronic commerce, e-government, electronic affairs such as e-commerce, e-government, electronic affairs, so that the use of electronic modeling trust relationship is critical. PKI technology happens to be a password technology suitable for e-commerce, e-government, and electronic matters. He can effectively solve security issues such as confidentiality, authenticity, integrity, undenny and access control in e-commerce applications. A practical PKI system should be safe and easy to use, flexible and economical. It must take full care of interoperability and scalability. It is an organic combination of certification body (CA), registration body (RA), policy management, key (KEY) and certificate management, key backup, and recovery, withdrawal system, and other functional modules.
5.1 Certification Body (CA)
CA (CERTIFICATION Authorty) is such an authoritative entity that ensures trust. Its main responsibility is to issue certificates to verify the authenticity of user identity. Network user-issued network user electronic identification - certificate, any person who believes the CA, should believe in proven users according to the principle of third party trust. CA also takes a range of corresponding measures to prevent the electronic certificate from being faked or tampered with. Building a CA with strong security is critical, which is not only related to the cryptography, but also related to the framework and model of the entire PKI system. In addition, flexibility is also a key to CA to get market identity, which does not need to support a variety of general international standards, which can be compatible with CA products of other manufacturers. 5.2 Registration Agency (RA)
The RA (Registration Authority) is the interface between users and the CA. The accuracy of the user identity information it obtains is the basis on which the CA issues certificates. The RA must support not only face-to-face registration but also remote registration. To ensure the security and flexibility of the entire PKI system, a networked, secure and easy-to-operate RA system must be designed and implemented.
5.3 Policy Management
In a PKI system, the development and implementation of sound security policy management is very important. These security policies must adapt to different needs and be integrated into the CA and RA technology. At the same time, they should comply with cryptographic and system security requirements, apply cryptography and network security theory scientifically, and have good scalability and interoperability.
5.4 Key Backup and Recovery
To ensure data security, the backup, update and recovery of keys (including recovery after accidental damage to a key) must be provided for in the key management solution. Secure key backup, update and recovery are an important factor in the robustness, security and availability of the entire PKI system.
5.5 Certificate Management and Revocation System
A certificate is an electronic medium that proves the identity of the certificate holder; it binds the holder's identity to the corresponding public key. Normally this binding is valid for the entire life cycle of the issued certificate. Sometimes, however, a certificate is no longer valid before it expires, and it must be revoked. Certificates are revoked for a variety of reasons, from a change in the holder's job to doubts about the key. A certificate revocation system is implemented either by periodically issuing a list of revoked certificates or by providing an online query mechanism for checking whether a certificate has been revoked.
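As an added illustration of sections 5.1 and 5.5 (example code written for this page, not part of the original article or of any product it names), the following Go program builds a toy PKI with the standard library: it acts as the CA to issue a certificate, acts as a relying party to verify the chain, and then revokes the certificate through a periodically issued CRL, the first of the two revocation mechanisms described above. The CA name, the host name branch-server.example.internal and the serial numbers are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI plays the CA (5.1) and the revocation system (5.5) in memory: a
// constructed self-signed root, a server certificate issued to a hypothetical
// branch host, and a CRL in which that certificate is revoked.
func BuildDemoPKI() (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		DNSNames:     []string{"branch-server.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return
	}
	// Periodic-issuance revocation: the CA signs the list of serial numbers it no
	// longer vouches for, here the leaf, as after a job change or key compromise.
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	return
}

// VerifyChain is the relying party: trust only the root, require a valid chain to it
// and require that the certificate matches the expected host name.
func VerifyChain(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsRevoked checks the CRL signature against the issuer before trusting its
// contents, then looks the certificate's serial number up in the list.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, leaf, crlDER, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain ok:", VerifyChain(leaf, ca, "branch-server.example.internal") == nil)
	fmt.Println(IsRevoked(crlDER, ca, leaf))
}
```

The two checks are deliberately separate: a certificate that verifies perfectly against the root is still rejected once its serial number appears on a CRL whose signature checks out against that root, and a CRL that does not verify is not trusted at all, because anyone able to substitute an unsigned list could hide a revocation.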
6 Virtual Private Network Technology
A virtual private network (VPN) is a technology that has developed rapidly with the growth of the Internet in recent years. Modern companies increasingly use Internet resources for promotion, sales, after-sales service, and even training and cooperation, and many prefer to use the Internet in place of their own private data networks. The logical network formed by using the Internet to transmit private information is called a virtual private network.
A virtual private network actually treats the Internet as a public data network. For data transfer, this public network is not essentially different from the PSTN: from the user's point of view, data is transmitted correctly to its destination. By contrast, the network that an enterprise establishes on this public data network is called a private network.
At present, VPNs mainly use four technologies to ensure security: tunneling, encryption, key management, and user and device identity authentication.
6.1 Tunneling Technology
Tunneling is a way of passing data between networks by using an internetwork. The data (or payload) carried through a tunnel can be data frames or packets of a different protocol. The tunneling protocol re-encapsulates these frames or packets of other protocols in a new header; the new header provides the routing information that lets the encapsulated payload pass through the internetwork. The encapsulated packets are routed over the public internetwork between the two endpoints of the tunnel, and the logical path the encapsulated packets travel over the public internetwork is called the tunnel. Once the packets reach the network endpoint, the data is unpacked and forwarded to its final destination. Note that tunneling refers to the whole process, including encapsulation, transmission and decapsulation of the data.
6.2 Encryption Technology
Data transmitted over the public internetwork must be encrypted so that other, unauthorized users of the network cannot read it. Encryption is a relatively mature technology in data communications, and a VPN can directly use existing techniques.
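The following Go program is an added example for sections 6.1 and 6.2 (written for this page; it is not code from the article or from any VPN product) showing both tunnel endpoints: a new outer header carries the routing information the public network needs, the inner packet is encrypted with AES-GCM so that it cannot be read in transit, and the header is bound to the ciphertext as associated data so that altering it is detected. The six-byte header layout, the endpoint ids and the session key are constructed assumptions; agreeing the key is the job of key management (6.3), so here it is simply supplied to both ends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 6 // constructed outer header: src endpoint id, dst endpoint id, inner length (2 bytes each)

// Tunnel is one end of a constructed point-to-point tunnel that shares a
// 256-bit session key with its peer (how that key is agreed is a separate step).
type Tunnel struct {
	gcm cipher.AEAD
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{gcm: gcm}, nil
}

// Encapsulate prepends a new outer header that the public network routes on and
// encrypts the inner packet (of any protocol) with AES-GCM. The header is passed
// as associated data: it stays readable to routers but cannot be altered unnoticed.
func (t *Tunnel) Encapsulate(src, dst uint16, inner []byte) ([]byte, error) {
	if len(inner) > 0xFFFF {
		return nil, errors.New("inner packet too large for the length field")
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint16(hdr[0:], src)
	binary.BigEndian.PutUint16(hdr[2:], dst)
	binary.BigEndian.PutUint16(hdr[4:], uint16(len(inner)))
	nonce := make([]byte, t.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(append(hdr, nonce...), t.gcm.Seal(nil, nonce, inner, hdr)...), nil
}

// Decapsulate is the far tunnel endpoint: it checks the authentication tag, then
// unpacks the inner packet and the routing ids. Any modified byte is rejected.
func (t *Tunnel) Decapsulate(pkt []byte) (src, dst uint16, inner []byte, err error) {
	ns := t.gcm.NonceSize()
	if len(pkt) < hdrLen+ns+t.gcm.Overhead() {
		return 0, 0, nil, errors.New("short packet")
	}
	hdr, nonce, ct := pkt[:hdrLen], pkt[hdrLen:hdrLen+ns], pkt[hdrLen+ns:]
	if inner, err = t.gcm.Open(nil, nonce, ct, hdr); err != nil {
		return 0, 0, nil, errors.New("packet rejected: modified in transit or wrong key")
	}
	if int(binary.BigEndian.Uint16(hdr[4:])) != len(inner) {
		return 0, 0, nil, errors.New("length field does not match payload")
	}
	return binary.BigEndian.Uint16(hdr[0:]), binary.BigEndian.Uint16(hdr[2:]), inner, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real tunnel gets it from key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	hq, _ := NewTunnel(key)
	branch, _ := NewTunnel(key)
	pkt, _ := hq.Encapsulate(1, 2, []byte("inner packet of any protocol"))
	src, dst, inner, err := branch.Decapsulate(pkt)
	fmt.Println(src, dst, string(inner), err)
	pkt[3] ^= 1 // flip one bit in the outer header
	_, _, _, err = branch.Decapsulate(pkt)
	fmt.Println("after tampering:", err)
}
```

Because the header is authenticated but not encrypted, the public network can still route on it, while an intermediary who rewrites the endpoint ids or the payload causes the receiving end to drop the packet rather than forward something it did not receive intact.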
6.3 Key Management Technology
The main task of key management technology is to distribute keys securely over a public data network without their being stolen. Current key management technology falls into two kinds, SKIP and ISAKMP/Oakley. SKIP mainly uses the Diffie-Hellman algorithm to transmit a key over the network; in ISAKMP, each side has two keys, one public and one private.
6.4 User and Device Identity Authentication Technology
A VPN scheme must be able to verify users' identities and strictly limit access to the VPN to authorized users. In addition, the scheme must provide audit and accounting functions that show who accessed what information and when. The most common identity authentication technology is a user name and password, or card-based authentication.
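As an added example for sections 6.3 and 6.4 (written for this page; not code from the article or any product), the Go program below shows both sides of an ephemeral Diffie-Hellman key agreement (X25519, the elliptic-curve form of the algorithm the text attributes to SKIP) combined with device authentication: each side's public value carries an HMAC under a pre-shared device credential, so a key offered by a device that does not hold the credential is rejected before any session key is derived. The device names, the credential and the label in the key derivation are constructed; the hash-based key derivation is a simplification and is labelled as such in the code.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is one VPN endpoint. psk is a constructed pre-shared secret standing in
// for the device credential: it authenticates the exchange but is never used as the
// session key, which is derived fresh from Diffie-Hellman on every exchange.
type Device struct {
	name string
	psk  []byte
	priv *ecdh.PrivateKey
	key  []byte
}

func NewDevice(name string, psk []byte) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{name: name, psk: psk, priv: priv}, nil
}

// Hello is the message a device sends: its identity, an ephemeral X25519 public key
// and an HMAC over both under the PSK, so the receiver knows an authorized device
// produced this key and not someone in the middle.
type Hello struct {
	Name string
	Pub  []byte
	Tag  []byte
}

func tag(psk []byte, name string, pub []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte(name))
	m.Write(pub)
	return m.Sum(nil)
}

func (d *Device) Hello() Hello {
	pub := d.priv.PublicKey().Bytes()
	return Hello{Name: d.name, Pub: pub, Tag: tag(d.psk, d.name, pub)}
}

// Accept verifies the peer's tag first, then runs Diffie-Hellman and derives the
// session key locally. Only public values crossed the network; the key did not.
func (d *Device) Accept(h Hello) error {
	if !hmac.Equal(tag(d.psk, h.Name, h.Pub), h.Tag) {
		return errors.New("authentication failed: unknown device or altered key")
	}
	remote, err := ecdh.X25519().NewPublicKey(h.Pub)
	if err != nil {
		return err
	}
	shared, err := d.priv.ECDH(remote)
	if err != nil {
		return err
	}
	// Toy KDF for the demo: hash the shared secret with a label. Real VPNs use
	// HKDF or the IKE PRF and also mix in both Hello messages.
	k := sha256.Sum256(append([]byte("demo-vpn-session-key|"), shared...))
	d.key = k[:]
	return nil
}

func (d *Device) SessionKey() []byte { return d.key }

func main() {
	psk := []byte("constructed-device-credential")
	hq, _ := NewDevice("hq-gateway", psk)
	branch, _ := NewDevice("branch-gateway", psk)
	fmt.Println(hq.Accept(branch.Hello()), branch.Accept(hq.Hello()))
	fmt.Println("same key on both sides:", hmac.Equal(hq.SessionKey(), branch.SessionKey()))
	rogue, _ := NewDevice("branch-gateway", []byte("guessed-credential"))
	fmt.Println("rogue accepted:", hq.Accept(rogue.Hello()) == nil)
}
```

The order inside Accept matters: the tag is checked before the shared secret is computed, so a device that cannot prove it holds the credential never influences the session key, and a public value altered in transit fails the same check even though the credential itself is correct.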
A VPN brings together a wide range of users, from home dial-up users to workstations connected in the office, up to an ISP's web servers. The mix of user types, transmission methods and services used by a VPN increases the complexity of VPN design and, with it, the complexity of network security. If VPN technology is used effectively, it can prevent fraud, enhance access control and system control, and strengthen confidentiality and authentication. Choosing a suitable VPN solution can effectively prevent malicious attacks by online hackers.
7 Security Isolation
The security threats and risks to a network are mainly present at three levels: the physical layer, the protocol layer and the application layer. Network lines being maliciously cut, or high voltage causing communication interruptions, belong to the physical layer; network address spoofing, Teardrop fragment attacks and SYN floods are threats at the protocol layer; illegal URL submission, malicious web code, mail viruses and the like are attacks at the application layer. In terms of security risk, attacks based on the physical layer are the fewest, those based on the network layer more numerous, and those at the application layer the most numerous, complex and diverse, and the hardest to prevent.
Faced with the continual emergence of new network attacks and the special needs of high-security networks, a new security protection concept, "security isolation technology", came into being. Its goal is to complete the secure exchange of network information while keeping harmful attacks outside the trusted network and protecting the trusted network's internal information.
Isolation emerged to protect high-security network environments, and isolation products have gone through five generations.
First generation isolation technology: complete isolation. Completely independent equipment, storage and lines are used to access the different networks, giving complete physical isolation, but multiple sets of networks and systems are required, and construction and maintenance costs are high.
Second generation isolation technology: hardware card isolation. A hardware card controls independent storage devices and lines to implement access to different networks. Problems of inconvenience and poor usability remain, and there are still large security hazards.
Third generation isolation technology: data broadcast isolation. Isolation is achieved by replicating files through a broad-cast system. Switching takes longer and may even be completed manually, which not only greatly reduces speed but also fails to support common network applications; only specific file-based data exchange can be completed.
Fourth generation isolation technology: air switch isolation. This technology completes data exchange between the internal and external networks by means of a single-pole double-throw switch. It has problems supporting network applications, its transmission speed is slow and its hardware failure rate is high, so it often becomes a bottleneck of the network.
Fifth generation isolation technology: security channel isolation. This technology achieves isolation and data exchange between networks through security mechanisms such as dedicated communication hardware and a proprietary exchange protocol. It not only solves the problems of the earlier isolation technologies but also achieves efficient internal and external network data exchange; it transparently supports a variety of network applications and has become the direction of development for current isolation technology.
III. Summary
At present, the network security field has entered a comprehensive and specialized development path. The network security market has begun to diversify, and China's network security system is gradually taking shape. Single network security products are no longer sufficient to meet the needs of enterprise network security, and an overall solution that starts from an analysis of system requirements is becoming the most favored option.
Below, the application of the Crown Jinchen three-dimensional anti-virus system in the China Reserve Food Management Corporation system is taken as an example to explain how to build a security solution for an enterprise.
1, Requirements
China Reserve Food Management Corporation is a large state-owned enterprise with 14 branches and 194 directly managed food reserves (hereinafter referred to as direct libraries). With the rapid development of informatization, China Reserve Food Management Corporation is actively building a network information system, planning a multi-level computer network system covering the head office, the branches and the direct libraries. The system is divided into three tiers: the head office's main control center as the first-level network, the branch network management systems as the second level, and the direct library network management systems as the third level. The design of the China Reserve Food Management Corporation network system gives full consideration to high reliability, availability, performance and interconnection. At present, the network has completed the construction of the core network main control center, the company's branches and the internal WAN of the head office, with DDN or dial-up links between the head office and the branches.
Since the content of the China Reserve Food Management Corporation computer network system involves national security and some data is confidential, network security should be complete and meticulous. To further improve network security and achieve the goal of building a complete, secure and efficient information system, network security has become an urgent problem to solve. Therefore, China Reserve Food Management Corporation decided to build a dedicated network and information security management system. After careful research and screening, and in view of its leading position in the overall network security field, its mature products and its rich implementation and service experience, Beijing Guan Jun Jinchen Software Co., Ltd. was finally selected as the solution and implementation vendor.
2, Taking the Pulse
Before setting up the information security management system, and considering that China Reserve Food Management Corporation had already taken some preliminary measures in network security, as well as the phasing and protection investment of the overall network construction, Crown Jinchen first analyzed the security problems and hidden dangers present in its network, to ensure that the program would be targeted and efficient:
First, most of the current business systems of China Reserve Food Management Corporation are distributed applications: users, programs and data based on the client/server model and the Internet/Intranet network computing model may be located anywhere. In such a distributed application environment, the database server, e-mail server, WWW server, file server, application server and so on are each a "portal" for people, and as long as one portal is not fully protected, because the lock was forgotten or is not strong enough, "hackers" will enter the system through that door and steal or destroy system resources.
Secondly, the current network of China Reserve Food Management Corporation mainly uses TCP/IP as its network communication protocol, and the main servers run the Windows NT operating system. TCP/IP is well known for its openness: its design goal is easy interconnection and information sharing across the whole system, and security aspects such as access control, user verification, and real-time and after-the-fact auditing receive only basic security control functions, leaving vulnerabilities of this kind. In fact, at the network layer of TCP/IP it is difficult to distinguish legitimate traffic from intrusion data; DoS (Denial of Service) attacks are a notable example. Again, China Reserve Food Management Corporation runs a variety of applications, including WWW, mail systems, database systems and more, and each of these systems has its own security issues. As for application systems (software), most direct libraries are currently building a grain testing system and use stand-alone processing for finance, statistics, personnel and documentation; statistics, finance, warehousing, personnel and other applications will be networked in the near future. On some HTTP servers, especially systems that use server-side scripts, intruders can easily obtain control of the system through these executable scripts. At the same time, the database systems of China Reserve Food Management Corporation have many security issues, and how to guarantee and strengthen the security and confidentiality of the database system is essential to its normal and safe operation.
In addition, although China Reserve Food Management Corporation had already considered security issues and designed a firewall system, in view of the serious state of IT system security these considerations were fairly simple and preliminary, and did not form a complete protective system.
3, Securing the Warehouse
In accordance with the security requirements of the China Reserve Food Management Corporation network system and the characteristics of its network architecture, Crown Jinchen Software Company proposed a defense-in-depth solution built from boundary protection, transport layer protection and core host protection, to ensure the security of its network system. According to China Reserve Food Management Corporation's construction schedule, the first phase mainly deploys the network anti-virus system.
The China Reserve Food Management Corporation network system is a multi-level distributed network system consisting of the head office, the branches and the direct libraries, and includes UNIX/NT servers, mail servers, Windows 95/98 and other networked client machines. Its multi-level network structure is shown in the diagram (not reproduced here).
Because viruses are stored, propagated and infect in different and varied ways on a network, the complete anti-virus system for the corporate network is built with KILL, implementing an anti-virus strategy of "layer-by-layer fortification, centralized control, and a combination of prevention and elimination". According to the network structure of China Reserve Food Management Corporation, Crown Jinchen divided the deployment of its virus protection system into the following aspects: PC protection, real-time protection of file/database servers, real-time protection of mail servers, real-time Internet gateway protection, and deploying eTrust intrusion detection on key network segments to protect core data. The specific architecture and the distribution of products in the network are shown in the diagram (not reproduced here).
In the design of the anti-virus system, Crown Jinchen installed a KILL anti-virus management server at the Beijing headquarters of China Reserve Food Management Corporation as the national network anti-virus security management center, and a KILL anti-virus management server at each branch as a second-level anti-virus security management center. In the 194 direct libraries, a KILL anti-virus management server can be installed as a third-level network anti-virus security management center according to scale and actual management needs, and the management client is installed on each local administrator's workstation. Administrators log in to the management server through the administrator client to manage it directly. The client products are installed on the other servers and clients in the network, and all client anti-virus configuration can be distributed from the management server. In this way, a three-level centralized management structure is formed across the entire enterprise network:
Level 1: The Beijing headquarters management server is responsible for developing and distributing the headquarters network anti-virus strategy and collecting information, and for the strategy of the second-level management server group. The headquarters server downloads virus database and anti-virus engine upgrade code from the Crown Jinchen website and provides the upgrade service to the headquarters network and the secondary management centers.
[Figure: corporate administrator view]
Level 2: The secondary management servers are responsible for establishing and distributing the anti-virus strategy for each branch network and its direct libraries, and for distributing the security policy and upgrade code to direct libraries that have no management center of their own.
[Figure: branch administrator view]
Level 3: The third-level management servers are responsible for developing and distributing the security strategy for the clients of their own network.
[Figure: direct library administrator view]
When needed, a superior administrator can log in directly to a lower-level management control center to check and configure security policy. Through such a deployment, China Reserve Food Management Corporation has a corresponding preventive means for every way in which a virus can infect and spread in the network, forming a complete network anti-virus system. In addition, the policies of the anti-virus system are set through the central management station: administrators can centrally define all the anti-virus policies applicable to the network and then deploy them to each group, and KILL's centralized management function lets the administrator complete centralized configuration of all machines in the network through one management server, achieving zero administration at the client end.
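To make the three-level structure concrete, here is an added Go model (written for this page; it is not KILL's code or any part of the Crown Jinchen product) of how policies flow down a headquarters / branch / direct-library tree and of the rule that only a superior administrator may reach a lower center. The center names and settings are constructed.

```go
package main

import "fmt"

// Policy is a constructed set of anti-virus settings keyed by setting name; a
// setting not present at one level is inherited from the level above.
type Policy map[string]string

// Center is one management server in the three-level tree: headquarters (1),
// branch (2), or a direct library large enough to run its own server (3).
type Center struct {
	Name     string
	Level    int
	Local    Policy // settings decided at this center
	Parent   *Center
	Children []*Center
}

// Add creates a subordinate center one level down and links it into the tree.
func (c *Center) Add(name string, local Policy) *Center {
	child := &Center{Name: name, Level: c.Level + 1, Local: local, Parent: c}
	c.Children = append(c.Children, child)
	return child
}

// Effective merges policy from headquarters downward, so a center receives every
// headquarters setting unless a center on the path to it has overridden it.
func (c *Center) Effective() Policy {
	out := Policy{}
	if c.Parent != nil {
		out = c.Parent.Effective()
	}
	for k, v := range c.Local {
		out[k] = v
	}
	return out
}

// Distribute is the rollout a superior server performs: the effective policy of
// every center in its subtree, keyed by center name.
func (c *Center) Distribute() map[string]Policy {
	out := map[string]Policy{c.Name: c.Effective()}
	for _, ch := range c.Children {
		for name, p := range ch.Distribute() {
			out[name] = p
		}
	}
	return out
}

// CanManage encodes the access rule from the text: an administrator may log in to
// their own center or any center below it, never upward or sideways.
func CanManage(admin, target *Center) bool {
	for c := target; c != nil; c = c.Parent {
		if c == admin {
			return true
		}
	}
	return false
}

func main() {
	hq := &Center{Name: "headquarters", Level: 1, Local: Policy{"realtime_scan": "on", "update_source": "headquarters"}}
	branch := hq.Add("branch-north", Policy{"update_source": "branch-north"})
	lib := branch.Add("direct-library-17", Policy{"scan_schedule": "nightly"})
	for name, p := range hq.Distribute() {
		fmt.Println(name, p)
	}
	fmt.Println("branch admin manages direct library:", CanManage(branch, lib))
	fmt.Println("direct library admin manages branch:", CanManage(lib, branch))
}
```

A direct library that has no server of its own is simply a client of its branch center, so in this model it receives the branch's effective policy unchanged; the override in the example (the branch pointing its libraries at itself for upgrades) is the kind of setting the text describes the second level deciding.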
4, Worry-Free
The anti-virus system uses a unified anti-virus interface across all platforms; all operations use the Microsoft Explorer style and are easy to perform. No restart is needed after installation, and automatic real-time upgrades require no user intervention or restart, minimizing manual operation on the client. In addition, taking full account of the many different operating platforms and application systems in a large enterprise network such as China Reserve Food Management Corporation's, and the variety of computer equipment accessing the network, the KILL anti-virus products support all platforms and occupy very few resources, so users can keep their original configurations to the greatest extent; version compatibility and integrated management maximize the return on users' existing investment.
At present, the anti-virus system has been put into use at China Reserve Food Management Corporation. It has enhanced the viral immunity of its network system in all aspects, thus providing high reliability, usability and performance for the corporation's information system.