Government network security

xiaoxiao  2021-03-06

First, the current state of network and information security

With the vigorous growth of network applications such as government online, customs online and e-commerce, the Internet is steadily being woven into society. On the one hand, the user population is more diverse and network intrusions and attacks with all kinds of motives are increasingly frequent; on the other hand, network applications reach ever deeper into finance, commerce, defence and other fields. In other words, the security of the Internet, which covers both the security of information and data and the reliable operation of network equipment and services, is increasingly a "major matter" bearing on the interests of the state, governments and enterprises. Security capability is an important part of comprehensive national strength, economic competitiveness and the capacity to survive in the new century; it is no exaggeration to compare its importance to that of nuclear weapons in the coming century. If this problem is not solved, it will endanger every aspect of political, military, economic, cultural and social life and leave the country exposed to the threat of information warfare and to high economic and financial risk. A government network carries a large volume of highly confidential data and information on its internal network, so network security comes first. If the network cannot be made secure, the state, society and network users face serious threats and may suffer huge political and economic losses. As government work is steadily computerised and becomes more efficient and convenient, security has become a problem that must be solved urgently.
Facing these threats, the security approaches in common use today are mainly:
◆ software-based solutions
◆ regulations and administrative orders
◆ physical isolation

Software-based solutions: many sophisticated software products and some hardware technologies, such as firewalls, proxy servers, intrusion detectors and channel control, are now widely used to reduce the risk coming from the Internet. However, any software-based protection is a logical mechanism: it detects and rejects potentially harmful operations or information according to preset rules, and such protection can be defeated. Even in the best case, a software security tool still faces viruses it has never seen. Software technology can therefore guarantee normal network operation and routine security, but it does not meet the security requirements of the internal classified network of a highly confidential department.

Regulations and administrative orders are absolutely necessary for security, and strict working discipline is an important guarantee of protection. But they cannot rule out minor negligence at work that breaks the administrative rules and discloses confidential information, nor can they rule out deliberate leaks or sabotage.

The hardware physical isolation scheme separates the internal network from the external network completely, with no line connection between them at all. This ensures that hackers on the Internet cannot reach the internal network, which gives extremely high security. Ordinary physical isolation is secure, but it also has drawbacks: inconvenience, difficulty in exchanging data, and increased equipment and maintenance costs.

When building a government network system, the security construction of the system must be fully considered. How, then, can network security construction achieve solid results? This paper analyses the important issues that need to be considered in network security construction.

Second, the security hazards of a network

The security vulnerabilities of a network lie not only in the network system itself (operating system, database system, network communication protocols and so on) but also in its connections to external networks. Specifically, a network system has the following security hazards.

1. Transmission channel: whether the system is internal or external, the connection between subnets always passes over some transmission channel. Today network transmission is mainly over broadband IP, DDN, X.25 and PSTN channels. The channels themselves suffer from electromagnetic leakage, signal leakage, eavesdropping and interference, and forged communications and information, and every one of these constitutes a security threat to an enterprise network. In addition, excessive transmission distance or poor line quality causes packet loss, which reduces throughput and can even cut remote subnets off altogether.

2. Operating system: it is no exaggeration to say that most network intrusions exploit operating system vulnerabilities. Whether it is Windows NT or Novell running on the primary database server or on an auxiliary server, every one of them has vulnerabilities. Moreover, the convenient communication and sharing features that most network operating systems offer users also leave openings for hacker attacks and virus infection, for example remote user login on UNIX systems and NetBIOS-based file and printer sharing on NT.

3. Database system: in any enterprise network, all key data and important information are stored in the database. Once a database password is stolen through poor administration, the whole system becomes quite fragile.

4. Network communication protocols: most enterprise networks use TCP/IP and application protocols such as HTTP, FTP, SMTP and Telnet, most of which have inherent security vulnerabilities. For example, in the current versions of TCP/IP the biggest security problem is the lack of an effective identity authentication mechanism: the two communicating parties cannot reliably determine each other's identity or physical location, and network attackers frequently exploit this. These vulnerabilities are a frequent source of trouble on enterprise networks.

5. Web server: the WWW server is the link and the bridgehead between the internal and external networks, so it is the most likely target of active hacker attacks.

6. Viruses: thousands of network viruses rage across networked environments, and their harm can exceed even that of malicious hacker attacks.

7. Secure data storage: all of the network centre's important data, and especially the primary database, is the lifeblood of the company. For telecommunications, mobile and paging operators it holds the basic information and call billing data of every subscriber. If such a data centre is destroyed, the consequences are disastrous for the company.

8. Desktop PC configuration: network administrators usually concentrate on securing the servers and neglect the configuration of clients and desktop PCs. In particular, some administrators set a client or desktop PC to full sharing when installing software, and some staff habitually keep their own confidential business documents in My Documents or as backups on their hard drives. Important documents may thus circulate across the internal network, leaving a hidden danger for the network system.

9. Watch the back door: internal personnel are very familiar with their own network and sit behind the firewall, so they too can threaten network security. There may also be channels that bypass the network's official exit: some subnets connect to outside units without authorisation, some PCs reach the Internet by dial-up, some people who are not internal staff dial in from outside, and so on. All of these are major hidden dangers.

10. Authentication and transmission of information: when a large enterprise builds its network, the typical layout puts the business subnets and the computing-centre subnet inside the enterprise, usually in the same building as the management body. This is convenient for construction and management, but it also makes it easier to steal information from the network. Units such as telecommunications, mobile, banking and taxation have a large provincial company (bureau), medium-sized city branches and county branches, with many internal users, so a secure identity authentication and access control mechanism must be established. It is particularly worth noting that the traditional seal system cannot function within a networked setting, so the security system has to provide the same guarantee: information must be neither illegally tampered with nor repudiated as it is transmitted, stored and shared. In summary, the security threats to a network are both technical and managerial, come from both inside and outside the network, and include both deliberate attacks and unintentional acts. Network security is therefore systematic, multi-layered and all-round system engineering.

Third, overall implementation of the network security strategy

1. Preventive measures for the internal network system

① Virus protection: choosing a good professional network antivirus product is an important guarantee against virus intrusion. Looking at the trend in virus development, viruses have moved from single behaviour and single infection vectors to a broad range of propagation methods (Internet transmission, e-mail, document infection and so on), combined with hacker tools and Trojans into "new viruses". Today's computer viruses show the following characteristics: they combine the Internet and the intranet and use every available path (e-mail, the LAN, remote management, instant messaging tools, etc.); all viruses are hybrids combining file infection, worm, Trojan and hacker-program traits, with greatly increased destructive power; because of their spread they no longer pursue stealth but rely more on deception; and exploiting system vulnerabilities has become a powerful means of propagation. When choosing an antivirus product, therefore, focus on the following points: the detection and removal method must comprehensively cover the Internet, with not only traditional manual scanning and file monitoring but also network-layer and mail-client monitoring to stop viruses at the point of entry; the product should offer a complete online update service so that users always have the latest detection capability; it should give key protection to the applications that viruses attack most often; the vendor should have a fast-responding virus detection network that can provide a solution at the first sign of an outbreak; and the vendor should provide complete, timely antivirus advice that raises users' awareness and alertness, so that they learn the characteristics and remedies of new viruses as early as possible.
② Security of channel transmission: in some cases the channel provider can be asked to improve line quality; in others the network system itself can be improved. Large and medium-sized enterprises, for example, have relatively strong technical capability, and most of their database information needs secondary development, so security measures can be built into channel transmission: encryption at the application layer, encryption of the communication line (mainly DDN), or a better secure transmission scheme such as a VPN (virtual private network). Because packets on the intranet are easily sniffed and intercepted within a broadcast domain, secure switches should be used to isolate network resources physically or logically through network segmentation and VLANs, which improves the security of the network.

③ Internal network security auditing: if the firewall is the key checkpoint defending the internal network, the network security audit is the patrol inside it. It monitors the network dynamically and in real time, records everything that happens on it, and gives users a forensic means of finding intrusions and violations. The audit not only monitors intrusion from outside but also the violations and sabotage of insiders, and it is an important yardstick for judging whether a system is really secure. Fudan Guanghua's S-AUDIT system, for example, only needs to be placed on the network segment where the enterprise network centre's database server sits to collect, analyse, count, store and alarm on the traffic there.
④ Binding internal IP addresses to MAC addresses: to ensure network security, and especially to stop outsiders maliciously attacking, destroying, stealing or altering the enterprise network's important data, every allocated IP address can be bound to the MAC address of the computer's network card, so that each internal information node is physically unique when the security system checks it. For systems such as telecommunications, mobile, banking, securities and taxation, whose networks carry a great deal of information, this means one person per PC, one password per person, and each MAC address bound to its IP address. Bear in mind that a MAC address can be changed in software, so the binding deters casual misuse rather than a determined attacker; it is most useful when the switch enforces it and the audit in ③ checks it.
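As an added example (not code from the article or from the S-AUDIT product), the following script combines the two measures above for the database server segment: it checks an ARP snapshot against the IP-to-MAC binding list from ④ and audits which hosts opened connections to the database server, as the audit in ③ does. The hosts, addresses, ARP lines and connection records are constructed for the example; the access list DB_ACL and the port numbers are assumptions.

```python
"""Segment watcher for the database server segment (added example).

Combines (3) auditing of who talks to the database server with (4) IP-to-MAC
binding checks. All addresses, ARP lines and log lines are constructed.
"""
import re
from collections import defaultdict

# (4) Authoritative IP -> MAC bindings for the segment (constructed).
BINDINGS = {
    "10.1.1.10": "00:11:22:33:44:10",   # db-server
    "10.1.1.21": "00:11:22:33:44:21",   # billing application server
    "10.1.1.22": "00:11:22:33:44:22",   # administrator workstation
}

# (3) Audit policy (assumed): which hosts may open which ports on the DB server.
DB_SERVER = "10.1.1.10"
DB_ACL = {
    1521: {"10.1.1.21"},   # database listener: only the billing app server
    22: {"10.1.1.22"},     # remote administration: only the admin workstation
}

# Constructed ARP snapshot in the `arp -an` format of Linux.
ARP_SNAPSHOT = """\
? (10.1.1.10) at 00:11:22:33:44:10 [ether] on eth0
? (10.1.1.21) at 00:11:22:33:44:21 [ether] on eth0
? (10.1.1.22) at 00:11:22:33:44:99 [ether] on eth0
? (10.1.1.77) at 00:11:22:33:44:21 [ether] on eth0
"""

# Constructed connection log: timestamp src dst dport
CONN_LOG = """\
2003-05-01T09:00:01 10.1.1.21 10.1.1.10 1521
2003-05-01T09:00:05 10.1.1.22 10.1.1.10 22
2003-05-01T09:01:10 10.1.1.77 10.1.1.10 1521
2003-05-01T09:02:00 10.1.1.22 10.1.1.10 1521
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Map IP -> lower-cased MAC for every entry in an `arp -an` dump."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_RE.finditer(text)}


def check_bindings(arp, bindings):
    """Findings for the ARP table against the binding list:
    unknown-host (IP never allocated), mac-mismatch (IP seen with a foreign
    MAC) and mac-reuse (one MAC answering for several IPs, i.e. cloning)."""
    findings = []
    by_mac = defaultdict(set)
    for ip, mac in arp.items():
        by_mac[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None:
            findings.append(("unknown-host", ip, mac))
        elif expected != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-reuse", mac, tuple(sorted(ips))))
    return findings


def audit_connections(log, acl, db_server):
    """Flag every connection to the DB server that the access list does not permit."""
    findings = []
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        if dst != db_server:
            continue
        if src not in acl.get(int(dport), set()):
            findings.append(("unauthorized-db-access", ts, src, int(dport)))
    return findings


def run_audit():
    """Correlate both checks: DB accesses from hosts whose binding is broken
    are the ones to escalate first."""
    binding = check_bindings(parse_arp(ARP_SNAPSHOT), BINDINGS)
    suspect = {f[1] for f in binding if f[0] in ("unknown-host", "mac-mismatch")}
    access = audit_connections(CONN_LOG, DB_ACL, DB_SERVER)
    return {"binding": binding, "db_access": access,
            "from_suspect_host": [a for a in access if a[2] in suspect]}
```

In the constructed data the MAC of the billing server reappears on 10.1.1.77, an IP that was never allocated, and that host then opens the database port; the correlation in run_audit is what turns two separate alarms into one incident.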

⑤ Operating system: security must be tightened step by step at every layer, from the end users' workstations up to the servers' application services.

⑥ Dedicated minicomputer systems: many network systems with very large user populations, such as telecommunications, mobile, banking, securities and taxation, run not only on dedicated hardware but on proprietary operating systems from minicomputer vendors, and their databases are developed specifically for those minicomputers. Because of the specialised hardware and software, these dedicated systems are not general-purpose, so they are not favoured by ordinary virus writers, let alone targeted with viruses written for them.

⑦ Information confidentiality: the confidentiality measures provided by the network operating system can also be used to protect the network. Taking Windows as an example: register user logins, set login passwords, set directory and file permissions so that each user can operate only on specific directories and files, or set user-level access control, and reach the Internet only through the host. Security protection of database information can be strengthened at the same time. Data on the network is organised either as files or as databases; because file-organised data is hard to share, the database is now the main form of network data storage. Since the operating system provides no special confidentiality measures for databases and database data is stored in readable form, appropriate measures must also be taken for database confidentiality. E-mail is the main way enterprises pass information, so mail delivery should be encrypted. Corresponding confidentiality measures can also be taken against the leakage channels of computers, their peripherals and network components: electromagnetic emanation, illegal terminals, wiretaps, and residual magnetism on media.

⑧ Data backup and recovery: in a large or medium-sized enterprise network the subsidiaries' systems cannot all be in the same building; many subnets are distributed in branches several or even dozens of kilometres from the network centre. Generally the important data of the network system can be managed centrally by the enterprise network centre, but for their own business reasons some subordinate subnets also run independent database systems. In a telecommunications system, for example, not only the provincial company has a billing system; the city companies and even the county companies have their own. These systems are linked by control relationships between levels yet remain relatively independent, so a differential data backup centre must be established, for instance a tape library backup system that takes backups over Ethernet. In internal network systems the value users place on their data keeps growing, and in fact the factors that cause computer data to be lost, damaged or tampered with go far beyond known viruses and malicious attacks: user error, unexpected power loss and similar mishaps can cause greater disasters than direct virus and hacker attacks.

To keep the internal network secure, important information must be backed up so that the system can be recovered from crashes caused by hardware and software failures, virus intrusion and hacker attacks. For data protection it is essential to choose fully capable, flexible backup software; the backup products in use today are quite comprehensive and ship with a variety of disaster recovery software that protects data even better.

⑨ Other protective measures: network security is not only a matter of hackers and viruses but also of the physical security of the system itself. Besides practical measures such as dual power supplies and dual fans, disk mirroring and server hosting facilities, the necessary lightning protection, anti-static, anti-electromagnetic-interference and disk degaussing measures should also be adopted.
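As an added example (not code from the article or from any backup product), the script below expresses the differential backup scheme of ⑧ as file manifests and contrasts it with an incremental scheme: a differential set holds everything changed since the last full backup, so a restore needs the full set plus one differential, while an incremental set holds only the changes since the previous backup of any kind, so a restore needs the whole chain. The directory tree, its billing files and the two days of changes are constructed in a temporary folder; the hash manifest stands in for the tape contents.

```python
"""Full, differential and incremental backups as manifests (added example).

The directory contents are constructed in a temporary folder; the sha256
manifest stands in for what would actually be written to tape.
"""
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map relative path -> sha256 of content for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_since(base, current):
    """Files whose content is new or differs from `base`.
    (Deletions are not tracked here; a real scheme records them too.)"""
    return {p: h for p, h in current.items() if base.get(p) != h}


def restore_chain(full, diffs, incs, mode):
    """Backup sets needed to rebuild the latest state."""
    if mode == "differential":
        return [full] + diffs[-1:]    # full + only the newest differential
    return [full] + incs              # full + every incremental, in order


def apply_chain(chain):
    """Replay backup sets in order; later sets overwrite earlier versions."""
    state = {}
    for m in chain:
        state.update(m)
    return state


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "billing").mkdir()
        (root / "billing" / "cdr-2003-04.dat").write_bytes(b"call records april")
        (root / "billing" / "rates.cfg").write_bytes(b"rate table v1")
        (root / "users.db").write_bytes(b"subscriber master v1")

        full = manifest(root)          # weekend full backup
        last = full                    # state at the most recent backup of any kind
        diffs, incs = [], []

        # Day 1: a tariff change
        (root / "billing" / "rates.cfg").write_bytes(b"rate table v2")
        cur = manifest(root)
        diffs.append(changed_since(full, cur))
        incs.append(changed_since(last, cur))
        last = cur

        # Day 2: new subscribers
        (root / "users.db").write_bytes(b"subscriber master v2")
        cur = manifest(root)
        diffs.append(changed_since(full, cur))
        incs.append(changed_since(last, cur))
        last = cur

        d_chain = restore_chain(full, diffs, incs, "differential")
        i_chain = restore_chain(full, diffs, incs, "incremental")
        return {
            "diff_sizes": [len(x) for x in diffs],   # grows: 1 then 2 files
            "inc_sizes": [len(x) for x in incs],     # stays small: 1 and 1
            "restore_differential": len(d_chain),    # 2 sets
            "restore_incremental": len(i_chain),     # 3 sets
            "rebuilt_ok": apply_chain(d_chain) == cur and apply_chain(i_chain) == cur,
        }
```

The trade-off the numbers show is the usual one: differential sets grow through the week but keep the restore to two tapes, which matters most when a county billing system has to be rebuilt under time pressure; incremental sets stay small but every tape in the chain has to be readable.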

2. Preventive measures for the external link system

① Install a firewall: install a firewall between the internal and external networks to isolate them, and configure it so that all internal network traffic passes through the firewall, while external users passing through it can reach only the designated port of the internal database system plus the HTTP service of the WWW server and anonymous FTP. Choose a firewall appropriate to the network. A small enterprise network may use a personal firewall such as Norton Internet Security, PC-cillin or Tianwang Personal Firewall; an enterprise with an internal network can configure the firewall built into its router or buy a more powerful firewall product. Almost all routers can block attacks with their built-in firewall, and a hardware firewall can strengthen the application further.

② Install an isolation server: in industries such as telecommunications and mobile, many marketing and fee-collection systems are run by agents (individuals or banks) to serve customers and grow the business. Such agent systems have only a few terminals, but those terminals must reach the enterprise network's data centre to collect fees or serve customers. For the safety of the enterprise network, the usual method is to install a front-end isolation server that acts as the intermediary for all data exchange between inside and outside, which protects the central database. The advantage of a proxy gateway is that packets are never exchanged directly between the internal and external networks: internal computers must go through the proxy gateway to reach the Internet, so the operator can easily restrict on the proxy server which external resources internal users may reach. Different protocol standards are used on the two sides of the proxy server, which also blocks illegal external access, and the proxy gateway can verify packets and check passwords.

③ Install an electronic declaration server: when the enterprise network must connect to the Internet, an electronic declaration server for WWW data transmission can be installed to protect the data of the enterprise network centre. It manages WWW information by classification level and keeps the information authentic, complete and encrypted, and it is one of the necessary security measures. For example, adding role-based authentication directly on the Blue Bird Network JB-FW gives a fairly convenient electronic declaration server model consisting of three parts, a firewall, a security client and a key management centre, with strong security protection.

④ Security measures for external users accessing internal information: by traditional network management experience, external access to internal information is handled safely in two ways. First, information that may be released to government departments or the public, such as reports, corporate yellow pages and product introductions, is placed on a dedicated server outside the firewall. Second, when external users genuinely need internal information, for example agent sites or enterprises that hold fee-collection or marketing agency agreements with telecommunications or mobile operators, a dedicated database access port can be set up, or only the HTTP service of the WWW server and anonymous FTP are granted, so that external users reach internal information only through address translation and everything else is prohibited.
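As an added example (not a real firewall and not the article's or any vendor's configuration), the policy of ① and ④ is written below as a first-match, default-deny packet filter and set beside the weak setting it replaces: the database port opened to every external host and every internal host allowed to reach the Internet directly instead of through the proxy. The addresses, the DMZ host names, the agent site's address block and the "designated" database port 1521 are assumptions made for the example.

```python
"""First-match, default-deny packet-filter model of the policy (added example).

Addresses, DMZ hosts, the agent site's block and the designated database port
are constructed for the example.
"""
import ipaddress

DMZ_WWW = "192.0.2.10"          # public WWW server, outside the firewall
DMZ_FTP = "192.0.2.11"          # anonymous FTP server, outside the firewall
DB_SERVER = "10.1.1.10"         # internal database server
PROXY = "10.1.1.5"              # proxy gateway, the only internal host allowed out
INTERNAL = "10.1.0.0/16"
AGENT_SITE = "198.51.100.0/29"  # fee-collection agent that needs the DB port
DB_PORT = 1521                  # the "designated" database port (assumed)
ANY = "0.0.0.0/0"


def rule(action, src, dst, dport=None):
    """A rule matches when src and dst fall in its networks and, if given, the port."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


# Hardened policy from the text: public services only in the DMZ, the database
# port only for the agent site, internal hosts out only via the proxy gateway.
RULES = [
    rule("allow", ANY, DMZ_WWW + "/32", 80),
    rule("allow", ANY, DMZ_FTP + "/32", 21),
    rule("allow", AGENT_SITE, DB_SERVER + "/32", DB_PORT),
    rule("allow", PROXY + "/32", ANY),
]

# The weak setting it replaces: database port open to everyone, and every
# internal host allowed to reach the Internet directly.
WEAK_RULES = [
    rule("allow", ANY, DMZ_WWW + "/32", 80),
    rule("allow", ANY, DB_SERVER + "/32", DB_PORT),
    rule("allow", INTERNAL, ANY),
]


def decide(src, dst, dport, rules=RULES):
    """First matching rule wins; anything left unmatched is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, port in rules:
        if s in snet and d in dnet and (port is None or port == dport):
            return action
    return "deny"   # default deny: nothing is reachable unless listed


# Constructed flows: (src, dst, dport)
FLOWS = [
    ("203.0.113.5", DMZ_WWW, 80),       # Internet user reads the public web site
    ("203.0.113.5", DMZ_WWW, 22),       # Internet user probes SSH on the web server
    ("203.0.113.5", DB_SERVER, DB_PORT),  # Internet user goes for the database
    ("198.51.100.3", DB_SERVER, DB_PORT), # the agent site reaches the database
    ("10.1.1.22", "203.0.113.9", 80),   # internal PC tries to browse directly
    (PROXY, "203.0.113.9", 80),         # the proxy gateway browses on its behalf
]


def compare(flows=FLOWS):
    """(flow, decision under WEAK_RULES, decision under RULES) for each flow."""
    return [(f, decide(*f, rules=WEAK_RULES), decide(*f)) for f in flows]
```

Comparing the two columns from compare() is the check worth running before a ruleset goes live: the one flow that changes from allow to deny is the Internet host reaching the database port, which is exactly the exposure ④ warns about.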

⑤ Password management: in practice, when intruders attack an intranet target, 90% of them start by cracking an ordinary user's password. On a UNIX or Linux system, for example, the attacker first identifies the user accounts on the host with "finger @remote-host" and then attacks with an exhaustive dictionary search. The cracking is done by a program, and a dozen or so hours are enough to try every word in the dictionary. If that fails, the intruder carefully looks for the target's weak points and vulnerabilities, obtains the file that stores the passwords, shadow or passwd, and then recovers the passwords with a dedicated cracker for the DES-based encryption. System administrators must therefore attend to every aspect of password management: make passwords as long as possible; do not choose information that is easy to guess; do not use the same password on different systems; type the password only when no one is watching; mix upper and lower case letters, punctuation and digits; change passwords regularly; and regularly run a password cracker to check whether the shadow file is safe. A password that is never changed cannot be considered secure.

⑥ Seen from the attacker's side, a large share of the security threats to a computer network system come from denial-of-service (DoS) attacks and computer viruses, so protection can start from these. An effective way to deal with denial-of-service attacks is to restrict the network traffic allowed to reach the whole web site; in particular ICMP packets, including those used by the ping command, should be blocked. Installing an intrusion detection system improves on what the firewall can do: it monitors the network, intercepts immediately, analyses and filters packets and their content, and can terminate the service at once when an intruder is detected, effectively preventing the theft of enterprise secrets. At the same time, illegal users should be kept off the network, and access to local network devices should be confined to specified hosts so that device configurations cannot be modified from outside.
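As an added example (not code from the article and not a real cracker), the following script is the regular check that ⑤ asks for: it runs a small dictionary attack with typical mutation rules against a constructed shadow-style file, then reports stale passwords and passwords reused across accounts. The accounts, their passwords and the word list are constructed; a salted SHA-256 stands in for the DES crypt(3) format, since the Python crypt module is not available everywhere, and the hashing is deliberately fast so that the dictionary run is visible rather than realistic.

```python
"""Dictionary attack plus password-policy audit over a shadow-style file (added example).

Accounts, passwords and the word list are constructed. Salted SHA-256 stands in
for the DES-based crypt(3) format of a real shadow file.
"""
import hashlib
from collections import defaultdict

WORDLIST = ["password", "welcome", "telecom", "summer", "letmein"]   # constructed


def hash_pw(pw, salt):
    """Stand-in for crypt(3): salted SHA-256 (assumption, not the real format)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def make_shadow(records):
    """Constructed shadow-style lines: user:salt$hash:days_since_change"""
    return "\n".join(f"{u}:{s}${hash_pw(p, s)}:{d}" for u, p, s, d in records)


SHADOW = make_shadow([
    ("alice", "Summer2003!", "ab", 10),     # "complex" but a mutated dictionary word
    ("bob", "telecom", "cd", 400),          # the company name, never changed
    ("carol", "Welcome1", "ef", 30),        # capital + digit does not help
    ("dave", "m3Z$q9v!Tpr2Wn", "gh", 500),  # strong, but stale
    ("eve", "telecom", "ij", 20),           # same password as bob
])


def mutations(word):
    """Typical cracker rules: case variants plus digit, year and symbol suffixes."""
    base = {word, word.capitalize(), word.upper()}
    out = set(base)
    for b in base:
        for suffix in ("1", "123", "2003", "!", "2003!"):
            out.add(b + suffix)
    return out


def crack(shadow, wordlist):
    """Return {user: recovered password} for every account the list breaks."""
    found = {}
    for line in shadow.splitlines():
        user, field, _days = line.split(":")
        salt, digest = field.split("$")
        for word in wordlist:
            hit = next((c for c in mutations(word) if hash_pw(c, salt) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def audit(shadow=SHADOW, wordlist=WORDLIST, max_age_days=90):
    """Cracked accounts, accounts past the change interval, and (among the
    cracked ones, since salts hide reuse in the hashes) passwords shared by
    several accounts."""
    cracked = crack(shadow, wordlist)
    stale = [line.split(":")[0] for line in shadow.splitlines()
             if int(line.split(":")[2]) > max_age_days]
    by_pw = defaultdict(list)
    for user, pw in cracked.items():
        by_pw[pw].append(user)
    reused = {pw: users for pw, users in by_pw.items() if len(users) > 1}
    return {"cracked": cracked, "stale": stale, "reused": reused}
```

Two of the constructed accounts satisfy the usual complexity rules (mixed case, digits, a symbol) and still fall to a five-word list, which is the point of running the cracker rather than trusting the rules; the one password that survives is the long random one, and the only finding against it is its age.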

⑦ Other security measures for Internet access: besides the measures above, an Internet access security policy should be set for the users concerned. The main practices are: laptop users who reach the Internet via ISDN or PSTN may keep nothing on the laptop except the operating system and the relevant applications, and no data or content involving confidential material, backup files included; if a subordinate department needs Internet access, it is best to provide a dedicated PC that is not connected to the government network and reaches the Internet by dial-up, while the other networked PCs are not allowed to dial up;
or lease a server on a public web site (a government web site or an ISP, for example) for publishing information externally, so that the individual departments transfer information to that server through specially configured PCs; individual users who need frequent Internet access and must also work on the government network can be handled with a network isolation card or dual hard drives;

to effectively stop internal users going online over the unit's telephone lines, all telephone lines except the dedicated line to the ISP have the dial-up access numbers (such as 163, 990, 169 and 165) blocked by number, eliminating the possibility of Internet access by telephone. For the security architecture of a large or medium-sized network system, each network segment can also be made independent and each subnet isolated according to its specific needs, with its own protection strategy. For example, the central computer room is given the highest security level: only its disclosed resources can be accessed from outside and only safely, data is transmitted securely, illegal external use of internal computers is blocked, and strong network auditing is applied to the internal network; other departments can access resources within their permitted range.

In summary, establishing a complete and sound network security defence system that both provides services conveniently and protects the internal network effectively is a very important strategy when building a network. Of course, building network security is not a one-off effort; the network system should keep improving as technology develops.

Fourth, trends in network security

Judging from current market demand, physical isolation gatekeepers (network "locks"), anti-attack gateways, firewalls, anti-virus gateways, identity authentication, encryption, intrusion detection and centralised network management are expected to be the eight trends of the 2003 security market.

I. Physical isolation solution: the physical isolation gatekeeper. Physical isolation is quite different from logical isolation. The philosophy of physical isolation is that nothing is safe unless it is absolutely guaranteed; the philosophy of logical isolation is to be as safe as possible while still allowing normal use. The two are completely different products. The idea of physical isolation comes from two unconnected computers: the user copies data from one to the other, sometimes called "data ferrying". Because the two computers are never directly connected, no network-based attack can threaten them.

II. Logical isolation solution: the firewall. There are many ways to implement logical isolation, but the firewall is the main one. Firewalls come in different architectures: dual-port, multi-port, DMZ and SSN. Different types work at clearly different levels of the seven-layer OSI model. The main criteria for evaluating a firewall are performance, security and functionality. In practice these three contradict and constrain each other: more features usually cost performance, and features also affect the security of the system.

III. Defence against network attacks: the anti-attack gateway. Network attacks, and especially denial of service (DoS), exploit defects of the TCP/IP protocol; some DoS attacks consume bandwidth, others the CPU and memory of network devices. Representative attacks include SYN flood, ICMP flood and UDP flood. The principle is to hit the port of a network service, such as 80, with a large number of forged connection requests until the server's resources are exhausted and the system stops responding or even crashes. Once the connection table is exhausted, the attacker uses real IP addresses to open a large number of genuine connections to the service, seizing bandwidth or exhausting the web server's resources until service is interrupted. Other DoS techniques that exploit protocol defects include LAND, WinNuke, Ping of Death and Teardrop. An anti-attack gateway can recognise the packets of normal service and distinguish attack packets from them. DDoS attacks today exceed 100,000 concurrent connections, so the defence capacity of an anti-attack gateway must also exceed 100,000.

IV. Virus prevention from the network: the anti-virus gateway. Traditional virus detection and removal is done on the client. This has a fatal flaw: if one computer finds a virus, it means the virus has already infected almost every computer in the unit, and if the virus is new, old antivirus software generally cannot detect or remove it. An anti-virus gateway should sit at the junction of the computer network and the Internet; when a new virus appears, only the gateway needs updating rather than the software on every endpoint.

V. Identity solution: the network's authentication, authorisation and accounting (AAA) system. 80% of attacks come from inside rather than outside. Management and access control of the internal network are far more complex than isolation from the outside. Isolating the external network is basically a matter of block or allow, which is coarse-grained access control. Managing the internal network means settling, for each user, who they are, how that is confirmed, which group they belong to and what that group may access, which is fine-grained access control. In most people's minds a RADIUS-based AAA system is a very large security system used mainly by large network operators, and nothing so complicated is needed within an enterprise. This view is changing; in fact the internal network also needs a strong AAA system, and according to an IDC report the AAA system within organisations is the fastest-growing part of the current security market.
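As an added example (not code from the article or from any anti-attack gateway product), the script below shows the half-open connection tracking that lets a gateway in item III tell a SYN flood from a burst of legitimate clients: SYNs from spoofed sources never complete the handshake, so within a short window the ratio of half-open to total SYNs on the attacked port jumps. The packet trace is constructed; only the client-to-server direction is recorded, and the window size, SYN count and ratio thresholds are assumptions to be tuned per service.

```python
"""SYN-flood detection by half-open connection tracking (added example).

The trace is constructed: S is a client SYN, A is the client ACK that completes
the handshake. Thresholds are assumptions.
"""
from collections import defaultdict


def build_trace(flood=True):
    """Constructed trace lines 't src dst dport flags': five normal clients that
    complete their handshakes, then (optionally) forty spoofed SYNs in 0.4 s."""
    lines = []
    t = 0.0
    for i in range(5):
        src = f"203.0.113.{i + 1}"
        lines.append(f"{t:.3f} {src} 192.0.2.10 80 S")
        lines.append(f"{t + 0.05:.3f} {src} 192.0.2.10 80 A")
        t += 0.2
    if flood:
        for i in range(40):   # spoofed sources: SYN only, the ACK never comes
            lines.append(f"{1.0 + i * 0.01:.3f} 198.51.100.{i + 1} 192.0.2.10 80 S")
    return "\n".join(lines)


def parse_trace(text):
    packets = []
    for line in text.splitlines():
        t, src, dst, dport, flags = line.split()
        packets.append((float(t), src, dst, int(dport), flags))
    return sorted(packets)


def half_open_monitor(packets, window=1.0, syn_limit=20, ratio_limit=0.8):
    """Alarm for a destination port when, within any `window` seconds, more
    than `syn_limit` SYNs arrive and more than `ratio_limit` of them never
    complete the handshake. Normal busy periods fail the second test."""
    completed = set()
    syns = defaultdict(list)            # (dst, dport) -> [(t, (src, dst, dport))]
    for t, src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if flags == "S":
            syns[(dst, dport)].append((t, key))
        elif flags == "A":
            completed.add(key)
    alarms = []
    for (dst, dport), lst in syns.items():
        i = 0
        for j in range(len(lst)):       # sliding window over SYN arrival times
            while lst[j][0] - lst[i][0] > window:
                i += 1
            win = lst[i:j + 1]
            if len(win) > syn_limit:
                half_open = sum(1 for _, key in win if key not in completed)
                if half_open / len(win) > ratio_limit:
                    alarms.append({"dst": dst, "dport": dport,
                                   "window_start": lst[i][0],
                                   "syns": len(win), "half_open": half_open})
                    break               # one alarm per port is enough here
    return alarms


def sources_without_handshake(packets):
    """Sources that sent SYNs but never an ACK: the packets a gateway would
    drop (or answer with SYN cookies) first once an alarm is raised."""
    syn_src, ack_src = set(), set()
    for _, src, _, _, flags in packets:
        (syn_src if flags == "S" else ack_src).add(src)
    return sorted(syn_src - ack_src)
```

Counting SYNs alone would also trip on a legitimate rush of clients; it is the half-open ratio that separates the flood, and once the alarm fires the sources that never finish a handshake are the ones to rate-limit. A real gateway does this per window on the wire rather than over a recorded trace, but the bookkeeping is the same.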

Please credit the original source when reprinting: https://www.9cbs.com/read-94525.html
