Practice on the revision of network security construction idea: "Vase" model V2.0

First, the preface

My experience tells me: Information security is a kind of artificial confrontation against information protection, it is the competition between man and man in technology and thinking, and it is the war of real "no smoke". The way of attack is multi-faceted and multi-level, so it is a complicated project to establish an effective information security guarantee system, it is a "war" because it fully embodies the combination of human's subjective initiative and technological creativity.

But the reality tells me: the information security technology has many, the product is numerous, the firewall, the intrusion detection, the encryption machine and so on, whether uses the security product more, the more advanced, our network information is safer? It's like putting the best security door on a new house, even more installation, your heart will not collapse, because again clever "lock" for the high level of the thief is not safe, in addition, perhaps your negligence, the key on the door, even the "rookie" can also be in. Therefore, the construction of an effective security system requires the combination of security technology and people, while the management of people without technical implementation is often useless. It's not the money that's safe, the rapid advances in technology, the "bottomless pit" of investment, how do you explain a large budget to a leader as a director of information? Not to invest more, security is a responsibility, when the incident comes, you do not "as", also have to bear the responsibility of ineffective management.

In order to clarify the idea of information security construction, in 2007, we put forward the "vase" model, which divides information security into three dimensions: the protection system before the event, the monitoring system and the emergency Recovery system in the event, and the audit forensics and analysis system after the event; Organic security is divided into three "lines of defense" , first to the "ordinary" threat of protection, with "anti-theft door" to block some of the low-level intrusion and virus; then to those senior "intruder" adopt "whole accompany", establish the real-time monitoring system on the network, any destruction behavior is found in time, reduce the possible loss to the smallest; Finally, the internal personnel (controllable user) to establish an audit system, "To ungrateful, conceal", forensics can enhance the deterrent effect of security.

After a year of practice testing, "vase" model is very practical and constructive, it is not only in line with people's understanding of safety protection, but also with the National Information security technology standards, such as the Ministry of Security and the protection of the level of classification protection, therefore, It is very suitable for the safety company's engineers and information security users of the use of the management of the use of units, for the rationale for the construction of ideas, arrangements for construction plans, to ensure that the network security construction and business development synchronization, has a strong guiding significance.

However, with its in-depth application in information security construction, the in-depth understanding of the needs of security construction, "vase" model made a number of small adjustments to make it more suitable for construction and use of the demand, but also adapt to the natural evolution of security technology.

Ii. amendments to the "vase" model

1. The identity authentication system moves from the protection platform to the audit platform: through practice, we understand that the main purpose of the identification system is two, one is to establish an effective access control mechanism according to the user authorization; the second is to provide traceability information for the audit, many manufacturers audit system audit to IP or Mac, not to the account, More can not be to people, so even if the discovery of violations, can not provide direct evidence, the last can only "shout two Wolf", therefore, audit must be linked with identity and authorization, because there is no complete authorization management, how do you determine his behavior is ultra vires? Each "citizen" on the network has its own identity card, and is not counterfeit and tamper with, the behavior of people will be true to check.

2. The function of risk assessment moves from the protective platform to the monitoring platform: in practice, we realize that the early security thinking is the way to plug the loophole, so often is first evaluated, find loopholes, and then play patches; with the increase of business system on the network, the network becomes the "information nerve" of the unit, and is the basic platform of the unit business operation, simple "Sick to see the doctor" model clearly can not meet the actual security needs of users, the continuous protection of the "bodyguard model" is gradually replacing the intermittent "on the hospital model." Therefore, the user's leadership needs to keep abreast of the overall security situation of the network, the calculation of the network dynamic "entropy" value, security managers need to be able to make an assessment of the scope of an event. Risk assessment becomes a threat assessment tool for monitoring systems.