Access Control creates a real-name management platform for terminals

Source: Internet
Author: User

Over the past few years, enterprise network security has developed rapidly. A security boundary made up of firewalls, intrusion detection systems and other controls has been established between the enterprise network and the Internet, anti-virus systems have been deployed, and the enterprise security system has grown to a scale at which the intranet is far better protected than the Internet at large.

However, the enterprise network inherits the openness and freedom of the Internet. Faced with constantly changing attack methods and ever faster propagation, its security situation remains serious: viruses and other malware are still the primary threat to the intranet, and internal attacks occur from time to time. The underlying reason is that protective technology develops more slowly than attack technology, and enterprises tend to suffer from a disconnect between security technology and security management: either good security technologies and products are not put to proper use and do not play their intended role, or the security management system lacks the technical means to ensure that it is actually enforced.

The fundamental defect in security management is that it deals with two separate objects: the real employees of the enterprise, and the user accounts on the enterprise network. Because there is no definite mapping between the two, malware can take advantage of the gap and employees with malicious intent can engage in unauthorized access unchecked. More seriously, because identities on the network are unreliable, even after a security incident it is impossible to find the "culprit" behind it, which renders security management systems and regulations useless.

The enterprise network real-name system uses current security technology and products to establish the correspondence between these two objects, so that security technology and security management are seamlessly integrated. By establishing a user identity on the enterprise network, a one-to-one correspondence is created between network users and natural persons, ensuring that employees act on the network according to their real roles in the enterprise. Even if someone still tries to act outside their role, the enterprise can find the person responsible for the incident through that one-to-one correspondence.

1. Architecture of enterprise network real-name system

The core of the enterprise network real-name system is a deterministic correspondence between network users and enterprise employees. This correspondence has a static part, the logical mapping between network user accounts and employees; the LDAP-based user management widely used in enterprises maintains exactly this relationship. It also has a dynamic part: through which terminal device an employee accesses network resources, which IP address that device uses, which network port it is connected to, and which network path it takes.

Establishing the dynamic mapping means binding each employee to the key elements of the network access process. Specifically, the endpoint device used by the employee, the IP address assigned to it, the network port, the network access permissions granted and the network user identity must be combined into a single enterprise network real-name management system.

Figure 1 shows the logical architecture of the enterprise network real-name management system:

Figure 1 architecture of enterprise network real-name Management System

The figure shows the key elements and steps of enterprise network real-name management:

(1) Enterprise employee: a legitimate employee of the enterprise.

(2) Network user: the user name or account of an enterprise employee on the network (usually managed in LDAP).

(3) Endpoint device: the terminal an enterprise employee uses to access the network.

(4) User authentication: verification of the network user name and password presented by the employee.

(5) Device authentication: verification that the endpoint has a valid physical (MAC) address and IP address and is in an acceptable security state (for example, anti-virus installed and up to date).

(6) Authorization and access control: restricting what a network user may access on the network according to the employee's role in the enterprise.

2. The key to implementing real-name management: access control

The key to implementing real-name management is to solve the problem of secure access for users and terminals: to enforce access control on terminals and users so that only legitimate users on secure computers can connect to the enterprise intranet, and so that protection covers the whole access process.

Within the intranet, the network access layer is the point at which users first enter the network. It is therefore the natural place to authenticate users and terminals, authorize them and manage their access, protecting end users throughout the process; this is where the dynamic mapping between employees and network users is established and real-name management finally becomes possible.

Figure 2 shows the logic after the network access layer implements access control:

Figure 2 network logic architecture of real-name management

With access control enforced at the access layer, legitimate users on secure devices still connect to the intranet transparently, while illegitimate users and terminals with security problems are either refused access or automatically placed in a remediation area until the problems are fixed.
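The steps listed in section 1 (user authentication, device authentication, authorization) and the allow, quarantine or deny outcome described above can be put together in a small model of an access-layer admission engine. The following Python is an added example written for this page, not code from the original article or from any product it describes. The directory entries, roles, VLAN numbers, switch ports, addresses and access events are constructed sample data, and the password-hash check stands in for what a real deployment would delegate to a RADIUS/LDAP back end over 802.1X. The point it adds to the text is that every admission decision also produces the dynamic binding (employee, account, MAC, IP, switch port, time) that later lets an auditor answer which natural person was behind an address.

```python
"""Added example, not code from the original article: a toy access-layer admission
engine modelling the real-name flow described on this page: user authentication,
device authentication, role-based authorization, quarantine of unhealthy endpoints,
and the dynamic binding employee <-> account <-> MAC <-> IP <-> port <-> time that
lets an auditor name the person behind an address. The directory, roles, VLAN
numbers, addresses and access events are constructed sample data (assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac

_SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative only: a real deployment hands the credential to RADIUS/LDAP
    # via 802.1X instead of checking password hashes on the access device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Stand-in for the LDAP directory: the static mapping account -> employee, plus
# the role used for authorization and the MAC addresses registered to the account.
DIRECTORY = {
    "alice": {"employee": "Alice Chen (EMP-0101)", "role": "finance",
              "macs": {"aa:bb:cc:00:00:01"}, "pwd": _hash("correct horse", _SALT)},
    "bob": {"employee": "Bob Li (EMP-0202)", "role": "engineering",
            "macs": {"aa:bb:cc:00:00:02"}, "pwd": _hash("battery staple", _SALT)},
}
ROLE_VLAN = {"finance": 110, "engineering": 120}  # authorization: production VLAN by role
REMEDIATION_VLAN = 999                            # the "repair area" for unhealthy endpoints


@dataclass(frozen=True)
class AccessEvent:
    username: str
    password: str
    mac: str
    switch: str
    port: str
    ip: str
    posture_ok: bool      # outcome of the endpoint security-status check
    when: datetime


@dataclass(frozen=True)
class Decision:
    action: str           # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    reason: str


class AccessEngine:
    def __init__(self, directory: dict):
        self.directory = directory
        self.bindings: list = []   # append-only real-name audit records

    def admit(self, ev: AccessEvent) -> Decision:
        entry = self.directory.get(ev.username)
        # Step (4): user authentication, constant-time comparison of the hash.
        if entry is None or not hmac.compare_digest(_hash(ev.password, _SALT), entry["pwd"]):
            decision = Decision("deny", None, "user authentication failed")
        # Step (5a): device authentication, the MAC must be registered to this account.
        elif ev.mac.lower() not in entry["macs"]:
            decision = Decision("deny", None, "device not registered to this user")
        # Step (5b): security status; an authenticated but unhealthy endpoint is quarantined.
        elif not ev.posture_ok:
            decision = Decision("quarantine", REMEDIATION_VLAN, "endpoint failed security-status check")
        # Step (6): authorization, the VLAN follows the employee's role.
        else:
            decision = Decision("allow", ROLE_VLAN[entry["role"]], f"role {entry['role']}")
        # Dynamic mapping: every attempt is recorded; admitted sessions carry the employee.
        self.bindings.append({
            "since": ev.when, "account": ev.username, "mac": ev.mac.lower(), "ip": ev.ip,
            "port": f"{ev.switch}/{ev.port}", "action": decision.action, "vlan": decision.vlan,
            "employee": entry["employee"] if decision.action != "deny" else None,
        })
        return decision

    def who_was(self, ip: str, at: datetime) -> Optional[str]:
        """Audit lookup: the employee bound to `ip` at time `at` (latest admitted session
        started at or before `at`; a real system would also close bindings on logoff)."""
        for b in reversed(self.bindings):
            if b["ip"] == ip and b["action"] != "deny" and b["since"] <= at:
                return b["employee"]
        return None


def demo() -> dict:
    """Run constructed access events through the engine and return the outcomes."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    later = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    eng = AccessEngine(DIRECTORY)
    alice = eng.admit(AccessEvent("alice", "correct horse", "AA:BB:CC:00:00:01",
                                  "sw-floor3", "Gi1/0/7", "10.1.3.20", True, t0))
    bob = eng.admit(AccessEvent("bob", "battery staple", "aa:bb:cc:00:00:02",
                                "sw-floor3", "Gi1/0/8", "10.1.3.21", False, t0))
    stolen = eng.admit(AccessEvent("alice", "correct horse", "de:ad:be:ef:00:00",
                                   "sw-floor3", "Gi1/0/9", "10.1.3.22", True, t0))
    wrong = eng.admit(AccessEvent("bob", "guess", "aa:bb:cc:00:00:02",
                                  "sw-floor3", "Gi1/0/8", "10.1.3.21", True, t0))
    return {"alice": alice, "bob": bob, "stolen": stolen, "wrong": wrong,
            "culprit": eng.who_was("10.1.3.20", later), "nobody": eng.who_was("10.9.9.9", later)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run as a script it prints one line per event: Alice is allowed onto VLAN 110, Bob authenticates but is quarantined on VLAN 999 because his posture check failed, the same valid credentials from an unregistered MAC are refused, a wrong password is refused, and the audit lookup resolves 10.1.3.20 at 10:30 to Alice because her admitted session is the binding in force for that address. Denied attempts are still recorded, since a failed login from a given port is itself audit evidence.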

Enforcing access control at the access layer in effect builds a solid internal security ring between the terminals and the enterprise's core intranet. Complementing the security boundary towards the Internet, this intranet security ring changes a situation in which the enterprise network is strong on the outside but hollow inside, and brings the intranet into the era of a secure, intelligent, trusted network.

Built together with the network access devices, the intranet security risk management and audit system forms a real-name management platform for enterprise network users, closing the long-standing gap between network security management on one side and user and terminal management on the other. With access control between the terminals and users and the intranet core, a security protection ring is established around the enterprise network core, restructuring the intranet architecture and raising the security of the enterprise network to a new level. Real-name management of enterprise network users not only lets the enterprise's security policies be formulated and enforced down to every individual employee, but also provides a reliable intranet security audit platform, a strong guarantee that the enterprise's security management goals are actually met.
