Through analysis and research of private network classified information systems, this paper comprehensively considers network operation security, information security and confidentiality management. A security protection system is designed and implemented in accordance with classified (graded) protection requirements to ensure the security, integrity, authenticity and non-repudiation of data transmitted in the classified network. It combines pre-event protection, in-process security detection, and event auditing and evidence collection into an integrated security protection system that provides physical (entity) security, application security, system security and management security, meeting the security protection requirements of private network classified information systems.
I. Functions and requirements of the security protection system
The main function of the private network security protection system is to ensure that the private network meets its confidentiality protection requirements.
① From the perspective of network security, the following functions should be provided: physical isolation from other networks, and logical isolation between different departments to control user access; network anti-virus measures, with the virus database updated in real time over the network; the ability to audit online events; the ability to monitor, raise alarms on and handle illegal events; network encryption for information transmitted outside the controlled area, to prevent illegal theft and tampering; a unified identity authentication system across the whole network; and a network security management center that manages network security devices and other resources and monitors user violations in terms of the switch port, the MAC address of the user's computer and its IP address.
② From the perspective of user security, users of the classified network should authenticate with a dedicated hardware component; user computers should have anti-virus software installed and upgraded in a timely manner; user operating systems should be patched in a timely manner; unnecessary system services should be shut down on user computers; each user should have a distinct user name and operating password to guarantee identity uniqueness; and classified computers are prohibited from installing unrelated applications.
③ From the perspective of application security, the following functions are required: application system software should be patched in a timely manner; application systems handling classified information should authenticate users and enforce fine-grained access control over the information; the public information server and the classified information server should be set up separately, each providing only its dedicated service; official correspondence (document and message), business processing and other application systems should provide signature verification, classification-level marking and similar functions; and WWW servers providing information services should have webpage tamper-proofing measures to prevent illegal modification of information content.
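As an added example (not code from the paper or from any product it describes) of the webpage tamper-proofing and signature verification functions listed in ③, the following Python routine records a keyed-hash (HMAC-SHA256) baseline of the published pages and compares the live web root against it, reporting modified, added and removed pages. The site contents, the key and the paths are constructed sample data; a real deployment would walk the web root on a schedule and keep the key off the web server, so that whoever alters a page cannot also re-sign it.

```python
"""Web-page tamper detection: keyed-hash baseline plus periodic verification.

Added illustrative example, not the paper's own code. It assumes the site
is available as a mapping of path -> bytes; a real deployment would read the
files from the web root and hold the key on the verification host only.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample site: the content the WWW server is supposed to serve.
SITE_BASELINE: Dict[str, bytes] = {
    "/index.html": b"<html><body>Welcome to the public portal</body></html>",
    "/notice.html": b"<html><body>Office hours 9-17</body></html>",
    "/css/site.css": b"body { font-family: sans-serif; }",
}

# Constructed demo key; in practice generated randomly and never stored on the web server.
DEMO_KEY = b"demo-key-keep-off-the-web-server"


def page_mac(key: bytes, path: str, content: bytes) -> str:
    """Keyed hash over path, length and content, so one valid page cannot be
    swapped for another valid page and prefix/extension games are caught."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(path.encode("utf-8"))
    mac.update(b"\x00")
    mac.update(len(content).to_bytes(8, "big"))
    mac.update(content)
    return mac.hexdigest()


def build_baseline(key: bytes, site: Dict[str, bytes]) -> Dict[str, str]:
    """Sign every published page; the result is stored with the verifier, not the server."""
    return {path: page_mac(key, path, content) for path, content in site.items()}


def verify_site(key: bytes, baseline: Dict[str, str], live: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the live web root against the signed baseline.
    Returns the modified, added and removed paths; all three empty means no tampering."""
    modified, added, removed = [], [], []
    for path, expected in baseline.items():
        if path not in live:
            removed.append(path)
        elif not hmac.compare_digest(expected, page_mac(key, path, live[path])):
            modified.append(path)
    for path in live:
        if path not in baseline:
            added.append(path)
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def is_tampered(report: Dict[str, List[str]]) -> bool:
    """True if any page was changed, planted or deleted."""
    return any(report.values())


# Constructed "tampered" copy of the site: one page altered, one planted, one deleted.
SITE_TAMPERED = dict(SITE_BASELINE)
SITE_TAMPERED["/index.html"] = b"<html><body>Content replaced without approval</body></html>"
SITE_TAMPERED["/extra.html"] = b"<html><body>Unapproved page</body></html>"
del SITE_TAMPERED["/notice.html"]

if __name__ == "__main__":
    baseline = build_baseline(DEMO_KEY, SITE_BASELINE)
    print("clean site :", verify_site(DEMO_KEY, baseline, SITE_BASELINE))
    print("tampered   :", verify_site(DEMO_KEY, baseline, SITE_TAMPERED))
```

The check is a comparison against a signed baseline rather than a scan for known bad content, so any unapproved change is reported regardless of what was written; the operational step that the paper's "tamper-proofing measure" implies is that a positive report triggers restoration from the approved copy and an entry to the security management center.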
II. System composition
The private network security protection system consists of a firewall, intrusion detection, network audit, vulnerability scanning, intranet security management and audit, authentication/authorization/access control, a security device management platform, full disk protection, document encryption, anti-virus and other system devices. The topology is shown in Figure 1.
In the specific application security domains, such as the non-classified, secret and host-level security domains and the server security domain, firewall devices are configured for boundary protection, strict access control policies are set, communication between domains is audited, and logs are sent to the security management center in a timely manner.
The intrusion detection system performs deep inspection of connections to the application servers: it monitors access sessions in security domains at all levels and records the operations of visitors. The intrusion detection system is linked with the firewall system, so that unauthorized behaviour or attack events are automatically blocked and recorded. Security events are summarized to the security management center, and audit requirements are unified across the whole network.
The vulnerability scanning system detects and analyzes vulnerabilities in operating systems, network products, security products, databases and servers. The security products themselves are scanned so that they do not introduce security risks, since an attacker could exploit such vulnerabilities to enter the intranet or important security areas. Switches and routers are scanned for vulnerabilities; internal network servers are scanned periodically to learn of new system vulnerabilities in a timely manner; and internal network clients are scanned to prevent worms or other Trojans that exploit system vulnerabilities from spreading inside the network.
Key hosts and classified terminals are configured with security protection devices, namely the intranet security management and audit system, which provides security controls such as anti-virus management, desktop network monitoring, client status management, device registration, desktop security audit, desktop patch distribution management, desktop application resource control and remote assistance management. The client's registry, processes, USB interfaces, serial ports, parallel ports, optical drives and floppy drives are controlled to implement removable media management and to block illegal external connections and illegal access; each terminal's IP address is bound to its MAC address.
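As an added example (not the paper's code nor that of any product it names) of the device registration and IP/MAC/switch-port binding described here and the violation monitoring by switch port, MAC and IP address required in ① above, this Python script checks observed terminal records against a registration table and flags unregistered MAC addresses, IP addresses that differ from the registered binding, and registered terminals appearing on a switch port other than their own. The registration table, the record format and all addresses are constructed for the example; in practice the observations would be taken from the switches' MAC address and ARP tables and the findings forwarded to the security management center.

```python
"""Terminal IP/MAC/switch-port binding audit.

Added illustrative example, not code from the paper. The registration table
and the observation record format are constructed for the example; a real
deployment would populate them from the device registration database and
from switch MAC/ARP tables.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Binding(NamedTuple):
    ip: str
    switch: str
    port: str


# Constructed registration table (the device registration step): MAC -> approved binding.
REGISTRY: Dict[str, Binding] = {
    "00:11:22:33:44:55": Binding("10.1.2.15", "sw-floor2", "Gi1/0/12"),
    "00:11:22:33:44:66": Binding("10.1.2.16", "sw-floor2", "Gi1/0/13"),
    "00:11:22:33:44:77": Binding("10.1.3.20", "sw-floor3", "Gi1/0/5"),
}

# Constructed observation records in a hypothetical one-line-per-sighting format.
OBSERVATIONS = """\
2024-03-01T09:12:03 switch=sw-floor2 port=Gi1/0/12 mac=00:11:22:33:44:55 ip=10.1.2.15
2024-03-01T09:12:10 switch=sw-floor2 port=Gi1/0/13 mac=00:11:22:33:44:66 ip=10.1.2.99
2024-03-01T09:13:41 switch=sw-floor3 port=Gi1/0/5 mac=00:11:22:33:44:77 ip=10.1.3.20
2024-03-01T09:14:02 switch=sw-floor3 port=Gi1/0/7 mac=00:11:22:33:44:55 ip=10.1.2.15
2024-03-01T09:15:30 switch=sw-floor2 port=Gi1/0/20 mac=aa:bb:cc:dd:ee:ff ip=10.1.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) switch=(?P<switch>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17}) ip=(?P<ip>\S+)$"
)


def check(ts: str, switch: str, port: str, mac: str, ip: str,
          registry: Dict[str, Binding]) -> List[str]:
    """Return the violation codes for one sighting (empty list means compliant)."""
    binding = registry.get(mac.lower())
    if binding is None:
        return ["UNREGISTERED_MAC"]          # device never went through registration
    violations = []
    if ip != binding.ip:
        violations.append("IP_MISMATCH")     # IP/MAC binding broken (address changed or spoofed)
    if (switch, port) != (binding.switch, binding.port):
        violations.append("PORT_MISMATCH")   # registered terminal seen on another port
    return violations


def audit(text: str, registry: Dict[str, Binding] = REGISTRY) -> List[Tuple[str, str, List[str]]]:
    """Audit every sighting; returns (timestamp, mac, violations) for non-compliant ones."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            findings.append(("-", line.strip(), ["UNPARSEABLE_RECORD"]))
            continue
        violations = check(**m.groupdict(), registry=registry)
        if violations:
            findings.append((m["ts"], m["mac"].lower(), violations))
    return findings


if __name__ == "__main__":
    for ts, mac, codes in audit(OBSERVATIONS):
        print(f"{ts} {mac} {' '.join(codes)}")
```

Each finding maps to one of the controls the paper lists: an unregistered MAC is an illegal access or illegal external connection attempt to be blocked at the access switch, and an IP or port mismatch on a registered terminal is a broken IP/MAC binding to be raised with the terminal's owner and logged by the intranet security management and audit system.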
Authentication/authorization/access control systems include the authorization management system, the application access control system, the CA, the RA and the USB key certificate system. A strong identity authentication system is established at the application layer of the private network, together with a unified and controllable user management mechanism, to provide securely authenticated access to information.
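As an added example (not the paper's code, and not the API of any of the named products) of the authentication, authorization and fine-grained access control chain described in this paragraph and required in ③, the following Python module makes an access decision in three stages: the subject must be authenticated, a per-resource role list must permit the requested action, and the classification labels must satisfy no-read-up and no-write-down. The subjects, resources and role names are constructed, and the classification ordering used (unclassified < secret < confidential < top_secret) is an assumption made for the example; every decision is written to an audit trail as the paper's audit requirement expects.

```python
"""Classified-application access decision: authentication, role ACL, classification labels.

Added illustrative example, not the paper's own code. The classification
ordering below is assumed for the example; the subjects, resources and
role names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification ordering, lowest to highest.
LEVELS = ("unclassified", "secret", "confidential", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Classification level plus compartments (need-to-know categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers all of the other's compartments."""
        return RANK[self.level] >= RANK[other.level] and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    clearance: Label
    roles: FrozenSet[str]
    authenticated: bool = False  # set only after strong (e.g. certificate/USB key) authentication


@dataclass
class Resource:
    name: str
    label: Label
    acl: Dict[str, FrozenSet[str]]  # action -> roles permitted to request it


# Every decision, allowed or denied, is recorded: (subject, resource, action, allowed, reason).
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def authorize(subject: Subject, resource: Resource, action: str) -> Tuple[bool, str]:
    """Decide whether subject may perform action on resource, and log the decision."""
    def decide(allowed: bool, reason: str) -> Tuple[bool, str]:
        AUDIT_LOG.append((subject.name, resource.name, action, allowed, reason))
        return allowed, reason

    if not subject.authenticated:
        return decide(False, "subject not authenticated")
    if not (subject.roles & resource.acl.get(action, frozenset())):
        return decide(False, f"no role permits '{action}' on this resource")
    if action == "read" and not subject.clearance.dominates(resource.label):
        return decide(False, "clearance does not dominate resource label (no read up)")
    if action == "write" and not resource.label.dominates(subject.clearance):
        return decide(False, "resource label does not dominate clearance (no write down)")
    return decide(True, "permitted")


# Constructed sample subjects and resources.
ANALYST = Subject("zhang", Label("secret", frozenset({"finance"})), frozenset({"analyst"}), authenticated=True)
EDITOR = Subject("li", Label("confidential", frozenset({"finance"})), frozenset({"editor"}), authenticated=True)
GUEST = Subject("guest", Label("unclassified"), frozenset({"analyst"}))  # never authenticated

FINANCE_REPORT = Resource(
    "finance-report-2024",
    Label("secret", frozenset({"finance"})),
    {"read": frozenset({"analyst", "editor"}), "write": frozenset({"editor"})},
)
OPS_PLAN = Resource(
    "ops-plan",
    Label("top_secret", frozenset({"finance", "ops"})),
    {"read": frozenset({"analyst"})},
)

if __name__ == "__main__":
    for subj, res, act in [(ANALYST, FINANCE_REPORT, "read"), (ANALYST, OPS_PLAN, "read"),
                           (ANALYST, FINANCE_REPORT, "write"), (EDITOR, FINANCE_REPORT, "write"),
                           (GUEST, FINANCE_REPORT, "read")]:
        print(subj.name, act, res.name, "->", authorize(subj, res, act))
```

The order of the checks matters: authentication is verified before anything is looked up, the role list gives the fine-grained per-action control, and the label comparison enforces the classification-level rule even when a role would otherwise allow the action, so an analyst whose role may read plans still cannot read one above their clearance.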
The security device management platform is a unified, centralized management platform for distributed, cross-platform security protection devices. It collects, in real time, the logs, messages, status and other information generated by network devices, security products, server hosts, databases, web services and other general application service systems, together with administrators' host operation logs during operation. On the basis of real-time analysis it discovers various abnormal behaviours and issues real-time alerts. It also provides data mining and association analysis over stored historical log data, and delivers accurate, detailed statistics and exception analysis reports through visual interfaces and reports, helping managers detect security vulnerabilities in a timely manner and take effective measures to raise the security level.
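As an added example (not the paper's code, nor the behaviour of any named product) of the real-time collection and association analysis this paragraph describes, and of the firewall/intrusion detection linkage described two paragraphs earlier, the following Python correlator parses records from three constructed sources (a boundary firewall, an intrusion detection sensor and a server's login log), applies count-within-window rules per source address, and raises a higher-confidence alert when an intrusion detection alert is preceded by firewall denies from the same address. The record formats, hostnames, addresses and thresholds are all constructed for the example.

```python
"""Multi-source log correlation with real-time alerting.

Added illustrative example, not the paper's own code. The three record
formats, the hosts and addresses, and the rule thresholds are constructed
for the example; a real platform would receive these records over syslog
or an agent and feed them through the same correlator.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str   # DENY, IDS_ALERT or LOGIN_FAIL
    src: str
    detail: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    ts: datetime
    detail: str


# Constructed sample records: firewall denies, one sensor alert, a burst of failed logins.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 fw01 DENY src=192.0.2.10 dst=10.1.3.20 dport=22
2024-03-01T10:00:05 fw01 DENY src=192.0.2.10 dst=10.1.3.20 dport=23
2024-03-01T10:00:09 fw01 DENY src=192.0.2.10 dst=10.1.3.20 dport=3389
2024-03-01T10:00:30 ids01 ALERT sig="suspicious-probe" src=192.0.2.10 dst=10.1.3.20
2024-03-01T10:01:00 srv-db01 LOGIN_FAIL user=admin src=10.1.2.15
2024-03-01T10:01:02 srv-db01 LOGIN_FAIL user=admin src=10.1.2.15
2024-03-01T10:01:04 srv-db01 LOGIN_FAIL user=admin src=10.1.2.15
2024-03-01T10:05:00 fw01 DENY src=198.51.100.7 dst=10.1.3.20 dport=80
"""

# One normalizer per source format; all produce the same Event shape.
PATTERNS = [
    ("DENY", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")),
    ("IDS_ALERT", re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')),
    ("LOGIN_FAIL", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) LOGIN_FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")),
]


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw record into an Event, or None if no format matches."""
    for kind, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if m:
            d = m.groupdict()
            detail = " ".join(f"{k}={v}" for k, v in d.items() if k not in ("ts", "host", "src"))
            return Event(datetime.fromisoformat(d["ts"]), d["host"], kind, d["src"], detail)
    return None


# Count-within-window rules: kind -> (count, window seconds, rule name). Constructed thresholds.
THRESHOLDS = {
    "DENY": (3, 60, "repeated_denies"),
    "LOGIN_FAIL": (3, 60, "auth_failure_burst"),
}
CORRELATION_WINDOW = timedelta(seconds=300)  # IDS alert counts as confirmed if a deny preceded it


class Correlator:
    def __init__(self) -> None:
        self.windows: Dict[Tuple[str, str, str], Deque[datetime]] = defaultdict(deque)
        self.fired: Set[Tuple[str, str, str]] = set()   # one alert per (rule, src, host)
        self.last_deny: Dict[str, datetime] = {}
        self.alerts: List[Alert] = []

    def _fire(self, rule: str, ev: Event, detail: str) -> None:
        key = (rule, ev.src, ev.host)
        if key not in self.fired:
            self.fired.add(key)
            self.alerts.append(Alert(rule, ev.src, ev.ts, detail))

    def feed(self, ev: Event) -> None:
        """Process one event in arrival order (streaming, no look-ahead)."""
        if ev.kind in THRESHOLDS:
            count, window, rule = THRESHOLDS[ev.kind]
            q = self.windows[(ev.kind, ev.src, ev.host)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > timedelta(seconds=window):
                q.popleft()            # slide the window
            if len(q) >= count:
                self._fire(rule, ev, f"{len(q)} {ev.kind} events within {window}s")
        if ev.kind == "DENY":
            self.last_deny[ev.src] = ev.ts
        elif ev.kind == "IDS_ALERT":
            last = self.last_deny.get(ev.src)
            if last is not None and ev.ts - last <= CORRELATION_WINDOW:
                gap = int((ev.ts - last).total_seconds())
                self._fire("ids_confirmed_by_firewall", ev,
                           f"{ev.detail}; firewall deny from same source {gap}s earlier; block at boundary")


def run(text: str) -> List[Alert]:
    """Feed every parseable record through one correlator and return the alerts raised."""
    correlator = Correlator()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            correlator.feed(ev)
    return correlator.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert.ts.isoformat(), alert.rule, alert.src, "-", alert.detail)
```

The single-alert-per-key rule keeps a noisy source from flooding the console, and the correlation rule is what turns two low-value records (a deny and a sensor signature) into the kind of event the paper says the linked firewall should act on; the same structure extends to historical analysis by replaying stored records through `run`.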
The network anti-virus system is deployed on the information system's servers, clients and email systems to implement a comprehensive, multi-level virus protection system with unified upgrades of the virus signature base. It provides effective protection against intrusion by viruses and malicious code, and its detection and removal logs are summarized to the security management center.
The full disk protection system is installed on internal mobile office laptops; secure logon and full disk protection are used together with personal file safes to ensure the data storage security of these computers at every stage. To strengthen the control and management of confidential documents, improve the approval process, implement hierarchical use management and prevent information leaks, a document encryption system is configured.