Measures to strengthen network security

This is a time full of change. In 1994 a 64k data line connected China to the world for the first time; today government, enterprises, medicine, education and every other sector use the Internet extensively to obtain countless information and opportunities. For most enterprises, the Internet has brought not only rich online resources but also informatization, and the traditional way enterprises operate has changed profoundly. The Internet has greatly reduced organizations' operating and communication costs, and with it most employees can do their work more efficiently.

However, the Internet is a double-edged sword and has also brought unprecedented threats to organizations and enterprises. On one hand, risks circulate on the web 24 hours a day: spam, malicious websites, online scams, Internet viruses and so on. On the other hand, Internet abuse, including malicious peer-to-peer downloads, online games and entertainment applications such as IM, crowds out the organization's limited business bandwidth and makes network applications inefficient.

So how can an organization avoid these abuses, enjoy the convenience and efficiency the Internet brings, and build a safe and efficient Internet environment? Here are 8 ways.

I. Strengthen border defense

Firewalls, IDS and IPS are the basic devices for solving network security problems; their filtering and security capabilities withstand most attacks from the external network. Deploying this traditional network protection equipment to achieve network-level access control is the precondition for an enterprise's safe access to the Internet. However, application content and formats are multiplying explosively, and many Internet hazards now sit in the application layer. Deciding whether to permit access from layer-3 information alone cannot meet security requirements; fine-grained application-layer policy control is also needed.

According to an IDC research report, by 2006 more than 90% of viruses used the Internet as their transmission portal, and the share spread through e-mail and the network is gradually rising. Stopping virus intrusion at the gateway, where traffic enters the network, has become a top priority. Therefore, in addition to the firewall, IDS, IPS and other basic security devices above, an effective gateway-level antivirus engine also needs to be deployed.

II. Internet terminal management

Equipment at the network edge cannot protect the internal network from the inside; abuse and damage originating in the internal network are also an important threat to Internet security. For example, the security level of clients is often hard to guarantee, all the more so for organizations with many intranet users. Insecure individual machines, such as those running obsolete operating systems, personal firewalls and antivirus software that have gone a long time without updates, or applications with potential security vulnerabilities, become hidden time bombs in LAN security.

Configuring network access rules for Internet terminals, with a security assessment of each single endpoint and a list of access policies, is the best way to achieve full client security protection. The terminal's security policy list should cover the operating system, running programs, system processes, the registry and so on.

III. Harmful content filtering

The Internet is an uncontrollable black hole, and countless malicious sites mean surfing it is like walking on thin ice: illegal websites hiding worms and Trojan plug-ins, and an endless variety of phishing sites, bring huge hidden dangers to an organization while it enjoys the Internet's convenience.

For this harmful content, URL library filtering has been widely adopted in recent years; using it to filter websites that carry potential threats is one effective way to secure Internet access. Because some phishing pages use SSL, it also needs to be combined with certificate validation, link black and white lists and other measures. File download behaviour should be regulated as well: associating keywords, file types and network services with IP address groups to standardize download policy controls most of the damage caused by active downloads.
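The following sketch is an added example, not code from the original article or from any product it mentions. It shows a white list taking precedence over a black list, domain matching on label boundaries, and download rules that tie keywords, file types and services to IP address groups; all domains, groups and rules are constructed for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed sample policy; every domain, group and rule here is hypothetical.
URL_ALLOW = {"partner.example.net"}             # white list
URL_BLOCK = {"example.net", "bad.example.org"}  # black list
IP_GROUPS = {
    "finance": ipaddress.ip_network("10.1.0.0/24"),
    "lab": ipaddress.ip_network("10.2.0.0/24"),
}
# (IP group, services, blocked file types, blocked keywords in the path)
DOWNLOAD_RULES = [
    ("finance", {"http", "https"}, {".exe", ".scr"}, {"keygen"}),
    ("finance", {"ftp"}, {"*"}, set()),         # "*" blocks every FTP download
    ("lab", {"http", "https"}, {".scr"}, set()),
]

def host_matches(host, domains):
    """Match a listed domain or any subdomain of it, on label boundaries only."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def group_of(client_ip):
    """Name of the IP address group containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    return next((g for g, net in IP_GROUPS.items() if addr in net), None)

def decide(client_ip, url):
    """Return 'allow' or 'block' for one request from client_ip."""
    parts = urlsplit(url)
    host = parts.hostname or ""            # urlsplit lowercases the host
    if host_matches(host, URL_ALLOW):      # white list wins over black list
        return "allow"
    if host_matches(host, URL_BLOCK):
        return "block"
    path = parts.path.lower()
    ext = posixpath.splitext(path)[1]      # file type from the last path segment
    group = group_of(client_ip)
    for rule_group, services, exts, keywords in DOWNLOAD_RULES:
        if rule_group != group or parts.scheme not in services:
            continue
        if "*" in exts or ext in exts or any(k in path for k in keywords):
            return "block"
    return "allow"
```

Matching on label boundaries keeps a rule for `example.net` from also catching an unrelated domain such as `notexample.net`.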

IV. Spam filtering

Some information is less "harmful": spam is not necessarily a security risk, but it wastes bandwidth and, more importantly, lowers work efficiency.

To minimize the useless information that affects bandwidth utilization and productivity, an effective means of distinguishing spam, normal mail and suspicious messages is needed, such as spam fingerprint identification and random-signature intelligent response techniques, which reduce misjudgment.

V. Optimizing Bandwidth Resources

However the Internet is accessed, bandwidth is limited. When the bandwidth cannot be changed, how to optimize it so that it is used most efficiently is a problem that must be solved. The reality is that network administrators do not know how effectively bandwidth is used within their own organization, let alone how to improve it.

To optimize bandwidth resources, first examine intranet usage and produce reports for decision making; some manufacturers provide a data center with rich report analysis functions. In addition, for important network services QoS should be enabled so that they take priority and junk traffic does not crowd out their bandwidth.

VI. Comprehensive application management

Around the world, 12 billion messages are sent daily via instant messaging (IM). Some are employees discussing work with co-workers and clients, but more are people talking to family, friends and even strangers. Many other network applications unrelated to work also exist, including online games, online stock trading and peer-to-peer downloads; these "rich applications" during working hours waste a great deal of the organization's productivity. Some organizations block them by port, server address and similar methods, but because server addresses and ports change often, keeping the block lists current becomes continuous, high-cost work that treats the symptoms and not the cause.

There are two effective blocking methods in comprehensive application management: one is based on application protocol and intelligent packet analysis, the other on traffic detection. The former discovers specific services by analyzing the service type, protocol, source address and destination address in the IP packet header together with the data part of the packet. The latter analyzes the network connections of specific users: when a user's network traffic and number of connections exceed the specified thresholds, that user's traffic is limited.
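The traffic detection method can be sketched as follows. This is an added example, not code from the original article: the window length, thresholds and flow records are constructed, and the check depends on connection counts and byte totals per user, not on any fixed port or server address.

```python
from collections import defaultdict, deque

# Hypothetical thresholds; the article does not specify values.
WINDOW_SECONDS = 60        # sliding window per user
MAX_PEERS = 5              # distinct (peer address, port) pairs per window
MAX_BYTES = 1_000_000      # bytes per window

def find_limited_users(flows):
    """flows: (timestamp, user_ip, peer_ip, peer_port, nbytes) tuples.
    Returns {user_ip: reason} for every user that crossed a threshold."""
    recent = defaultdict(deque)
    limited = {}
    for ts, user, peer, port, nbytes in sorted(flows):
        window = recent[user]
        window.append((ts, peer, port, nbytes))
        while window[0][0] <= ts - WINDOW_SECONDS:   # expire old flows
            window.popleft()
        if user in limited:
            continue
        if len({(p, q) for _, p, q, _ in window}) > MAX_PEERS:
            limited[user] = "connections"
        elif sum(b for *_, b in window) > MAX_BYTES:
            limited[user] = "traffic"
    return limited

def sample_flows():
    """Constructed flow records for three intranet users."""
    flows = []
    # 10.0.0.11: eight peers on changing high ports inside 16 seconds
    flows += [(2 * i, "10.0.0.11", f"198.51.100.{i + 1}", 40000 + 137 * i, 20_000)
              for i in range(8)]
    # 10.0.0.12: one peer on a fixed port, three large transfers
    flows += [(10 * i, "10.0.0.12", "203.0.113.5", 443, 400_000) for i in range(3)]
    # 10.0.0.13: eight peers too, but only one every two minutes
    flows += [(120 * i, "10.0.0.13", f"198.51.100.{i + 1}", 443, 20_000)
              for i in range(8)]
    return flows
```

On the sample data the first user is limited for connection count, the second for traffic volume, and the third stays under both thresholds because its connections are spread over time.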

VII. Outgoing information audit

Another important harm the Internet brings to enterprises is the outflow of information. Because the Internet is an open system, a click of the mouse is enough for an enterprise's or organization's confidential information to reach a competitor instantly. Aggressive or insulting Internet abuse and rumours may lead to unnecessary internal disputes. In addition, internal staff speaking freely through the organization's network may bring legal risks to the organization.

To prevent these risks, outgoing information should be audited and monitored at IM, HTTP, FTP, e-mail and the other possible exits. The measures should include recording and saving, keyword auditing, and even delayed audit of critical information.

VIII. Application permission settings

The means above basically suffice to build a safe and efficient Internet environment. However, if different departments and different people within an organization all have the same network application permissions, the network is bound to end up inefficient and dangerous. So management of application permissions needs to be introduced.

Managing network users' permissions is a good measure. As far as traffic optimization is concerned, traditional bandwidth management can only allocate a percentage of bandwidth to specific services, which is a "one-size-fits-all" approach. User-based flow control, combined with role assignment for different applications, optimizes network traffic more effectively. Specifically, for WAN access, special applications of some departments should and must obtain exclusive resources, such as video conferencing between headquarters management and branch directors, while non-work-related services of some departments should not get such high bandwidth, such as peer-to-peer downloads in the procurement department. Packet flow control allows fine-grained bandwidth allocation for the services used by different user groups and ensures that the important services of important departments get enough bandwidth.

In addition to service management, time planning is also an important means of network management. It includes micro-time management, which divides each day of the week and allows specific activities at specific times, and macro-time management, which sets the total online time per week for employees in each department. This is a good way to ensure the maximum efficiency of network utilization.

To create a safe and efficient network application environment, organization managers have adopted traditional management methods such as rules and regulations, codes of use, and rewards and punishments. In fact, it takes the one who tied the bell to untie it: the negative effects of information technology will ultimately have to be solved by information technology. Building a good Internet environment is careful systems engineering, and the 8 means above provide a broad approach to creating a safe and efficient one.

Of course, applying these 8 technical means often requires the organization to buy different IT equipment. "I. Strengthen border defense" and "IV. Spam filtering" need gateway antivirus and anti-spam devices; "II. Internet terminal management" needs client security software; for "V. Optimizing bandwidth resources" a number of dedicated flow control manufacturers, such as F5 and Packeteer, offer products, but they are often expensive; "VII. Outgoing information audit" involves monitoring and auditing equipment; and for "III. Harmful content filtering", "VI. Comprehensive application management" and "VIII. Application permission settings", which are emerging fields, no specialized manufacturers are yet involved.

Buying these different devices is a problem in two ways: a cost of hundreds of thousands or even millions is hard for most users to accept, and because the devices come from different vendors with different management interfaces, IT maintenance and management becomes a huge challenge.

So is there a solution that integrates all 8 technical means into one device, so that Internet behaviour across the entire LAN can be managed conveniently and flexibly? We are pleased to see that Sinfor Technology, a network security and border network solution provider that has grown rapidly in China in recent years, provides such a solution: the Sinfor AC Internet Behavior Management device. The device includes multiple functional modules, namely access control, bandwidth management, internal monitoring, security audit, outgoing information management and data center management software, and has many patented technologies such as "mail delay audit", "network client access" and "peer-to-peer flow control". It also flexibly integrates UTM security modules such as "firewall", "gateway antivirus" and "anti-spam", which customers can choose to enable according to their own network environment and actual needs. This effectively makes up for the shortcoming of firewalls and other traditional security equipment, which emphasize external threats over internal ones and lack effective management of Internet behaviour.

For strengthening border defense and harmful content filtering, the Sinfor AC device has a built-in gateway antivirus module. Addressing the sources and transmission channels of viruses, the AC Internet behaviour management device also works well alongside the customer's existing antivirus software to treat both symptoms and root causes. The URL filtering function in the AC gateway directly filters common illegal websites and illegal BBS forums, and the AC gateway's control of HTTP/FTP downloads and peer-to-peer software effectively reduces virus spread caused by downloaded files. Especially worth mentioning is the AC's SSL control function: it controls the URLs users access over the SSL protocol and checks the validity of the certificate, allowing or denying access to sites with a designated X.509 certificate. This greatly reduces the probability of users being cheated by forged online banking and shopping sites and keeps them out of phishing traps.

For Internet terminal security management, the Sinfor AC Internet behaviour management device provides a "client access rules" (Network Admission Rules, NAR) authentication function, which controls network access by evaluating client security and so better maintains the network's line of defense. With the AC NAR feature enabled, the first time an intranet user initiates an Internet connection request, NAR dynamically distributes the access agent (Sinfor Ingress Agent, SIA) to the client host. SIA is a lightweight software agent that determines whether a terminal complies with the administrator-defined security policy. It can check predefined and customizable criteria, such as whether the PC has the latest operating system patches, whether antivirus software is installed, and whether that antivirus software has been upgraded to the latest version. SIA passes the collected client information back to the AC gateway; if the PC's security status does not conform to the SIA rule settings, the AC gateway applies a predefined policy to the user, such as directly prohibiting Internet access or popping up an alert. This effectively prevents virus incidents caused by employees who, being busy or lazy, have not installed antivirus software and patches, or who installed antivirus software but did not upgrade it in time.
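The gateway-side decision described here, and the terminal policy list from section II, can be sketched as below. This is an added example and not Sinfor's code or report format: the field names, age limits and banned process name are hypothetical, and a missing or malformed field is treated as a failed check.

```python
from datetime import date

# Hypothetical policy values; the article does not give any.
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7
BANNED_PROCESSES = {"p2p-client.exe"}
SEVERITY = {"allow": 0, "alert": 1, "deny": 2}

def _fresh(report, field, today, max_age_days):
    """True only if the field holds a date no older than max_age_days."""
    value = report.get(field)
    if not isinstance(value, date):
        return False                     # missing or malformed: fail closed
    return 0 <= (today - value).days <= max_age_days

def evaluate(report, today):
    """Return (action, failed_rules) for one posture report sent by the agent."""
    if not isinstance(report, dict):
        return "deny", ["no_report"]     # no agent report at all
    processes = {p.lower() for p in report.get("processes", [])}
    # (rule name, check passed?, action applied when the check fails)
    rules = [
        ("antivirus_installed", report.get("av_installed") is True, "deny"),
        ("antivirus_signatures",
         _fresh(report, "av_signature_date", today, MAX_SIGNATURE_AGE_DAYS), "deny"),
        ("os_patches",
         _fresh(report, "last_os_patch", today, MAX_PATCH_AGE_DAYS), "alert"),
        ("banned_process", not (processes & BANNED_PROCESSES), "alert"),
    ]
    failed = [(name, action) for name, ok, action in rules if not ok]
    # The most severe action among the failed rules decides the outcome.
    action = max((a for _, a in failed), key=SEVERITY.get, default="allow")
    return action, [name for name, _ in failed]
```

A date in the future also fails the freshness check, so a client with a wrong clock is not treated as up to date.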

For user identity authentication, application permission settings and outgoing information audit, the Sinfor AC gateway uses strict identity authentication and differentiated access rights policies, with flexible time management by time period. Together with URL filtering, keyword filtering, upload and download restrictions, deep content inspection, e-mail filtering and a unique e-mail delay audit function, this helps organizations and enterprises minimize Internet behaviour unrelated to work, so that employees focus on work and efficiency improves, and technical measures combine with administrative rules to eliminate the hidden danger of internal secrets leaking through the Internet.

For optimizing bandwidth resources, the AC gateway provides intelligent QoS and a powerful flow control function that can control traffic per internal user group or per terminal, so that the organization's network bandwidth is used most effectively.

In addition, the Sinfor AC gateway's data reporting center supports graphical analysis and summary of users' Internet behaviour, such as daily Internet usage analysis, most frequently visited sites, and application and traffic rankings. It provides rankings by time, service, website access, network traffic use and more, giving network administrators and decision makers the most intuitive statistics.
