I. Introduction
With the deepening of informatization and the rapid growth of the Internet, networking has become the general trend of enterprise informatization, and information resources are shared to the greatest possible extent. However, the network security problems that accompany the development of information technology are becoming more and more prominent and have become a challenge facing mankind in the information age. Network information security has therefore become a top priority: if it is not addressed properly, it will inevitably hinder the progress of informatization.
II. Security Attacks, Security Mechanisms and Security Services
The ITU-T X.800 standard defines the three concepts that together make up what we call "network security": a security attack is any action that compromises the security of information owned by an organization; a security mechanism is designed to detect, prevent, or recover from a security attack; and a security service uses one or more security mechanisms to counter security attacks and to improve the security of an organization's data processing systems and information transfers.
III. Architecture of Network Security Defense System
In order to understand users' security requirements effectively and to select suitable security products and policies, systematic methods of network security protection must be established; a scientific and feasible protection system is what ensures smooth implementation. Figure 1 shows a three-dimensional security protection technical architecture based on an extension of DISSP. The first dimension is the security service, which gives eight security attributes (ITU-T REC-X.800-199103-I). The second dimension is the system unit, which gives the composition of the information network system. The third dimension is the structure layer, which presents and extends the ISO Open Systems Interconnection (OSI) model.
Each system unit in the framework corresponds to a certain protocol layer, and several security services are required to secure each unit. The network platform must provide authentication and access control between network nodes; the application platform must provide authentication and access control for individual users, ensure the integrity and confidentiality of transmitted data, provide non-repudiation and audit functions, and ensure the availability and reliability of the application system. For an information network system, if every system unit has security measures that meet its security requirements, the information network is considered secure.
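To make the framework's criterion concrete, the following is an added example (not code from the article or from DISSP) that models the three dimensions as data: each system unit is pinned to a structure layer and carries the security services it requires, each deployed mechanism provides some services to one unit, and a check reports, per unit and per layer, which required services no mechanism covers. The service names are the eight attributes listed above; the two units and the mechanisms attached to them are constructed for illustration and are assumptions, not content of the article.

```python
"""
Coverage check for the three-dimensional framework
(security service x system unit x structure layer).
Added example; the unit and mechanism data below are constructed
for illustration and are not taken from the article.
"""
from dataclasses import dataclass
from enum import Enum


class Service(Enum):
    """The eight security attributes named in the article (X.800 services)."""
    AUTHENTICATION = "authentication"
    ACCESS_CONTROL = "access control"
    INTEGRITY = "integrity"
    CONFIDENTIALITY = "confidentiality"
    NON_REPUDIATION = "non-repudiation"
    AUDIT = "audit"
    AVAILABILITY = "availability"
    RELIABILITY = "reliability"


@dataclass(frozen=True)
class SystemUnit:
    """Second dimension: a unit of the network, pinned to a structure layer
    (third dimension) and carrying its required services (first dimension)."""
    name: str
    layer: str
    required: frozenset


@dataclass(frozen=True)
class Mechanism:
    """A deployed security mechanism, the unit it protects, and the services
    it provides to that unit."""
    name: str
    unit: str
    provides: frozenset


def coverage_gaps(units, mechanisms):
    """Return {unit name: set of required services that no mechanism provides}.
    Units whose requirements are fully met do not appear in the result."""
    provided = {u.name: set() for u in units}
    for m in mechanisms:
        if m.unit not in provided:
            raise ValueError(f"mechanism {m.name!r} targets unknown unit {m.unit!r}")
        provided[m.unit].update(m.provides)
    gaps = {}
    for u in units:
        missing = set(u.required) - provided[u.name]
        if missing:
            gaps[u.name] = missing
    return gaps


def gaps_by_layer(units, mechanisms):
    """Group the gaps by structure layer: {layer: {unit name: missing services}}."""
    layer_of = {u.name: u.layer for u in units}
    grouped = {}
    for unit_name, missing in coverage_gaps(units, mechanisms).items():
        grouped.setdefault(layer_of[unit_name], {})[unit_name] = missing
    return grouped


def is_secure_by_framework(units, mechanisms):
    """The article's criterion: the network is considered secure when every
    system unit's required services are met by some deployed mechanism."""
    return not coverage_gaps(units, mechanisms)


# Constructed sample: the two units the article describes, with the
# requirements it lists for each (hypothetical mechanism names).
UNITS = [
    SystemUnit("network platform", "network layer",
               frozenset({Service.AUTHENTICATION, Service.ACCESS_CONTROL,
                          Service.CONFIDENTIALITY, Service.INTEGRITY})),
    SystemUnit("application platform", "application layer",
               frozenset({Service.AUTHENTICATION, Service.ACCESS_CONTROL,
                          Service.NON_REPUDIATION, Service.AUDIT,
                          Service.AVAILABILITY, Service.RELIABILITY})),
]

MECHANISMS = [
    Mechanism("IPsec between nodes", "network platform",
              frozenset({Service.AUTHENTICATION, Service.CONFIDENTIALITY,
                         Service.INTEGRITY})),
    Mechanism("network ACLs", "network platform",
              frozenset({Service.ACCESS_CONTROL})),
    Mechanism("user login with RBAC", "application platform",
              frozenset({Service.AUTHENTICATION, Service.ACCESS_CONTROL})),
    Mechanism("signed transaction log", "application platform",
              frozenset({Service.NON_REPUDIATION, Service.AUDIT})),
]

if __name__ == "__main__":
    for layer, units in gaps_by_layer(UNITS, MECHANISMS).items():
        for unit, missing in units.items():
            print(f"{layer} / {unit}: missing {sorted(s.value for s in missing)}")
    print("secure by framework:", is_secure_by_framework(UNITS, MECHANISMS))
```

Run as written, the sample reports that the application platform lacks availability and reliability, so the framework's criterion is not met; adding a mechanism that provides those two services to that unit makes the check pass. Modelling the requirements as data rather than as a checklist in prose makes the "every unit has its required services" rule auditable whenever a unit or mechanism changes.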
IV. Network Security Defense System Levels
As an all-round, overall network security defense system, different layers reflect different security issues. Based on the current state of network applications and network structure, we divide the security defense system into physical layer security, system layer security, network layer security, application layer security, and security management.
1. Physical Environment Security (Physical Layer Security)
Security at this level covers communication lines, physical devices, and data centers. It is mainly reflected in the reliability of communication lines (line backup, network management software, transmission media), the security of hardware and software equipment (replacing, removing, and adding equipment), equipment backup, disaster prevention, interference prevention, the equipment operating environment (temperature, humidity, smoke), uninterruptible power supply, and so on.
2. Operating System Security (System Layer Security)
Security issues at this level come from the operating systems used in the network, such as Windows NT and Windows 2000. They mainly involve three aspects: first, insecurity caused by defects in the operating system, including its identity authentication, access control, and system vulnerabilities; second, the security configuration of the operating system; third, the threat that viruses pose to the operating system.
3. Network Security (Network Layer Security)
Security issues at this level concern the network itself, including network-layer identity authentication, access control for network resources, confidentiality and integrity of data transmission, remote access security, Domain Name System security, routing system security, intrusion detection methods, anti-virus protection for network facilities, and so on.
4. Application Security (Application Layer Security)
Security issues at this level arise from the application software that provides services and from the security of its data, including Web services, email systems, and DNS, as well as the threats directed at these systems.
5. Management Security (Management Security)
Security management covers the management of security technologies and equipment, security management systems, and the organizational rules of departments and personnel. Management has a great impact on the security of the entire network: strict security management systems, a clear division of departmental security responsibilities, and reasonable staffing can greatly reduce security vulnerabilities at the other levels.
V. Network Security Protection System Design Guidelines
Based on the security attacks to be prevented, the security goals to be achieved, the security mechanisms and security services required, and other factors, and with reference to SSE-CMM (the System Security Engineering Capability Maturity Model), ISO17799 (information security management standards), and other international standards, while giving comprehensive consideration to implementability, manageability, scalability, completeness, and system balance, the overall design of a network security protection system should follow the following nine principles:
1. Bucket Principle of Network Information Security
The bucket principle of network information security refers to balanced and comprehensive protection of information: "the maximum volume of a bucket depends on its shortest stave." A network information system is a complex computer system whose physical, operational, and management weaknesses together constitute the security vulnerabilities of the system; in particular, the complexity and resource sharing of multi-user network systems make them difficult to defend with purely technical protection. Attackers follow the principle of easiest penetration: they strike the weakest part of the system. Therefore, fully and comprehensively analyzing system security vulnerabilities and threats, and evaluating and testing them (including simulated attacks), is a necessary prerequisite for designing an information security system. The primary purpose of the security mechanism and security service design is to prevent the most common attack methods, and the fundamental goal is to raise the security of the entire system's "lowest security point".
2. Holistic Principle of Network Information Security
In the event of a network attack or damage, the services of the network information center must be restored as quickly as possible to reduce losses. Therefore, an information security system should include security protection, security detection, and security recovery mechanisms. The security protection mechanism prevents illegal attacks based on the specific security threats to the system. The security detection mechanism monitors the operating status of the system and detects and stops attacks on it in a timely manner. The security recovery mechanism responds to emergencies and restores information as soon as possible when the security protection mechanism fails, so as to limit the damage.
3. Security Evaluation and Balancing Principle
Absolute security is difficult to achieve for any network, and it is not necessarily needed. Therefore, a reasonable and practical system for evaluating and balancing security against user requirements should be established. The security system design should correctly handle the relationship between requirements, risks, and costs, keep security compatible with availability, and ensure that the security system can actually be implemented in the organization. There are no absolute criteria or metrics for evaluating information security; they can only be determined by the users' requirements and the specific application environment, depending on the scale and scope of the system, its nature, and the importance of its information.
4. Principle of Standardization and Consistency
A network information system is a large systems-engineering project. The design of its security system must follow a series of standards so as to ensure the consistency of its subsystems and the secure interconnection and information sharing of the entire system.
5. Principle of Combining Technology and Management
A security system is a complex engineering effort that involves people, technology, operations, and other elements; it cannot be achieved by technology or by management alone. Therefore, security technologies must be combined with operational management mechanisms, personnel awareness education, technical training, and security rules and regulations.
6. Principle of Overall Planning and Step-by-Step Implementation
Because policies and service requirements are not always clear, because the environment, conditions, and time change, and because attack methods advance, security protection cannot be implemented in one step. Within a comprehensive security plan, first establish a basic security system that meets the network's actual needs and provides basic, necessary security. As the network grows and applications increase, the network's applications and complexity will change and its vulnerabilities will multiply; security protection must then be adjusted or strengthened to keep meeting the most fundamental security requirements of the entire network.
7. Level Principle
The level principle refers to security levels and security classification. A good information security system must be divided into different levels, including classification of information confidentiality, of user operation permissions, and of network security (security subnets and security regions), together with a hierarchical system structure (application layer, network layer, and link layer), so as to provide comprehensive, selectable security algorithms and security systems for security objects of different levels and to meet the actual needs of the different layers in the network.
8. Dynamic Development Principle
Constantly adjust security measures as network security conditions change, so as to adapt to the new network environment and meet new network security requirements.
9. Operability Principle
First, security measures have to be carried out by people; if the measures are too complex and demand too much of them, security will actually be reduced. Second, the adoption of security measures must not affect the normal operation of the system.
VI. Conclusion
Because of the openness of interconnected networks, the security defects of communication protocols, and the distributed storage, access, and processing of data in the network environment, data transmitted over the Internet is prone to leakage and destruction, and networks face severe security attacks. Establishing an effective network security defense system is therefore increasingly urgent. To ensure network security it is not enough to derive reasonable evaluation criteria from network security standards; more importantly, the network security framework, the security defense hierarchy, and the basic principles of system design must be made clear, the insecure links of the network system must be analyzed, and security vulnerabilities must be found and addressed in a targeted way.