Physical security Guarantee of enterprise information security

The physical layer of enterprise is confronted with the threat to the physical equipment of computer network and computer system, which is mainly manifested in natural disasters, electromagnetic radiation and bad working environment. The corresponding preventive measures include anti-jamming system, physical isolation, radiation protection system, stealth system, strengthening system, data backup and recovery. In many technologies, physical isolation and data backup and recovery is the most critical and important enterprise physical layer Security protection technology, this article will introduce them in detail.

First, physical isolation

In the highly developed Internet today, access to the enterprise's internal LAN without good protection is not difficult for external malicious visitors, they can often spy, illegally acquire or even malicious destruction of the enterprise's valuable data and information, thus causing irreparable economic losses to enterprises. At present, the majority of enterprises in the physical level of physical isolation of the local LAN and the Internet to isolate, to ensure that two of the network can not exchange, so as to protect the intranet data security purposes.

NET GATE schematic diagram

At present, the higher security requirements of enterprises, the general use of physical isolation network brake to achieve enterprise network management. The physical isolation gateway is an information security device that uses solid-state switch read-write media with multiple control functions to connect two independent host systems. Because of the two independent host systems connected by the physical isolation gateway, there is no physical connection to communication, logical connection, Information Transmission command, Information transmission protocol, no forwarding of packets according to the protocol, only the "ferry" of data files, and only "read" and "write" two commands for solid-state storage media. Therefore, the physical isolation of the network gate from the physical isolation, blocking all possible connections with potential attacks, so that "hackers" can not invade, cannot attack, cannot be destroyed; the physical isolation gateway resolves the following threats: Operating system vulnerabilities, intrusions, attacks based on TCP/IP vulnerabilities, attacks based on protocol vulnerabilities, Trojans, Tunneling based attacks, file-based attacks, etc. These are the most major threats to the Internet at present, and the physical isolation gateway is in theory fully realized real security.

The physical isolation network gate appeared in the United States, Israel, Russia and other countries of the military, to solve the secret-related network and public network connection security. Russia's Ry Jones, Israel's Buky Carmeli,elad Baron,daniel Steiner, and others are pioneers in the field, which now run the U.S. company. At present, the largest physical segregation company in the United States Whale Communications company, spearhead company is not small.

With the rapid development of e-government in China, the external network is connected with the general public, the internal network is connected with the Government civil Servant desktop Office system, the special network is connected with the information system of all levels of government, the external network, intranet, private network exchange information is the basic requirements. How to ensure intranet and private network resources security, the realization of the network from the public to the government unimpeded, resource sharing, convenient and fast is the e-government system construction must be resolved technical issues. In general, the method is to implement the logical isolation between intranet and extranet, and to carry out physical isolation between intranet and private network. For the purpose of protecting important information and files, the physical isolation network Gate has been accepted by people, and the physical isolation network brake has become the equipment which must be configured in E-Government information system.

The physical isolation network gate is mainly composed of the Internal network Processing Unit, the External net processing unit, the security isolation and the information Exchange Processing unit. The extranet processing unit is connected to an external network (such as the Internet), the intranet processing unit is connected with the intranet (such as the Army network); The security isolation and information exchange Processing unit disconnects the internal and external network physical connections through the dedicated hardware, and at any time only connects to one of the networks, reads the data waiting to be sent, and then "pushes" to another network. In the case of very fast switching speed, real-time exchange of information can be realized.

Physical isolation card is a low-level implementation of physical isolation, a physical isolation card can only control a personal computer, or even only in the Windows environment, each switch requires a switch machine once. The physical isolation network gate is the advanced realization form of the physical isolation, the net gate can manage the entire network, does not need the switch machine. After the realization of the gateway, the physical isolation card is no longer needed in principle. Security isolation is a logical isolation, a firewall is a logical isolation, so the firewall is a security isolation. Some vendors have added some features to security isolation, such as the use of dual host structure, but between the two host is through the packet to forward.

No matter how strict security checks are used between the two hosts, there is a packet-based security vulnerability, as long as it is packet forwarding, and there is an attack on the package. This is essentially in tandem with two firewalls and there is no essential difference. From the existing security Isolation network Gate, includes the following types: Through the serial port or the same port to achieve the packet forwarding between the two hosts, through the USB or 1394 or FireWire (FireWire) and other means to achieve the packet forwarding between the two hosts, or even directly through the Ethernet line to achieve the packet forwarding between the two hosts, And any other form of communication to implement packet forwarding between the two hosts, such as ASIC switching circuit, atm,myrinet card, etc., are safe isolation network gates, but are not physical isolation network gate.

For enterprise users, the physical isolation network gate is suitable for five typical application situations:

1. Between LAN and Internet (intranet and extranet)

Some local network, especially the government office network, involves government sensitive information, sometimes need to be physically disconnected from the Internet, the use of physical isolation network brake is a common method.

2, office network and Business Network between

Because the information sensitivity of the office network and the Business network is different, for example, the bank's office network and Banking Network is a typical two kinds of network with different information sensitivity. To improve productivity, office networks sometimes need to exchange information with business networks. In order to solve the security of the business network, it is better to use the physical isolation gateway between the office network and the service network to realize the physical isolation of the two kinds of networks.

3. Between intranet and special network of E-government

In the construction of e-government system, it is required that the government should be separated from the external network by logic, and it should be physically isolated between the government network and intranet. The common method is to use the physical isolation network brake to achieve.

4. Between the business network and the Internet

E-commerce network connected to the Business network server, while connecting the vast number of people through the Internet. In order to secure the Business network server, physical isolation should be realized between the business network and the Internet.

5. Between the secret-related network and the non-involved secret network

In the construction of e-government, the security domain is divided according to the security level, which guarantees the security of information, and the system of non-secret and public-oriented information collection and release is mainly run in the part of non-involved secret network. In accordance with the principle of "minimizing" the secret-related information, a moderate "reliable exchange" between two different information security domain information between the secret-related network and the non-secret network is carried out.

The physical isolation gateway restores the data to the original data file at the seventh level of the network and then transmits the original data in the form of a "ferry file". Any form of data packets, information transmission commands, and TCP/IP protocols cannot penetrate the physical isolation gateway. According to our country computer network security management stipulation, the physical isolation network gate needs to obtain the security Product Appraisal Certificate of the Ministry of Public Security, the State Secrecy bureau and the China Information Security Evaluation and Certification center. On this basis, enter the military field, but also need the military evaluation and Certification center certification.

Computer information systems involving State secrets shall not be connected directly or indirectly with the Internet or other public information networks, and physical isolation must be carried out. The secret-related network must be based on physical isolation to achieve WWW browsing and free to send and receive e-mail. Government agencies at all levels and the secret-related units, must be built in the office LAN with the Internet or a secondary network to carry out physical isolation, the construction of e-government network must be physical isolation. In addition to military, other industries and departments have promulgated construction norms and management measures, the use of physical isolation. Power, railways, finance, banking, securities, insurance, taxation, customs, Water Conservancy, transportation, civil aviation, social security, petrochemical and other industries, requires the physical isolation of the conditions of the implementation of secure database data exchange. In order to guarantee the security of the key system in e-government and e-commerce system, the physical isolation network will ensure the critical network and the secret-related network foolproof, while providing the interconnection of network services.

At present, the market has a special application to specific industries of physical isolation network brake, such as the supply of power-specific physical isolation network brake is a special use for the power system "two security protection design" a one-way physical isolation network gate. It is mainly used in real time control area (area I, or DCs network, uncontrolled production area (ii) and Production management Area (III, IV, or MIS network) complete network physical isolation, and ensure that I, ii zone to III, IV effective real-time transmission of data, but in turn, any network intrusion, Virus attacks are effectively blocked, so that the maximum limit to prevent hackers, viruses.

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/