With the growth of Internet technology, computers have reached every corner of the world. Many enterprises rely on IT to build their own information systems and business platforms and serve large numbers of customers through one or more servers. This brings great convenience, but such an open environment also raises information-security risk and makes data loss easy, and it gives intruders an opening. Attackers, hackers, industrial spies and reckless computer enthusiasts can intercept data in transit and break into databases in many ways, posing a serious threat to information security. How to protect information comprehensively has therefore become a key part of enterprise information construction.
Security needs give rise to new protection trends
For an enterprise, the information security of the high-performance computers or servers that run and store its core data is the most critical. As demand for high-performance computing grows, HPC clusters are being built to make them easier to use and to widen the circle of users, moving from the original client/server (C/S) model to the browser/server (B/S) model and serving LAN and Internet users directly. An HPC network that was once physically isolated from the LAN or the Internet therefore faces serious security problems, so security must be considered when a company builds its network, above all for the HPC cluster.
Gao Qi, a Sugon technical expert, said: "Scientific computing systems not only provide various internal services; more and more high-performance computing is also being made available to commercial users. High-performance computing is not uncommon for external users. On the one hand, internal security is the main security problem. According to statistics, internal attacks and misuse by internal personnel cause 70% of security problems. On the other hand, access control, prevention of illegal intrusion, and security filtering need to be strengthened. In addition, users still have disaster-tolerance requirements for massive storage and backup tape libraries."
Providing comprehensive security protection
"Only by understanding how high-performance computers run and communicate can we take security measures that keep them safe," said Gao Qi, a Shuguang technical expert. HPC, he said, is an integrated system involving two layers: the network system and the host system. The network system model is a layered topology, usually a five-layer model: the physical, data link, network, transport and application layers. The host system likewise has two levels: the operating system and the application services. HPC security protection therefore also calls for layered protection measures; that is, a complete HPC security solution should cover every layer of the network and the host, together with security management.
Starting from this idea, Shuguang launched a comprehensive "three-dimensional security" solution that combines a dedicated firewall, a network intrusion detection system (NIDS), a host intrusion detection system (HIDS), a virtual private network (VPN) and cluster security management. Deployed between a LAN and the Internet, or around a specific area within a LAN, the Sugon three-dimensional security solution provides comprehensive protection for the whole LAN or for that area.
(Figure: Three-dimensional security solution architecture)
Layer-by-layer security
Earlier security practice defended against external threats by disabling unused service ports on hosts, installing anti-virus software and running software firewalls; today the main network security measure is an independent hardware firewall. It enforces access control and protects user information, isolates the different security zones of the network and keeps access controllable. For example, if an attacker opens a prohibited port on a host but the firewall does not pass that port, the attacker still cannot use it to communicate between the intranet and the Internet, which prevents internal resources or data from leaking. The caveat is that such a listener remains reachable from other hosts on the same segment, which the perimeter firewall never sees, so the host itself must still be locked down. The Shuguang Tianluo firewall, for example, raises the security level through access control, security filtering, attack resistance, traffic bandwidth management and prevention of illegal intrusion. When it detects dangerous traffic it can drop the connection according to the administrator's settings, giving active intrusion protection. A firewall also lightens the security administrator's workload and makes cluster security more manageable.
The firewall provides the basic protection for an HPC cluster, but on its own it is passive and static and offers only a low level of security. Combined with a network intrusion detection system (NIDS), a host intrusion detection system (HIDS), data security and cluster security management, it can deliver dynamic protection and raise the overall security level of the cluster.
(Figure: Three-dimensional security solution network topology)
Level 1 Protection: Network Security
A computer on the Internet must first face network-level threats. A firewall is generally powerless against attacks on the hosts and applications it allows through, because such attacks are disguised as legitimate access to those hosts and services; they deceive the firewall and enter the area it protects. Therefore, when a key application is deployed in a LAN, or an area of a LAN, with high security requirements, a NIDS should be added on top of the firewall to raise the level of protection there.
The network intrusion detection system (NIDS) monitors network traffic in real time by listening to the packets on a specific segment, discovers suspicious connections and illegal access, and defends against malicious attacks and misoperations from the network layer up to the application layer. Working with the firewall, which filters and controls packets and restricts access to the IP addresses and service ports of the hosts the network allows, it greatly narrows the scope that management must secure and provides protection against network intrusion.
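The two controls described above, the firewall's default-deny allow-list of hosts and ports and the NIDS rule that watches a segment for suspicious connection patterns, are shown together below as an added example. This is not Sugon's product code; the addresses, the allow-list, the flow records and the sweep threshold are constructed assumptions chosen for illustration.

```python
# Added example, not Sugon's product code: a default-deny allow-list check of the
# kind a perimeter firewall enforces, plus a simple NIDS-style port-sweep detector,
# both run over a constructed flow log. Addresses, services and thresholds are
# assumptions chosen for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; the perimeter firewall only filters traffic
# that crosses into it from outside.
LAN = ip_network("10.0.0.0/8")

# Assumed allow-list: (destination host, TCP port) pairs the firewall passes.
ALLOWED_SERVICES = {
    ("10.0.1.10", 22),    # cluster head node: SSH
    ("10.0.1.20", 80),    # B/S front end (web portal)
    ("10.0.1.20", 443),
}

# Constructed flow log: (timestamp in seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    (0, "203.0.113.5", "10.0.1.10", 22),     # legitimate SSH from outside
    (1, "203.0.113.5", "10.0.1.20", 443),    # legitimate HTTPS
    (2, "203.0.113.9", "10.0.1.10", 31337),  # listener an intruder opened on the host
    (3, "203.0.113.7", "10.0.1.10", 21),     # start of a port sweep
    (3, "203.0.113.7", "10.0.1.10", 23),
    (4, "203.0.113.7", "10.0.1.10", 25),
    (5, "203.0.113.7", "10.0.1.10", 110),
    (6, "203.0.113.7", "10.0.1.10", 143),
    (7, "10.0.2.5", "10.0.1.10", 31337),     # same port reached from inside the LAN
]


def firewall_decision(src_ip, dst_ip, dst_port):
    """Default deny for traffic from outside the LAN: only allow-listed
    (host, port) pairs are reachable, whatever ports the host itself has open."""
    if ip_address(src_ip) in LAN:
        return "allow"  # intra-LAN traffic never crosses the perimeter firewall
    return "allow" if (dst_ip, dst_port) in ALLOWED_SERVICES else "deny"


def filter_flows(flows):
    """Annotate every flow with the firewall's decision."""
    return [(flow, firewall_decision(flow[1], flow[2], flow[3])) for flow in flows]


def detect_port_sweeps(flows, window=10, threshold=5):
    """NIDS-style rule: alert when one source touches at least `threshold`
    distinct ports on one host within `window` seconds. Denied flows count too,
    because the sweep itself is reconnaissance worth reporting."""
    per_pair = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for ts, src, dst, port in flows:
        per_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= threshold:
                alerts.append((src, dst, sorted(ports)))
                break  # one alert per (source, host) pair
    return alerts


if __name__ == "__main__":
    for flow, decision in filter_flows(FLOWS):
        print(decision, flow)
    for src, dst, ports in detect_port_sweeps(FLOWS):
        print(f"ALERT port sweep from {src} against {dst}: ports {ports}")
```

Two things the flow log makes visible that the prose only states: the intruder's listener on port 31337 is denied from the Internet but allowed from inside the LAN, which is exactly why host protection is still needed, and the sweep from 203.0.113.7 is caught even though every one of its packets was dropped by the firewall, because the NIDS is judging the pattern rather than the individual packet.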
Level 2 protection: host system security
Although network intrusion detection protects a range of application services, such as Web, SMTP and POP3, it mostly inspects network packets, and defences usually lag behind the development of attack methods. This lag is itself a threat: the protected network can still be penetrated. For example, if a host on the network is compromised and turned into a relay, the intruder can modify the host system to conceal themselves and launch attacks on other hosts on the network. A network intrusion detection system cannot address these actions, so a complete host protection system is also required.
The Sugon Host Intrusion Detection System (HIDS) prevents malicious tampering with, and misoperation of, host system files, monitors suspicious connections in real time, checks system logs regularly, scans user behaviour and detects illegal access. HIDS thus fills the blind spots of network intrusion detection; the two complement each other, providing fine-grained detection and defence against attacks that bypass the firewall and comprehensive protection from the network down to the host.
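The file-tampering check that the paragraph above attributes to a HIDS is shown below as an added example, not Sugon's HIDS code. It baselines the digest, size and permission bits of every regular file under a directory and then reports what changed; the compromised-relay scenario it runs (a trojaned binary, a planted backdoor, a setuid bit added, a file removed) is constructed in a temporary directory.

```python
# Added example, not Sugon's HIDS: a minimal file-integrity check of the kind a
# host intrusion detection system runs. A baseline records the SHA-256 digest,
# size and permission bits of every regular file under a directory; a later pass
# reports files that were modified, added, removed or changed mode (for example,
# a binary that gained the setuid bit). The demo scenario is constructed in a
# temporary directory.
import hashlib
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Digest, size and permission bits for one regular file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map of relative path -> fingerprint for every regular file under root.
    Symlinks are skipped so a planted link cannot point the check elsewhere."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way a
    compromised relay host would be altered, and return the verification report."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    try:
        files = {"bin/login": b"original login binary",
                 "bin/ping": b"original ping binary",
                 "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, 0o644)
        baseline = build_baseline(root)

        # Tampering: trojaned login, a new backdoor, setuid on ping, hosts removed.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"trojaned login binary")
        with open(os.path.join(root, "bin/backdoor"), "wb") as fh:
            fh.write(b"reverse shell")
        os.chmod(os.path.join(root, "bin/ping"), 0o4755)
        os.remove(os.path.join(root, "etc/hosts"))
        return verify(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use the baseline must be stored off the monitored host, or at least signed, since an intruder who can rewrite system files can also rewrite a baseline kept beside them; that is the main reason a HIDS is managed centrally rather than from the host it watches.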
Beyond HIDS, the Shuguang Tianmu three-dimensional monitoring system adds further protection for server hosts. During system startup it captures the BIOS self-test information, converts it into Chinese characters and shows it on the server's front-panel LCD, so that the administrator can intuitively and quickly locate server faults; it also monitors the server at the host and operating-system level. It provides a monthly server running-check report that covers not only the server's own hardware and software resources but also the running status of the secondary servers on the LAN.
Level 3 protection: Data Security
High-performance computer clusters are mostly used for scientific research or important data processing, so their raw data and computing results are sensitive; it is fair to say that the value of the data stored on a server far exceeds the value of the server itself. Secure storage and secure backup of this data are therefore extremely important. The dual-machine backup solution based on cluster technology relies on fault-tolerance software that monitors the two servers and on a disk array cabinet used as the data storage device; the close cooperation of hardware and software gives the data dual protection. Note that such a mirrored pair protects against hardware failure, not against deletion or corruption, which it faithfully replicates, so off-line backups such as the tape libraries mentioned earlier remain necessary.
In addition, sensitive data can easily be stolen or tampered with while it travels over the LAN or the Internet, so the security of data in transit must also be considered when an HPC cluster is designed.
The firewall's Virtual Private Network (VPN) function provides secure communication between Internet users, LAN users and the HPC user interfaces. A VPN is an enterprise network built over a public network that has the security, management and functions of a private one; it replaces traditional dial-up access and uses Internet resources as an extension of the enterprise's private network. It protects the confidentiality and integrity of data through encryption, authentication and digital signatures. In three-dimensional security, the VPN builds a high-security dedicated channel for transmitting key data and is an extremely important part of the solution.
Comprehensive Management: Cluster Security Management
For three-dimensional security, an efficient and convenient management system is essential. The Shuguang cluster security management system manages global network resources with centralised management and unified configuration. The firewall, IDS and VPN are closely integrated with cluster security management to give cluster servers higher security and stronger manageability, realising the "three-dimensional security" concept advocated by Sugon and providing comprehensive, in-depth protection for users' information systems.