Research and Application of an Information Security System for Telecom Support Systems
Abstract
The information security situation in the communications industry is currently grave. Under a constant stream of attacks by viruses, Trojans and hackers, and under the influence of human error and chains of cascading accidents, network operations face the prospect of destruction comparable to the consequences of a "9/11-style" terrorist attack. Interruption or paralysis of communication networks and business systems, and even a mere billing-system error or information leak, can inflict irreparable loss on society as a whole. Analyzing and solving the information security problems of the communications industry is therefore one of the key issues for the stable development of the major telecom operators.

Telecom support systems, as an important means of enterprise management, rapid service provisioning, timely service assurance and optimized management of network resources, receive ever more attention from telecom operators and play an increasingly important role in enterprise development. How to build an information security system that effectively protects the telecom support systems is therefore especially important.

The DCN (Data Communication Network), as the sole bearer network for one telecom operator's support systems, currently carries more than 20 business systems, including the major-customer management system, the customer service system, the online billing collection system, the integrated IP network management system, the integrated switching and access network management system and the new "97" system. Its security is critical, and the construction of an information security system is urgent. How to guarantee the secure and reliable operation of the DCN and the information systems it carries has become an important question bearing on the operator's entire business operation.

This thesis takes the operator's telecom support systems as its object of study and the DCN together with the business systems it carries as the main vehicle, and studies the construction of their information security system.

First, building on an in-depth study of existing information security system models, combined with the actual situation of the operator's support systems, with reference to international and domestic security standards and specifications, and making full use of mature results of information security theory, an improved information security system model suited to telecom support systems is proposed: the POO-PDRRA model, abbreviated PO2P.

At the same time, taking the DCN as the core and information assets as the main thread, a security assessment of the telecom support systems was carried out against the vulnerabilities and threats present in the network and systems. The assessment produced a security vulnerability report and a security risk report, on the basis of which a report on the current security status of the support systems was compiled.

Finally, on the basis of the assessment results, the security requirements were defined. Taking the POO-PDRRA model as the theoretical foundation and using the P-PADIS-T security service model methodology, a security system for the telecom support systems consisting of four parts (the information security policy system, the organization system, the operation system and the technology system) was constructed, and the application effects and advantages of the POO-PDRRA information security system model were analyzed and discussed.
Abstract (English)

The information security situation in the communications industry is currently very grim. With the emergence of viruses, Trojans and hacker attacks, communication operations face the prospect of destruction comparable to the consequences of the "911" terrorist attacks. Human error and chains of accidents can also lead to calamity. The interruption or paralysis of communication networks and business system services, and even errors in the billing system or information leakage, may cause irreparable loss to the whole community. Analyzing and solving the information security problems of the communications industry has become one of the critical issues for a telecom operator's stable development.

As a significant means of enterprise management, rapid service provisioning, timely service assurance and optimized management of network resources, the telecom support system has received increasing emphasis from telecom operators and plays an ever more important role in enterprise development. How to establish an information security system that gives the telecom support system more effective protection has therefore become particularly crucial.

The DCN (Data Communication Network), as the sole carrier network for a provincial telecom operator's telecom support systems (also known as IT systems or information systems), carries more than 20 support systems, such as the Major Customer Management System, the Customer Service System, the Online Billing Acquisition System, the IP Network Management System and the Integrated Network Management System. The security of these systems is very important, so building an information security system has become extremely urgent. How to ensure the security of the DCN and the information systems over it has become a critical issue for the operator's whole business operation.

This research on building the information security system took the operator's telecom support system as its object and the DCN network and the information systems over it as the main carrier.

On the basis of a study of information security system models, according to the actual situation of the telecom support system, in the light of domestic and international security standards, and making full use of information security theories, an improved information security system model that fits the telecom support system, the POO-PDRRA Model, was developed. The PO2P Model is short for the POO-PDRRA Model.

A security assessment of the telecom support system was carried out, covering the DCN network and the information assets of the information systems over it and aimed at the vulnerabilities and threats in the network and systems. Based on the assessment results, a security status report on the telecom support system was written.

The security requirements were defined on the basis of the security assessment results. According to the POO-PDRRA Model and using the P-T-PADIS security service model methodology, the information security system was built, consisting of a security strategy system, a security organization system, a security operation system and a security technology system. The application effects and advantages of the POO-PDRRA Model were discussed and analyzed.