大中型企业网络安全设计方案的研究与应用
|
摘要
计算机网络作为信息社会的基础,已经成为我们日常工作、学习和生活中的重要工具。随着网络技术应用范围的日益拓宽,人们对计算机及网络的安全性的要求也越来越高。
本论文以河北省某地矿企业的一次内部网络的建设为例,着重解决了安全系统的方案设计和产品部署问题。此系统设计是以“信息安全等级保护”为指导思想,以内部网络的安全防护为核心目标,辅以对企业内网安全隐患和风险的分析,并结合存在的风险及问题,采取了“防、测、控、管、评”的安全实施策略,完成了网络安全防护系统总体安全设计和架构实现,取得阶段性成效,达到预期的网络安全目标。本论文的具体工作成果如下:
1.将“信息安全等级保护”的有关理论应用到方案的具体设计中,并分步部署安全产品,综合平衡了安全成本和风险,优化了信息安全资源的配置。
2.在企业网关对防火墙、入侵检测等设备进行策略部署,加强网络安全系数,有效防御网络攻击、病毒感染等安全事件的发生。
3.在企业内部网络中组建虚拟VPN专网,通过网到网的加密传输功能和访问控制功能,保证了企业数据在网络上传输的安全性。
4.对企业的互联网利用情况进行监督和管理,优化网络资源的利用,降低内网用户泄密的风险,构建了有效的上网行为监控系统。
5.采用了硬件防病毒产品与企业版防病毒软件协同策略部署,实现全网病毒的集中防护。
通过该网络安全防护方案的具体实现,其结果验证了所提方法的有效性。
As the basis of information society, computer network is the important tool of our daily work, study and life. As the application of network is increased, people’s requirements on the security of computer and network are more increasingly.
This paper taking hebei province some enterprise of an internal network construction for example, emphatically resolve the security system design and product deployment issues. this system design is on "information security level protection" as the guiding ideology, taking the internal network security protection as the core target of enterprise, complementary network security hidden danger and risk analysis, and combining the risk and problems, the author puts forward "the preventing and measurement, control, administer and commentaries"security strategies, completed the network safe protection design and architecture realization of all safety system, it’s obtained phased effect and achieved the desired goal of network security. Main results in this article are as follows:
1. Relevant theories on information security protection level is applied in the design, planed security products in turn, comprehensively reduced security cost and risk and optimized resource allocation for information security.
2. Equipment for firewall and detecting intrusion was strategically carried out in the gateway of the enterprise. In which not only can strengthen network security, but can effectively prevent accidences from network attack and virus infection.
3. One invented net is established in internal network of the enterprise. It guaranteed transfer security through encrypting from net to net and visit control.
4. One effective internet connecting system is established for supervision and management of internet utilization to internal enterprise, to optimize network utilization and reduce risks from internal user.
5. Virus intensively protection is realized in the network making use of joint strategy to combine hardware anti-virus products with anti-virus software of enterprise vision. Method effectivity mentioned in this article was identified by the network security protection practically realized.
本论文以河北省某地矿企业的一次内部网络的建设为例,着重解决了安全系统的方案设计和产品部署问题。此系统设计是以“信息安全等级保护”为指导思想,以内部网络的安全防护为核心目标,辅以对企业内网安全隐患和风险的分析,并结合存在的风险及问题,采取了“防、测、控、管、评”的安全实施策略,完成了网络安全防护系统总体安全设计和架构实现,取得阶段性成效,达到预期的网络安全目标。本论文的具体工作成果如下:
1.将“信息安全等级保护”的有关理论应用到方案的具体设计中,并分步部署安全产品,综合平衡了安全成本和风险,优化了信息安全资源的配置。
2.在企业网关对防火墙、入侵检测等设备进行策略部署,加强网络安全系数,有效防御网络攻击、病毒感染等安全事件的发生。
3.在企业内部网络中组建虚拟VPN专网,通过网到网的加密传输功能和访问控制功能,保证了企业数据在网络上传输的安全性。
4.对企业的互联网利用情况进行监督和管理,优化网络资源的利用,降低内网用户泄密的风险,构建了有效的上网行为监控系统。
5.采用了硬件防病毒产品与企业版防病毒软件协同策略部署,实现全网病毒的集中防护。
通过该网络安全防护方案的具体实现,其结果验证了所提方法的有效性。
As the basis of information society, computer network is the important tool of our daily work, study and life. As the application of network is increased, people’s requirements on the security of computer and network are more increasingly.
This paper taking hebei province some enterprise of an internal network construction for example, emphatically resolve the security system design and product deployment issues. this system design is on "information security level protection" as the guiding ideology, taking the internal network security protection as the core target of enterprise, complementary network security hidden danger and risk analysis, and combining the risk and problems, the author puts forward "the preventing and measurement, control, administer and commentaries"security strategies, completed the network safe protection design and architecture realization of all safety system, it’s obtained phased effect and achieved the desired goal of network security. Main results in this article are as follows:
1. Relevant theories on information security protection level is applied in the design, planed security products in turn, comprehensively reduced security cost and risk and optimized resource allocation for information security.
2. Equipment for firewall and detecting intrusion was strategically carried out in the gateway of the enterprise. In which not only can strengthen network security, but can effectively prevent accidences from network attack and virus infection.
3. One invented net is established in internal network of the enterprise. It guaranteed transfer security through encrypting from net to net and visit control.
4. One effective internet connecting system is established for supervision and management of internet utilization to internal enterprise, to optimize network utilization and reduce risks from internal user.
5. Virus intensively protection is realized in the network making use of joint strategy to combine hardware anti-virus products with anti-virus software of enterprise vision. Method effectivity mentioned in this article was identified by the network security protection practically realized.
引文
[1]公安部2009年全国信息网络安全状况暨计算机病毒疫情调查报告.http://wenku.baidu.com/view/a368 a04e852458fb770b56b9.html
[2]李涛.网络安全概论[M].北京:电子工业出版社,2004.
[3]孙丕恕.全面落实安全等级保护制度、提升我国信息安全保护水平[C].第十一届全国人民代表大会.2008.
[4]石正喜,张君华.国内外信息安全研究现状及发展趋势[J].科技情报开发与经济,2007,17(10):97-98.
[5]冯登国.国内外信息安全研究现状及发展趋势(摘编)[J].信息网络安全,2007,第1期.
[6]互联网.http://www.chinabyte.com/35/7636535.shtml
[7]安全周报.2010年8月第3期.http://wenku.baidu.com/view/6f18a77931b765ce0508140c.html
[8]Damianou,N.A Poliey Framework for Management of Distributed Systems[D].Ph.D.thesis. Imperial College of science.Technology and Medicine of London University,2002.
[9]Moffett,J.D.and M.S.Sloman.policy Hierarchies for Distributed Systems Management[A]. In:IEEE JSAC Special Issue on Network Management,1993,11(9):1404一1414.
[10]彭军.网络安全策略监控模型及关键技术研究[D].郑州:解放军信息工程大学,2009.
[11]Denis Trcek.Security policy management for network information systems[C].Network Operations and Management Symposium.2000.
[12]A.Westerinen et al.Terminology for Poliey-based Management[S].RFC3198.2001.
[13]Sloman,M.S.Policy Driven Management for Distributed Systems[J].Journal of Network and Systems Management,1994,2(4):333一360.
[14]温红子.商务安全策略及其形式分析研究[D].北京:中国科学院软件研究所,2004.
[15]马时来.计算机网络使用技术教程[M].北京:清华大学出版社,2003.
[16]刘三满.论我国信息安全的现状及对策[J].山西电子技术,2002,(2):16-18.
[17]段卫国.专用计算机信息网中安全体系的研究[D].昆明:昆明理工大学,2006.
[18]王芸.军队院校信息安全管理问题研究[D].北京:国防科学技术大学,2005.
[19]刘喆,王蔚然.分布式防火墙的网络安全系统研究[J].电子科技大学学报,2005,34(3):351-354.
[20]光华DB_Audti数据库安全审计白皮书[EBC/D].上海:上海复旦光华有限公司,2005.
[21]顾昕.某内部网络安全防护系统的设计与实现[D].成都:四川大学,2006.
[22]Erie Maiuald.Networking Seeurity[J]MCGraw Hill,2003,(1):145一248.
[23]张翼春.信息安全管理为先[J].计算机安全,2006,(1):36.
[24]王新清,游晓勇,赵国成.计算机网络安全与防火墙[J].内蒙古科技与经济,2008,14(11):56.
[25]Alfaro,J.G,Cuppens,F.and Cuppens Boulahia,N.Aggregating and Deploying Network Access Control Policies[C].In lrst Symposium on Frontiers in Availability,Reliability and Security(FARES),2nd International Conference on Availability,Reliability and Security(ARES2007),Vienna,Austria.2007.
[26]代向东.安全策略管理系统中策略描述及策略翻译关键技术研究[D].郑州:解放军信息工程大学,2007.
[27]周原冰,丁书耕,潘亚利,等.SIS工程的网络安全防护设计[J].中国电力,2005,38(6):64-68.
[28]周生,吴翔.SIS系统的网络安全分析及防范措施[J].安徽电器工程职业技术学院学报,2007,12(1):102-105.
[29]葛青林,李静,王莹莹.主动型网络安全防护体系的构建[J].信息网络安全,2009,(4):66-68.
[30]Dynamic Markets Limited对全球办公室上网情况的调查报告. http://tech.sina.com.cn/roll/2008-08-18/ 1106771715.shtml
[31]2006年ICSA统计报告.http://www.sac.net.cn/newcn/home/info_detail.jsp? info_id=1184916911100 &info_type=CMS.STD&cate_id=81183686376100
[32]2010年上半年江民反病毒中心病毒统计报告[S].北京:北京江民新科技术有限公司,2010.
[2]李涛.网络安全概论[M].北京:电子工业出版社,2004.
[3]孙丕恕.全面落实安全等级保护制度、提升我国信息安全保护水平[C].第十一届全国人民代表大会.2008.
[4]石正喜,张君华.国内外信息安全研究现状及发展趋势[J].科技情报开发与经济,2007,17(10):97-98.
[5]冯登国.国内外信息安全研究现状及发展趋势(摘编)[J].信息网络安全,2007,第1期.
[6]互联网.http://www.chinabyte.com/35/7636535.shtml
[7]安全周报.2010年8月第3期.http://wenku.baidu.com/view/6f18a77931b765ce0508140c.html
[8]Damianou,N.A Poliey Framework for Management of Distributed Systems[D].Ph.D.thesis. Imperial College of science.Technology and Medicine of London University,2002.
[9]Moffett,J.D.and M.S.Sloman.policy Hierarchies for Distributed Systems Management[A]. In:IEEE JSAC Special Issue on Network Management,1993,11(9):1404一1414.
[10]彭军.网络安全策略监控模型及关键技术研究[D].郑州:解放军信息工程大学,2009.
[11]Denis Trcek.Security policy management for network information systems[C].Network Operations and Management Symposium.2000.
[12]A.Westerinen et al.Terminology for Poliey-based Management[S].RFC3198.2001.
[13]Sloman,M.S.Policy Driven Management for Distributed Systems[J].Journal of Network and Systems Management,1994,2(4):333一360.
[14]温红子.商务安全策略及其形式分析研究[D].北京:中国科学院软件研究所,2004.
[15]马时来.计算机网络使用技术教程[M].北京:清华大学出版社,2003.
[16]刘三满.论我国信息安全的现状及对策[J].山西电子技术,2002,(2):16-18.
[17]段卫国.专用计算机信息网中安全体系的研究[D].昆明:昆明理工大学,2006.
[18]王芸.军队院校信息安全管理问题研究[D].北京:国防科学技术大学,2005.
[19]刘喆,王蔚然.分布式防火墙的网络安全系统研究[J].电子科技大学学报,2005,34(3):351-354.
[20]光华DB_Audti数据库安全审计白皮书[EBC/D].上海:上海复旦光华有限公司,2005.
[21]顾昕.某内部网络安全防护系统的设计与实现[D].成都:四川大学,2006.
[22]Erie Maiuald.Networking Seeurity[J]MCGraw Hill,2003,(1):145一248.
[23]张翼春.信息安全管理为先[J].计算机安全,2006,(1):36.
[24]王新清,游晓勇,赵国成.计算机网络安全与防火墙[J].内蒙古科技与经济,2008,14(11):56.
[25]Alfaro,J.G,Cuppens,F.and Cuppens Boulahia,N.Aggregating and Deploying Network Access Control Policies[C].In lrst Symposium on Frontiers in Availability,Reliability and Security(FARES),2nd International Conference on Availability,Reliability and Security(ARES2007),Vienna,Austria.2007.
[26]代向东.安全策略管理系统中策略描述及策略翻译关键技术研究[D].郑州:解放军信息工程大学,2007.
[27]周原冰,丁书耕,潘亚利,等.SIS工程的网络安全防护设计[J].中国电力,2005,38(6):64-68.
[28]周生,吴翔.SIS系统的网络安全分析及防范措施[J].安徽电器工程职业技术学院学报,2007,12(1):102-105.
[29]葛青林,李静,王莹莹.主动型网络安全防护体系的构建[J].信息网络安全,2009,(4):66-68.
[30]Dynamic Markets Limited对全球办公室上网情况的调查报告. http://tech.sina.com.cn/roll/2008-08-18/ 1106771715.shtml
[31]2006年ICSA统计报告.http://www.sac.net.cn/newcn/home/info_detail.jsp? info_id=1184916911100 &info_type=CMS.STD&cate_id=81183686376100
[32]2010年上半年江民反病毒中心病毒统计报告[S].北京:北京江民新科技术有限公司,2010.