With the deepening of the informatization process and the rapid development of the Internet, networking has become a major trend in enterprise informatization, and information resources have been shared to the greatest extent. However, the network security issues that have followed the development of informatization are becoming increasingly prominent. Network security issues have become a common challenge for mankind in the information age. Network information security issues have become an urgent task. If this problem is not solved well, it will inevitably hinder the process of informatization development.
2. Security attacks, security mechanisms and security services
ITU-T X.800 standard logically defines what we often call "networksecurity", that is, security attack refers to any behavior that damages the security of information possessed by an organization; security mechanism refers to a mechanism designed to detect, prevent security attacks or restore systems; security service refers to a service that uses one or more security mechanisms to resist security attacks and improves the security of the organization's data processing system and information transmission security. The relationship between the three is shown in Table 1.
3. The framework structure of the network security prevention system
In order to effectively understand the security needs of users and choose various security products and policies, it is necessary to establish some systematic methods to prevent network security. The scientificity and feasibility of the network security prevention system are the guarantee for its smooth implementation. Figure 1 shows a three-dimensional security prevention technology framework structure based on DISSP extension. The first dimension is security services, which give eight security attributes (ITU-T REC-X.800-199103-I). The second dimension is the system unit, which gives the composition of the information network system. The third dimension is the structural level, which gives and extends the Open System Interconnection (OSI) model of the International Organization for Standardization ISO.
Each system unit in the framework structure corresponds to a certain protocol level, and several security services are required to ensure the security of the system unit. Network platforms need authentication and access control between network nodes, application platforms need authentication and access control for users, they need to ensure the integrity and confidentiality of data transmission, they need to have anti-refusal and audit functions, and they need to ensure the availability and reliability of application systems. For an information network system, if each system unit has corresponding security measures to meet its security needs, we believe that the information network is safe.
IV. The level of network security prevention system
As a comprehensive and overall network security prevention system, it is also hierarchical, and different levels reflect different security issues. According to the current application status of the network and the structure of the network, we divide the levels of the security prevention system (see Figure 2) into physical layer security, system layer security, network layer security, application layer security and security management.
1. The security of the physical environment (physical layer security)
This level of security includes the security of communication lines, the security of physical equipment, the security of computer rooms, etc. The security of the physical layer is mainly reflected in the reliability of the communication line (line backup, network management software, transmission media), software and hardware equipment security (replacement equipment, dismantling equipment, adding equipment), equipment backup, disaster prevention capabilities, interference prevention capabilities, equipment operating environment (temperature, humidity, smoke), uninterruptible power supply guarantee, etc.
2. Operating system security (system layer security)
This level of security issues comes from the security of operating systems used on the network, such as Windows NT, Windows 2000, etc. It is mainly reflected in three aspects. First, the insecurity factors caused by defects in the operating system itself, mainly including identity authentication, access control, system vulnerabilities, etc. The second is the security configuration of the operating system. The third is the threat to the operating system by viruses.
3. Network security (network layer security)
The security issues at this level are mainly reflected in network security, including network layer identity authentication, access control of network resources, confidentiality and integrity of data transmission, security of remote access, security of domain name system, security of routing system, intrusion detection means, anti-virus of network facilities, etc.
4. Application security (application layer security)
This level of security issues are mainly generated by the security of application software and data used to provide services, including web services, email systems, DNS, etc. In addition, it also includes the threat of viruses to the system.
5. Management security (management security)
Safety management includes the management of safety technology and equipment, safety management systems, organizational rules of departments and personnel, etc. The institutionalization of management greatly affects the security of the entire network. Strict security management systems, clear division of departmental security responsibilities, and reasonable personnel role configuration can greatly reduce security vulnerabilities at other levels.
5. Design guidelines for network security prevention system
According to the security needs to prevent security attacks, security goals to be achieved, security services required for corresponding security mechanisms, etc., referring to international standards such as SSE-CMM ("System Security Engineering Capability Maturity Model") and ISO17799 (Information Security Management Standard), comprehensively considering the aspects of implementability, manageability, scalability, comprehensive completeness, system balance, etc., the network security prevention system should follow the following nine principles in the overall design process:
1. The principle of wooden barrels for network information security
The principle of wooden barrels for network information security refers to the balanced and comprehensive protection of information. "The maximum volume of a barrel depends on the shortest piece of wood". Network information system is a complex computer system. Various physical, operational and management loopholes constitute the security vulnerability of the system. In particular, the complexity and resource sharing of the multi-user network system itself make it difficult to prevent pure technical protection. The "most permeability principle" used by an attacker must attack in the weakest parts of the system. Therefore, fully, comprehensively and completely analyzing the system's security vulnerabilities and security threats, evaluating and detecting (including simulated attacks) are necessary prerequisites for designing information security systems. The primary purpose of security mechanisms and security services is to prevent the most commonly used attack methods, and the fundamental purpose is to improve the security performance of the "security lowest point" of the entire system.
2. The principle of integrity of network information security
It is required that in the event of an attack or sabotage incident in the network, the services of the network information center must be restored as quickly as possible to reduce losses. Therefore, the information security system should include a security protection mechanism, a security detection mechanism and a security recovery mechanism. The security protection mechanism is a corresponding protective measure taken based on various security threats in the specific system to avoid illegal attacks. The security detection mechanism is to detect the operation of the system and promptly detect and stop various attacks on the system. The safety recovery mechanism is to carry out emergency treatment and restore information as much as possible in the event of the failure of the safety protection mechanism to reduce the degree of damage to the supply.
3. Safety evaluation and balance principle
For any network, absolute security is difficult to achieve and is not necessarily necessary, so it is necessary to establish a reasonable and practical security and user needs evaluation and balance system. The security system design must correctly handle the relationship between needs, risks and costs, ensure security and availability, and be implemented in an organization. There are no absolute judgment standards and measurement indicators to evaluate whether information is safe, and it can only be determined by the user needs of the system and the specific application environment, depending on the scale and scope of the system, the nature of the system and the importance of the information.
4. Standardization and consistency principles
The system is a huge system project, and the design of its security system must follow a series of standards, so as to ensure the consistency of each sub-system and ensure that the entire system is safely interconnected and information shared.
5. The principle of combining technology and management
The security system is a complex system project that involves human, technology, operation and other factors. It is impossible to achieve by technology alone or by management alone. Therefore, it is necessary to combine various safety technologies with operation and management mechanisms, personnel ideological education with technical training, and safety rules and regulations construction.
6. Coordinate planning and step-by-step implementation principles
Due to the uncertainty of policy regulations and service needs, changes in environment, conditions and time, and the progress of attack methods, security protection cannot be achieved in one step. Under a relatively comprehensive security plan, a basic security system can be established first according to the actual needs of the network to ensure basic and necessary security. With the expansion of network scale and increase in applications in the future, network applications and complexity will change, network vulnerability will continue to increase. Adjust or enhance security protection efforts to ensure the most fundamental security needs of the entire network.
7. The principle of hierarchy
Highlights principle refers to the security level and security level. A good information security system must be divided into different levels, including hierarchical information confidentiality, hierarchical user operation permissions, hierarchical network security (secure subnets and security areas), and hierarchical system structures (application layer, network layer, link layer, etc.), so as to provide comprehensive and optional security algorithms and security systems for security objects of different levels to meet various actual needs in the network at different levels.
8. Dynamic development principle
We must constantly adjust security measures according to changes in network security, adapt to the new network environment, and meet new network security needs.
9. Ease of operation principle
First of all, safety measures need to be completed manually. If the measures are too complex and the requirements for people are too high, it will reduce safety itself. Secondly, the adoption of measures cannot affect the normal operation of the system.
VI. Conclusion
Due to the openness of the Internet and the security defects of communication protocols, as well as the distributed characteristics of data storage and access and processing in the network environment, the data transmitted on the Internet is easily leaked and destroyed, and the network is subject to serious security attacks, so it is even more urgent to establish an effective network security prevention system. In fact, ensuring network security not only requires reference to various network security standards to form reasonable evaluation criteria, but more importantly, it is necessary to clarify the framework system of network security, the hierarchy of security prevention and the basic principles of system design, analyze all unsafe links of the network system, find security vulnerabilities, and be targeted.
Article entry: aaadxmm Editor in charge: aaadxmm