
Data Security solution of a Provincial Development and Reform Commission

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Requirements

After years of development, the computer room of the Provincial Development and Reform Commission has taken shape. It hosts the online examination and approval supervision platform for the province's investment projects, the "two bases" management platform for the province's fixed-asset investment projects, and the province's credit information public service platform. These information systems are built on current mainstream hardware and application software platforms. From the network perspective, they are divided into two parts: the e-government extranet and the Internet.

The e-government extranet connects the departments and offices across the whole province. A USG-FW-12600GP from XXX serves as the core switching domain firewall, a second USG-FW-12600GP from XXX serves as the application security domain firewall between the core switch and the application servers, and a USG-FW-12600 from XXX serves as the data security domain firewall between the core switch and the database servers. An AF-1860-IPS intrusion detection device is deployed in the core switching area.

On the Internet side, from the outside in to the core switch, the boundary consists in turn of the XX DDoS protection device, the XNF1000 egress firewall, the AF-1860-IPS intrusion prevention device, and the XX WAF firewall TWF-6213.

An XNF3000 gigabit border firewall, an XXX USG-FW-2000GP gigabit border firewall, a Sky XX TOPACM5000 network behaviour audit device and a Sky XX TOPScanner7000 vulnerability scanner are deployed between the e-government extranet and the Internet as boundary protection.

II. Plan

Based on the current NDRC information system topology diagram, our data security equipment is embedded into the network to form the following solution:

As shown in the figure above, our data security products are deployed in the database security domains of the e-government extranet and of the Internet respectively. The e-government extranet is the more important of the two and uses dual links in its architecture, so the deployment of our products differs slightly between the two sides:

(1) E-government extranet solution:

1. Connect the database firewall system in series on the dual links in front of the database security domain. It filters database access requests, raises alarms on suspicious requests, and blocks malicious or mistaken database instructions such as dropping a database, dropping a table, or clearing a database.

2. Deploy a database audit system on the access switch in front of the database security domain to log all access requests to the database. The log acts as a deterrent on the one hand and, on the other, is the basis for tracing the source when something goes wrong. Three collection methods are available:

1) A mirror (bypass) port on the switch can be used to audit access to databases running on physical machines (the preferred method).

2) For databases running in virtual machines, a software probe (a packet forwarding program) deployed in the operating system that hosts the database forwards the database access traffic to the audit system, so that access to the database inside the virtual machine can be audited.

3) For databases already protected by the database firewall, the firewall's logs can be forwarded directly to the audit server to provide the audit.

3. Deploy a situational awareness server in the security management domain, routable to the database audit system, which displays on the large screen, in chart form:

1) where the sensitive data is

2) who is accessing the sensitive data

4. Deploy the database encryption system on the access switch in front of the database security domain to encrypt the sensitive data in each database table, so that what is stored is ciphertext rather than plaintext and the risk of data leakage is eliminated at its root.

5. Deploy a real-time database desensitization system on the access switch in front of the database security domain. It masks sensitive data that the business system does not need to display, masks the query results of database users who lack business query authority, and masks the query results returned for operation and maintenance.

6. Deploy the database batch desensitization system on the access switch in front of the database security domain to supply the development, testing and training area with processed quasi-real data: the format is preserved, so the substitute data does not affect development and testing.
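As an added illustration, not part of the original article or the vendor's product, the following Python sketch shows the two controls described in items 1 and 5 above: an in-line policy that blocks destructive statements and alerts on unfiltered reads of sensitive tables, and dynamic masking of query results for users without business query authority. The table, columns, sample records and policy patterns are constructed assumptions.

```python
import re
import sqlite3
# Constructed policy assumed for this example: destructive statements are blocked,
# unfiltered reads of sensitive tables raise an alert, everything else is allowed.
BLOCK_PATTERNS = [
    r"^drop\s+(database|table)\b",
    r"^truncate\s+table\b",
    r"^delete\s+from\s+\w+\s*;?$",          # DELETE without WHERE clears the table
]
# table -> sensitive columns (constructed sample, not the Commission's real schema)
SENSITIVE_TABLES = {"citizen": {"id_card", "phone"}}

def classify(sql: str) -> str:
    """Return 'block', 'alert' or 'allow' for one statement, as the in-line firewall would."""
    s = " ".join(sql.strip().lower().split())
    if any(re.match(p, s) for p in BLOCK_PATTERNS):
        return "block"
    m = re.match(r"^select\b.*\bfrom\s+(\w+)", s)
    if m and m.group(1) in SENSITIVE_TABLES and " where " not in s:
        return "alert"   # bulk read of a sensitive table: let it through, but log it
    return "allow"

def mask(value: str, keep: int = 3) -> str:
    """Dynamic desensitization: keep the leading characters, star out the rest."""
    return value[:keep] + "*" * (len(value) - keep)

def execute(conn, sql: str, user_has_query_right: bool):
    """Apply the policy, run the statement, then mask sensitive columns for unprivileged users."""
    verdict = classify(sql)
    if verdict == "block":
        raise PermissionError(f"blocked by database firewall policy: {sql}")
    cur = conn.execute(sql)
    if cur.description is None:          # not a result-returning statement
        return verdict, []
    cols = [d[0] for d in cur.description]
    table = re.search(r"\bfrom\s+(\w+)", sql, re.I)
    sensitive = SENSITIVE_TABLES.get(table.group(1).lower(), set()) if table else set()
    rows = [tuple(mask(str(v)) if (c in sensitive and not user_has_query_right) else v
                  for c, v in zip(cols, row)) for row in cur.fetchall()]
    return verdict, rows

def demo_db():
    """In-memory SQLite table with constructed, fake citizen records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizen (name TEXT, id_card TEXT, phone TEXT)")
    conn.executemany("INSERT INTO citizen VALUES (?, ?, ?)",
                     [("Zhang", "110101199001011234", "13800138000"),
                      ("Li", "110101198505052345", "13900139000")])
    return conn
```

A real appliance would parse the SQL dialect properly and key masking on the authenticated database account rather than a boolean flag; the sketch only shows the decision flow.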

(2) Internet solution:

1. Connect the database firewall system in series in front of the database security domain. Two appliances run in hot standby: the management ports of the two firewall servers are connected to the same VLAN on the same switch and back each other up, so that if one fails the other takes over immediately. The system filters database access requests, raises alarms on suspicious requests, and blocks malicious or mistaken database instructions such as dropping a database, dropping a table, or clearing a database.

2. Deploy the database audit system on the access switch in front of the database security domain, and provide auditing and data security situational awareness in the same way as on the e-government extranet.

III. Value

Specifically, the database security hardening system can bring the following value:

1. Simplify business governance and improve data security management capability. The database system is a complex software "black box" with very low visibility: database administrators find it hard to say who is accessing which data and when, which makes business governance difficult. In cloud environments this invisibility is even more serious. The company's products monitor data access comprehensively through several means and provide rich preset statistical reports that visualize data access and risk graphically, and on that basis provide access control capability. This greatly simplifies business governance and improves data security management capability.

2. Improve the defense-in-depth system and enhance overall security protection capability. Building a defense-in-depth system is the consensus of information security construction. The segment from the database to the application system is the last kilometre and the last line of defense of information security; it involves the most direct security management of sensitive data and is directly tied to the security of that data. At the same time, strengthening protection at the data and business layer has gradually become a new direction in information security. The company's system sits close to the core data and provides rich protection means for this last kilometre and for the data and business layer, which helps to improve defense in depth and enhance overall security protection capability.

3. Reduce the infringement of core data assets and ensure business continuity. Data is the most valuable asset of an information system and the ultimate target for attackers to spy on, tamper with, and even delete. When core data is compromised, the lighter cases lead to business interruption and the serious ones lead to leaks and tampering that gravely affect the reputation and even the survival of enterprises and institutions; the attack-and-defense confrontation around core data will persist for a long time. The company's products sit close to the data and provide data discovery, risk assessment, audit, firewall, encryption and other means to make data security visible and controllable, which ultimately reduces the likelihood of core data assets being infringed and keeps the business running normally.

Prevention and control at the level of the SQL statements that access the database and of the fields that are viewed in it completely prevents attacks such as SQL injection at the root.

4. Meet compliance requirements and pass evaluations quickly. The products provide independent audit and access control, output compliance reports directly, meet the requirements of a number of government regulations and standards, and help pass a variety of security inspections and evaluations quickly, such as security evaluation.

To sum up, Zhong an Visa data security products can provide omni-directional, round-the-clock protection for important sensitive data.
