2025-03-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Security domain division and the accompanying network re-architecture are the basic work of systematic security construction, and they are also the foundation for layered defense in depth, for implementing security management policy and for formulating a reasonable security management system. This process establishes the system's security defense at the network level.
Planning objectives and theoretical basis
Introduction to Security Domain
A security domain is a set of subnets or networks within the same system that have the same security protection requirements, trust each other, and are subject to the same access control and boundary control policy; all members of one network security domain share the same security policy.
Beyond that definition, the generalized concept of a security domain is the collection of IT elements with the same or similar security requirements and policies. These elements include, but are not limited to: physical environment, policies and processes, business and mission, people and organizations, network areas, hosts and systems.
Overall architecture
The security domains are divided as shown in the following figure:
The proposed division is layered: the domains are not simply intersecting or isolated from one another, but sit at different levels of the network and of management.
The network infrastructure domain is the foundation of all domains, including all network equipment and network communication support facilities.
The network infrastructure domain is divided into backbone area, convergence area and access area.
The supporting facility domain is the part that other upper domains need to be used publicly, including: security system, network management system and other supporting systems.
The computing domain consists mainly of servers, databases and similar systems, and is divided into a general service area, an important service area and a core area.
The boundary access domain is the boundary between access devices and terminals of all kinds and the business systems; by access type it can be divided into Internet access, extranet access, intranet access and intranet access.
Content of construction planning
I. Boundary access domain
Division of the boundary access domain
According to the company's actual situation, the boundary access domain is divided to correspond to the access types defined in ISO 13335 as follows (ISO 13335 access type: actual situation):
A connection controlled separately by the organization: intranet access (terminal access, such as the office network); business boundary (such as the core service boundary)
Connection to the public network: Internet access (such as external access to Web and mail servers, Internet access from the office network, etc.)
Connections between different organizations: extranet access (such as access between departments, etc.)
Remote connections within the organization: intranet access (access by units and other departments over a private network)
People in the organization accessing from outside: remote access (such as mobile office and remote maintenance)
Threat analysis of the boundary access domain
Because the boundary access domain is where the company's information system connects to the outside, the main threats are:
* (external * *)
Malicious code (viruses, worms)
Unauthorized access (ultra vires)
Illegal terminal operations
……
Against these main threats to the boundary access domain, the corresponding protective measures are:
Access control (such as a firewall) to deal with external × ×
Remote access management (such as × ×) to deal with unauthorized access
Intrusion detection and prevention (IDS&IPS) to deal with external × × and worms
Malicious code protection (anti-virus) to deal with worms
Terminal management (admission control, patch management, asset management, etc.) for compliance management of terminals
II. Computing domain
Division of the computing domain
The computing domain is the collection of local computing facilities such as application services, middleware, mainframes and databases. Based on the behaviour of the computing environment and the threats to it, it is divided into the following three zones:
General service area
The general service area holds information assets of low protection level (asset level less than or equal to 3) that must provide services directly to the outside, such as office servers. It connects directly to the outside, and at the same time must not be able to access the core area (so that it cannot be used as a springboard for × × the core area).
Important service area
The important service area holds high-level information assets (asset level greater than 3) that do not need to provide services directly, such as front-end processors. It is normally connected to the outside through the general service area, and may access the core area directly.
Core area
The core area holds very high-level information assets (asset level greater than or equal to 4), such as the core database. External access to the core area must be relayed through the important service area.
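The three zone rules above can be checked mechanically. The following is an added example (not part of the original article) that encodes the zones as a directed graph of allowed hops, validates multi-hop access paths, enumerates every path from the outside to the core area, and audits a constructed zone-level ACL for the "springboard" the text warns about. The zone names, the ALLOWED_HOPS table and the sample ACL are assumptions chosen for illustration.

```python
# Zones from the text, plus "external" for everything outside the computing domain.
EXTERNAL, GENERAL, IMPORTANT, CORE = "external", "general", "important", "core"

# Which zone may initiate a connection to which (assumed to be the complete rule set):
#  - general serves the outside directly but must never reach core (no springboard);
#  - important is reached through general and may reach core directly;
#  - core is reached only through important and initiates nothing outward.
ALLOWED_HOPS = {
    EXTERNAL: {GENERAL},
    GENERAL: {IMPORTANT},
    IMPORTANT: {GENERAL, CORE},  # important area reaches the outside via general
    CORE: set(),
}

def hop_allowed(src: str, dst: str) -> bool:
    """True if the zoning policy lets zone src open a connection to zone dst."""
    return dst in ALLOWED_HOPS.get(src, set())

def path_allowed(path) -> bool:
    """Check a multi-hop access path hop by hop, e.g. external->general->important->core."""
    hops = list(path)
    return len(hops) > 1 and all(hop_allowed(a, b) for a, b in zip(hops, hops[1:]))

def external_to_core_paths(max_hops: int = 5) -> list:
    """Enumerate every loop-free path the policy allows from external to core;
    with correct zoning each one passes through the important service area."""
    found = []
    def walk(path):
        if path[-1] == CORE:
            found.append(path)
        elif len(path) < max_hops:
            for nxt in sorted(ALLOWED_HOPS[path[-1]]):
                if nxt not in path:
                    walk(path + [nxt])
    walk([EXTERNAL])
    return found

def audit_acl(rules) -> list:
    """Return the zone-level ACL entries (src, dst, service) that the policy forbids."""
    return [r for r in rules if not hop_allowed(r[0], r[1])]

# Constructed sample ACL, written in zone terms as a firewall team might propose it.
SAMPLE_ACL = [
    (EXTERNAL, GENERAL, "tcp/443"),    # Internet users to an office web server: allowed
    (GENERAL, IMPORTANT, "tcp/8080"),  # web tier to a front-end processor: allowed
    (IMPORTANT, CORE, "tcp/3306"),     # front-end processor to the core database: allowed
    (GENERAL, CORE, "tcp/3306"),       # web tier straight to the core database: springboard
    (EXTERNAL, IMPORTANT, "tcp/22"),   # Internet straight into the important area: forbidden
]
```

Running audit_acl(SAMPLE_ACL) flags exactly the last two entries, and external_to_core_paths() shows that the only allowed route to the core passes through the important service area.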
The division of the computing domain is shown in the following figure:
Threat analysis of the computing domain
Because the computing domain sits inside the information system, the main threats are:
Unauthorized access (ultra vires) and abuse by internal personnel
Operational errors by internal personnel
Software and hardware failure
Insiders tampering with data
Repudiation by insiders
Externally facing service systems suffering * * and illegal * *
Since the threats to the computing domain are mainly internal, the following protective measures are adopted as the main ones:
Security built into application and business development
Application-level audit
Identity authentication and behaviour audit
These are supplemented by other protective means:
Detection of abnormal network behaviour
Access control over information assets
III. Supporting facilities domain
Division of the supporting facilities domain
Placing network management, security management and business operations and maintenance (business operation monitoring) in an independent security domain not only protects these three high-level information systems effectively, but also helps to guarantee backup communication capability in an emergency.
Within it, the management ports of security devices, network devices and business operation monitoring should all be on an independent management VLAN. If conditions permit, separate security, network management and business management VLANs should be created.
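The management VLAN rule above is easy to verify against a port inventory. The following is an added example (not from the original article) that audits a constructed inventory in two ways: the basic rule that every management port of a security, network or monitoring device sits on a dedicated management VLAN and nothing else does, and the stricter per-role split the text recommends when conditions permit. The inventory rows, device names and VLAN numbers are assumptions chosen for illustration.

```python
# Constructed port inventory: (device, role, port_kind, vlan). Roles follow the text:
# security, network and monitoring devices have management ports that belong on a
# dedicated management VLAN; "business" rows are ordinary business hosts.
INVENTORY = [
    ("fw-1",      "security",   "mgmt", 900),
    ("fw-1",      "security",   "data", 10),
    ("core-sw-1", "network",    "mgmt", 900),
    ("nms-1",     "monitoring", "mgmt", 900),
    ("app-srv-1", "business",   "data", 20),
    ("ids-1",     "security",   "mgmt", 20),   # defect: management port on a business VLAN
    ("db-srv-1",  "business",   "data", 900),  # defect: business host inside the management VLAN
]
MGMT_ROLES = {"security", "network", "monitoring"}

def management_vlan_violations(inventory, mgmt_vlans):
    """Basic rule: every management port of a security/network/monitoring device sits in
    one of mgmt_vlans, and no other port does. Returns (device, reason) per violation."""
    violations = []
    for device, role, kind, vlan in inventory:
        is_mgmt_port = role in MGMT_ROLES and kind == "mgmt"
        if is_mgmt_port and vlan not in mgmt_vlans:
            violations.append((device, f"management port on non-management VLAN {vlan}"))
        elif not is_mgmt_port and vlan in mgmt_vlans:
            violations.append((device, f"non-management port inside management VLAN {vlan}"))
    return violations

def split_vlan_violations(inventory, role_to_vlan):
    """Stricter split: one VLAN per role, e.g. {"security": 901, "network": 902,
    "monitoring": 903}. A management port is only acceptable on its own role's VLAN."""
    return [(device, f"{role} management port on VLAN {vlan}, expected {role_to_vlan[role]}")
            for device, role, kind, vlan in inventory
            if role in MGMT_ROLES and kind == "mgmt" and vlan != role_to_vlan[role]]
```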
Threat analysis of the supporting facilities domain
The supporting facilities domain spans multiple business systems and locations; it has high confidentiality and integrity requirements and slightly lower availability requirements. The main threats are:
Leakage over network transmission (e.g. network administrators eavesdropping on business data on network devices)
Unauthorized access and abuse (such as business operators exceeding their authority to operate other business systems)
Internal repudiation (e.g. denial of a misoperation)
Given the threat characteristics and level of the supporting facilities domain, the following protective measures should be taken:
Out-of-band management and network encryption
Authentication and access control
Audit and testing
IV. Network infrastructure domain
Division of network infrastructure domain
Threat analysis of the network infrastructure domain
The main threats are:
Network equipment failure
Network leaks
Physical environment threat
The corresponding protective measures are as follows:
Ensure the availability of the basic network through backup and redundancy
Ensure the confidentiality of the basic network through network transmission encryption
Ensure the integrity of the basic network through network-based authentication