CN101635730B - Method and system for safe management of internal network information of small and medium-sized enterprises


Info

Publication number
CN101635730B
Authority
CN (China)
Prior art keywords
security
module
assets
management
message
Legal status
Active
Application number
CN2009101697252A
Other languages
Chinese (zh)
Other versions
CN101635730A (en)
Inventor
戚建淮
陈飞
张知之
周文柱
伍立华
Current Assignee
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
SHENZHEN RONGDA ELECTRONICS CO Ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for the hosted security management of the internal network information of small and medium-sized enterprises (SMEs), in which the enterprise leases from a security service provider the bandwidth used to redirect messages and the file space used to store message detection logs and reports. The method further comprises: providing, on the internal network terminals and hosts respectively, the terminal security control function and the host security control function supplied by the security service provider; providing, on at least one host, the network device security control function supplied by the security service provider, which controls all network devices that support the SNMP protocol; redirecting, at the exit edge device, messages of preset protocols to the message detection system of the security service provider; establishing an IPSec VPN tunnel to the security service provider and logging in to the SME internal network information security hosting system located in the provider's network; and controlling the terminal, host and network device security control functions through that tunnel.

Description

Method and system for hosted intranet information security of small and medium-sized enterprises
Technical field
The invention relates to a security hosting (managed security service) method and system.
Background art
With the continuous development of computer and network technology, the daily operation of enterprises has become inseparable from information networks. Whether it is a conglomerate, a large enterprise, a small or medium-sized enterprise, or even a start-up workshop, every organization now has an internal network of its own. Networks make it more convenient to collect market information and new technology, to collaborate remotely and to communicate, and so bring convenience to the operation and development of enterprises; network security, however, has always been a chronic weakness of enterprise management. An endless stream of viruses, increasingly subtle hacking techniques and the special position of internal employees constitute a constant threat to the enterprise's knowledge assets. Mitigating network threats so that the network remains a tool for enterprise development has always been the realistic choice facing enterprise administrators.
Conglomerates and large enterprises, thanks to years of accumulated technology, control experience and financial capacity, are able to purchase the best network security products and to employ experienced engineers to deal with network security problems. For small and medium-sized enterprises, however, the network security problem is especially acute: relying on their existing technical capability, limited human resources and limited capital budget, they find it difficult to solve today's information security problems.
At present, the intranet information security of small and medium-sized enterprises is generally handled by deploying anti-virus software on terminals and a traditional firewall or a UTM (Unified Threat Management) firewall device at the interface between the corporate intranet and the Internet, without establishing an information security officer post. This pattern introduces the following potential hazards: 1) a traditional firewall can only inspect packets and does not inspect content, so it cannot prevent hacker attacks, nor can it stop the remote theft of enterprise knowledge assets by means of Trojans; 2) a deployed UTM firewall can provide anti-virus, simple intrusion detection, VPN (Virtual Private Network) and bandwidth management, which is an improvement in protection over a traditional firewall, but the UTM firewall integrates too many functions, which affects its overall performance, and its non-professional anti-virus and simple intrusion detection still cannot stop viruses and intrusion attacks; these functions may even become weaknesses that are exploited illegally; 3) terminal anti-virus software needs frequent upgrades, its maintenance cost is high, and manual inspection is needed to ensure that every terminal has been upgraded.
Some small and medium-sized enterprises purchase a complete intranet security control system and establish an information security officer post for the security control of their intranet. The advantage of this pattern is that dedicated tool software is deployed to assist intranet security management and a dedicated person is engaged in security control, which helps to improve intranet security. Its shortcomings are: purchasing the management system requires special funds; professionals must be assigned to routine operation so that the management system is actually used for daily control; staff salaries must be budgeted; and later investment is also needed, such as upgrade costs and staff training costs. Worse, the developer of the intranet security control system cannot obtain further real operating experience from the products it has already sold, because in many cases the problems that arise in corporate intranet security are solved by the enterprise's own security officer and the handling process is never reported to the manufacturer. The manufacturer therefore cannot acquire knowledge from the user side and cannot effectively improve its product performance or share knowledge.
Summary of the invention
After analyzing the defects and deficiencies of the above intranet security control methods and systems for small and medium-sized enterprises, the present invention proposes a new hosted system and method for corporate intranet information security.
The core concept of the present invention is to construct a security hosting system that supports message detection and asset control, which detects the messages redirected to it by the enterprise and processes the asset running-state data that the enterprise side submits through a VPN tunnel, and which, after performing single-event analysis, event-chain analysis and risk assessment on the various abnormal events, responds on the basis of a preset security policy. The system provides strict identity authentication and data permission control: after an enterprise-level maintainer logs in to the system, he can perform security control only on the assets of his own intranet, and can browse only the security operation reports relevant to his own corporate intranet.
A security hosting system for small and medium-sized enterprises comprises an asset security control module, a message detection module, a security policy module, a terminal security control module, a host security control module and a network device security control module;
the asset security control module is connected to the terminal security control module, the host security control module, the network device security control module, the security policy module and the message detection module, and is used to build a security operation snapshot of the corporate intranet assets from the reported information, to handle security events according to the preset security policy, to control the intranet assets remotely by manual operation, and to provide security operation reports;
the message detection module is connected to the asset security control module and the security policy module, and is used to process the redirected messages of the enterprise and to submit security events to the asset security control module according to the security policy preset in the security policy module;
the security policy module is connected to the asset security control module and the message detection module, and is used to set the asset security baseline, the event handling rules, the event response policy and the application-layer protocol violation response policy;
the terminal security control module is connected to the asset security control module and is used to collect the health data and log data of the terminal computers of the corporate intranet and submit them to the asset security control module, and to receive and execute control commands from the asset security control module;
the host security control module is connected to the asset security control module and is used to collect the health data and log data of the hosts of the corporate intranet and submit them to the asset security control module, and to receive and execute control commands from the asset security control module;
the network device security control module is connected to the asset security control module and is used to collect and receive the health data and SNMP Trap (Simple Network Management Protocol trap) data of the network devices in the corporate intranet that support SNMP (Simple Network Management Protocol), to submit them to the asset security control module, and to receive control commands from the asset security control module and, after converting them into SNMP instructions, submit them to the target network device.
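The conversion of a control command into an SNMP instruction, as described for the network device security control module, can be made concrete with a minimal SNMPv2c GetRequest encoder. The following Python is an added example and not code from the patent or its assignee; the community string, OID and request id are constructed. One caveat a practitioner should keep in mind: SNMPv1 and v2c carry the community string in clear text, so such instructions must travel only inside the IPSec tunnel the patent requires, never across the public network.

```python
"""Minimal SNMPv2c GetRequest encoder in pure Python (BER).

Added example for the network device security control module, which the
patent says converts control commands into SNMP instructions for the target
device. Not code from the patent; community string, OID and request id are
constructed. SNMPv1/v2c send the community string in clear text, so these
datagrams belong inside the IPSec tunnel, never on the public network.
"""


def ber_len(n):
    """BER length: short form below 128, long form (0x80 | octet count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag, length, value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    """INTEGER: two's complement in the minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def snmp_get(community, oid, request_id):
    """SNMPv2c message carrying a GetRequest-PDU (tag 0xA0) for one OID."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # OID with NULL value
    header = ber_int(request_id) + ber_int(0) + ber_int(0)  # request-id, error-status, error-index
    pdu = tlv(0xA0, header + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 means v2c


SYS_UPTIME = "1.3.6.1.2.1.1.3.0"  # sysUpTime.0, a standard MIB-II health indicator


if __name__ == "__main__":
    print(snmp_get("public", SYS_UPTIME, 1).hex())
```

snmp_get("public", SYS_UPTIME, 1) yields the 40-byte datagram that the module would send to UDP port 161 of the target device; a SetRequest differs only in the PDU tag (0xA3) and a typed value in place of the NULL.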
Preferably, the asset security control module comprises an asset snapshot module, a vulnerability scanning module, a security event management module, a security monitoring module and a security report module;
the asset snapshot module receives the data reported by the terminal security control module, the host security control module and the network device security control module, builds the security operation snapshot of the assets from the reported data, generates security events according to the preset asset security baseline and submits them to the security event management module, and receives the remote control messages issued by the security monitoring module and relays them to the terminal security control module, the host security control module and the network device security control module;
the vulnerability scanning module is used for remote scanning of the vulnerability information and network topology information of the running information assets of the corporate intranet, and submits the scan results to the asset snapshot module;
the security event management module receives the security events submitted by the asset snapshot module and the message detection module, responds automatically according to a predetermined policy, notifies the preset enterprise security management personnel, and submits the final result of security event handling to the security report module;
the security monitoring module receives and displays the security alarms submitted by the security event management module, and submits the maintainer's operation instructions to the asset snapshot module;
the security report module receives the security events submitted by the security event management module and automatically generates security operation reports according to preset report templates.
Preferably, the message detection module comprises an application-layer protocol proxy module, an intrusion detection module, an anti-virus module and a security event client module;
the application-layer protocol proxy module receives the redirected messages submitted by the enterprise, submits the messages in turn to the intrusion detection module and the anti-virus module, proxies the messages that pass detection, and submits local security events to the security event client module;
the intrusion detection module receives the messages submitted by the application-layer protocol proxy module, performs intrusion detection on them based on local preset rules, submits the detection result to the application-layer protocol proxy module, and submits local security events to the security event client module;
the anti-virus module receives the messages submitted by the application-layer protocol proxy module, performs virus detection on them based on local preset rules, submits the detection result to the application-layer protocol proxy module, and submits local security events to the security event client module;
the security event client module is used to receive the local security events submitted by the other modules of the message detection module and, after normalizing them into a unified format, submit them to the security event management module of the asset security control module.
Preferably, the terminal security control module, the host security control module and the network device security control module are deployed in the intranet of the enterprise and communicate with the asset security control module through an IPSec VPN (Internet Protocol Security Virtual Private Network, a VPN based on the IPsec protocol) tunnel between the enterprise and the SME security hosting system; the content of the communication is encrypted;
the remote scanning of the vulnerability information and network topology information of the running information assets of the corporate intranet can be performed only through the IPSec VPN tunnel between the enterprise and the SME security hosting system.
Preferably, the maintainer of the enterprise can browse only the security operation reports relevant to the assets of that corporate intranet, can remotely scan only that corporate intranet, and can browse and control only the assets of that corporate intranet;
the maintainer of the enterprise can access the SME security hosting system only through the IPSec VPN tunnel between the enterprise and the SME security hosting system, and that tunnel can only be actively created by the enterprise.
The present invention also provides a method for hosted intranet information security of small and medium-sized enterprises, whose core is: first, the enterprise signs a contract with a security service provider and leases the provider's file space and message detection traffic capacity; second, on the border gateway device connecting the corporate intranet to the public network, messages of preset application-layer protocols are redirected to the message detection server of the security service provider; third, an IPSec VPN tunnel to the security service provider is established on that border, and client modules are downloaded through this tunnel and installed on the intranet assets; finally, security control of the enterprise's intranet assets is carried out through the SME intranet information security hosting system of the security service provider.
A method for hosted intranet information security of small and medium-sized enterprises, wherein the enterprise leases from a security service provider the bandwidth used for redirecting messages and the file space used to store message detection logs and reports, further comprises:
(a) providing, on the intranet terminals and hosts respectively, the terminal security control function and the host security control function supplied by the security service provider; and providing, on at least one host, the network device security control function supplied by the security service provider, which controls all network devices that support the SNMP protocol;
(b) redirecting, on the exit edge device, messages of preset protocols to the message detection system provided by the security service provider;
(c) establishing an IPSec VPN tunnel to the security service provider, logging in to the SME intranet information security hosting system located in the security service provider's network, and performing security control of the terminal security control function, host security control function and network device security control function of step (a) through this tunnel.
Preferably, the message detection system of the security service provider performs attack protection and anti-virus detection on the enterprise's redirected messages and then forwards the legitimate messages through the application-layer protocol proxy; the bandwidth of the redirected messages may use only the leased bandwidth capacity; and
the SME intranet information security hosting system of the security service provider analyzes the log event information and health information reported by the terminal security control function, host security control function and network device security control function of the corporate intranet, and responds on the basis of a preset security baseline.
Preferably, the application-layer protocol proxy comprises an SMTP proxy, a POP3 proxy, an HTTP proxy, an MSN communication proxy and a transparent forwarding proxy, which are used respectively for inspection of mail content, URL filtering, audit of MSN communication content and transparent forwarding of messages; suspicious mail content and attachments, and summary information of MSN communication messages, are all kept as files in the leased file space.
Preferably, the kinds and content of the data entries that the terminal security control function, host security control function and network device security control function report to the SME intranet information security hosting system of the security service provider are customizable; the SME intranet information security hosting system allows only the enterprise-level maintainer to view the security operation status of that enterprise's intranet assets; and the SME intranet information security hosting system provides security operation reports to the enterprise, including daily, weekly, monthly, quarterly and annual reports.
Preferably, the SME intranet information security hosting system of the security service provider can remotely scan the vulnerability information and network topology information of the intranet assets through the VPN tunnel established in step (c); and
the SME intranet information security hosting system of the security service provider promptly notifies the enterprise's preset security manager after discovering a security risk.
The invention provides a method for hosted corporate intranet information security in which the enterprise need not purchase a new complete set of security control equipment, nor appoint a corporate intranet security officer, but can rely on the existing products and services of a security service operator to obtain professional security services. This not only reduces the enterprise's security maintenance cost but also improves the enterprise's intranet security.
In the SME security hosting system provided by the present invention, all information exchange between the corporate intranet information assets and the security hosting system of the security service provider is carried over the IPSec VPN tunnel between the enterprise and the security service provider, which guarantees the privacy of the information; the enterprise user can customize which operating events are to be reported; and the VPN tunnel between the enterprise and the security service provider is actively maintained by the enterprise, which strengthens the enterprise user's independence;
in the SME security hosting system provided by the present invention, the enterprise user can log in to the security hosting system only through the VPN tunnel between itself and the security service provider, and can browse and control only its own intranet assets, which further protects the enterprise's private information;
in the SME security hosting system provided by the present invention, anti-virus and intrusion detection can be carried out on the messages redirected by the enterprise, so that real-time content inspection of messages between the enterprise and the public network is achieved and mail, instant messaging and Internet access can be effectively controlled in good time.
Description of drawings
Fig. 1 is a functional block diagram of the SME intranet information security hosting system according to the invention.
Fig. 2 is a flow chart of the method for hosted SME intranet information security according to the invention.
Fig. 3 is a flow chart of event handling in the method for hosted SME intranet information security according to the invention.
Embodiments
As shown in Fig. 1, the functional block diagram of the SME intranet information security hosting system according to the invention comprises an asset control module M0, a message detection module M1, a security policy module M2, a terminal security control module M3, a host security control module M4, a network device security control module M5 and an authentication module M6.
The terminal security control module M3, the host security control module M4 and the network device security control module M5 are downloaded by the SME user and installed on the terminals, hosts and PC servers of the enterprise intranet; they are used to collect running data from the terminals, hosts and controlled network devices, and to receive control commands originating from the asset control module M0.
The asset control module M0, the message detection module M1, the security policy module M2 and the authentication module M6 are deployed in the protected machine room of the security service provider.
The modules located in the corporate intranet communicate with the modules located on the security service provider side through an IPSec VPN (VPN based on the IPsec protocol) tunnel, in order to realize running-state monitoring and security control.
The asset control module M0 is used for the security control of the corporate intranet assets in the SME intranet information security hosting system according to the invention, and can itself be packaged as a stand-alone service to support the enterprise user in controlling its own intranet assets. It receives and processes the login messages and heartbeat messages submitted by the terminal security control module M3, the host security control module M4 and the network device security control module M5; automatically generates response instructions according to the response policy configured in the security policy module M2 and issues them to the terminal security control module M3 and/or the host security control module M4 and/or the network device security control module M5; receives the maintainer's configuration instructions and issues them to the same modules; receives and processes the security event data submitted by the message detection module M1; and receives the response policy and security baseline data from the security policy module M2.
The asset control module M0 internally comprises an asset snapshot module M01, a security event management module M02, a security report module M03, a security monitoring module M04 and a vulnerability scanning module M05.
The asset snapshot module M01 is connected to the terminal security control module M3, the host security control module M4 and the network device security control module M5 deployed in the corporate intranet, and is used to receive and process the registration messages and heartbeat messages submitted by these modules and to issue control commands to them. The asset snapshot module M01 uses the registration messages and heartbeat messages to build the running-state security snapshot of the intranet assets, raises alarms and constructs security events for attributes in the snapshot that have departed from the preset security baseline, and likewise constructs security events from the log data that meets the log information filter conditions; it submits these events to the security event management module M02. The asset snapshot module M01 is also connected to the vulnerability scanning module M05 and the security monitoring module M04: it receives and processes the vulnerability information, topology information and operating-system fingerprint information submitted by the vulnerability scanning module M05, and receives and processes the control commands submitted by the security monitoring module M04.
The security event management module M02 is connected to the asset snapshot module M01, the message detection module M1, the security monitoring module M04 and the security report module M03, and is used to process the events submitted by the asset snapshot module M01 and the security events submitted by the message detection module M1, including single-event processing, event-chain processing and risk assessment processing; according to the response policy of the security policy module M2, it submits the events and response commands to the security monitoring module M04, and submits all processed events to the security report module M03.
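How the asset snapshot module M01 and the security event management module M02 work together, as summarized earlier and detailed in the two preceding paragraphs, is illustrated below: the newest heartbeat per asset forms the snapshot, attributes that depart from the baseline and log lines that meet a filter condition become single events, events on one asset inside a time window are correlated into a chain event, and the highest resulting severity selects the response from the policy. This Python is an added example, not code from the patent or its assignee; the heartbeat fields, baseline thresholds, chain rule, log lines and response policy are all constructed.

```python
"""Snapshot, baseline check, event chain and policy response (modules M01/M02).

Added example, not the patent's code: heartbeats form the snapshot, baseline
departures and matching log lines become single events, events on one asset
inside a window become a chain event, and severity selects the response.
Heartbeat fields, baseline, chain rule, log lines and policy are constructed.
"""
import re
from collections import defaultdict

# Constructed heartbeats from the terminal/host control modules (newest wins).
HEARTBEATS = [
    {"asset": "pc-17", "kind": "terminal", "ts": 100, "av_running": True, "sig_age_days": 2, "fw_on": True},
    {"asset": "pc-17", "kind": "terminal", "ts": 160, "av_running": False, "sig_age_days": 2, "fw_on": True},
    {"asset": "srv-02", "kind": "host", "ts": 120, "av_running": True, "sig_age_days": 21, "fw_on": False},
]
# Constructed asset security baseline: (field, predicate that must hold, event type, severity 1-5).
BASELINE = {
    "terminal": [("av_running", lambda v: v is True, "av_stopped", 3),
                 ("sig_age_days", lambda v: v <= 7, "av_signatures_stale", 2)],
    "host": [("av_running", lambda v: v is True, "av_stopped", 4),
             ("sig_age_days", lambda v: v <= 7, "av_signatures_stale", 3),
             ("fw_on", lambda v: v is True, "host_firewall_off", 4)],
}
# Constructed log lines and the filter conditions that promote them to events.
LOGS = ["ts=170 asset=pc-17 msg=outbound connect blocked dst=203.0.113.9:4444",
        "ts=171 asset=pc-17 msg=user login ok"]
LOG_FILTERS = [(re.compile(r"asset=(\S+) msg=outbound connect blocked"), "outbound_blocked", 2)]
# Chain rule: all listed types on one asset within the window form one higher-severity event.
CHAIN_RULES = [({"av_stopped", "outbound_blocked"}, 120, "suspected_malware_activity", 5)]
# Response policy keyed by severity.
RESPONSE_POLICY = {5: "isolate_asset", 4: "notify_admin", 3: "notify_admin", 2: "log_only", 1: "log_only"}


def build_snapshot(heartbeats):
    """Running-state snapshot: the newest heartbeat per asset."""
    snap = {}
    for hb in sorted(heartbeats, key=lambda h: h["ts"]):
        snap[hb["asset"]] = hb
    return snap


def baseline_events(snapshot):
    """Single-event analysis: every attribute departing from the baseline is an event."""
    events = []
    for asset, state in snapshot.items():
        for field, holds, etype, sev in BASELINE[state["kind"]]:
            if not holds(state[field]):
                events.append({"asset": asset, "ts": state["ts"], "type": etype, "sev": sev})
    return events


def log_events(lines):
    """Log data meeting a filter condition becomes an event."""
    events = []
    for line in lines:
        ts = int(re.search(r"ts=(\d+)", line).group(1))
        for pattern, etype, sev in LOG_FILTERS:
            m = pattern.search(line)
            if m:
                events.append({"asset": m.group(1), "ts": ts, "type": etype, "sev": sev})
    return events


def chain_events(events):
    """Event-chain analysis: correlate events per asset inside a time window."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e["asset"]].append(e)
    chains = []
    for asset, evs in by_asset.items():
        for needed, window, etype, sev in CHAIN_RULES:
            hits = [e for e in evs if e["type"] in needed]
            times = [e["ts"] for e in hits]
            if {e["type"] for e in hits} == needed and max(times) - min(times) <= window:
                chains.append({"asset": asset, "ts": max(times), "type": etype, "sev": sev})
    return chains


def respond(events):
    """Risk assessment: the most severe event per asset selects the policy response."""
    worst = {}
    for e in events:
        if e["sev"] > worst.get(e["asset"], (0, ""))[0]:
            worst[e["asset"]] = (e["sev"], e["type"])
    return {asset: (etype, RESPONSE_POLICY[sev]) for asset, (sev, etype) in worst.items()}


def run(heartbeats=HEARTBEATS, lines=LOGS):
    """Full pipeline: snapshot -> single events -> chain events -> response per asset."""
    single = baseline_events(build_snapshot(heartbeats)) + log_events(lines)
    return respond(single + chain_events(single))
```

On the constructed input, pc-17 stops its anti-virus and is then seen connecting outbound to a blocked destination within the window, so the chain rule raises it to severity 5 and the policy answers with isolate_asset; srv-02 only violates the baseline (stale signatures, firewall off) and receives notify_admin. A real deployment would be driven by the response policy and baseline held in the security policy module rather than by constants.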
The security report module M03 is connected to the security event management module M02 and is used to receive the events submitted by the security event management module M02 and to generate reports according to preset report templates; this module provides a user interface through which the operator defines, modifies and deletes report templates. It can be set so that an enterprise-level user can manage only the security operation reports of his own intranet assets.
The security monitoring module M04 is connected to the asset snapshot module M01 and the security event management module M02, and is used to receive the event data and automatic response commands submitted by the security event management module M02, to raise audible and visual alarms for the event data and, as indicated by the response command, to notify the enterprise management personnel of the event data by e-mail, MSN or QQ; or, as indicated by the response command, to submit the command to the asset snapshot module M01, which sends the command to the correct executing entity.
The vulnerability scanning module M05 is connected to the asset snapshot module M01 and is used to scan the vulnerability information, operating-system fingerprint information and network topology information of the specified target devices and/or target network segment, and to submit the scanned information to the asset snapshot module M01.
The message detection module M1 is connected to the asset control module M0 and the security policy module M2, and is used to receive and process the redirected messages submitted by the SME's border gateway device. After intrusion detection processing and anti-virus processing, the redirected messages are transparently forwarded by the application-layer protocol proxy; when an anomaly is detected, a security event is generated and submitted to the asset control module M0; the log files produced during message detection are kept in the file space leased by the enterprise user.
The message detection module M1 internally comprises an application-layer protocol proxy module M11, an intrusion detection module M12, an anti-virus module M13 and a security event client module M14.
The application-layer protocol proxy module M11 is connected to the security event client module M14, the anti-virus module M13 and the intrusion detection module M12, and is used to receive and process the redirected messages submitted by the enterprise's border gateway device. Redirected messages originating from the enterprise are, after intrusion detection processing and anti-virus processing, transparently forwarded by the proxy for the respective application-layer protocol; return messages originating from Internet applications are issued to the enterprise's border gateway device only after intrusion detection and anti-virus processing. The legitimate border gateway devices must be configured in this module: the module inspects incoming and outgoing messages and automatically discards every message whose source address and destination address are both unregistered. This module integrates an SMTP protocol proxy, a POP3 protocol proxy, an HTTP protocol proxy, an MSN proxy, a QQ proxy and a protocol-agnostic proxy, which are used respectively to handle mail, web page browsing, instant messaging and transparently forwarded messages. When a protocol proxy detects an anomaly during operation, it creates a corresponding security event and submits it to the security event client module M14; the application-layer protocol proxy module also submits message flow statistics to the security event client module M14 in the form of security events.
While forwarding messages, the application-layer protocol proxy module M11 uses a token bucket for flow control; messages originating from the same legitimate enterprise share one bucket. Messages exceeding the flow threshold are discarded directly.
The intrusion detection module M12 is connected to the application-layer protocol proxy module M11, receives the packets M11 submits and performs intrusion detection on them. The module holds the detection rules delivered by the security policy module M2 and applies them to every packet. When an attack is detected it generates a security event and submits it to the security event client module M14, and at the same time requests M11 to terminate the session associated with the offending packet.
The anti-virus module M13 is connected to the application-layer protocol proxy module M11, receives the packets M11 submits and performs anti-virus processing on them. The anti-virus results are saved as log files; an integrated log-mining function periodically inspects the log content and, when a virus is found, generates a security event, submits it to the security event client module M14 and requests M11 to terminate the session associated with the offending packet.
The security event client module M14 is connected to the application-layer protocol proxy module M11, the intrusion detection module M12 and the anti-virus module M13. It receives the security events these modules submit, checks their format, and forwards them to the security event management module M02 of the asset management and control module M0, which handles them. This module is controlled by the security policy module M2 and reports only the security events the policy specifies; by default all security events are reported.
The security policy module M2 is connected to the asset management and control module M0 and to the message detection module M1, and lets maintenance staff configure security baselines, security event handling policies, intrusion detection rules, security event reporting rules and so on. Security baseline data and security event handling policy data are delivered to the asset management and control module M0; intrusion detection rules and security event reporting rules are delivered to the message detection module M1. A policy set by a system-level administrator of the system according to the invention is visible to all enterprise-level administrators, whereas a policy set by an enterprise-level administrator is visible only to the other administrators of that enterprise. A selected policy must be enabled explicitly by each enterprise-level administrator; by default no policy is enabled.
The terminal security management and control module M3 is connected to the asset snapshot module M01 of the asset management and control module M0 and to the authentication module M6. It reports the running state of Windows terminals and receives control commands from the asset snapshot module M01, thereby implementing security management and control of the terminal assets of the corporate intranet. After start-up it collects hardware information, neighbor information and software information, builds an authentication message from them and applies to register with the asset snapshot module M01; thereafter it builds heartbeat messages from the hardware information, neighbor information, software information and log entries that it collects and mines periodically during operation, and reports its running state to the asset snapshot module M01. Optionally, the terminal security management and control module M3 initiates authentication to the authentication module M6 at irregular intervals; only after authentication succeeds does M3 enter its normal operating state, otherwise it may lock the terminal, rendering it unusable.
The host security management and control module M4 is connected to the asset snapshot module M01 of the asset management and control module M0 and to the authentication module M6. It reports the running state of hosts and receives control commands from the asset snapshot module M01, thereby implementing security management and control of the host-class assets of the corporate intranet. The module first sends an identity authentication request to the authentication module M6; only after mutual authentication succeeds does it register with the asset snapshot module M01 and start reporting heartbeat messages. The registration message contains the hardware device and software information collected; a heartbeat message contains the periodically collected hardware and software information together with the filtered log entries. The host security management and control module M4 lets administrators customize the content of the registration and heartbeat messages so that selected process and service information can be masked.
The network device security management and control module M5 is connected to the asset snapshot module M01 of the asset management and control module M0 and to the authentication module M6. It reports the running state of each network device under its management and receives control commands from the asset snapshot module M01, converting them into standard SNMP commands and submitting them to the target network device, thereby implementing security management and control of the target device. One instance of this module can manage several SNMP-capable network devices. Immediately after start-up the module requests authentication from the authentication module M6; once verified, it collects the hardware and software information of the machine hosting it, builds a registration message from that information and registers with the asset snapshot module M01. Thereafter, according to a preset command set and polling frequency, it collects the running-state data of each network device and reports it to the asset snapshot module M01, which uses this data to build a running snapshot of the network devices. It also receives the devices' SNMP Trap messages, formats them and saves them in a buffer whose contents are submitted periodically to the asset snapshot module M01.
The authentication module M6 is connected to the terminal security management and control module M3, the host security management and control module M4 and the network device security management and control module M5. It performs node authentication for each module deployed in the corporate intranet and performs user authentication when an enterprise administrator logs in to the system according to the invention. By default the module authenticates nodes with mutual authentication based on X.509 digital certificates under a PKI, and verifies user identities with one-way X.509 certificate authentication. After successful authentication the module requests the firewall to open the communication path from the client to the services of the system according to the invention; it periodically checks the online state of nodes and users and, when one is found to be offline, immediately requests the firewall to close that client's communication path to the system services.
As shown in Figure 2, the SME intranet information security custodial method according to the invention comprises the following steps:
Step S1: install the intranet security management and control software. From the service network of the security service provider, download the Windows terminal security management and control software, the Linux host security management and control software, the Unix host security management and control software, the Windows host security management and control software and the network device security management and control software, and install them on the terminal computers, the hosts and a spare computer respectively.
Before this step, the enterprise must sign an agreement with the security service provider that settles the leased dedicated bandwidth for redirected-packet inspection and the leased file-space capacity for storing security reports and security inspection logs, and must obtain from the security service provider the VPN client access username/password and the security custodial system administrator username/password assigned to it, together with the public VPN server IP address, the security custodial system IP address and so on.
With this access information, the enterprise user first uses the VPN client username/password to establish an IPSec VPN to the security service provider's network, then accesses the security custodial system through this VPN tunnel and downloads the terminal security management and control software, the host security management and control software and the network element security management and control software from its web site.
The terminal security management and control software is the terminal security management and control module M3 of the SME intranet information security custodial system according to the invention. It supports security management and control of Windows terminals only and comprises software whitelist control, file protection control, security operation log retrieval and asset control functions. On installation it automatically generates a local software whitelist; the whitelist control and file protection function modules are drivers that load with the operating system. The whitelist content and the target files under file control are reported automatically to the security custodial system, so that the enterprise maintenance staff can centrally control the Windows terminals of their intranet through this security management and control system. File protection control automatically prevents the whitelist driver and the whitelist files from being accessed by unauthorized processes, i.e. terminal users cannot access these files. On start-up the terminal security management and control software proactively reports asset information: hardware information, i.e. the hardware assets listed in the Windows Device Manager, such as CPU, memory, hard disk, monitor, network adapter and graphics card; user information, comprising user and group information; service information, comprising service name, state, process ID, description and the executable's long file name; active ports, comprising port number and protocol; active connections, comprising local IP, local port, remote IP, remote port and protocol; shared directory information; network configuration information; neighbor information, comprising MAC (Media Access Control) address and IP address; active process information, comprising process name, process ID and the modules loaded by the process; startup group information, comprising registry key, name and executable name with absolute path; and kernel module information, comprising short and long file names. All of this information is obtained through WMI (Windows Management Instrumentation) or Windows kernel functions and submitted to the SME intranet information security custodial system on the security service provider side, which rebuilds an asset running snapshot from the data the terminal security management and control software submits. In this system, besides hardware assets, the enterprise maintenance staff can also control software assets, including stopping services, terminating processes, closing connections and removing shares. The terminal security management and control software must run with administrator privileges.
During operation the terminal security management and control software periodically reports heartbeat messages to the SME intranet information security custodial system of the security service provider. Besides the items of the start-up report, a heartbeat message also carries the log entries retrieved from the running logs, including time, OS event ID and event description, converted into the unified log event format: detector (terminal security management and control software), event flag (OS event ID), time (OS event time), source IP (the terminal IP, or the source IP filtered out of the log entry), source port (ANY, or the source port filtered out of the log entry), target IP (the terminal IP, or the target IP filtered out of the log entry), target port (ANY, or the target port filtered out of the log entry) and event content (event description). Log retrieval uses Lua regular expressions (Lua patterns), with a separate expression defined for each event of interest.
The host security management and control software, i.e. the host security management and control module M4 of the SME intranet information security custodial system according to the invention, comes in three classes: Windows host, Linux host and Unix host security management and control. A digital certificate must first be issued for this software on the security service provider's SME intranet information security custodial system; otherwise X.509 entity authentication between the software and the custodial system cannot be enabled. On start-up the host security management and control software reports its local running environment information to the custodial system, and through the custodial system the running environment can be controlled, including forcibly terminating processes, defragmenting files, closing active connections, forcing users offline and restarting services. The running environment information comprises load information, including disk capacity and load, memory capacity and load, CPU capacity and load, and network capacity and load; active port information, including port number and process ID; active process information, including CPU consumption, memory consumption, command name, the user that started it and the associated module names (long file names and sockets); active user information, including user name, terminal name, IP address and login time; active connection information, including local IP, local port, remote IP, remote port and connection state; and security operation log information, including time, user name, IP address and result description. All information is collected through API functions rather than shell commands.
During normal operation the host security management and control software also periodically reports host status information. Besides the items of the start-up report, this information contains the log entries matched by string comparison from the security operation log and the operating system log (including time, operation result and operation content), converted into the unified log event format: detector (host security management and control software), event flag (the event ID found from the matched keyword), time (OS event time), source IP (the host IP, or the source IP filtered out of the log entry), source port (ANY, or the source port filtered out of the log entry), target IP (the host IP, or the target IP filtered out of the log entry), target port (ANY, or the target port filtered out of the log entry) and event content (the union of the operation result and the operation content). Log event collection likewise uses Lua regular expressions to extract the content.
The network element security management and control software, i.e. the network device security management and control software, is the network device security management and control module M5 of the SME intranet information security custodial system according to the invention. It manages the SNMP-capable devices of the corporate intranet, such as routers, switches and firewalls. It is deployed independently on at least one host so that it can manage the network devices of different subnets. Unlike the terminal and host security management and control software described above, one copy of the network element security management and control software can manage several network devices. It collects the health data of the monitored devices through SNMP and embeds the public MIBs of mainstream vendors such as Huawei, H3C, Cisco and D-Link; it also receives the devices' SNMP Trap messages. When configuring the IP address of a managed network device, only the IP address of its management port may be configured. The software also supports collecting device running-state data through CLI (Command Line Interface) commands, but when the CLI mode is enabled the vendor and model of the managed device must be configured, because CLI commands are tightly coupled to the vendor and model of the equipment.
After start-up the network element security management and control software sends its own status message to the SME intranet information security custodial system; its content matches the asset information reported by the terminal security management and control software. Thereafter, at a preset interval, it collects the running data of each managed network device, such as network throughput, CPU load and memory load, and at the same time parses the SNMP Trap messages received from the device during the current interval into fixed-format event data: detector (network element security management and control software), event flag (obtained by looking up the event label table with the SNMP Trap content), time (event time), source IP (the network element IP, or the source IP filtered out of the SNMP Trap content), source port (ANY, or the source port filtered out of the Trap content), target IP (the network element IP, or the target IP fil​tered out of the SNMP Trap content), target port (ANY, or the target port filtered out of the SNMP Trap content) and event content (the SNMP Trap rendered as a string); these are reported to the custodial system. Through the operation interface of the SME intranet information security custodial system, the administrator can manually extract business data from a specified network device, such as its routing table, spanning tree and rules. The administrator can also specify whether a device's configuration is to be integrity-verified; the network element security management and control software then periodically collects the configuration data of each device marked for integrity verification and compares it with the previous copy, and when a change is found it immediately creates a log event and caches it in the log event queue. The log event queue consists of several sub-queues, each headed by the IP address of a managed device.
The network element security management and control software also embeds a syslog (system log protocol) service: once this function is enabled, devices that support syslog can be made to send their syslog entries to the host running the network element security management and control software, and enabling the syslog service automatically enables log analysis. It further integrates a TFTP (Trivial File Transfer Protocol) service: once enabled, devices that support TFTP can be required to upload their local logs to the host running the network element security management and control software. This function filters the uploaded log entries with preset filtering rules (Lua regular expressions) and, when a match is found, constructs a log event comprising detector (network element security management and control software), event flag (determined by the filter condition the log entry matched), time (time the log was generated), source IP (IP of the machine that produced the log), source port (ANY, or the source port filtered out of the log content), target IP (IP of the machine that produced the log, or the target IP filtered out of the log content), target port (ANY, or the target port filtered out of the log content) and event content (the log description), and caches it in the log event queue. The software reads this queue at a fixed interval and reports its content to the SME intranet information security custodial system; a log event entry is removed from the buffer only after it has been reported successfully. When the buffer is full, its content is dumped to a local file and the buffer is emptied; the dumped file is uploaded as soon as the custodial system is found to be reachable again.
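The unified log event format shared by the three agents above (the terminal heartbeat, the host status report and the network element syslog/TFTP filter), together with the per-device log event queue that is cleared only after a successful report, as an added example in Go. It is not part of the patent or of any product: the log line shapes, rule names, event flags and addresses are constructed for the example, and Go's RE2 regular expressions with named groups stand in for the Lua patterns the description specifies. A group the pattern does not capture falls back to the reporting node's own address or to ANY, which is the rule the description states for every agent.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// LogEvent is the unified log event format of the description.
type LogEvent struct {
	Detector, EventFlag string
	Time                time.Time
	SrcIP, SrcPort      string // port is "ANY" when the entry carries none
	DstIP, DstPort      string
	Content             string
}

// rule pairs one pattern with one event flag, as the description assigns one
// Lua pattern per event of interest. Named groups ts, desc, src, sport, dst
// and dport are optional; missing ones fall back to the node IP or "ANY".
type rule struct {
	detector, flag string
	re             *regexp.Regexp
}

// Constructed rules for three log shapes; the line formats are assumptions.
var rules = []rule{
	{"terminal security agent", "4625", regexp.MustCompile(
		`^(?P<ts>\S+ \S+) EventID=4625 (?P<desc>[^.]+\.).*Source Network Address: (?P<src>[\d.]+).*Source Port: (?P<sport>\d+)`)},
	{"host security agent", "SSH_AUTH_FAIL", regexp.MustCompile(
		`^(?P<ts>\S+ \S+) sshd\[\d+\]: (?P<desc>Failed password for \S+ from (?P<src>[\d.]+) port (?P<sport>\d+))`)},
	{"network element agent", "LINK_DOWN", regexp.MustCompile(
		`^(?P<ts>\S+ \S+) (?P<src>[\d.]+) %LINK-3-UPDOWN: (?P<desc>Interface \S+, changed state to down)`)},
}

// Normalize runs one log line from the node at nodeIP through the rule table
// and returns the unified event; ok is false when no rule matches.
func Normalize(nodeIP, line string) (ev LogEvent, ok bool) {
	for _, r := range rules {
		m := r.re.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		pick := func(name, def string) string { // named group, or def when absent
			if i := r.re.SubexpIndex(name); i > 0 && m[i] != "" {
				return m[i]
			}
			return def
		}
		ts, err := time.Parse("2006-01-02 15:04:05", pick("ts", ""))
		if err != nil {
			ts = time.Now() // no usable timestamp in the entry: use receipt time
		}
		return LogEvent{r.detector, r.flag, ts, pick("src", nodeIP), pick("sport", "ANY"),
			pick("dst", nodeIP), pick("dport", "ANY"), strings.TrimSpace(pick("desc", ""))}, true
	}
	return LogEvent{}, false
}

// EventQueue is the agent-side log event queue: one sub-queue per reporting
// node IP, cleared only after the report for that node succeeds.
type EventQueue struct{ sub map[string][]LogEvent }

func NewEventQueue() *EventQueue { return &EventQueue{sub: map[string][]LogEvent{}} }

func (q *EventQueue) Push(nodeIP string, ev LogEvent) { q.sub[nodeIP] = append(q.sub[nodeIP], ev) }

// Report hands each sub-queue to send; a failed send keeps those events for the next interval.
func (q *EventQueue) Report(send func(nodeIP string, evs []LogEvent) error) (sent, kept int) {
	for ip, evs := range q.sub {
		if err := send(ip, evs); err != nil {
			kept += len(evs)
			continue
		}
		sent += len(evs)
		delete(q.sub, ip)
	}
	return sent, kept
}

// Constructed sample lines: a Windows security event, a Linux sshd entry and a switch syslog line.
var samples = []struct{ node, line string }{
	{"10.0.1.21", "2024-03-05 09:15:02 EventID=4625 An account failed to log on. Source Network Address: 10.0.1.77 Source Port: 51522"},
	{"10.0.2.5", "2024-03-05 09:15:40 sshd[2211]: Failed password for root from 203.0.113.9 port 40022 ssh2"},
	{"10.0.0.1", "2024-03-05 09:16:10 10.0.0.1 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down"},
}

func main() {
	q := NewEventQueue()
	for _, s := range samples {
		if ev, ok := Normalize(s.node, s.line); ok {
			q.Push(s.node, ev)
		}
	}
	sent, kept := q.Report(func(ip string, evs []LogEvent) error {
		for _, e := range evs {
			fmt.Printf("%s %-24s %-13s %s:%s -> %s:%s %q\n", ip, e.Detector, e.EventFlag, e.SrcIP, e.SrcPort, e.DstIP, e.DstPort, e.Content)
		}
		return nil
	})
	fmt.Println("reported", sent, "kept", kept)
}
```

The queue keeps a failed node's events in place rather than re-queueing them, which is what the description's "removed only after a successful report" requires; a full buffer would be dumped to a local file in the same way, which the example leaves out.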
Step S2: redirect outbound packets to the message detection service system. On the edge device between the intranet and the public network, the enterprise administrator redirects the packets of the predetermined application-layer protocols to the message detection service system of the SME intranet information security custodial system, which inspects the redirected packets.
The message detection service system is the message detection module M1 of the SME intranet information security custodial system according to the invention; this module can be deployed independently and therefore appears externally as a stand-alone message detection service system.
If the edge device supports per-protocol redirection, as an application-level gateway does, the packets of the specified protocols (or of all protocols) can be redirected to the message detection service system. If none of the edge devices supports packet redirection, a VPN tunnel to the message detection service system must first be established; this tunnel encapsulates packets in IP-over-IP (IP encapsulated in IP) and all outbound packets are sent through it. Because sending outbound traffic through a VPN tunnel can affect performance under heavy load, several tunnels may have to be built and the intranet topology re-planned according to actual conditions, so that traffic is split across the different tunnels within the intranet by configuring different routing relationships.
The flow of redirected packets an enterprise submits may not exceed its leased flow capacity. The message detection system on the security service provider side limits the relayed traffic with token-bucket policing and directly discards the packets that exceed the leased capacity.
When the message detection system located in the security service provider's machine room receives a redirected packet, it first verifies the source end and/or the destination: only packets whose source or destination IP is registered pass, and all others are discarded directly. The packet is then submitted to the appropriate internal application-layer protocol proxy module M11 according to its protocol.
The application-layer protocol proxies comprise an SMTP proxy, a POP3 proxy, an HTTP proxy, an MSN proxy, a QQ proxy and a protocol-agnostic proxy, used respectively for network mail control, web access control, instant messaging control and simple control of traffic whose protocol is not distinguished. By default an application-layer packet is submitted to the proxy for its protocol, but the enterprise administrator can specify that the message detection system handle only some protocols individually, such as HTTP, with all other protocols submitted to the protocol-agnostic proxy.
The SMTP proxy and the POP3 proxy use a similar processing mechanism: the active mail content is first obtained by protocol decoding; outgoing mail is then filtered by keyword, and if a match is found the mail content is written to the leased file space. If content classified at the core secrecy level is matched, the content is saved to the file space, an alarm is generated and the mail is not relayed. Mail attachments are simply saved to the file space for manual audit; attachment content is not decoded. Finally the packet is relayed transparently.
The HTTP proxy first records the protocol header fields; it then drops packets directly according to the preset URL blacklist, drops accesses that violate the preset time-period and client-segment policy, and finally relays the HTTP packet transparently. All header field information is saved to the file space in XML format, grouped by time period.
The MSN proxy and the QQ proxy use a similar processing mechanism: they record the source IP address, its online duration and its message frequency, optionally save the conversation content and contact attachments to the file space, and finally relay the packet transparently. Because the conversation content of MSN and QQ is encrypted, conversation information is not saved by default.
The protocol-agnostic proxy simply records the source IP, source port, protocol, target IP, target port and packet length, and relays the packet transparently.
Before the application-layer protocol proxies process the packets described above, intrusion detection and anti-virus processing are carried out. A packet is first submitted to the intrusion detection module M12, which acts as a NIDS (Network Intrusion Detection System) and performs intrusion detection on packets of known protocols. When M12 detects a definite attack signature, it directly notifies the application-layer protocol proxy module M11 to close the associated session and generates an alarm event; when it detects an attack signature but is not certain, it generates an alarm event only. The packet is subsequently submitted to the anti-virus module M13, which serves as the anti-virus gateway; its embedded processing module collects the running log of the anti-virus engine in real time (extracting content with regular expressions), and when a virus is found it likewise generates an alarm and requires M11 to close the associated active session.
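The front half of the message detection pipeline of this step, i.e. the registration check on source or destination address, the token bucket shared by all gateways of one enterprise, and the NIDS rules with the certain/uncertain distinction that decides between closing the session and alarm only, as an added Go example; it is not the patent's own code. The gateway and enterprise identifiers, the leased capacity figures, the two rules and the substring matcher that stands in for a real signature language are all assumptions, and the protocol proxies themselves are left out.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// Packet is the slice of a redirected packet the detector needs.
type Packet struct {
	SrcIP, DstIP, Session, Payload string // Session: what the proxy closes on request
	Size                           int    // bytes charged to the leased capacity
}

// Verdict.Action is "drop", "forward" or "close"; Rule names the signature or drop reason.
type Verdict struct{ Action, Rule string }

// TokenBucket holds up to capacity tokens and refills at rate tokens per second.
type TokenBucket struct {
	capacity, tokens, rate float64
	last                   time.Time
}

// Take refills for the elapsed time and refuses when fewer than n tokens remain.
func (b *TokenBucket) Take(n float64, now time.Time) bool {
	b.tokens = math.Min(b.capacity, b.tokens+now.Sub(b.last).Seconds()*b.rate)
	b.last = now
	if b.tokens < n {
		return false
	}
	b.tokens -= n
	return true
}

// Signature is one NIDS rule; Certain selects between closing the session and alarm only.
type Signature struct {
	Name, Match string // Match is a substring stand-in for a real rule language
	Certain     bool
}

var DefaultRules = []Signature{ // constructed for the example
	{"sql-injection", "' OR 1=1", true},
	{"path-traversal", "../", false},
}

// Detector is the front half of message detection module M1.
type Detector struct {
	gateway map[string]string       // registered gateway IP -> enterprise
	buckets map[string]*TokenBucket // one shared bucket per enterprise
	rules   []Signature
	Alarms  []string // security events handed to client module M14
}

func NewDetector(rules []Signature) *Detector {
	return &Detector{gateway: map[string]string{}, buckets: map[string]*TokenBucket{}, rules: rules}
}

// Register records a legitimate border gateway and, once per enterprise, the
// leased capacity as a bucket (burst bytes, sustained bytes per second).
func (d *Detector) Register(enterprise, gatewayIP string, burst, rate float64, now time.Time) {
	d.gateway[gatewayIP] = enterprise
	if _, ok := d.buckets[enterprise]; !ok {
		d.buckets[enterprise] = &TokenBucket{burst, burst, rate, now}
	}
}

// Inspect applies the checks in the text's order: registration of source or
// destination, leased capacity, then NIDS rules ahead of the protocol proxy.
func (d *Detector) Inspect(p Packet, now time.Time) Verdict {
	ent, ok := d.gateway[p.SrcIP]
	if !ok {
		ent, ok = d.gateway[p.DstIP]
	}
	if !ok {
		return Verdict{"drop", "unregistered address"}
	}
	if !d.buckets[ent].Take(float64(p.Size), now) {
		return Verdict{"drop", "over leased capacity"}
	}
	for _, r := range d.rules {
		if !strings.Contains(p.Payload, r.Match) {
			continue
		}
		d.Alarms = append(d.Alarms, fmt.Sprintf("%s %s session=%s", ent, r.Name, p.Session))
		if r.Certain {
			return Verdict{"close", r.Name} // proxy is told to terminate the session
		}
		return Verdict{"forward", r.Name} // alarm only; the proxy still relays the packet
	}
	return Verdict{"forward", ""}
}

func main() {
	now := time.Unix(1700000000, 0)
	d := NewDetector(DefaultRules)
	d.Register("acme", "198.51.100.10", 3000, 1000, now)
	for _, p := range []Packet{ // constructed traffic; 198.51.100.10 is the registered gateway
		{"192.0.2.1", "203.0.113.5", "s0", "GET / HTTP/1.1", 100},
		{"198.51.100.10", "203.0.113.5", "s1", "GET / HTTP/1.1", 1500},
		{"198.51.100.10", "203.0.113.5", "s2", "GET /?id=1' OR 1=1-- HTTP/1.1", 200},
		{"198.51.100.10", "203.0.113.5", "s3", "GET /../../etc/passwd HTTP/1.1", 200},
	} {
		fmt.Printf("%s %v\n", p.Session, d.Inspect(p, now))
	}
}
```

Registration is checked before the bucket is charged, so unregistered traffic cannot consume an enterprise's leased capacity, and reply packets from the Internet pass the first check because their destination is the registered gateway.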
The alarms generated in the message detection system are submitted to the asset management module M0 through its internal security event client module M14. M14 first checks whether the event format submitted by the other modules is correct, adds the submission time attribute, and then submits the event to the asset management module M0 through a named pipe or a network interface. The event attributes comprise detector (the specific module ID), event flag (the specific event identifier), time (event time), source IP (filled in by the detector according to the specific event; the source IP address of the event), source port (ANY or a specific port), target IP (filled in by the detector according to the specific event; when the event has no target IP address it defaults to the source IP address), target port (ANY or a specific port) and event content (filled in by the detector according to the actual situation).
The IDS (Intrusion Detection System) policy used by the message detection module M1, the file retention policy and the security event reporting policy can all be set by the enterprise's maintenance staff through the security policy module M2. The security service provider can set, through M2, policies of these kinds that apply to all enterprises, but the enterprise's maintenance staff retain control over such policies, for example by not enabling them. A policy an enterprise sets up itself takes effect only for the inspection of that enterprise's redirected packets.
Step S3: intranet security management and control. The enterprise administrator logs in to the security service provider's enterprise intranet information security custodial system through the VPN tunnel and performs security management and control of the enterprise's intranet IT assets.
The enterprise administrator first establishes the IPSec VPN tunnel to the security custodial system, then checks the logs of the terminal security management and control software, the host security management and control software and the network device security management and control software installed on the intranet, to confirm that this software can reach the security custodial system and submit messages through the IPSec VPN tunnel; if it cannot, prompts such as "waiting for server response timed out" or "data send failed" appear in the logs. By default this IPSec VPN tunnel is kept up permanently.
The enterprise administrator connects the hardware device holding the identity information, such as a USB key, to the computer, accesses the security custodial system through a browser, selects "USB KEY" under "authentication mode", and enters the enterprise number, the enterprise password, the administrator name and the password.
The web plug-in of the security custodial system takes the current enterprise number, enterprise password, administrator name, password and a random number as the reference value, computes its hash value with the MD5 algorithm, and calls the signature interface of the USB key to sign the hash value. It then constructs an authentication message whose content is the reference value, the hash value and the signature, calls the encryption interface of the USB key to encrypt the authentication message content, and finally sends the encrypted authentication message to the authentication module M6 of the security custodial system. The USB key integrates a PKI (Public Key Infrastructure) support chip that holds the user's identity private key and the public key data of the security custodial system; signing and encryption are both performed on the chip, and the private key data cannot be exported. The USB key can be built from a commercially available PKI support chip.
The authentication functional module M6 of security custodial system is after receiving the authentification of user message, and at first with self PKI decrypted message content, and after extracting enterprise's numbering and user name, the retrieve data table is to obtain this user's public key data; And separate label with the public key data that obtains, obtain original HASH value; Simultaneously, utilize MD5 (being Message DigestAlgorithm5, message digest algorithm 5) algorithm, calculate the HASH value of message identifying content, when having only original HASH value consistent, just confirm the identity success with calculating HASH value; And generate the dynamic-configuration rule, require fire compartment wall to decontrol the message path of this user to the service of security custodial internal system.Password in the message, this is kept at the password in the database as through the calculated value behind the MD5, is the MD5 calculated value equally.
After enterprise administrator successfully signs in to system; Can carry out management and control to the IT assets of its internal network, comprise and browse topological diagram, check the assets security state, check security incident, revise white list, rev down process rev and service, force users roll off the production line, vulnerability scanning, topologically sweeping, all kinds of strategies of setting, patch installing and restart system etc.Administrative staff can also handle oneself renting the file of preserving in the file space, comprise retrieval, browse, delete and download; Administrative staff can also serve the Security Report that window is checked to be provided by the security custodial system at Security Report, simultaneously, when not surpassing the report form type amount of norm, can also define the form of oneself, and specify the form authority and send strategy.
Asset security management and control module M0 of the security hosting system receives and processes the login messages, heartbeat messages and event messages of terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5 in the enterprise intranet; receives and processes the events submitted by message detection module M1; and receives and processes the control operations of operating users.
Messages originating from terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5 are submitted to asset snapshot module M01. For each login message, this module first checks whether an asset identified by the message's IP address and MAC (Media Access Control) address already exists; if not, a new asset is constructed from the IP address and MAC address and taken as the current asset; otherwise the asset retrieved is taken as the current asset. Then the hardware information in the login message is used to fill the hardware attributes of the current asset; the user information fills the user profile attribute; the service information fills the service attribute; the active connection information fills the active connection attribute; the network configuration information fills the network configuration attribute; the active process information fills the active process attribute; the startup group information fills the startup group attribute; the kernel module information fills the kernel module attribute; the neighbour information updates the connection relationship attribute between the current asset and its neighbouring assets, and the connecting lines between assets are redrawn. Neighbour information is also used to discover new assets: if the asset identified by the neighbour information (IP and MAC address) does not exist, a new asset node has been discovered.
When the login message is used to construct the running snapshot of an asset, changes inside the asset can be found immediately, including attribute content that has been added, modified or deleted; at the same time, the current values of attributes can be compared with the security baseline, and an alarm raised on any deviation. An alarm event comprises: detector (asset snapshot module), event identifier (set according to the actual situation: hardware change, software change, baseline violation or new asset discovered), time (current time), source IP address (the real IP address of the asset), source port (NULL), target IP (NULL), target port (NULL), event content (specific description), asset identifier (the internal identifier of the current asset), receive time (current time), confidence (10), processing flag (1) and processing policy (NULL).
Likewise, asset snapshot module M01 handles the heartbeat messages submitted by terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5 in the same way as login messages, except that the log event entries carried in a heartbeat message are processed individually: an internal event is first constructed, and the detector, event identifier, time, IP address, port and event content attributes of the log event are copied directly into the corresponding fields of the newly constructed internal event; at the same time the internal event is given an asset identifier (internal identifier of the current asset), receive time (current time), confidence (0), processing flag (0) and processing policy (NULL); then the newly constructed internal event is filtered according to the preset log sensitive-word filter conditions associated with this asset, and if it meets a filter condition its confidence and processing flag are updated according to that condition. By default, if the confidence is greater than 5 the processing flag is set directly to 1, indicating that this event is believed to be anomalous so that subsequent modules can accelerate its processing. Finally, the number of the newly constructed event is saved in the asset's log event list, and if the confidence is greater than 5 the event identifier is shown in red to remind the operator.
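The login and heartbeat handling of asset snapshot module M01 described above, as an added example (not code from the patent): assets are keyed by (IP, MAC), unknown neighbours become new asset nodes, attribute changes and baseline deviations raise alarm events with confidence 10, and heartbeat log entries are scored against sensitive words. The event names, message field names and sample data are assumptions.

```python
import time
from dataclasses import dataclass, field

# Event identifiers used for the snapshot module's alarm events (names are assumptions)
NEW_ASSET = "new_asset"
HARDWARE_CHANGE = "hardware_change"
BASELINE_VIOLATION = "baseline_violation"


@dataclass
class Asset:
    """An intranet asset, keyed by (IP, MAC) as in module M01."""
    ip: str
    mac: str
    hardware: dict = field(default_factory=dict)
    services: set = field(default_factory=set)
    neighbours: set = field(default_factory=set)
    log_events: list = field(default_factory=list)

    @property
    def asset_id(self):
        return f"{self.ip}/{self.mac}"


class AssetSnapshot:
    def __init__(self, baseline, sensitive_words):
        self.assets = {}                        # (ip, mac) -> Asset
        self.baseline = baseline                # ip -> services permitted by the security baseline
        self.sensitive_words = sensitive_words  # log keyword -> confidence assigned on a hit
        self.alarms = []                        # alarm events to hand to module M02
        self.event_counter = 0

    def _alarm(self, event_id, asset, content):
        # Alarm event layout from the text: confidence 10, processing flag 1, policy NULL
        now = time.time()
        self.alarms.append({
            "detector": "asset_snapshot", "event_id": event_id, "time": now,
            "source_ip": asset.ip, "source_port": None, "target_ip": None, "target_port": None,
            "content": content, "asset_id": asset.asset_id, "received": now,
            "confidence": 10, "processed": 1, "policy": None,
        })

    def _locate(self, ip, mac):
        """Return the asset for (ip, mac); an unknown pair is a newly discovered asset."""
        key = (ip, mac)
        if key not in self.assets:
            self.assets[key] = Asset(ip, mac)
            self._alarm(NEW_ASSET, self.assets[key], f"new asset discovered: {ip} {mac}")
        return self.assets[key]

    def login(self, msg):
        """Login message: fill attributes, compare with the baseline, update neighbours."""
        asset = self._locate(msg["ip"], msg["mac"])
        if asset.hardware and asset.hardware != msg["hardware"]:
            changed = sorted(k for k in set(asset.hardware) | set(msg["hardware"])
                             if asset.hardware.get(k) != msg["hardware"].get(k))
            self._alarm(HARDWARE_CHANGE, asset, f"hardware attributes changed: {changed}")
        asset.hardware = dict(msg["hardware"])
        asset.services = set(msg["services"])
        allowed = self.baseline.get(asset.ip)
        if allowed is not None and asset.services - allowed:
            self._alarm(BASELINE_VIOLATION, asset,
                        f"services outside baseline: {sorted(asset.services - allowed)}")
        for nip, nmac in msg.get("neighbours", []):
            self._locate(nip, nmac)          # unknown neighbour => new asset node
            asset.neighbours.add((nip, nmac))
        return asset

    def heartbeat(self, msg):
        """Heartbeat: same as login, plus individual processing of carried log events."""
        asset = self.login(msg)
        new_events = []
        for entry in msg.get("log_events", []):
            ev = {k: entry.get(k) for k in ("detector", "event_id", "time", "ip", "port", "content")}
            ev.update(asset_id=asset.asset_id, received=time.time(),
                      confidence=0, processed=0, policy=None)
            for word, conf in self.sensitive_words.items():
                if word in (ev["content"] or ""):
                    ev["confidence"] = max(ev["confidence"], conf)
            if ev["confidence"] > 5:         # default rule: treat as anomalous, fast-track it
                ev["processed"] = 1
            self.event_counter += 1
            ev["number"] = self.event_counter
            asset.log_events.append(ev)
            new_events.append(ev)
        return new_events


# Constructed sample input: one terminal, its baseline, and two sensitive-word rules
BASELINE = {"10.0.0.5": {"ssh", "http"}}
SENSITIVE = {"authentication failure": 7, "segfault": 3}


def demo():
    snap = AssetSnapshot(BASELINE, SENSITIVE)
    snap.login({"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:05",
                "hardware": {"cpu": "x86", "ram_mb": 2048},
                "services": {"ssh", "http", "telnet"},                 # telnet is outside the baseline
                "neighbours": [("10.0.0.1", "aa:bb:cc:00:00:01")]})    # unknown neighbour
    events = snap.heartbeat({"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:05",
                             "hardware": {"cpu": "x86", "ram_mb": 4096},  # RAM changed
                             "services": {"ssh", "http"},
                             "log_events": [
                                 {"detector": "auth", "event_id": "login_failed", "time": 1,
                                  "ip": "10.0.0.9", "port": 22,
                                  "content": "authentication failure for root"},
                                 {"detector": "kernel", "event_id": "oops", "time": 2,
                                  "ip": None, "port": None, "content": "segfault in httpd"}]})
    return snap, events
```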
The alarm events and internal events produced by asset snapshot module M01 are submitted to security event management module M02, which handles uniformly all kinds of events originating from asset snapshot module M01 and message detection module M1.
At the same time, asset snapshot module M01 receives the scan results of vulnerability scanning module M05 and uses the vulnerability data obtained by scanning to update the vulnerability list of the current asset; it uses the network node data and link data obtained by scanning to update the connection information between nodes and, at the same time, the topology map. As soon as a new node or connection relationship is found, an alarm event is constructed immediately, and the new node and connection are displayed in a special colour to alert the operator. Asset snapshot module M01 also receives the control commands initiated by the operator on security monitoring module M04, such as forcing users offline, terminating processes or services, or extracting files, and issues them to terminal security management and control module M3 and/or host security management and control module M4 and/or network device security management and control module M5 through the existing active tunnel to the corresponding target asset.
Vulnerability scanning module M05 integrates: a vulnerability scanning function, e.g. the Nessus tool; a TCP port scanning function, e.g. the Nmap tool; operating system fingerprinting, e.g. the p0f tool; link-layer discovery, e.g. CDP (Cisco Discovery Protocol) and the SNMP MIB (SNMP Management Information Base); an IP subnet scanning function; and other functions, such as the ARPWatch tool and an unauthorised external-connection check tool. It can remotely scan a specified target or network in order to find vulnerabilities and the network topology. After logging in to the security hosting system successfully, the operator can use the functions of this module to scan their own intranet.
The security hosting system allows authorised operators at the security service provider level to view all information of a given enterprise, including topology maps, security policies and security reports, but does not allow them to access the files in the enterprise's leased file space; such files may be accessed only by enterprise-level operators.
In intranet security management and control, the processing of all kinds of events is the core of this step: after the events have been security-analysed, the security risk is calculated, which guides the operator in managing and controlling the intranet correctly. The event processing flow is shown in Figure 3 and comprises:
Step S31: event preprocessing. Preprocessing is mainly used for event data checking and event handling rule lookup, to accelerate event handling.
Security event management module M02 writes the standardised internal events originating from asset snapshot module M01 directly into the local event cache pool; for events submitted by message detection module M1, it first appends an asset identifier (the internal identifier found by looking up the event's IP address), receive time (current time), confidence (0), processing flag (0) and processing policy (NULL), and then writes the event into the local event cache pool.
For each event in the event pool, it first checks whether the asset identifier is empty; if so, the event's processing policy is filled in as NULL, i.e. no processing is performed; otherwise the corresponding processing policy is retrieved from the event handling policies, using the event's detector attribute and event identifier attribute as the condition. When several processing policies match, the policy with the highest priority is selected; if the highest priorities are equal, the policy with the latest effective time is selected. A processing policy comprises attributes such as policy number, policy name, detector identifier, event identifier, creation time, effective time, priority level and processing flags; the processing flags comprise a single-event processing flag, an event chain processing flag and a risk assessment flag. The priority of the processing policy is appended to the event data and represents the priority of the event. The priority has grades 0 to 5, 5 being the highest.
In the present invention all events are produced and reported by detectors, so the types of events (i.e. the event identifiers) are controllable, and processing policies can therefore be set for all event types. The processing policies are initialised when the system according to the invention starts up, and an authorised enterprise operator can modify such policies to suit the actual situation of their enterprise.
Step S32: event independent processing. Event independent processing analyses a single event.
If the single-event processing flag of the event handling policy is true, the current event needs independent analysis, mainly vulnerability association analysis and asset association analysis.
Vulnerability association analysis associates the event with the vulnerability list on the asset; if the association succeeds, the confidence of the event is raised, otherwise event independent processing ends. Asset association analysis follows vulnerability association analysis: once the event has been confirmed to be associated with a vulnerability, the trigger conditions of the vulnerability are compared with the actual running state of the asset to verify whether the vulnerability can be triggered, thereby further raising the confidence of the event (association success) or lowering it (association failure) in order to eliminate false alarms. Vulnerability association analysis and asset association analysis only analyse events whose processing flag is 0.
Vulnerability association analysis is as follows: in the preset vulnerability-event association table (maintained manually; for every new event and every new vulnerability that the system supports, a vulnerability-event relation has to be added), retrieve the vulnerability identifiers associated with the current event identifier, then compare them with the vulnerability list on the target asset (determined by the event's asset identifier attribute) to check whether the retrieved vulnerability set has an intersection with it; if the intersection is not empty, the association succeeds and the confidence of the event is raised to 5; otherwise the confidence of the event remains unchanged and event independent processing ends.
Asset association analysis is as follows. For each vulnerability in the intersection determined by vulnerability association analysis, retrieve from the vulnerability basic information table (maintained manually; it stores the basic information of vulnerabilities, comprising vulnerability number, name, operating system and version, application and version, port, protocol, consequence etc.) the operating system and version, the application and version, and the port and protocol, and form set A. First, check whether the operating system and version of the target asset (determined by the event's asset identifier) are included in the operating systems and versions determined by set A; if so, the confidence of the event is increased by 1; if not, the confidence is set to 0 and asset association ends. Second, check whether the target asset's <active port, protocol> pairs intersect the <port, protocol> pairs in set A; if so, the confidence of the event is unchanged; otherwise the port and protocol do not match, the confidence is set to 0 and asset association ends. Finally, check whether the applications and versions on the target asset match the applications and versions determined by set A; if they match, the confidence of the event is set to 10, otherwise it is set to 0.
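The processing policy lookup of step S31 and the vulnerability and asset association analysis of step S32, as an added example (not code from the patent). The three tables are constructed sample data; the confidence transitions (5 on a non-empty intersection, +1 for an OS match, 0 on any mismatch, 10 on an application match) follow the text.

```python
# Constructed sample tables; none of these values come from the patent
EVENT_VULN_TABLE = {          # vulnerability-event association table: event id -> vulnerability ids
    "ids:ssh_weak_auth": {"VULN-A", "VULN-B"},
    "ids:http_traversal": {"VULN-C"},
}
VULN_INFO = {                 # vulnerability basic information table (the columns the analysis needs)
    "VULN-A": {"os": {("linux", "2.6")}, "apps": {("openssh", "4.3")}, "ports": {(22, "tcp")}},
    "VULN-B": {"os": {("linux", "2.4")}, "apps": {("openssh", "3.9")}, "ports": {(22, "tcp")}},
    "VULN-C": {"os": {("windows", "2003")}, "apps": {("iis", "6.0")}, "ports": {(80, "tcp")}},
}
ASSETS = {                    # the asset snapshot fields the analysis reads
    "A1": {"os": ("linux", "2.6"), "apps": {("openssh", "4.3"), ("httpd", "2.2")},
           "active_ports": {(22, "tcp"), (80, "tcp")}, "vulns": {"VULN-A"}},
    "A2": {"os": ("linux", "2.6"), "apps": {("openssh", "4.3")},
           "active_ports": {(80, "tcp")}, "vulns": {"VULN-A", "VULN-B"}},
}


def select_policy(event, policies):
    """Step S31 lookup: candidates match on (detector, event id); pick the highest
    priority and, among equal priorities, the latest effective time."""
    candidates = [p for p in policies
                  if p["detector"] == event["detector"] and p["event_id"] == event["event_id"]]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (p["priority"], p["effective_time"]))


def vulnerability_association(event):
    """Intersect the vulnerabilities tied to the event identifier with the asset's own list.
    A non-empty intersection raises the confidence to 5."""
    related = EVENT_VULN_TABLE.get(event["event_id"], set())
    intersection = related & ASSETS[event["asset_id"]]["vulns"]
    if intersection:
        event["confidence"] = 5
    return intersection


def asset_association(event, intersection):
    """Check whether the associated vulnerabilities can actually be triggered on the asset:
    OS/version must match (+1), an active port/protocol must match, then the application
    match decides between confidence 10 and 0."""
    asset = ASSETS[event["asset_id"]]
    set_a = {"os": set(), "apps": set(), "ports": set()}
    for vid in intersection:
        for column in set_a:
            set_a[column] |= VULN_INFO[vid][column]
    if asset["os"] not in set_a["os"]:
        event["confidence"] = 0
        return
    event["confidence"] += 1
    if not asset["active_ports"] & set_a["ports"]:
        event["confidence"] = 0
        return
    event["confidence"] = 10 if asset["apps"] & set_a["apps"] else 0


def independent_processing(event):
    """Step S32 for one event: only events with processing flag 0 are analysed."""
    if event["processed"] != 0:
        return event
    intersection = vulnerability_association(event)
    if intersection:                # otherwise independent processing ends here
        asset_association(event, intersection)
    return event


def make_event(detector, event_id, asset_id, processed=0):
    """Minimal event record as it sits in the event pool after preprocessing."""
    return {"detector": detector, "event_id": event_id, "asset_id": asset_id,
            "confidence": 0, "processed": processed}
```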
Step S33: event chain processing. Event chain processing mainly matches the current event to be analysed against the known event chain rules in order to discover new events.
If the event chain processing flag of the event handling policy is true, event chain association analysis must be performed on the current event. Event chain association analysis is mainly used to derive new events from the preceding events on a known event chain, thereby forecasting in advance and warning the operator to take measures.
The internal processing flow of event chain processing is as follows:
Step 1: based on accumulated experience, event chain rules published on the network and the rules of third-party tools, construct event chain rules suited to the reasoning used in the present invention. In the present invention an event chain always has an entry event, i.e. a root event, which is the first event of the chain; below the root event there are several branches, and each branch can lead to a different new event. An event chain is therefore always organised as a tree, although not a standard tree, since there may be cycles, i.e. different preceding events may derive the same event.
The rule attributes comprise: new event identifier, new event description, new event confidence, the event identifier of the event to be analysed, the detector of the event to be analysed, time interval, statistical value, the source IP, source port, target IP and target port of the event to be analysed, source IP rule, source port rule, target IP rule, target port rule, level, child node pointer and so on.
Step 2: check whether the current event is a successor on a currently active event chain, by comparing it against all active rules on all active event chain rule trees in the buffer area. If it matches, event chain processing ends and a new event is produced; at the same time, the source IP, source port, target IP and target port of the current event are saved into the rule's source IP, source port, target IP and target port fields of the event to be analysed, and the active rule chain of the current event chain rule is modified: all child nodes of the matched rule are inserted into the active rule chain and the matched rule is deleted from it. Otherwise, go to step 3.
When matching active rules, first verify whether the detector and event identifier of the current event are contained in the detector and event identifier sets required by a given active rule; if so, the top-level match succeeds. Then, according to the rule's bottom-level matching constraints (source IP rule, source port rule, target IP rule, target port rule), compare the source IP, source port, target IP and target port of the current event with the corresponding attributes of the existing event on the event chain indicated by the constraints; only if the comparison result is true does the match between event and rule succeed.
For the new event produced, its event identifier, event content and confidence come from the new event identifier, new event description and new event confidence defined in the rule; apart from the detector (security event management module) and the time (current time), the other attributes are copied directly from the corresponding attributes of the current event. The new event is written into the event pool so that it can itself be analysed.
An event chain rule tree in the buffer area is removed automatically when its active rule chain becomes empty or after its time-to-live expires.
Step 3: check whether the current event is the entry event of an event chain. Compare the current event with the root rules of all event chain rules preset in the system; if it matches, the current event is the root event of that particular event chain: the matching event chain rule tree is copied into the buffer area; the source IP, source port, target IP and target port of the current event are saved into the root rule's corresponding fields of the event to be analysed; and all child nodes of the root rule are inserted into the active rule chain.
When comparing an event with a root rule, only a simple check is made of whether the event's detector and event identifier are contained in the rule's detector and event identifier sets; as soon as they are, the match is considered successful and the event is not compared with the root rules of the other event chains that have not yet been compared. The root rules of all rule chains must therefore be mutually exclusive, otherwise the rule chains ordered later can never be triggered.
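Steps 2 and 3 of the event chain processing above, as an added example that is not part of the patent: a rule tree with top-level (detector, event identifier) matching and bottom-level constraints that compare the current event's IP/port fields with the fields saved by the parent rule, an active rule chain per chain instance, and exclusive root matching. The chain itself (port scan, then password guessing against the scanned host, then a new administrator account on that host) and all names are constructed; time interval, statistical value and time-to-live are omitted.

```python
import copy

FIELDS = ("source_ip", "source_port", "target_ip", "target_port")


class ChainRule:
    """One node of an event chain rule tree (attribute names are assumptions)."""

    def __init__(self, detectors, event_ids, new_event, new_confidence,
                 constraints=None, children=()):
        self.detectors = set(detectors)      # top-level match: accepted detectors
        self.event_ids = set(event_ids)      # top-level match: accepted event identifiers
        self.new_event = new_event           # identifier of the event this rule derives
        self.new_confidence = new_confidence
        # Bottom-level constraints: field of the current event -> field of the event that
        # matched the parent rule; the two values must be equal.
        self.constraints = dict(constraints or {})
        self.children = list(children)
        self.parent = None
        self.matched = None                  # IP/port fields saved when this rule matched
        for child in self.children:
            child.parent = self

    def top_match(self, ev):
        return ev["detector"] in self.detectors and ev["event_id"] in self.event_ids

    def bottom_match(self, ev):
        prev = self.parent.matched if self.parent else None
        return all(prev is not None and ev[mine] == prev[theirs]
                   for mine, theirs in self.constraints.items())


class EventChainEngine:
    def __init__(self, root_rules):
        self.root_rules = root_rules   # root rules must be mutually exclusive (see step 3)
        self.buffer = []               # active chain instances: {"tree": root copy, "active": [rules]}

    def process(self, ev):
        """Steps 2 and 3 for one event; returns the derived new event or None."""
        # Step 2: does the event continue an active chain?
        for chain in self.buffer:
            for rule in list(chain["active"]):
                if rule.top_match(ev) and rule.bottom_match(ev):
                    rule.matched = {f: ev[f] for f in FIELDS}
                    chain["active"].remove(rule)
                    chain["active"].extend(rule.children)
                    new_ev = dict(ev)        # other attributes copied from the current event
                    new_ev.update(detector="security_event_mgmt", event_id=rule.new_event,
                                  content=rule.new_event, confidence=rule.new_confidence)
                    return new_ev
        # Step 3: is the event the entry (root) event of a chain?
        for root in self.root_rules:
            if root.top_match(ev):
                tree = copy.deepcopy(root)   # private copy, so saved fields stay per instance
                tree.matched = {f: ev[f] for f in FIELDS}
                self.buffer.append({"tree": tree, "active": list(tree.children)})
                break                        # roots are exclusive: stop at the first hit
        return None

    def purge(self):
        """Remove chain instances whose active rule chain is empty (time-to-live omitted)."""
        self.buffer = [c for c in self.buffer if c["active"]]


def build_rules():
    # Constructed chain: port scan -> password guessing against the scanned host ->
    # new administrator account created on that host.
    compromise = ChainRule({"host"}, {"new_admin_account"}, "suspected_compromise", 9,
                           constraints={"source_ip": "target_ip"})
    guessing = ChainRule({"ids"}, {"ssh_weak_auth"}, "targeted_password_guessing", 7,
                         constraints={"target_ip": "target_ip"}, children=[compromise])
    return [ChainRule({"ids"}, {"portscan"}, "reconnaissance", 3, children=[guessing])]


def make_event(detector, event_id, source_ip, target_ip):
    return {"detector": detector, "event_id": event_id, "content": event_id, "confidence": 0,
            "source_ip": source_ip, "source_port": None, "target_ip": target_ip, "target_port": None}


def demo():
    engine = EventChainEngine(build_rules())
    events = [make_event("ids", "portscan", "192.0.2.10", "10.0.0.5"),
              make_event("ids", "ssh_weak_auth", "192.0.2.10", "10.0.0.9"),   # different host
              make_event("ids", "ssh_weak_auth", "192.0.2.10", "10.0.0.5"),
              make_event("host", "new_admin_account", "10.0.0.5", "10.0.0.5")]
    results = [engine.process(ev) for ev in events]
    engine.purge()
    return engine, results
```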
Step S34: event risk assessment. Calculate the risk value and risk level of the current event.
If the risk assessment flag of the processing policy of the pending event is true, a risk assessment operation is performed on the event.
First, check the event's confidence and appended priority; if either is zero, the risk value of the current event is 0. Otherwise, use the event's asset identifier attribute to obtain the asset value from the asset value table (maintained manually; it stores the business value of assets, graded 0 to 5, 5 being the highest), and calculate the object risk of the event (i.e. the risk to the target device) as object risk = confidence × priority × asset value grade / 10. If the source IP and target IP of the event differ, obtain the asset identifier from the source IP attribute (the subject asset identifier), use it to obtain the value of that asset from the asset value table, and calculate the subject risk of the event (i.e. the risk of the source device) as subject risk = confidence × priority × asset value grade / 10. The larger of the object risk and the subject risk is the risk value of the current event.
Second, update the risk levels of the event subject and the event object. If the risk value of the event is greater than 0, a serial number is generated for the event. Using the object risk value calculated in the previous step and the preset risk value to risk level mapping on the asset of the event object, calculate the risk level corresponding to the object risk value, insert the current event's serial number and risk level into the risk list of the asset determined by the event's asset identifier attribute, and update the risk level statistics of that asset. Using the subject risk value calculated in the previous step and the subject asset identifier retrieved in the previous step, retrieve the risk value to risk level mapping on the corresponding asset, calculate the risk level corresponding to the subject risk value, insert the current event's serial number and risk level into the risk list of the asset determined by the subject asset identifier, and update the risk level statistics of that asset.
Further, whenever the risk level statistics of an asset change, the risk level statistics of the subnet where the asset is located are updated automatically.
Step S35: alarm and automatic response. According to the preset response policy, alarm the operator and respond automatically.
According to the response policy set by security policy module M2, security event management module M02 raises an alarm for events whose risk value is greater than the threshold, and responds automatically. The threshold is set by the operator; the risk value of an event ranges from 0 to 25, and the default alarm threshold is 5.
The response policy set by security policy module M2 comprises attributes such as policy number, enable flag, effective start time, effective end time, internal execution flag, external execution flag, regular expression and command. The regular expression is used to extract content from the event, such as the source IP or target IP; the command is a concrete executable instruction interpreted by security monitoring module M04, and the placeholders in the command are filled with the content extracted by the regular expression. The command may simply be an alarm, an e-mail or an instant message; it may also be a shell command, an SNMP instruction and so on.
Using the event identifier attribute value of the event as the condition, the corresponding security policy can be retrieved from the policy-event association table (maintained manually; it associates policies with events: every newly added event identifier that requires an automatic response needs a policy configured for it, and every newly added policy can only be executed after it has been assigned to an event), so that every event supported by the system can be responded to precisely.
Security event management module M02 submits the event data, comprising event identifier, event content, source IP, source port, target IP, target port and occurrence time, together with the specific instruction of the response policy, to security monitoring module M04.
Security monitoring module M04 responds automatically according to the specific instruction of the response policy, which may comprise displaying the event and sounding an alarm; sending the event data to the preset enterprise administrator's mailbox; sending a short message through a GSM modem to the preset enterprise administrator's mobile phone number; or packaging the command into an interface message packet and submitting it to asset snapshot module M01, which sends it through the current active channel to the correct terminal security management and control module M3 and/or host security management and control module M4 and/or network device security management and control module M5 and instructs the latter to execute the command.
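Steps S34 and S35 together, as an added example (not code from the patent): the risk formula with the object/subject distinction, the per-asset risk lists and level statistics, the default alarm threshold of 5, and a response policy whose regular expression extracts content from the event and fills the command placeholders. The asset value table, IP-to-asset mapping, risk level mapping (one shared mapping is assumed where the text keeps one per asset) and the policy itself are constructed.

```python
import itertools
import re

# Constructed tables; sample values, not from the patent
ASSET_VALUE = {"A1": 4, "A2": 2}                      # business value grade, 0..5
IP_TO_ASSET = {"10.0.0.5": "A1", "10.0.0.9": "A2"}
# The text keeps a risk value -> risk level mapping per asset; one shared mapping is assumed
RISK_LEVELS = [(20, "critical"), (10, "high"), (5, "medium"), (1, "low")]
ALARM_THRESHOLD = 5                                   # default alarm threshold from the text
RESPONSE_POLICIES = {                                 # policy-event association, by event id
    "targeted_password_guessing": {
        "enabled": True,
        "regex": r"from (?P<src>\d+\.\d+\.\d+\.\d+)",   # extracts the guessing source
        "command": "mail admin 'password guessing from {src} against {target_ip}'",
    },
}
_serial = itertools.count(1)


def risk_value(confidence, priority, asset_value):
    """Risk formula from step S34; with grades capped at 10, 5 and 5 the maximum is 25."""
    return confidence * priority * asset_value / 10


def risk_level(value):
    for threshold, name in RISK_LEVELS:
        if value >= threshold:
            return name
    return "none"


def assess(event, risk_lists):
    """Step S34: object risk, subject risk (only if source and target differ), event risk =
    the larger; events with risk > 0 get a serial number and are filed under both assets."""
    if event["confidence"] == 0 or event["priority"] == 0:
        event["risk"] = 0
        return 0
    obj = risk_value(event["confidence"], event["priority"], ASSET_VALUE[event["asset_id"]])
    subj_asset = None
    if event["source_ip"] != event["target_ip"]:
        subj_asset = IP_TO_ASSET.get(event["source_ip"])
    subj = 0
    if subj_asset:
        subj = risk_value(event["confidence"], event["priority"], ASSET_VALUE[subj_asset])
    event["risk"] = max(obj, subj)
    if event["risk"] > 0:
        event["serial"] = next(_serial)
        risk_lists.setdefault(event["asset_id"], []).append((event["serial"], risk_level(obj)))
        if subj_asset:
            risk_lists.setdefault(subj_asset, []).append((event["serial"], risk_level(subj)))
    return event["risk"]


def level_statistics(risk_lists):
    """Per-asset count of events at each risk level (the subnet roll-up would sum these)."""
    stats = {}
    for asset_id, entries in risk_lists.items():
        counts = stats.setdefault(asset_id, {})
        for _, level in entries:
            counts[level] = counts.get(level, 0) + 1
    return stats


def build_response(event, threshold=ALARM_THRESHOLD):
    """Step S35: only events above the threshold are alarmed; the policy's regular expression
    extracts fields from the event content and fills the command placeholders."""
    if event.get("risk", 0) <= threshold:
        return None
    policy = RESPONSE_POLICIES.get(event["event_id"])
    if policy is None or not policy["enabled"]:
        return None
    match = re.search(policy["regex"], event["content"])
    if match is None:                   # nothing to fill the placeholders with
        return None
    fields = dict(event)
    fields.update(match.groupdict())
    return policy["command"].format_map(fields)
```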
Security monitoring module M04 likewise accepts the operator's manual direction: after collecting the control parameters selected and the values entered by the operator on the control panel, it constructs a standard interface message packet and submits it to asset snapshot module M01.
Step S36: security report processing. The events processed by security event management module M02 are automatically counted and aggregated.
Security event management module M02 finally appends an event serial number to each event it has processed and submits it to security report module M03, which aggregates the events, including statistics by event identifier, by detector, by source IP and by target IP.
In addition, for security events submitted by message detection module M1 whose event content comprises source IP, source port, protocol, target IP, target port and message length information, security report module M03 processes the event content further and uses this information to generate statistical reports, comprising protocol distribution reports, IP distribution reports, TOP-N reports and so on. By default, daily, weekly, monthly, quarterly and annual versions of all reports are provided.
For all report templates whose "automatic" attribute is true, the generated report files are saved into the file space leased by the enterprise.

Claims (9)

1. medium-sized and small enterprises Intranet information security trustship method, wherein enterprise leases the bandwidth that is used for redirection message and is used to preserve the file space that message detects daily record and form to security service provider, it is characterized in that, also comprises:
(a) security service terminal security management and control function that provider is provided and Host Security management and control function are provided respectively on interior network termination and main frame; The security service network equipment security management and control function that provider is provided is provided at least one main frame, and the network equipment of all support snmp protocols of management and control;
(b) on the outlet edge device, the message detection system that the message redirecting of preset protocol is provided to security service provider;
(c) be established to the IPSec vpn tunneling of security service provider; Sign in to the medium-sized and small enterprises Intranet information security mandatory system that is arranged in security service provider network, and said terminal security management and control function, Host Security management and control function and network equipment security management and control function in the step (a) are carried out security control through this tunnel.
2. a kind of according to claim 1 medium-sized and small enterprises Intranet information security trustship method; It is characterized in that; The message detection system of security service provider is carried out after attack protection, anti-virus detect the redirection message of enterprise, and acts on behalf of the legal message of transfer through application layer protocol; The bandwidth of said redirection message only can be used the said capacity of leasing bandwidth; And,
The said medium-sized and small enterprises Intranet information security mandatory system of security service provider is analyzed log event information and health information that said terminal security management and control function, Host Security management and control function and the network equipment security management and control function of corporate intranet reports, and responds based on preset safe benchmark.
3. like the said a kind of medium-sized and small enterprises Intranet information security trustship method of claim 2; It is characterized in that; Said application layer protocol agency; Comprise SMTP agency, POP3 agency, HTTP Proxy, MSN communication agent and transparent transmission agency, be respectively applied for the inspection of contact Mail Contents, url filtering, MSN communication content audit and transparent transmission message; Suspicious Mail Contents and annex, and MSN communication message summary info all are kept in the said file space with document form.
4. a kind of according to claim 1 medium-sized and small enterprises Intranet information security trustship method; It is characterized in that said terminal security management and control function, Host Security management and control function and network equipment security management and control function be customizable to be reported to the data entries kind and the content of the said medium-sized and small enterprises Intranet information security mandatory system of said security service provider; Said medium-sized and small enterprises Intranet information security mandatory system only allows the enterprise-level attendant to check the Intranet assets security of operation situation of this enterprise; Said medium-sized and small enterprises Intranet information security mandatory system provides the safe operation form to said enterprise, comprises daily paper, weekly, monthly magazine, quarterly report and annual report.
5. The small and medium-sized enterprise intranet information security hosting method of claim 1, characterized in that the hosting system of the security service provider can remotely scan the vulnerability information and network topology information of the intranet assets through the VPN tunnel established in step (c); and
the hosting system of the security service provider promptly notifies the preset security manager of the enterprise after a security risk is found.
6. A small and medium-sized enterprise security hosting system, characterized in that it comprises an asset security control module, a message detection module, a security policy module, a terminal security control module, a host security control module and a network device security control module;
the asset security control module is connected to the terminal security control module, the host security control module, the network device security control module, the security policy module and the message detection module, and is used to construct a security operation snapshot of the enterprise intranet assets from the reported information, to handle security events according to a preset security policy, to manually and remotely control the intranet assets, and to provide security operation reports;
the message detection module is connected to the asset security control module and the security policy module, and is used to process the redirected messages of the enterprise and to submit security events to the asset security control module according to the preset security policy of the security policy module;
the security policy module is connected to the asset security control module and the message detection module, and is used to set the asset security baseline, the event handling rules, the event response policy and the application layer protocol violation response policy; and
the terminal security control module is connected to the asset security control module, and is used to collect the health data and log data of the terminal computers of the enterprise intranet and submit them to the asset security control module, and to receive and process control commands from the asset security control module;
the host security control module is connected to the asset security control module, and is used to collect the health data and log data of the hosts of the enterprise intranet and submit them to the asset security control module, and to receive and process control commands from the asset security control module; and
the network device security control module is connected to the asset security control module, and is used to collect and receive the health data and SNMP Trap data of the network devices in the enterprise intranet that support the SNMP protocol and submit them to the asset security control module, and to receive control commands from the asset security control module, convert them into SNMP instructions and submit them to the target network device.
7. The small and medium-sized enterprise security hosting system of claim 6, characterized in that the asset security control module comprises an asset snapshot module, a vulnerability scanning module, a security event management module, a security monitoring module and a security report module;
the asset snapshot module receives the data reported by the terminal security control module, the host security control module and the network device security control module, constructs the security operation snapshot of the assets from the reported data, generates security events according to the preset asset security baseline and submits them to the security event management module, and receives the remote control messages issued by the security monitoring module and relays them to the terminal security control module, the host security control module and the network device security control module;
the vulnerability scanning module is used to remotely scan the vulnerability information and network topology information of the assets in the operation information of the enterprise intranet, and submits the scan results to the asset snapshot module;
the security event management module receives the security events submitted by the asset snapshot module and the message detection module, responds automatically according to a predetermined policy and notifies the preset security management personnel of the enterprise, and submits the final result of security event handling to the security report module;
the security monitoring module receives and displays the security alarm results submitted by the security event management module, and submits the alarm event data in those results to the operating system of the operations and maintenance personnel or submits the automatic response commands in those results to the asset snapshot module; and
the security report module receives the security events submitted by the security event management module and automatically generates security operation reports according to a preset report template.
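The snapshot-then-baseline flow of claims 6 and 7 (agents report health and log data, the snapshot module keeps the latest state per asset, compares it with the preset asset security baseline, and the event management module responds by policy) can be made concrete with the following Python example. It is added here and is not code from the patent or its assignee; the report shape, the baseline keys and limits, the three-level response policy and the sample reports are all constructed for illustration.

```python
"""Asset snapshot, baseline check and event response (added example, not the
patent's own code).  Report shape, baseline, response policy and sample
reports are constructed for illustration."""
from __future__ import annotations

import operator
from dataclasses import dataclass, field
from typing import Any


@dataclass
class AssetReport:
    """One report from a terminal, host or network-device agent (constructed shape)."""
    asset_id: str
    asset_type: str                  # "terminal", "host" or "network_device"
    health: dict[str, Any]           # health data, e.g. {"patch_lag_days": 5}
    logs: list[str] = field(default_factory=list)   # raw log lines, if any


@dataclass
class SecurityEvent:
    """What the snapshot module hands to the security event management module."""
    asset_id: str
    rule: str
    severity: str                    # "low", "medium" or "high"
    detail: str


# Preset asset security baseline (constructed): per asset type, rules of the
# form (health key, comparison that must hold, limit, severity when violated).
BASELINE = {
    "terminal": [
        ("av_signature_age_days", "<=", 7, "medium"),
        ("patch_lag_days", "<=", 30, "high"),
    ],
    "host": [
        ("failed_logins_per_hour", "<=", 20, "high"),
        ("disk_used_pct", "<", 90, "low"),
    ],
    "network_device": [
        ("config_changed_unscheduled", "==", False, "high"),
    ],
}

_OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq}


def build_snapshot(reports: list[AssetReport]) -> dict[str, AssetReport]:
    """Security operation snapshot: the latest report per asset."""
    snapshot: dict[str, AssetReport] = {}
    for report in reports:
        snapshot[report.asset_id] = report    # later reports supersede earlier ones
    return snapshot


def derive_metrics(report: AssetReport) -> dict[str, Any]:
    """Merge log-derived metrics into the reported health data; counting
    failed-login lines stands in for the log analysis the claims leave open."""
    health = dict(report.health)
    if report.logs and "failed_logins_per_hour" not in health:
        health["failed_logins_per_hour"] = sum(
            "authentication failure" in line for line in report.logs)
    return health


def violates(value: Any, op: str, limit: Any) -> bool:
    """True when `value op limit` does not hold."""
    return not _OPS[op](value, limit)


def check_baseline(snapshot, baseline=BASELINE) -> list[SecurityEvent]:
    """Emit one event per violated baseline rule.  A metric the agent did not
    report is itself a (low) finding: silence is not evidence of health."""
    events = []
    for asset_id, report in snapshot.items():
        health = derive_metrics(report)
        for key, op, limit, severity in baseline.get(report.asset_type, []):
            if key not in health:
                events.append(SecurityEvent(asset_id, key, "low", "metric not reported"))
            elif violates(health[key], op, limit):
                events.append(SecurityEvent(
                    asset_id, key, severity, f"{key}={health[key]!r} violates {op} {limit!r}"))
    return events


def respond(events: list[SecurityEvent]) -> list[tuple[str, str, str]]:
    """Constructed response policy: high -> automatic response command plus
    manager notification, medium -> notify the manager, low -> record only."""
    actions = []
    for e in events:
        if e.severity == "high":
            actions.append(("auto_respond", e.asset_id, e.rule))
        if e.severity in ("high", "medium"):
            actions.append(("notify_manager", e.asset_id, e.rule))
        if e.severity == "low":
            actions.append(("record", e.asset_id, e.rule))
    return actions


# Constructed sample reports: pc-01 reports twice and only the latest counts.
SAMPLE_REPORTS = [
    AssetReport("pc-01", "terminal", {"av_signature_age_days": 2, "patch_lag_days": 5}),
    AssetReport("pc-01", "terminal", {"av_signature_age_days": 12, "patch_lag_days": 5}),
    AssetReport("srv-db", "host", {"disk_used_pct": 95},
                logs=[f"sshd[{1000 + i}]: authentication failure; user=root"
                      for i in range(25)]),
    AssetReport("sw-core", "network_device", {}),    # reports no config-change metric
]
```

Running `respond(check_baseline(build_snapshot(SAMPLE_REPORTS)))` yields one manager notification for the stale terminal signatures, an automatic response plus notification for the host's failed-login burst, and record-only entries for the disk usage and for the switch that stopped reporting its metric.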
8. The small and medium-sized enterprise security hosting system of claim 7, characterized in that the message detection module comprises an application layer protocol proxy module, an intrusion detection module, an anti-virus module and a security event client module;
the application layer protocol proxy module receives the redirected messages submitted by the enterprise, submits the messages in turn to the intrusion detection module and the anti-virus module, proxies the messages that pass detection, and submits local security events to the security event client module;
the intrusion detection module receives the messages submitted by the application layer protocol proxy module, performs intrusion detection on them according to locally preset rules, submits the detection results to the application layer protocol proxy module, and submits local security events to the security event client module;
the anti-virus module receives the messages submitted by the application layer protocol proxy module, performs virus detection on them according to locally preset rules, submits the detection results to the application layer protocol proxy module, and submits local security events to the security event client module; and
the security event client module is used to receive the local security events submitted by the other modules of the message detection module and, after normalizing them into a unified format, submit them to the security event management module of the asset security control module.
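The detection chain of claim 8 (proxy hands each redirected message to intrusion detection and then anti-virus, forwards only what passes, and the security event client module normalizes each module's local events into one unified format) is shown in the following Python example. It is added here and is not code from the patent or its assignee; the rule sets, the per-module local event shapes, the unified event format and the sample messages are constructed for illustration, and the anti-virus step matches payload hashes against the public EICAR test string rather than real signatures.

```python
"""Message detection pipeline: proxy -> IDS -> AV, with event normalization
(added example, not the patent's own code; rules, event shapes and sample
traffic are constructed)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass
class Message:
    proto: str        # "smtp", "pop3", "http", ...
    src: str
    dst: str
    payload: bytes


# Locally preset intrusion detection rules (constructed): name, pattern, severity.
IDS_RULES = [
    ("sql-injection-probe", re.compile(rb"(?i)union\s+select"), "high"),
    ("directory-traversal", re.compile(rb"\.\./\.\./"), "medium"),
]

# Locally preset anti-virus "signatures": SHA-256 of a known payload -> name.
# The EICAR test string is the standard harmless sample for exercising scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
AV_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}


@dataclass(frozen=True)
class UnifiedEvent:
    """The consolidated format the event client module submits upstream."""
    module: str       # which detection module raised it
    kind: str         # rule or signature name, or proxy verdict
    severity: str     # "low", "medium" or "high"
    source: str       # originating address
    detail: str


def ids_inspect(msg: Message) -> tuple[bool, list[dict]]:
    """Intrusion detection module; its local events are dicts."""
    hits = [{"rule": name, "sev": sev, "src": msg.src, "dst": msg.dst}
            for name, pattern, sev in IDS_RULES if pattern.search(msg.payload)]
    return not hits, hits


def av_scan(msg: Message) -> tuple[bool, list[tuple]]:
    """Anti-virus module; its local events are (name, digest, src) tuples."""
    digest = hashlib.sha256(msg.payload).hexdigest()
    if digest in AV_SIGNATURES:
        return False, [(AV_SIGNATURES[digest], digest, msg.src)]
    return True, []


def normalize(module: str, local_event) -> UnifiedEvent:
    """Security event client module: map each module's own shape onto UnifiedEvent."""
    if module == "ids":
        e = local_event
        return UnifiedEvent("ids", e["rule"], e["sev"], e["src"], f"{e['src']} -> {e['dst']}")
    if module == "av":
        name, digest, src = local_event
        return UnifiedEvent("av", name, "high", src, f"sha256={digest[:16]}...")
    if module == "proxy":
        proto, src, verdict = local_event
        return UnifiedEvent("proxy", f"{proto}-{verdict}", "low", src, f"message {verdict}")
    raise ValueError(f"unknown module {module!r}")


def proxy_handle(msg: Message) -> tuple[bool, list[UnifiedEvent]]:
    """Application layer protocol proxy: IDS first, then AV; forward only if
    both pass.  Returns (forwarded, normalized events in the order raised)."""
    ids_ok, ids_events = ids_inspect(msg)
    av_ok, av_events = av_scan(msg)
    events = [normalize("ids", e) for e in ids_events]
    events += [normalize("av", e) for e in av_events]
    forwarded = ids_ok and av_ok
    events.append(normalize("proxy", (msg.proto, msg.src,
                                      "forwarded" if forwarded else "blocked")))
    return forwarded, events


# Constructed sample traffic: a clean request, an injection probe, a test-file mail.
SAMPLE_MESSAGES = [
    Message("http", "10.0.0.5", "10.0.1.20", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Message("http", "10.0.0.9", "10.0.1.20",
            b"GET /items?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
    Message("smtp", "10.0.0.7", "10.0.1.25", EICAR),
]
```

Each module keeps its own native event shape (dicts for the IDS, tuples for the AV, a verdict triple for the proxy) and only `normalize` knows all three, which is the role the claim assigns to the security event client module: the upstream event management module sees one schema regardless of which detector fired.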
9. The small and medium-sized enterprise security hosting system of claim 8, characterized in that the terminal security control module, the host security control module and the network device security control module are deployed in the intranet of the enterprise and communicate with the asset security control module through an IPSec VPN tunnel between the enterprise and the security hosting system, the content of the communication messages being encrypted; and
the remote scanning of the vulnerability information and network topology information of the assets in the operation information of the enterprise intranet can only be carried out through the IPSec VPN tunnel between the enterprise and the security hosting system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101697252A CN101635730B (en) 2009-08-28 2009-08-28 Method and system for safe management of internal network information of small and medium-sized enterprises

Publications (2)

Publication Number Publication Date
CN101635730A CN101635730A (en) 2010-01-27
CN101635730B true CN101635730B (en) 2012-05-02

Family

ID=41594788

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101697252A Active CN101635730B (en) 2009-08-28 2009-08-28 Method and system for safe management of internal network information of small and medium-sized enterprises

Country Status (1)

Country Link
CN (1) CN101635730B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102385677B (en) * 2010-09-01 2015-04-29 北京启明星辰信息技术股份有限公司 Unified threat management system and data processing method thereof
CN101997786B (en) * 2010-12-12 2012-03-14 成都东方盛行电子有限责任公司 Efficient and safe heterogeneous media gateway
CN102624717B (en) * 2012-03-02 2015-11-18 深信服网络科技(深圳)有限公司 Automatically the method generated based on the security strategy of vulnerability scanning and device
CN102916963B (en) * 2012-10-26 2014-12-31 中国人民解放军信息工程大学 Safe data exchange method, device, nodes and safe data exchange system
CN103646161A (en) * 2013-11-05 2014-03-19 华为技术有限公司 Terminal system credibility state judgment method, device and terminal
CN103927491A (en) * 2014-04-30 2014-07-16 南方电网科学研究院有限责任公司 Security baseline assessment method based on SCAP
CN105227338B (en) * 2014-06-25 2018-07-17 北京奇安信科技有限公司 The recognition methods of web station system information and device
CN105743726A (en) * 2014-12-10 2016-07-06 中兴通讯股份有限公司 Traffic statistics and analysis method for feature data message and corresponding device
CN104853346B (en) * 2015-02-12 2018-10-19 数据通信科学技术研究所 It is a kind of to realize that mobile terminal data flows to the method and system that bypassed
CN107294751B (en) * 2016-03-31 2020-07-31 上海层峰网络科技有限公司 Wide area optical network based on leased circuit and topology adjusting method and device
CN108781167A (en) * 2016-04-06 2018-11-09 华为技术有限公司 Flow control methods and equipment in software defined network SDN
CN106230800B (en) * 2016-07-25 2019-07-05 恒安嘉新(北京)科技股份公司 A kind of method of pair of assets active probe and loophole early warning
CN106973068B (en) * 2017-05-11 2020-10-13 北京北信源软件股份有限公司 Illegal device discovery method and device
CN107579966B (en) * 2017-08-28 2020-12-08 新华三技术有限公司 Control method, device and system for remotely accessing intranet and terminal equipment
CN109495331B (en) * 2017-09-11 2020-09-11 大唐移动通信设备有限公司 System monitoring method and device of network management system
CN108667812B (en) * 2018-04-18 2020-12-25 北京中科兴安技术有限公司 White environment credibility analysis method for multi-index scoring of special host
CN109257391A (en) * 2018-11-30 2019-01-22 北京锐安科技有限公司 A kind of access authority opening method, device, server and storage medium
CN109831452A (en) * 2019-03-07 2019-05-31 北京华安普特网络科技有限公司 A kind of distributed fire wall
CN113162956A (en) * 2020-01-22 2021-07-23 华为技术有限公司 Method, device and network equipment for establishing communication connection
CN112615842B (en) * 2020-12-11 2022-09-06 黑龙江亿林网络股份有限公司 Network security implementation system and method based on big data platform
CN112532658B (en) * 2021-02-08 2021-05-07 腾讯科技(深圳)有限公司 Cloud network escape event scanning method and device and computer readable storage medium
CN113360894A (en) * 2021-06-01 2021-09-07 北京天空卫士网络安全技术有限公司 User behavior recording method and device
CN114553734A (en) * 2022-01-05 2022-05-27 重庆东电通信技术有限公司 Open type Internet of things terminal evaluation system
CN116346904B (en) * 2023-05-19 2023-09-22 北京奇虎科技有限公司 Information pushing method, device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564507A (en) * 2004-04-22 2005-01-12 上海三盈通信科技有限公司 Distinguishing method and system combined information security software, hardware with user's status of enterprise
CN101252441A (en) * 2008-02-20 2008-08-27 深圳市永达电子有限公司 Acquired safety control method and system based on target capable of setting information safety

Also Published As

Publication number Publication date
CN101635730A (en) 2010-01-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: SHENZHEN YONGDA ELECTRONIC INFORMATION CO., LTD.

Free format text: FORMER NAME: SHENZHEN RONGDA ELECTRONICS CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 518057 Shenzhen Aerospace Science and Technology Innovation Research Institute, South ten road, Nanshan District science and technology, Guangdong, Shenzhen D301-D309

Patentee after: Shenzhen Yongda electronic Touchplus information Corp

Address before: 518057 Shenzhen Aerospace Science and Technology Innovation Research Institute, South ten road, Nanshan District science and technology, Guangdong, Shenzhen D301-D309

Patentee before: Shenzhen Rongda Electronics Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system for safe management of internal network information of small and medium-sized enterprises

Effective date of registration: 20190807

Granted publication date: 20120502

Pledgee: Bank of Beijing Limited by Share Ltd Shenzhen branch

Pledgor: Shenzhen Yongda electronic Touchplus information Corp

Registration number: Y2019440020003

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20201203

Granted publication date: 20120502

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: SHENZHEN Y&D ELECTRONICS INFORMATION Co.,Ltd.

Registration number: Y2019440020003

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system of Intranet Information Security trusteeship in small and medium sized enterprises

Effective date of registration: 20201216

Granted publication date: 20120502

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: SHENZHEN Y&D ELECTRONICS INFORMATION Co.,Ltd.

Registration number: Y2020980009416

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20220408

Granted publication date: 20120502

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: SHENZHEN Y&D ELECTRONICS INFORMATION Co.,Ltd.

Registration number: Y2020980009416