CN106790231A - Security domain generation method and device, and security operation and maintenance supervision system - Google Patents


Info

Publication number: CN106790231A
Authority: CN (China)
Prior art keywords: security domain, domain, business, security, visual angle
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201710032712.5A
Other languages: Chinese (zh)
Inventors: 彭光学, 彭帅, 成戍, 胡斌
Current assignee: Wuhan Sunshine Information Intelligent Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Wuhan Sunshine Information Intelligent Technology Co Ltd
Application filed by Wuhan Sunshine Information Intelligent Technology Co Ltd
Priority to CN201710032712.5A
Publication of CN106790231A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network security architectures or protocols for managing network security; network security policies in general
    • H04L63/10: Network security architectures or protocols for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
Abstract

Embodiments of the invention provide a security domain generation method and device and a security operation and maintenance (O&M) supervision system, in the technical field of information system management. The security domains include a business-view security domain, and the method includes: obtaining the plurality of components in the information system; and dividing a global view according to the purpose or role of those components, thereby generating a business-view security domain global view. The business-view security domain global view includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain, so that the layered, domain-divided classification of every component in the information system is displayed intuitively.

Description

Security domain generation method and device, and security O&M supervision system
Technical field
The present invention relates to the technical field of information system management, and in particular to a security domain generation method and device and a security O&M supervision system.
Background technology
Existing security O&M supervision systems are managed as the top layer of the information system and as the handle of integrated management, but they offer no good security domain view that intuitively displays the layered, domain-divided classification of each element in the information system, and no hierarchically nested global view associated with the physical network topology view. Editing the real network topology diagram of an information system solely through a network topology view becomes unsightly and unintuitive once the information system contains very many elements, which seriously harms the user experience; and showing, without any layering, the attribute information, performance and status, logs and events, traffic and vulnerability information of every monitored object in a single network topology view makes the display slow to respond and places a heavy demand on server processing performance.
Summary of the invention
In view of this, the purpose of the embodiments of the invention is to provide a security domain generation method and device and a security O&M supervision system that address the above problems. To achieve this, the embodiments adopt the following technical scheme:
In a first aspect, an embodiment of the invention provides a security domain generation method applied to a management information system. The security domains include a business-view security domain, and the method includes: obtaining the plurality of components in the information system; and dividing a global view according to the purpose or role of those components, generating the business-view security domain global view. The business-view security domain global view includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain. The business service application security domain communicates with the business service application support security domain. The business service application support security domain communicates with the zone boundary security domain. The zone boundary security domain communicates with the network communication security domain. The zone boundary security domain communicates with the user terminal security domain. The user terminal security domain communicates with the network communication security domain. The security protection supervision security domain communicates with each of the business service application security domain, the business service application support security domain, the zone boundary security domain, the network communication security domain and the user terminal security domain.
In a second aspect, an embodiment of the invention provides a security domain generating device applied to a management information system. The security domains include a business-view security domain, and the device includes: an acquiring unit for obtaining the plurality of components in the information system; and a generation unit for dividing a global view according to the purpose or role of those components, generating the business-view security domain global view. The business-view security domain global view includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain, with the same communication relationships as in the first aspect: the business service application security domain communicates with the business service application support security domain; the business service application support security domain communicates with the zone boundary security domain; the zone boundary security domain communicates with the network communication security domain and with the user terminal security domain; the user terminal security domain communicates with the network communication security domain; and the security protection supervision security domain communicates with each of the other five domains.
In a third aspect, an embodiment of the invention provides a security O&M supervision system that includes the above business-view security domain global view.
In summary, the embodiments of the invention provide a security domain generation method and device and a security O&M supervision system applied to a management information system. The security domains include a business-view security domain; the method obtains the plurality of components in the information system and divides a global view according to their purpose or role, generating the business-view security domain global view, which consists of the six domains listed above with the communication relationships listed above. In this way the layered, domain-divided classification of every component in the information system is displayed intuitively.
Other features and advantages of the invention will be set out in the following description, will partly become apparent from that description, or will be understood by practising the embodiments of the invention. The objectives and other advantages of the invention are realised and obtained by the structures particularly pointed out in the written description, the claims and the drawings.
Brief description of the drawings
To illustrate the technical scheme of the embodiments more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the invention and are therefore not to be regarded as limiting its scope; those of ordinary skill in the art can derive other related drawings from them without creative effort.
Fig. 1 is a structural block diagram of an electronic device to which embodiments of the application can be applied;
Fig. 2 is a flowchart of the security domain generation method provided by the first embodiment of the invention;
Fig. 3 is a structural block diagram of the business-view security domain global view provided by the first embodiment of the invention;
Fig. 4 is a structural block diagram of the regional organisation view security domain global view provided by the first embodiment of the invention;
Fig. 5 is a structural block diagram of the security domain generating device provided by the second embodiment of the invention;
Fig. 6 is a structural block diagram of the security O&M supervision system provided by the third embodiment of the invention.
In the figures: 100 electronic device; 110 memory; 111 storage controller; 112 processor; 200 business-view security domain global view; 210 business service application security domain; 220 business service application support security domain; 230 zone boundary security domain; 240 network communication security domain; 250 user terminal security domain; 260 security protection supervision security domain; 300 regional organisation view security domain global view; 310 superior regional organisation security domain; 320 this-level regional organisation security domain; 330 subordinate regional organisation security domain; 400 device; 410 acquiring unit; 420 generation unit; 500 security O&M supervision system; 510 canvas editor; 511 canvas background; 512 add security domain; 513 edit security domain; 514 delete security domain; 515 view publishing; 516 view printing; 517 canvas display.
Specific embodiment
The technical scheme of the embodiments of the invention is described clearly and completely below in conjunction with the accompanying drawings. Evidently the described embodiments are only some of the embodiments of the invention, not all of them. The components of the embodiments, as generally described and illustrated in the drawings here, can be arranged and designed in a variety of configurations. The following detailed description of the embodiments shown in the drawings is therefore not intended to limit the claimed scope of the invention, but merely represents selected embodiments. All other embodiments that those skilled in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be defined and explained further in subsequent drawings. Also, in the description of the invention the terms "first", "second" and so on are used only to distinguish one description from another and are not to be understood as indicating or implying relative importance.
The security protection system of existing information systems is built with reference to the international ISO 27000 series of standards, the national graded protection series of standards and the hierarchical protection series of standards for information system security. All of these standards require information systems to be protected in a graded, layered, domain-divided manner, and they give explicit definitions, division principles and methods for security domains, as follows:
A security domain is a set of interconnected IT elements that share a working environment, have the same or similar security protection requirements and protection strategies, trust one another, and are interrelated or interact.
Security domains are divided according to regional organisation, business, security level and security policy.
Because the business differs between industries, the division method and the result of the division also differ. The concrete division of security domains should therefore be carried out for each industry, user and set of requirements, combined with the experience accumulated in that industry.
Although the security protection system construction requirements of all these standard series set specific requirements for dividing security domains, existing network topology views have no hierarchical relationships, cannot properly embody the layered, domain-divided security domain concept, and cannot be drilled into from the security domain perspective to reach a network topology view at a glance.
In view of this, the embodiments of the invention provide a security domain generation method and device and a security O&M supervision system to address these problems.
Referring to Fig. 1, which shows a structural block diagram of an electronic device 100 to which embodiments of the application can be applied. The electronic device 100 may be a user terminal, a computer or a server, and the user terminal may be a mobile phone or a tablet computer. As shown in Fig. 1, the electronic device 100 may include a memory 110, a storage controller 111, a processor 112 and the security domain generating device.
The memory 110, the storage controller 111 and the processor 112 are electrically connected to one another, directly or indirectly, to transmit or exchange data; for example, they may be connected through one or more communication buses or signal buses. The security domain generation method includes at least one software function module that can be stored in the memory 110 in the form of software or firmware, such as the software function modules or computer programs included in the security domain generating device.
The memory 110 can store various software programs and modules, such as the program instructions and modules corresponding to the security domain generation method and device provided by the embodiments of the application. The processor 112 executes the software programs and modules stored in the memory 110 to perform various functional applications and data processing, that is, to implement the security domain generation method of the embodiments. The memory 110 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM) and electrically erasable programmable read-only memory (EEPROM).
The processor 112 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a central processing unit (CPU) or a network processor (NP); it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, or discrete hardware components. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the application. The general-purpose processor may be a microprocessor or any conventional processor.
First embodiment
Referring to Fig. 2, an embodiment of the invention provides a security domain generation method applied to a management information system. The security domains include a business-view security domain, and the method includes:
Step S200: obtain the plurality of components in the information system;
Step S210: divide a global view according to the purpose or role of those components, generating the business-view security domain global view.
Referring to Fig. 3, the business-view security domain global view 200 includes a business service application security domain 210, a business service application support security domain 220, a zone boundary security domain 230, a network communication security domain 240, a user terminal security domain 250 and a security protection supervision security domain 260. The business service application security domain 210 communicates with the business service application support security domain 220. The business service application support security domain 220 communicates with the zone boundary security domain 230. The zone boundary security domain 230 communicates with the network communication security domain 240 and with the user terminal security domain 250. The user terminal security domain 250 communicates with the network communication security domain 240. The security protection supervision security domain 260 communicates with each of the business service application security domain 210, the business service application support security domain 220, the zone boundary security domain 230, the network communication security domain 240 and the user terminal security domain 250.
The business service application security domain 210 includes portal-type websites, service-type applications, office-type applications, operations-type applications, supervision-type applications, decision and command applications, and the server storage system.
The business service application support security domain 220 may include, but is not limited to, real-name identity authentication, trusted time, electronic seals, digital signatures, digital envelopes, unified user management, unified authorisation management, unified access control, unified accountability auditing, electronic file sharing and exchange, resource service management, resource service utilisation, workflow management services, form management services, content directory management, spatio-temporal information services, portal services and application development tools.
The zone boundary security domain 230 may include, but is not limited to, network anti-virus gateways, terminal access control, network firewalls, network intrusion detection and network intrusion prevention.
The network communication security domain 240 may include, but is not limited to, routing devices, switching devices and secure encryption devices.
The user terminal security domain 250 may include an internal user terminal security subdomain and an external user terminal security subdomain. The internal user terminal security subdomain includes the office terminals, service processing terminals and administrator terminals of internal users; likewise, the external user terminal security subdomain includes the office terminals, service processing terminals and administrator terminals of external users.
The security protection supervision security domain 260 may include, but is not limited to, vulnerability scanning systems, host monitoring and audit systems, terminal security login systems, host anti-virus software systems, removable storage media management systems, integrated O&M supervision systems, integrated security management systems, integrated operation and maintenance systems, system configuration management and the policy management control centre.
The security domains may also include a regional organisation view security domain, and the method further includes:
dividing a global view according to the perspective of vertical hierarchical management and same-level subordinate organisation management, generating a regional organisation view security domain global view 300.
Referring to Fig. 4, the regional organisation view security domain global view 300 includes a superior regional organisation security domain 310, a this-level regional organisation security domain 320 and a subordinate regional organisation security domain 330. The this-level regional organisation security domain 320 communicates with the superior regional organisation security domain 310 and with the subordinate regional organisation security domain 330.
The business-view security domain global view 200 may be a next-level view nested under the regional organisation view security domain global view 300, for example the business-view security domain view at the level below the this-level regional organisation security domain 320; or it may directly serve as the top-level global view.
Dividing security domains from the business view and from the regional organisation view to generate global views classifies and displays the system according to one consistent classification principle and method, which satisfies the concept of graded, layered, domain-divided protection of information system security. How many security domains the whole information system has been divided into, which entity objects each security domain contains, and the relationships between the entity objects within a security domain can all be shown through the view. Representing this concept directly as a view makes it very clear and offers a professional security perspective; it also provides a reference for graded protection and for the evaluation and assessment of the hierarchical protection system. On top of the original single network topology view, the idea of virtual views and container views wraps the original network topology view in a layer of global views, and the network topology view is decomposed into local network topology views by the division of security domains. This solves the problems of a crowded network topology view in a complex information system, the poor user experience of that view and the performance pressure on the server.
It should be noted that the security domains may also include a geographic area view security domain and so on; a geographic area view security domain global view can be generated with the above method on the same principle, so it is not repeated here.
The security domain generation method provided by this embodiment is applied to a management information system. The security domains include a business-view security domain, and the method obtains the plurality of components in the information system and divides a global view according to their purpose or role, generating the business-view security domain global view, which includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain. Classifying and displaying the system according to one classification principle and method in this way displays the layered, domain-divided classification of every component in the information system intuitively.
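The business-view global view of Fig. 3 can be treated as a graph whose edges are the permitted inter-domain communications, which turns the division of steps S200 and S210 into something a defender can check observed traffic against: a flow between components whose domains are not directly linked in the view (for example a user terminal reaching server storage without passing the zone boundary and application support domains) is a segmentation finding. The following Python is an added example and not code from the patent or its assignee; the role keywords, the sample inventory and the sample flows are constructed, and treating the supervision domain as a non-transit management plane is this example's own assumption.

```python
"""Business-view security domain global view (Fig. 3) as a checkable graph.
Added example, not code from the patent: the six domains and their permitted
communication follow Fig. 3; keywords, inventory and flows are constructed."""
from collections import deque

# Domains of the business-view global view (patent reference numerals kept).
BUSINESS_APP = "210 business service application"
APP_SUPPORT = "220 business service application support"
ZONE_BOUNDARY = "230 zone boundary"
NETWORK_COMM = "240 network communication"
USER_TERMINAL = "250 user terminal"
SUPERVISION = "260 security protection supervision"
DOMAINS = (BUSINESS_APP, APP_SUPPORT, ZONE_BOUNDARY, NETWORK_COMM, USER_TERMINAL, SUPERVISION)

# Domain pairs allowed to communicate directly (undirected), as stated for Fig. 3.
PERMITTED_LINKS = {
    frozenset({BUSINESS_APP, APP_SUPPORT}),
    frozenset({APP_SUPPORT, ZONE_BOUNDARY}),
    frozenset({ZONE_BOUNDARY, NETWORK_COMM}),
    frozenset({ZONE_BOUNDARY, USER_TERMINAL}),
    frozenset({USER_TERMINAL, NETWORK_COMM}),
}
# The supervision domain communicates with every other domain.
PERMITTED_LINKS |= {frozenset({SUPERVISION, d}) for d in DOMAINS if d != SUPERVISION}

# Step S210: purpose/role keywords (from the component lists in the description)
# mapped to a domain. Order matters: "terminal access control" is a zone boundary
# component and must be matched before "access control" (application support).
ROLE_TO_DOMAIN = [
    (("portal", "office application", "business application", "server storage"), BUSINESS_APP),
    (("anti-virus gateway", "terminal access control", "firewall",
      "intrusion detection", "intrusion prevention"), ZONE_BOUNDARY),
    (("authentication", "digital signature", "access control", "audit", "workflow"), APP_SUPPORT),
    (("router", "switch", "encryption device"), NETWORK_COMM),
    (("office terminal", "service terminal", "manager terminal"), USER_TERMINAL),
    (("vulnerability scanning", "host monitoring", "antivirus software",
      "configuration management", "policy management"), SUPERVISION),
]

def classify(component):
    """Assign one component to a domain by its purpose or role (step S210)."""
    name = component.lower()
    for keywords, domain in ROLE_TO_DOMAIN:
        if any(k in name for k in keywords):
            return domain
    # An asset that fits no domain is itself a finding: it sits outside the view.
    raise ValueError(f"no security domain for component {component!r}")

def build_global_view(components):
    """Steps S200-S210: group the component inventory into the six domains."""
    view = {d: [] for d in DOMAINS}
    for component in components:
        view[classify(component)].append(component)
    return view

def direct_link_permitted(domain_a, domain_b):
    """True if the view lets the two domains communicate without an intermediary."""
    return domain_a == domain_b or frozenset({domain_a, domain_b}) in PERMITTED_LINKS

def permitted_path(domain_a, domain_b):
    """Shortest chain of domains a flow may traverse (BFS over permitted links).
    Assumption of this example: the supervision domain is a management plane,
    so it can be an endpoint but never a transit hop."""
    queue, seen = deque([[domain_a]]), {domain_a}
    while queue:
        path = queue.popleft()
        if path[-1] == domain_b:
            return path
        for nxt in DOMAINS:
            if nxt in seen or (nxt == SUPERVISION and nxt != domain_b):
                continue
            if direct_link_permitted(path[-1], nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit_flows(view, flows):
    """Flag observed (source, destination) component flows whose domains are not
    directly linked in the view, with the domain chain each should traverse."""
    owner = {c: d for d, members in view.items() for c in members}
    findings = []
    for src, dst in flows:
        a, b = owner[src], owner[dst]
        if not direct_link_permitted(a, b):
            findings.append((src, dst, permitted_path(a, b)))
    return findings

# Constructed sample inventory (step S200) and constructed observed flows.
SAMPLE_COMPONENTS = [
    "Portal website", "Server storage system", "Real-name identity authentication",
    "Network firewall", "Terminal access control", "Core switch",
    "Internal office terminal", "Vulnerability scanning system",
]
SAMPLE_FLOWS = [
    ("Internal office terminal", "Network firewall"),            # 250 <-> 230: permitted
    ("Internal office terminal", "Server storage system"),       # 250 -> 210: bypasses 230/220
    ("Vulnerability scanning system", "Server storage system"),  # 260 <-> 210: permitted
    ("Core switch", "Server storage system"),                    # 240 -> 210: bypasses 230/220
]
```

Calling `audit_flows(build_global_view(SAMPLE_COMPONENTS), SAMPLE_FLOWS)` returns the two bypassing flows, each with the chain 230, 220, 210 that the view expects them to pass through.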
Second embodiment
Referring to Fig. 5, an embodiment of the invention provides a security domain generating device 400 applied to a management information system. The security domains include a business-view security domain, and the device 400 includes:
an acquiring unit 410 for obtaining the plurality of components in the information system; and
a generation unit 420 for dividing a global view according to the purpose or role of those components, generating the business-view security domain global view.
Here the business-view security domain global view 200 includes the business service application security domain 210, the business service application support security domain 220, the zone boundary security domain 230, the network communication security domain 240, the user terminal security domain 250 and the security protection supervision security domain 260, with the same communication relationships as in the first embodiment: 210 communicates with 220; 220 communicates with 230; 230 communicates with 240 and with 250; 250 communicates with 240; and 260 communicates with each of 210, 220, 230, 240 and 250.
Each of the above units may be implemented in software code, in which case the units can be stored in the memory 110; they may equally be implemented in hardware such as an integrated circuit chip.
The technical effect, implementation principle and generated result of the security domain generating device 400 provided by this embodiment are the same as those of the preceding method embodiment. For brevity, where the device embodiment omits a detail, refer to the corresponding content of the method embodiment.
3rd embodiment
Fig. 6 is refer to, a kind of safe operation and maintenance supervising system 500, the safe operation and maintenance supervising is the embodiment of the invention provides System 500 includes above-mentioned business visual angle security domain global view 200.
Used as a kind of implementation method, the safe operation and maintenance supervising system 500 can set above-mentioned according to the demand of user Business visual angle security domain global view 200.User can also be according to itself industry characteristic and actual conditions, with reference to the above-mentioned of acquiescence Business visual angle security domain global view 200 divides view, the security domain global view of self-defined editor's demand.Global view can be with Level nesting part/global view, until part/global entities's assets object network topology schematic diagram.
In order to meet self-defined editor's demand of user, the safe operation and maintenance supervising system 500 can also include but not limit In painting canvas editing machine 510, painting canvas background 511, increase security domain 512, editing safety domain 513, deletion security domain 514, view hair Cloth 515, view prints 516 and show canvas 517.
In this embodiment, the process of custom editing a security domain global view is as follows:
The canvas editor 510 provides tools such as dashed security domain boundaries, solid security domain boundaries, container security domain boundaries, text boxes, pictures, one-way arrows, dashed arrows, solid connecting lines, dashed connecting lines, colour fill, automatic alignment and automatic spacing adjustment, and zoom in/out. The safe operation and maintenance supervising system 500 includes multiple sets of canvas backgrounds 511, and the user may select and use a canvas background picture generated by an image processing system as the canvas background 511.
After a canvas background 511 has been selected, the add security domain 512, edit security domain 513 and delete security domain 514 functions provided by the canvas can be used to add, edit and delete a security domain respectively, and brief information such as the security domain name can be set through a text box.
After a security domain has been added, its view border can be selected from one of: a dashed-box security domain boundary, a solid-box security domain boundary and a container security domain boundary. Its size can be edited, and the safe operation and maintenance supervising system 500 provides multiple sets of container styles.
After a security domain has been added, the information system entity objects that the security domain should contain can be added, together with a brief information box displayed in table-tag format. Entity objects can be freely enlarged or reduced in size, freely dragged and freely placed; the connection relationships between entity objects can be edited and laid out in the canvas editor 510, and the icon of each entity object can be customised and selected, so that an entity object network topology diagram is formed.
After multiple security domains have been added, the connection relationships, access relationships and data flow relationships between security domains can be added as arrows and lines;
On connecting lines and connection arrows, the functions that the entity objects can display can be configured, such as traffic information, an access policy summary, access logs, intrusion detection and defence information, abnormal event information, etc.
On an added entity object, the functions that the object can display can be configured, such as performance and status information, traffic information, log and event information, vulnerability information, etc.
Supervision index thresholds are set on entity objects, and abnormal events, security events and the like are collected; a real-time alarm is raised when a supervision index threshold is triggered, and also when an abnormal event or security event is detected. Alarms are graded by severity level, and the colour of the alarm flashing distinguishes the alarm severity level.
Alarm warnings can be shown on the top-level global views, such as the regional-body-perspective security domain global view 300 and the business-perspective security domain global view 200. After an administrator finds a warning on the global view, the view is drilled down layer by layer until the network topology diagram of the local or global entity objects is reached, where the entity object name, IP, alarm information and so on of the alarm can be determined more intuitively;
After editing of all security domain boundaries is finished, the result can be published as a global view with the editing functions hidden; the view automatically expands or shrinks according to the screen ratio and is displayed at an adaptive scale, and the system automatically generates and saves the configuration information of the global view. When the editing state of the security domain view needs to be displayed again, canvas display 517 is used to show the editor and operation menu of the selected canvas. View publishing 515 is used to publish the global view. View printing 516 is used to print the published global view, directly generating a security domain global view.
An embodiment of the invention provides a safe operation and maintenance supervising system 500 that includes the business-perspective security domain global view 200 described above. By configuring a layered business-perspective security domain global view 200 and presenting it directly as a view, the system makes the security posture clear at a glance and offers a professional presentation from a security perspective; it also provides a reference for the evaluation and assessment of information system classified protection and hierarchical protection systems.
In the several embodiments provided herein, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The device embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the drawings show the architecture, functions and operations of possible implementations of the devices, methods and computer program products of multiple embodiments of the invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the invention may be integrated to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the invention. The foregoing storage medium includes media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc. It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is only the preferred embodiments of the invention and is not intended to limit the invention; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
The above is only specific embodiments of the invention, but the scope of protection of the invention is not limited thereto; any change or replacement that a person skilled in the art could readily think of within the technical scope disclosed by the invention shall be covered within the scope of protection of the invention. Therefore, the scope of protection of the invention shall be defined by the scope of the claims.

Claims (10)

1. A generation method of a security domain, characterised in that it is applied to a management information system, the security domain includes a business-perspective security domain, and the method includes:
obtaining multiple components in the information system;
dividing a global view according to the purpose or function perspective of the multiple components in the information system, and generating the business-perspective security domain global view;
wherein the business-perspective security domain global view includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain; the business service application security domain and the business service application support security domain communicate with each other, the business service application support security domain and the zone boundary security domain communicate with each other, the zone boundary security domain and the network communication security domain communicate with each other, the zone boundary security domain and the user terminal security domain communicate with each other, the user terminal security domain and the network communication security domain communicate with each other, and the security protection supervision security domain communicates with each of the business service application security domain, the business service application support security domain, the zone boundary security domain, the network communication security domain and the user terminal security domain.
2. The method according to claim 1, characterised in that the business service application security domain includes portal websites, service applications, office applications, operation applications, supervision applications, decision and command applications and a server storage system.
3. The method according to claim 1, characterised in that the business service application support security domain includes real-name authentication, trusted time, electronic seal, digital signature, digital envelope, unified user management, unified authorisation management, unified access control, unified responsibility audit, electronic file sharing and exchange, resource service management, resource service utilisation, workflow management service, form management service, content directory management, spatio-temporal information service, portal service and application development tools.
4. The method according to claim 1, characterised in that the zone boundary security domain includes a network anti-virus gateway, terminal access control, a network firewall, network intrusion detection and network intrusion prevention.
5. The method according to claim 1, characterised in that the network communication security domain includes routing devices, switching devices and security encryption devices.
6. The method according to claim 1, characterised in that the security protection supervision security domain includes a vulnerability scanning system, a host monitoring and auditing system, a terminal security login system, a host anti-virus software system, a removable storage medium management system, an integrated operation and maintenance supervising system, an integrated security management system, an integrated operation and maintenance system, system configuration management and a policy management control centre.
7. The method according to claim 1, characterised in that the security domain further includes a regional-body-perspective security domain, and the method further includes:
dividing a global view according to the perspective of vertical hierarchical management and management of sub-agencies at the same level, and generating the regional-body-perspective security domain global view.
8. The method according to claim 7, characterised in that the regional-body-perspective security domain global view includes a superior regional body security domain, a current-level regional body security domain and a subordinate regional body security domain, and the current-level regional body security domain communicates with the superior regional body security domain and with the subordinate regional body security domain respectively.
9. A generation device for a security domain, characterised in that it is applied to a management information system, the security domain includes a business-perspective security domain, and the device includes:
an acquiring unit, for obtaining multiple components in the information system;
a generation unit, for dividing a global view according to the purpose or function perspective of the multiple components in the information system and generating the business-perspective security domain global view;
wherein the business-perspective security domain global view includes a business service application security domain, a business service application support security domain, a zone boundary security domain, a network communication security domain, a user terminal security domain and a security protection supervision security domain; the business service application security domain and the business service application support security domain communicate with each other, the business service application support security domain and the zone boundary security domain communicate with each other, the zone boundary security domain and the network communication security domain communicate with each other, the zone boundary security domain and the user terminal security domain communicate with each other, the user terminal security domain and the network communication security domain communicate with each other, and the security protection supervision security domain communicates with each of the business service application security domain, the business service application support security domain, the zone boundary security domain, the network communication security domain and the user terminal security domain.
10. A safe operation and maintenance supervising system, characterised in that the system includes the business-perspective security domain global view according to any one of claims 1-8.
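The inter-domain communication relationships of claim 1 can be turned into a small model that validates a connecting line drawn between two entity objects on the canvas and works out which domains a flow has to traverse. This is an added example, not code from the patent; the domain identifiers and entity names are constructed placeholders, and the choice to exclude the security protection supervision domain as a transit hop (it reaches every other domain, so a naive search would route business traffic through it) is an assumption of the example.

```python
# Added example, not from the patent: the six business-perspective security
# domains of claim 1, the inter-domain communication it permits, and checks
# built on them. Entity names below are constructed placeholders.
from collections import deque

DOMAINS = (
    "business_service_application",
    "business_service_application_support",
    "zone_boundary",
    "network_communication",
    "user_terminal",
    "security_protection_supervision",
)
HUB = "security_protection_supervision"

# Undirected pairs that claim 1 says "communicate with each other";
# the supervision domain additionally reaches every other domain.
_PAIRS = [
    ("business_service_application", "business_service_application_support"),
    ("business_service_application_support", "zone_boundary"),
    ("zone_boundary", "network_communication"),
    ("zone_boundary", "user_terminal"),
    ("user_terminal", "network_communication"),
] + [(HUB, d) for d in DOMAINS if d != HUB]
PERMITTED = {frozenset(p) for p in _PAIRS}


def domains_intercommunicate(a, b):
    """True when the model allows direct traffic between domains a and b."""
    for d in (a, b):
        if d not in DOMAINS:
            raise ValueError(f"unknown security domain: {d!r}")
    return a == b or frozenset((a, b)) in PERMITTED


def connection_allowed(entities, src, dst):
    """Validate a connecting line drawn between two entity objects on the
    canvas; `entities` maps entity name -> the domain it was placed in."""
    return domains_intercommunicate(entities[src], entities[dst])


def domain_path(src, dst, allow_supervision_transit=False):
    """Shortest chain of domains a flow must cross from src to dst, or None.
    The supervision domain touches every domain, so a naive search would route
    business traffic through it; it is not used as a transit hop by default."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in DOMAINS:
            if nxt in prev or nxt == cur:
                continue
            if nxt == HUB and nxt != dst and not allow_supervision_transit:
                continue
            if domains_intercommunicate(cur, nxt):
                prev[nxt] = cur
                queue.append(nxt)
    return None


# Constructed sample entity objects placed in the domains (not from the patent).
SAMPLE_ENTITIES = {
    "portal-web-01": "business_service_application",
    "signature-svc": "business_service_application_support",
    "fw-edge-01": "zone_boundary",
    "core-switch-01": "network_communication",
    "staff-pc-17": "user_terminal",
    "vuln-scanner": "security_protection_supervision",
}
```

A line from `staff-pc-17` straight to `portal-web-01` is rejected, because under claim 1 user terminal traffic reaches the application domain only through the zone boundary and application support domains.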
CN201710032712.5A 2017-01-16 2017-01-16 The generation method of security domain, device and safe operation and maintenance supervising system Pending CN106790231A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710032712.5A CN106790231A (en) 2017-01-16 2017-01-16 The generation method of security domain, device and safe operation and maintenance supervising system

Publications (1)

Publication Number Publication Date
CN106790231A true CN106790231A (en) 2017-05-31

Family

ID=58946138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710032712.5A Pending CN106790231A (en) 2017-01-16 2017-01-16 The generation method of security domain, device and safe operation and maintenance supervising system

Country Status (1)

Country Link
CN (1) CN106790231A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108173842A (en) * 2017-12-26 2018-06-15 国家电网公司 The disposition optimization method of software definition fire wall based on openstack cloud platforms
CN109472136A (en) * 2018-10-26 2019-03-15 山东钢铁集团日照有限公司 Virtualization cloud desktop security access method based on defense-in-depth
CN116566747A (en) * 2023-07-11 2023-08-08 华能信息技术有限公司 Safety protection method and device based on industrial Internet

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130007451A1 (en) * 2004-12-07 2013-01-03 Luc Vantalon Methods and apparatuses for secondary conditional access server
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function
CN105701703A (en) * 2016-03-09 2016-06-22 浪潮软件集团有限公司 Tax industry application domain division method
CN105847255A (en) * 2016-03-24 2016-08-10 广东三盟信息科技有限公司 Method and device for dividing virtual security domains based on virtual switched network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Tong Min (佟敏) et al.: "Analysis of BOSS Security Domain Division and Boundary Integration", Telecommunications Technology (《电信技术》) *
Luo Jun (罗俊): "A Security Domain Based Security Assessment Method for Network Information Systems", Communications Technology (《通信技术》) *
Lai Jinzhi (赖金志): "Research on the Information Security Protection System of Vocational College Campus Networks", Computer & Telecommunication (《电脑与电信》) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108173842A (en) * 2017-12-26 2018-06-15 国家电网公司 The disposition optimization method of software definition fire wall based on openstack cloud platforms
CN109472136A (en) * 2018-10-26 2019-03-15 山东钢铁集团日照有限公司 Virtualization cloud desktop security access method based on defense-in-depth
CN116566747A (en) * 2023-07-11 2023-08-08 华能信息技术有限公司 Safety protection method and device based on industrial Internet
CN116566747B (en) * 2023-07-11 2023-10-31 华能信息技术有限公司 Safety protection method and device based on industrial Internet

Similar Documents

Publication Publication Date Title
US10021138B2 (en) Policy/rule engine, multi-compliance framework and risk remediation
US10339321B2 (en) Cybersecurity maturity forecasting tool/dashboard
US10019677B2 (en) Active policy enforcement
US8769412B2 (en) Method and apparatus for risk visualization and remediation
US9712548B2 (en) Privileged analytics system
CN113486351A (en) Civil aviation air traffic control network safety detection early warning platform
CN109471846A (en) User behavior auditing system and method on a kind of cloud based on cloud log analysis
CN110140125A (en) Threat information management in safety and compliance environment
US20060155738A1 (en) Monitoring method and system
JP2018077597A (en) Security measure planning support system and method
CN106790231A (en) The generation method of security domain, device and safe operation and maintenance supervising system
Mantha et al. Cybersecurity in construction: Where do we stand and how do we get better prepared
US20230396640A1 (en) Security event management system and associated method
KR20060058186A (en) Information technology risk management system and method the same
Etoty et al. A survey of visualization tools assessed for anomaly-based intrusion detection analysis
CN112149112A (en) Enterprise information security management method based on authority separation
Ngamassi et al. Social Media Visual Analytic Toolkits for Disaster Management: A Review of the Literature.
Malyuk et al. Information security theory for the future internet
Szabó Cybersecurity issues of pension payments
CN109840719B (en) Management and control method and device for organization domain and server
WO2006077666A1 (en) Observation data display device, observation data display method, observation data display program, and computer-readable recording medium containing the program
CN113222563A (en) Audit data evidence storing and tracing system based on block chain
Al Mahmoud et al. Achieving Operational Efficiencies from a Centralized Alarm Management System
CN111092857A (en) Information security early warning method and device, computer equipment and storage medium
US11500997B1 (en) ICS threat modeling and intelligence framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531