Summary of the invention
The objective of the invention is centralized design, control and management driven by security policy: a network security management system is provided that realizes unified customization, distribution, management and control of security policy across a network environment, together with collaborative early warning on security incidents and their fast location. It protects both the network and the host systems; it prevents the leakage of sensitive information, blocks attacks from inside and outside more effectively, and reduces the large management cost a customer has to pay to keep the network secure.
Another object of the present invention is to provide a network security management method.
The present invention is realized as follows.
A security-policy-based network security management system comprises:
--- a system supporting platform (SSP), installed in the network to be protected as the server of the management system; it authenticates and authorizes the policy enforcement points and policy management centers of the administered network, issues and stores security policy, discovers vulnerabilities of legal hosts in the network and detects illegal hosts connecting to the network;
--- a policy management center (PMC), responsible for managing the security of the administered network, defining security policy and specifying where each policy applies;
--- policy enforcement points (PEPs), installed on the systems and devices to be protected; they download and execute policy and protect the device or system on which they run;
--- a log server, responsible for collecting and aggregating log information for centralized audit and incident tracing.
The system supporting platform has the following functional modules:
Distributed coordination module: provides the back-end support for distributed management of the system, and handles information exchange and command parsing between the system supporting platforms at each level;
Administration module: receives and processes commands from the policy management center and calls the other modules to carry them out;
Authentication module: authenticates and authorizes the policy management centers, policy enforcement points and lower-level system supporting platforms within its administrative domain;
Online module: interacts with the policy enforcement points, manages the information of each enforcement point and feeds that information back to the other modules;
Linkage module: interacts with other products so that this system and those products form a linked defence;
Configuration module: stores and queries the system's configuration and data in the back end;
Communication encryption module: encrypts, decrypts and classifies communication data to guarantee its security;
Vulnerability scanning module: scans the legal hosts for the vulnerabilities they have;
Illegal external connection discovery module: discovers illegal hosts connected to the network.
The policy management center has the following functional modules:
Man-machine interface: interacts with the administrator and provides the administration interface;
Authority control module: limits the administrator's authority so that different administrators have different configuration and administration rights;
Query module: responds to log query and configuration retrieval commands and returns the results;
Configuration module: responds to each configuration operation and passes the change notification of the configuration to the system supporting platform;
Remote monitoring module: responds to the administrator's monitoring commands and returns the results;
Login authentication module: carries out the administrator's authentication request by interacting with the system supporting platform and returns the result;
Log management module: handles the routine operations related to logs;
Communication encryption module: encrypts, decrypts and classifies communication data to guarantee its security.
Each policy enforcement point comprises one policy download engine and N policy execution engines, N ≥ 1.
The policy download engine downloads policy and configures the local environment; it comprises the following modules:
Man-machine interface: interacts with the local user and provides the administration interface;
User management module: manages the local user, responds to configuration and query operations and returns the results;
Login authentication module: interacts with the system supporting platform to authenticate;
Log management module: manages the local logs in a unified way and, by interacting with the log server, saves them to the remote database;
Policy local management module: stores and updates policy locally;
Local communication module: interacts with the policy execution engines to transmit policy and logs;
Communication encryption module: encrypts, decrypts and classifies network communication data to guarantee its security.
The policy execution engine executes policy and protects the system and device on which it runs; it comprises the following modules:
Policy local execution module: executes the policy and returns the response;
Policy parsing module: parses the policy;
Local communication module: communicates with the policy download engine to transmit policy and logs.
The log server has the following functional modules:
Log analysis module: analyses and stores the received logs;
Alarm module: processes logs according to their alarm classification;
Communication encryption module: encrypts, decrypts and classifies communication data to guarantee its security.
The system supporting platform supports multilevel distributed deployment. When a large-scale network is deployed, the system supporting platforms can be divided into N levels (N ≥ 1) according to the size of the network and the level of supervision. There is an administration relation between the platforms at different levels: the first level manages the second level and those below it, the second level manages the third level and those below it, and so on. Each system supporting platform can work independently and can also work in cooperation with other system supporting platforms.
The security-policy-based network security management system can be linked with other security products and network products so as to achieve a common defence, including linkage with firewalls, anti-virus, vulnerability scanning, intrusion detection, network equipment and so on.
A security-policy-based network security management method: a security policy is the definition of the targets that need protection and of the method of protecting them, and the method is realized through the definition, issue and execution of security policy. It comprises the following steps:
1. define the security policy in the policy management center and set the targets that need protection;
2. issue the policy through the system supporting platform to the policy enforcement points of the target devices and systems;
3. after the policy enforcement point has executed the policy, notify the log server of the result.
The security policy in step 1 is divided into: firewall policy set, application security, mail protection, Web protection, authority protection, intrusion detection, high-level policy, system supervision, anti-denial-of-service, data backup and restore, and encryption and secure transmission.
The security management and control system of the present invention adopts the idea of integrated network security defence, follows the P2DR security model and applies the theory and technology of integrated defence; it supports a distributed architecture and can protect end users' hosts as well as the various network service devices, network equipment and security devices.
The security-policy-based network security management system is an integrated defence system: by means of a management method based on security policy, a unified security management and control platform and a distributed architecture, it combines several security techniques such as security authentication, information audit, intrusion detection, access control and data protection into one powerful security management and control system.
The effect of the invention
1. The security-policy-based network security management system can realize unified planning and deployment of security in a network, so that overall security improves.
2. Security functions: the present invention both blocks attacks coming from outside or inside and prevents the leakage of sensitive information. The security-policy-based network security management system provides richer functions than other security systems (as shown in Table 1):
Table 1: function comparison of the present system with other systems
Function point | Firewall | Intrusion detection | Backup and restore | VPN | Anti-virus | Vulnerability scanning | Information filtering | Authentication | Security policy management system |
Authentication | | | | | | | | Y | Y |
Access control | Y | | | | | | | | Y |
Intrusion detection | Y | Y | | | | | | | Y |
System supervision | | | | | | | | | Y |
Anti-DoS | Y | Y | | | | | | | Y |
Web filtering | | | | | | | Y | | Y |
Operating system protection | | | | | | | | | Y |
Hardware constraints | | | | | | | | | Y |
Vulnerability scanning | | | | | | Y | | | Y |
Illegal external connection discovery | | | | | | | | | Y |
Mail protection | | | | | Y | | Y | | Y |
Application program protection | | | | | | | | | Y |
Data restore and protection | | | Y | | | | | | Y |
Encrypted transmission | | | | Y | | | | | Y |
Anti-virus | | | | | Y | | | | Can itself resist network worms; can be linked with anti-virus and extended |
3. Prevention of large-scale network viruses
The security-policy-based network security management system can guarantee that the network effectively resists network worms such as Sasser and Blaster that appeared in the last two years. By a set of policies such as application firewall policy and operating system patch policy, the security of all hosts in the network can be raised to a level sufficient to resist a new large-scale virus before it appears. Even if some hosts are infected by a network worm, it cannot spread to the other hosts.
4. Reduced cost of building security
From the cost point of view, the explicit cost of building security mainly comprises equipment cost and staff training cost; in addition there is a large invisible cost, for example the administrator's labour cost, the cost of information loss, the cost of changing the network configuration, the administrator's maintenance cost and so on.
The equipment purchase cost of adopting the security-policy-based network security management system is about 1/2 of the cost of adopting a conventional security solution.
The security-policy-based network security management system also greatly reduces the customer's invisible cost (as shown in Table 2).
Table 2: comparison of invisible cost
| Security-policy-based network security management system | Conventional security solution |
Administrator's labour cost | Only one administrator is needed | Different devices may need different administrators |
Information loss cost | Prevents unauthorized access and attack from outside and inside | Can only prevent unauthorized access and attack from outside |
Network configuration change cost | No change of network configuration is needed | Usually the network configuration has to be changed |
Administrator's regular maintenance cost | Little, and can be done by remote maintenance | On-site maintenance cost is very high |
5. Effective adaptation to changes of the user's location
The security-policy-based network security management system adapts effectively to changes of the user's location. Wherever the user's host connects to the network, and whichever host in the network the user uses, the user obtains consistent security protection. This removes the restriction that a conventional security solution places on the network access point.
The invention is further described below in conjunction with the accompanying drawings.
The present invention realizes, for users of various scales, the protection of important information and IT systems and the unified security management of information assets. It protects both the network and the host systems; it both prevents the leakage of sensitive information and blocks attacks from inside and outside more effectively.
One. The present invention is made up of four parts: the system supporting platform (SSP), the policy management center (PMC), the policy enforcement point (PEP) and the log server. The working mechanism of each part is as follows:
System supporting platform (SSP): provides the back-end support for the system's authentication and authorization, log management and policy management; collects the security information and management information of the network system and the host systems; issues and stores policy. It supports distributed multi-level deployment and can be applied to large-scale network environments. Fig. 1 is the internal structure diagram of the system supporting platform.
Working mechanism of the system supporting platform
Initialization step:
As shown in Fig. 2, first install the system supporting platforms in the administrative domains, initialize the administrative domain of each platform and the relations between them, and start the platforms at each level.
Authentication step:
1. receive the connection requests of the PMC and PEP;
2. receive the authentication requests of the PMC and PEP, verify them, and return success or failure;
3. if verification fails, disconnect the connection.
Configuration step:
1. the SSP receives the configuration request of the PMC;
2. it performs the configuration update and forwards the configuration request as required;
3. it returns to the PMC whether the configuration update succeeded.
Monitoring or command step:
1. the SSP receives the command request of the PMC;
2. according to the target object of the command, it executes the command locally or forwards the command request to an SSP or a PEP;
3. it receives the execution result and forwards it to the PMC.
Information gathering and query step:
Periodically collect all information (including: network equipment, PEP, PSP), and maintain the communication and state information between the levels.
Policy management center (PMC): responsible for organization management, user management, policy definition and application, system monitoring, system settings, log query and report analysis, providing a unified management platform. Fig. 3 is the internal structure diagram of the policy management center.
Working mechanism of the policy management center.
Initialization step:
As shown in Fig. 4, install the policy management center and configure the system supporting platforms and administrative domains it can manage; one system supporting platform corresponds to one or more administrative domains, and there may be an inclusion relation between domains. Define the administrators at each level, including the roles of each level such as system administrator, domain administrator, operator, auditor and approver. Define the network equipment and target users that need to be managed or cooperated with.
Login step:
1. the administrator inputs the administrator account information;
2. the PMC establishes a network connection to the system supporting platform and sends an authentication request;
3. the system supporting platform authenticates the administrator according to the administrator's jurisdiction;
4. after the system supporting platform's verification passes, the login enters the management system and reads the current configuration; otherwise the logout process is executed.
Configuration step:
1. define and configure the organizations and user groups in the administrative domain, define and configure the administrators at each level, and define and configure each network device;
2. distribute the configuration to the system supporting platform, which returns success or failure after verification.
Monitoring and command step:
1. send a monitoring instruction or special command to the SSP (the target object can be an SSP or a PEP);
2. receive the monitoring content or execution result returned by the SSP.
Logout step:
1. the PMC sends a logout request to the SSP;
2. the PMC disconnects its connection with the SSP.
Policy enforcement point (PEP): runs the policy execution engine, protects the security of host systems, servers and network equipment, executes the customized security policy, and gathers the system's various security information and logs. Policy enforcement points are deployed on the hosts, servers and network equipment that need protection. The internal structure is shown in Fig. 5, Fig. 6 and Fig. 7.
The working mechanism comprises:
Initialization step:
As shown in Fig. 8, install the policy enforcement point on the equipment that needs protection and set the relevant parameters for the equipment to be monitored.
Registration step:
1. input the user account information and the login domain;
2. establish a network connection to the system supporting platform of that domain and send an authentication request;
3. update the user information on the SSP.
Login step:
1. input the user account information and the login domain;
2. establish a network connection to the system supporting platform of that domain and send an authentication request (if the network fails, it can switch to the standby system supporting platform);
3. the system supporting platform authenticates it;
4. after the system supporting platform's verification passes, download and execute the policy.
Monitoring and command step:
1. receive the command and monitoring request forwarded by the SSP;
2. execute the command locally and return the result to that SSP.
Logout step:
1. send a logout request to the SSP;
2. stop communicating with the SSP.
Log server: collects and aggregates log information for centralized audit and incident tracing (as shown in Fig. 9).
The working mechanism comprises:
Initialization procedure:
As shown in Fig. 10, install the database system and the log server, configure the connection and communication mode between the log server and the database system (ODBC, ADO, DAO, OLE DB or the database system's own mode), and start the log server.
Log collection:
The log server collects the log information of each part and records it in the database, and sends alarm messages for the logs that need an alarm.
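The alarm module's job (processing collected logs by alarm class and sending alarm messages for the ones that need one) can be shown on constructed input. The following is an added example, not the patent's own code: it parses constructed log lines whose level field is the English keyword or abbreviation from the rank table given later in the policy definition (0 Emergency ... 7 None), stores everything except rank 7, and raises alarms under two assumed rules: a log of rank 2 or lower (Critical or worse) alarms immediately, and three Error-rank events from one source inside a 60-second window raise a burst alarm. The line format, the source names and both thresholds are assumptions.

```python
"""Alarm classification for the log server (added example, not the patent's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LEVELS = {  # rank: (English keyword, abbreviation), from the page's rank table
    0: ("Emergency", "Emerg"), 1: ("Alert", "Alert"), 2: ("Critical", "Crit"),
    3: ("Error", "Error"), 4: ("Warning", "Warn"), 5: ("Notification", "Notice"),
    6: ("Informational", "Info"), 7: ("None", "None"),
}
RANK_OF = {name.lower(): rank for rank, names in LEVELS.items() for name in names}

# Assumed line format: "<date> <time> <source> <level> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\S+) (?P<level>\S+) (?P<msg>.*)$")

SAMPLE_LOG = [  # constructed sample lines, not captured from the system
    "2024-03-05 09:00:01 pep-17 Info policy group PG1 version 10 applied",
    "2024-03-05 09:00:05 pep-17 Warn AppCondition matched iexplorer.exe version 400000",
    "2024-03-05 09:01:10 pep-22 Error FwAclCondition Drop TCP 10.0.0.9:445",
    "2024-03-05 09:01:20 pep-22 Error FwAclCondition Drop TCP 10.0.0.9:445",
    "2024-03-05 09:01:40 pep-22 Error FwAclCondition Drop TCP 10.0.0.9:445",
    "2024-03-05 09:02:00 pep-22 None heartbeat",
    "2024-03-05 09:02:30 ssp-1 Crit illegal host 10.0.0.77 connected to the network",
    "2024-03-05 09:03:00 pep-17 Notice user alice logged in",
]


def parse_line(line):
    """Return {'ts', 'src', 'rank', 'msg'}; an unknown level is rejected, not guessed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    level = m.group("level").lower()
    if level not in RANK_OF:
        raise ValueError(f"unknown log level {m.group('level')!r}")
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "src": m.group("src"), "rank": RANK_OF[level], "msg": m.group("msg")}


def classify(lines, immediate_rank=2, burst_rank=3, burst_count=3, window_s=60):
    """Store every log except rank 7 and return (stored_records, alarms).

    Alarm entries are ('immediate', src, rank, msg) or ('burst', src, count, msg).
    """
    stored, alarms = [], []
    recent = defaultdict(deque)          # src -> timestamps of recent burst_rank events
    for line in lines:
        rec = parse_line(line)
        if rec["rank"] == 7:             # rank 7 'None': the page says produce no log
            continue
        stored.append(rec)
        if rec["rank"] <= immediate_rank:
            alarms.append(("immediate", rec["src"], rec["rank"], rec["msg"]))
        elif rec["rank"] == burst_rank:
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window_s:   # drop events outside the window
                q.popleft()
            if len(q) >= burst_count:
                alarms.append(("burst", rec["src"], len(q),
                               f"{len(q)} errors within {window_s}s, last: {rec['msg']}"))
                q.clear()                # one alarm per burst
    return stored, alarms


if __name__ == "__main__":
    records, found = classify(SAMPLE_LOG)
    print(f"stored {len(records)} records")
    for alarm in found:
        print(alarm)
```

On the sample above the heartbeat line is dropped, the third Drop from pep-22 raises a burst alarm, and the Critical line from ssp-1 raises an immediate one; a line with a level that is not in the table raises ValueError so that a mis-typed level is noticed rather than silently filed as informational.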
The network communication protocols of the present invention comprise: the policy login protocol between the SSP and the PEP is based on TCP/IP, and the heartbeat between the SSP and the PEP is based on UDP/IP; the policy management protocol between the SSP and the PMC is based on TCP/IP. Because there are many users, scalability has to be considered, so both TCP and UDP are used between the SSP and the PEP: the heartbeat mechanism is generally realized over UDP and login over TCP. Linkage between the SSP and other equipment uses TCP/IP.
The present invention can be linked with other security products to achieve a common defence. The security-policy-based network security management system supports linkage with a variety of existing security equipment, as follows:
Linkage with a firewall
As shown in Fig. 11, linking the security-policy-based network security management system with a firewall guarantees that only hosts under security protection can access specific resources.
1. the policy enforcement point applies to the system supporting platform for authentication;
2. after authentication succeeds, the system supporting platform notifies the firewall of the user's IP address;
3. the firewall decides according to the notification of the system supporting platform whether to let this user through.
The notification between the system supporting platform and the firewall can use the following mechanisms:
1. immediate active notification: as soon as the system supporting platform finds that the set of authenticated users has changed, it notifies the firewall;
2. periodic notification: the system supporting platform notifies the firewall at regular intervals;
3. active query: as soon as the firewall finds an access request from a new IP address, it actively queries the system supporting platform.
Linkage with anti-virus
Using the remote virus-database upgrade function of the security-policy-based network security management system, automatic mandatory upgrade of the anti-virus client can be realized.
Linkage with vulnerability scanning
Fig. 12 shows the linkage with vulnerability scanning.
Linking the security-policy-based network security management system with vulnerability scanning guarantees that the system supporting platform deploys effective policy to the policy enforcement points.
1. the vulnerability scanner performs vulnerability detection on the protected hosts (policy enforcement points);
2. it notifies the system supporting platform of the detection results (risk level and vulnerability type);
3. the system supporting platform formulates the corresponding policy accordingly and applies it to the policy enforcement points.
Linkage with intrusion detection
As shown in Fig. 13, linking the security-policy-based network security management system with intrusion detection guarantees that security incidents are responded to in time and prevents them from getting worse.
1. the intrusion detection system reports the detected security incident to the system supporting platform;
2. according to the content detected, the system supporting platform can take different policies: if the source of the incident is an authenticated policy enforcement point, the policy will forbid the related operations of that policy enforcement point; if the source of the incident is not a currently authenticated policy enforcement point, the policy will instruct the relevant policy enforcement points to take the corresponding protective and precautionary measures against the malicious behaviour of that source.
Linkage with network products
As shown in Fig. 14, linking the security-policy-based network security management system with network products guarantees that only hosts under security protection can access specific resources.
1. the policy enforcement point applies to the system supporting platform for authentication;
2. after authentication succeeds, the system supporting platform notifies the network product of the user's IP address;
3. the network product decides according to the notification of the system supporting platform whether to let this user through.
The notification between the system supporting platform and the network product can use the following mechanisms:
1. immediate active notification: as soon as the system supporting platform finds that the set of authenticated users has changed, it notifies the network product;
2. periodic notification: the system supporting platform notifies the network product at regular intervals;
3. active query: as soon as the network product finds an access request from a new IP address, it actively queries the system supporting platform.
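The exchange described for the firewall linkage and for the network-product linkage (the same three notification mechanisms), as an added example that is not part of the original patent: one class plays the system supporting platform, the other the firewall or network product, configured in 'push' (immediate active notification), 'periodic' or 'query' (active query) mode. The credential store, the hashed-password check, the query-result cache and its 30-second TTL are assumptions introduced here; the scenario returns what each mode permits before login, after login, after a timer tick and after logout.

```python
"""SSP-to-firewall / network-product linkage (added example, not the patent's code)."""
import hashlib
import hmac


class SupportingPlatform:
    """SSP side: authenticates PEP users and publishes the set of authenticated IPs."""

    def __init__(self, users):
        self._users = users                 # user -> sha256 hex of password (assumed store)
        self.authenticated = {}             # ip -> user
        self._push, self._periodic = [], []

    def attach(self, device, mode):
        if mode == "push":
            self._push.append(device)
        elif mode == "periodic":
            self._periodic.append(device)
        elif mode != "query":               # 'query' devices call is_authenticated() themselves
            raise ValueError(f"unknown mode {mode}")

    def authenticate(self, user, password, ip):
        digest = hashlib.sha256(password.encode()).hexdigest()
        expected = self._users.get(user, "0" * 64)          # constant-time compare either way
        ok = hmac.compare_digest(expected, digest) and user in self._users
        if ok:
            self.authenticated[ip] = user
            self._notify_push()             # mechanism 1: notify as soon as the set changes
        return ok

    def logout(self, ip):
        if self.authenticated.pop(ip, None) is not None:
            self._notify_push()             # revocation is also a change

    def is_authenticated(self, ip):         # answers mechanism 3 (active query)
        return ip in self.authenticated

    def _notify_push(self):
        for device in self._push:
            device.notify(set(self.authenticated))

    def periodic_tick(self):                # mechanism 2: the timer fires
        for device in self._periodic:
            device.notify(set(self.authenticated))


class Firewall:
    """Firewall or network product: lets through only addresses the SSP vouches for."""

    def __init__(self, ssp, mode, cache_ttl=30):
        self.ssp, self.mode, self.ttl = ssp, mode, cache_ttl
        self.allowed, self.cache = set(), {}   # cache: ip -> (expiry, verdict), query mode only
        ssp.attach(self, mode)

    def notify(self, allowed_ips):
        self.allowed = set(allowed_ips)

    def permits(self, src_ip, now=0):
        if src_ip in self.allowed:
            return True
        if self.mode != "query":
            return False
        entry = self.cache.get(src_ip)
        if entry is None or entry[0] <= now:   # new address or expired verdict: ask the SSP
            entry = (now + self.ttl, self.ssp.is_authenticated(src_ip))
            self.cache[src_ip] = entry
        return entry[1]


def run_scenario():
    """One PEP logs in and out; record what each firewall mode permits and when."""
    ssp = SupportingPlatform({"alice": hashlib.sha256(b"correct horse").hexdigest()})
    push, periodic = Firewall(ssp, "push"), Firewall(ssp, "periodic")
    query = Firewall(ssp, "query", cache_ttl=30)
    ip, r = "10.0.0.23", {}
    r["bad_password"] = ssp.authenticate("alice", "wrong", ip)
    r["before_login"] = (push.permits(ip), periodic.permits(ip), query.permits(ip, now=0))
    r["login"] = ssp.authenticate("alice", "correct horse", ip)
    r["after_login"] = (push.permits(ip), periodic.permits(ip), query.permits(ip, now=10))
    ssp.periodic_tick()
    r["after_tick"] = (periodic.permits(ip), query.permits(ip, now=31))
    ssp.logout(ip)
    r["after_logout"] = (push.permits(ip), periodic.permits(ip),
                         query.permits(ip, now=40), query.permits(ip, now=62))
    return r


if __name__ == "__main__":
    for step, verdicts in run_scenario().items():
        print(step, verdicts)
```

The scenario makes the trade-off between the three mechanisms visible: only the push mode reflects both login and logout at once; the periodic mode keeps admitting a logged-out address until the next tick; and the query mode, because it only asks about a new address, holds a stale negative after login and a stale positive after logout until its cache entry expires. A deployment that relies on active query should therefore also receive push notifications so that a revocation invalidates the cached verdict.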
The present invention adopts a multi-level, extensible user management system (domain, organization, user) and supports multi-layer domains and organizations, as shown in Fig. 15. Each domain can have its own administrator, and administrators are divided by authority into four supervisory levels (system administrator, domain administrator, domain operator, auditor). Several domains can be deployed on one SSP, or a single domain can be deployed on an SSP independently. The hierarchical management of domains is realized by the hierarchy of SSPs.
Two. The security-policy-based network security management method of the present invention adopts a distributed multi-level management system; each part has a certain independence and at the same time they complement each other, forming one complete integrated defence system. The method comprises the following steps:
1. First deploy and install the system supporting platforms. The system supporting platforms support multilevel distributed deployment and can match the actual management structure of the network. In a multi-level management structure the system supporting platforms are divided (first level, second level, third level, ...) according to the level of supervision they belong to; there is an administration relation between the platforms at different levels, the first level managing the second level and those below it, the second level managing the third level and those below it, and so on. Peer platforms can be defined to work cooperatively or independently, so deployment is very flexible. Peer platforms can also back each other up and support a failover mode: when a platform at some level fails, its tasks can be transferred to the superior platform or taken over by another peer platform, which provides a powerful recovery mechanism.
2. Define the security policy in the policy management center. The policy management center is deployed on operating platforms such as PCs, notebooks and workstations and deploys and manages the whole system: it defines administrative domains, divides the administrators' functions and powers, defines organizations and user groups, defines policies and policy sets, distributes policy sets, queries logs and generates reports, and monitors users, the network and the system.
3. Issue the policy through the system supporting platform to the policy enforcement points of the target devices and systems. Policy enforcement points are deployed on the hosts and/or equipment that need protection and management, including PCs, notebooks, workstations, servers, network equipment and security equipment, and carry out the corresponding protection according to the default policy or user-defined rules and policies.
4. After execution, the system supporting platform, the policy management center and the policy enforcement points notify the log server of the results in the form of logs, and alarm messages are sent for the logs that need an alarm.
The present invention is based on security policy. Security policy classifies security techniques scientifically according to the purpose and method of protection and represents them abstractly in one unified way. Policy descriptions are written in XML. Policy is defined as follows:
A policy is divided into several parts: the basic part, condition (Condition), action (Action) and log (Log). One policy can hold multiple Conditions and Actions.
In order to support multiple platforms, policy is compiled into different formats and then distributed to the different types of platform (some platforms also download the XML form directly and process it themselves). Compiled policy has a more compact form and takes little storage space, which helps equipment platforms with low processing capability.
The following auxiliary classes are used to express policy conditions:
AppCondition: AppName, AppVersion, AppDegist, AppExePath, AppCreateTimestamp, AppSize, etc.
FwAclCondition: AclProto, AclLocalIp, AclRemoteIp, AclLocalPort, AclRemotePort, AclIcmpcode, etc.
TimeCondition: TimeMonthMask, TimeDayOfMonthMask, TimeDayOfWeekMask, TimeOfDayMask, etc.
The condition of a complex policy may be composed of subclasses of several classes. A more flexible policy condition is ExtCondition (extensible policy condition), which is based on attribute/value pairs and has two attributes, prop and val.
Action is divided into Drop, Reject, Pass and Skip.
Log is divided according to rank:
Rank | English keyword | Abbreviation | Chinese keyword (translated) | Description |
0 | Emergency | Emerg | Emergency message | Error that may cause the system to crash |
1 | Alert | Alert | Alert message | Serious error, action must be taken at once |
2 | Critical | Crit | Critical error | Serious error |
3 | Error | Error | Error message | General error |
4 | Warning | Warn | Warning message | Warning message |
5 | Notification | Notice | Notification message | Important information |
6 | Informational | Info | Information | General information |
7 | None | None | No log | Produces no log |
Policies can be divided into groups; the basic format of each group is as follows:
PolicyGroup{
    PolGroupName=POLICYGROUPNAME;
    PolGroupVersion=POLICYGROUPVERSION;
    PolGroupPriority=POLICYGROUPPRIORITY;
    Policy{
        pid=PID;
        PolPriority=POLICYPRIORITY;
        XXXCondition{};
        ...
        Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    };
    Policy{...};
};
Below is a demonstration of a cached policy:
PolicyGroup{
    PolGroupName="PG1";
    PolGroupVersion=10;
    PolGroupPriority=20;
    Policy{
        pid=185439;
        PolPriority=12;
        AppCondition{ AppName=iexplorer.exe; AppVersion=400000; };   // Version 4.0
        Action{ ActionType=Alert; ActionParam="Upgrade your IE please."; };
    };
    Policy{
        pid=xxx;
        PolPriority=0;
        AppCondition{ AppName=aftp.exe; };
        Action{ ActionType=PASS; };
    };
    Policy{
        pid=2001212;
        PolPriority=0;
        AppCondition{ AppName=foxmail.exe; };
        FwAclCondition{ AclProto=TCP; AclRemotePort=25,110; };
        Action{ ActionType=PASS; };
    };
    Policy{
        pid=xxx;
        PolPriority=5;
        TimeCondition{
            TimeDayOfWeekMask=0x3E;        // Monday~Friday
            TimeOfDayMask=0x0003CF00;      // 8:00~12:00, 14:00~18:00
        };
        XXX{};
        YYY{};
        Action{ ActionType=PASS; };
    };
};
The execution of a single policy is completed in the order shown in Fig. 16.
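A parser and matcher for the PolicyGroup format shown above, added here as an example and not taken from the patent. It tokenizes the brace syntax (quoted strings, name=value pairs, nested blocks, // comments to end of line), builds a tree, and evaluates AppCondition, FwAclCondition and TimeCondition against a request context. The policy text is a constructed variant of the page's demonstration (straight quotes, comments after the closing brace, an invented pid for the time-based policy, the placeholder policies left out); the AND-ing of the conditions inside one policy, the descending-PolPriority evaluation order with first match winning, exact AppVersion matching, and the bit layout of the masks (bit 0 of TimeDayOfWeekMask = Sunday, so 0x3E is Monday to Friday; bit h of TimeOfDayMask = hour h, so 0x0003CF00 is 8:00-12:00 and 14:00-18:00) are assumptions.

```python
"""Parser and matcher for the PolicyGroup brace format (added example, not the patent's code)."""
import re
from datetime import datetime

# Constructed policy text adapted from the page's demonstration (see lead-in for the changes).
POLICY_TEXT = """
PolicyGroup{ PolGroupName="PG1"; PolGroupVersion=10; PolGroupPriority=20;
  Policy{ pid=185439; PolPriority=12;
    AppCondition{ AppName=iexplorer.exe; AppVersion=400000; };   // Version 4.0
    Action{ ActionType=Alert; ActionParam="Upgrade your IE please."; };
  };
  Policy{ pid=2001212; PolPriority=0;
    AppCondition{ AppName=foxmail.exe; };
    FwAclCondition{ AclProto=TCP; AclRemotePort=25,110; };
    Action{ ActionType=PASS; };
  };
  Policy{ pid=7; PolPriority=5;
    TimeCondition{ TimeDayOfWeekMask=0x3E; TimeOfDayMask=0x0003CF00; };   // Mon-Fri, 8-12 and 14-18
    Action{ ActionType=PASS; };
  };
};
"""

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{}=;]|[^\s{}=;"]+')


class Node:
    """One brace block: its kind (PolicyGroup, Policy, AppCondition, ...), attrs and children."""
    def __init__(self, kind):
        self.kind, self.attrs, self.children = kind, {}, []


def tokenize(text):
    return TOKEN_RE.findall(re.sub(r"//[^\n]*", "", text))   # drop // comments first


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _parse_block(toks, i):
    if i + 1 >= len(toks) or toks[i + 1] != "{":
        raise ValueError(f"expected NAME{{ at token {i}")
    node, i = Node(toks[i]), i + 2
    while i < len(toks) and toks[i] != "}":
        if i + 2 < len(toks) and toks[i + 1] == "=":          # name=value;
            node.attrs[toks[i]] = _unquote(toks[i + 2])
            i += 3
        elif i + 1 < len(toks) and toks[i + 1] == "{":        # nested block
            child, i = _parse_block(toks, i)
            node.children.append(child)
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
        if i < len(toks) and toks[i] == ";":
            i += 1
    if i >= len(toks):
        raise ValueError(f"unterminated block {node.kind}")
    return node, i + 1                                          # step over '}'


def parse_policy_group(text):
    node, _ = _parse_block(tokenize(text), 0)
    if node.kind != "PolicyGroup":
        raise ValueError("top-level block must be PolicyGroup")
    return node


def _ports(spec):
    """'25,110' or '1024-65535' -> set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def _matches(cond, ctx):
    a = cond.attrs
    if cond.kind == "AppCondition":
        return (("AppName" not in a or a["AppName"].lower() == ctx.get("app", "").lower())
                and ("AppVersion" not in a or int(a["AppVersion"]) == ctx.get("version")))
    if cond.kind == "FwAclCondition":
        return (("AclProto" not in a or a["AclProto"].upper() == ctx.get("proto", "").upper())
                and ("AclRemotePort" not in a or ctx.get("rport") in _ports(a["AclRemotePort"])))
    if cond.kind == "TimeCondition":
        when = ctx.get("when")
        if when is None:
            return False
        when = datetime.fromisoformat(when) if isinstance(when, str) else when
        dow = (when.weekday() + 1) % 7                          # Sunday=0 ... Saturday=6 (assumed)
        return (("TimeDayOfWeekMask" not in a or int(a["TimeDayOfWeekMask"], 0) >> dow & 1)
                and ("TimeOfDayMask" not in a or int(a["TimeOfDayMask"], 0) >> when.hour & 1))
    raise ValueError(f"unknown condition class {cond.kind}")


def evaluate(group, ctx):
    """Return (pid, ActionType, ActionParam) of the first matching policy, or None."""
    policies = sorted((p for p in group.children if p.kind == "Policy"),
                      key=lambda p: int(p.attrs.get("PolPriority", 0)), reverse=True)
    for pol in policies:
        conds = [c for c in pol.children if c.kind.endswith("Condition")]
        actions = [c for c in pol.children if c.kind == "Action"]
        if actions and all(_matches(c, ctx) for c in conds):   # conditions are AND-ed (assumed)
            act = actions[0].attrs
            return int(pol.attrs["pid"]), act.get("ActionType", "").upper(), act.get("ActionParam")
    return None


if __name__ == "__main__":
    g = parse_policy_group(POLICY_TEXT)
    print(evaluate(g, {"app": "iexplorer.exe", "version": 400000, "when": "2024-03-09T10:00"}))
    print(evaluate(g, {"app": "foxmail.exe", "proto": "tcp", "rport": 80, "when": "2024-03-05T09:00"}))
```

The context is a plain dictionary (app, version, proto, rport, when as an ISO timestamp or datetime); a policy whose conditions reference a field the context lacks does not match, and a condition class the matcher does not know raises an error instead of being treated as satisfied, which is the safe default for an enforcement point receiving policy it cannot interpret.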
This policy description language has the following properties:
(1) Extensibility: the policy description language must accommodate multiple secure access-control mechanisms, such as access control based on address, protocol or port, content-based access control, and so on, and these mechanisms themselves are constantly changing.
(2) Generality: because policies may be enforced on many kinds of platform, the policy description language should be general and supported by many platforms.
(3) Support for policy conflict detection: conflicts are unavoidable in complex security policies, that is, several policy rules contradict one another, which leads to misconfiguration or misunderstanding of the security policy. Policy conflict detection usually converts the policy rules into logical expressions and applies a dedicated algorithm to detect the conflicts.
(4) Policy readability: an understandable policy language makes it convenient for the administrator to formulate accurate security policies and to check and maintain their correctness.
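The following Python is an added example, not code from the patent: it parses the PolicyGroup syntax shown above and implements the conflict detection of property (3) by treating each policy's condition attributes as sets of literal values. Two policies overlap when every attribute they share has a common value (an attribute missing on one side is a wildcard); they conflict when they prescribe different ActionTypes at equal PolPriority, and the lower-priority one is merely shadowed when priorities differ. Block, parse_policy_group, find_conflicts, the "shadowed" category and the sample input (the cached group above plus two constructed policies) are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Added example (not the patent's code): parser for the Name{ key=value; ... }
# policy syntax, plus pairwise conflict detection over the parsed policies.

TOKEN_RE = re.compile(r'"[^"]*"|[{}=;]|[^\s{}=;"]+')


def tokenize(text):
    """Strip //-comments (to end of line) and split into tokens."""
    return TOKEN_RE.findall(re.sub(r"//[^\n]*", "", text))


@dataclass
class Block:
    name: str
    attrs: dict = field(default_factory=dict)     # key=value entries
    children: list = field(default_factory=list)  # nested Name{...} blocks

    def child(self, name):
        return next((c for c in self.children if c.name == name), None)


def _parse_block(tokens, pos):
    """Parse Name{ ... } starting at tokens[pos]; return (Block, next pos)."""
    name = tokens[pos]
    if tokens[pos + 1] != "{":
        raise ValueError(f"expected '{{' after {name}")
    blk, pos = Block(name), pos + 2
    while tokens[pos] != "}":
        if tokens[pos + 1] == "=":                 # attribute
            blk.attrs[tokens[pos]] = tokens[pos + 2].strip('"')
            pos += 3
        elif tokens[pos + 1] == "{":               # nested block
            child, pos = _parse_block(tokens, pos)
            blk.children.append(child)
        else:
            raise ValueError(f"unexpected token {tokens[pos]!r}")
        if tokens[pos] == ";":                     # separators are optional
            pos += 1
    return blk, pos + 1


def parse_policy_group(text):
    return _parse_block(tokenize(text), 0)[0]


def _condition_sets(policy):
    """Map 'Cond.Attr' -> set of literal values for each *Condition child."""
    return {f"{c.name}.{k}": set(v.split(","))
            for c in policy.children if c.name.endswith("Condition")
            for k, v in c.attrs.items()}


def _overlap(a, b):
    """Both policies can match one request if every attribute they share has
    a common value; an attribute missing on one side acts as a wildcard."""
    return all(a[k] & b[k] for k in a.keys() & b.keys())


def find_conflicts(group):
    """(pid_a, pid_b, kind) for each pair that overlaps but prescribes different
    ActionTypes: 'conflict' at equal PolPriority (no tie-break), 'shadowed'
    when the higher-priority policy deterministically wins."""
    policies = [c for c in group.children if c.name == "Policy"]
    found = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if not _overlap(_condition_sets(p), _condition_sets(q)):
                continue
            if p.child("Action").attrs.get("ActionType") == q.child("Action").attrs.get("ActionType"):
                continue
            kind = "conflict" if p.attrs.get("PolPriority") == q.attrs.get("PolPriority") else "shadowed"
            found.append((p.attrs["pid"], q.attrs["pid"], kind))
    return found


# Constructed sample: the cached group above, plus two made-up policies
# (pids 3000001 and 3000002) that overlap with existing ones.
SAMPLE = """
PolicyGroup{ PolGroupName="PG1"; PolGroupVersion=10; PolGroupPriority=20;
  Policy{ pid=185439; PolPriority=12;
    AppCondition{ AppName=iexplorer.exe; AppVersion=400000; // Version 4.0
    };
    Action{ ActionType=Alert; ActionParam="Upgrade your IE please."; };
  };
  Policy{ pid=2001212; PolPriority=0;
    AppCondition{ AppName=foxmail.exe; };
    FwAclCondition{ AclProto=TCP; AclRemotePort=25,110; };
    Action{ ActionType=PASS; };
  };
  Policy{ pid=3000001; PolPriority=0;   // same app and port 25, opposite action
    AppCondition{ AppName=foxmail.exe; };
    FwAclCondition{ AclProto=TCP; AclRemotePort=25; };
    Action{ ActionType=BLOCK; };
  };
  Policy{ pid=3000002; PolPriority=9;   // overlaps 185439 at lower priority
    AppCondition{ AppName=iexplorer.exe; };
    Action{ ActionType=PASS; };
  };
};
"""

if __name__ == "__main__":
    for pair in find_conflicts(parse_policy_group(SAMPLE)):
        print(pair)
```

Because the parser strips `//` comments to end of line, the sample keeps each commented attribute on its own line; a comment placed before a closing brace on the same line would swallow the brace, which is exactly how the one-line listing above would fail if fed in verbatim.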
Although policy formulation is very flexible and policies can be very complex, for ease of management the common kinds of policy still need to be classified.
Besides the primary condition part, every policy can carry optional conditions, such as time conditions and environment conditions (operating system and its version, network type, whether the host is in screen-saver state, etc.).
In the present invention, policies are divided into 11 major classes according to function and target. The classification follows the way security policies are planned and applied in real environments with present technology, and is a refinement of the policy definition.
Firewall policy set
Purpose: block internal or external network access and attacks; limit access to network resources.
Content:
Supports access control based on protocols such as IP, ICMP, IGMP, TCP and UDP
Supports access control based on packet size
Supports access control for particular network application services, for example HTTP, FTP, POP3, SMTP, TELNET, OICQ, ICQ, MSN Messenger, etc.
Supports access control of TCP and UDP network ports
Supports access control based on TCP flag bits
File-sharing control based on NetBIOS
Access control based on time and date
Syntactic description:
FwPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    ProtoCondition{
        ProtoType=(IP:ICMP:IGMP:TCP:UDP)
        ServType=(HTTP:FTP:POP3:SMTP:TELNET:OICQ:ICQ:Custom)
        PktParam=(PKTSIZE:TCPFLAG:IPADDR:HWADDR)
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Application security
Purpose: restrict the network access authority of specified applications; limit the execution authority of specified applications
Content:
Supports version control and integrity checking of typical applications, for example the IE browser, Outlook, Explorer, etc.
Supports extended version control and integrity checking for user-written programs
Defines the TCP and UDP network ports an application may open
Defines the execution authority of an application
Defines the secure operating configuration of an application
Enforces the password strength of application administrators
Application usage control based on time and date
Syntactic description:
AppPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    AppCondition{
        AppType=(IE, OUTLOOK, ...)
        AppParam=APPPRIV:APPPATH:APPINFO
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Mail protection
Purpose: limit leakage of information through network mail; audit mail content and block possible malicious mail
Content:
Mail filtering based on black, grey and white lists
Forbids sending and receiving mail with certain content or keywords
Provides filtering and detection of attachments in multiple formats
Provides limits on attachment size and on mail content size
Mail filtering based on sender and recipient
Mail usage control based on time and date
Supports automatic encrypted transmission of mail to specified recipient addresses
Supports automatic decryption of mail from specified sender addresses
Syntactic description:
MailPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    MailCondition{
        MailAddr=RECVER:SENDER
        MailAttach=ATTACHINFO
        MailArgu=FORMAT:TYPE
    }
    ContentCondition{ Content=OBJKEY }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Web protection
Purpose: restrict the web browsing access rights of protected hosts; block possible publication of illegal information
Content:
Limits the user's network browsing authority
Supports web page filtering based on URL
Supports web page filtering based on keywords
Supports web page filtering and restriction based on content classification (pornographic, political, management, news, inartful, etc.)
Limits posting authority on network forums
Filtering by file type and media type
Limits file upload and download
Restricts Java applets, JavaScript and ActiveX
Restricts cookies
Limits pop-up advertisements and similar pop-up windows
Web usage control based on time and date
Syntactic description:
WebPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    WebCondition{
        WebUrl=OBJURL
        WebArgu=MIME:REQUEST:REPLY:PRIV
    }
    ContentCondition{ Content=OBJKEY }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Authority protection
Purpose: protect the usage rights of valuable host resources
Content:
Protects the usage rights of valuable host resources
Limits use of specific local file resources (for example directory access, disk protection, file read/modify/execute permissions)
Limits share permissions
Limits starting and stopping of system services
Protects the registry from tampering
Protects specific operating system configuration from modification
Restricts execution of certain system configuration operations
Restricts use of specified hardware devices (for example USB devices, parallel-port devices (printers), serial devices (COM1, COM2), floppy drives, CD-ROM drives, DVD drives, infrared interfaces, ZIP disks, etc.)
Binding of devices or addresses such as CPU, hard disk, network card (IP, MAC) and motherboard
Authority usage control based on time and date
Syntactic description:
PrivPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    FILECondition{ PrivResource=FILE:DISK PrivArgu=PATHINFO }
    DevCondition{ PrivResource=DEVICE(USB,PRINTER,CD/DVD...) PrivArgu=DEVINFO }
    SysCondition{ SysEnv=REGISTER:SYSSERVICE PrivArgu=OSINFO }
    ProtectCond{ ProtectType=READ:WRITE:LIST:EXEC:DO }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Intrusion detection
Purpose: detect and block possible network intrusions and attacks
Protection:
Provides signature-based intrusion detection
Supports anomaly-based intrusion detection
Stops scanning attacks such as network scans, TCP port scans and operating system scans
Supports virus detection
Syntactic description:
IdsPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    IdsCondition{ IdsSig=IDSSIGNATURE }
    VirusCondition{ VirusSig=VIRUSSIGNATURE }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
High-level policy
Purpose: customize system-wide global policies and issue announcements
Protection:
Customized system information broadcast
Forces remote operating system auto-update and automatic installation of operating system patches
Forces remote virus database auto-update
Forces remote application auto-update
Forces remote PEP auto-update
Remote system lock
Forces a password-protected screen saver
Enforces administrator password strength
Restricts sniffer network monitoring
Sets the default network state (allow, forbid)
Limits dial-up access rights
User IP and MAC binding
Legal host vulnerability discovery
Illegal host connection discovery
Syntactic description:
AdvPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    AdvCondition{
        AdvType=MSG:UPDATE:PROTECT:MONITOR
        AdvArgu=ADVARGU     (according to AdvType)
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; ActionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; LogParam=LOGPARAMETER; }
};
System supervision
Purpose: supervise and control the operating state of network hosts and servers; monitor the operating state of network equipment and security devices
Content:
Monitors the network traffic of protected equipment
Monitors the network card operating state (mode, bandwidth) of protected equipment
Monitors the usage of every resource of protected equipment
Monitors and authorizes the operating state of system services and processes
Monitors and authorizes disk partitioning and data backup and restore
Monitors and authorizes host file system backup and restore
Authorized remote capture of the host system screen
Authorized remote monitoring of the host system keyboard
Syntactic description:
MonPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    MonCondition{
        MonType=FLOW:NICMODE:OS:DISKRECOVER:FILERECOVER:SCREEN:KEY
        MonArgu=MONARGU     (according to MonType)
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; ActionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; LogParam=LOGPARAMETER; }
};
Anti-denial-of-service
Purpose: protect hosts and services from, and reduce, the damage caused by denial-of-service attacks
Protection:
ARP attack restriction and alarming
Restricts UDP flood attacks
Restricts ICMP flood attacks
Restricts TCP connection intensity
Restricts ICMP packet characteristics (length, frequency)
Dynamic control based on weight analysis
Restricts the traffic volume of a specified network segment
Supports access intensity limits based on network address ranges
Syntactic description:
DOSPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    DosCondition{ DosType=DYNAMIC:STATIC:ANALYSIS }
    ArpCondition{ ArpMac=SRCMAC:DSTMAC ArpLimit=LIMIT }
    TcpCondition{ Tcp=TCPINFO TcpLimit=LIMIT }
    UdpCondition{ Udp=UDPINFO UdpLimit=LIMIT }
    IcmpCondition{ Icmp=ICMPINFO IcmpLimit=LIMIT }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
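As an added example, not code from the patent, the following Python shows the kind of per-source limiter that an IcmpLimit or UdpLimit value in a DOSPolicy could drive: a sliding window counts packets passed from each (source address, protocol) pair and drops whatever exceeds the limit within the window, which is what "restrict ICMP flood attacks" and "access intensity limits based on network address ranges" amount to at the enforcement point. Reading LIMIT as packets per second from one source, the FloodLimiter class and the constructed traffic sample are this example's assumptions; the patent does not define the unit of LIMIT.

```python
from collections import defaultdict, deque

# Added example (not the patent's code): sliding-window flood limiter keyed by
# (source address, protocol). The "packets per window per source" reading of
# the policy's LIMIT value is an assumption of this example.


class FloodLimiter:
    def __init__(self, limits, window=1.0):
        self.limits = limits                 # proto -> max packets per window
        self.window = window                 # window length in seconds
        self.history = defaultdict(deque)    # (src, proto) -> timestamps passed

    def check(self, ts, src, proto):
        """Return 'PASS' or 'DROP' for one packet arriving at time ts."""
        limit = self.limits.get(proto)
        if limit is None:                    # no limit configured for proto
            return "PASS"
        q = self.history[(src, proto)]
        while q and ts - q[0] >= self.window:  # expire arrivals outside window
            q.popleft()
        if len(q) >= limit:                  # window already full: flood
            return "DROP"
        q.append(ts)
        return "PASS"


def apply_policy(packets, limits):
    """Run packets (ts, src, proto) in arrival order; return one verdict each."""
    lim = FloodLimiter(limits)
    return [lim.check(ts, src, proto) for ts, src, proto in sorted(packets)]


def verdict_counts(verdicts):
    return {v: verdicts.count(v) for v in ("PASS", "DROP")}


# Constructed traffic: 25 ICMP packets in half a second from 10.0.0.5 (a
# flood), 3 ICMP from 10.0.0.6 (normal), one late ICMP from 10.0.0.5 after
# its window has expired, and one TCP packet for which no limit is set.
SAMPLE_PACKETS = (
    [(0.02 * i, "10.0.0.5", "ICMP") for i in range(25)]
    + [(0.1, "10.0.0.6", "ICMP"), (0.2, "10.0.0.6", "ICMP"), (0.3, "10.0.0.6", "ICMP")]
    + [(1.5, "10.0.0.5", "ICMP"), (1.6, "10.0.0.5", "TCP")]
)
# Assumed policy values, as if taken from IcmpCondition{ IcmpLimit=20 } and
# UdpCondition{ UdpLimit=100 }.
SAMPLE_LIMITS = {"ICMP": 20, "UDP": 100}

if __name__ == "__main__":
    print(verdict_counts(apply_policy(SAMPLE_PACKETS, SAMPLE_LIMITS)))
```

Only packets that passed are recorded, so a source that keeps flooding stays blocked until its earlier passed packets age out of the window; a limiter that also counted dropped packets would block a persistent flooder indefinitely, which is a design choice to make deliberately rather than by accident.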
Data backup and recovery
Purpose: back up and recover hard disk data, effectively guarding against data loss and system crashes caused by disk formatting, virus attack or human destruction; protect the file system and effectively recover files and data
Content:
Supports data protection of very large hard disks
Supports protection of CMOS data
Supports partition-level and disk-level protection
Supports hiding and read/write protection of partitions
Supports data protection based on file directory
Supports data protection based on file type
Supports the Windows 2000, XP and 2003 operating systems
Supports FAT16, FAT32, NTFS and other file systems
Disk occupancy of 3/10000
Supports instant data restore
Supports automatic and manual recovery, automatic and manual save
Supports remote installation, remote control, remote backup and recovery
Supports password protection
Resists formatting tools such as FDISK
Compatible with partition tools such as PQ Magic
Supports encryption of files or subdirectories of specified categories
Syntactic description:
RecoverPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    RecvCondition{
        RecvType=DISK:FILE:PATH
        RecMethod=MANUAL:AUTO
        ProtectType=FULL:PASS:HIDE
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
Encryption and secure transmission
Purpose: protect the confidentiality and integrity of data in transit
Content:
Supports VPN encrypted transmission when the user accesses assigned addresses
Supports plaintext transmission when the user accesses non-assigned addresses
Syntactic description:
CryptPolicy{
    pid=PID;
    PolPriority=POLICYPRIORITY;
    CryptCondition{
        CrypType=DES:ADES:MD5:SHA:...
        AuthType=CLEARTEXT:CERT:SSL:TLS:OTP:KERBEROS:SASL
    }
    TimeCondition{ TimeCond=STARTENDTIME; DateCond=STARTENDDATE; };
    Action{ actionType=ACTIONTYPE; actionParam=ACTIONPARAMETER; };
    Log{ logGrade=LOGGRADE; logParam=LOGPARAMETER; }
};
The distribution of security policies in the present invention comprises the following:
Policy distribution combines "push" and "pull", with the actual transfer performed by "pull". After a policy change, the SSP uses "push" to notify the PEPs in all managed domains; this can use multicast to improve efficiency. If the network cannot support multicast, or the network is small, unicast may also be used. A PEP can also actively "pull" policies after logging in to the SSP.
In addition, the PEP periodically sends a "heartbeat" (Heartbeat) signal to the policy server to inform the SSP of its presence and of some policy-related information, such as the currently logged-in user of the host, the host operating system and version, the current policy version number, and so on.
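The push/pull exchange and the heartbeat described above, as an added example that is not code from the patent: an SSP publishes versioned policy groups and pushes only a change notification, the PEP reports its current versions in a heartbeat and pulls whatever the SSP marks stale, and a duplicate push (for example a multicast retransmit) is ignored because the version is not newer. The JSON message shapes, the field names and the SSP/PEP classes are this example's own assumptions, not the patent's wire format.

```python
import json
from dataclasses import dataclass, field

# Added example (not the patent's code): push/pull policy distribution with
# heartbeats, modelled as in-process JSON messages. Field names are assumed.


@dataclass
class SSP:
    """Policy server: holds the current version of each policy group."""
    groups: dict = field(default_factory=dict)      # name -> (version, body)
    pep_state: dict = field(default_factory=dict)   # pep id -> last heartbeat
    outbox: list = field(default_factory=list)      # pushed notifications

    def publish(self, name, version, body):
        self.groups[name] = (version, body)
        # "push": only the version number travels; the body is pulled later
        self.outbox.append(json.dumps(
            {"msg": "POLICY_CHANGED", "group": name, "version": version}))

    def handle(self, raw):
        req = json.loads(raw)
        if req["msg"] == "HEARTBEAT":
            self.pep_state[req["pep"]] = req          # presence + host facts
            stale = [g for g, (v, _) in self.groups.items()
                     if req["versions"].get(g, -1) < v]
            return json.dumps({"msg": "HEARTBEAT_ACK", "stale": stale})
        if req["msg"] == "PULL":
            version, body = self.groups[req["group"]]
            return json.dumps({"msg": "POLICY", "group": req["group"],
                               "version": version, "body": body})
        return json.dumps({"msg": "ERROR", "reason": "unknown message"})


@dataclass
class PEP:
    pep_id: str
    user: str
    os_version: str
    policies: dict = field(default_factory=dict)    # group -> (version, body)

    def heartbeat(self, ssp):
        """Report presence, user, OS and policy versions; pull what is stale."""
        hb = {"msg": "HEARTBEAT", "pep": self.pep_id, "user": self.user,
              "os": self.os_version,
              "versions": {g: v for g, (v, _) in self.policies.items()}}
        ack = json.loads(ssp.handle(json.dumps(hb)))
        for g in ack["stale"]:
            self.pull(ssp, g)
        return ack["stale"]

    def on_push(self, ssp, raw):
        """React to a pushed POLICY_CHANGED; pull only if the version is newer."""
        note = json.loads(raw)
        if note["msg"] == "POLICY_CHANGED" and \
                self.policies.get(note["group"], (-1,))[0] < note["version"]:
            self.pull(ssp, note["group"])
            return True
        return False

    def pull(self, ssp, group):
        resp = json.loads(ssp.handle(json.dumps({"msg": "PULL", "group": group})))
        self.policies[group] = (resp["version"], resp["body"])
        return resp["version"]


def demo():
    ssp = SSP()
    ssp.publish("PG1", 10, "PolicyGroup{ ... }")        # constructed body
    pep = PEP("host-42", "alice", "Windows XP SP2")      # constructed host
    stale_on_login = pep.heartbeat(ssp)                  # login: PEP pulls PG1
    ssp.publish("PG1", 11, "PolicyGroup{ ... v11 }")     # change: SSP pushes
    pushed = pep.on_push(ssp, ssp.outbox[-1])            # PEP pulls v11
    dup = pep.on_push(ssp, ssp.outbox[-1])               # retransmit ignored
    return stale_on_login, pushed, dup, pep.policies["PG1"][0]


if __name__ == "__main__":
    print(demo())
```

The heartbeat doubles as the recovery path for a lost push: because each heartbeat carries the PEP's current version numbers, the SSP can answer with the stale groups and the PEP converges within one heartbeat interval even when the multicast notification never arrived.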
Application example
A certain customer is a nationwide organization whose structure is divided into several levels, such as a national center, provincial centers and municipal centers. The technical strength of the national and provincial centers is relatively strong, while that of the municipal centers is relatively weak, and the organization frequently runs into security problems, for example: network worms spreading unchecked, system patches not installed in time, default system shares left open, inability to prevent insiders from visiting illegal websites, inability to prevent internal users from leaking information, and so on.
Targeting the customer's practical problems and needs, the customer is provided with the network security management system solution based on security policy. The whole system consists of several parts, as shown in Figure 17: one or more system supporting platforms (for load balancing) and policy management centers are deployed at the national center and at each provincial center; the network security administrator uses the policy management center to set the policies and rights of different users within its scope of authority; these policies, rights and user information are kept on the system supporting platform; the system supporting platforms of the national center and the provincial centers form a tree, which guarantees synchronization of information and uniformity of policy; each user's policy differs according to the group the user belongs to.
A policy execution engine is installed on all user hosts and servers in the organization; when a user logs in to the network, the engine automatically downloads the security policy from its system supporting platform and executes it locally.
Test date: 14 October 2004
Test tool: X-Scan v3.1, using the August 2004 scan database; detection range: 192.168.2.86
Main security policies:
Block bidirectional Trojan horses
Do not allow the local host name to be obtained
Forbid everyone from connecting to low-numbered ports
Forbid all open shares
Allow outbound ftp, telnet, http, smtp, pop3
Do not allow others to probe with the ping command; allow outbound ping probes
After deployment of the policy-based network security management system, the various security and management problems that occurred in the original system were effectively solved and prevented, the administrator's cost of maintaining and managing user hosts was greatly reduced, the security of user hosts was transparently and effectively guaranteed, and the spread of large-scale worm viruses was effectively guarded against and resisted.
Before deployment of the policy-based network security management system, this host had very serious security risks and a high risk level; using the policy-based network security management system shielded the overwhelming majority of this host's vulnerabilities and greatly reduced the system risk level.