CN103856486A - Large-scale network logical safety domain access control method - Google Patents

Large-scale network logical safety domain access control method

Info

Publication number
CN103856486A
CN103856486A
Authority
CN
China
Prior art keywords
border
control method
boundary
application
isolation
Prior art date
Legal status
Pending
Application number
CN201410070159.0A
Other languages
Chinese (zh)
Inventor
马琳
刘嵩
刘福强
房潇
Current Assignee
UNIT 91655 OF PLA
Original Assignee
UNIT 91655 OF PLA
Priority date
2014-02-28
Filing date
2014-02-28
Publication date
2014-06-11
Application filed by UNIT 91655 OF PLA
Priority to CN201410070159.0A
Publication of CN103856486A
Legal status: Pending

Abstract

The invention provides a large-scale network logical safety domain access control method for independent and differentiated protection of different safety domains. The method includes the first step of dividing boundaries between the safety domains into external network boundaries, internal network boundaries, application boundaries, longitudinal boundaries and horizontal boundaries according to connection and information relations between application systems with different types and different grades, and the second step of enabling the external network boundaries to implement one-way data input for physical isolation by adopting mobile storage media, and adopting a one-way safe isolation method and a two-way safe isolation method for logical isolation. According to the large-scale network logical safety domain access control method, the independent and differentiated protection of the different safety domains are achieved, architectures of networks and systems can be straightened out, logical structures of information systems can be more clear, and complexity for system design is simplified.

Description

Large-scale network logical security domain access control method
Technical field
The present invention relates to a security domain access control method, and in particular to an access control method for logical security domains in large-scale networks.
Background technology
Many large-scale distributed information systems involve several classes of application subsystems; each subsystem in turn contains further subsystems, and the subsystems are connected to numerous supporting and safeguarding systems, which makes the network structure of the information system increasingly complex.
Summary of the invention
The invention provides a large-scale network logical security domain access control method that achieves independent, differentiated protection of different security domains.
The large-scale network logical security domain access control method that achieves the object of the invention comprises the following steps:
(1) according to the connection and information relationships between application systems of different types and different grades within the information system, the boundaries between security domains are divided into five classes: external network boundaries, intranet boundaries, application boundaries, longitudinal boundaries and horizontal boundaries;
(2) the external network boundary implements physical isolation by one-way data import from removable storage media, and implements logical isolation by one-way secure isolation and two-way secure isolation methods;
the intranet boundary implements policy isolation by network access control, virus and malicious code filtering, authentication and authorization, and intrusion detection and auditing;
the application boundary implements application isolation by network access control and access authentication and authorization control;
the longitudinal boundary implements isolation by network access control, virus and malicious code filtering, identification/authorization/authentication, and intrusion detection and auditing;
the horizontal boundary ensures secure data exchange by network access control, virtual subnets and access lists.
The external network boundary is the boundary between an application system, or the network it relies on, and an external network such as the Internet;
the intranet boundary is the boundary between an application system and the network it relies on;
the application boundary is the boundary between different application systems;
the longitudinal boundary is the boundary between superior and subordinate similar application systems, or between similar application systems at the same level;
the horizontal boundary is the mutual-access boundary between different working domains inside an application system.
The beneficial effects of the large-scale network logical security domain access control method of the present invention are as follows:
The method meets the varied security requirements of the business systems and network systems of a complex information system by following the principle of protection by domain. Logical security domains are divided according to differences in business type, importance, management level and security grade, following a "classification, grading, partitioning" pattern under an overall defence framework: systems are classified by function and purpose, systems of the same class are graded by deployment position and importance, and similar systems at the same grade are partitioned by system. Security requirements are thus decomposed step by step into independent defence modules, the logical security domains. By planning the access mechanisms between different logical security domains as a whole and carrying out independent security protection inside each domain, the method achieves independent, differentiated protection of the domains, puts the architecture of networks and systems in order, makes the logical structure of the information system clearer, and thereby reduces the complexity of system design.
Brief description of the drawings
Fig. 1 is a schematic diagram of the division of logical security domain boundaries in a large-scale network information system according to the present invention.
Embodiment
As shown in Fig. 1, the large-scale network logical security domain access control method of the present invention comprises the following steps:
(1) according to the connection and information relationships between application systems of different types and different grades within the information system, the boundaries between security domains are divided into five classes: external network boundaries, intranet boundaries, application boundaries, longitudinal boundaries and horizontal boundaries;
the external network boundary is the boundary between an application system, or the network it relies on, and an external network such as the Internet;
the intranet boundary is the boundary between an application system and the network it relies on;
the application boundary is the boundary between different application systems;
the longitudinal boundary is the boundary between superior and subordinate similar application systems, or between similar application systems at the same level;
the horizontal boundary is the mutual-access boundary between different working domains inside an application system;
(2) the external network boundary implements physical isolation by one-way data import from removable storage media, and implements logical isolation by one-way secure isolation and two-way secure isolation methods;
the intranet boundary implements policy isolation by network access control, virus and malicious code filtering, authentication and authorization, and intrusion detection and auditing;
the application boundary implements application isolation by network access control and access authentication and authorization control;
the longitudinal boundary implements isolation by network access control, virus and malicious code filtering, identification/authorization/authentication, and intrusion detection and auditing;
the horizontal boundary ensures secure data exchange by network access control, virtual subnets and access lists.
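The two steps above amount to a classifier (which of the five boundary classes does a given pair of systems cross?) followed by a lookup (which control methods does that class require?). The following Python is an added worked example, not code from the patent or its applicant: it encodes the five boundary definitions and the per-boundary control lists from steps (1) and (2) and runs them over a small constructed inventory to report which required controls are missing on each boundary and, for the external network boundary, whether a flow direction is permitted under physical or logical isolation. The node kinds, attribute names and the sample inventory are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Boundary(Enum):
    """The five boundary classes of step (1)."""
    EXTERNAL = "external network boundary"
    INTRANET = "intranet boundary"
    APPLICATION = "application boundary"
    LONGITUDINAL = "longitudinal boundary"
    HORIZONTAL = "horizontal boundary"


# Control methods that step (2) assigns to each boundary class.
REQUIRED_CONTROLS = {
    Boundary.EXTERNAL: {"one-way data import via removable media",
                        "one-way secure isolation", "two-way secure isolation"},
    Boundary.INTRANET: {"network access control", "virus and malicious code filtering",
                        "authentication and authorization", "intrusion detection and audit"},
    Boundary.APPLICATION: {"network access control",
                           "access authentication and authorization control"},
    Boundary.LONGITUDINAL: {"network access control", "virus and malicious code filtering",
                            "identification, authorization and authentication",
                            "intrusion detection and audit"},
    Boundary.HORIZONTAL: {"network access control", "virtual subnet", "access list"},
}


@dataclass(frozen=True)
class Node:
    """A participant in a data exchange (assumed model). kind is one of
    'external' (e.g. the Internet), 'network' (a network an application relies on),
    'application' (an application system) or 'domain' (a working domain inside one)."""
    name: str
    kind: str
    system_type: str = ""   # business type; equal types mean "similar" systems
    relies_on: str = ""     # name of the network an application system relies on
    app: str = ""           # owning application system of a working domain


def classify_boundary(a: Node, b: Node) -> Optional[Boundary]:
    """Map a pair of nodes to a boundary class using the definitions of step (1).
    Returns None when the pair is not a boundary the method recognises."""
    kinds = {a.kind, b.kind}
    if "external" in kinds:
        return Boundary.EXTERNAL
    if kinds == {"application", "network"}:
        app, net = (a, b) if a.kind == "application" else (b, a)
        return Boundary.INTRANET if app.relies_on == net.name else None
    if kinds == {"domain"}:
        # Different working domains of the same application system.
        return Boundary.HORIZONTAL if a.app == b.app and a.name != b.name else None
    if kinds == {"application"} and a.name != b.name:
        # Similar systems (superior/subordinate or peers of the same type) meet at a
        # longitudinal boundary; dissimilar systems meet at an application boundary.
        return Boundary.LONGITUDINAL if a.system_type == b.system_type else Boundary.APPLICATION
    return None


def missing_controls(a: Node, b: Node, deployed: set) -> tuple:
    """Gap check: the controls step (2) requires on the a-b boundary that are not deployed."""
    boundary = classify_boundary(a, b)
    if boundary is None:
        return None, set()
    return boundary, REQUIRED_CONTROLS[boundary] - deployed


def external_flow_allowed(src: Node, dst: Node, isolation: str, device: str = "one-way") -> bool:
    """Direction rule for the external network boundary: under physical isolation only
    inbound import from removable media is allowed; under logical isolation a one-way
    device passes inbound only and a two-way device passes both directions."""
    if classify_boundary(src, dst) is not Boundary.EXTERNAL:
        raise ValueError("not an external network boundary")
    inbound = src.kind == "external"
    if isolation == "physical":
        return inbound
    if isolation == "logical":
        return inbound or device == "two-way"
    raise ValueError("isolation must be 'physical' or 'logical'")


# Constructed sample inventory (not from the patent).
INTERNET = Node("internet", "external")
CORE_NET = Node("core-net", "network")
BILLING_HQ = Node("billing-hq", "application", system_type="billing", relies_on="core-net")
BILLING_BRANCH = Node("billing-branch", "application", system_type="billing", relies_on="core-net")
HR = Node("hr", "application", system_type="hr", relies_on="core-net")
INVOICING = Node("billing/invoicing", "domain", app="billing-hq")
AUDIT = Node("billing/audit", "domain", app="billing-hq")


def demo() -> dict:
    """Classify each sample pair and report gaps against a constructed deployment."""
    deployed = {"network access control", "virus and malicious code filtering",
                "intrusion detection and audit"}
    pairs = [(INTERNET, CORE_NET), (BILLING_HQ, CORE_NET), (BILLING_HQ, HR),
             (BILLING_HQ, BILLING_BRANCH), (INVOICING, AUDIT)]
    report = {}
    for a, b in pairs:
        boundary, missing = missing_controls(a, b, deployed)
        report[(a.name, b.name)] = (boundary.value if boundary else None, sorted(missing))
    return report


if __name__ == "__main__":
    for (a, b), (boundary, missing) in demo().items():
        print(f"{a} <-> {b}: {boundary}; missing: {missing or 'none'}")
```

The report is the artefact a defender actually wants from step (2): not the list of required controls, which the claim already states, but the difference between that list and what is deployed on each concrete boundary. Pairs that fall outside the five definitions (for example an application and a network it does not rely on) are reported as no boundary, which is itself worth reviewing, since such a link has no control set assigned to it.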
Physical security measures ensure the environmental security, equipment security and media security of the information system: environmental security covers the security of the environment in which the information system is located, equipment security covers the security of the equipment belonging to the information system, and media security covers the security of the data on the media and of the media themselves.
Network security measures mainly address the security and availability of the underlying network. They implement network access security, network exchange security and virus filtering, focus on boundary access security, ensure the security of communication and exchange, and monitor the information system in real time, actively searching for weak links in the network so that, when an attack occurs, its pattern can be discovered in time and the source, means, target and harm of the attack can be judged promptly and accurately.
Host security measures mainly address the security of servers and terminals and provide security protection for them: host system protection together with monitoring and audit capabilities, so that behaviour such as unauthorised host access, unauthorised external connections, copying to peripherals and network access can be monitored and audited to prevent leakage of secrets; security risk assessment and hidden-danger discovery, so that vulnerabilities are found and repaired in time; and real-time host anti-virus, providing anti-virus protection for servers and terminals.
Application security measures are based on a certificate management system and provide identity authentication and rights management for application business. Through a secure application programming interface or an application proxy, they provide confidentiality, integrity, non-repudiation and access control services to application systems, and they provide security audit for application systems, with audit trails of behaviour such as user registration and system use.
Data encryption measures ensure the integrity and confidentiality of important system data during transmission and storage, and ensure that when an integrity error is detected in stored data, corresponding measures exist to recover the information.
The embodiment described above illustrates the preferred embodiment of the present invention and does not limit its scope; all variations and improvements that ordinary engineers and technicians in the field make to the technical solution of the present invention without departing from its design spirit shall fall within the scope of protection defined by the claims of the present invention.

Claims (2)

1. A large-scale network logical security domain access control method, comprising the following steps:
(1) according to the connection and information relationships between application systems of different types and different grades within the information system, the boundaries between security domains are divided into five classes: external network boundaries, intranet boundaries, application boundaries, longitudinal boundaries and horizontal boundaries;
(2) the external network boundary implements physical isolation by one-way data import from removable storage media, and implements logical isolation by one-way secure isolation and two-way secure isolation methods;
the intranet boundary implements policy isolation by network access control, virus and malicious code filtering, authentication and authorization, and intrusion detection and auditing;
the application boundary implements application isolation by network access control and access authentication and authorization control;
the longitudinal boundary implements isolation by network access control, virus and malicious code filtering, identification/authorization/authentication, and intrusion detection and auditing;
the horizontal boundary ensures secure data exchange by network access control, virtual subnets and access lists.
2. The large-scale network logical security domain access control method according to claim 1, characterised in that: the external network boundary is the boundary between an application system, or the network it relies on, and an external network such as the Internet;
the intranet boundary is the boundary between an application system and the network it relies on;
the application boundary is the boundary between different application systems;
the longitudinal boundary is the boundary between superior and subordinate similar application systems, or between similar application systems at the same level;
the horizontal boundary is the mutual-access boundary between different working domains inside an application system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410070159.0A CN103856486A (en) 2014-02-28 2014-02-28 Large-scale network logical safety domain access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410070159.0A CN103856486A (en) 2014-02-28 2014-02-28 Large-scale network logical safety domain access control method

Publications (1)

Publication Number Publication Date
CN103856486A true CN103856486A (en) 2014-06-11

Family

ID=50863700

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410070159.0A Pending CN103856486A (en) 2014-02-28 2014-02-28 Large-scale network logical safety domain access control method

Country Status (1)

Country Link
CN (1) CN103856486A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337971A (en) * 2015-10-20 2016-02-17 上海电机学院 Electric power information system cloud safety guarantee system and implementation method thereof
CN105808987A (en) * 2014-12-30 2016-07-27 中国移动通信集团公司 Mobile data interaction method and device
CN110768832A (en) * 2019-10-24 2020-02-07 中国计量大学 Method for monitoring information security domain of industrial control system
CN112910921A (en) * 2021-03-02 2021-06-04 中核武汉核电运行技术股份有限公司 Industrial control boundary network safety protection method
CN114826760A (en) * 2022-05-12 2022-07-29 深圳铸泰科技有限公司 Network security analysis method based on boundary theory
CN115766189A (en) * 2022-11-10 2023-03-07 贵州电网有限责任公司 Multi-channel isolation safety protection method and system
CN115766189B (en) * 2022-11-10 2024-05-03 贵州电网有限责任公司 Multichannel isolation safety protection method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101916342A (en) * 2010-08-16 2010-12-15 武汉天喻信息产业股份有限公司 Secure mobile storage device and method for realizing secure data exchange by using same
CN202495968U (en) * 2011-05-06 2012-10-17 辽宁省电力有限公司信息通信分公司 Enterprise integration information platform
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蒋诚智 et al.: "Research on a smart grid information security protection model based on classified protection", Computer and Modernization *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105808987A (en) * 2014-12-30 2016-07-27 中国移动通信集团公司 Mobile data interaction method and device
CN105337971A (en) * 2015-10-20 2016-02-17 上海电机学院 Electric power information system cloud safety guarantee system and implementation method thereof
CN110768832A (en) * 2019-10-24 2020-02-07 中国计量大学 Method for monitoring information security domain of industrial control system
CN110768832B (en) * 2019-10-24 2022-07-26 中国计量大学 Method for monitoring information security domain of industrial control system
CN112910921A (en) * 2021-03-02 2021-06-04 中核武汉核电运行技术股份有限公司 Industrial control boundary network safety protection method
CN114826760A (en) * 2022-05-12 2022-07-29 深圳铸泰科技有限公司 Network security analysis method based on boundary theory
CN114826760B (en) * 2022-05-12 2023-08-15 深圳铸泰科技有限公司 Network security analysis method based on boundary theory
CN115766189A (en) * 2022-11-10 2023-03-07 贵州电网有限责任公司 Multi-channel isolation safety protection method and system
CN115766189B (en) * 2022-11-10 2024-05-03 贵州电网有限责任公司 Multichannel isolation safety protection method and system

Similar Documents

Publication Publication Date Title
Habibzadeh et al. A survey on cybersecurity, data privacy, and policy issues in cyber-physical system deployments in smart cities
Nguyen et al. {FLAME}: Taming backdoors in federated learning
Mughal Cybersecurity Architecture for the Cloud: Protecting Network in a Virtual Environment
Sookhak et al. Security and privacy of smart cities: a survey, research issues and challenges
US7779465B2 (en) Distributed peer attack alerting
US20130086685A1 (en) Secure integrated cyberspace security and situational awareness system
US20130086376A1 (en) Secure integrated cyberspace security and situational awareness system
CN105409164A (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
Kebande et al. Real-time monitoring as a supplementary security component of vigilantism in modern network environments
CN105430000A (en) Cloud computing security management system
CN103856486A (en) Large-scale network logical safety domain access control method
CN104065651A (en) Information flow dependability guarantee mechanism for cloud computation
CN109587106A (en) Cross-domain safety in the cloud of password subregion
Heinrich et al. Security requirements engineering in safety-critical railway signalling networks
Gupta et al. A light weight centralized file monitoring approach for securing files in cloud environment
Magare et al. Security and privacy issues in smart city: Threats and their countermeasures
Miloslavskaya et al. Big data information security maintenance
Gonzalez-Granadillo et al. Using an event data taxonomy to represent the impact of cyber events as geometrical instances
Thaseen et al. Improving security and privacy in cyber-physical systems
Alert Advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations
Prakash et al. A survey of security challenges, attacks in IoT
Márquez Díaz Cybersecurity and Internet of Things. Outlook for this decade
Ruha Cybersecurity of computer networks
Hill et al. Poster: DyPolDroid: User-centered counter-policies against android permission-abuse attacks
CN113452718B (en) Active defense method and system for exclusive storage space

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140611