An active information security operation and maintenance platform
Technical field
The present invention relates to the technical fields of information security, network management and service management, and more particularly to a method for implementing an information security operation and maintenance (O&M) platform.
Background technology
At present, the information systems of many enterprises are equipped with a large number of IT devices such as information security devices and network devices, while on the other hand the operation of these enterprise information systems suffers from weak professional capability and low efficiency. The industry does not yet have an information security O&M platform that solves the problems faced by each enterprise information system and provides these enterprises with a "one-stop" secure O&M service.
Summary of the invention
In view of this, the invention provides a method for designing an active information security O&M platform.
The technical scheme by which the present invention solves the problem is as follows:
The information security O&M platform comprises a secure O&M data acquisition module, a secure O&M data analysis module, a secure O&M business module and a secure O&M database module.
The secure O&M data acquisition module comprises a security information acquisition submodule, a network management information acquisition submodule and a business information acquisition submodule.
The security information acquisition submodule can collect, in several ways, the security event information sent by the various information security devices in each enterprise information system. The collection methods include the following: (1) collecting events via SNMP Trap and Syslog; (2) obtaining the security information of devices from various databases through an ODBC database interface; (3) receiving events through an OPSec interface. After the received security information has been normalized into a standard format, it is sent to the secure O&M database of the enterprise that owns it, for example the secure O&M database of enterprise 1 in Fig. 1.
The network management information acquisition submodule can collect, in several ways, the network management information sent by the various network devices and security devices in each enterprise information system. The collection methods include the following: (1) collecting network management information (and, where needed, modifying device configuration) via SNMP and MML; (2) obtaining the network management information of devices from various databases through an ODBC database interface; (3) receiving network management information through an XML interface. After the received network management information has been normalized, it is sent to the secure O&M database of the enterprise that owns it, for example the secure O&M database of enterprise 2 in Fig. 1.
The business information acquisition submodule can collect, in several ways, the business information sent by the various network devices and security devices in each enterprise information system. The collection methods include the following: (1) collecting business information via Web Service; (2) obtaining the business information of devices from various databases through an ODBC database interface; (3) receiving business information through an XML interface. After the received business information has been normalized, it is sent to the secure O&M database of the enterprise that owns it, for example the secure O&M database of enterprise N in Fig. 1.
The secure O&M data analysis module comprises a real-time monitoring and event handling submodule, a statistical analysis submodule, and an event correlation and alarm association submodule (the association analysis submodule).
By monitoring log information from the various network devices, security devices and servers of each enterprise network, the real-time monitoring and event handling submodule promptly discovers security incidents and device alarms as they occur and takes measures to ensure the safe and reliable operation of the network and business systems.
The statistical analysis submodule can analyze the network traffic of each enterprise to eliminate hidden dangers, and compile statistics on users' service usage so as to grasp users' online behavior.
The association analysis submodule analyzes each enterprise's secure O&M events separately. Using a built-in secure O&M rule base, it compares originally isolated real-time events longitudinally along the time axis against historical events and horizontally along the attribute axis against other events, in order to identify threat events. The alarm information generated by this process is normalized as secure O&M information in XML format and stored centrally in the secure O&M database, which can meet the need to retain information for a long time.
The secure O&M business module comprises a risk assessment submodule, a topology management submodule, an event response submodule and a secure O&M policy submodule.
The risk assessment submodule divides enterprise information security risk into five levels, from low to high: slight risk, general risk, medium risk, relatively high risk and high risk. The results of the risk assessment are used for loss assessment, and task lists and responses are triggered automatically to reduce asset risk and thereby achieve risk management and control.
The topology management submodule can (1) automatically discover devices added to the enterprise network, and their connections, by network sniffing, thereby obtaining each enterprise's initial asset information; (2) monitor the network topology and the running status of enterprise network nodes; (3) identify nodes newly added to or removed from the enterprise network; and (4) update the enterprise network topology structure.
The event response submodule is implemented through the linkage of the various systems, the provision of event information transfer interfaces to third parties, the export of task work orders, and similar means. For confirmed secure O&M events an automatic response mechanism can, on the one hand, provide multiple alarm modes such as display on the secure O&M dashboard, e-mail and SMS, and on the other hand block attacks through secure interaction mechanisms such as remote control of routers and switches. The linkage between systems combines the integrated information of firewalls, intrusion detection, anti-virus software and scanners, and automatically adjusts the security policies of each enterprise's security devices to weaken or eliminate the impact of secure O&M events.
The secure O&M policy submodule is responsible for the security policies of each enterprise information system and manages their configuration: it applies unified configuration to the assets of each enterprise information system and issues policies uniformly, replacing the administrative burden currently caused by distributing policies to each device separately, and continuously optimizes and adjusts them.
The secure O&M database module comprises a secure O&M log repository and a secure O&M policy repository.
The secure O&M log repository stores the security logs, network management logs and business logs collected by the secure O&M data acquisition module. It can be implemented with a relational database such as Oracle or SQL Server.
The main function of the secure O&M policy repository is to convey all kinds of secure O&M information while at the same time collecting the various secure O&M handling methods and schemes, forming a shared security knowledge base and providing training resources for cultivating high-quality secure O&M staff. The information stored in this repository includes secure O&M information, risk assessment information, secure O&M early-warning information, secure O&M policies and a secure O&M case library.
The information security O&M platform provided by the present invention has extensibility and high availability and can provide a "one-stop" information security O&M service for the information systems of various enterprises; the service for each enterprise can be customized separately according to that enterprise's requirements, so as to satisfy the service needs of different enterprises.
Description of the drawings
Fig. 1 is a structural diagram of the information security O&M platform provided by the invention;
Fig. 2 is a flow chart of data acquisition.
Embodiment
The present invention is further described below with reference to the accompanying drawings and an example:
The structure of the active information security O&M platform provided by the invention is shown in Fig. 1. The platform comprises a secure O&M data acquisition module, a secure O&M data analysis module, a secure O&M business module and a secure O&M database.
Secure O&M data acquisition module
This module comprises a security information acquisition submodule, a network management information acquisition submodule and a business information acquisition submodule. These three submodules are respectively responsible for collecting the security information, network management information and business information in each enterprise information system, and store them in each enterprise's own secure O&M database. The platform can collect, in several ways, the security information, network management information and business information of all kinds of security devices, network devices and servers in each enterprise information system. The collection methods include the following:
(1) collecting information via SNMP and Syslog;
(2) obtaining the security information of devices from various databases through an ODBC database interface;
(3) receiving information through an OPSec interface;
(4) receiving information through MML, XML and Web Service interfaces.
After receiving this information, the security information, network management information and business information acquisition submodules must also normalize the message format before sending it to the secure O&M database, where it is stored separately by enterprise, for example the secure O&M database (enterprise 1), secure O&M database (enterprise 2) and secure O&M database (enterprise N) in Fig. 1.
Secure O&M data analysis module
Association analysis: association analysis is carried out separately on each enterprise's secure O&M database, and the results are output to that enterprise's secure O&M database and dashboard. Using a built-in secure O&M rule base, originally isolated real-time events are compared longitudinally along the time axis against historical events and horizontally along the attribute axis against other events, in order to identify threat events. The association analysis submodule is the most complex part of the secure operations platform; it comprises correlation analysis, structural analysis, intrusion path analysis and behavioral analysis.
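The time-axis and attribute-axis comparison against a rule base described here (and in the summary above) is illustrated by the following added example; it is not the patent's own code, and the normalized event format, the rule-base format, the sample data and the XML alarm layout are assumptions:

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample events in the platform's normalized format (hypothetical
# enterprise, device and address values). Three failed VPN logins from one
# address followed by a success should fire; the lone failure should not.
EVENTS = [
    {"enterprise": "ent-1", "ts": "2024-03-12T10:15:00", "device": "vpn-gw", "type": "auth_fail", "src": "198.51.100.9"},
    {"enterprise": "ent-1", "ts": "2024-03-12T10:15:20", "device": "vpn-gw", "type": "auth_fail", "src": "198.51.100.9"},
    {"enterprise": "ent-1", "ts": "2024-03-12T10:15:40", "device": "vpn-gw", "type": "auth_fail", "src": "198.51.100.9"},
    {"enterprise": "ent-1", "ts": "2024-03-12T10:16:05", "device": "vpn-gw", "type": "auth_ok", "src": "198.51.100.9"},
    {"enterprise": "ent-1", "ts": "2024-03-12T11:00:00", "device": "vpn-gw", "type": "auth_fail", "src": "192.0.2.4"},
]

# Assumed rule-base format: a rule fires when at least `threshold` events of
# `type` sharing the same `group_by` attribute occur within `window` and are
# then followed by a `followed_by` event with that same attribute value.
RULES = [
    {"name": "repeated_auth_failure_then_success", "type": "auth_fail", "threshold": 3,
     "window": timedelta(minutes=5), "group_by": "src", "followed_by": "auth_ok"},
]

def correlate(events, rules):
    """Compare each event along the time axis (recent history of the same key)
    and the attribute axis (other events sharing the key) against the rules."""
    alarms = []
    for rule in rules:
        history = {}  # (enterprise, attribute value) -> recent matching timestamps
        for ev in sorted(events, key=lambda e: e["ts"]):
            key = (ev["enterprise"], ev[rule["group_by"]])
            t = datetime.fromisoformat(ev["ts"])
            recent = [h for h in history.get(key, []) if t - h <= rule["window"]]
            if ev["type"] == rule["type"]:
                history[key] = recent + [t]
            elif ev["type"] == rule["followed_by"] and len(recent) >= rule["threshold"]:
                alarms.append({"rule": rule["name"], "enterprise": ev["enterprise"], "device": ev["device"],
                               rule["group_by"]: ev[rule["group_by"]], "count": len(recent), "ts": ev["ts"]})
                history[key] = []  # reset so one incident yields one alarm
    return alarms

def alarm_to_xml(alarm):
    """Normalize an alarm as XML for central storage in the secure O&M database."""
    root = ET.Element("alarm", rule=alarm["rule"], enterprise=alarm["enterprise"])
    for field, value in alarm.items():
        if field not in ("rule", "enterprise"):
            ET.SubElement(root, field).text = str(value)
    return ET.tostring(root, encoding="unicode")
```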
Real-time monitoring and event handling: this submodule is responsible for monitoring the security operating status of the network in real time and is one of the important means of keeping track of the attack threats and alarm status of each enterprise network. By monitoring log information from the various network devices, host systems and security devices of each enterprise network, it promptly discovers security incidents and device alarms as they occur and takes measures to ensure the safe and reliable operation of the network and business systems. The alarm information generated by this process is normalized as secure O&M information in XML format and stored centrally in the secure O&M database, which can meet the need to retain information for a long time.
Statistical analysis: the network traffic of each enterprise can be analyzed to eliminate hidden dangers, and statistics on the service usage of enterprise network users can be compiled to grasp users' online behavior.
Secure O&M business module
The secure O&M business module provides secure O&M services to each enterprise separately; the kinds of secure O&M service include, but are not limited to, the following:
(1) Security assessment service
At present, according to the national standard GB/T 20984-2007 (Information security risk assessment specification), information system security risk is divided into five levels, from low to high: slight risk, general risk, medium risk, relatively high risk and high risk. By receiving the analysis results of the secure O&M data analysis module, the platform completes the information security risk assessment of assets, carries out loss assessment, and automatically triggers task lists and responses to reduce asset risk and thereby achieve risk management and control.
(2) Topology management service
The functions of this submodule are: 1) automatically discovering devices added to the enterprise network, and their connections, by network sniffing, to obtain initial asset information; 2) monitoring the network topology and the running status of nodes; 3) identifying nodes that are newly added or removed; 4) updating the network topology structure.
(3) Event response service
This submodule is implemented through the linkage of the various systems, the provision of event information transfer interfaces to third parties, the export of task work orders, and similar means. For confirmed security incidents an automatic response mechanism can, on the one hand, provide multiple alarm modes such as display on the secure O&M dashboard, e-mail and SMS, and on the other hand block attacks through secure interaction mechanisms such as remote control of routers and switches. The linkage between systems combines the integrated information of firewalls, intrusion detection, anti-virus software and scanners, and automatically adjusts the security policies of the security devices of the enterprise that owns them, to weaken or eliminate the impact of secure O&M events.
(4) Secure O&M policy service
This submodule is responsible for the security policies of each enterprise information system and manages their configuration: it applies unified configuration to the assets of each enterprise information system and issues policies uniformly, replacing the administrative burden currently caused by distributing policies to each device separately, and continuously optimizes and adjusts them.
The flow of the data acquisition module is shown in Fig. 2. The data acquisition module supports syslog, SNMP, SMTP, HTML and so on. It consists of protocol agents, application agents and a scheduler.
A protocol agent receives information sent over transport protocols such as syslog and SNMP (for example, a report of an attack on an Apache 2.0 server) and passes the received data to the scheduler. After determining the type of the message, the scheduler forwards it to the relevant application agent.
The application agent is responsible for normalizing the format of this information and sending it to the secure O&M database of the enterprise that owns it for storage. The two kinds of agent are interconnected through the scheduler.
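The protocol agent, scheduler and application agent flow of Fig. 2, together with the collection methods listed earlier in this embodiment, as an added example that is not the patent's own code; the text renderings of the syslog and SNMP trap messages, the routing table, the common record format and the per-enterprise list standing in for the secure O&M database are all assumptions:

```python
import re
from collections import defaultdict

# Constructed sample input (not real device output): a BSD-style syslog line
# and an SNMP trap rendered as text, each tagged with the enterprise that owns
# the device it came from. The hostnames and addresses are hypothetical.
RAW_MESSAGES = [
    ("enterprise-1", "syslog",
     "<34>Mar 12 10:15:02 web01 apache: client 203.0.113.7 denied by server configuration"),
    ("enterprise-2", "snmptrap", "linkDown core-sw1 ifIndex=12"),
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")

def protocol_agent(kind, raw):
    """Protocol agent: parse the transport-specific format into plain fields."""
    if kind == "syslog":
        m = SYSLOG_RE.match(raw)
        if not m:
            raise ValueError("unparseable syslog line")
        pri = int(m.group("pri"))  # PRI = facility * 8 + severity
        return {"host": m.group("host"), "source": m.group("app"),
                "severity": pri & 7, "facility": pri >> 3, "message": m.group("msg")}
    if kind == "snmptrap":
        trap, host, *rest = raw.split()
        return {"host": host, "source": "snmp", "severity": 4, "facility": None,
                "message": trap + " " + " ".join(rest)}
    raise ValueError("unsupported protocol: " + kind)

def security_agent(enterprise, parsed):
    """Application agent for security events: emit the platform's common record."""
    return {"enterprise": enterprise, "category": "security", "device": parsed["host"],
            "severity": parsed["severity"], "text": parsed["message"]}

def netmgmt_agent(enterprise, parsed):
    """Application agent for network management events: same common record."""
    return {"enterprise": enterprise, "category": "netmgmt", "device": parsed["host"],
            "severity": parsed["severity"], "text": parsed["message"]}

# Assumed routing table: which application agent handles which message type.
APPLICATION_AGENTS = {"syslog": security_agent, "snmptrap": netmgmt_agent}

def scheduler(messages):
    """Scheduler: route each parsed message to its application agent and then
    into the owning enterprise's store (a per-enterprise list stands in here)."""
    stores = defaultdict(list)
    for enterprise, kind, raw in messages:
        parsed = protocol_agent(kind, raw)
        stores[enterprise].append(APPLICATION_AGENTS[kind](enterprise, parsed))
    return dict(stores)
```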
The foregoing is only a preferred embodiment of the present invention and is not intended to limit its scope of practice; all equivalent changes and modifications made according to the present invention are regarded as falling within the scope covered by the claims of the present invention.