CN106209808B - An encapsulation and control security protection method for an information system group - Google Patents

An encapsulation and control security protection method for an information system group

Info

Publication number
CN106209808B
Authority
CN
China
Prior art keywords
encapsulation
area
network
access
control
Prior art date
Legal status
Expired - Fee Related
Application number
CN201610516250.XA
Other languages
Chinese (zh)
Other versions
CN106209808A (en)
Inventor
王富强
Current Assignee
Chongqing City Branch Co Of China Joint Network Communication Co Ltd
Original Assignee
Chongqing City Branch Co Of China Joint Network Communication Co Ltd
Priority date
2016-07-01
Filing date
2016-07-01
Publication date
2019-05-03

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Abstract

The present invention provides an encapsulation and control security protection method for an information system group, comprising the following steps: S1, network security zone division and management: according to security level and function, the network is logically divided into five kinds of zones; S2, system group encapsulation management; S3, inter-system interconnection management; S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined; S5, access path encapsulation; S6, access path control: after the access paths are encapsulated, multiple control strategies are implemented on this basis, and access behaviour towards the various resources is audited, recorded and analysed. The invention proposes a security protection method that encapsulates and controls an information system group; by encapsulating the information system group and its access paths and applying corresponding control strategies, the method achieves fine-grained, multi-dimensional security protection of the system group.

Description

An encapsulation and control security protection method for an information system group
Technical field
The present invention relates to the security protection of information system groups, and in particular to an encapsulation and control security protection method for an information system group.
Background art
In large enterprises, after roughly twenty years of informatization, there are now very large numbers of information systems, and because these systems are interrelated they form information system groups. These numerous core systems carry the enterprise's core business data, management data and operating data, and with the development of the network and of the enterprise they have inevitably been exposed, directly or indirectly, to the Internet.
Because information security protection was originally implemented insufficiently, security relied mainly on the systems being kept in a closed network. In an environment where the Internet is ever more widespread and the information security situation is increasingly severe, these system groups appear very fragile.
The traditional system protection method at present is to protect each independent single system from the host level, the network level and so on. The shortcomings of this protection method are mainly reflected in:
1. Each system manages and controls its own security separately across network, application and management measures, so no joint protective force can be formed;
2. Because the number of systems is large and their associations complex, security management becomes complicated and the workload enormous, and operability in implementation is low, so there is often "one gap among a hundred precautions" and the implementation results are poor;
3. Because the decentralized control of dispersed systems relies on enumeration, the protective measures lack logical rigour, and it is often difficult to accurately evaluate the true security level.
Therefore, the security protection of a very large inventory of information systems is a huge difficulty for enterprises.
Summary of the invention
In view of the above drawbacks and problems of the prior art, the technical problem to be solved by the present invention is that the security protection of existing information systems is relatively complicated and the protection efficiency of the information systems is not high.
In order to achieve the above object, the invention provides the following technical scheme:
An encapsulation and control security protection method for an information system group, comprising the following steps:
S1, network security zone division and management: according to security level and function, the network is logically divided into five kinds of zones, namely a core system zone, a security control zone, a third-party interface zone, a public network access zone and an office terminal zone; the zones are relatively independent of one another, free access between them is forbidden, and controlled access is possible only through specified means and designated ports;
S2, system group encapsulation management: in the first step, each system and its subsystems are classified, first assessed and graded by the importance dimension and then classified by the system's network environment requirements; in the second step, the system group is encapsulated, with each system and its subsystems deployed into the corresponding one of the above five zones according to importance and network exposure requirements;
S3, inter-system interconnection management: for systems, subsystems and hosts deployed in the core system zone, the original interconnection relationships are left unchanged and they interconnect freely; for interconnection between the core system zone and third parties, the interface systems are placed in the third-party interface zone for management;
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined;
S5, access path encapsulation: a 4A system deployed in the security control zone, or a system of similar function, serves as the operation and maintenance personnel's access path to core data and core systems in the manner of a bastion host;
S6, access path control: after access path encapsulation, multiple control strategies are implemented on this basis, and access behaviour towards the various resources is audited, recorded and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
In the above technical scheme, in step S1, one or more core system zones may be established.
In the above technical scheme, in step S2, classification by system network environment requirements is into: not exposed, partially exposed within the corporate intranet, and exposed to the public network.
In the above technical scheme, in step S2, according to importance and network exposure requirements, the hosts and storage systems carrying core system data and applications are deployed in the network core system zone; the 4A system and other enterprise-wide security products are deployed in the security control zone; interactive interfaces interconnecting with partners are deployed in the third-party interface zone; applications open to the public network are deployed in the public network access zone; and corporate intranet office terminals are deployed in the office terminal zone.
In the above technical scheme, in step S4, the standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone traffic rules.
The invention proposes a security protection method that encapsulates and controls an information system group; by encapsulating the information system group and its access paths and applying corresponding control strategies, the method achieves fine-grained, multi-dimensional security protection of the system group.
Description of the drawings
In order to explain the embodiments of the invention or the technical scheme of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the invention, and those of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of system group encapsulation and control according to the invention;
Fig. 2 is a schematic diagram of access path encapsulation and control according to the invention.
Detailed description of the embodiments
The technical scheme of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
The invention proposes a security protection method that encapsulates and controls an information system group. By encapsulating the information system group and its access paths and applying corresponding control strategies, the method achieves fine-grained, multi-dimensional security protection of the system group.
The encapsulation and control method proposed by the invention comprises encapsulation and control of the system group and encapsulation and control of the access paths. Encapsulation and control of the system group coordinates the parts into a whole by various means and greatly simplifies the objects of security protection; it specifically comprises network security zone division and management, system group encapsulation management, inter-system interconnection management and control rule management. Encapsulation and control of the access paths mainly solves the problem of how back-end operation and maintenance personnel legitimately access and maintain the encapsulated system group, and how effective policy control is exercised over their behaviour during access.
Referring to Fig. 1 and Fig. 2, the encapsulation and control security protection method for an information system group shown in the embodiment comprises the following steps:
S1, network security zone division and management: according to security level and function, the network is logically divided into five kinds of zones, namely a core system zone, a security control zone, a third-party interface zone, a public network access zone and an office terminal zone. One or more core system zones may be established. The zones are relatively independent of one another, free access between them is forbidden, and controlled access is possible only through specified means and designated ports. The purposes of network zoning are, first, to prepare for system group encapsulation and, second, to greatly simplify the network-layer security management model and reduce its difficulty.
S2, system group encapsulation management: in the first step, each system and its subsystems are classified. They are first assessed and graded by the importance dimension (generally high, medium and low), and then classified by the system's network environment requirements into: not exposed, partially exposed within the corporate intranet, and exposed to the public network. In the second step the system group is encapsulated: according to importance and network exposure requirements, each system and its subsystems are deployed into the corresponding one of the above five zones. Specifically, the hosts and storage systems carrying core system data and applications are deployed in the network core system zone; the 4A system (4A refers to Authentication, Account, Authorization and Audit, known in Chinese as the unified security management platform solution; it defines authentication, authorization, audit and account as the four major components of network security and thereby establishes the position and role of identity authentication in the whole network security system) and other enterprise-wide security products are deployed in the security control zone; interactive interfaces interconnecting with partners are deployed in the third-party interface zone; applications open to the public network are deployed in the public network access zone; and corporate intranet office terminals are deployed in the office terminal zone. After deployment in this way, the data and applications of the core systems are encapsulated in the core system zone and, apart from the ports corresponding to fixed application interfaces, are invisible even to other zones of the intranet.
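The classification and placement of steps S1 and S2 can be exercised as a placement check over a system inventory. The following Python block is an added illustration and is not code from the patent; the role tags (data, app, security, partner_if, public_app, terminal), the inventory entries and the convention of listing the designated ports a component opens to other zones are constructed for this example. It maps each component to the zone the scheme calls for, flags placements that break core zone encapsulation (a publicly exposed data store, an intranet-facing core component without designated ports) and counts the management objects that remain per zone.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Importance(Enum):
    """Importance dimension of step S2 (generally high, medium, low)."""
    HIGH = 3
    MEDIUM = 2
    LOW = 1


class Exposure(Enum):
    """Network environment dimension of step S2."""
    NONE = "not exposed"
    INTRANET = "partially exposed within the corporate intranet"
    PUBLIC = "exposed to the public network"


class Zone(Enum):
    """The five logical zones of step S1."""
    CORE = "core system zone"
    SECURITY_CONTROL = "security control zone"
    THIRD_PARTY = "third-party interface zone"
    PUBLIC_ACCESS = "public network access zone"
    OFFICE_TERMINAL = "office terminal zone"


@dataclass(frozen=True)
class Component:
    system: str            # parent information system
    name: str              # subsystem or host
    role: str              # hypothetical tag: data, app, security, partner_if, public_app, terminal
    importance: Importance
    exposure: Exposure
    proposed: Zone         # zone the operator intends to deploy it in
    ports: tuple           # designated ports opened to other zones (empty = none)


def recommend_zone(c):
    """Zone the S2 placement rules call for, derived from role and exposure."""
    if c.role == "data":                 # core data stores always belong in the core zone
        return Zone.CORE
    if c.role == "security":             # 4A system and other enterprise-wide security products
        return Zone.SECURITY_CONTROL
    if c.role == "partner_if":           # interfaces interconnecting with partners
        return Zone.THIRD_PARTY
    if c.role == "terminal":
        return Zone.OFFICE_TERMINAL
    if c.role == "public_app" or c.exposure is Exposure.PUBLIC:
        return Zone.PUBLIC_ACCESS
    return Zone.CORE                     # remaining applications sit with the core data


def check_placement(c):
    """Findings for one component; an empty list means the placement is compliant."""
    findings = []
    label = f"{c.system}/{c.name}"
    want = recommend_zone(c)
    if c.proposed is not want:
        findings.append(f"{label}: proposed {c.proposed.name}, scheme requires {want.name}")
    if c.proposed is Zone.CORE:
        # The core zone is invisible to the intranet and the outside except for the
        # designated ports of fixed interfaces, so exposure and ports must agree.
        if c.exposure is Exposure.PUBLIC:
            findings.append(f"{label}: public exposure breaks core zone encapsulation")
        if c.exposure is Exposure.INTRANET and not c.ports:
            findings.append(f"{label}: intranet access to the core zone needs designated ports")
        if c.exposure is Exposure.NONE and c.ports:
            findings.append(f"{label}: not-exposed component must not open ports to other zones")
    return findings


def audit_inventory(inventory):
    return [f for c in inventory for f in check_placement(c)]


def encapsulation_report(inventory):
    """Management objects per zone: after encapsulation the zone, not each system, is protected."""
    per_zone = Counter(c.proposed for c in inventory)
    return {z.name: per_zone.get(z, 0) for z in Zone}


# Constructed inventory for the example; names, ports and gradings are made up.
INVENTORY = (
    Component("billing", "db-primary", "data", Importance.HIGH, Exposure.NONE, Zone.CORE, ()),
    Component("billing", "app-server", "app", Importance.HIGH, Exposure.INTRANET, Zone.CORE, (8443,)),
    Component("billing", "partner-gw", "partner_if", Importance.MEDIUM, Exposure.PUBLIC, Zone.THIRD_PARTY, (443,)),
    Component("portal", "web-frontend", "public_app", Importance.MEDIUM, Exposure.PUBLIC, Zone.PUBLIC_ACCESS, (443,)),
    Component("portal", "report-db", "data", Importance.HIGH, Exposure.PUBLIC, Zone.PUBLIC_ACCESS, (5432,)),
    Component("4a", "bastion", "security", Importance.HIGH, Exposure.INTRANET, Zone.SECURITY_CONTROL, (22, 443)),
    Component("office", "staff-pc-001", "terminal", Importance.LOW, Exposure.INTRANET, Zone.OFFICE_TERMINAL, ()),
    Component("hr", "app-legacy", "app", Importance.MEDIUM, Exposure.INTRANET, Zone.CORE, ()),
)

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print("FINDING:", finding)
    print(encapsulation_report(INVENTORY))
```

On the constructed inventory the check reports two findings: the publicly exposed report database that belongs in the core zone, and the legacy application placed in the core zone with intranet exposure but no designated port. The per-zone count is the number of protection objects left after encapsulation.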
S3, inter-system interconnection management: between enterprise systems, between their subsystems and between the hosts of a system there are a great many interconnection requirements; one might even say that many systems could not exist without interconnection. These interconnections often survive for a long time for historical reasons and their relationships are complex. For systems, subsystems and hosts deployed in the core system zone, since they are all in a closed state invisible from outside, the original interconnection relationships need not be changed and they interconnect freely. For interconnections with third parties, the interface systems need to be placed in the third-party interface zone for management, which involves some adjustment work. For newly built systems, the third-party interface at the application layer needs a customized dedicated interface with protective measures, so as to improve the interface's own security.
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined. The standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone traffic rules. In practice the security management rules of each zone may directly reference the base class or be extended on its basis, but the basic principles in the base class may not be violated. Setting a standardized rule base class for the zones in this way, on the one hand, sets the security principle boundary of the different zones and provides a unified, standard security management baseline for zones of the same kind; on the other hand, it provides a simplified, unified model for the security management of each zone.
For example, the core system zone may define the following base-class rule: access from outside the zone is restricted, all ports are closed to the outside at the network layer and all protocols are blocked from passing; within the zone, systems interconnect freely. In this way, by default the core system zone isolates itself at the network level into an information island. When there is an access requirement, policy management is then carried out through the encapsulation and control of the access path.
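The base-class rule for the core system zone, the zone-level extensions that may reference or extend it, and the requirement that an extension never violate the base-class principles can be expressed as a small policy evaluator. This Python block is an added example and not the patent's code; the principle that designated core ports may be opened only to the security control zone (the bastion) and the third-party interface zone is the interpretation adopted here, and the candidate extensions and sample flows are constructed.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # zone name or ANY
    dst: str              # zone name or ANY
    ports: frozenset      # designated ports; an empty set means every port
    note: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Base class for the core system zone, as the description states it: free
# interconnection inside the zone, everything else closed at the network layer.
CORE_BASE = (
    Rule("allow", "CORE", "CORE", frozenset(), "intra-zone systems interconnect freely"),
    Rule("deny", ANY, "CORE", frozenset(), "all ports closed, all protocols blocked to the outside"),
)

# Base-class principle an extension may not violate (interpretation adopted for this
# example): inbound access to the core zone may be opened only from the security
# control zone or the third-party interface zone, and only on designated ports.
CORE_INBOUND_SOURCES = frozenset({"SECURITY_CONTROL", "THIRD_PARTY"})


def validate_extension(rule):
    """Return the principle violations an extension rule would introduce."""
    problems = []
    if rule.action == "deny":            # tightening the base class is always allowed
        return problems
    if rule.dst == "CORE" and rule.src != "CORE":
        if rule.src not in CORE_INBOUND_SOURCES:
            problems.append(f"{rule.src} may not reach the core zone directly")
        if not rule.ports:
            problems.append("core zone access must be limited to designated ports")
    return problems


def build_extensions(candidates):
    """Split candidate extensions into accepted rules and rejected ones with their violations."""
    accepted, rejected = [], {}
    for rule in candidates:
        problems = validate_extension(rule)
        if problems:
            rejected[rule.note] = problems
        else:
            accepted.append(rule)
    return accepted, rejected


def matches(rule, flow):
    return (rule.src in (ANY, flow.src) and rule.dst in (ANY, flow.dst)
            and (not rule.ports or flow.port in rule.ports))


def evaluate(flow, extensions, base=CORE_BASE):
    """First-match evaluation: validated zone extensions first, then the base class."""
    for rule in (*extensions, *base):
        if matches(rule, flow):
            return rule.action, rule.note
    return "deny", "no rule matched (default deny)"


# Constructed candidate extensions; the last two break the base-class principle.
CANDIDATES = (
    Rule("allow", "SECURITY_CONTROL", "CORE", frozenset({22, 3389}), "bastion to core hosts"),
    Rule("allow", "THIRD_PARTY", "CORE", frozenset({8443}), "partner interface system to core API"),
    Rule("allow", "OFFICE_TERMINAL", "CORE", frozenset({3389}), "admin PCs direct RDP"),
    Rule("allow", "THIRD_PARTY", "CORE", frozenset(), "partner full access"),
)

# Constructed sample flows between zones.
SAMPLE_FLOWS = (
    Flow("OFFICE_TERMINAL", "CORE", 22),
    Flow("SECURITY_CONTROL", "CORE", 22),
    Flow("CORE", "CORE", 1521),
    Flow("THIRD_PARTY", "CORE", 8443),
    Flow("PUBLIC_ACCESS", "CORE", 443),
)


def run():
    extensions, rejected = build_extensions(CANDIDATES)
    decisions = {(f.src, f.dst, f.port): evaluate(f, extensions)[0] for f in SAMPLE_FLOWS}
    return decisions, rejected


if __name__ == "__main__":
    decisions, rejected = run()
    for flow, action in decisions.items():
        print(action, flow)
    print("rejected extensions:", rejected)
```

With the two non-compliant candidates rejected, the office terminal and public access zones stay blocked from the core zone by the base class, while the bastion and the partner interface system reach it only on their designated ports.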
S5, access path encapsulation: on the basis of zone encapsulation, core data and core applications reside in the core system zone, and because of this encapsulation all resources in the core system zone are invisible to the corporate intranet and to the external network, apart from the ports of a few fixed interfaces. However, day-to-day operation and maintenance personnel and data analysts work in the office terminal zone and need to maintain or access the systems and data in the core system zone. A means of access must therefore be provided for operation and maintenance or analysis personnel, and at this point these access paths need to be encapsulated and managed in an integrated, centralized way. In practice, a 4A system (or a system of similar function) deployed in the security control zone can provide operation and maintenance personnel with the access path to core data and core systems in the manner of a bastion host.
S6, access path control: after access path encapsulation, multiple control strategies are implemented on this basis, and access behaviour towards the various resources is audited, recorded and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
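The access path control of steps S5 and S6, sketched as a bastion-style broker: centralized account permissions, an access control check on every request, sensitive operation management through required approvals, and an audit record for each request that can be analysed afterwards. This Python block is an added example and not the patent's 4A system; the account store, the sensitive-command prefix list, the approval tickets, the requirement that sessions originate in the office terminal zone and the sample requests are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Account:
    user: str
    targets: frozenset     # core systems this account may reach through the bastion


@dataclass(frozen=True)
class AccessRequest:
    user: str
    src_zone: str          # zone the session originates in
    target: str            # core system the operator wants to reach
    command: str           # operation requested over the brokered session


# Hypothetical list of operation prefixes treated as sensitive; a real deployment
# would maintain this centrally alongside the account store.
SENSITIVE_PREFIXES = ("rm ", "drop ", "truncate ", "shutdown", "useradd", "passwd")


class Bastion:
    """Brokers every operator session into the core zone and records it."""

    def __init__(self, accounts, approvals=()):
        self.accounts = {a.user: a for a in accounts}   # centralized account permissions
        self.approvals = set(approvals)                  # (user, target) pairs holding an approved ticket
        self.audit_log = []

    def _record(self, req, decision, reason, sensitive):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "src_zone": req.src_zone, "target": req.target,
            "command": req.command, "sensitive": sensitive,
            "decision": decision, "reason": reason,
        })
        return decision, reason

    def handle(self, req):
        sensitive = req.command.lower().startswith(SENSITIVE_PREFIXES)
        acct = self.accounts.get(req.user)
        if acct is None:
            return self._record(req, "deny", "unknown account", sensitive)
        # Assumption for this example: operators work from the office terminal zone,
        # so a session arriving from any other zone is refused.
        if req.src_zone != "OFFICE_TERMINAL":
            return self._record(req, "deny", "session must originate in the office terminal zone", sensitive)
        if req.target not in acct.targets:
            return self._record(req, "deny", "account not authorized for target", sensitive)
        if sensitive and (req.user, req.target) not in self.approvals:
            return self._record(req, "deny", "sensitive operation without approval", sensitive)
        return self._record(req, "allow", "approved sensitive operation" if sensitive else "ok", sensitive)


def analyse(audit_log):
    """Per-account counts for audit review: requests, denied requests and sensitive operations."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "sensitive": 0})
    for entry in audit_log:
        s = stats[entry["user"]]
        s["requests"] += 1
        s["denied"] += entry["decision"] == "deny"
        s["sensitive"] += entry["sensitive"]
    return dict(stats)


# Constructed accounts, approvals and requests for the example.
ACCOUNTS = (
    Account("alice", frozenset({"billing-db"})),
    Account("bob", frozenset({"portal-app"})),
)
APPROVALS = (("bob", "portal-app"),)
REQUESTS = (
    AccessRequest("alice", "OFFICE_TERMINAL", "billing-db", "select count(*) from invoices"),
    AccessRequest("alice", "OFFICE_TERMINAL", "billing-db", "drop table invoices"),
    AccessRequest("bob", "OFFICE_TERMINAL", "billing-db", "show tables"),
    AccessRequest("bob", "OFFICE_TERMINAL", "portal-app", "systemctl restart portal"),
    AccessRequest("mallory", "OFFICE_TERMINAL", "billing-db", "whoami"),
    AccessRequest("alice", "PUBLIC_ACCESS", "billing-db", "ls"),
    AccessRequest("bob", "OFFICE_TERMINAL", "portal-app", "shutdown -r now"),
)


def run_demo():
    bastion = Bastion(ACCOUNTS, APPROVALS)
    for req in REQUESTS:
        bastion.handle(req)
    return bastion.audit_log


if __name__ == "__main__":
    log = run_demo()
    for entry in log:
        print(entry["decision"], entry["user"], entry["target"], entry["reason"])
    print(analyse(log))
```

Every request, allowed or denied, leaves an audit entry, so the later analysis sees the refused sessions (the unknown account, the request from the wrong zone, the unapproved sensitive command) as well as the approved ones.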
The foundation of this method is encapsulation and its core is control: encapsulation brings simplification and feasibility, and control brings security control during access and security traceability afterwards. Through the invention, a complex system group is encapsulated into a whole and its access paths are encapsulated and centrally managed, which can greatly reduce the complexity of information system security protection, greatly improve the protection efficiency and effectiveness of the information systems, and make the protection of the system group logically rigorous.
The encapsulation-and-control-based system group protection method proposed by the invention encapsulates the information system group and its access paths and imposes management and control strategies on the basis of the encapsulation, thereby combining the information system group into a whole and reducing the number of management objects by orders of magnitude to a very small range; it considerably reduces management difficulty and security risk points, is highly operable and is relatively easy to implement. The method can form a multi-dimensional security protection system for the information system group and achieve a logically predictable security effect.
The above description is merely a specific embodiment of the invention, but the protection scope of the invention is not limited thereto; any person familiar with the art can easily conceive of changes or substitutions within the technical scope disclosed by the invention, and these should all be covered within the protection scope of the invention. Therefore, the protection scope of the invention shall be subject to the protection scope of the claims.

Claims (5)

1. An encapsulation and control security protection method for an information system group, characterized in that it comprises the following steps:
S1, network security zone division and management: according to security level and function, the network is logically divided into five kinds of zones, namely a core system zone, a security control zone, a third-party interface zone, a public network access zone and an office terminal zone; the zones are relatively independent of one another, free access between them is forbidden, and controlled access is possible only through specified means and designated ports;
S2, system group encapsulation management: in the first step, each system and its subsystems are classified, first assessed and graded by the importance dimension and then classified by the system's network environment requirements; in the second step, the system group is encapsulated, with each system and its subsystems deployed into the corresponding one of the above five zones according to importance and network exposure requirements;
S3, inter-system interconnection management: for systems, subsystems and hosts deployed in the core system zone, the original interconnection relationships are left unchanged and they interconnect freely; for interconnection between the core system zone and third parties, the interface systems are placed in the third-party interface zone for management;
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined;
S5, access path encapsulation: a 4A system deployed in the security control zone serves as the operation and maintenance personnel's access path to core data and core systems in the manner of a bastion host;
S6, access path control: after access path encapsulation, multiple control strategies are implemented on this basis, and access behaviour towards the various resources is audited, recorded and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
2. The encapsulation and control security protection method for an information system group according to claim 1, characterized in that in step S1, one or more core system zones are established depending on the number of systems and their functional characteristics.
3. The encapsulation and control security protection method for an information system group according to claim 1, characterized in that in step S2, classification by system network environment requirements is into: not exposed, partially exposed within the corporate intranet, and exposed to the public network.
4. The encapsulation and control security protection method for an information system group according to claim 1, characterized in that in step S2, according to importance and network exposure requirements, the hosts and storage systems carrying core system data and applications are deployed in the network core system zone, the 4A system and other enterprise-wide security products are deployed in the security control zone, interactive interfaces interconnecting with partners are deployed in the third-party interface zone, applications open to the public network are deployed in the public network access zone, and corporate intranet office terminals are deployed in the office terminal zone.
5. The encapsulation and control security protection method for an information system group according to claim 1, characterized in that in step S4, the standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone traffic rules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610516250.XA CN106209808B (en) 2016-07-01 2016-07-01 An encapsulation and control security protection method for an information system group

Publications (2)

Publication Number Publication Date
CN106209808A CN106209808A (en) 2016-12-07
CN106209808B true CN106209808B (en) 2019-05-03

Family

ID=57465791

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610516250.XA Expired - Fee Related CN106209808B (en) 2016-07-01 2016-07-01 An encapsulation and control security protection method for an information system group

Country Status (1)

Country Link
CN (1) CN106209808B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108921365A (en) * 2017-12-29 2018-11-30 广州英丹网络科技有限公司 A kind of enterprise's health intelligent management system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1917514A (en) * 2006-01-18 2007-02-21 中国科学院计算技术研究所 Method for building globle network safety system in tracing to the source in each sub domain
CN101582883A (en) * 2009-06-26 2009-11-18 西安电子科技大学 System and method for managing security of general network
CN101815032A (en) * 2010-03-16 2010-08-25 中国电子科技集团公司第三十研究所 Method for classifying and isolating information based on integrated network security service architecture
CN105205370A (en) * 2015-08-24 2015-12-30 北京恒信安科技有限公司 Safety protection method for mobile terminal, mobile terminal, safety system and application method

Also Published As

Publication number Publication date
CN106209808A (en) 2016-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20190503
Termination date: 20190701