CN106209808B - Encapsulation-and-control security protection method for an information system group - Google Patents
- Publication number: CN106209808B (application CN201610516250.XA)
- Authority: CN (China)
- Prior art keywords: encapsulation, zone, network, access, control
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
Abstract
The invention provides an encapsulation-and-control security protection method for an information system group, comprising the following steps: S1, network security zone division management: according to security level and function, the network is logically divided into five kinds of zones; S2, system group encapsulation management; S3, inter-system interconnection management; S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined; S5, access path encapsulation; S6, access path control: after the access path is encapsulated, multiple control strategies are implemented on that basis, and the access behaviour towards the various resources is audited and analysed. The invention proposes a security protection method that encapsulates and controls an information system group: by encapsulating the information system group and the access paths and applying the corresponding control strategies, it achieves fine-grained, layered security protection of the system group.
Description
Technical field
The present invention relates to the security protection of information system groups, and in particular to an encapsulation-and-control security protection method for an information system group.
Background technique
In large enterprises, after roughly twenty years of informatization, a very large number of information systems now exist, and because they are interrelated they form information system groups. These numerous core systems carry the enterprise's core business data, management data and operational data, and with the development of the network and of the enterprise they have inevitably been exposed, directly or indirectly, to the Internet.
Because information security protection was insufficiently implemented when these systems were built, their security rested mainly on the closed nature of the network. As the Internet became more widespread and the information security situation grew more serious, these system groups came to appear very fragile.
The traditional protection method today is to protect each independent single system at the host level, the network level and so on. The shortcomings of this approach are mainly:
1. Each system manages security separately across the network, application and management dimensions, so no combined defensive force is formed;
2. Because there are many systems with complex associations, security management is complex and the workload is staggering, implementability and operability are low, gaps are frequent and the results are poor;
3. Because the dispersed control of dispersed systems relies on enumeration, the preventive measures lack logical rigour, and the real security level is often hard to evaluate accurately.
For an enterprise, the security protection of a large inventory of information systems is therefore a huge and difficult problem.
Summary of the invention
In view of the above drawbacks and problems of the prior art, the technical problem to be solved by the present invention is that the security protection of existing information systems is complicated and the protection efficiency of the information systems is not high.
In order to achieve the above object, the invention provides the following technical scheme:
An encapsulation-and-control security protection method for an information system group, comprising the following steps:
S1, network security zone division management: according to security level and function, the network is logically divided into five kinds of zones: core system zone, security control zone, third-party interface zone, public network access zone and office terminal zone. The zones are relatively independent of each other, free access between them is forbidden, and controlled access is possible only through specified means and designated ports;
S2, system group encapsulation management: in the first step each system and its subsystems are classified, first assessed and graded by the importance dimension and then classified by the network environment requirement dimension; in the second step the system group is encapsulated: according to importance and network exposure requirements, each system and its subsystems are deployed into, and encapsulated within, the corresponding one of the above five kinds of zones;
S3, inter-system interconnection management: for the interconnections between systems, subsystems and hosts deployed in the core system zone, the original interconnection relationships are left unchanged and they interconnect freely; for interconnections between the core system zone and third parties, the interface system is placed in the third-party interface zone and managed there;
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined;
S5, access path encapsulation: the 4A system (or a system of similar function) deployed in the security control zone is used, in the manner of a bastion host, as the access path for operation and maintenance personnel to core data and core systems;
S6, access path control: after the access path is encapsulated, multiple control strategies are implemented on that basis and the access behaviour towards the various resources is audited and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
In the above technical scheme, in step S1, one or more core system zones may optionally be set up.
In the above technical scheme, in step S2, classification by the network environment requirement dimension distinguishes: not exposed, partially exposed on the corporate intranet, and exposed to the public network.
In the above technical scheme, in step S2, according to importance and network exposure requirements, the hosts and storage systems carrying core system data and applications are deployed in the network's core system zone; the 4A system and other enterprise-wide security products are deployed in the security control zone; the interactive interfaces that interconnect with partners are deployed in the third-party interface zone; applications open to the public network are deployed in the public network access zone; and corporate intranet office terminals are deployed in the office terminal zone.
In the above technical scheme, in step S4, the standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone flow rules.
The invention proposes a security protection method that encapsulates and controls an information system group: by encapsulating the information system group and the access paths and applying the corresponding control strategies, it achieves fine-grained, layered security protection of the system group.
Detailed description of the drawings
In order to explain the embodiments of the invention or the technical scheme of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of system group encapsulation and control according to the invention;
Fig. 2 is a schematic diagram of access path encapsulation and control according to the invention.
Specific embodiment
The technical scheme of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
The invention proposes a security protection method that encapsulates and controls an information system group. By encapsulating the information system group and the access paths and applying the corresponding control strategies, it achieves fine-grained, layered security protection of the system group.
The encapsulation-and-control method proposed by the invention comprises the encapsulation and control of the system group, and the encapsulation and control of the access paths. System group encapsulation and control coordinates the various means into a whole, turning many parts into one, and greatly simplifies the object of security protection; it specifically comprises network security zone division management, system group encapsulation management, inter-system interconnection management and control rule management. Access path encapsulation and control mainly solves how back-end operation and maintenance personnel can legitimately access and maintain the encapsulated system group, and how effective strategy control is applied to their behaviour during access.
Referring to Fig. 1 and Fig. 2, the encapsulation-and-control security protection method for an information system group shown in the embodiment comprises the following steps:
S1, network security zone division management: according to security level and function, the network is logically divided into five kinds of zones: core system zone, security control zone, third-party interface zone, public network access zone and office terminal zone. One or more core system zones may optionally be set up. The zones are relatively independent of each other, free access between them is forbidden, and controlled access is possible only through specified means and designated ports. The purpose of network partitioning is, first, to prepare for system group encapsulation and, second, to greatly simplify the network-layer security management model and its difficulty.
S2, system group encapsulation management: in the first step each system and its subsystems are classified, first assessed and graded by the importance dimension (generally high, medium and low), then classified by the network environment requirement dimension into: not exposed, partially exposed on the corporate intranet, and exposed to the public network. In the second step the system group is encapsulated: according to importance and network exposure requirements, each system and its subsystems are deployed into, and encapsulated within, the corresponding one of the above five kinds of zones. Specifically, the hosts and storage systems carrying core system data and applications are deployed in the network's core system zone; the 4A system and other enterprise-wide security products are deployed in the security control zone (4A stands for Authentication, Account, Authorization and Audit; in Chinese usage it denotes a unified security management platform solution that defines authentication, authorization, audit and account management as the four major components of network security and thereby establishes the position and role of identity authentication in the whole network security architecture); the interactive interfaces that interconnect with partners are deployed in the third-party interface zone; applications open to the public network are deployed in the public network access zone; and corporate intranet office terminals are deployed in the office terminal zone. After such deployment, the data and applications of the core systems are encapsulated in the core system zone and, apart from the ports corresponding to fixed application interfaces, are invisible even to the other zones of the intranet.
S3, inter-system interconnection management: between an enterprise's systems, between subsystems, and between the hosts of a system there are many interconnection requirements; one could even say that without interconnection many systems could not exist. These interconnections often survive for a long time for historical reasons and their relationships are complex. For interconnections between systems, subsystems and hosts deployed in the core system zone, since they are all in a closed state invisible to the outside, the original interconnection relationships need not be changed and they interconnect freely. For interconnections with third parties, the interface system must be brought into the third-party interface zone and managed there, which involves some adjustment work. For newly built systems, the third-party interface at the application layer needs a custom dedicated interface with its own protective measures, to improve the interface's intrinsic security.
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined. The standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone flow rules. In practice the security management rules of each partition can directly reference the base class, or can be extended on its basis, but the basic principles in the base class must not be violated. Setting a standardized rule base class per partition on the one hand sets a security principle boundary for the different partitions and provides a unified, standard security management baseline for partitions of the same kind; on the other hand it provides a simplified, unified pattern for the security management of each partition.
For example, the core system zone can define a base-class rule such as: access from outside the zone is restricted, all ports are closed to the outside at the network layer and all protocols are blocked; within the zone, systems interconnect freely. Under this default condition the core system zone isolates itself at the network level into an information island. When there is an access requirement, it is managed strategically through the encapsulation and control of the access path.
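The zoning, classification and base-class rule idea of steps S1, S2 and S4 can be made concrete in code. The following is an added example written for this page, not code from the patent or from any 4A product: the five zone names and the three exposure grades follow the patent, while the `role` labels, the placement rules in `assign_zone`, the specific base principles enforced by `BaseClassPolicy.extend`, the port numbers and the sample inventory are illustrative assumptions. The point it shows is that a partition's extended rules can only add designated cross-zone ports, never override the default deny or open a direct path from office terminals into the core zone.

```python
"""Zone model, system classification and base-class rule check for steps S1, S2 and S4.

Added example, not code from the patent. Zone names follow the patent; the role
labels, the placement function, the base principles and all ports are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class Zone(str, Enum):                 # S1, the five logical zones
    CORE = "core_system"
    SECURITY_CONTROL = "security_control"
    THIRD_PARTY = "third_party_interface"
    PUBLIC_ACCESS = "public_network_access"
    OFFICE = "office_terminal"


class Exposure(str, Enum):             # S2, network-environment dimension
    NONE = "not_exposed"
    INTRANET = "intranet_partial"
    PUBLIC = "public_network"


@dataclass(frozen=True)
class SystemRecord:
    name: str
    importance: str         # S2, importance dimension: "high" | "medium" | "low"
    exposure: Exposure
    role: str = "business"  # assumed label: business | security | partner_interface | terminal


def assign_zone(rec: SystemRecord) -> Zone:
    """Step S2 placement: map a classified system to one of the five zones."""
    if rec.role == "security":
        return Zone.SECURITY_CONTROL     # 4A and other enterprise-wide security products
    if rec.role == "partner_interface":
        return Zone.THIRD_PARTY          # interfaces interconnecting with partners
    if rec.role == "terminal":
        return Zone.OFFICE               # intranet office terminals
    if rec.exposure is Exposure.PUBLIC:
        return Zone.PUBLIC_ACCESS        # applications open to the public network
    # Assumption: business systems not open to the public go to the core zone
    # (the patent also allows several core zones, e.g. split by importance).
    return Zone.CORE


class BaseClassPolicy:
    """Step S4 base class: cross-zone traffic is denied by default and may be
    allowed only on designated ports; traffic inside a zone is free. Partition
    extensions register designated ports but cannot violate these principles."""

    def __init__(self) -> None:
        self._allowed: Set[Tuple[Zone, Zone, str, int]] = set()

    def extend(self, src: Zone, dst: Zone, proto: str, port: int) -> None:
        """Register a solidified interface port; rejects entries that break the base class."""
        if src is dst:
            raise ValueError("intra-zone traffic is governed by the zone rule, not by an allow entry")
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError("only a designated protocol and port may cross a zone boundary")
        if src is Zone.OFFICE and dst is Zone.CORE:
            # Assumed base principle derived from S5: terminals reach the core only via the bastion.
            raise ValueError("office terminals reach the core zone only through the security control zone")
        self._allowed.add((src, dst, proto, port))

    def decide(self, src: Zone, dst: Zone, proto: str, port: int) -> str:
        if src is dst:
            return "allow"               # free interconnection inside a zone (S3, core zone)
        return "allow" if (src, dst, proto, port) in self._allowed else "deny"


def build_example_policy() -> BaseClassPolicy:
    """Constructed example: bastion reachable from the office zone; bastion reaches core hosts."""
    policy = BaseClassPolicy()
    policy.extend(Zone.OFFICE, Zone.SECURITY_CONTROL, "tcp", 443)   # bastion console (assumed port)
    policy.extend(Zone.SECURITY_CONTROL, Zone.CORE, "tcp", 22)      # bastion -> core hosts
    policy.extend(Zone.SECURITY_CONTROL, Zone.CORE, "tcp", 1521)    # bastion -> core database
    policy.extend(Zone.THIRD_PARTY, Zone.CORE, "tcp", 8443)         # fixed partner interface port
    return policy


def classify_inventory() -> Dict[str, Zone]:
    """Constructed sample inventory (not real systems)."""
    inventory = [
        SystemRecord("erp-db", "high", Exposure.NONE),
        SystemRecord("partner-gateway", "medium", Exposure.INTRANET, role="partner_interface"),
        SystemRecord("customer-portal", "high", Exposure.PUBLIC),
        SystemRecord("4a-bastion", "high", Exposure.INTRANET, role="security"),
        SystemRecord("office-pc-017", "low", Exposure.INTRANET, role="terminal"),
    ]
    return {rec.name: assign_zone(rec) for rec in inventory}


if __name__ == "__main__":
    for name, zone in classify_inventory().items():
        print(f"{name:18s} -> {zone.value}")
    p = build_example_policy()
    print("office  -> core    :22 ", p.decide(Zone.OFFICE, Zone.CORE, "tcp", 22))
    print("office  -> bastion :443", p.decide(Zone.OFFICE, Zone.SECURITY_CONTROL, "tcp", 443))
    print("bastion -> core    :22 ", p.decide(Zone.SECURITY_CONTROL, Zone.CORE, "tcp", 22))
```

In a real deployment the `decide` table would be rendered into the firewall rule set at each zone boundary; keeping the principle checks in `extend` is what makes the "extend but never violate the base class" requirement of S4 mechanically enforceable rather than a review convention.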
S5, access path encapsulation: on the basis of partition encapsulation, core data and core applications reside in the core system zone; because of this encapsulation, every resource of the core system zone is invisible to the corporate intranet and to the external network apart from the ports of a few solidified interfaces. However, day-to-day operation and maintenance personnel and data analysts work in the office terminal zone and need to maintain or access the systems and data in the core system zone. A means of access must therefore be provided, and at this point the access paths of the operation and maintenance or analysis personnel need to be encapsulated, integrated and centrally managed. In practice the 4A system (or a system of similar function) deployed in the security control zone can provide, in the manner of a bastion host, the access path for operation and maintenance personnel to core data and core systems.
S6, access path control: after the access path is encapsulated, multiple control strategies are implemented on that basis and the access behaviour towards the various resources is audited and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
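Steps S5 and S6 describe a single brokered path with four controls: centralized accounts, authentication, authorization and audit. The following is an added example, not the patent's code and not the implementation of any 4A product: a minimal access broker that holds the accounts, authenticates with a salted PBKDF2 hash, checks per-target grants, requires an approval ticket for sensitive operations, and writes every decision to an audit log that can then be analysed for repeated denials. The operation names, the sensitive-operation list, the ticket format and the scenario data are constructed assumptions.

```python
"""Bastion-style access path control for steps S5 and S6: centralized accounts,
authentication, authorization, sensitive-operation control and audit analysis.

Added example, not the patent's or any 4A product's code. Operation names, the
sensitive-operation list, the ticket mechanism and the scenario are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SENSITIVE_OPS = {"delete", "export", "schema_change"}   # assumed list; each needs an approval ticket


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    grants: Set[Tuple[str, str]] = field(default_factory=set)   # {(target, operation)}, held centrally


@dataclass
class AuditRecord:
    ts: float
    user: str
    target: str
    operation: str
    decision: str
    reason: str


class AccessBroker:
    """The single access path from the office terminal zone to core resources."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}       # session token -> user
        self.audit: List[AuditRecord] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_account(self, user: str, password: str, grants: Set[Tuple[str, str]]) -> None:
        """Account permission centralization: accounts and grants exist only in the broker."""
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, salt, self._hash(password, salt), set(grants))

    def authenticate(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user)
        ok = acct is not None and hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))
        self._log(user, "-", "login", "allow" if ok else "deny", "credential check")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def request(self, token: str, target: str, operation: str, ticket: Optional[str] = None) -> bool:
        """Access control plus sensitive-operation management; every outcome is audited."""
        user = self.sessions.get(token)
        if user is None:
            self._log("?", target, operation, "deny", "invalid session")
            return False
        if (target, operation) not in self.accounts[user].grants:
            self._log(user, target, operation, "deny", "no grant")
            return False
        if operation in SENSITIVE_OPS and not ticket:
            self._log(user, target, operation, "deny", "sensitive operation without approval ticket")
            return False
        self._log(user, target, operation, "allow", f"ticket={ticket}" if ticket else "granted")
        return True

    def _log(self, user: str, target: str, operation: str, decision: str, reason: str) -> None:
        self.audit.append(AuditRecord(time.time(), user, target, operation, decision, reason))

    def analyse(self, deny_threshold: int = 3) -> dict:
        """Audit analysis: users with repeated denials, and sensitive operations actually executed."""
        denies = Counter(r.user for r in self.audit if r.decision == "deny")
        return {
            "suspicious_users": sorted(u for u, n in denies.items() if n >= deny_threshold),
            "sensitive_executed": [(r.user, r.target, r.operation) for r in self.audit
                                   if r.decision == "allow" and r.operation in SENSITIVE_OPS],
        }


def run_scenario() -> Tuple[AccessBroker, Dict[str, bool]]:
    """Constructed scenario: one operator, one core database, a handful of requests."""
    broker = AccessBroker()
    broker.add_account("ops_li", "correct horse battery staple",
                       {("erp-db", "read"), ("erp-db", "export")})
    broker.authenticate("ops_li", "wrong-password")          # denied and audited
    tok = broker.authenticate("ops_li", "correct horse battery staple")
    results = {
        "read": broker.request(tok, "erp-db", "read"),
        "delete": broker.request(tok, "erp-db", "delete"),             # no grant
        "export_no_ticket": broker.request(tok, "erp-db", "export"),   # sensitive, no ticket
        "export_ticket": broker.request(tok, "erp-db", "export", ticket="CHG-1042"),
        "bad_token": broker.request("deadbeef", "erp-db", "read"),
    }
    return broker, results


if __name__ == "__main__":
    broker, results = run_scenario()
    print(results)
    for r in broker.audit:
        print(f"{r.user:8s} {r.target:8s} {r.operation:8s} {r.decision:5s} {r.reason}")
    print(broker.analyse())
```

The broker is also where the S4 base class pays off: because the core zone admits only the bastion's designated ports, a request that bypasses `request` has no network path, so the audit log is complete rather than best-effort.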
The basis of this method is encapsulation and its core is control: encapsulation brings simplification and feasibility, control brings the ability to govern security during the event and to trace it afterwards. Through the invention, a complex system group is encapsulated into a whole and the access paths are encapsulated and centrally managed, which greatly reduces the complexity of information system security protection, greatly improves the protection efficiency of the information systems, and gives the protection of the system group a logical tightness.
The encapsulation-and-control system group protection method proposed by the invention encapsulates the information system group, encapsulates the access paths, and imposes control strategies on the basis of that encapsulation. It merges the scattered information system group into a whole, reduces the number of managed objects by orders of magnitude to a very small range, considerably reduces management difficulty and the number of security risk points, is highly operable, and is relatively easy to implement. The method can form a layered security protection system for the information system group and thereby achieve a logically foreseeable security effect.
The above is merely a specific embodiment of the invention, but the scope of protection of the invention is not limited to it; any change or replacement that those familiar with the art can easily think of within the technical scope disclosed by the invention shall be covered by its scope of protection. Therefore the scope of protection of the invention shall be subject to the scope of protection of the claims.
Claims (5)
1. An encapsulation-and-control security protection method for an information system group, characterized in that it comprises the following steps:
S1, network security zone division management: according to security level and function, the network is logically divided into five kinds of zones: core system zone, security control zone, third-party interface zone, public network access zone and office terminal zone; the zones are relatively independent of each other, free access between them is forbidden, and controlled access is possible only through specified means and designated ports;
S2, system group encapsulation management: in the first step each system and its subsystems are classified, first assessed and graded by the importance dimension and then classified by the network environment requirement dimension; in the second step the system group is encapsulated: according to importance and network exposure requirements, each system and its subsystems are deployed into, and encapsulated within, the corresponding one of the above five kinds of zones;
S3, inter-system interconnection management: for the interconnections between systems, subsystems and hosts deployed in the core system zone, the original interconnection relationships are left unchanged and they interconnect freely; for interconnections between the core system zone and third parties, the interface system is placed in the third-party interface zone and managed there;
S4, system group control: for each logical network zone after system group encapsulation, standardized base-class security management rules are defined;
S5, access path encapsulation: the 4A system deployed in the security control zone is used, in the manner of a bastion host, as the access path for operation and maintenance personnel to core data and core systems;
S6, access path control: after the access path is encapsulated, multiple control strategies are implemented on that basis and the access behaviour towards the various resources is audited and analysed; the control strategies include centralized management of account permissions, access control management and sensitive operation management.
2. The encapsulation-and-control security protection method for an information system group according to claim 1, characterized in that in step S1 one or more core system zones are set up depending on the number of systems and their functional characteristics.
3. The encapsulation-and-control security protection method for an information system group according to claim 1, characterized in that in step S2 classification by the network environment requirement dimension distinguishes: not exposed, partially exposed on the corporate intranet, and exposed to the public network.
4. The encapsulation-and-control security protection method for an information system group according to claim 1, characterized in that in step S2, according to importance and network exposure requirements, the hosts and storage systems carrying core system data and applications are deployed in the network's core system zone; the 4A system and other enterprise-wide security products are deployed in the security control zone; the interactive interfaces that interconnect with partners are deployed in the third-party interface zone; applications open to the public network are deployed in the public network access zone; and corporate intranet office terminals are deployed in the office terminal zone.
5. The encapsulation-and-control security protection method for an information system group according to claim 1, characterized in that in step S4 the standardized base-class security management rules include the networking rules of each zone, access restriction rules, information control rules and inter-zone flow rules.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610516250.XA (CN106209808B) | 2016-07-01 | 2016-07-01 | Encapsulation-and-control security protection method for an information system group |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106209808A (en) | 2016-12-07 |
CN106209808B (en) | 2019-05-03 |
Family
ID=57465791
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106209808B (en), Expired - Fee Related |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108921365A (en) * | 2017-12-29 | 2018-11-30 | 广州英丹网络科技有限公司 | An enterprise health intelligent management system |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1917514A (en) * | 2006-01-18 | 2007-02-21 | 中国科学院计算技术研究所 | Method for building a global network security system with source tracing in each sub-domain |
CN101582883A (en) * | 2009-06-26 | 2009-11-18 | 西安电子科技大学 | System and method for managing security of a general network |
CN101815032A (en) * | 2010-03-16 | 2010-08-25 | 中国电子科技集团公司第三十研究所 | Method for classifying and isolating information based on an integrated network security service architecture |
CN105205370A (en) * | 2015-08-24 | 2015-12-30 | 北京恒信安科技有限公司 | Security protection method for a mobile terminal, mobile terminal, security system and application method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 / PB01 | Publication | |
| C10 / SE01 | Entry into substantive examination; entry into force of request for substantive examination | |
| GR01 | Patent grant | Granted publication date: 2019-05-03 |
| CF01 | Termination of patent right due to non-payment of annual fee | Termination date: 2019-07-01 |