CN111314282A - Zero trust network security system - Google Patents

Zero trust network security system

Info

Publication number: CN111314282A
Application number: CN201911280054.7A
Authority: CN (China)
Prior art keywords: port, switch, server, database, network
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 李刚, 李鹏飞
Current assignee: Individual (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a zero trust network security system comprising a service area and a management area. The service area comprises a second database server, a third switch and a second server cluster connected with each other, the second database server being connected to a fifth switch and a sixth switch respectively; the management area comprises a management server, a seventh switch and a bastion host connected in sequence. The zero-trust network security system provided by the application has a scientific, reasonable and hierarchical structural design and strong resistance to attack, reduces network security risk, and meets the requirements of practical application.

Description

Zero trust network security system
Technical Field
The application relates to the technical field of computer networks, in particular to a zero-trust network security system.
Background
The most common computer network topologies are bus, ring, tree, star, hybrid and mesh. Among them ring, star and bus are the three most basic. In local area networks the star topology is used almost exclusively; the others are rarely deployed and are not discussed further.
The star topology suffers from the following disadvantages:
(1) Cable length and installation effort are considerable.
(2) The central node carries the whole load and becomes a bottleneck; failure of the central node brings down the network.
(3) The distributed processing capacity of each site is low.
(4) Sharing capability is poor and utilisation of the communication lines is low.
Advanced Persistent Threats (APT) endanger the data security of an enterprise. An APT is a "malicious commercial espionage threat": a long-running, planned campaign in which attackers target a specific organisation in order to steal its core data. Such activity is organised over a long period and is highly covert; the attacker conceals itself and steals data from the chosen target in a long-term, planned and organised way. Theft of data and collection of information of this kind in the digital space is "cyber espionage".
Advanced Persistent Threats bypass traditional signature-based defences (antivirus, firewalls, IPS and the like) by every available means and remain latent in the system for long periods, so that traditional defence systems have difficulty detecting them.
In network attack and defence, an intrusion typically follows one route: first a server with weak protection against WEB vulnerabilities is compromised; then that server is used to attack other servers through operating-system vulnerabilities; finally the key servers (database and file servers) are taken over and sensitive information is stolen. This route has become the general attack pattern.
There is no absolutely secure system in the network security industry. Facing Internet threats means facing not only known threats but also unknown ones, including 0-day vulnerabilities. Against an unknown threat every protection measure of a network system is ineffective and the attack cannot be defended effectively; the prior art has no countermeasure. Existing technical systems emphasise defence at the network entrance, where intrusion prevention systems, anti-virus gateways, firewalls and other security equipment are deployed. But when an intruder attacks through an unknown vulnerability these defences cannot recognise it, and a server inside the protected perimeter is taken over. From that server the intruder uses operating-system vulnerabilities to attack the internal network, the scope of the intrusion expands rapidly, and the whole network may fall under the intruder's control.
The existing star network has the inherent weakness of single points of failure. It can be divided into zones and domains for defence, but it cannot enforce the dedicated-use rules of a private network, for example that the service area listens only on ports 80 or 443 so that operating-system vulnerabilities cannot be attacked. Data flow cannot be made unidirectional and standardised; management and maintenance are complicated; maintenance of a device affects a wide area and carries uncontrolled risk. The core switch bears a heavy computational load that low-end equipment cannot handle. Security controls within a security domain cannot be enforced. The minimum protection unit cannot be a single host or application, because the switch does not support a large number of access control lists, so the security function of the switch cannot be fully used. The database security domain cannot avoid Internet routing and remains exposed to Internet attack: access is limited only by a firewall, which gives the database domain a single layer of defence that may be broken through. When a device in the network has been illegitimately controlled through an unknown vulnerability the damage cannot be contained, and in extreme cases the security of the whole network becomes uncontrollable. The security load at the network entrance and exit is too high, the defensive load cannot be distributed, and the network has neither hierarchy nor depth.
Disclosure of Invention
The application aims to provide a zero trust network security system. The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key/critical elements nor delineate the scope of such embodiments. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
According to one aspect of the embodiments of the application, a zero trust network security system is provided, comprising a service area and a management area. The service area comprises a second database server, a third switch and a second server cluster connected with each other, the second database server being connected to a fifth switch and a sixth switch respectively; the management area comprises a management server, a seventh switch and a bastion host connected in sequence; at least one of the firewall, the first system intrusion prevention system, the first switch, the first server cluster, the fourth switch, the second system intrusion prevention system, the fifth switch, the first database server, the sixth switch, the database backup server and the second server cluster is connected with the seventh switch.
Further, the management area further comprises a virtual private network (VPN) connected with the bastion host.
Further, the firewall, the first system intrusion prevention system, the first switch, the first server cluster, the fourth switch, the second system intrusion prevention system, the fifth switch, the first database server, the sixth switch, the database backup server and the second server cluster are all connected with the seventh switch.
Further, the first port of the database backup server is connected to the third port of the sixth switch.
Further, a third port of the database backup server is connected to the first port of the seventh switch.
Further, a first port of the first server cluster is connected to a second port of the second switch, the second port of the first server cluster is connected to the second port of the second server cluster and the first port of the fourth switch, respectively, and a third port of the first server cluster is connected to the third port of the first database server and the first port of the seventh switch, respectively.
Further, the first port of the second server cluster is connected to the second port of the third switch, the second port of the second server cluster is connected to the second port of the first server cluster and the first port of the fourth switch, and the third port of the second server cluster is connected to the third port of the second database server and the first port of the seventh switch.
Further, the first port of the first database server is connected to the third port of the fifth switch, the second port of the first database server is connected to the first port of the sixth switch, and the third port of the first database server is connected to the first port of the seventh switch.
Further, the first port of the second database server is connected to the third port of the fifth switch, the second port of the second database server is connected to the first port of the sixth switch, and the third port of the second database server is connected to the first port of the seventh switch.
The technical scheme provided by one aspect of the embodiment of the application can have the following beneficial effects:
the zero-trust network security system provided by the embodiment of the application has the advantages of scientific and reasonable structural design, hierarchical structural design and strong anti-attack capability, reduces the network security risk, and can well meet the requirements of practical application.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the application, or may be learned by the practice of the embodiments. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 shows a schematic structural diagram of a zero trust network security system of one embodiment of the present application;
fig. 2 shows an interface diagram of a server cluster in a case where a server has no link backup in another embodiment of the present application;
fig. 3 shows an interface diagram of a server cluster in a case where a server has a link backup in another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It will be understood by those within the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
A first embodiment of the present application provides a zero trust network security system comprising a service area and a management area. The service area comprises a second database server, a third switch and a second server cluster connected with each other, the second database server being connected to a fifth switch and a sixth switch respectively; the management area comprises a management server, a seventh switch and a bastion host connected in sequence; at least one of the firewall, the first system intrusion prevention system, the first switch, the first server cluster, the fourth switch, the second system intrusion prevention system, the fifth switch, the first database server, the sixth switch, the database backup server and the second server cluster is connected with the seventh switch.
In some embodiments, the management area further comprises a virtual private network (VPN) connected to the bastion host.
In some embodiments, the firewall, the first system intrusion prevention system, the first switch, the first server cluster, the fourth switch, the second system intrusion prevention system, the fifth switch, the first database server, the sixth switch, the database backup server, and the second server cluster are all connected to the seventh switch.
A second embodiment of the present application provides a zero trust network security system that includes a service zone and a management zone.
The service area comprises a firewall, a first switch, a second switch, a third switch, a fourth switch, a fifth switch, a sixth switch, a first system intrusion prevention system, a second system intrusion prevention system, a first server cluster, a second server cluster, a first database server, a second database server and a database backup server.
The management area comprises a seventh switch, a bastion host, a virtual private network (VPN) and a management server.
In some embodiments, the VPN may be implemented on a server or in dedicated hardware.
The first port of the firewall is connected with the first port of the first system intrusion prevention system;
the second port of the firewall is connected with the second port of the first system intrusion prevention system and also with the second port of the first switch;
the third port of the first system intrusion prevention system is connected with the first port of the first switch;
the third port of the first switch is respectively connected with the first port of the second switch and the first port of the third switch;
the second port of the second switch is connected with the first port (eth0 port) of the first server cluster;
the second port of the third switch is connected with the first port (eth0 port) of the second server cluster;
the second port (eth1 port) of the first server cluster is connected with the second port (eth1 port) of the second server cluster, and both are connected with the first port of the fourth switch;
the third port (eth3 port) of the first server cluster is respectively connected with the third port (eth3 port) of the first database server, the second port of the firewall, the second port of the first system intrusion prevention system, the second port of the second system intrusion prevention system, the second port of the first switch, the second port of the fourth switch, the second port of the fifth switch and the second port of the sixth switch, the third port (eth3 port) of the second server cluster, the third port (eth3 port) of the second database server and the third port (eth3 port) of the database backup server; the third port (eth3 port) of the first server cluster, the third port (eth3 port) of the first database server, the second port of the firewall, the second port of the first system intrusion prevention system, the second port of the second system intrusion prevention system, the second port of the first switch, the second port of the fourth switch, the second port of the fifth switch and the second port of the sixth switch, the third port (eth3 port) of the second server cluster, the third port (eth3 port) of the second database server, and the third port (eth3 port) of the database backup server are all connected with the first port of the seventh switch.
A first port (eth0 port) of the first database server and a first port (eth0 port) of the second database server are respectively connected with a third port of the second switch;
the second port of the first database server (eth1 port) is connected to the second port of the second database server (eth1 port) and both are connected to the first port of the sixth switch;
the third port of the sixth switch is connected to the first port (eth0 port) of the database backup server.
The second port of the seventh switch is connected with the first port of the bastion host;
the second port of the bastion host is connected with the first port of the virtual private network (VPN);
the third port of the seventh switch is connected to the first port of the management server.
The service area is responsible for processing internet user access, and the management area is responsible for managing and maintaining operations.
A third embodiment of the present application provides a zero trust network security system that includes a service zone and a management zone. The service area is responsible for processing internet user access, and the management area is responsible for managing and maintaining operations.
The service area comprises one firewall FW, six switches (SW1, SW2, SW3, SW4, SW5 and SW6), two system intrusion prevention systems (WAF1 and WAF2), two server clusters (Webserver1 and Webserver2), two database servers (DBserver1 and DBserver2) and one database backup server DBbackup; the management area comprises a switch SW7, a bastion host, a virtual private network VPN and a management server.
Port 1 of the firewall FW is connected with port 1 of WAF1; port 2 of FW is connected with port 2 of WAF1 and at the same time with port 2 of switch SW1; port 3 of WAF1 is connected with port 1 of SW1. Port 3 of SW1 is connected with port 1 of SW2 and with port 1 of SW3. Port 2 of SW2 is connected with eth0 of server cluster Webserver1; port 2 of SW3 is connected with eth0 of Webserver2. eth1 of Webserver1 is connected with eth1 of Webserver2, and both are connected with port 1 of SW4. eth3 of Webserver1 is connected with eth3 of database server DBserver1, and at the same time with port 2 of FW, port 2 of WAF1 and of WAF2, port 2 of SW1, SW4, SW5 and SW6, eth3 of Webserver2, eth3 of DBserver2 and eth3 of DBbackup; all these connection points are in turn connected to port 1 of switch SW7. eth0 of DBserver1 and of DBserver2 is connected with port 3 of SW2; eth1 of DBserver1 and of DBserver2 is connected with port 1 of SW6; port 3 of SW6 is connected to eth0 of DBbackup.
In the management area, port 2 of switch SW7 is connected with port 1 of the bastion host; port 2 of the bastion host is connected with port 1 of the VPN; port 3 of SW7 is connected to port 1 of the management server.
In operation, Internet traffic passes through the firewall FW and the WAF into an aggregation switch and is distributed to the different WEB security domains according to the access target. In each security domain the first network card (or first group of network cards) of the WEB servers listens only on ports 80 and 443, providing HTTP/HTTPS (Internet) service, and on no other port.
The access switch in each security domain is configured with an access-control policy that forbids communication between servers in the domain. For a functional server group (a group of servers that must communicate with each other to provide the group's function), Internet-based communication is preferred; only if the software requires internal addresses is an access-control entry of source IP:port to destination IP:port opened on the switch.
The second network card (or second group) of every server is aggregated to a rear (back-end) switch on which an access-control policy is enabled: data communication between servers is forbidden, and for each port in use an entry source IP:port to database-server IP:port is enabled, so that only the designated database server can be reached. The rear switch connects downstream to a database firewall, which enforces a whitelist of SQL statements so that malicious or unrecognised SQL cannot reach the database for execution.
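The statement whitelist that the database firewall above enforces can be modelled as fingerprint matching: each statement is reduced to its structure (string and numeric literals replaced by "?", comments removed, whitespace and case normalised) and only fingerprints of statements the application is approved to issue are let through. The following is an added example, not the patent's own code or the product of any database firewall vendor; the fingerprinting method, the approved statements and the test queries are constructed assumptions.

```python
# Added example, not the patent's own code: a statement-whitelist check of the
# kind a database firewall applies. Every statement is reduced to a fingerprint
# (literals replaced by "?", comments removed, whitespace and case normalised);
# only fingerprints present in the application's approved set pass. The approved
# statements and the test queries below are constructed.
import re
from typing import Iterable, Set


def fingerprint(sql: str) -> str:
    """Normalise one SQL statement into its structural fingerprint."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":                                   # string literal; '' is an escaped quote
            j = i + 1
            while j < n:
                if sql[j] == "'" and j + 1 < n and sql[j + 1] == "'":
                    j += 2
                    continue
                if sql[j] == "'":
                    break
                j += 1
            out.append("?")
            i = j + 1                                  # an unterminated literal swallows the rest
        elif sql.startswith("--", i) or c == "#":      # line comment (MySQL also accepts '#')
            while i < n and sql[i] != "\n":
                i += 1
            out.append(" ")
        elif sql.startswith("/*", i):                  # block comment
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif c.isdigit() and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            while i < n and (sql[i].isdigit() or sql[i] == "."):   # numeric literal
                i += 1
            out.append("?")
        else:
            out.append(c.lower())
            i += 1
    text = re.sub(r"\s+", " ", "".join(out)).strip()
    return text.rstrip(";").strip()


def build_whitelist(approved: Iterable[str]) -> Set[str]:
    """Fingerprints of the statements the application is known to issue."""
    return {fingerprint(q) for q in approved}


def is_allowed(whitelist: Set[str], sql: str) -> bool:
    """Fail closed: anything whose fingerprint is not whitelisted is blocked."""
    return fingerprint(sql) in whitelist


# Constructed set of statements the web tier is approved to send.
APPROVED = [
    "SELECT id, name FROM users WHERE name = 'x' AND password = 'y'",
    "UPDATE orders SET status = 'paid' WHERE id = 1",
]

if __name__ == "__main__":
    wl = build_whitelist(APPROVED)
    for q in ("SELECT id, name FROM users WHERE name = 'alice' AND password = 'hunter2'",
              "SELECT id, name FROM users WHERE name = 'admin' -- ' AND password = 'x'",
              "SELECT id, name FROM users WHERE name = '' OR '1'='1' AND password = ''"):
        print("ALLOW" if is_allowed(wl, q) else "BLOCK", "|", fingerprint(q))
```

The check fails closed: a comment-terminated injection loses the `AND password = ?` clause, a tautology adds an `or ?=?` term, and a `UNION` appends a second select, so none of them share a fingerprint with an approved statement. Only the structure is compared, which is why parameter values (names, amounts, escaped quotes such as `'o''brien'`) do not affect the result.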
The database firewall connects downstream to the database front access switch. That switch is configured with an access-control policy that forbids communication between database servers (internal communication of a database cluster requires an explicit source IP:port to destination IP:port entry; cluster services that need no communication port require none) and with entries of the form WEB IP:port to DB server IP:port, to stop unauthorised WEB servers from connecting to the database. The first network card (or first group) of the downstream database server listens only on ports 1521, 3306 and 1433 (according to the listening port of the database in use), and a separate user name and password must be configured for each database, i.e. a database privilege-separation rule.
The second network card (or second group) of the database servers connects downstream to the database backup security domain through an access switch. That switch is configured with an access control list that forbids communication among the database servers and permits only source database-server IP:port to database-backup-server IP:port; downstream of it is the database backup server, which performs continuous database backup.
The fourth (or eighth) network card of every server, together with the management ports of all switches and security devices, connects to the management-area switch, where an access control list forbids communication between devices. On each server the fourth network card listens on ports 22 and 3389 (the remote-management ports in use; if a server's management port is changed, the network card's listening port and the switch access control list change accordingly). The switch access control list permits only managed-host IP:port to bastion-host IP:port, so that only the bastion host can reach the management ports. Security devices are managed through a WEB interface; if the bastion host does not support WEB access, a management server is placed in the management area to manage them, and the management-area switch is configured with security-device IP:443/80 to management-server IP:port.
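The access-control entries described in the preceding steps (the WEB access domain, the rear switch in front of the database, the database front and backup switches, and the management area) all follow one pattern: deny every flow between hosts of the same security domain, then permit only explicitly listed source IP:port to destination IP:port flows, with the management ports reachable from the bastion host alone. The following is an added example, not the patent's own configuration, that models such a policy, evaluates candidate flows against it with first-match semantics and an implicit deny, and renders it as an IOS-style extended ACL; the addresses, subnets, hostnames and the choice of IOS syntax are constructed assumptions.

```python
# Added example, not the patent's own configuration: a model of the per-domain
# access-control policy described above. Addresses, hostnames and the domain
# layout below are constructed assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    src: str              # source prefix (host/32, subnet, or 0.0.0.0/0 for "any")
    dst: str              # destination prefix
    dport: int = 0        # destination port, 0 = any port
    proto: str = "tcp"    # "tcp", "udp" or "ip" (any protocol)
    permit: bool = True


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed addressing (assumption):
#   10.10.1.0/24  web-server eth0, Internet-facing, listens on 80/443 only
#   10.10.2.0/24  web-server eth1 -> database access, via the rear switch
#   10.10.3.0/24  database-server eth0 (listens on 3306 only)
#   10.10.4.0/24  database-server eth1 -> database backup domain
#   10.10.7.0/24  security-device management interfaces (web UI)
#   10.10.8.0/24  server management NICs (eth3), listening on 22/3389
#   10.10.9.5     bastion host, 10.10.9.6 management server
POLICY: List[Rule] = [
    # lateral traffic inside each security domain is denied before anything else
    Rule("10.10.1.0/24", "10.10.1.0/24", proto="ip", permit=False),
    Rule("10.10.2.0/24", "10.10.2.0/24", proto="ip", permit=False),
    Rule("10.10.3.0/24", "10.10.3.0/24", proto="ip", permit=False),
    Rule("10.10.8.0/24", "10.10.8.0/24", proto="ip", permit=False),
    # Internet users reach the web domain on HTTP/HTTPS only
    Rule("0.0.0.0/0", "10.10.1.0/24", 80),
    Rule("0.0.0.0/0", "10.10.1.0/24", 443),
    # explicit web -> database flows (source IP:port to database IP:port)
    Rule("10.10.2.11/32", "10.10.3.21/32", 3306),
    Rule("10.10.2.12/32", "10.10.3.21/32", 3306),
    # database -> database backup server (log shipping)
    Rule("10.10.4.21/32", "10.10.4.31/32", 3306),
    # only the bastion host reaches the servers' management ports
    Rule("10.10.9.5/32", "10.10.8.0/24", 22),
    Rule("10.10.9.5/32", "10.10.8.0/24", 3389),
    # the management server reaches the security devices' web UIs
    Rule("10.10.9.6/32", "10.10.7.0/24", 443),
    Rule("10.10.9.6/32", "10.10.7.0/24", 80),
]


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.dport and rule.dport != flow.dport:
        return False
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def evaluate(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; no match means deny (implicit deny at the end)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.permit
    return False


def _cisco_addr(prefix: str) -> str:
    net = ip_network(prefix)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard mask


def render_cisco(name: str, rules: List[Rule]) -> str:
    """Render the policy as an IOS-style extended ACL (assumed target syntax)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = f" {'permit' if r.permit else 'deny'} {r.proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}"
        if r.dport:
            line += f" eq {r.dport}"
        lines.append(line)
    lines.append(" deny ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cisco("ZT-DOMAINS", POLICY))
    for f in (Flow("203.0.113.7", "10.10.1.11", 443), Flow("10.10.1.11", "10.10.1.12", 443),
              Flow("10.10.2.11", "10.10.3.21", 3306), Flow("10.10.1.11", "10.10.8.12", 22)):
        print(f, "permit" if evaluate(POLICY, f) else "deny")
```

The intra-domain deny entries come first on purpose: a later "any to web-domain port 443" permit would otherwise also admit one web server calling another on 443, which is exactly the lateral movement the scheme forbids. The same ordering is what a web server that has been taken over runs into when it tries port 22 on a neighbour's management card: no explicit permit exists for that source, so the flow falls through to the implicit deny.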
Data passing through the layer-2 switches crosses the firewall (layer-4 defence) and the database firewall (layer-7 defence) in turn, is processed by the database, and returns to the WEB server, which returns it to the Internet user. The database ships its operation log to DBBACKUP in real time, and DBBACKUP replays the log contents, which provides real-time backup of the database.
In some embodiments, as shown in fig. 2, for a server without link backup: ETH0 is the dedicated network card for WEB user access and listens only on ports 80 and 443; ETH1 is the dedicated network card for the database connection, connected only to the aggregation switch and from there, according to the access policy, to the database server; ETH2 is reserved for expansion, for example a backup area; ETH3 connects to the management area, and is connected only to the aggregation switch and from there, according to the access policy, to the bastion host.
In some embodiments, as shown in fig. 3, for a server with link backup: Team1 (a network card team) is the dedicated WEB user access interface and listens only on ports 80 and 443; Team2 is the dedicated database interface, connected only to the aggregation switch and from there, according to the access policy, to the database server; ETH4, ETH5 and ETH6 are reserved for expansion, such as a backup area or cluster heartbeats; ETH7 connects to the management area, and is connected only to the aggregation switch and from there, according to the access policy, to the bastion host.
In the technical scheme of this embodiment, security defence shifts from the previous single focus (defence at the network entrance) to two focal points, defence outward and inward. External defence means strengthening measures at the network entrance so that an intruder has the greatest possible difficulty compromising any server or application. Internal defence means that when a server in the network has been illegally taken over, the intruder cannot expand the range of control. Internal defence is deployed by making the server/application the basic unit of defence in the internal network: different servers/applications do not trust each other and treat each other's traffic as Internet access. This defence system is a zero-trust network.
In the technical solution of this embodiment, the implementation idea is as follows: devices such as a firewall, a web application firewall (WAF), an intrusion prevention system and an anti-virus gateway deployed at the network entrance and at each security domain entrance implement external defence; switches, micro-segmentation and similar equipment implement internal defence, so that attacks cannot be launched between internal networks.
In the technical solution of this embodiment, the security defense basic unit refers to a server (group)/application (group) that uses the same group (series) of security defense policies for defense in security defense. Mainly refers to a server/application cluster that implements the same function, the same set of functions.
The security defense minimum unit refers to a server/application in security defense. Mainly referring to all servers/applications under security defense.
Limited trust: where server groups/application groups must communicate over standard or non-standard ports, communication between them is permitted on the restricted ports only; this is limited trust.
Unlimited trust: communication between server groups/application groups is not restricted by any security policy (no security policy at all).
Zero trust: server groups/application groups communicate with each other via the Internet; that is, when two groups need to exchange data, the traffic is routed out and inspected by the security defence equipment at the network entrance before it re-enters the intranet, and no data exchange between groups takes place directly over the intranet.
Zero trust network: a network whose data-exchange mechanism is primarily zero-trust communication, supplemented by limited trust, is a zero trust network.
The technical scheme of this embodiment realizes a strict security domain division mechanism: communication between security domains is limited, and isolation equipment is deployed at each security domain exit.
The technical scheme of this embodiment realizes a lateral absolute defense technology: communication within a security domain is strictly limited, all equipment and application programs are allowed to communicate only with the Internet, communication inside the security domain is prohibited, and as a result the ARP table of a device does not show the MAC addresses of devices with which it has no communication requirement.
The technical scheme of this embodiment uses the security domain as the basic protection unit for WEB defense across the whole network and, combined with the network defense mechanism, sets a single site as the minimum protection unit to achieve maximum WEB defense.
In the technical scheme of this embodiment, the server is the basic protection unit within the security domain: the server is limited to accepting access only from Internet users, and access from other equipment in the security domain is forbidden. Application programs must reach each other via the Internet and may be configured with Internet routing for that access. If an application program does not support this access mode, an ACL policy is opened between the devices that allows only the specific source IP:port to destination IP:port communication.
The technical scheme of this embodiment strictly enforces the private-network dedicated-use mechanism and closes every port not needed for the dedicated network's purpose. For example, listening on ports such as 22 and 1521 must be prohibited in the Internet direction, and the application access side opens listeners only on ports 80 and 443. The database area is positioned at the rear of the network with no route to the Internet, so the risk of Internet attack is avoided.
The technical scheme of this embodiment adopts the principle of a rearward database area: a server must use a dedicated network card to connect to the database-dedicated area when accessing it, and an isolation device, a database protection system and a database auditing system are deployed at the exit of the database security domain.
The technical scheme of this embodiment adopts a management area separation principle: a dedicated management area network card is enabled on all equipment to form the management area; this card listens only on management and maintenance ports such as 22 and 3389, never on database communication ports such as 1433 and 1521, but it does carry the communication ports of all equipment such as the management and maintenance platform. All communication other than the source IP:port to destination IP:port communication opened for service requirements is forbidden, the emphasis being on prohibiting lateral communication between devices.
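As an added example (not the patent's own design or code), the following Python models the per-zone listening-port rule and the default-deny source IP:port to destination IP:port ACL from the preceding paragraphs and audits a constructed host against them; the zone names, addresses, host and sample rule are assumptions.

```python
# Added example, not from the patent: check a host's dedicated network cards
# against the per-zone listening rule, and evaluate the default-deny ACL.
# Zone names, hosts, addresses and the sample rule are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports a card in each zone may listen on, as the text states: Internet-facing
# application side 80/443 only; management card maintenance ports only (22,
# 3389), never database ports; database card database ports only.
ZONE_LISTEN_PORTS = {
    "internet": {80, 443},
    "management": {22, 3389},
    "database": {1433, 1521},
}


@dataclass(frozen=True)
class AclRule:
    src: str              # source network (CIDR)
    sport: Optional[int]  # source port, None = any
    dst: str              # destination network (CIDR)
    dport: int            # destination port


def listen_violations(zone: str, listening: set) -> set:
    """Ports open on a card that its zone does not permit."""
    return set(listening) - ZONE_LISTEN_PORTS[zone]


def permitted(rules, src_ip, sport, dst_ip, dport) -> bool:
    """Default deny: only an explicit src:port -> dst:port entry passes."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        s in ip_network(r.src) and (r.sport is None or r.sport == sport)
        and d in ip_network(r.dst) and r.dport == dport
        for r in rules
    )


# Constructed sample: a web server with three dedicated cards.
WEB_SERVER_CARDS = {
    "internet": {80, 443, 22},       # 22 left open: violation
    "database": {1521},
    "management": {22, 3389, 1433},  # 1433 is a database port: violation
}

# Constructed ACL: the web cluster may reach the database server on 1521
# over the database-dedicated network; nothing else is listed.
SAMPLE_RULES = [
    AclRule("10.20.0.0/24", None, "10.30.0.10/32", 1521),
]


def audit_cards(cards=WEB_SERVER_CARDS) -> dict:
    """Map each card zone to the set of ports that violate its rule."""
    return {zone: listen_violations(zone, ports) for zone, ports in cards.items()}


def lateral_ssh_blocked(rules=SAMPLE_RULES) -> bool:
    """Two web servers in the same segment: SSH between them is denied."""
    return not permitted(rules, "10.20.0.5", 51000, "10.20.0.6", 22)


if __name__ == "__main__":
    print(audit_cards())  # {'internet': {22}, 'database': set(), 'management': {1433}}
    print(permitted(SAMPLE_RULES, "10.20.0.5", 40000, "10.30.0.10", 1521))  # True
    print(lateral_ssh_blocked())  # True
```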
The database firewall makes up for the deficiency of WAF defense with respect to SQL scripts, forming a reverse (back-to-front) protection effect.
The technical scheme of this embodiment realizes the de-coring of the network design (no key node whose failure paralyzes the whole network) and standardizes the data flow direction.
The technical scheme of this embodiment introduces a switch security defense mechanism, extends intranet defense and prohibits communication with equipment in the same network segment.
Management and maintenance operations on network equipment, security equipment and server equipment are authorized only from the management and maintenance area and only over the specified ports.
The technical scheme of this embodiment proposes a link trusted communication principle, namely that the communication source must be trusted and communication is not allowed in any unauthorized way. After a WEB server is compromised through an unknown vulnerability, the attacker cannot perceive the equipment in the same network segment, i.e. cannot initiate an intranet attack, so the loss is controllable and minimized.
The technical scheme of this embodiment proposes a chain defense principle, namely that the back end protects the front end in reverse and the database defense protects the WEB system in reverse, thereby achieving the goal of maximum intrusion difficulty.
The technical scheme of this embodiment proposes a network concept of hierarchical design: the network side is layered so that when an intrusion occurs the loss is minimized and the intrusion difficulty is maximized.
The technical scheme of this embodiment proposes the idea of a dedicated private network for the whole network, reducing the attack surface to the greatest extent, and provides defense measures within the security domain so that, even if devices such as the firewall and WAF are bypassed, an intranet attack within the security domain cannot be initiated.
The zero-trust network security system provided by the embodiment of the application has a scientific and reasonable structural design, a hierarchical structural design and strong anti-attack capability; it reduces network security risk and can well meet the requirements of practical application.
The technical scheme of this embodiment improves security mainly in the following aspects:
1. WEB security risk is reduced: in the face of novel attacks based on database script vulnerabilities, an attack script that penetrates the WAF still cannot pass the database firewall to execute a malicious script in the database, so the attack intention cannot be realized.
2. The private-network dedicated-use mechanism effectively reduces the attack surface facing both the Internet and the intranet. For example, attacks exploiting operating system vulnerabilities cannot be carried out through the service network or the data backup network, and an attack based on operating system vulnerabilities cannot be made against the database server within the production environment.
3. The perception range of an attacker is reduced: on any device, the existence of devices irrelevant to its service cannot be perceived. Even if devices in the intranet are compromised by hackers, the intranet attack cannot spread widely.
4. Lower-end network equipment models suffice: the hardware design principle is to use low-end equipment throughout the network, which saves construction cost.
5. The network is de-cored, eliminating the threat of whole-network paralysis caused by the failure of key nodes.
6. Maintenance is simplified: because of the private-network dedicated-use design idea, the data flow direction is effectively normalized, and when software or hardware maintenance requires an individual device to be taken out of service, whole-network operation is not affected (only part of the functions are suspended in an orderly way).
It should be noted that:
in the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: this application is intended to cover such departures from the present disclosure as come within known or customary practice in the art to which this invention pertains. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the application, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
The above-mentioned embodiments only express the embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (9)

1. A zero trust network security system is characterized by comprising a service area and a management area; the service area comprises a service area, a second database server, a third switch and a second server cluster which are connected with each other, wherein the second database server is respectively connected with the fifth switch and the sixth switch; the management area comprises a management server, a seventh switch and a fortress machine which are connected in sequence; at least one of the firewall, the first system intrusion prevention system, the first switch, the first server cluster, the fourth switch, the second system intrusion prevention system, the fifth switch, the first database server, the sixth switch, the database backup server and the second server cluster is connected with the seventh switch.
2. The zero trust network security system of claim 1, wherein the management area further comprises a private virtual network connected to the bastion.
3. The zero trust network security system of claim 1, wherein a firewall, a first system intrusion prevention system, a first switch, a first cluster of servers, a fourth switch, a second system intrusion prevention system, a fifth switch, a first database server, a sixth switch, a database backup server, and a second cluster of servers are connected to the seventh switch.
4. The zero trust network security system of claim 1, wherein the first port of the database backup server is connected to the third port of the sixth switch.
5. The zero trust network security system of claim 4, wherein the third port of the database backup server is connected to the first port of the seventh switch.
6. The zero trust network security system of claim 1, wherein the first port of the first server cluster is coupled to the second port of the second switch, the second port of the first server cluster is coupled to the second port of the second server cluster and the first port of the fourth switch, respectively, and the third port of the first server cluster is coupled to the third port of the first database server and the first port of the seventh switch, respectively.
7. The zero trust network security system of claim 1, wherein the first port of the second server cluster is connected to the second port of the third switch, the second port of the second server cluster is connected to the second port of the first server cluster and the first port of the fourth switch, respectively, and the third port of the second server cluster is connected to the third port of the second database server and the first port of the seventh switch, respectively.
8. The zero trust network security system of claim 1, wherein the first port of the first database server is connected to the third port of the fifth switch, the second port of the first database server is connected to the first port of the sixth switch, and the third port of the first database server is connected to the first port of the seventh switch.
9. The zero trust network security system of claim 1, wherein the first port of the second database server is connected to the third port of the fifth switch, the second port of the second database server is connected to the first port of the sixth switch, and the third port of the second database server is connected to the first port of the seventh switch.
CN201911280054.7A 2019-12-06 2019-12-06 Zero trust network security system Pending CN111314282A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911280054.7A CN111314282A (en) 2019-12-06 2019-12-06 Zero trust network security system


Publications (1)

Publication Number Publication Date
CN111314282A true CN111314282A (en) 2020-06-19

Family

ID=71146802




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination