CN113365277A - Wireless network safety protection system - Google Patents

Publication number: CN113365277A
Application number: CN202010640978.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: mobile terminal, security, mobile, wireless, safety
Inventors: 琚宏伟, 邓晖, 孙侃, 陈卫平, 邯子皓, 刘秋尘
Current assignee: China Media Group
Original assignee: China Media Group
Events: application filed by China Media Group; priority claimed to CN202010640978.XA; published as CN113365277A; legal status pending.

Abstract

The embodiment of the application provides a wireless network security protection system, relates to a network security technology, and is used for overcoming the problem of information security caused by an open and intelligent mobile office platform in the related technology. The system comprises: the wireless network security unit is used for performing wireless security detection, wireless intrusion prevention, wireless access control and wireless positioning; the boundary access unit is used for performing boundary protection, identity authentication and safety isolation and establishing a network safety channel between the information outer network and the information inner network; and the mobile terminal safety unit is used for managing the mobile terminal, the mobile application and the content.

Description

Wireless network safety protection system
Technical Field
The application relates to a network security technology, in particular to a wireless network security protection system.
Background
A television station is a media organization that produces television programs and broadcasts them through radio signals, satellite signals, cable networks or the Internet, to be watched on television sets or over the Internet. It transmits synchronized video and audio and provides the public with paid or free programs by wire or wirelessly. Television stations carry an important responsibility for shaping public opinion, and safe broadcasting is the lifeline of a television station. As technology has developed, television stations have gradually evolved from production-and-broadcast networks toward media convergence.
With the rapid development of media convergence services in recent years, the need to reach the dedicated services of a television station over a wireless network has become increasingly common. To keep pace with mobile services, television stations have gradually strengthened their internal wireless networks: the station builds a wireless local area network (WLAN) system that fully covers the office area, and, on the mobile application side, services such as program production and message query are already available to mobile office users. However, an open and intelligent mobile office platform turns the mobile terminal into a security gap in the station's WLAN: malicious code is easily implanted through the mobile terminal, personal applications become mixed with enterprise applications, data leaks, and these problems pose a serious challenge to enterprise information security.
Disclosure of Invention
The embodiment of the application provides a wireless network security protection system which is used for overcoming the problem of information security caused by an open and intelligent mobile office platform in the related technology.
The embodiment of the application provides a wireless network safety protection system, including:
the wireless network security unit is used for performing wireless security detection, wireless intrusion prevention, wireless access control and wireless positioning;
the boundary access unit is used for performing boundary protection, identity authentication and safety isolation and establishing a network safety channel between the information outer network and the information inner network;
and the mobile terminal safety unit is used for managing the mobile terminal, the mobile application and the content.
In one possible implementation manner, the wireless network security unit is specifically configured to:
identifying and detecting attack behavior, which comprises at least one of: denial of service (DoS), rogue access points, wireless scanning, wireless spoofing, wireless phishing and wireless cracking;
when attack behavior is detected, blocking it by sending blocking packets or by radio-frequency blocking;
and when the attack behavior is detected, positioning an attack source of the attack behavior through triangulation positioning or fingerprint positioning.
In one possible implementation manner, the wireless network security unit is specifically configured to perform at least one of the following:
carrying out identity authentication, authority limitation and data encryption;
controlling the access right to the wireless network and prohibiting a user who does not obtain the access right from accessing;
monitoring data, recording various operations, and giving an alarm when the illegal behavior is confirmed to exist according to the data or the operations;
controlling a physical area corresponding to the issued wireless access point;
and transmitting by adopting a digital signature technology or a set audio and video file format or a set protocol.
In one possible implementation manner, the border access unit is specifically configured to perform at least one of the following:
grouping management is carried out on users according to preset categories;
storing information of each user;
according to the security level of the user, authenticating the user by adopting an authentication mechanism of a corresponding level; or, configuring the mobile terminal;
managing the authority of the user according to the category of the user;
limiting the access authority according to the position of the user;
carrying out authority management according to the type of the mobile terminal;
managing the duration of sessions established by users.
In one possible implementation manner, the mobile terminal security unit includes:
the mobile terminal management module is used for carrying out full life cycle management on the registration, activation, use and elimination of the mobile terminal;
the mobile application management module is used for carrying out aggregation management on the detection, reinforcement and distribution of the mobile application;
and the mobile content management module is used for managing the content storage, the content transmission, the content distribution and the file document.
In one possible implementation manner, the mobile terminal management module is specifically configured to execute at least one of the following:
detecting whether a mobile terminal to be accessed has a security risk, and allowing the mobile terminal to be accessed when the mobile terminal is determined not to have the security risk;
registering the accessed mobile terminals and managing them by group;
managing the mobile terminal according to a preset policy, the policy comprising at least one of: a screen-lock and screen-lock-clearing policy, a screen-lock password policy, an illegal-action policy, a user policy and an auditing policy;
locating a mobile terminal that has gone out of control, or erasing its data;
configuring and managing the function authority, the application program authority, the safety and the privacy of the terminal equipment of the target user;
data protection is carried out on the mobile terminal which is lost;
and carrying out virus protection processing on the mobile terminal, and upgrading the anti-virus system according to the virus identified by the mobile terminal.
In one possible implementation manner, the mobile application management module is configured to perform at least one of the following:
carrying out security detection on the mobile application before online, and repairing the vulnerability when the vulnerability is detected;
encrypting the mobile application before online;
and carrying out security check and security reinforcement on the mobile application before release.
In one possible implementation manner, the mobile content management module is configured to perform at least one of the following:
adopting sandbox technology to manage internal data and personal data of TV station;
encrypting a document to be uploaded or transmitted by adopting an encryption algorithm;
carrying out unified management and directional distribution on the documents to be distributed;
and carrying out directional pushing on the notification message.
In one possible implementation manner, the system further includes:
and the risk evaluation unit is used for periodically analyzing the wireless network security protection system and evaluating the occurrence probability of the security event.
In one possible implementation manner, the system further includes:
the emergency response unit is used for generating an emergency signal when an abnormal event is detected, and the emergency signal is used for triggering corresponding prompt or disconnecting network connection; the abnormal event comprises at least one of the following: attack event, detection of information destruction event, detection of information content security event.
The wireless network safety protection system provided by the embodiment of the application is characterized in that a wireless network safety unit, a boundary access unit and a mobile terminal safety unit are arranged; the wireless network security unit can provide a secure indoor environment and a wireless transmission channel for the wireless network by performing wireless security detection, wireless intrusion prevention, wireless access control and wireless positioning; the boundary access unit can ensure the safety of the boundary by performing boundary protection, identity authentication and safety isolation, and establishes a network safety channel between the information internal network and the information external network to provide a safe network access service; the mobile terminal safety unit can manage mobile application and content of the mobile terminal, and is favorable for improving the safety of the mobile terminal. Therefore, the system can reduce or even avoid unsafe factors from multiple aspects, is favorable for avoiding safety problems of malicious codes implanted into a wireless network through the mobile terminal, data leakage and the like, and can further provide guarantee for the wireless network safety of the television station.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a wireless network security protection system according to an exemplary embodiment;
FIG. 2 is an architecture diagram of a wireless network security protection system provided in an exemplary embodiment;
fig. 3 is a flowchart illustrating a mobile terminal accessing an information network according to an exemplary embodiment.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In the related art, with the rapid development of the media convergence service, the requirement of accessing to the dedicated service of the television station through the wireless network mode is more and more common. In order to comply with the development requirements of mobile services, television stations gradually strengthen the construction of internal wireless networks: the television station establishes a wireless local area network system, and realizes the comprehensive coverage of a wireless network in an office area; in the aspect of mobile application construction, mobile office of services such as program production, message query and the like is already realized in the mobile station. However, the open and intelligent mobile office platform makes the mobile terminal become a security gap of the wireless local area network system of the television station, malicious codes are easily introduced into the mobile terminal to be implanted, so that the problems of mixing of personal applications and enterprise applications, data leakage and the like occur, and the problems bring great challenges to enterprise information security.
To overcome the above problems, the present embodiment provides a wireless network security protection system with a wireless network security unit, a boundary access unit and a mobile terminal security unit. The wireless network security unit establishes a secure physical environment and a wireless transmission channel between a mobile terminal and an information intranet application server; the boundary access unit establishes a network security channel between the information intranet and the information extranet and provides a secure network access service; and the mobile terminal security unit manages the mobile terminal together with its mobile applications and mobile content. Unsafe factors are thus eliminated at multiple links, which helps to avoid security problems such as malicious code being implanted into the wireless network through the mobile terminal and data disclosure.
The structure, function and implementation process of the wireless network security protection system provided in this embodiment are described below with reference to the accompanying drawings.
As shown in fig. 1, the wireless network security system provided in this embodiment may be used in a television station or other enterprises, and includes:
a wireless network security unit 11, configured to establish a wireless transmission channel between an accessed mobile terminal and an information intranet application server;
a boundary access unit 12, configured to establish a network security channel between the information extranet server and the information intranet application server;
and a mobile terminal security unit 13, configured to manage the mobile terminal, and manage mobile applications and mobile contents of the mobile terminal.
The wireless network security protection system can be applied to the wireless local area network of a television station. As shown in fig. 2, wireless network security protection is carried out at several levels, namely data security, application security, network security, host security and physical security, following a layered, multi-facet protection approach and the relevant classified-protection (level protection) standards, and realizes wireless link security, authentication and authorization, mobile terminal security, APP (Application) life cycle management, security management and security operation and maintenance according to preset requirements. In addition, the wireless network security protection system provided in this example is extensible and can be improved in line with the actual development of the television station's services.
The wireless network security unit can improve the wireless security protection capability. According to the principles of security, reliability, advancement, applicability, manageability and easy expansion, the wireless network security unit integrates wireless security detection, wireless intrusion prevention, wireless access control and wireless positioning, provides a secure physical environment and a wireless transmission channel for the wireless network, and is used for realizing wireless link security. Specifically, attack events are discovered in time by detecting attack behavior such as DoS (Denial of Service), AP (Access Point) spoofing, illegal signals and illegal terminals; data is encrypted with technologies such as VPN (Virtual Private Network), WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2 to guarantee transmission security; attack behavior is precisely blocked by technologies such as packet blocking and radio-frequency blocking; and the attack source is effectively located by technologies such as triangulation and fingerprint positioning. Implementing security measures such as attack detection, data encryption, precise blocking and effective positioning secures the wireless network equipment and the physical and network layers of the television station, and provides a secure channel for the station's mobile application service system.
The border access unit is established according to the strategies of uniform access management, uniform application audit, uniform operation monitoring and uniform strategy deployment. The boundary access unit adopts a strategy of distinguishing link security defense, and integrates boundary protection, identity authentication, application security and security isolation. On the premise of ensuring the safety of the boundary access, the boundary access unit establishes a network safety channel between the internal network and the external network, and provides a safe network access service. The border access unit is used for realizing authentication and authorization. Legal users are identified through a perfect identity authentication mechanism, and a multi-dimensional authority control system performs fine-grained authority control to ensure the controllability and the safety of a wireless network of a television station.
The mobile terminal security unit is used for realizing the security of the mobile terminal. The mobile terminal is used as an entrance of a wireless network and a service system, when the mobile terminal accesses the network, a strict access auditing mechanism is required, only trusted terminal equipment is allowed to access the network, and the safety risk brought by terminal access is reduced. The all-round protection of the terminal is realized through the management of the mobile terminal, the management of the mobile application and the management of the mobile content, and the safety of the mobile terminal equipment, the application safety and the data safety are guaranteed.
The mobile security management platform comprises a mobile terminal management module, a mobile application management module and a mobile content management module. The mobile terminal management module performs full life cycle management of each link of registration, activation, use and retirement of the mobile terminal; the mobile application management module performs integrated aggregation management of the detection, reinforcement and distribution of application programs, improving the overall management efficiency of enterprise applications; and the mobile content management module manages content storage, content transmission, content distribution and file documents, preventing the content from being tampered with.
In addition, an operation, maintenance and management working mechanism for the boundary security access platform and the mobile security management platform can be established, and their normal operation guaranteed through standardized access configuration, standardized security monitoring and standardized operational disposal. For security management, management must be carried out from the aspects of the security management system, the security management organization, personnel and the like in strict accordance with classified-protection requirements. For operation and maintenance security, continuous mechanisms such as continuous risk assessment and security inspection are established, guaranteeing continuous updating of the security system and providing information security assurance for the CCTV wireless network.
The wireless network security unit can adopt various reinforcement measures such as identity authentication, authority limitation, data encryption and the like, so that the self security of network equipment in the wireless network is improved, and the normal operation of various network equipment is guaranteed.
In a specific implementation: the wireless network security unit authenticates each user who logs in to the network equipment, and user names must be unique; it limits the login addresses from which the administrator of the network equipment may connect; it handles login failures by, for example, ending the session, limiting the number of failed login attempts and automatically logging out when a login connection times out; it enables encrypted management modes such as SSH (Secure Shell) so that management data cannot be intercepted on the network; it opens only the necessary management ports and closes all insecure service ports; it applies the network equipment's own upgrade packages promptly to repair security vulnerabilities and remove the equipment's own security risks; in addition, because identity authentication information must be protected from misuse, when a user sets a password the unit prompts that the password must contain at least three kinds of characters and be no shorter than 8 characters, and prompts the user to change the password at regular intervals.
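The management-plane hardening listed above (unique user names, an administrator login-address allow-list, lockout after repeated failures, idle-session timeout, and the three-character-class / 8-character password rule) is easier to reason about as code. The following is an added example, not code from the patent or from China Media Group; the lockout threshold, the timeout value and all names in it are assumptions, while the 3-class and 8-character figures come from the page.

```python
"""Added example, not code from the patent: a login-hardening policy for the
management plane of a network device, modelled on the measures listed above.
The lockout threshold, the session timeout and every name below are assumptions
made for the example; the 3-class / 8-character password rule is from the page."""
import hashlib
import hmac
import ipaddress
import os
import string

MIN_LENGTH = 8          # from the page: length not less than 8 characters
MIN_CLASSES = 3         # from the page: at least three kinds of characters
MAX_FAILURES = 5        # assumed: lock the account after 5 consecutive failures
SESSION_TIMEOUT = 600   # assumed: end a session idle for more than 10 minutes


def password_meets_policy(password: str) -> bool:
    """True when the password is >= 8 characters and uses >= 3 character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored verifier is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceLoginGuard:
    """Tracks accounts, administrator source networks, failures and sessions."""

    def __init__(self, admin_networks):
        self.admin_networks = [ipaddress.ip_network(n) for n in admin_networks]
        self.users = {}      # user name -> (salt, password hash)
        self.failures = {}   # user name -> consecutive failed logins
        self.sessions = {}   # session id -> (user name, last activity time)
        self._next_sid = 0

    def add_user(self, name: str, password: str) -> None:
        if name in self.users:
            raise ValueError("user name must be unique")
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_password(password, salt))

    def login(self, name: str, password: str, source_ip: str, now: float) -> str:
        """Return a session id on success, or a 'denied: ...' reason."""
        src = ipaddress.ip_address(source_ip)
        if not any(src in net for net in self.admin_networks):
            return "denied: login address not allowed for administrators"
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return "denied: account locked after repeated failures"
        record = self.users.get(name)
        if record is None or not hmac.compare_digest(
                _hash_password(password, record[0]), record[1]):
            self.failures[name] = self.failures.get(name, 0) + 1
            return "denied: bad credentials"
        self.failures[name] = 0
        self._next_sid += 1
        sid = "s%d" % self._next_sid
        self.sessions[sid] = (name, now)
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """Refresh a session; end it and return False if it has been idle too long."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        name, last = entry
        if now - last > SESSION_TIMEOUT:
            del self.sessions[sid]
            return False
        self.sessions[sid] = (name, now)
        return True
```

The guard checks the source address before touching the account state, so an unauthorized network position is rejected without consuming a failure count, and compares password hashes in constant time; a real device would persist the lockout counters and log each denied attempt to the audit mechanism described later on the page.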
The wireless network security unit can establish a wireless interference detection and defense mechanism for identifying and blocking wireless attack behavior such as rogue APs, wireless scanning, wireless spoofing, wireless phishing, DoS and wireless cracking. In a specific implementation: the wireless network security unit identifies wireless attack behavior and intercepts and protects against it with a wireless interference detection and defense technology or related equipment; it detects and blocks rogue APs, wireless phishing attacks, illegal external connections by internal terminals and the like; it prohibits station employees from setting up private APs; it detects wireless network scanning behavior, and both wireless network scanning and wireless DoS attack detection are supported; and, based on the wireless security event policy, it detects and blocks wired and wireless attack behavior such as Jolt2, Land-Base, Smurf, Ping of Death, WinNuke, Teardrop, SYN flag, TCP flood and ARP attacks, deauthentication and disassociation attacks, and time-slice attacks in the wireless domain.
The wireless network security unit is used for performing access control management on a wireless network, controlling access authority of the wireless network, preventing unauthorized user access and guaranteeing wireless network service security. During specific implementation, a wireless access control technology or related products can be deployed, a wireless security policy is formulated in advance according to business requirements and security requirements, and the wireless network security unit is used for preventing wireless illegal invasion according to the wireless security policy, so that authorized access of wireless network resources is realized, and unauthorized use is avoided. Wherein, the wireless security policy includes: and setting a security access strategy for conditions such as a wireless terminal, a wireless access point, a wireless network, a source interface, a destination interface, a security domain, a protocol type, a source address, a destination address, message communication time and the like.
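The wireless security policy described above is a rule set whose conditions are the wireless terminal, the access point, the wireless network, source and destination interfaces or security domains, the protocol type, source and destination addresses and the communication time. The block below is an added example, not code from the patent, of a first-match, default-deny evaluator over such rules; the rule layout, the SSIDs, the address ranges and the sample flows are all constructed for the example.

```python
"""Added example, not code from the patent: a first-match, default-deny
evaluator for wireless security policy rules conditioned on the fields the page
lists. Rule format, SSIDs, addresses and sample flows are constructed."""
from dataclasses import dataclass
from datetime import time
import ipaddress

ANY = "*"   # wildcard: the rule does not condition on this field


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    terminal: str = ANY          # client MAC address
    access_point: str = ANY      # AP identifier
    network: str = ANY           # SSID
    src_domain: str = ANY        # security domain of the source interface
    dst_domain: str = ANY        # security domain of the destination interface
    protocol: str = ANY          # tcp / udp / icmp
    src_net: str = ANY           # CIDR of permitted source addresses
    dst_net: str = ANY           # CIDR of permitted destination addresses
    time_from: time = time(0, 0)
    time_to: time = time(23, 59, 59)


@dataclass
class Flow:
    terminal: str
    access_point: str
    network: str
    src_domain: str
    dst_domain: str
    protocol: str
    src_ip: str
    dst_ip: str
    at: time


def _match_str(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern.lower() == value.lower()


def _match_net(pattern: str, ip: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every conditioned field must match; wildcard fields always match."""
    return (_match_str(rule.terminal, flow.terminal)
            and _match_str(rule.access_point, flow.access_point)
            and _match_str(rule.network, flow.network)
            and _match_str(rule.src_domain, flow.src_domain)
            and _match_str(rule.dst_domain, flow.dst_domain)
            and _match_str(rule.protocol, flow.protocol)
            and _match_net(rule.src_net, flow.src_ip)
            and _match_net(rule.dst_net, flow.dst_ip)
            and rule.time_from <= flow.at <= rule.time_to)


def evaluate(rules, flow: Flow) -> str:
    """The first matching rule decides; an unmatched flow is denied (default deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed sample policy: guests reach only the Internet; office terminals
# reach the intranet application servers over TCP during working hours only.
SAMPLE_RULES = [
    Rule("deny", network="Station-Guest", dst_domain="intranet"),
    Rule("permit", network="Station-Guest", src_domain="guest", dst_domain="internet"),
    Rule("permit", network="Station-Office", src_domain="office", dst_domain="intranet",
         protocol="tcp", src_net="10.20.0.0/16", dst_net="10.10.0.0/24",
         time_from=time(8, 0), time_to=time(20, 0)),
]


def sample_decisions() -> dict:
    """Evaluate a few constructed flows against SAMPLE_RULES."""
    base = dict(terminal="aa:bb:cc:dd:ee:01", access_point="ap-3f-01")
    guest = dict(network="Station-Guest", src_domain="guest", src_ip="172.16.5.9")
    office = dict(network="Station-Office", src_domain="office", src_ip="10.20.3.4")
    return {
        "guest_to_intranet": evaluate(SAMPLE_RULES, Flow(
            **base, **guest, dst_domain="intranet", protocol="tcp",
            dst_ip="10.10.0.5", at=time(10, 0))),
        "guest_to_internet": evaluate(SAMPLE_RULES, Flow(
            **base, **guest, dst_domain="internet", protocol="tcp",
            dst_ip="203.0.113.10", at=time(10, 0))),
        "office_to_intranet_workhours": evaluate(SAMPLE_RULES, Flow(
            **base, **office, dst_domain="intranet", protocol="tcp",
            dst_ip="10.10.0.5", at=time(10, 0))),
        "office_to_intranet_night": evaluate(SAMPLE_RULES, Flow(
            **base, **office, dst_domain="intranet", protocol="tcp",
            dst_ip="10.10.0.5", at=time(23, 0))),
        "office_udp_to_intranet": evaluate(SAMPLE_RULES, Flow(
            **base, **office, dst_domain="intranet", protocol="udp",
            dst_ip="10.10.0.5", at=time(10, 0))),
    }


if __name__ == "__main__":
    for label, decision in sample_decisions().items():
        print(label, decision)
```

Rule order matters: the explicit guest-to-intranet deny sits first so that a later, broader permit cannot override it, and anything the policy does not name (here the night-time and UDP flows) falls through to the default deny rather than to an implicit permit.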
Specifically, the wireless network security unit performs policy-based bandwidth control on specific objects, for example by single host IP (Internet Protocol) address or subnet, by target IP address or subnet, by service type or by time allocation, and policy bandwidth guarantees are supported. The unit supports a client-free, wired-and-wireless-integrated Portal authentication function, so that a user can reach a specific network only after authentication. The unit physically isolates the internal office network, the internal Internet-access network and the visitor network from one another, strictly limits access rights within each network, opens only the necessary network ports, prevents abnormal traffic caused by viruses or P2P (peer-to-peer) software, performs precise traffic control and prevents viruses and trojans from spreading in the wireless network.
The wireless network security unit sets up an auditing mechanism at the wireless network boundary that monitors data, records operations and raises an alarm for confirmed violations. Audit analysis can reveal cross-regional security threats and analyse security events occurring in the network comprehensively and in real time. Security audits cover the mobile terminal, the user and the service application system, and abnormal events are tracked. In a specific implementation: the wireless network security unit audits user behavior by user information, accessed resource, access time and the like; it audits access to service objects by application system information, data transfer volume, transfer time, transfer unit and the like; and it audits abnormal behavior by analysing and counting user behavior and abnormal behavior of business application systems per time period, application system and user unit.
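To make the boundary audit above concrete, the following added example (not code from the patent) runs three of the described checks over constructed access-log lines: access outside a user group's permitted hours, access to an application system the group is not authorized for, and per-user daily transfer volume above a ceiling. The log format, the group policies and the threshold are assumptions for the example.

```python
"""Added example, not code from the patent: an audit pass over constructed
access-log lines that checks user group, authorized application and permitted
access hours per record, and totals per-user transfer volume per day.
Log format, group policies and the volume ceiling are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one record per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:12:03 user=alice group=internal app=ProgramProduction bytes=1048576
2024-05-01T02:13:00 user=bob group=outsourced app=MessageQuery bytes=2048
2024-05-01T10:05:44 user=bob group=outsourced app=ProgramProduction bytes=4096
2024-05-01T11:00:00 user=carol group=internal app=MessageQuery bytes=150000000
2024-05-01T11:30:00 user=carol group=internal app=MessageQuery bytes=150000000
"""

# Assumed policy: permitted hours (inclusive start hour, exclusive end hour)
# and authorized application systems per user group.
PERMITTED_HOURS = {"internal": (6, 23), "outsourced": (8, 19), "visitor": (0, 0)}
AUTHORIZED_APPS = {
    "internal": {"ProgramProduction", "MessageQuery"},
    "outsourced": {"MessageQuery"},
    "visitor": set(),
}
DAILY_BYTES_LIMIT = 200_000_000   # assumed per-user daily transfer ceiling


def parse_line(line: str) -> dict:
    """Parse '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    stamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(stamp)
    record["bytes"] = int(record["bytes"])
    return record


def audit(log_text: str) -> list:
    """Return (user, reason) alerts for the confirmed violations, in log order,
    followed by the per-day volume alerts."""
    alerts = []
    volume = defaultdict(int)   # (user, date) -> bytes transferred that day
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        start, end = PERMITTED_HOURS.get(rec["group"], (0, 0))
        if not start <= rec["ts"].hour < end:
            alerts.append((rec["user"], "access outside permitted hours"))
        if rec["app"] not in AUTHORIZED_APPS.get(rec["group"], set()):
            alerts.append((rec["user"], "unauthorized application %s" % rec["app"]))
        volume[(rec["user"], rec["ts"].date())] += rec["bytes"]
    for (user, day), total in sorted(volume.items()):
        if total > DAILY_BYTES_LIMIT:
            alerts.append((user, "daily transfer volume exceeded on %s" % day))
    return alerts


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_LOG):
        print(user, reason)
```

An unknown group falls back to an empty permitted window and an empty application set, so a record with a malformed or unexpected group produces alerts rather than passing silently; the volume check is deliberately cumulative so that several individually unremarkable transfers still trip the daily ceiling.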
The wireless network security unit also transmits using digital signature technology, a specific audio/video file format, a specific protocol or a technical means of equivalent strength, ensuring data integrity during communication and recovering when the integrity is found to be damaged. In a specific implementation: the wireless network security unit uses products or technical measures such as SSL (Secure Sockets Layer), IPsec (Internet Protocol Security), VPN and trusted network connection to verify the integrity of data transmitted over the network; it supports SSL/TLS (Transport Layer Security), IPsec and other network security protocols; the VPN client supports a hardware cryptographic card or UKey; and the VPN client supports digital certificates in software form.
The wireless network security unit is also used for reasonably publishing the wireless access points and distinguishing office areas published by the wireless access points, so that the risk of malicious access of the wireless access points is reduced, and the security of the wireless network is guaranteed. In a specific implementation: the wireless network security unit can issue corresponding wireless access points as required, and reduce the physical area issued by the wireless access points; except for special areas, the wireless access points are required to be distributed in the whole office area; when determining the distribution area, the minimum principle of the distribution area is followed; the wireless network security unit can physically isolate the visitor access point from the access point in the station; the wireless access point of the special Service needs to be distributed to a specific physical area in a manner of hiding SSID (Service Set Identifier).
On one hand, the boundary access unit can clearly define the network boundary of the mobile office private network and provide conditions for the perfection of the wireless private network and the realization of boundary precaution measures; on the other hand, the data exchange mode between different network security domains is standardized, the operation flow of data sharing between departments is simplified, interconnection and intercommunication are realized, and the security support of the network boundary is provided for further developing application interaction.
The boundary access unit is used for unified user management. Specifically, it sorts out the wireless network users and groups them, providing a data basis for unified authentication and authorization; user information is named and stored uniformly in a standard way, and the user ID is globally unique; and the unit performs group or classified management of users according to attributes such as internal employee, outsourced employee and visitor.
The border access unit is also used for unified user authentication. Illustratively, the border access unit stores the user information of all application systems in a unified manner; all user-related operations of the application systems are completed through the secure access platform, while operations such as authorization are completed by each application system itself, that is, unified storage with distributed authorization. In a specific implementation: the border access unit provides a user attribute list to the application system, with attributes such as name, telephone, address and mail, from which the application system can select some or all of the attributes it requires; it supports automatic account synchronization interfaces with other APPs and application systems; it processes application system requests to add, modify, delete and query basic user information; it lets application systems keep their own user management functions, such as user grouping and user authorization; it provides a complete logging function that records in detail each application system's operations on the secure access platform; it supports logging the user out of all logged-in application systems at once when the user logs out of the secure access platform; it limits the devices a single user may have online simultaneously, in principle allowing only one device of each type to be online; and it supports binding a dedicated account to its dedicated mobile terminal, ensuring that the dedicated account can only be used on that dedicated mobile terminal.
The border access unit is also used for unified authentication. The border access unit can establish authentication mechanisms of different levels according to the security levels of different application systems, so that the security of the wireless network is guaranteed. In a specific implementation, the authentication mechanism may be as follows: the visitor wireless network uses Portal authentication, is physically isolated from the internal network of the office area and can only access the Internet; it supports WeChat, short message, two-dimensional code and similar methods, so that visitors obtain secure wireless access simply and quickly; internal office wireless network access uses a user name/password, combined with MAC (Message Authentication Code) and the security access platform to provide wireless access with higher security, and after a successful authentication, later logins from the same device with the same account and password require no second authentication; the mobile application supports CA certificate authentication based on the national cryptographic algorithm: when the mobile terminal starts the APP, the certificate corresponding to the CA server is invoked to verify the user's identity, and when the user quits the mobile application or logs off, the application certificate must be submitted to the server, which ensures the integrity of the security protection flow when the CA certificate is applied.
The border access unit is also used for configuring the mobile terminal. The mobile terminal device must meet the installation and configuration conditions of the mobile application. In a specific implementation: the mobile terminal should support installing and running a digital certificate; the mobile terminal should support installing, running and online upgrading of a VPN client; the mobile terminal should support installing, running and online upgrading of the mobile security management platform client; the mobile terminal should support installing, running and online upgrading of the virtualized client.
The border access unit is also used for session connection management. The border access unit can intelligently drop abnormal session connections according to an established session duration management mechanism, so that data access security is guaranteed. In a specific implementation, the session duration management mechanism is as follows: a session must be consistent and persistent, and the authentication state should be maintained throughout the session to prevent unauthorized access to information; the session identifier should be unique, random and non-guessable; a timeout should be set for the session, and the session should be terminated automatically when the idle time exceeds the set value; after the session ends, the session information is cleared promptly; when one of the two communicating parties of an application system does not respond within the specified time, the other party should be able to end the session automatically.
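The session rules above (random non-guessable identifiers, idle timeout with automatic termination, prompt clearing, one online device per device type, and logout from all applications at once) as a small in-memory session store. This is an added illustration, not code from the patent; the 300-second idle limit and the device type names are assumptions, and the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_S = 300  # assumed value: the page requires a timeout but states no length


@dataclass
class Session:
    user: str
    device_type: str        # e.g. "phone" or "tablet"; one online device per user and type
    authenticated: bool     # the authentication state is carried by the session itself
    last_seen: float


class SessionStore:
    """In-memory session table for the access platform; `clock` is injectable for tests."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, device_type: str, authenticated: bool = True) -> str:
        # Only one device of each type may be online: end any earlier session of that type.
        for sid in [sid for sid, s in self._sessions.items()
                    if s.user == user and s.device_type == device_type]:
            self.end(sid)
        # 32 bytes from the OS CSPRNG: the identifier is unique, random and not guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, device_type, authenticated, self._clock())
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        # Idle too long, or the peer has stopped responding: one rule covers both cases.
        return now - s.last_seen > IDLE_TIMEOUT_S

    def touch(self, sid: str) -> Optional[Session]:
        """Validate the session on every request; returns None if it cannot be used."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            self.end(sid)           # automatic termination once the idle limit is passed
            return None
        if not s.authenticated:
            return None             # never serve protected data to an unauthenticated session
        s.last_seen = now
        return s

    def end(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # clear the session information promptly

    def logout_user(self, user: str) -> int:
        """Logging out of the access platform logs the user out of every application at once."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            self.end(sid)
        return len(doomed)

    def sweep(self) -> int:
        """Periodic cleanup of sessions whose peer never came back."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in expired:
            self.end(sid)
        return len(expired)

    def online(self, user: str) -> List[str]:
        return sorted(s.device_type for s in self._sessions.values() if s.user == user)
```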
The border access unit is also used for user-based rights management. To manage user rights more conveniently, rights management mechanisms based on different user identities are established in advance, and the border access unit manages rights according to these user-based mechanisms, so that the security of the wireless network is ensured. In a specific implementation, the user-based rights management mechanism is as follows: visitor users have the lowest rights, can only access the visitor wireless network and the Internet, and cannot access the internal network of the television station; outsourced staff may, for business reasons and under certain conditions, be granted part of the rights of internal staff within defined limits, and those rights must be revoked promptly when the business need ends; outsourced staff access the network with an authentication mode combining user name/password, IP (Internet Protocol) address, time period and the like, and afterwards can only access specific information systems of the television station; internal staff users can access the internal business systems of the television station, which requires strict device control and identity authentication, with an authentication mode combining user name/password and a digital certificate.
The border access unit is also used for location-based rights management. A location-based rights management mechanism is established in advance, and the border access unit limits access rights according to the user's location under this mechanism, so that the security of the wireless network is ensured. In a specific implementation, the location-based rights management mechanism is as follows: wireless network users are located using wireless positioning technology; wireless network applications with high security requirements can only be accessed in specific areas; during large-scale activities or large live programs, a wireless network is temporarily built in a designated area; users outside the television station can only access specific information systems through VPN access.
The border access unit is also used for terminal-based rights management. A rights management mechanism based on terminal type is established in advance, and rights are managed separately according to the different terminal types, so that the security of the wireless network is ensured. In a specific implementation, the terminal-based rights management mechanism is as follows: only mobile terminal devices are allowed to use the wireless network; personal mobile terminals have low reliability, and only the access rights required by actual business needs are opened to them; mobile applications with higher security level requirements are advised to use a dedicated mobile terminal issued by the television station, with the device reserved for that use only.
The television station has gradually brought mobile terminal devices such as smart phones and tablet computers into key services such as daily office work and media content production. Because of their flexibility and mobility, mobile terminal devices are the weakest link in security protection, and security management of the mobile terminal needs to be strengthened.
A unified mobile security management platform integrating mobile terminal management, mobile application management and mobile content management is built, namely the mobile terminal security unit, which can manage the mobile terminal efficiently, securely and uniformly from the three dimensions of device, application and content. The platform supports differentiated management of dedicated mobile terminals and personal mobile terminals: a dedicated mobile terminal is a mobile terminal device issued uniformly by the television station, and a personal mobile terminal is a mobile terminal device that a staff member purchases personally and uses for mobile work. The mobile application platform must be logged into securely, preventing unauthorized access, preventing behaviours such as impersonation, tampering and repudiation, and preventing information leakage and damage.
In a specific implementation, the mobile terminal security unit can prohibit weak passwords, where a weak password is one shorter than 8 characters, that is, the minimum password length allowed by the mobile terminal security unit is not less than 8 characters; when a user enters a login password, the mobile terminal security unit encrypts it immediately; the mobile terminal security unit does not allow the new password to be the same as the old one, and when an initial password exists it forces the client to change the initial password at the first login; the mobile terminal security unit prohibits displaying the password in plaintext and replaces it with the same number of uniform special characters (such as * and #); the mobile terminal security unit prohibits storing keys in plaintext, storing keys locally and storing keys in hard-coded form, disables the WebView automatic password saving function, and prohibits insecure SharedPrefs configurations that would leak passwords; after a login name and password are filled into the login interface of the mobile terminal security unit, the entered information is cleared when the user switches away; if the application is switched to another application after login, the application is required to exit automatically within 2 minutes; the mobile terminal security unit has a session timeout protection measure: after the mobile terminal has not been operated for more than 5 minutes, the session times out and a new login is required, and if the idle time of a session exceeds a certain limit, the user must enter the password again to reactivate the terminal application; the mobile terminal security unit should employ one or more effective methods to prevent brute-force guessing of the password, including but not limited to: limiting the number of password authentication attempts; and raising the complexity of the password.
When a mobile phone short message dynamic password is used, the following requirements are ensured: when the mobile phone dynamic password is enabled or the mobile phone number is changed, the client's identity is verified effectively; the mobile phone dynamic password is generated randomly and is no shorter than 6 digits; a validity period is set for the mobile phone dynamic password, at most 10 minutes, and the dynamic password becomes invalid immediately once the validity period is exceeded; the key transaction information is sent to the client together with the dynamic password, and the client is prompted to confirm it. When the application handles warning information from interface functions, the warning information must be handled properly and must not be displayed arbitrarily.
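The password and SMS dynamic-password requirements of the two paragraphs above (minimum 8 characters, new password differs from the old, forced change of the initial password, masked display, no plaintext or reversible storage, an attempt limit against brute-force guessing, and a random 6-digit code valid for at most 10 minutes and invalid once used or expired), implemented as an account model. This is an added example, not the patent's code; the attempt limit of 5 and the 15-minute lockout are assumed values, since the page only requires that a limit exist.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple

MIN_PASSWORD_LEN = 8          # page: passwords shorter than 8 characters are weak
OTP_DIGITS = 6                # page: dynamic password no shorter than 6 digits
OTP_TTL_S = 10 * 60           # page: validity of at most 10 minutes
MAX_FAILED_ATTEMPTS = 5       # assumed value: the page only requires an attempt limit
LOCKOUT_S = 15 * 60           # assumed value
PBKDF2_ROUNDS = 100_000


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: no plaintext or reversible secret is kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def mask(pw: str, char: str = "*") -> str:
    """Never echo the password: show the same number of uniform special characters."""
    return char * len(pw)


class Account:
    def __init__(self, username: str, initial_password: str,
                 clock: Callable[[], float] = time.time):
        self.username = username
        self._clock = clock
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True          # an issued initial password must be replaced at first login
        self.failed = 0
        self.locked_until = 0.0
        self._otp: Optional[Tuple[str, float]] = None   # (code, expiry time)

    def login(self, pw: str) -> str:
        """Returns 'ok', 'change_required', 'denied' or 'locked'."""
        now = self._clock()
        if now < self.locked_until:
            return "locked"
        if not verify_password(pw, self.salt, self.digest):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:   # attempt limit against brute-force guessing
                self.locked_until = now + LOCKOUT_S
                self.failed = 0
            return "denied"
        self.failed = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, old_pw: str, new_pw: str) -> Tuple[bool, str]:
        if not verify_password(old_pw, self.salt, self.digest):
            return False, "old password incorrect"
        if len(new_pw) < MIN_PASSWORD_LEN:
            return False, "weak password: fewer than 8 characters"
        if new_pw == old_pw:
            return False, "new password must differ from the old one"
        self.salt, self.digest = hash_password(new_pw)
        self.must_change = False
        return True, "changed"

    def issue_otp(self) -> str:
        """Random 6-digit SMS dynamic password, valid for at most 10 minutes."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._otp = (code, self._clock() + OTP_TTL_S)
        return code

    def verify_otp(self, code: str) -> bool:
        if self._otp is None:
            return False
        expected, expiry = self._otp
        self._otp = None                      # single use, whether or not it matches
        if self._clock() > expiry:
            return False                      # an expired code is invalid immediately
        return hmac.compare_digest(expected, code)
```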
The mobile terminal management module of the mobile terminal security unit is used for managing the mobile terminal. The mobile terminal management module carries out complete life cycle management of the mobile terminal across every link, such as device registration, activation, use and retirement, so that the security of the television station's mobile terminals is guaranteed.
The mobile terminal security unit controls admission of the mobile terminal. The mobile terminal security unit adopts an admission control mechanism for mobile terminal devices, checking the compliance of mobile terminal devices that access the wireless network, in order to find potential security risks on the mobile terminal and prevent access by mobile terminals that do not meet the security requirements.
In a specific implementation: the mobile terminal security unit denies access when it detects that the mobile terminal is in a rooted/jailbroken state or shows rooting/jailbreaking behaviour; the mobile terminal security unit supports two-factor access control; the mobile terminal security unit supports enabling an application whitelist on the mobile terminal device; the mobile terminal security unit supports security checks of whether the operating system version of the mobile terminal device is compliant, whether the SIM (Subscriber Identity Module) card in use is an authorized SIM card, and the like. Dedicated mobile terminals support all of the above implementations; personal mobile terminals support the first two.
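The admission decision above as a posture check: root/jailbreak and the second factor apply to every terminal, while the application whitelist, OS version and SIM checks apply only to dedicated terminals. This is an added example rather than the patent's implementation; the minimum OS versions, the device record fields and the authorized SIM identifier are assumptions (the identifier is a constructed sample value).

```python
from typing import Dict, List, Tuple

# Assumed baselines: the page requires an OS-version and SIM check but gives no numbers.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"android": (10,), "ios": (13, 0)}
AUTHORIZED_SIMS = {"8986-constructed-iccid-0001"}   # constructed sample identifier


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.1' -> (10, 0, 1); anything unparsable counts as version 0 (non-compliant)."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return (0,)


def admission_decision(device: dict) -> Tuple[bool, List[str]]:
    """Return (admit?, reasons). Personal terminals get checks 1-2, dedicated ones get 1-4."""
    reasons: List[str] = []
    # Check 1: a rooted/jailbroken state, or rooting/jailbreaking behaviour, denies access.
    if device.get("rooted") or device.get("root_behaviour"):
        reasons.append("root/jailbreak state or behaviour detected")
    # Check 2: two-factor access control must have succeeded.
    if not device.get("two_factor_passed"):
        reasons.append("second authentication factor not verified")
    if device.get("dedicated"):
        # Check 3: the application whitelist must be enabled on a dedicated terminal.
        if not device.get("app_whitelist_enabled"):
            reasons.append("application whitelist not enabled")
        # Check 4: OS version compliance and an authorized SIM card.
        minimum = MIN_OS_VERSION.get(str(device.get("os", "")).lower())
        if minimum is None or parse_version(str(device.get("os_version", ""))) < minimum:
            reasons.append("operating system version not compliant")
        if device.get("sim_iccid") not in AUTHORIZED_SIMS:
            reasons.append("SIM card not authorized")
    return (not reasons, reasons)
```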
The mobile terminal management module is also used for security registration. The mobile terminal management module securely registers the television station's mobile terminal devices, groups them and manages them by category. In a specific implementation: the mobile terminal management module supports downloading the mobile security management platform client and registering the mobile terminal user through mail push, a browser URL (Uniform Resource Locator), two-dimensional code scanning and other methods; the mobile terminal management module supports identifying and registering device information such as the system version, device identifier, device model, device MAC (Media Access Control) address, operator, holder and operating system; the mobile terminal management module supports grouping, classifying and managing mobile terminal devices according to device attributes and the television station's organizational structure; the mobile terminal management module supports strict monitoring and unified configuration management of all state information and operational behaviour of the mobile terminal throughout its life cycle on the network, ensuring that the television station's mobile terminal devices remain within a controllable range. A dedicated mobile terminal has the client corresponding to the mobile terminal management module pre-installed when it is issued.
The mobile terminal management module is also used for policy management. The mobile terminal management module centrally manages mobile terminal policies according to a policy management mechanism established from actual business. In a specific implementation: the mobile terminal management module supports device screen-lock and screen-lock-clearing policies issued to the mobile terminal; after the mobile security management platform sets a password rule policy, the mobile security management client prompts the user to set a screen-lock password according to the configured password policy; the mobile terminal management module supports setting terminal violation policies and executing operations such as restricting access, warning, locking, disabling, system restoration and data erasure; the mobile terminal management module supports setting user policies, binding a user to several mobile terminal devices, and controlling management through user groups and associated roles; the mobile terminal management module supports an audit policy that audits security events of the mobile terminal such as device state changes and user violations, and terminates access once a security problem is found; on the Android system, the mobile terminal management module supports issuing virus scanning tasks, which facilitates quickly scanning for, discovering and removing mobile phone viruses and trojans; the mobile terminal management module supports policy control for devices that have lost contact.
The mobile terminal management module is also used for tracking and erasing data. The mobile terminal management module uses positioning technology and data erasure technology to handle out-of-control devices securely and promptly, so that the security of the television station's core data is guaranteed and sensitive information is prevented from leaking.
In a specific implementation: the terminal device should support remote positioning, where the positioning technology is not limited to GPS but may also perform accurate positioning through network facilities such as GPRS (General Packet Radio Service), 3G (3rd Generation mobile communication technology), 4G (4th Generation mobile communication technology) and WiFi (Wireless Fidelity); the terminal device supports collecting and drawing movement tracks, so that the movement tracks of the mobile terminal and its user can be known; the terminal device should support locating the terminal by collecting positioning information, so that if the terminal is lost, staff can locate and retrieve the mobile terminal through the Global Positioning System (GPS); the terminal device supports remote password setting, locking the mobile terminal, erasing enterprise application data and erasing personal privacy data (photos, address lists, short messages, call records and the like); the mobile terminal management module supports an anti-uninstall mechanism, so that when the client corresponding to the mobile terminal management module is uninstalled, the client and the local enterprise data are erased automatically.
The mobile terminal management module is also used for rights management. Through fine-grained permission control, the mobile terminal management module can configure and manage the function permissions, application program permissions, and security and privacy permissions of a specified user device.
In a specific implementation: the client of the mobile terminal management module starts automatically at boot and keeps monitoring the mobile terminal in real time; the mobile terminal management module can control screen capture on the mobile terminal device; the mobile terminal management module can control the clipboard of the mobile terminal device; applications cannot be installed arbitrarily on a dedicated mobile terminal; the mobile terminal management module can control the camera of the mobile terminal device; the mobile terminal management module can control the ring tone of the mobile terminal device; the mobile terminal management module can control the Bluetooth of the mobile terminal device; the mobile terminal management module can restrict functions or permissions for users or groups; the mobile terminal management module can issue configuration to specified devices. The dedicated mobile terminal supports all of the above implementations, and the personal mobile terminal supports the first 3 of them.
The mobile terminal management module is also used for detecting loss of contact. The mobile terminal management module uses loss-of-contact detection technology to protect the data of a mobile terminal device that has lost contact and prevent sensitive data from leaking. In a specific implementation: the mobile terminal management module erases enterprise data on a device that has lost contact, locks it, restores its factory settings and the like, ensuring the security of enterprise data on a device in the lost-contact state; the mobile terminal management module remotely deregisters, disables and locks mobile terminal devices; the terminal device supports offline control, executing the corresponding offline rules automatically when the device is lost or cannot connect to the network; management regulations for personal mobile terminals and dedicated mobile terminals need to be made in advance, and each kind of terminal enables the corresponding offline rules according to those regulations.
The mobile terminal management module is also used for virus protection of the terminal device. Based on the deployed system anti-virus system, the mobile terminal management module strengthens the terminal's virus protection capability and upgrades the anti-malware software version and the malicious code library in a timely manner. In a specific implementation: the Android system supports detecting and removing viruses, trojans and worms, providing real-time security protection of the mobile terminal device.
The mobile application management module of the mobile terminal security unit is used for mobile application management. The mobile application management module can autonomously control the various application attributes of the mobile terminal, and the security of the mobile application APP is guaranteed through security detection, security reinforcement and secure distribution of the mobile application.
The mobile application management module is also used for security detection. Security detection is required before the mobile application APP goes online, and when a vulnerability is found it is fixed based on the corresponding solution. In a specific implementation: the mobile application management module supports checking the system permissions required for operation; the mobile application management module supports login authentication security detection; the mobile application management module supports keyboard input security detection; the mobile application management module supports process injection protection detection; the mobile application management module supports sensitive information leakage detection; the Android system supports anti-piracy capability detection; the Android system supports security detection of components such as Activity, Service, Broadcast and ContentProvider; and manual detection by a third party is supported, such as conventional detection, expert-level reverse analysis and vulnerability mining.
The mobile application management module is also used for security reinforcement. Before the mobile application APP goes online, security encryption and shell protection are required. In a specific implementation: the mobile application management module supports security protection measures such as anti-reverse-analysis and anti-disassembly, preventing an attacker from debugging, analysing and tampering with the mobile application; the mobile application management module supports anti-memory-dump, so that the memory space has a security protection mechanism while the program runs, preventing files such as so and DEX from being dumped from memory; the mobile application management module supports a mechanism that prevents signature verification from being bypassed; the mobile application management module supports anti-decompilation processing of the APP's DEX file, such as shelling, junk code insertion, class loading and class extraction; the mobile application management module supports anti-decompilation processing of the APP's so file, such as loading the so file with a custom loader, dynamic encryption and decryption of key functions of the so file, and using a malformed so file.
The mobile application management module supports anti-debugging, preventing process/thread attachment and exiting the program if it detects that the protected APK has been attached to; the mobile application management module supports a mutual verification mechanism between the anti-debugging code and the DEX shell, ensuring the integrity of the whole DEX shell and anti-debugging code, so that if the DEX shell or the anti-debugging part of the protected APK is detected to have been tampered with, the protected APK program exits automatically; the mobile application management module supports a mechanism that prevents the shell from being started in debug mode; the mobile application management module supports an anti-ZjDroid plugin mechanism that prevents the DEX from being dumped from memory; the mobile application management module supports a memory anti-tampering mechanism; the mobile application management module supports a mechanism that prevents system core libraries from being attacked by HOOK; the mobile application management module supports a secure compiler protection mechanism. The Android system supports the first 11 of these implementations; the iOS system supports the last one.
The mobile application management module is also used for application distribution. The mobile application APP is released through a unified mobile application market; security checks and security reinforcement are required before release, guaranteeing secure distribution. In a specific implementation: the mobile application management module supports unified uploading of mobile application APPs and distributing them to different departments, groups and roles; the mobile application management module supports statistics on the download volume of the mobile application APP; the mobile application management module supports user feedback on usage; the mobile application management module supports channel monitoring of published applications.
The mobile content management module of the mobile terminal security unit is used for managing mobile content. Using sandbox technology, the mobile content management module implements functions such as storage security, transmission security and distribution security for mobile applications, so that the security of enterprise data on the mobile terminal is guaranteed.
The mobile content management module is used for storage security. Sandbox technology is adopted to meet the requirements of unified management, physical isolation and secure storage of the television station's internal data and personal data. Since iOS applications already use a sandbox mechanism, this function is only for the Android system.
In a specific implementation: the mobile content management module uses sandbox technology to isolate and monitor documents and to control the distribution and access of sensitive information; a maximum storage time must be set for sensitive information stored in the mobile application, and the mobile content management module deletes the sensitive information automatically once the maximum storage time is exceeded; the mobile content management module encrypts sensitive data or files (except media files) when storing them; the mobile content management module prohibits storing the data that the software depends on at run time in external storage; the mobile content management module prohibits storing the software installation package or binary code in external storage, and verifies the integrity of any file (APK, DEX, JAR) located on the SD card before installing or loading it, checking whether it matches the hash value kept in internal storage (or downloaded from a server); the mobile content management module restricts file permissions under the private directory (usually located under "/data/data/<application name>/"): the last three permission bits of a regular file should be empty (like "rw-rw----"), so that nobody except the application itself can read or write it, while a directory is allowed one additional execute bit (like "rwxrwx--x").
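Two of the storage checks above, written as an added example (not the patent's code): the hash gate for an APK/DEX/JAR on external storage, compared against the value kept in internal storage, and an audit of a private directory for the rw-rw---- / rwxrwx--x rule. The temporary directory, package name and file contents are constructed stand-ins for the SD card and /data/data/<application name>/.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

LOADABLE = {".apk", ".dex", ".jar"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_to_load(path: Path, expected_sha256: str) -> bool:
    """Gate for an APK/DEX/JAR on external storage: its hash must match the stored value."""
    p = Path(path)
    if p.suffix.lower() not in LOADABLE or not p.is_file():
        return False
    return hmac.compare_digest(sha256_file(p), expected_sha256.lower())


def private_dir_violations(root: Path) -> List[Tuple[str, str]]:
    """Files may carry no 'other' bits (rw-rw----); directories only other-execute (rwxrwx--x)."""
    bad: List[Tuple[str, str]] = []
    root = Path(root)
    for p in [root, *root.rglob("*")]:
        mode = p.lstat().st_mode
        others = mode & stat.S_IRWXO
        if stat.S_ISDIR(mode):
            if others & ~stat.S_IXOTH:
                bad.append((str(p), "directory readable or writable by others"))
        elif stat.S_ISREG(mode) and others:
            bad.append((str(p), "file accessible by others"))
    return bad


def demo() -> Dict[str, object]:
    """Constructed sample tree standing in for the SD card and the app's private directory."""
    base = Path(tempfile.mkdtemp())
    try:
        sdcard = base / "sdcard"
        sdcard.mkdir()
        apk = sdcard / "update.apk"
        apk.write_bytes(b"constructed APK bytes")
        stored_hash = sha256_file(apk)          # the value the app keeps in internal storage
        intact = safe_to_load(apk, stored_hash)
        apk.write_bytes(b"constructed APK bytes, modified on the SD card")
        tampered = safe_to_load(apk, stored_hash)

        priv = base / "data" / "data" / "com.example.app"   # constructed package name
        priv.mkdir(parents=True)
        os.chmod(priv, 0o771)                                # rwxrwx--x: allowed
        (priv / "secrets.db").write_bytes(b"x")
        os.chmod(priv / "secrets.db", 0o660)                 # rw-rw----: allowed
        (priv / "leaky.db").write_bytes(b"x")
        os.chmod(priv / "leaky.db", 0o664)                   # other-read: violation
        (priv / "cache").mkdir()
        os.chmod(priv / "cache", 0o775)                      # other-read/exec: violation
        violations = sorted(Path(p).name for p, _ in private_dir_violations(priv))
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {"intact": intact, "tampered": tampered, "violations": violations}
```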
The mobile content management module is also used for transmission security. The mobile content management module encrypts documents with a high-strength encryption algorithm, avoiding the risk of enterprise data leaking while being uploaded or transmitted.
In a specific implementation: the application must not transmit sensitive information such as passwords in plaintext over the network; the mobile content management module ensures that the storage space occupied by resources such as files, directories and database records in the system is completely cleared before it is released or reallocated to other users; when sensitive data is transmitted between other processes of the local software, encryption measures are adopted (except for media files), and the mobile content management module ensures the confidentiality of the sensitive data transmission; the application should ensure the confidentiality of remote data transmission; when sensitive data (except media files) is transmitted over a public network, encryption measures are taken and the mobile content management module ensures the confidentiality of the transmission; the mobile content management module prevents communication messages between the application software and the server from being sniffed by a third party; for communication between the program and the server, the mobile content management module verifies the legitimacy and consistency of the certificate; applications should have integrity protection measures; the mobile content management module can detect damage to the integrity of system management data, authentication information and important service data during transmission, and prevent data transmission from being interrupted or tampered with; the mobile content management module prohibits third parties from reading documents.
The mobile content management module is also used for distribution security. The mobile content management module manages documents uniformly and distributes them to specific targets, ensuring the security of document distribution. In a specific implementation: the mobile content management module can distribute a document to the designated target user terminals according to business needs, implementing unified document issuing and document sharing, and the reading status of a document can be seen after it is issued; the mobile content management module applies policy management to enterprise documents, setting corresponding management policies for functions such as document sharing and document copying and setting document watermarks, which makes it convenient for the enterprise to manage its documents; production-type PGC video files are not retained locally.
The mobile content management module is also used for mobile notification management. The mobile content management module uses a built-in message management function; in a specific implementation, it can push system notifications to all members, targeted by individual or by group, through the MCM (mobile content management) platform; system notifications must use an SSL channel, and the mobile content management module encrypts them with a high-strength encryption algorithm and provides tamper-proofing.
In this example, the mobile application has certain security requirements. The mobile application APP must be secure throughout its whole life cycle (the software design and development stage, the release stage, and the operation and maintenance stage), covering the stages before, during and after software application development.
In the design and development stage: security protection at the early stage of the media application APP minimizes the cost of the APP's security features, establishes security awareness in the development team and improves the security capability of the application. Early-stage security mainly consists of three aspects: mobile application security training and consulting, mobile application security components, and mobile application security assessment and penetration testing. Mobile application security consulting includes application security design, security framework planning, security design specifications, security architecture design consulting for core modules, and the like.
The safety training service is mainly oriented to information safety technology and management personnel, so that technical personnel can acquire safety knowledge, safety awareness is strengthened, safety theory is understood, safety technology is mastered, safety practical experience is obtained, and the safety training service is applied to mobile safety construction through safety certification.
The security SDK encrypts data locally within the media application, which improves the efficiency of security protection. Data that needs to be encrypted is passed in through an open interface, encrypted in the underlying layer, and returned as ciphertext, so that what is held in memory and in the database is ciphertext only. When the original data is needed, the ciphertext is passed to a decryption interface, decrypted in the underlying layer and returned. Note that this protects data at rest on the terminal only: the key must itself be held outside the application's ordinary storage (for example in the device keystore), and the plaintext is necessarily present in memory for as long as the application is using it.
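As an added illustration of the interface the SDK description above implies (this code is not from the patent or from the applicant; the type and function names, the field-binding scheme and the sample values are assumptions for the example), the following Go program shows the two calls, encrypt-on-store and decrypt-on-read, built on AES-256-GCM. Beyond what the paragraph states, it binds each ciphertext to the storage field it belongs to, so that a value copied from one column into another no longer decrypts, and it rejects any modified value instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// LocalVault is the "bottom layer" behind the SDK's two calls: Encrypt takes
// plaintext and returns ciphertext for storage, Decrypt takes that ciphertext back.
type LocalVault struct {
	aead cipher.AEAD
}

// NewLocalVault derives a 256-bit AES key from a device secret. Assumption: in a
// real deployment the secret comes from the platform keystore, not from app storage.
func NewLocalVault(deviceSecret []byte) (*LocalVault, error) {
	if len(deviceSecret) == 0 {
		return nil, errors.New("empty device secret")
	}
	key := sha256.Sum256(deviceSecret) // stands in for a proper KDF over the keystore secret
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalVault{aead: aead}, nil
}

// Encrypt seals plaintext under a fresh random nonce. The storage field name is
// bound as associated data, so a ciphertext copied from one column or record
// into another fails authentication instead of decrypting "successfully".
func (v *LocalVault) Encrypt(field string, plaintext []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, plaintext, []byte(field)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; any bit flip in the stored value, or a wrong field
// name, is reported as an error rather than as garbage plaintext.
func (v *LocalVault) Decrypt(field string, stored string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(sealed) < ns+v.aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	return v.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(field))
}

func main() {
	vault, err := NewLocalVault([]byte("constructed-device-secret")) // constructed sample secret
	if err != nil {
		panic(err)
	}
	stored, _ := vault.Encrypt("contact.phone", []byte("13800000000")) // constructed sample value
	fmt.Println("stored in database:", stored)
	plain, err := vault.Decrypt("contact.phone", stored)
	fmt.Println("decrypted:", string(plain), err)
	_, err = vault.Decrypt("contact.email", stored)
	fmt.Println("replayed into another field:", err)
}
```

The same primitive serves the document encryption step of the mobile content management module described later in this page; there the associated data would be the document identifier rather than a field name, so that a ciphertext cannot be re-labelled as a different document.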
In the release phase: security protection at the release stage of the mobile application mainly comprises two aspects, application security hardening (reinforcement) and big-data risk control for the mobile application. Mobile application hardening processes the developed, pre-release APP file so as to overcome the security defects that result from the openness (or semi-openness) of the mobile terminal system; it secures the application through the combined use of anti-decompilation, integrity protection, memory data protection, local data protection, SO (shared object) library protection and source code obfuscation. The big-data risk control system for mobile applications is built on a big data architecture and collects threat feature data about devices, systems, applications and services from both the mobile terminal APP and the server side; it makes decisions by combining user-defined business threat rules with fraud detection by a big data engine (decision tree and graph-theoretic models), gives early warning of and locates threat behavior of every kind, and produces threat intelligence about devices, applications and content.
In the operation and maintenance phase: security protection at this stage mainly comprises vulnerability response and channel monitoring. Security vulnerability monitoring lets the television station respond to security emergencies, discover and resolve vulnerability events in time, and prevent potential business, financial and reputational losses. Channel monitoring tracks the publication of pirated copies on each major application distribution channel, making piracy visible and controllable and avoiding the losses that users and the enterprise suffer when users download and use pirated copies.
In this example, a security management system also needs to be established in advance. Specifically, a security management system is set up, security management mechanisms are established, and a security operation and maintenance mechanism is put in place by establishing a personnel security management system.
For the security management system, management rules, management methods and interim rules are formulated according to the basic requirements of the system. Standardized management can be considered from several aspects. Registration management: every mobile terminal is strictly registered on file, the records are managed by both technical and administrative means, and each record includes the unit, work area, user, terminal identification code, machine serial number, SIM card number, serial number and the like. Issuance management: during working hours terminals are signed out from, and after work returned to, the managing department, with the sign-out and return registered, operational data synchronized in time and completed operational data submitted. Loss management: a complete loss management system is established and any loss must be reported promptly; at the same time, remote terminal locking and information destruction are supported by technical means.
Regarding the security operation and maintenance mechanism, risk assessment is performed. With the rapid development of technology, television centers have essentially achieved digital and networked broadcasting and are continuing towards high definition; the broadcasting system of a television center has changed from a system built from simple analog equipment into a comprehensive network information system combining analog, digital and IT equipment, and it also involves a series of related factors such as personnel, management and plans, so risk assessment of the television center has become complex. In line with the technical development of the broadcast television industry, an effective and feasible risk assessment of the center's secure broadcasting accurately judges the risk level of its own system, finds weak links in secure broadcasting in time, proposes targeted protective measures and remediation, and provides a scientific basis for preventing and resolving secure-broadcasting risk.
For wireless network security protection, risk assessment needs to be carried out regularly. Risk assessment means, from the standpoint of risk management and using scientific methods and tools, systematically analyzing the threats to and the vulnerabilities in every link of the wireless network, assessing the probability that a security event occurs and the loss it may cause if it does, proposing, on the basis of the results, targeted countermeasures and remediation against the threats, and so providing a basis for preventing and resolving information security risk, keeping it at an acceptable level and protecting the network and its information to the greatest possible extent.
Emergency response is also required. A mobile application is designed to solve a business problem, but attackers and reverse engineers do not use it the way normal users do: they look for its risks and vulnerabilities and exploit them for profit. In the operational phase a mobile application is typically attacked by decompilation and analysis, running it after tampering with its functions, distributing pirated copies by repackaging, reverse analysis of core business logic, dynamic debugging with tools, tampering with key business data at run time, capturing and analyzing its network traffic, unpacking (shell-removal) attacks, phishing imitations and the like. Protecting against these risks effectively raises the security level of the media mobile application in the operational phase.
The pre-established emergency plan for network attack events is as follows: when an illegal intrusion into the network, tampering with mobile application content, illegal copying, modification or deletion of data on the application server, or an attack in progress is discovered, the user or administrator disconnects the network and immediately reports to the emergency group; the emergency group immediately shuts down the affected servers, blocks or deletes compromised login accounts, blocks the channel through which the suspicious user entered the network, cleans the system, restores data and programs, and restores the system and network as soon as possible.
The pre-established emergency plan for information damage events is as follows: when information is found to have been tampered with, forged, leaked or the like, the user immediately notifies the emergency group; if tampered or forged data is being submitted or sent, the emergency group immediately cuts off the data transmission; the emergency group determines the cause of the damage and the persons responsible by tracing the application program and reviewing the database security audit records and the business system security audit records; and the emergency group proposes correction schemes and measures and notifies each business subsystem to act on them.
The pre-established emergency plan for information content security events is as follows: when harmful information or a network virus is found, the user immediately disconnects from the network to stop its spread and reports to the emergency group; depending on the situation, the emergency group notifies all terminal users, isolates the network, guides the operation of each terminal, and guides users through antivirus processing and removal of the harmful information until the network is back in a secure state.
The pre-established compatibility emergency response service is as follows: when a newly released handset or operating system causes the hardened product to become incompatible, unstable or slow, or to crash on a large scale, the user immediately reports to the emergency group; the emergency group then repairs the bug or issues an emergency version update, as the situation requires.
Around the overall goal of building trustworthy, manageable and controllable wireless network security, this embodiment makes full use of advanced technical resources, performs an in-depth security analysis of the television station's wireless network access services, and provides a complete wireless network security protection system that is highly available, feasible and extensible; it lays a solid technical foundation for the station's future wireless network security protection architecture and provides strong technical support for the next step of building a new pattern of integrated media development and public opinion guidance.
In a specific implementation, the wireless network security protection system provided by this embodiment may be constructed by the following method, which includes:
step 1, in accordance with the principles of security, reliability, advancement, applicability, manageability and easy expansion, constructing a wireless security defense system, namely the wireless network security unit, that integrates wireless security detection, wireless intrusion defense, wireless access control and wireless positioning, and provides the wireless network with a secure physical environment and a secure wireless transmission channel;
step 2, adopting a link-by-link security defense strategy, constructing a boundary security access platform, namely the boundary access unit, that integrates boundary protection, identity authentication, application security and security isolation; on the premise that boundary access is secure, establishing a network security channel between the internal and external networks and providing a secure network access service;
step 3, constructing a mobile security management platform, namely the mobile terminal security unit, comprising a mobile terminal management module, a mobile application management module and a mobile content management module; the mobile terminal management module manages the full life cycle of the mobile terminal through registration, activation, use and retirement; the mobile application management module provides integrated management of the detection, reinforcement and distribution of applications; and the mobile content management module manages content storage, content transmission, content distribution and file documents;
and step 4, establishing operation, maintenance and management mechanisms for the boundary security access platform and the mobile security management platform, and ensuring their normal operation through standardized access configuration, standardized security monitoring and standardized operational handling.
The step 1 of constructing the wireless security defense system may specifically include the following steps:
adopting identity authentication, privilege restriction and data encryption to improve the security of the network devices themselves and ensure the normal operation of every kind of network device;
establishing a wireless interference detection and defense mechanism that identifies and blocks rogue APs, wireless scanning, wireless spoofing, wireless phishing, DoS and wireless cracking behavior;
applying access control management to the wireless network, controlling access rights so that unauthorized users cannot connect, and so securing the wireless network service;
setting up an auditing mechanism at the wireless network boundary that monitors data, records operations of every kind and raises an alarm for confirmed violations;
transmitting with digital signature technology, a specific audio and video file format, a specific protocol, or a technical means of equivalent strength, so that data integrity during communication is assured and recovery is performed when integrity is found to be damaged;
and issuing wireless access points deliberately, so that the risk of malicious access through them is reduced and the security of the wireless network is assured.
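To make the detection and blocking step concrete, here is an added example (not from the patent; the scan-record format, SSIDs, BSSIDs, sensor names and the deauthentication threshold are all constructed for the example) of how a wireless intrusion prevention component can classify a scan against an inventory of authorized access points. It covers four of the behaviors the step names: an evil twin that copies a managed SSID, a phishing lookalike with a near-identical name, a deauthentication flood (DoS) sent under an authorized BSSID, and an authorized AP advertising an SSID it was not configured for; the sensor that heard the frames serves as the coarse position that wireless positioning would refine.

```go
package main

import (
	"fmt"
	"strings"
)

// Observation is one beacon source seen by a wireless sensor during a scan window.
// The record layout is constructed for this example, not the patent's.
type Observation struct {
	SSID    string
	BSSID   string
	Channel int
	Sensor  string // the sensor that heard it; doubles as a coarse location
	Deauths int    // deauthentication frames attributed to this BSSID in the window
}

// Inventory lists the authorized access points (BSSID -> the SSID it may serve)
// and the deauthentication count above which a source is treated as a DoS attack.
type Inventory struct {
	Authorized      map[string]string
	DeauthThreshold int
}

// Alert carries the finding plus the containment action the patent lists:
// packet-sending (deauth) containment or radio-frequency blocking.
type Alert struct {
	Kind   string
	BSSID  string
	SSID   string
	Sensor string
	Action string
}

// normalizeSSID folds case and drops punctuation so that "CMG Office" and
// "cmg-office" both map onto the managed SSID "CMG-Office" (phishing lookalikes).
func normalizeSSID(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Analyze classifies each observation against the inventory and returns alerts
// in observation order. Unknown neighbor networks produce no alert.
func Analyze(inv Inventory, obs []Observation) []Alert {
	managed := map[string]string{} // normalized SSID -> canonical managed SSID
	for _, ssid := range inv.Authorized {
		managed[normalizeSSID(ssid)] = ssid
	}
	var alerts []Alert
	for _, o := range obs {
		bssid := strings.ToLower(o.BSSID)
		expected, known := inv.Authorized[bssid]
		if inv.DeauthThreshold > 0 && o.Deauths >= inv.DeauthThreshold {
			// a flood carrying one of our BSSIDs is an attacker spoofing that address
			alerts = append(alerts, Alert{"deauth-flood", bssid, o.SSID, o.Sensor, "rf-block"})
			continue
		}
		if known {
			if expected != o.SSID { // our hardware advertising an SSID it was not configured for
				alerts = append(alerts, Alert{"ap-config-tamper", bssid, o.SSID, o.Sensor, "log"})
			}
			continue
		}
		canonical, resembles := managed[normalizeSSID(o.SSID)]
		switch {
		case resembles && canonical == o.SSID: // exact managed SSID from unknown hardware
			alerts = append(alerts, Alert{"evil-twin", bssid, o.SSID, o.Sensor, "deauth-block"})
		case resembles: // near-identical name: wireless phishing
			alerts = append(alerts, Alert{"phishing-lookalike", bssid, o.SSID, o.Sensor, "deauth-block"})
		}
	}
	return alerts
}

// SampleInventory and SampleScan are constructed data for a studio building.
func SampleInventory() Inventory {
	return Inventory{
		Authorized: map[string]string{
			"aa:bb:cc:00:00:01": "CMG-Office",
			"aa:bb:cc:00:00:02": "CMG-Office",
			"aa:bb:cc:00:00:03": "CMG-Guest",
		},
		DeauthThreshold: 50,
	}
}

func SampleScan() []Observation {
	return []Observation{
		{"CMG-Office", "AA:BB:CC:00:00:01", 36, "studio-3", 0},  // healthy
		{"CMG-Office", "de:ad:be:ef:00:01", 6, "lobby", 0},      // evil twin
		{"CMG Office", "de:ad:be:ef:00:02", 11, "lobby", 0},     // lookalike
		{"CMG-Guest", "aa:bb:cc:00:00:03", 1, "car-park", 120},  // deauth flood
		{"Neighbour-Cafe", "11:22:33:44:55:66", 1, "lobby", 0},  // neighbor, ignored
		{"CMG-Guest", "aa:bb:cc:00:00:02", 36, "studio-3", 0},   // config tamper
	}
}

func main() {
	for _, a := range Analyze(SampleInventory(), SampleScan()) {
		fmt.Printf("%-18s %s %-14s seen by %-8s -> %s\n", a.Kind, a.BSSID, a.SSID, a.Sensor, a.Action)
	}
}
```

The action field maps onto the two blocking methods of claim 2: deauthentication containment is the "packet sending blocking" that evicts clients from the impostor, while a deauthentication flood cannot be answered in kind and is handed to radio-frequency blocking. A production sensor would add the signal strengths from several sensors so that the triangulation or fingerprint positioning of claim 2 can locate the source more precisely than "lobby".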
The step 2 of constructing the boundary security access platform may specifically include the following steps:
sorting the wireless network users and managing them in groups;
storing the user information of all application systems in a unified way;
establishing authentication mechanisms of different levels according to the security level of each application system;
keeping the mobile terminal in a configuration that meets the installation and configuration requirements of the mobile application;
establishing a session duration management mechanism to secure data access;
establishing a permission management mechanism based on the different user identities;
establishing a location-based permission management mechanism that limits access rights according to the user's location;
and establishing a terminal-type-based permission management mechanism that manages permissions separately for each type of terminal.
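As an added example (not the patent's code; the roles, zones, levels, session limits and terminal types are constructed for the example), the following Go program combines the mechanisms of this step into one decision: an authentication level graded by the system's security level, a permission map by user identity, a location check, a terminal-type check and a session-age limit. It reports every rule the request violates rather than stopping at the first, which is what an operator needs when explaining a denial.

```go
package main

import (
	"fmt"
	"time"
)

// AuthLevel is the strength of the credential the user presented at login.
type AuthLevel int

const (
	PasswordOnly   AuthLevel = 1 // enough for level 1 systems
	PasswordAndOTP AuthLevel = 2 // level 2 systems
	CertAndOTP     AuthLevel = 3 // level 3 systems: terminal certificate plus one-time code
)

// System is an application behind the boundary, graded 1 (low) to 3 (high).
type System struct {
	Name  string
	Level int
}

// Request is everything the boundary knows about one access attempt.
type Request struct {
	UserID    string
	Role      string
	Auth      AuthLevel
	Terminal  string    // "managed" or "byod"
	Zone      string    // where the user is, as reported by wireless positioning
	SessionAt time.Time // when the session was established
	Now       time.Time
}

// Policy expresses the identity-, location-, terminal-type- and duration-based
// rules of the boundary access unit. All values are constructed for this example.
type Policy struct {
	RoleSystems  map[string][]string   // role -> systems it may reach
	ZonesByLevel map[int][]string      // level -> zones it may be reached from (absent = anywhere)
	ManagedOnly  int                   // lowest level that requires a managed terminal
	MaxSession   map[int]time.Duration // level -> maximum session age
}

func DefaultPolicy() Policy {
	return Policy{
		RoleSystems: map[string][]string{
			"editor":   {"newsroom-cms", "media-library", "mail"},
			"reporter": {"media-library", "mail"},
		},
		ZonesByLevel: map[int][]string{
			2: {"hq-campus", "studio-centre"},
			3: {"hq-campus"},
		},
		ManagedOnly: 3,
		MaxSession:  map[int]time.Duration{1: 8 * time.Hour, 2: 2 * time.Hour, 3: 30 * time.Minute},
	}
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Decide returns whether the request is allowed and every rule it violated.
func (p Policy) Decide(r Request, s System) (bool, []string) {
	var reasons []string
	if !contains(p.RoleSystems[r.Role], s.Name) {
		reasons = append(reasons, fmt.Sprintf("role %q is not permitted on %s", r.Role, s.Name))
	}
	if int(r.Auth) < s.Level {
		reasons = append(reasons, fmt.Sprintf("authentication level %d below required %d", r.Auth, s.Level))
	}
	if zones, ok := p.ZonesByLevel[s.Level]; ok && !contains(zones, r.Zone) {
		reasons = append(reasons, fmt.Sprintf("zone %q not permitted for level %d", r.Zone, s.Level))
	}
	if s.Level >= p.ManagedOnly && r.Terminal != "managed" {
		reasons = append(reasons, fmt.Sprintf("terminal type %q not permitted for level %d", r.Terminal, s.Level))
	}
	if limit, ok := p.MaxSession[s.Level]; ok && r.Now.Sub(r.SessionAt) > limit {
		reasons = append(reasons, fmt.Sprintf("session older than %s; re-authentication required", limit))
	}
	return len(reasons) == 0, reasons
}

func main() {
	now := time.Date(2020, 7, 6, 10, 0, 0, 0, time.UTC) // constructed clock
	cms := System{"newsroom-cms", 3}
	good := Request{"u1001", "editor", CertAndOTP, "managed", "hq-campus", now.Add(-10 * time.Minute), now}
	bad := Request{"u1001", "editor", PasswordOnly, "byod", "home", now.Add(-3 * time.Hour), now}
	for _, r := range []Request{good, bad} {
		ok, why := DefaultPolicy().Decide(r, cms)
		fmt.Println(r.UserID, "->", cms.Name, "allowed:", ok, why)
	}
}
```

The zone comes from the wireless positioning function of the wireless network security unit, which is why the location rule can be enforced at the boundary rather than trusted from the terminal; the terminal type comes from the registration records of the mobile terminal management module.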
The step 3 of constructing the mobile security management platform may specifically include the following steps:
constructing a mobile terminal management module;
constructing a mobile application management module;
and constructing a mobile content management module.
The construction of the mobile terminal management module comprises the following steps:
using a mobile terminal admission control mechanism to check the compliance of every mobile terminal that connects to the wireless network, so that potential security risks of the terminal are found and terminals that do not meet the security requirements are refused access;
registering and grouping the mobile terminals and managing them by category;
establishing a policy management mechanism oriented to service needs and applying centralized policy management to the mobile terminals;
using positioning and data erasure to deal promptly with terminals that have gone out of control, so that core data is protected and sensitive information does not leak;
configuring and managing the function permissions, application permissions, security and privacy of a designated user's device through fine-grained permission control;
using loss-of-connection detection to protect the data on mobile terminals that have lost their connection, so that sensitive data does not leak;
and deploying an anti-virus system, strengthening the virus protection of the terminal, and upgrading the malicious-code software version and signature library in a timely manner.
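The admission-control, out-of-control-device and loss-of-connection steps above can be expressed as one posture check; the Go program below is an added example (not from the patent; the terminal record layout, the baseline values and the action names are assumptions). It evaluates the terminal's life-cycle state first, so that a terminal reported lost is never admitted and instead receives locate, lock and wipe actions, and then checks root status, storage encryption, screen-lock PIN length, OS and agent versions, and how long the management agent has been silent.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Terminal is the inventory record plus the posture the management agent reported.
// The field set is constructed for this example, not the patent's registration file.
type Terminal struct {
	ID            string
	Status        string // "registered", "activated", "in-use", "lost", "retired"
	OSVersion     string // dotted numeric, e.g. "13.0.1"
	Rooted        bool
	DiskEncrypted bool
	LockPINLength int
	AgentVersion  string
	LastSeenHours int // hours since the management agent last checked in
}

// Baseline is the centrally managed compliance policy.
type Baseline struct {
	MinOSVersion    string
	MinAgentVersion string
	MinPINLength    int
	MaxSilentHours  int // beyond this the terminal is treated as out of contact
}

// Verdict is the admission decision and the remote actions the module should trigger.
type Verdict struct {
	Admit   bool
	Reasons []string
	Actions []string // "locate", "lock", "wipe", "quarantine"
}

// versionLess reports whether a < b for dotted numeric versions ("13.0.1" < "13.1").
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Admit applies the admission control mechanism: life-cycle state first, then
// posture against the baseline. Every failed check is reported, not just the first.
func Admit(t Terminal, b Baseline) Verdict {
	v := Verdict{}
	switch t.Status {
	case "lost": // out-of-control device: locate it and destroy the data on it
		v.Reasons = append(v.Reasons, "terminal reported lost")
		v.Actions = append(v.Actions, "locate", "lock", "wipe")
		return v
	case "retired":
		v.Reasons = append(v.Reasons, "terminal retired from service")
		return v
	case "activated", "in-use":
	default:
		v.Reasons = append(v.Reasons, fmt.Sprintf("terminal in state %q is not yet activated", t.Status))
		return v
	}
	if t.Rooted {
		v.Reasons = append(v.Reasons, "terminal is rooted or jailbroken")
		v.Actions = append(v.Actions, "quarantine")
	}
	if !t.DiskEncrypted {
		v.Reasons = append(v.Reasons, "storage encryption disabled")
	}
	if t.LockPINLength < b.MinPINLength {
		v.Reasons = append(v.Reasons, fmt.Sprintf("screen lock PIN shorter than %d digits", b.MinPINLength))
	}
	if versionLess(t.OSVersion, b.MinOSVersion) {
		v.Reasons = append(v.Reasons, fmt.Sprintf("OS %s older than baseline %s", t.OSVersion, b.MinOSVersion))
	}
	if versionLess(t.AgentVersion, b.MinAgentVersion) {
		v.Reasons = append(v.Reasons, fmt.Sprintf("agent %s older than baseline %s", t.AgentVersion, b.MinAgentVersion))
	}
	if t.LastSeenHours > b.MaxSilentHours { // loss-of-connection detection
		v.Reasons = append(v.Reasons, fmt.Sprintf("no agent check-in for %d hours", t.LastSeenHours))
		v.Actions = append(v.Actions, "lock")
	}
	v.Admit = len(v.Reasons) == 0
	return v
}

func main() {
	baseline := Baseline{"13.0", "2.4.0", 6, 72} // constructed baseline
	for _, term := range []Terminal{ // constructed terminals
		{"TV-0001", "in-use", "13.0.1", false, true, 6, "2.4.1", 2},
		{"TV-0002", "in-use", "12.9.9", true, false, 4, "2.3.9", 100},
		{"TV-0003", "lost", "13.0.1", false, true, 6, "2.4.1", 2},
	} {
		fmt.Printf("%s: %+v\n", term.ID, Admit(term, baseline))
	}
}
```

A terminal that is merely out of contact is locked but not wiped, because a dead battery and a stolen handset look the same to the server until the loss is reported through the loss management process; the wipe is reserved for the explicit "lost" state that process produces.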
The construction of the mobile application management module comprises the following steps:
performing security detection on the mobile application APP before it goes online and providing solutions for any vulnerabilities found;
encrypting the mobile application APP before it goes online;
and performing security inspection and security reinforcement on the mobile application APP before it is released, so that distribution is secure.
The construction of the mobile content management module comprises the following steps:
using sandbox technology to manage internal data and personal data uniformly, so that storage is secure;
encrypting documents with a high-strength encryption algorithm, so that the risk of leakage during upload or transmission is reduced;
managing documents uniformly and distributing them to designated targets, so that distribution is secure;
and implementing secure notification and push through built-in message management.
The establishment of the operation maintenance and management working mechanism comprises the following steps:
establishing a safety management system;
and carrying out safe operation and maintenance.
The establishment of the security management system comprises the following steps:
establishing a perfect safety management system;
establishing a strict safety management mechanism;
and managing the safety of personnel.
The safe operation maintenance comprises the following steps:
carrying out risk assessment work regularly;
and formulating an emergency response plan for network attack events, an emergency response plan for information damage events and an emergency response plan for information content security events, and providing a compatibility emergency response service.
The following security principles need to be observed in building the system proposed by this application.
Overall security principle. An information security defense system is made up of many information security devices, and against any given threat its defense level is only as high as that of its weakest device.
Active defense principle. As attacker techniques improve, the demands on information security rise. Besides traditional boundary defense equipment, the defense system also needs intelligent, highly automated, fast-responding information security products and a local service team with strong technical capability and prompt response, so that preventive detection is done well and attacks are stopped before they take hold.
Multiple protection principle. No security defense is absolutely secure; any of them may be breached. A multi-layered security protection system, in which the layers complement one another, still protects the information when one layer is broken, and so resists security risks of every kind effectively.
Consistency principle. Information security must be addressed throughout the working cycle (life cycle) of the whole network, and the security architecture established must be consistent with the network's security requirements. Designing security countermeasures at the start of network construction is easier and far cheaper than adding security measures after the network has been built.
Ease of operation principle. Security measures are carried out by people; if they are too complicated or demand too much of them, security falls. Measures must also not disrupt the normal operation of the system: they may not run counter to the purpose of the informatization effort, and, built on top of the application system, they must keep the service efficient and easy to operate.
Extensibility principle. Because the network system and its applications have a wide scope, the network's vulnerability grows as its scale and applications grow; solving information security once and for all is unrealistic, and implementing security measures costs a considerable amount. Extensibility is therefore considered fully and implementation proceeds step by step according to the available funding, which meets the basic security requirements of the network system and its information while saving expense.
Standardization principle. National and industry regulations, standards and specifications must be followed for software, hardware, the network, security and institutional construction, while the organization's working characteristics are taken fully into account and the standards are supplemented and refined to match its actual services.
With the system provided by this embodiment, as shown in fig. 3, the mobile terminal access process is as follows. The mobile terminal initiates a wireless connection to the mobile operator; the operator returns connection success, and a wireless access channel is established between the terminal and the operator. Over this channel the terminal connects to the information network: it initiates access to the information network via the information extranet, the extranet returns access success, and a connection channel is established between the terminal and the information network. Once the connection channel exists, the mobile terminal and the security device in the information network authenticate each other, and each side is established as trustworthy by verifying the other's certificate. The two sides then use a key negotiation mechanism and a dedicated encryption algorithm approved by the State Cryptography Administration to establish an encrypted transmission channel for business data (media files excepted). Mutual identity authentication ensures that the terminal is securely and reliably admitted to the information network, and encrypted transmission ensures that business data cannot be stolen in transit. Because media files are carried outside this encrypted channel, their integrity still depends on the digital-signature or file-format protection applied by the wireless network security unit.
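The certificate-based mutual authentication described above, as an added example (not the patent's implementation; the certificate names and the message contents are assumptions, and the example uses TLS with ECDSA P-256 rather than the State-Cryptography-Administration-approved algorithms the patent requires, which are not in the Go standard library): the security device is a TLS server that demands a client certificate chained to the station CA, and the mobile terminal presents one. The second call shows the failure mode the design relies on: a terminal without a certificate is refused, whether that refusal surfaces during the handshake (TLS 1.2) or on the first read afterwards (TLS 1.3).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert makes an ECDSA P-256 certificate for cn; with parent == nil it is a
// self-signed CA, otherwise it is signed by parent. Names are constructed for the example.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback stands in for the gateway address
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MutualTLSExchange runs the security device as a TLS server that requires a
// terminal certificate chained to the station CA, then connects a terminal to it.
// With presentClientCert false the terminal must be refused.
func MutualTLSExchange(presentClientCert bool) (string, error) {
	caCert, caKey, err := issueCert("station-ca", nil, nil)
	if err != nil {
		return "", err
	}
	srvCert, srvKey, err1 := issueCert("security-gateway", caCert, caKey)
	cliCert, cliKey, err2 := issueCert("mobile-terminal-01", caCert, caKey)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("issuing certificates: %v %v", err1, err2)
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the device authenticates the terminal too
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the security device: one session, replying with who the peer proved to be
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		tconn := conn.(*tls.Conn)
		buf := make([]byte, 256)
		n, err := tconn.Read(buf) // completes the handshake; fails without a valid terminal certificate
		if err != nil {
			return
		}
		peer := tconn.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tconn, "hello %s, you sent %q", peer, buf[:n])
	}()
	cliCfg := &tls.Config{RootCAs: pool} // the terminal verifies the device against the station CA
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // TLS 1.2: the refusal surfaces during the handshake
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("terminal-ping")); err != nil {
		return "", err
	}
	reply := make([]byte, 256)
	n, err := conn.Read(reply) // TLS 1.3: the refusal surfaces here instead
	if err != nil {
		return "", err
	}
	return string(reply[:n]), nil
}

func main() {
	reply, err := MutualTLSExchange(true)
	fmt.Printf("with terminal certificate: %q err=%v\n", reply, err)
	_, err = MutualTLSExchange(false)
	fmt.Printf("without terminal certificate: err=%v\n", err)
}
```

The identity the server acts on is the subject of the verified certificate, not anything the terminal writes in the application payload; that is the property that lets the boundary access unit tie permissions to a registered terminal rather than to a claimed name.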
It should be noted that: unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention. In all examples shown and described herein, unless otherwise specified, any particular value should be construed as merely illustrative, and not restrictive, and thus other examples of example embodiments may have different values.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A wireless network security protection system, comprising:
the wireless network security unit is used for performing wireless security detection, wireless intrusion prevention, wireless access control and wireless positioning;
the boundary access unit is used for performing boundary protection, identity authentication and safety isolation and establishing a network safety channel between the information outer network and the information inner network;
and the mobile terminal safety unit is used for managing the mobile terminal, the mobile application and the content.
2. The system of claim 1, wherein the wireless network security unit is specifically configured to:
identifying and detecting attack behavior, the attack behavior comprising at least one of: rogue access point access, wireless scanning, wireless spoofing, wireless phishing, denial of service (DoS), and wireless cracking behavior;
when an attack behavior is detected, blocking the attack behavior through packet sending blocking or radio frequency blocking;
and when the attack behavior is detected, positioning an attack source of the attack behavior through triangulation positioning or fingerprint positioning.
3. The system of claim 1, wherein the wireless network security unit is specifically configured to perform at least one of:
carrying out identity authentication, authority limitation and data encryption;
controlling the access right to the wireless network and prohibiting a user who does not obtain the access right from accessing;
monitoring data, recording various operations, and giving an alarm when the illegal behavior is confirmed to exist according to the data or the operations;
controlling a physical area corresponding to the issued wireless access point;
and transmitting by adopting a digital signature technology or a set audio and video file format or a set protocol.
4. The system of claim 1, wherein the border access unit is specifically configured to perform at least one of:
grouping management is carried out on users according to preset categories;
storing information of each user;
authenticating the user, according to the security level of the user, with an authentication mechanism of the corresponding level; or,
configuring the mobile terminal;
managing the authority of the user according to the category of the user;
limiting the access authority according to the position of the user;
carrying out authority management according to the type of the mobile terminal;
the duration of sessions established by a plurality of users is managed.
5. The system of claim 1, wherein the mobile terminal security unit comprises:
the mobile terminal management module is used for carrying out full life cycle management on the registration, activation, use and elimination of the mobile terminal;
the mobile application management module is used for carrying out aggregation management on the detection, reinforcement and distribution of the mobile application;
and the mobile content management module is used for managing the content storage, the content transmission, the content distribution and the file document.
6. The system of claim 5, wherein the mobile terminal management module is specifically configured to perform at least one of:
detecting whether a mobile terminal to be accessed has a security risk, and allowing the mobile terminal to be accessed when the mobile terminal is determined not to have the security risk;
registering, grouping and grouping management are carried out on the accessed mobile terminals;
managing the mobile terminal according to a preset strategy; the preset strategy comprises at least one of the following strategies: a screen locking and screen locking clearing strategy, a screen locking password strategy, an illegal action strategy, a user strategy and an auditing strategy;
positioning or erasing data of the mobile terminal out of control;
configuring and managing the function authority, the application program authority, the safety and the privacy of the terminal equipment of the target user;
data protection is carried out on the mobile terminal which is lost;
and carrying out virus protection processing on the mobile terminal, and upgrading the anti-virus system according to the virus identified by the mobile terminal.
7. The system of claim 5, wherein the mobile application management module is configured to perform at least one of:
carrying out security detection on the mobile application before online, and repairing the vulnerability when the vulnerability is detected;
encrypting the mobile application before online;
and carrying out security check and security reinforcement on the mobile application before release.
8. The system of claim 5, wherein the mobile content management module is configured to perform at least one of:
using sandbox technology to manage the TV station's internal data and personal data;
encrypting a document to be uploaded or transmitted using an encryption algorithm;
performing unified management and targeted distribution of documents to be distributed;
and performing targeted pushing of notification messages.
9. The system of any one of claims 1-8, further comprising:
a risk evaluation unit for periodically analyzing the wireless network security protection system and evaluating the probability of occurrence of security events.
10. The system of any one of claims 1-8, further comprising:
an emergency response unit for generating an emergency signal when an abnormal event is detected, the emergency signal being used to trigger a corresponding prompt or to disconnect the network connection; the abnormal event comprises at least one of: an attack event, a detected information destruction event, and a detected information content security event.
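Claim 10 names three kinds of abnormal event and two possible responses but leaves the detection and the choice of response open. The following is an added example, not code from the patent or its applicant, of a minimal emergency response unit: it walks a constructed log once, raises an emergency signal the moment an attack, information destruction or content security threshold is crossed, and maps each kind to either an operator prompt or a network disconnect. The log record format, the sample records, the thresholds and the kind-to-action mapping are all assumptions made for the example.

```python
"""Added example for claim 10 (not code from the patent or its applicant):
an emergency response unit that detects the three abnormal-event kinds the
claim lists and emits an emergency signal carrying a prompt or disconnect
action. Record format, sample log, thresholds and action mapping are assumed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class EventKind(Enum):
    ATTACK = "attack"
    INFO_DESTRUCTION = "information_destruction"
    CONTENT_SECURITY = "information_content_security"


class Action(Enum):
    PROMPT = "prompt"            # raise a corresponding prompt to the operator
    DISCONNECT = "disconnect"    # cut the offending network connection


@dataclass(frozen=True)
class EmergencySignal:
    kind: EventKind
    subject: str      # source address or terminal id the signal concerns
    action: Action
    detail: str


# Assumed thresholds and response mapping; a deployment would tune these.
AUTH_FAIL_THRESHOLD = 5     # failed logins from one source -> attack event
DELETE_THRESHOLD = 20       # file deletions by one terminal -> information destruction event
ACTION_FOR_KIND = {
    EventKind.ATTACK: Action.DISCONNECT,
    EventKind.INFO_DESTRUCTION: Action.DISCONNECT,
    EventKind.CONTENT_SECURITY: Action.PROMPT,
}


def parse_record(line: str) -> dict[str, str]:
    """Parse '<timestamp> key=value key=value ...' (constructed log format)."""
    timestamp, *tokens = line.split()
    record = {"ts": timestamp}
    for token in tokens:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def detect(lines: list[str]) -> list[EmergencySignal]:
    """Single pass over the records; each threshold fires exactly once when crossed."""
    auth_failures: Counter[str] = Counter()
    deletions: Counter[str] = Counter()
    signals: list[EmergencySignal] = []

    def raise_signal(kind: EventKind, subject: str, detail: str) -> None:
        signals.append(EmergencySignal(kind, subject, ACTION_FOR_KIND[kind], detail))

    for line in lines:
        record = parse_record(line)
        event = record.get("event")
        if event == "auth_fail":
            src = record["src"]
            auth_failures[src] += 1
            if auth_failures[src] == AUTH_FAIL_THRESHOLD:
                raise_signal(EventKind.ATTACK, src, f"{AUTH_FAIL_THRESHOLD} failed logins from {src}")
        elif event == "file_delete":
            terminal = record["terminal"]
            deletions[terminal] += 1
            if deletions[terminal] == DELETE_THRESHOLD:
                raise_signal(EventKind.INFO_DESTRUCTION, terminal,
                             f"{DELETE_THRESHOLD} deletions by {terminal}")
        elif event == "dlp_match" and record.get("classification") == "internal":
            raise_signal(EventKind.CONTENT_SECURITY, record["terminal"],
                         f"internal document matched outbound rule via {record.get('channel', '?')}")
    return signals


# Constructed sample log: six failed logins from one source, twenty deletions by
# one terminal, one DLP hit on an internal document, and benign noise in between.
SAMPLE_LOG = (
    [f"2020-07-06T09:00:{i:02d} event=auth_fail src=10.0.0.5 user=admin" for i in range(6)]
    + ["2020-07-06T09:00:10 event=auth_ok src=10.0.0.9 user=editor1"]
    + [f"2020-07-06T09:01:{i:02d} event=file_delete terminal=T-042 path=/share/doc{i}.docx"
       for i in range(20)]
    + ["2020-07-06T09:02:00 event=dlp_match terminal=T-017 classification=internal channel=webmail"]
)

if __name__ == "__main__":
    for signal in detect(SAMPLE_LOG):
        print(signal.kind.value, signal.subject, signal.action.value, "-", signal.detail)
```

Firing on the exact crossing of each threshold, rather than on every record above it, keeps one incident from producing a flood of identical signals; the counters also give the risk evaluation unit of claim 9 something to sample periodically.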

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010640978.XA CN113365277A (en) 2020-07-06 2020-07-06 Wireless network safety protection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010640978.XA CN113365277A (en) 2020-07-06 2020-07-06 Wireless network safety protection system

Publications (1)

Publication Number Publication Date
CN113365277A true CN113365277A (en) 2021-09-07

Family

ID=77524444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010640978.XA Pending CN113365277A (en) 2020-07-06 2020-07-06 Wireless network safety protection system

Country Status (1)

Country Link
CN (1) CN113365277A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115499844A (en) * 2022-09-22 2022-12-20 Guizhou Power Grid Co., Ltd. (贵州电网有限责任公司) Mobile terminal information safety protection system and method
CN115499844B (en) * 2022-09-22 2024-04-30 Guizhou Power Grid Co., Ltd. (贵州电网有限责任公司) Mobile terminal information safety protection system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106792684A (en) * 2016-12-13 2017-05-31 State Grid Corporation of China, Information and Communication Branch (国家电网公司信息通信分公司) Wireless network security protection system and protection method with multiple layers of protection
US20180054737A1 (en) * 2016-08-18 2018-02-22 Alibaba Group Holding Limited System and method for wireless network security

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
孙侃: "Design and Implementation of a Unified Security Management Platform for Intelligent Mobile Terminals" (智能移动终端统一安全管理平台的设计与实现), Modern Television Technology (《现代电视技术》) *
琚宏伟: "Research on WLAN Wireless Network Security Technology and a Preliminary Exploration of Its Application" (WLAN无线网络安全技术研究及应用初探), Modern Television Technology (《现代电视技术》) *
赵朔 et al.: "Research on New Network Boundary Protection Technology" (新型网络边界防护技术研究), Information & Communications (《信息通信》) *

Similar Documents

Publication Publication Date Title
Panchal et al. Security issues in IIoT: A comprehensive survey of attacks on IIoT and its countermeasures
US11036836B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
CN109460660B (en) Mobile device safety management system
CN108600236B (en) Intelligent information safety comprehensive management system of video monitoring network
KR101386097B1 (en) Platform validation and management of wireless devices
CN114978584A (en) Network security protection safety method and system based on unit cell
CN102333068B (en) SSH and SFTP (Secure Shell and Ssh File Transfer Protocol)-based tunnel intelligent management and control system and method
US20220103584A1 (en) Information Security Using Blockchain Technology
Rani et al. Cyber security techniques, architectures, and design
Pitropakis et al. It's All in the Cloud: Reviewing Cloud Security
Miloslavskaya et al. Ensuring information security for internet of things
CN109600397A (en) A kind of network security monitoring and managing method
CN113365277A (en) Wireless network safety protection system
Rocha Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
Ruha Cybersecurity of computer networks
Zwarico O‐RAN Security
Frantti et al. Security Controls for Smart Buildings with Shared Space
Guo et al. Research on risk analysis and security testing technology of mobile application in power system
CN107819787A (en) One kind prevents LAN computer illegal external connection system and method
KR101175667B1 (en) Network access management method for user terminal using firewall
Kujo Implementing Zero Trust Architecture for Identities and Endpoints with Microsoft tools
Penttilä Cyber threats in maritime container terminal automation systems
Wickramsekara WiFi Blackbox-A Tamper-proof Forensic-ready Device for Wifi Networks
KR102160453B1 (en) Protection system and method of electric power systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210907