Chapter I Preface
Chapter II Overview of Network Security
Chapter III Network Security Solutions
Chapter IV Typical Application Cases
Chapter V Future Development Trend of Network Security Solutions
Chapter I Preface
Today's network operators are experiencing an exciting information explosion era, and the network backbone bandwidth will double every six to nine months on average. As the leading service type, data service requires and drives fundamental changes in the network structure. The emergence of optical Internet has laid a new foundation for network application based on IP technology. With the popularization of network, the application of information network technology and the expansion of key business systems, the security of business systems in telecom industry has become an important issue affecting network efficiency. The openness, internationality and freedom of the Internet not only increase the freedom of application, but also put forward higher requirements for security. Due to the changes in the international situation, the possibility of "cyber war" has intensified, and ensuring the security of network and information is directly related to the country's economic security and even national security. Therefore, how to protect the information network system from hackers and spies has become an important issue to be considered for the healthy development of the national telecom basic network.
In the new telecom market environment, the diversification of demand and the personalization of information consumption have gradually become an inevitable trend, especially in the field of data communication. After several years of hard work, the scale and technical level of the public data communication network have made a leap, the number of users has continued to grow at a high speed, and the number of information service users in particular has grown rapidly. The user base across the whole country keeps increasing and has begun to shift toward enterprise users. The government's online project is progressing smoothly and e-commerce has been fully launched. China Telecom's security certification system has passed the joint appraisal of the China Password Management Committee and the Ministry of Information Industry, and has carried out effective cooperation with the financial sector. Telecom also provides Internet access service, IP telephone service and other services. The IP bearer network carries image, voice and data on a unified platform, emphasizes QoS, VPN and accounting, and becomes the multi-service bearer network of the new era. The development direction of China Telecom data communication is network services and personalized services. Such a network is very rich in functions, such as stored-value card services, an e-commerce authentication platform, virtual private networks and so on. All of this depends on the guarantee of network security. Without security, personalized service is impossible. Only when the basic telecommunications platform is improved, its functions are strengthened and its security problems are resolved can we provide truly personalized services.
Due to the particular nature of the telecommunications sector, the transmission of important information is the basis of the entire national communication system, so its security is particularly important. Because some of our technologies still lag far behind foreign countries, almost all networks in China, existing or under construction, are built from products of foreign manufacturers. Only by using information security products independently developed in China, with independent copyright, can we truly take the initiative on the information battlefield and fundamentally prevent all kinds of illegal and malicious attacks and sabotage. Nowadays, most computer networks base their security on network-layer mechanisms alone, treating network security as nothing more than devices such as firewalls and encryption machines. With the expansion of network interconnection and the diversification of applications, this security mechanism is very limited for the network environment. Facing all kinds of threats, we must take effective measures to ensure the security of computer networks: we must understand the network deeply, analyze the security requirements rigorously, and put forward a complete security solution. Based on the specific network environment and applications of the telecommunication network, this document describes how to establish a complete network security solution for the telecommunication department.
Chapter II Overview of Network Security
Definition of network security
What is computer network security? Although the term is very popular now, not many people really have a correct understanding of it. In fact, it is not easy to define computer network security correctly; the difficulty lies in forming a comprehensive and effective definition. Generally speaking, security means "avoiding risks and dangers". In computer science, security means preventing:
Unauthorized users from accessing information.
Unauthorized attempts to destroy or change information.
This can be rephrased as "security is the ability of a system to protect the confidentiality and integrity of information and system resources". Note that the scope of the second definition includes system resources, namely the CPU, hard disk, programs and other information.
In the telecommunications industry, the meaning of network security includes: the reliability of key equipment; the security of the network structure and routing; network monitoring, analysis and automatic response functions; keeping the network security-related parameters normal; and protecting the open servers of the telecommunication network (such as dial-up access servers) and the security of network data. The key is to meet the requirements of the telecommunication network and ensure its security without affecting network efficiency.
Specific Network Applications in Telecommunication Industry (Combined with Typical Cases)
The technical orientation of the whole telecommunication network is that optical fiber is the main transmission medium and IP is the main communication protocol. Therefore, when choosing security products, we must meet the requirements of the telecommunication network. For example, the firewall must support the various routing protocols, QoS guarantees, MPLS implementation, speed requirements, redundancy and other requirements. These are the first issues that telecom operators should consider. The telecom network provides channels, so IP optimization is particularly important, including at least the following elements:
IP optimization of network structure. The network architecture is based on IP and embodied in the hierarchical architecture of the network layer, which can reduce the dependence on the traditional transmission system.
Optimization of IP routing protocol.
Optimization of IP packet forwarding. It is suitable for the characteristics of large-scale high-speed broadband networks and the next generation Internet, and provides high-speed route lookup and packet forwarding mechanisms.
Bandwidth optimization. Under reasonable QoS control, the bandwidth of optical fiber can be used to the maximum extent.
Stability optimization. Maximize the ability of fast switching of optical transmission in fault recovery, quickly restore network connection, avoid the whole network shock caused by routing table jitter, and provide reliability and stability to meet the requirements of high-speed broadband network.
This paper discusses the technical requirements of a mobile Internet project in a province from the aspects of backbone network carrying capacity, reliability, QoS, expansibility, network interconnection, communication protocol, network management, security and multi-service support.
Backbone layer network carrying capacity
The high-end backbone router equipment used in backbone network can provide 155M POS port. In addition, dense wavelength division multiplexing (DWDM) technology is supported to provide higher bandwidth. The connection rate between the network core and the information convergence point is 155M, and all connections are optical fiber connections.
The non-blocking switching capacity of backbone network equipment must be sufficient for line-speed switching without packet loss between high-speed ports. The switching module or interface module of backbone network equipment should provide sufficient caching and congestion control mechanisms to avoid packet loss under forwarding congestion.
Reliability and self-healing ability
These include link redundancy, module redundancy, equipment redundancy, routing redundancy and other requirements. It is essential to consider the reliability and self-healing ability of an operation-level broadband IP backbone network such as a provincial mobile Internet project.
Link redundancy. There is reliable line redundancy between backbone devices. It is suggested to adopt the redundant mode of load balancing, that is, under normal circumstances, both connections provide data transmission and backup each other. It fully embodies the advantages of adopting optical fiber technology, and will not cause instantaneous deterioration of service quality and service interruption.
Module redundancy. All modules and environmental components of backbone equipment shall have 1+1 or 1:n hot backup function, and the switching time shall be less than 3 seconds. All modules are hot-swappable. The system has more than 99.999% availability.
Equipment redundancy. Provides the ability to form a virtual device from two or more devices. When one of the devices stops working due to a fault, the other device automatically takes over its work, and the routing tables of other nodes are not recalculated, which improves the stability of the network. The switching time is less than 3 seconds to ensure that most IP applications will not experience timeout errors.
Routing redundancy. The structural design of the network should provide sufficient routing redundancy, so that when the redundancy features above still cannot resolve a failure, the data flow can find other paths to reach the destination address. In a complex network environment, when the network connection changes, the convergence time of the routing table should be less than 30 seconds.
Congestion control and quality of service guarantee
Congestion control and quality of service (QoS) are important qualities of public service networks. Due to the diversity of access methods, access rates, application methods and data attributes, data traffic bursts in the network are inevitable. Therefore, it is very important for the network to control congestion and handle data streams with different attributes differently.
Service classification. Network equipment should support 6 to 8 classes of service (CoS). When the user terminal does not provide service classification information, the network equipment should automatically classify the services according to the user's network segment, application type and traffic size.
Access rate control. Services accessing the network should abide by its access rate commitment. Data exceeding the promised rate will be discarded or marked as the lowest priority.
Queuing mechanism. It has advanced queuing mechanism to control congestion, and handles different types of services differently, including different time delays and different packet loss rates.
Advanced congestion control. When there is real congestion in the network, a large number of packets lost in an instant will cause a large number of TCP data to be retransmitted at the same time, which will aggravate the degree of network congestion and cause network instability. Network equipment should have advanced technology, and automatically take corresponding measures to control congestion in advance before network congestion occurs, so as to avoid a large number of packet losses in an instant.
Resource reservation. For very important special applications, it should be possible to ensure their QoS by reserving bandwidth resources.
Port density expansion. The port density of devices should meet the needs of interconnection between devices during network expansion.
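The access rate control requirement above (traffic beyond the promised rate is discarded or re-marked as the lowest priority) is usually realized with a token-bucket policer. The following is an added illustration, not code from the original document; the packet format, the CoS values and the rate and burst figures are constructed for the example.

```python
"""Committed access rate policer: a token bucket admits traffic up to the
promised rate, and excess traffic is either discarded or re-marked as the
lowest class of service, as the access rate control requirement describes."""
from dataclasses import dataclass, field

LOWEST_PRIORITY = 0   # constructed: CoS value of the best-effort (lowest) class

@dataclass
class Packet:
    ts: float        # arrival time in seconds (constructed sample values)
    size: int        # packet length in bytes
    cos: int = 3     # class of service carried by the packet

@dataclass
class TokenBucket:
    rate_bps: float               # committed rate in bytes per second
    burst: int                    # bucket depth in bytes (committed burst)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full

    def conform(self, size, now):
        """Refill for the elapsed time (capped at burst) and try to take
        'size' tokens; True means the packet is within the promised rate."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def police(packets, rate_bps, burst, exceed_action="mark"):
    """Run packets through the policer. exceed_action is 'drop' (discard
    excess) or 'mark' (forward excess re-marked as LOWEST_PRIORITY).
    Returns the forwarded packets and conform/exceed counters."""
    bucket = TokenBucket(rate_bps, burst)
    forwarded = []
    stats = {"conform": 0, "exceed": 0}
    for p in packets:
        if bucket.conform(p.size, p.ts):
            stats["conform"] += 1
            forwarded.append(p)
        else:
            stats["exceed"] += 1
            if exceed_action == "mark":
                forwarded.append(Packet(p.ts, p.size, LOWEST_PRIORITY))
    return forwarded, stats

def sample_burst():
    """Constructed arrival sequence: a burst at t=0, another at t=1, a full-size
    packet at t=3 and a small one right after it."""
    return [Packet(0.0, 1000), Packet(0.0, 1000), Packet(1.0, 1000),
            Packet(1.0, 600), Packet(3.0, 1500), Packet(3.1, 200)]

if __name__ == "__main__":
    # committed rate 1000 bytes/s, burst 1500 bytes
    out, stats = police(sample_burst(), 1000, 1500, "mark")
    print(stats, [p.cos for p in out])
```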
Network expansion capability
The expansion ability of the network includes the expansion ability of equipment switching ability, the expansion ability of port density, the expansion ability of backbone bandwidth and the expansion ability of network scale.
Switching capacity expansion. The switching capacity should be able to expand to several times its existing capacity to adapt to the rapid expansion of data services.
Backbone bandwidth expansion. The backbone bandwidth should have high expansion ability to adapt to the rapid expansion of data services.
Network scale expansion. Network architecture, routing protocol planning, and CPU routing processing capability of the equipment should meet the needs of this network covering the whole province.
Interconnection with other networks
Ensure seamless connection with CMNET's domestic and international egress links and the Internet.
Support communication protocol
It mainly supports the TCP/IP protocol suite, together with IPX, DECnet, AppleTalk and other protocols, and provides carrier-grade network communication software and an Internet operating system.
Support RIP, RIPv2, OSPF, IGRP, EIGRP, IS-IS and other routing protocols. Given the network scale, the OSPF routing protocol must be supported. However, OSPF consumes a lot of CPU and memory, and this network will become very large and complex, so reasonable area division and routing planning (such as route summarization) must be adopted to ensure the stability of the network.
Support BGP4 and other inter-domain routing protocols to ensure reliable interconnection with other IP networks.
Support the MPLS standard, which makes it convenient to develop value-added services such as VPN and TE (traffic engineering).
Network management and security system
Support the unified network management of various network devices in the whole network system.
Support fault management, billing management, configuration management, performance management and security management.
Support system-level management, including system analysis and system planning. Policy-based management is supported, and policy modifications can be reflected immediately on all related devices.
Network devices support multilevel management authority and authentication mechanisms, such as RADIUS and TACACS+.
Ensure the full security of the network management, authentication and billing segments and the other network segments.
Support IP value-added services
The development of technology and a large number of user application requirements will induce a large number of new services based on IP network. Therefore, operators need a simple and integrated service platform to generate services quickly. MPLS technology is just such a means, which is convenient for telecom operators to carry out business on a large scale and quickly.
Transmission delay
With the reduction of bandwidth cost, new telecom service providers will take system capacity as the main consideration when planning their networks. However, it should be noted that IP technology itself is connectionless, and its main characteristic is that it is prone to unexpected congestion. Therefore, even in high-bandwidth networks, the influence of end-to-end transmission delay on time-sensitive services should be fully considered. For example, according to the ITU-T standard, end-to-end VoIP applications require a delay of less than 150 ms, so how to guarantee the delay requirement is especially important for an application-oriented operational network, particularly as the network load increases. The key to guaranteeing this is the delay control ability of the equipment, that is, whether its delay stays within the tolerable range of sensitive services both under small load and under heavy overload.
RAS (Reliability, Availability and Serviceability)
RAS is a problem that must be considered in an operation-level network, and how to provide a network with 99.999% service availability is the main consideration in network planning and design. In the design of network reliability, the key point is that the whole network must not be paralyzed by a single point of failure, especially for a provincial backbone network such as China Mobile's. Therefore, it is necessary to provide an overall solution from single-node devices to end-to-end protection. Cisco 7500 series routers have the highest single-node reliability, including power redundancy backup, control board backup, switching matrix backup, reasonable fan design and other functions. On the whole, by providing MPLS FRR and MPLS traffic engineering technology, Cisco can ensure fast protection switching at the path level, thus ensuring end-to-end service availability to the greatest extent.
Virtual private network
Virtual private networks are widely used at present, and they are also a main way for operators to obtain profits. In addition to the original tunnel-based technologies such as IPSec and L2TP, Cisco also uses MPLS VPN, based on the new standard, to build internal and external networks, and delivers operator services through MPLS VPN technology. This opens up a new way in terms of network expansibility and operability. At the same time, it greatly simplifies network operation procedures, thus greatly reducing operating costs. In addition, the adoption of Cisco technology across multiple ASes and multiple intra-domain protocol domains will enable A Province Mobile to expand the implementation of its MPLS VPN service as its network continues to grow, and to cooperate with other operators to achieve broader business capabilities.
Service quality assurance
Common Internet queuing mechanisms, such as custom queuing, priority queuing, CBWFQ, WRR, WRED, etc., cannot fully meet the end-to-end delay targets required by delay-sensitive services. Therefore, using MDRR/WRED technology, a separate priority queue can be created for delay-sensitive services to guarantee their delay requirements; at the same time, it also provides special queue support for multicast-based applications, thus taking a step towards real-time online multimedia applications.
According to the above analysis of typical applications in the telecommunications industry, we believe that the above items are the most concerned issues for operators. When we work out a network security solution for them, we must consider whether we can meet the above requirements without affecting the normal use of the telecommunications network. We can see that the telecommunication network has very high requirements for network security products.
Network security risk analysis
Given the security vulnerabilities of networks, hackers constantly create new risks. These risks are caused by many factors and are closely related to the network system structure and system applications. They are classified and described below in terms of physical security, network security, system security, application security and management security:
1. Physical security risk analysis
We believe that the physical security of the network is the premise of the security of the whole network system. The risks of physical security mainly include:
Earthquake, flood, fire and other environmental accidents may cause the destruction of the whole system.
A power outage shuts down equipment, which can cause operating system boot failure or loss of database information.
Electromagnetic radiation may cause data information to be stolen or read.
Physical isolation of several networks with different security levels cannot be guaranteed.
2. Network security risk analysis
If no security measures are taken between the internal network and the external network, the internal network is vulnerable to attacks from the external network. These include risks from the Internet and risks from subordinate units.
If there is no corresponding access control between different departments or users in the internal LAN, information leakage or illegal attacks may also result. According to survey statistics, 70% of the network security incidents that have occurred come from inside. Therefore, the security risk of the intranet is more serious. Internal employees are familiar with the network structure and applications of their own enterprise. Attacks by insiders, the disclosure of important information, and collusion between insiders and outsiders are likely to become the most deadly security threats that lead to the system being attacked.
3. Security risk analysis of the system
So-called system security usually refers to the security of the network operating system and application systems. Current operating systems and application systems, whether Windows, any commercial UNIX operating system, or application systems developed by other manufacturers, have their own back doors, and there are inevitably security holes in the systems themselves. These "back doors" and security vulnerabilities pose significant security risks. Therefore, we should correctly assess our own network risks and make corresponding security solutions according to them.
4. Application security risk analysis
The security of application systems involves many aspects. An application system is dynamic and constantly changing, so the security of the application is also dynamic. For example, adding new applications will certainly introduce new security vulnerabilities, and corresponding adjustments must be made in the security strategy to improve it continuously.
4.1 Open server applications
The telecom provincial center is responsible for the province's tandem switching, network management, service management and information services, so its equipment includes the user management, billing, authentication, security, network management and DNS servers and other public servers of the province, providing services such as browsing, searching and downloading. Because external users can legitimately access these public servers, if no access control is applied, malicious intruders may exploit security vulnerabilities (open protocols, port numbers, etc.) to take control of these public servers, and even use the public server network as a bridge to invade the internal LAN and steal or destroy important information. The data recorded on these servers is very important, and its security must be fully guaranteed so that functions such as billing and authentication can be carried out.
4.2 Virus transmission
The Internet is one of the best and fastest ways for viruses to spread. Virus programs can sneak into the intranet through online downloads, e-mail, the use of pirated CDs or floppy disks, and manual delivery. Once a host in the network is infected by a virus, it is entirely possible for the virus program to spread rapidly in a very short time to all hosts on the network. Some viruses automatically package files on your system and send them out through the mail outbox. This may cause information leakage, file loss, machine crashes and other unsafe conditions.
4.3 Information storage
If the database server is damaged by natural disasters or other accidents and no corresponding secure backup and recovery system has been adopted, data may be lost, or at the very least service will be interrupted for a long time.
5. Management security risk analysis
Management is the most important part of network security. Unclear rights and responsibilities, an imperfect security management system and a lack of operability may all cause management security risks.
For example, some employees or administrators casually let non-local employees or even outsiders enter the computer room, or employees intentionally or unintentionally disclose important information they know, yet there is no corresponding system to restrict such behaviour. When the network is subjected to other security attacks or threats (such as illegal operations by insiders), it is impossible to detect, monitor, report and warn in real time. At the same time, when an incident happens, there is no basis for tracking clues and investigating hacker attacks; that is, the network lacks controllability and auditability. This requires us to record access activities on the network at multiple levels and find illegal intrusions in time.
To establish a brand-new network security mechanism, we must deeply understand the network and provide direct solutions. Therefore, the most feasible method is to combine the management system with technical solutions.
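The open server risk (4.1) and the management risk above both call for recording access to the provincial center's servers at multiple levels and detecting illegal access in time rather than after the fact. The following is an added illustration of such an audit over constructed access records, not code from the original document; the host names, network segments, ports, log format and thresholds are all assumptions for the example.

```python
"""Access audit for a provincial-center server zone: each recorded access is
checked against a per-server policy (which segments may reach which port),
and out-of-policy access and repeated authentication failures are reported."""
import ipaddress
from collections import defaultdict

# Constructed policy: public servers are open to anyone on their service port,
# while billing and authentication servers may only be reached from the
# network-management segment. All names and addresses are assumptions.
MGMT_SEGMENT = ipaddress.ip_network("10.1.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
POLICY = {
    # server: {port: [networks allowed to reach that port]}
    "dns1":     {53: [ANY]},
    "www1":     {80: [ANY]},
    "billing1": {1521: [MGMT_SEGMENT], 22: [MGMT_SEGMENT]},
    "auth1":    {1812: [MGMT_SEGMENT], 22: [MGMT_SEGMENT]},
}
FAIL_THRESHOLD = 3   # authentication failures from one source to one server
WINDOW = 60          # within this many seconds

# Constructed log lines: epoch_seconds source_ip server port result
SAMPLE_LOG = """\
1000 203.0.113.5 dns1 53 OK
1001 203.0.113.5 www1 80 OK
1002 10.1.0.7 billing1 1521 OK
1003 203.0.113.9 billing1 1521 FAIL
1004 203.0.113.9 billing1 22 FAIL
1005 10.1.0.7 auth1 22 OK
1010 203.0.113.9 auth1 22 FAIL
1020 203.0.113.9 auth1 22 FAIL
1030 203.0.113.9 auth1 22 FAIL
1100 198.51.100.2 www1 8080 OK
""".splitlines()

def parse(line):
    ts, src, server, port, result = line.split()
    return int(ts), src, server, int(port), result

def allowed(src, server, port):
    """True if the policy permits source address 'src' to reach server:port."""
    nets = POLICY.get(server, {}).get(port)
    if not nets:
        return False            # unknown server or unlisted port is never allowed
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)

def audit(lines):
    """Return (kind, ts, src, server, port) alerts in log order."""
    alerts = []
    failures = defaultdict(list)   # (src, server) -> recent failure timestamps
    for line in lines:
        ts, src, server, port, result = parse(line)
        if not allowed(src, server, port):
            alerts.append(("OUT_OF_POLICY", ts, src, server, port))
        if result == "FAIL":
            recent = [t for t in failures[(src, server)] if ts - t <= WINDOW]
            recent.append(ts)
            failures[(src, server)] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE", ts, src, server, port))
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```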