My thesis is entitled "Design and Analysis of Enterprise Network"
Analysis and design principles of enterprise network security prevention system

I. Introduction

With the deepening of informatization process and the rapid development of Internet, networking has become the development trend of enterprise informatization, and information resources have been shared to the greatest extent. However, with the development of information technology, the problem of network security has become increasingly prominent, which has become a challenge faced by mankind in the information age, and the problem of network information security has become a top priority. If this problem is not solved well, it will certainly hinder the process of information development.

II. Security attacks, security mechanisms and security services

The ITU-T X.800 standard gives separate logical definitions for the parts of what we often call "network security". A security attack is any behavior that damages the security of information owned by an organization. A security mechanism is a mechanism designed to detect or prevent security attacks, or to restore the system after one. A security service is a service that uses one or more security mechanisms to resist security attacks and improve the security of an organization's data processing systems and information transmission. The relationship between them is shown in Table 1.

III. The network security system framework

In order to understand users' security needs effectively and to choose among security products and strategies, it is necessary to establish a systematic approach to network security protection. The soundness and feasibility of the network security protection system are what guarantee its smooth implementation. Figure 1 shows a three-dimensional security technology architecture based on an extension of DISSP. The first dimension is the security service, for which eight security attributes (ITU-T REC-X.800-199103-I) are given. The second dimension is the system unit, which gives the composition of the information network system. The third dimension is the structure layer, which gives and extends the ISO Open Systems Interconnection (OSI) model.

Each system unit in the framework corresponds to a certain protocol level, and several security services are needed to ensure the security of that unit. The network platform needs authentication and access control between network nodes. The application platform needs authentication and access control for users, needs to ensure the integrity and confidentiality of data transmission, needs non-repudiation and audit functions, and needs to ensure the availability and reliability of application systems. For an information network system, if each system unit has security measures that meet its security requirements, then we consider the information network secure.
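The completeness criterion in the paragraph above can be checked mechanically. The following is an added example, not part of the original thesis: the required services per system unit come from the text, while the mechanism-to-service mapping, the deployed inventory and all function names are constructed assumptions.

```python
# Services each system unit needs, taken from the paragraph above.
REQUIRED = {
    "network platform": {"authentication", "access control"},
    "application platform": {
        "authentication", "access control", "integrity", "confidentiality",
        "non-repudiation", "audit", "availability", "reliability",
    },
}

# Assumption: simplified, constructed mapping of mechanism -> services supported.
MECHANISM_SERVICES = {
    "encipherment": {"confidentiality"},
    "digital signature": {"authentication", "integrity", "non-repudiation"},
    "access control list": {"access control"},
    "authentication exchange": {"authentication"},
    "audit trail": {"audit"},
    "redundant servers": {"availability", "reliability"},
}

# Constructed inventory: mechanisms actually deployed on each unit.
DEPLOYED = {
    "network platform": ["authentication exchange", "access control list"],
    "application platform": ["encipherment", "access control list", "audit trail"],
}

def provided(unit, deployed=DEPLOYED):
    """Union of the services supplied by the mechanisms deployed on a unit."""
    services = set()
    for mech in deployed.get(unit, []):
        if mech not in MECHANISM_SERVICES:
            raise KeyError(f"unknown mechanism {mech!r} on {unit!r}")
        services |= MECHANISM_SERVICES[mech]
    return services

def gaps(deployed=DEPLOYED):
    """Required services that no deployed mechanism supports, per unit."""
    return {u: need - provided(u, deployed) for u, need in REQUIRED.items()}

def assess(deployed=DEPLOYED):
    """Return (secure?, [(unit, coverage ratio)] ordered least-covered first)."""
    g = gaps(deployed)
    ranked = sorted(((u, 1 - len(g[u]) / len(REQUIRED[u])) for u in REQUIRED),
                    key=lambda pair: pair[1])
    return all(not missing for missing in g.values()), ranked

if __name__ == "__main__":
    secure, ranked = assess()
    print("secure by the framework's criterion:", secure)
    for unit, ratio in ranked:
        print(f"{unit}: {ratio:.0%} covered, missing {sorted(gaps()[unit])}")
```

The least-covered unit is listed first, which is where additional mechanisms yield the largest improvement under this criterion.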

IV. The levels of the network security system

An all-round, integrated network security system is also hierarchical, and different levels reflect different security issues. According to the present state of network applications and the structure of the network, we divide the security system (see Figure 2) into physical layer security, system layer security, network layer security, application layer security and security management.

1. Security of physical environment (physical layer security)

This security level includes the security of communication lines, physical equipment and computer rooms. The security of the physical layer is mainly reflected in the reliability of communication lines (line backup, network management software, transmission media), the security of hardware and software equipment (replacing equipment, disassembling equipment, adding equipment), the backup of equipment, the ability of disaster prevention and anti-interference, the operating environment of equipment (temperature, humidity, smoke and dust), uninterrupted power supply and so on.

2. The security of the operating system (system layer security)

Security problems at this level come from the operating systems used in the network, such as Windows NT and Windows 2000. They show up in three ways. The first is the insecurity caused by defects in the operating system itself, mainly in identity authentication, access control and system vulnerabilities. The second is the security configuration of the operating system. The third is the threat that viruses pose to the operating system.

3. Network security (network layer security)

The security problems at this level are mainly reflected in network security, including network layer identity authentication, access control of network resources, confidentiality and integrity of data transmission, security of remote access, security of domain name system, security of routing system, means of intrusion detection, anti-virus of network facilities and so on.

4. Application security (application layer security)

The security problems at this level are mainly caused by the security of application software and data used to provide services, including Web services, e-mail systems, DNS and so on. In addition, it also includes the threat of viruses to the system.

5. Security of management (security management)

Security management includes the management of security technology and equipment, the security management system, and the organizational rules for departments and personnel. How well management is institutionalized has a great influence on the security of the whole network. A strict security management system, a clear division of security responsibilities among departments and a reasonable assignment of personnel roles can greatly reduce security vulnerabilities at the other levels.

V. Network security system design criteria

According to the security requirements to prevent security attacks, the security objectives to be achieved, the security services required by the corresponding security mechanisms and other factors, and referring to international standards such as SSE-CMM ("System Security Engineering Capability Maturity Model") and ISO 17799 (Information Security Management Standard), the whole process design of the network security prevention system is carried out, taking into account the aspects of enforceability, manageability, expansibility, comprehensive completeness and system balance.

1. Cannikin Law of network information security

The Cannikin Law of network information security refers to the balanced and comprehensive protection of information. The maximum volume of a barrel depends on its shortest piece of wood. A network information system is a complex computer system, and its physical, operational and management weaknesses together make up the security vulnerability of the system. In particular, the complexity of a multi-user network system and the sharing of its resources mean that purely technical protection cannot guard against everything. Attackers follow the "easiest point of penetration" principle and are bound to attack the weakest part of the system. Therefore, a full, comprehensive and complete analysis, evaluation and detection (including simulated attacks) of the security vulnerabilities and threats of the system is a necessary prerequisite for designing an information security system. The primary purpose of security mechanism and security service design is to prevent the most commonly used means of attack, and the fundamental purpose is to improve the security performance of the "lowest security point" of the whole system.

2. Integrity principle of network information security

When the network is attacked or damaged, the service of the network information center must be restored as soon as possible to reduce losses. Therefore, the information security system should include a security protection mechanism, a security detection mechanism and a security recovery mechanism. The security protection mechanism takes protective measures against the various security threats that exist in a specific system, in order to avoid illegal attacks. The security detection mechanism monitors the operation of the system, and finds and stops attacks on the system in time. The security recovery mechanism handles emergencies when the security protection mechanism fails, recovering information as soon as possible and reducing the extent of the damage.

3. Safety evaluation and balance principle

For any network, absolute security is difficult to achieve, nor is it always necessary, so a reasonable and practical system for evaluating and balancing security against user needs must be established. The design of the security system should correctly handle the relationship between demand, risk and cost, make security compatible with availability, and be something the organization can actually carry out. There are no absolute standards or indicators for evaluating the security of information. It can only be determined according to the needs of users and the specific application environment of the system, and depends on the scale and scope of the system, the nature of the system and the importance of the information.

4. Principles of standardization and consistency

The system is a large systems-engineering undertaking, and the design of its security system must follow a series of standards, so as to ensure the consistency of each subsystem and allow the whole system to interconnect and share information securely.

5. The principle of combining technology with management

A security system is a complex piece of systems engineering involving many factors such as people, technology and operation, and it cannot be realized by technology or management alone. Therefore, the various security technologies must be combined with the operation management mechanism, with the ideological education and technical training of personnel, and with the construction of security rules and regulations.

6. The principle of overall planning and step-by-step implementation

Because policy and service demand are uncertain, because environment, conditions and time change, and because attack methods advance, security protection cannot be achieved in one step. Under a comprehensive security plan, a basic security system can first be established according to the actual needs of the network, to ensure basic and necessary security. As the network grows in scale, as its applications increase and as those applications change and become more complex, network vulnerability will continue to increase, and security protection should be adjusted or strengthened to ensure the most fundamental security requirements of the whole network.

7. The principle of hierarchy

The hierarchical principle refers to security layers and security levels. A good information security system must be divided into different levels, including the classification of information confidentiality, the classification of user operation rights, the classification of network security (security subnets and security areas), and the classification of the system implementation structure (application layer, network layer, link layer, etc.), so as to provide comprehensive and optional security algorithms and security systems for security objects at different levels and meet the various practical needs of different levels in the network.

8. The principle of dynamic development

According to the changes of network security, we should constantly adjust security measures to adapt to the new network environment and meet the new network security requirements.

9. The principle of operability

First, security measures have to be carried out by people. If the measures are too complicated and demand too much of the people performing them, security itself will be reduced. Second, the measures taken must not affect the normal operation of the system.

VI. Conclusion

Because of the openness of the Internet, the security defects of communication protocols and the distributed nature of data storage, access and processing in the network environment, data transmitted on the Internet is easily leaked and destroyed, and networks are seriously threatened by security attacks, so it is all the more urgent to establish an effective network security prevention system. In fact, to ensure network security, it is not only necessary to refer to the various network security standards and form a reasonable evaluation standard. More importantly, it is necessary to clarify the framework of network security, the hierarchical structure of security prevention and the basic principles of system design, to analyze every insecure link in the network system, to find the security vulnerabilities, and to address them in a targeted way.