Data Center Security Management Solution

1.1 Construction ideas

The construction of a data center's security system is not a stack of security products. It is an ecosystem built around the user's specific business environment, usage habits, security policy requirements and other factors. It involves many security technologies, and the implementation process requires a great deal of research and consulting work, coordination among many security vendors, and product selection. Maintaining the balance of that ecosystem after the security system is completed is a complex systems-engineering project. It is generally recommended to invest in construction in stages, moving from technology to management and gradually realizing the organization's strategic goals.

The overall design idea is to enclose the core business hosts and databases that need protection, logically isolate them from other network areas, and close all ports and IP addresses that should not be exposed, forming data islands without affecting existing services. Data access is funneled through a fixed entrance, where strict access control and auditing are applied. Security shifts from the previous passive posture to active defense: the occurrence of security incidents is brought under control, and the personnel who access the system are effectively authenticated, authorized and audited, which makes sensitive operations more transparent and effectively prevents security incidents.

Firewalls, account lifecycle management systems, data encryption systems, token authentication systems, audit systems and other security facilities are deployed at the access entrance to control, authorize and audit all external access to the hosts in the core area. Sensitive data leaving the core area in batches is encrypted, so that all encrypted data remains effectively enclosed within the security domain, and the entire life cycle of the data (generation, circulation and destruction) is tracked to prevent leakage and abuse of sensitive data.

To ensure the business continuity of XXX users, all security subsystems are deployed in the network in bypass mode. The account lifecycle management system, audit system and database each run in dual-machine mode to provide their own high reliability. The encryption system, privileged account lifecycle management system and token authentication system are all recommended to be deployed on the VMware cloud computing platform, using VMware's server virtualization capabilities to give the anti-leakage system good reliability and scalability.

1.2 Construction requirements

After years of informatization construction for XXX users, the various businesses have been running smoothly, and the data center has accumulated a great deal of valuable data. These intangible assets are more important than the hardware assets, yet they face very serious security challenges.

In the early stages of system construction, most users did not consider data security or application security. After years of development, data centers have become larger and their businesses more complex, but there has been no matching construction of information security. Security incidents have occurred, such as database tables being deleted, host passwords being modified, sensitive data being leaked, and privileged accounts being used by third-party personnel. These incidents are often carried out by privileged users directly from the back end; the operations are very well hidden and frequently cannot be traced afterwards.

In fact, information security construction should be involved from the early stage of system design and run through the whole process; this is when the manpower and material resources spent are smallest. When a system is built first, problems are discovered, and only then is security construction considered, the investment cost becomes the largest.

1.3 Overall plan

The overall deployment architecture diagram of the information security system


1. Deploy a firewall module or an independent firewall on the core switch to logically isolate important hosts and databases from other subnets, divide security zones, block unnecessary ports, and isolate terminal IPs from the data center.

2. Deploy the IP access control system in bypass mode on the switches where terminals are aggregated to detect illegal external connections, implement an IP real-name system, and effectively control the terminals that access the intranet.

3. Deploy a host account management system, restrict all terminals to accessing hosts only through the management system, control and audit access sessions such as Telnet, SSH and RDP, prevent terminals from copying data from hosts to the local hard disk, and prevent misoperation.

4. Deploy a database account management system that uniformly publishes common maintenance tools such as database access tools (PL/SQL) and FTP tools, audits and records front-end database access operations, and keeps data enclosed on the server side. Downloading of data is strictly controlled, and extracted data is encrypted.

5. Deploy an encryption system (DLP) to automatically encrypt all data flowing out of the data center and manage the life cycle of that data: generation, circulation, editing and destruction.

6. Deploy a database audit system to audit database access behavior, monitor access to sensitive data, monitor database operation behavior, record back-end database changes, and support after-the-fact investigation.

7. Deploy a data desensitization system between the production database and the test database to automatically desensitize data extracted from the online database before it is imported into the test database, avoiding data leakage. Manage the permissions of people who access the online database from the back end, and automatically mask the sensitive fields they access.

8. Deploy an application embedded account management system to take custody of the privileged accounts embedded in application systems and enforce security policies such as regular credential changes, password strength and password encryption.

9. Deploy a token authentication system so that users who log in to the data center use two-factor authentication, confirming the identity of those who access the data center and preventing account sharing.

10. Deploy a cloud computing platform to provide a good operating environment for the anti-leakage system. The cloud computing platform improves the reliability and scalability of the system, reduces downtime and reduces maintenance costs.

11. All systems use Active Directory for authentication, with dynamic tokens as the second factor, so that users can be accurately identified.

1.3.1 IP access control system

Nowadays many manufacturers at home and abroad have launched their own access control solutions. Their purpose is to check the security of a terminal before it connects to the network and to allow only legitimate users onto the network, avoiding the risks that uncontrolled network access brings to the system. There are two mainstream approaches. The bypass deployment method is based on 802.1X and needs to be linked to the switch; the in-line (cascade) deployment method does not need to be linked to the switch, but it challenges the throughput and performance of the network, and not many users adopt it. Neither approach has been deployed successfully in the complex Chinese environment except where either the network conditions are very good and the switches support 802.1X, or the network is very flat and all terminals converge on the same outlet.

Difficulty of IP address management: every computer connected to the intranet needs a legal IP address, and the allocation and management of IP addresses is a headache for network administrators. Fraudulent use and abuse of IP addresses, MAC addresses and computer names are widespread, but administrators lack effective means of monitoring them. If two hosts on the LAN have the same IP address, each raises an alarm about the other, causing application confusion. IP address theft and conflicts have therefore become the most troublesome problem for network administrators, and when hundreds or even thousands of hosts are online at the same time, controlling IP address theft and conflicts becomes even more urgent.

In practice, the IP address assigned by the network administrator to a network user only takes effect after the user has entered it correctly. This gives end users direct contact with IP addresses, and because of that intervention, users may freely modify their IP address. A changed IP address can produce three results when used on the network:

• Illegal IP address: the self-modified IP address is not in the planned network segment, and the network connection is interrupted.

• Duplicate IP address: the address conflicts with a legal IP address that has already been allocated and is in use on the network, and the machine cannot connect.

• Illegal occupation of allocated resources: the legal IP address of another registered user (whose machine is not powered on) is misappropriated for network communication.

IPScan can control illegal IP access well. By cutting off the network connection, it achieves quick and efficient control over the IPs already on the intranet and minimizes security threats to the intranet in a very convenient way. Through IP/MAC binding, IPScan monitors each IP address in real time; once an illegal IP address or an illegal operation on an IP address is found, it can act on that address promptly, effectively preventing IP conflicts. The product is designed around the second layer (data link layer), which allows it to effectively control ARP broadcast viruses: by detecting ARP broadcast packets, it can automatically prevent an infected host from sending large numbers of ARP broadcasts, thereby ensuring the security of the intranet.

Binding IP addresses in this way achieves a network real-name system in effect. Every terminal that accesses the network is given a unique IP address, so all logs generated in the network become meaningful: each can be linked to a specific terminal and user, giving security logs the role of determining responsibility.
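The checks an IP/MAC binding system performs on observed ARP traffic can be written down concretely. The following is an added example, not IPScan's code or the document's own: it audits a stream of ARP frames against a constructed registration table, reporting the three IP misuse cases listed above (address outside the planned segment, unregistered address, registered address claimed by a different NIC), two NICs fighting over one address, and a single NIC flooding ARP broadcasts. The subnet, MAC addresses, owner names and thresholds are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed registration table, as an IP real-name binding system would hold it:
# ip -> (registered MAC, registered owner). Not a real network.
BINDINGS = {
    "10.1.1.10": ("aa:bb:cc:00:00:10", "alice"),
    "10.1.1.11": ("aa:bb:cc:00:00:11", "bob"),
    "10.1.1.12": ("aa:bb:cc:00:00:12", "carol"),
}
PLANNED_SUBNET = ipaddress.ip_network("10.1.1.0/24")
ARP_FLOOD_LIMIT = 50     # assumed threshold: ARP frames per MAC per window
ARP_FLOOD_WINDOW = 10.0  # seconds


@dataclass(frozen=True)
class ArpFrame:
    """The fields of an observed ARP frame that matter for binding checks."""
    sender_ip: str
    sender_mac: str
    ts: float  # capture time in seconds


def owner_of(ip):
    """Real-name lookup: which registered user is responsible for this address."""
    return BINDINGS.get(ip, (None, None))[1]


def classify(frame):
    """Return 'ok' or the kind of binding violation a single frame shows."""
    if ipaddress.ip_address(frame.sender_ip) not in PLANNED_SUBNET:
        return "illegal_ip"           # outside the planned segment
    bound = BINDINGS.get(frame.sender_ip)
    if bound is None:
        return "unregistered_ip"      # in range, but never registered
    if bound[0] != frame.sender_mac.lower():
        return "ip_mac_mismatch"      # registered address claimed by another NIC
    return "ok"


def audit(frames):
    """Audit a batch of frames; each finding names the address, NIC and registered owner."""
    findings = []
    claimants = defaultdict(set)   # ip -> MACs seen claiming it
    per_mac = defaultdict(list)    # mac -> timestamps of its ARP frames
    for f in frames:
        kind = classify(f)
        if kind != "ok":
            findings.append({"kind": kind, "ip": f.sender_ip,
                             "mac": f.sender_mac.lower(), "owner": owner_of(f.sender_ip)})
        claimants[f.sender_ip].add(f.sender_mac.lower())
        per_mac[f.sender_mac.lower()].append(f.ts)
    # Two different NICs answering for one address is the classic IP conflict.
    for ip, macs in claimants.items():
        if len(macs) > 1:
            findings.append({"kind": "ip_conflict", "ip": ip,
                             "mac": ",".join(sorted(macs)), "owner": owner_of(ip)})
    # Sliding-window count per NIC catches a host spraying ARP broadcasts.
    for mac, stamps in per_mac.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > ARP_FLOOD_WINDOW:
                start += 1
            if end - start + 1 > ARP_FLOOD_LIMIT:
                findings.append({"kind": "arp_flood", "ip": None, "mac": mac, "owner": None})
                break
    return findings


def kinds(findings):
    """Distinct finding kinds, sorted, for quick summaries."""
    return sorted({f["kind"] for f in findings})
```

In a real deployment the frames would come from a mirror port or the switch's ARP table rather than a list, and a finding would drive the cut-off action the text describes; the point of the block is that every finding carries the registered owner, which is what turns a log line into an accountable event.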

1.3.2 Selection of anti-leakage technology

Foreign countries have a good legal environment; deliberate internal leaks are relatively rare, and internal personnel are assumed to be trustworthy. Data leaks there mainly come from external intrusions and unintentional internal leaks. Foreign DLP (Data Leakage Prevention) solutions are therefore mainly aimed at preventing external intrusions and inadvertent internal leaks; they solve part of the problem, but cannot prevent active internal leaks, for which one can only rely more on management methods.

In the domestic environment, legal deterrence is weak and tracking is difficult, so leakers escape legal sanctions more easily and the cost of the crime is relatively low. At the same time, domestic management systems are imperfect, and the probability of inadvertent leaks by internal personnel is relatively high. Domestic DLP takes encryption and permissions as its core: it prevents data leakage from a standpoint of active prevention, encrypting the data and controlling it at the source. Even if internal data is lost to the outside, it cannot be used because it is encrypted, so data security is ensured. Domestic DLP can therefore prevent not only internal leakage (both intentional and unintentional) but also external intrusion and theft.

1.3.3 Host account life cycle management system

More and more services of the XXX user bureau are outsourced to system providers or other professional maintenance companies, and these service systems involve a large amount of sensitive citizen information. Effectively monitoring and strictly auditing the operations of third-party vendors and operation and maintenance personnel is a challenge facing users. Rules and regulations alone can restrain only some people; only strict permission control and operation auditing can ensure that the security management system is actually enforced, so that after a security incident the scene can be effectively reconstructed and the responsible person accurately located.

The host account life cycle management system helps users establish a centralized, unified host operation and maintenance management platform with automated monitoring and auditing. It monitors and audits the operations of all maintenance and support personnel over Telnet, SSH, RDP, FTP, SFTP, VNC, KVM and other protocols, providing a complete behavioral audit of everything done by everyone who logs in to a system. The operating behavior on accessed hosts is collected for real-time monitoring and for after-the-fact playback, reproduction and retrieval, which minimizes operational accidents, reduces operational risk, and makes responsibility traceable and non-repudiable. At the same time, it provides intuitive problem-reporting tools to prevent sensitive data from being stolen at the physical layer.

According to regulations, host and database passwords must be changed within a set period to meet security requirements. There are often too many of these passwords, changing them is time-consuming and laborious, and the root password is frequently forgotten after it has been changed. In many cases, maintenance personnel record passwords in a file and save it in plain text on their computer for convenience; even if the file is protected with a simple password, the consequences are disastrous once it leaks. The host account life cycle management system can take custody of passwords, and host passwords can be set to rotate automatically on a schedule without manual intervention. This improves the efficiency of information security work, reduces management costs, and also reduces security risk.

1.3.4 Database account life cycle management system

At present, XXX users' support staff and third-party maintainers use tools such as PL/SQL to operate directly on online or offline databases, and some operate the database directly through certain modules of the business system, so sensitive data can be edited or deleted directly and cannot be centrally controlled. In view of this, the more effective current solution is to implement a database account life cycle management system. Through the virtualization technology of the account lifecycle management system, high-risk operating tools (such as PL/SQL, the main interface of the business system, the client of a C/S architecture system, etc.) are published centrally; the client needs no installation, and the user calls the program remotely. This avoids transmitting and leaking real data, tracks and audits important operations throughout the process, and gives early warning of important commands.

The system prohibits all data copy operations between the operating terminal and the server, but operators often need to copy a piece of code or script into PL/SQL to run a query, and typing it by hand would inevitably hurt work efficiency. The database account life cycle management system therefore needs one-way data flow control: data may be copied from the terminal into the system, but copying data from the system to the local disk is prohibited. This preserves users' working habits while still achieving the security goal.

If support staff want to save data to the local terminal for secondary processing, they need to export the file to the specified storage path. Once the file is generated it is automatically encrypted. The support staff can download the encrypted file from the specified path to the local disk and perform the secondary processing, while a copy of the file remains on the storage for future reference.

If support staff need to upload modified data to the application system or the host, they need to import the file to the designated storage path. After the file is uploaded it is automatically decrypted and processed so that it can be recognized normally by the application system or host.

1.3.5 Two-factor authentication system

At present, host account sharing is relatively common in the system: one account is used by multiple people, which makes it difficult to determine responsibility afterwards, and static passwords are also easy to obtain. To prevent this, a two-factor authentication system can be used to strengthen identity authentication.

The traditional way is to enable an agent on each host and database that needs protection; with a large number of hosts the configuration workload is very heavy and maintenance very cumbersome. The solution we recommend to the XXX user bureau is to combine the token authentication system with the host account life cycle management system for two-factor authentication, which greatly reduces the configuration workload while still meeting the system's security requirements.

In addition, two-factor authentication should be used for all important business systems and security systems to avoid account sharing and to accurately determine responsibility after a security incident.

1.3.6 Database Audit System

The audit system plays a very useful supplementary role in the whole system. Although the database account life cycle management system records all database operations, it only records the front-end operation process, and it is still weak at quickly locating and reconstructing the entire course of events after a security incident. A professional database audit system audits database operations, records daily database activity and all access to and modification of sensitive data, accurate down to every character. After a security incident, the relevant operating commands can be retrieved precisely, and several pieces of information can be combined to pinpoint the event, which improves auditing efficiency. It can replay all changes in the database, so users know what results the database returned after important operations and what changes occurred; this helps users restore the original trajectory of the entire event and supports parameter recovery and forensics. It can also go deep into application-layer protocols (operation commands, database objects, business operation processes) to achieve detailed security audits and, according to preset security policies, take measures such as generating alarm records, sending alarm emails or SMS, and raising the risk level.


1.3.7 Data masking system

Our user system holds a large amount of sensitive information: citizen data, business data, and so on. The final stage of business system software development uses data that is as real as possible as the basis for testing the software's functions. Especially when implementing or developing large-scale systems such as this user system, the requirements on basic data are very strict, and in many cases production data is cloned directly to test the software system. The consequences are far-reaching: first, production data is real data, through which the contents of the entire database are essentially exposed; second, it contains a great deal of sensitive data, and real sensitive data at that. If an information leak occurs in the test environment, it has fatal consequences for the security of user data.

In recent years, major sensitive data leakage incidents in the government sector have occurred from time to time, as shown in the following figure:

 

The core data desensitization module is built on dynamic data desensitization technology, which is usually applied to the production system. When a request is made to read data from the database, dynamic data desensitization applies different desensitization rules according to the role of the accessing user, as shown in the figure below: authorized users read the complete original data, while non-authorized users see only the desensitized data.

1.3.8 In-app account management system

A complex IT environment contains scripts, processes and applications that need to access resources and databases on multiple platforms, and thus sensitive information. To reach these resources, applications and scripts use accounts on the database to obtain data; some accounts have read-only permissions and some read-write. Protecting, managing and sharing such application accounts has become a huge challenge for IT departments and application owners, and an audit problem for users.

Surveys show that 42% of users never change the account passwords embedded in their applications. This is a serious security risk, clearly violates the requirements of many laws and regulations, and is also a main cause of inefficient operation and maintenance.

The embedded account of an application usually also has very high permissions and can access back-end systems without any control. If the account is not managed effectively, it inevitably leads to illegal access that bypasses the normal management process.

 

Take the billing system in the figure above as an example. The front-end Bill application connects to the database through a built-in database user to update related records. Once unauthorized third-party personnel learn the password, they can enter the database at will, delete records and modify data.

As described above, passwords embedded in applications bring the following security risks:

Passwords are not changed on schedule: to obtain a higher level of security, passwords need to be changed regularly, but changing an embedded application password is a very complicated process because the password is written in multiple places in the application.

Both operation and maintenance personnel and developers know the application password: because the application password is embedded in the program and not changed regularly, it is usually shared among IT operation and maintenance personnel and developers throughout the enterprise, including departing employees and outsourced personnel.

Insufficient password strength: since the passwords are created manually by IT operation and maintenance personnel or developers who need to be able to handle emergencies, they are defined as simply as possible and made easy to remember, which results in non-compliance with the enterprise's privileged account password policy.

Passwords stored in plain text: the embedded password is stored in plain text in the configuration file or source code, and sometimes does not meet strength requirements, so these passwords are easily obtained by anyone who has access to the source code and configuration files.

No auditing of embedded application passwords: in emergencies, both IT operation and maintenance personnel and developers need to use application passwords, and existing password solutions cannot provide corresponding control or auditing of usage records.

Audit and compliance: if application accounts cannot be protected and their usage audited, laws, security standards and regulations are violated, and internal and external audits fail.

Common requirements for application account management

As described in the previous section, the abuse of application passwords creates security and compliance risks: whoever holds an application password can access the enterprise's core applications. To control these application accounts successfully, the chosen solution must meet the following requirements:

Security requirements:

1.  Encryption: application passwords must be stored in a secure place, and must be encrypted both at rest and when transmitted to the application.

2.  Access control: strong access control must apply to the use of a password, strictly limiting the personnel or applications that can retrieve it.

3.  Audit: any password access activity, including individual access records, can be audited quickly.

4.  High availability: the applications concerned cannot tolerate downtime, so they must always be able to obtain these passwords regardless of network connection problems or storage failures.

Management requirements:

1.  Broad platform support: an enterprise generally has different types of systems, applications and scripts. To support the needs of the different applications in the enterprise, an application password management solution must support the following broad range of platforms:

a) Scripts: shell, Perl, bat, SQL*Plus, JCL, etc.

b) Applications: custom-developed C/C++ applications, Java, .NET, COBOL, etc., as well as commercial systems such as Oracle and SAP

c) Application servers: most companies run at least one of the common application servers, such as IBM WebSphere, Oracle WebLogic, JBoss or Tomcat

2.  Simple and flexible integration: the way applications are changed to eliminate hard-coded passwords should be simple and clear, and the whole approach should simplify and shorten the migration of applications to dynamic password management.

3.  Support for complex distributed environments: distributed systems are very common in large enterprises, for example a centralized data center with many branch offices running applications connected to the center. The network connection is not reliable all the time; occasionally it drops or fluctuates, so the high availability of enterprise applications is very important. The solution should allow branch offices to keep operating well when the network connection to headquarters fails.

The embedded account and password management system generally changes the way the business system obtains its embedded account: instead of the traditional password built into the application, the application sends a request for the account and password to the management system. The request and the returned data are encrypted in transit, and the source of the request is authenticated and authorized, so that the latest account and password information is supplied securely.
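The request flow just described, together with the encryption, access control, audit and rotation requirements listed under the security requirements, can be modelled in a single in-process service. The following is an added example, not the code of any embedded account management product: a `CredentialVault` authenticates each request with an HMAC over the application id, account, nonce and timestamp using a key provisioned to that application out of band, rejects stale and replayed requests, checks an ACL before releasing the password, writes every attempt to an audit log, and rotates the stored password with a generated value. Transport encryption (TLS) and encryption of the store at rest are assumed to sit around this logic and are not shown; the application ids, account names and keys are constructed.

```python
import hashlib
import hmac
import secrets
import string
import time

REQUEST_MAX_AGE = 300  # seconds; assumed acceptance window for a signed request


def _signature(shared_key, app_id, account, nonce, timestamp):
    """HMAC-SHA256 over the request fields; proves possession of the app's key."""
    msg = f"{app_id}|{account}|{nonce}|{timestamp}".encode()
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


def build_request(shared_key, app_id, account, now=None):
    """What the application sends instead of reading a hard-coded password."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"app_id": app_id, "account": account, "nonce": nonce,
            "timestamp": timestamp,
            "signature": _signature(shared_key, app_id, account, nonce, timestamp)}


class CredentialVault:
    """Constructed model of the management system side of the exchange."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._passwords = {}    # account -> current password
        self._acl = {}          # account -> set of app_ids allowed to fetch it
        self._app_keys = {}     # app_id -> shared HMAC key, provisioned out of band
        self._used_nonces = set()
        self.audit_log = []     # every fetch attempt, allowed or denied

    def register_app(self, app_id, shared_key):
        self._app_keys[app_id] = shared_key

    def store(self, account, password, allowed_apps):
        self._passwords[account] = password
        self._acl[account] = set(allowed_apps)

    def rotate(self, account, length=24):
        """Replace the stored password with a generated one; callers fetch the new value."""
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
        new_password = "".join(secrets.choice(alphabet) for _ in range(length))
        self._passwords[account] = new_password
        self.audit_log.append({"action": "rotate", "account": account,
                               "app_id": "scheduler", "outcome": "allow"})
        return new_password

    def _deny(self, app_id, account, reason):
        self.audit_log.append({"action": "fetch", "account": account,
                               "app_id": app_id, "outcome": "deny", "reason": reason})
        return False, reason

    def fetch(self, req):
        """Authenticate, check freshness and replay, then authorize; audit either way."""
        app_id, account = req.get("app_id"), req.get("account")
        key = self._app_keys.get(app_id)
        if key is None:
            return self._deny(app_id, account, "unknown application")
        if abs(self._clock() - req["timestamp"]) > REQUEST_MAX_AGE:
            return self._deny(app_id, account, "stale request")
        if req["nonce"] in self._used_nonces:
            return self._deny(app_id, account, "replayed nonce")
        expected = _signature(key, app_id, account, req["nonce"], req["timestamp"])
        if not hmac.compare_digest(expected, req["signature"]):
            return self._deny(app_id, account, "bad signature")
        self._used_nonces.add(req["nonce"])
        if app_id not in self._acl.get(account, set()):
            return self._deny(app_id, account, "not authorized for account")
        self.audit_log.append({"action": "fetch", "account": account,
                               "app_id": app_id, "outcome": "allow"})
        return True, self._passwords[account]
```

The application code that replaces the hard-coded string is `build_request` followed by `fetch`, so a rotation by the scheduler is picked up on the next fetch with no change to the application; the audit log is what the audit requirement asks for, recording who asked for which account and whether they got it.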

1.3.9 Cloud Computing Platform

At present, most users' data centers have already deployed VMware's cloud computing platform, which can be integrated well into the information security system.

The account lifecycle management system, encryption system, two-factor authentication system, Active Directory, embedded account management, data desensitization system, unified security operation platform and file server are all standard software applications, and all of them can run on the VMware cloud computing platform. With VMware, the information security subsystems can easily be snapshotted, migrated and expanded, and quickly restored in the event of a failure. This provides a good support platform for the information security system, reduces downtime and maintenance costs, and improves work efficiency.

1.3.10 Firewall

Deploy an independent high-performance firewall in the data center and use it to logically isolate two areas: the internal core server and database area (data center area), and the information security system and other external server area (the DMZ).

After the host account lifecycle management system goes online, the data center firewall needs security policies that block FTP, SSH, Telnet, RDP and all unused ports and prohibit any external terminal from initiating connections directly to data center hosts. Terminals must not reach data center assets directly; they may access the data center only through the management system, while interconnection between hosts inside the data center remains allowed.

After the database account lifecycle management system goes online, the data center firewall needs a security policy that closes the database ports and prohibits any external terminal from operating the database directly with database tools, while still allowing data synchronization between hosts inside the data center.
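The two firewall policies above reduce to a short ordered rule set: hosts inside the data center may talk to each other, only the host management system may reach the management ports, only the database management system may reach the database ports, and everything else into the data center is denied. The following is an added example, not a configuration from the document or from any firewall vendor: it encodes that policy with constructed addresses, evaluates connection attempts against it with first-match semantics, and lints the rule set for the two mistakes that most often undo such a policy (an allow rule open to any source, and a catch-all deny placed before the rules it should follow). The subnets, management system addresses and database ports are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # destination ports; empty set means any port
    action: str       # "allow" or "deny"


# Constructed addressing (assumed, not the document's real plan).
DC_NET = "10.10.0.0/24"       # data center area: core hosts and databases
BASTION = "10.20.0.5/32"      # host account lifecycle management system, in the DMZ
DB_GATEWAY = "10.20.0.6/32"   # database account lifecycle management system, in the DMZ
ANY = "0.0.0.0/0"
MGMT_PORTS = frozenset({21, 22, 23, 3389})   # FTP, SSH, Telnet, RDP
DB_PORTS = frozenset({1521, 3306})           # assumed database listeners

POLICY = [
    Rule("dc-host-to-host", DC_NET, DC_NET, frozenset(), "allow"),
    Rule("bastion-to-hosts", BASTION, DC_NET, MGMT_PORTS, "allow"),
    Rule("db-gateway-to-db", DB_GATEWAY, DC_NET, DB_PORTS, "allow"),
    Rule("default-deny", ANY, DC_NET, frozenset(), "deny"),
]


def _matches(rule, src, dst, port):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (not rule.ports or port in rule.ports))


def evaluate(policy, src, dst, port):
    """First-match evaluation; traffic matching no rule is denied (implicit default deny)."""
    for rule in policy:
        if _matches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit"


def simulate(policy, attempts):
    """Run a batch of (src, dst, port) attempts and return their decisions."""
    return [(src, dst, port, *evaluate(policy, src, dst, port)) for src, dst, port in attempts]


def lint_policy(policy, protected=DC_NET):
    """Warn about allow rules open to any source, and a catch-all deny that is not last."""
    warnings = []
    prot = ipaddress.ip_network(protected)
    for i, rule in enumerate(policy):
        src_net = ipaddress.ip_network(rule.src)
        if rule.action == "allow" and src_net.prefixlen == 0 \
                and ipaddress.ip_network(rule.dst).overlaps(prot):
            warnings.append(f"{rule.name}: allows any source into {protected}")
        if rule.action == "deny" and src_net.prefixlen == 0 and i != len(policy) - 1:
            warnings.append(f"{rule.name}: catch-all deny shadows later rules")
    return warnings
```

Run `simulate` over the connection attempts that matter (office terminal to a host on SSH, the management system to the same host, the management system to a database port) before and after a policy change; the expected decisions are the acceptance test for the firewall configuration the text calls for.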

1.3.11 Unified security operation platform

With the growing size of information architecture and application systems, today's IT architecture is no longer the simple environment of a single system or a single device. It often contains many security devices, host devices, network devices, application systems, middleware and databases, which generate huge volumes of log files every day that cannot be processed even by dedicated staff. Tracing a security incident across heterogeneous systems and platforms requires a great deal of manpower and time, and locating problems on heterogeneous platforms this way neither manages them effectively nor reduces costs.

The unified security operation platform can search, alert on and report any user, network, system or application activity, configuration change or other IT data in real time from a single location.

It eliminates the need for multiple consoles and lets the attacker's trail be traced from a single location. Deeper analysis and faster, more thorough response become possible, reducing risk and exposure.

Incident response

When an alarm or report of any suspicious activity is received, the unified security operation platform is the first window for handling it. Users simply enter the details they have into the platform's search box, such as the source and destination IP of an IDS alarm or the ID of a customer account that believes its private data has been leaked. The platform immediately returns every event related to the search criteria across all applications, hosts and devices in the entire network. Although a lot of data may come back at first, the platform helps users sort out the clues and organize them the way they want: it automatically extracts fields, lets users filter on time and other fields, and classifies events by keywords and patterns, so users can quickly work through all the activity data. If a user finds a noteworthy event and wants to follow it, a click on any term starts a new search for that term. Because the platform can index any IT data, not just security events or log files, users need only the platform to grasp the overall situation. From this single location they can search for and discover programs the attacker may have executed, now or in the past, and view configuration changes that may have been made.

Security monitoring

The unified security operation platform makes it easy for users to monitor security events across the IT estate: search router and firewall log files for data-flow violations, look for violations on servers and applications, or look for unauthorized or insecure configuration changes. Using the platform's trend analysis, classification and execution identification functions, users can quickly identify very complex usage situations, such as suspicious executions and patterns, or changes in network activity. The alarm function can send notifications via email, RSS or SMS or trigger scripts, and can be easily integrated with the user's existing monitoring console. Alarms can also trigger automated actions that respond to specific situations immediately, such as instructing a firewall to block the intruder's future traffic.
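The search-and-pivot workflow of the incident response section and the threshold alerting of this section share one mechanism: normalize heterogeneous log lines into events with common field names, index every field value, and query the index by any term. The following is an added example, not the platform's own code: it parses constructed firewall, sshd and IDS lines into events, builds an inverted index over their fields, searches by IP or user name across all three sources, and raises an alert for any source address with more denied or alerted events than a threshold. The log lines, host names and addresses are all made up for the example.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample lines from three heterogeneous sources (made up, not real logs).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01 fw01 DENY src=203.0.113.7 dst=10.10.0.20 dport=22",
    "2024-05-01T10:00:02 fw01 DENY src=203.0.113.7 dst=10.10.0.21 dport=22",
    "2024-05-01T10:00:03 fw01 ALLOW src=10.20.0.5 dst=10.10.0.20 dport=22",
]
SSH_LOGS = [
    "May  1 10:00:05 dc-host20 sshd[412]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "May  1 10:00:09 dc-host20 sshd[413]: Accepted publickey for ops from 10.20.0.5 port 51010 ssh2",
]
IDS_ALERTS = [
    '{"ts": "2024-05-01T10:00:04", "sig": "SSH brute force", "src_ip": "203.0.113.7", "dst_ip": "10.10.0.20"}',
]

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src_ip>\S+) "
                   r"dst=(?P<dst_ip>\S+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src_ip>\S+)")


def parse_firewall(line):
    m = FW_RE.match(line)
    return {"source": "firewall", **m.groupdict(),
            "outcome": "deny" if m["action"] == "DENY" else "allow", "raw": line}


def parse_ssh(line):
    m = SSH_RE.match(line)
    return {"source": "ssh", **m.groupdict(),
            "outcome": "deny" if m["result"] == "Failed" else "allow", "raw": line}


def parse_ids(line):
    d = json.loads(line)
    return {"source": "ids", "ts": d["ts"], "sig": d["sig"], "src_ip": d["src_ip"],
            "dst_ip": d["dst_ip"], "outcome": "alert", "raw": line}


def load_events():
    """Normalize every source into events sharing src_ip/dst_ip/outcome field names."""
    return ([parse_firewall(l) for l in FIREWALL_LOGS]
            + [parse_ssh(l) for l in SSH_LOGS]
            + [parse_ids(l) for l in IDS_ALERTS])


def build_index(events):
    """Inverted index: any field value -> the events carrying it (the 'click to pivot' table)."""
    index = defaultdict(list)
    for ev in events:
        for field, value in ev.items():
            if field != "raw":
                index[str(value)].append(ev)
    return index


def search(index, term):
    return index.get(term, [])


def sources(events):
    return sorted({e["source"] for e in events})


def hostile_sources(events, threshold):
    """Source addresses with at least `threshold` denied or alerted events, any source."""
    counts = Counter(e["src_ip"] for e in events if e["outcome"] in ("deny", "alert"))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A search for the IDS alert's source address returns the firewall denies, the failed SSH login and the alert itself in one result set, and a pivot on the user name seen in that set is just another `search`; the threshold function is the shape of the alarm the text describes, and its output is what an automated response would act on.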

Change detection

Through the unified security operation platform, files on all monitored paths can be continuously monitored without deploying additional agents. Every time a file is added, changed or deleted on a path the user monitors, the platform records an event. Users can also have the platform create a snapshot index each time the overall set of files changes. If a dedicated change monitoring tool has already been deployed, that is no problem: the platform simply indexes the events that tool records instead of monitoring the changes directly.

Regardless of the source, as long as the indexed data changes, users are alerted to major configuration changes and can easily trace the cause of errors introduced by configuration changes.
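The added/changed/deleted events described above come from comparing two content snapshots of a monitored tree. The following is an added example and not the platform's implementation: it hashes every file under a root, diffs two snapshots into the three event kinds, and filters the result to the configuration files worth alerting on. `demo` builds a throwaway directory with constructed files so the block runs anywhere; the paths and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path):
    """Content hash, read in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its content hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    """The three change events the platform records, as sorted path lists."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
        "deleted": sorted(set(before) - set(after)),
    }


def alerts(diff, watch_suffixes=(".conf",)):
    """Only changes to watched file types become alerts; everything else stays an event."""
    return [f"{kind}: {path}"
            for kind in ("added", "changed", "deleted")
            for path in diff[kind] if path.endswith(watch_suffixes)]


def demo():
    """Constructed scenario: edit one config, delete a script, add a config; return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.10.0.30\n")
        (root / "etc" / "keep.conf").write_text("log_level=info\n")
        (root / "bin" / "run.sh").write_text("#!/bin/sh\n")
        before = snapshot(root)
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")  # changed
        (root / "bin" / "run.sh").unlink()                                # deleted
        (root / "etc" / "new.conf").write_text("debug=true\n")            # added
        after = snapshot(root)
        return diff_snapshots(before, after)
```

A scheduled run keeps the previous snapshot and feeds the diff into the same index as the other log sources, which is how the "indexed data changed" alert in the text is produced whether the events come from this kind of scan or from an existing change monitoring tool.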

Security report

The unified security operation platform gives users a single location for generating reports across the whole IT infrastructure and all technologies, including all servers, devices and applications. It provides reports on security events, performance statistics and configuration changes, and uses trend charts and summaries to identify abnormal and suspicious changes. Interactive reports let users dig deeper to understand the cause and impact of a problem. With the platform, users can demonstrate the basic security posture of their infrastructure, check access controls or closely monitor user behavior, produce automatically scheduled reports for their customers, management or colleagues, or generate reports on specific operations. The report results can then be placed on a dashboard to give asset managers in the user organization a real-time view of applications and systems and improve situational awareness.

1.3.12 Security operation and maintenance services
  • Vulnerability scanning service: vulnerability scan results, comparative analysis report, vulnerability summary table
  • System hardening service: system hardening and optimization plan, system hardening implementation report (assisted)
  • Baseline assessment: assess the minimum security policy of the target system
  • Security penetration testing service: penetration test plan, penetration test report
  • Security device inspection service: inspection specification, inspection report
  • System security review service: system security review report (security policy)
  • Security consulting services: information security consulting, security planning, solution consulting
  • Security incident response: security incident report
  • Security on-site service: weekly, monthly and daily operation and maintenance of security systems
  • Security project implementation: research, interviews, business requirements


Origin blog.csdn.net/llooyyuu/article/details/106001356