04. Gap assessment secure communication network + secure area boundary


This series walks through the main stages of a Dengbao 2.0 (China's Classified Protection of Cybersecurity 2.0, MLPS 2.0) project: Dengbao overview, grading and filing, gap assessment, planning and design, security rectification, and testing and acceptance.
After grading and filing, the formal evaluation work begins. Non-technical steps such as signing the contract and holding the project kick-off meeting are skipped here. This section carries out the detailed evaluation item by item according to the ten aspects (five technical, five management) of the evaluation requirements, describing the overall framework of each aspect before going into its items.
The previous part covered the secure physical environment. This section covers the secure communication network and the secure area boundary. Of the five technical aspects, the secure physical environment is the simplest because its objects are static; the other four are more involved. Unlike the previous section, no single reference answer can be given straight from the standard, because the evaluation steps depend on which vendor's equipment is deployed.

Secure communication network

The secure communication network part of the general security requirements sets security control requirements for communication networks. The main objects are wide area networks, metropolitan area networks and local area networks. The control points involved are network architecture, communication transmission and trusted verification.

8.1.2.1 Network Architecture

Note that devices with little impact on the normal operation of the system (terminal access switches, out-of-band management devices, etc.) may have limited performance headroom; the performance requirement can be relaxed for them.
Where a monitoring platform exists, check the resource usage (CPU, memory, etc.) of the main devices during the business peak through it; otherwise log in to the main devices during the peak period and use CLI commands to view resource usage. Commands by vendor:
Cisco: show processes cpu (CPU usage) and show processes memory (memory usage); show process is the abbreviated form. On ASA, show resource usage all additionally shows session/connection usage (optional).
Huawei: display cpu-usage (CPU usage) and display memory-usage (memory usage). H3C: display cpu-usage and display memory, plus display session statistics for session statistics (optional).
Ruijie: show memory slot (memory usage) and show cpu (CPU usage).
ZTE: show process shows CPU utilization, memory and related information.
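When resource figures are collected from many devices during the peak window, it helps to extract and compare them mechanically. The following script is an added example, not code from the original post: it parses the first line of Cisco IOS show processes cpu and show processes memory output and flags devices above a threshold. The two device outputs are constructed in the shape of IOS output, and the 70% threshold is an assumed working figure, not a number from the standard.

```python
"""Extract CPU and memory usage from Cisco IOS show-command output and
compare them against a threshold (added example; outputs constructed)."""
import re

# First line of 'show processes cpu' on IOS.
CPU_LINE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# First line of 'show processes memory' on IOS.
MEM_LINE = re.compile(
    r"Processor Pool Total:\s+(\d+) Used:\s+(\d+) Free:\s+(\d+)"
)


def parse_cpu(text):
    """Return (5s total, 5s interrupt, 1m, 5m) utilisation percentages."""
    m = CPU_LINE.search(text)
    if not m:
        raise ValueError("no CPU utilization line found")
    return tuple(int(x) for x in m.groups())


def parse_memory_pct(text):
    """Return processor-pool memory in use as a percentage."""
    m = MEM_LINE.search(text)
    if not m:
        raise ValueError("no Processor Pool line found")
    total, used, _free = (int(x) for x in m.groups())
    return round(100 * used / total, 1)


def assess(device, cpu_text, mem_text, threshold=70):
    """Peak-period verdict for one device. The threshold (70 % here) is an
    assumed figure for illustration; agree the real one with the customer."""
    cpu5s, _irq, cpu1m, cpu5m = parse_cpu(cpu_text)
    mem = parse_memory_pct(mem_text)
    worst_cpu = max(cpu5s, cpu1m, cpu5m)
    return {
        "device": device,
        "cpu_max_pct": worst_cpu,
        "mem_used_pct": mem,
        "within_threshold": worst_cpu < threshold and mem < threshold,
    }


# Constructed sample output from two core switches during the peak window.
CORE1_CPU = ("CPU utilization for five seconds: 23%/4%; one minute: 21%; "
             "five minutes: 19%\n PID Runtime(ms)   Invoked  uSecs ...")
CORE1_MEM = ("Processor Pool Total:  254887848 Used:   67532944 Free:  187354904\n"
             "      I/O Pool Total:   13107200 Used:    4321000 Free:    8786200")
CORE2_CPU = ("CPU utilization for five seconds: 91%/40%; one minute: 85%; "
             "five minutes: 78%\n")
CORE2_MEM = "Processor Pool Total:  254887848 Used:  221000000 Free:   33887848\n"

if __name__ == "__main__":
    for dev, cpu, mem in (("core-sw1", CORE1_CPU, CORE1_MEM),
                          ("core-sw2", CORE2_CPU, CORE2_MEM)):
        print(assess(dev, cpu, mem))
```

Feed each device's captured output into assess() and keep the returned dicts as evidence; a device that fails the threshold during the peak is the one to discuss with the customer, together with the traffic analysis report mentioned below.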
Note that because remote access links are expensive, some organisations run their ingress/egress links at maximum utilisation to reduce cost and make full use of existing resources. In that case, analyse whether the traffic control measures in place meet the needs of the system under test during the business peak, for example by checking the organisation's network traffic usage analysis report and similar documents (ask Party A, the organisation being evaluated).
Here the main check is the network topology diagram: whether the network is divided into VLANs/zones, for example a server zone, a client zone, a management zone and an Internet access zone.
Commands by vendor for checking that the actual connectivity matches the topology diagram:
Cisco: traceroute (tracert from a Windows host) and show cdp neighbors (detail).
Huawei/H3C: tracert and display lldp neighbor-information (LLDP must be enabled globally and on the interfaces).
Ruijie: tracert/traceroute.
ZTE: same as above.
This item mainly depends on whether dual-device redundancy (active/standby or active/active) is configured for the core zone, i.e. redundant core switches and boundary devices with redundant links between them.

8.1.2.2 Communication transmission

Integrity is mainly checked by whether management and business traffic use protocols with built-in integrity protection such as SSH, HTTPS or FTPS (whichever applies to the system); confidentiality is mainly checked by whether a VPN (IPsec or SSL VPN) or the same TLS/SSH based protocols encrypt the traffic. Note that SSH and TLS provide both integrity (MAC/AEAD) and confidentiality, so the protocol name alone is not the whole check: also confirm that the plaintext alternatives (Telnet, HTTP, FTP) are disabled on the path and that obsolete versions and weak cipher suites (SSLv3, TLS 1.0, SSHv1) are not accepted.

8.1.2.3 Trusted Verification

Trusted verification is new in Dengbao 2.0 and appears under several aspects. The standard's wording for this item is about verifying the boot program, system program, important configuration parameters and communication applications of the communication devices based on a trusted root, with dynamic verification at key execution points, an alarm when trust is found to be broken, and the verification results sent as audit records to the security management centre. In practice, in the communication network this item is commonly addressed by deploying a bastion host: for the first point, when users modify important configuration parameters the bastion host can apply different levels of control (rejection, recording, etc.); for the second point, it can likewise control dangerous operations at key execution steps, such as format c: /q; for the third point, after a user performs an abnormal operation the bastion host should raise an alarm (email, SMS); for the last point, audit records should be stored centrally. Caveat: a bastion host controls and records operator actions but does not verify boot firmware or system program integrity, so also check whether the devices support a trusted root (TPM/TCM) and secure boot; where they do not, the bastion host alone does not fully meet this item.

Secure area boundary

The secure area boundary part of the general security requirements sets security control requirements for network boundaries (most often the devices in the Internet access zone, but boundaries between internal zones count too). The main objects are system boundaries and zone boundaries. The control points involved are boundary protection, access control, intrusion prevention, malicious code prevention, security auditing and trusted verification.

8.1.3.1 Boundary protection

Note that if no dedicated access control device (firewall) is deployed at the network boundary, the boundary router or switch must carry ACLs instead. Focus on three policies: the access control policy for business traffic, the policy for remote management, and the policy for high-risk ports (such as database service ports and remote access ports).
Pay particular attention to wireless networks.
For the second step (unused ports are shut down), check by vendor as follows:
Cisco: use show run to check that unused ports are explicitly shut down (shutdown under the interface), or show ip interface brief to check that their Status column shows administratively down.
Huawei/H3C: use display current-configuration (dis cu) to check that unused ports are shut down, or display interface brief, where administratively down ports are marked ADM (H3C) or *down (Huawei).
Ruijie: use show run to check that unused ports are shut down.
ZTE: same as above.
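On a switch with a few hundred ports, reading show ip interface brief by eye is error-prone, so the following script (an added example, not code from the original post) parses that Cisco IOS output and lists the physical ports that are enabled but have no link, which are the candidates the evaluator expects to see shut down. The sample output is constructed and the list of logical-interface prefixes to ignore is an assumption; a down/down port may also be a powered-off host, so confirm each finding against port descriptions and the administrator.

```python
"""List unused-but-enabled ports from Cisco IOS 'show ip interface brief'
(added example; sample output constructed)."""
import re

# Columns: Interface, IP-Address, OK?, Method, Status, Protocol.
# Status may be the two-word value "administratively down".
BRIEF_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_int_brief(text):
    """Return one dict per interface line; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = BRIEF_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def unused_not_shutdown(rows, ignore_prefixes=("Loopback", "Vlan", "Tunnel", "NVI")):
    """Ports that are enabled (not 'administratively down') but have no link
    ('down'/'down'). Logical interfaces are skipped by prefix (assumed list)."""
    return [
        r["name"] for r in rows
        if r["status"] == "down" and r["protocol"] == "down"
        and not r["name"].startswith(ignore_prefixes)
    ]


def shutdown_ports(rows):
    """Ports already administratively shut down, for the evidence record."""
    return [r["name"] for r in rows if r["status"] == "administratively down"]


# Constructed sample in the shape of IOS output.
SAMPLE = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.0.1        YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  down                  down
GigabitEthernet0/3         192.168.1.1     YES manual up                    up
GigabitEthernet0/4         unassigned      YES unset  down                  down
Vlan1                      unassigned      YES unset  administratively down down
Loopback0                  10.255.0.1      YES NVRAM  up                    up
"""

if __name__ == "__main__":
    rows = parse_ip_int_brief(SAMPLE)
    print("enabled but unused:", unused_not_shutdown(rows))
    print("already shut down: ", shutdown_ports(rows))
```

The same approach works for Huawei/H3C display interface brief, but the columns and the ADM / *down markers differ, so the regular expression has to be adapted to that output.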
Controlling unauthorized external connections (an intranet host reaching the Internet through a link of its own) requires Internet behaviour management equipment; the last point is that wireless networks should be placed in their own VLAN wherever possible.

8.1.3.2 Access Control

The first point mainly depends on whether the device denies all communication by default. On Cisco IOS an ACL ends with an implicit deny; evaluators still expect an explicit deny ip any any as the last entry (often with log) and no permit ip any any anywhere above it. On Huawei and H3C devices, traffic that matches no rule of an ACL applied with traffic-filter / packet-filter is permitted by default, so an explicit final rule deny is required for this point to be met.
The second point is more general: the fewer and tighter the ACL rules, the better, with no redundant or overlapping entries.
This item refers to port-level control.
For step 2, if no security device (firewall) performs this control, check whether the network device's ACLs restrict application-layer protocols such as HTTP, FTP, Telnet, SMTP and POP3 (ports 80, 21, 23, 25, 110). Check by vendor:
Cisco: show ip access-lists (or show access-lists) to check whether the ACL configuration controls the ports above.
Huawei/H3C: display current-configuration to view the ACLs, or display acl all to check whether the ACL configuration controls the ports above.
Ruijie: same as Cisco.
ZTE: show run or show acl to check whether the ACL configuration controls the ports above.

For the second point, check whether the boundary device has disabled unnecessary services (optional), including CDP, TCP/UDP small servers, Finger, BOOTP, IP source routing, proxy ARP, IP directed broadcast, and WINS/DNS. On Cisco IOS these appear in the running configuration as no cdp run, no service tcp-small-servers, no service udp-small-servers, no ip finger, no ip bootp server, no ip source-route and, per interface, no ip proxy-arp and no ip directed-broadcast; because show run omits default settings, use show running-config all when you need to prove that a default-on service has been disabled. The port-level spot check of the ACLs by vendor is as follows:
Cisco: show run to view the ACLs, then show ip access-list (or show access-lists) to spot-check the port-level conditions in the ACL (check the eq values of the entries).
Huawei/H3C: display current-configuration to view the ACLs, or display acl all to spot-check the port-level conditions (check the eq values).
Ruijie: show ip access-list (or show access-lists) to spot-check the port-level conditions (check the eq values).
ZTE: show run or show acl to spot-check the port-level conditions (check the eq values).
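The ACL checks in 8.1.3.2 (an explicit final deny, no permit ip any any, and which high-risk ports are opened to any source, the eq spot check above) can be made repeatable with a small parser. The following script is an added example, not code from the original post: it parses Cisco IOS show ip access-lists output captured from the device and reports those three findings per ACL. The ACL text, names and addresses are constructed, and the high-risk port set beyond the post's list of 80, 21, 23, 25 and 110 is an assumption to tune per system.

```python
"""Audit Cisco IOS 'show ip access-lists' output for default-deny, blanket
permits and high-risk ports open to any (added example; sample constructed)."""
import re

# Service names IOS prints in 'eq' clauses instead of numbers.
IOS_PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
                  "pop3": 110, "domain": 53, "tftp": 69, "snmp": 161}
# Application-layer ports from the post plus assumed database / remote
# access ports; adjust to the system under test.
HIGH_RISK_PORTS = {21, 23, 25, 80, 110, 1433, 1521, 3306, 3389, 5900}

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
ACE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
                 r"(?P<rest>.*?)(?:\s+\(\d+ matches\))?\s*$")
EQ = re.compile(r"\beq\s+(\S+)")


def port_number(token):
    """'23' -> 23, 'telnet' -> 23, unknown service name -> None."""
    return int(token) if token.isdigit() else IOS_PORT_NAMES.get(token)


def parse_access_lists(text):
    """Return {acl_name: [ace, ...]}; each ace has seq, action, proto,
    rest (the source/destination part) and port (from the 'eq' clause)."""
    acls, current = {}, None
    for line in text.splitlines():
        head = ACL_HEADER.match(line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        m = ACE.match(line)
        if m and current is not None:
            ace = m.groupdict()
            ace["seq"] = int(ace["seq"])
            eq = EQ.search(ace["rest"])
            ace["port"] = port_number(eq.group(1)) if eq else None
            acls[current].append(ace)
    return acls


def audit_acl(aces):
    """Findings for one ACL. risky_permits lists (seq, port) entries that open
    a high-risk port to source 'any'; each needs a justification from the
    customer rather than being an automatic fail."""
    last = aces[-1] if aces else None
    explicit_deny_last = bool(last and last["action"] == "deny"
                              and last["proto"] == "ip"
                              and last["rest"].startswith("any any"))
    permit_any_any = [a["seq"] for a in aces
                      if a["action"] == "permit" and a["proto"] == "ip"
                      and a["rest"].startswith("any any")]
    risky_permits = sorted((a["seq"], a["port"]) for a in aces
                           if a["action"] == "permit"
                           and a["port"] in HIGH_RISK_PORTS
                           and a["rest"].startswith("any "))
    return {"rule_count": len(aces),
            "explicit_deny_last": explicit_deny_last,
            "permit_any_any_seqs": permit_any_any,
            "risky_permits": risky_permits}


# Constructed sample: an Internet-facing ACL with problems and a tight
# management ACL.
SAMPLE_ACLS = """\
Extended IP access list INET-IN
    10 permit tcp any host 203.0.113.10 eq 443 (1200 matches)
    20 permit tcp any host 203.0.113.10 eq www
    30 deny tcp any any eq telnet
    40 permit ip any any
Extended IP access list MGMT-IN
    10 permit tcp 10.10.0.0 0.0.0.255 any eq 22
    20 deny ip any any log (55 matches)
"""

if __name__ == "__main__":
    for name, aces in parse_access_lists(SAMPLE_ACLS).items():
        print(name, audit_acl(aces))
```

For the sample, INET-IN is reported with no explicit final deny, a permit ip any any at sequence 40 and port 80 opened to any, while MGMT-IN passes all three checks. Huawei/H3C display acl all output uses a different syntax (rule N permit/deny ... destination-port eq ...), so the regular expressions must be rewritten for those devices.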

Content-level access control is generally implemented with Internet behaviour management equipment.

8.1.3.3 Intrusion Prevention

The point of this check is that boundary traffic actually reaches the IDS/IPS sensor: an out-of-band IDS needs a mirror (SPAN) session, whereas an inline IPS sits in the traffic path and needs none.
Cisco: show monitor (or show monitor session all) shows the SPAN configuration, i.e. the source ports being mirrored and the destination port the sensor is attached to.
Huawei: display observe-port and display port-mirroring; H3C: display mirroring-group all, which shows each mirroring group's source ports and its monitor (destination) port.

8.1.3.4 Malicious code prevention


8.1.3.5 Security Audit

Since every security device at the boundary must produce audit logs, it is best to have a dedicated log audit device collecting them centrally, with enough disk for the retention period (the Cybersecurity Law requires network logs to be kept for at least six months).

8.1.3.6 Trusted Verification


As in 8.1.2.3, in practice this item is taken to require the following:
1. encrypted transmission;
2. account and password login, with a separate account per user;
3. all operations performed through the bastion host;
4. authorisation settings, for example only an administrator may modify important configuration parameters.


Source: blog.csdn.net/oldmao_2001/article/details/109074164