Network security operation and maintenance solution based on the Zhihe network management platform

With the rapid development of information technology and the widespread adoption of networked applications, enterprises enjoy the convenience that network technology brings but are also exposed to increasingly serious network security threats. The scale and complexity of enterprise information systems will keep growing and the use of information and communication technology will keep deepening, so network security operation and maintenance (O&M) will become an increasingly prominent issue.

1. The main problems faced by network security operation and maintenance

As enterprise informatization deepens, daily production and management are tightly coupled to the network and information systems, and dependence on them keeps growing. At present, enterprises generally face the following difficulties in network security O&M.

(1) The network structure is complex, and the construction lacks a clear plan

On the one hand the network is geographically dispersed: because the enterprise operates at multiple sites, its internal network is deployed across different locations. On the other hand the office network and the production network are mixed together, so the network structure is unclear and a compromised office host has a direct path to production systems.

(2) Network security operation and maintenance objects are complicated

O&M objects include servers, switches, routers, security appliances, communication equipment, video surveillance equipment and software services. Hundreds of manufacturers produce software and hardware of differing specifications and models, which requires a great deal of adaptation work.

(3) O&M objects have brand heterogeneity and protocol differences, making it difficult to unify O&M

Device configuration interfaces differ widely, so administrators struggle to become familiar with each product's interface and command set, and configuring device policies uniformly becomes difficult.

(4) There are shortcomings in core technology and dependence on foreign products

Compared with developed countries in Europe and the United States, there is still a gap in China's information technology development. Some important software and hardware products still depend on foreign suppliers, and there is no independent domestic information technology industry chain.

(5) Insufficient network security talents

Compared with the ever-growing demand for network security, the training of professionals has shortcomings, and there is a shortage of professional, multi-skilled network security personnel.

2. Main countermeasures

Given the trend of network development and the overall goal of network security O&M, and in view of the problems above, enterprises and institutions can address them by building a localized network O&M system and reducing dependence on manual O&M. The main measures are: promote domestic software and hardware products to replace foreign ones; build a network security management and control platform together with a situational awareness, monitoring and early-warning platform so that network security O&M becomes collaborative, visualized and standardized; and build the network security O&M system in a targeted manner with continuous optimization.

3. Network security operation and maintenance platform architecture

Build an all-weather, all-round network security O&M platform that turns manual O&M into automated O&M, passive maintenance into active maintenance, and single-point monitoring into comprehensive monitoring, so as to improve situational awareness, risk monitoring, fault alarming and big-data analysis. By collecting data and logs from servers, switches, middleware, firewalls, application systems and other equipment, the platform monitors in real time and displays dynamically, giving full-dimensional visual monitoring of the whole network across regions, network segments and devices; it actively monitors for and discovers abnormal network events, raises real-time alarms, and improves risk prevention, monitoring and early-warning capabilities. The platform architecture is shown in Figure 1.

[Figure 1: network security operation and maintenance platform architecture]
4. Network security operation and maintenance solution based on Zhihe network management platform

The network has reached every corner of life, production and construction, and has an important impact on enterprise production, company management and even national security, so network security O&M is particularly important. This article takes the Zhihe network management platform (SugarNMS) of Beijing Zhihe ICT Co., Ltd. as an example to analyze the core functions and implementation measures of a network security O&M solution.

(1) Basic functions

In terms of basic functions, a network security O&M platform should be able to automatically discover devices, resources and links, visualize the network topology, raise fault alarms and analyze performance. The basic functional structure of SugarNMS specifically includes:

1. Automatic discovery. Within the reachable range of the network, search for nodes by IP address, match each node's model and manufacturer, render a simulated real panel of the device, show node resource information on a logical resource panel, and monitor resource usage (CPU, memory, boards/cards, disks) and the link relationships between nodes.

2. Topology display. Network nodes are grouped by network relationship or logical association and shown as a topology, from which the nodes, the resources inside them and the links between them can be monitored or managed.

3. Device control. Supports configuring devices and their parameters from the topology map or list view, and manages devices over SNMPv1/v2c/v3, NETCONF, Telnet, SSH, IPMI, ONVIF, JRPC, JMX, JDBC, WMI, SNMP Trap, Syslog, HTTP and other protocols. Note that Telnet and SNMPv1/v2c carry passwords and community strings in cleartext, so wherever the device supports it the management channel should be SSH, NETCONF over SSH and SNMPv3 with authentication and privacy enabled.

4. Resource management. Visually displays the real panel of the device and the logical panel of its resources, including the physical components that make up the node, the services running on it, or other monitoring targets customized to the monitoring requirements.

5. Link identification. Link information can be edited in the topology view and management list, real-time link performance data can be shown on the topology, and the type of data shown can be changed as required.

6. Fault alarms. Collects device fault and event information, triggers real-time alarms, shows alarm information in the topology and in the fault alarm list, and opens an alarm work order with one click.

7. Performance collection. Resource information is collected according to the protocol policy configured for each node; the collected performance data is processed and displayed visually, and fixed or custom time ranges can be selected to view trends in performance indicators.

8. Security control. Provides security management and control based on generic commands: QoS policies, traffic policies and access control can be applied by delivering commands to devices; network-wide MAC-IP data can be collected and bound; and blacklist and whitelist policies can be enabled or disabled.

9. Monitoring reports. Provides intelligent inspection of networks, devices and resources, including configurable automatic O&M, fault inspection, policy inspection and policy backup policies. Inspection reports and statistical reports can be generated so that users get a comprehensive and intuitive view of the network.
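The MAC-IP acquisition and binding function in item 8 is the basis for detecting IP spoofing and address conflicts across the whole network. The following script is an added example (not SugarNMS code) of how such a check works: it merges per-switch ARP tables into one network-wide map, compares it against an authoritative binding table, and derives a blacklist only from entries that contradict a known binding. The ARP snapshot, the binding table and the switch names are constructed for the example; a real NMS would fill them from each switch's ARP/ND table (SNMP or CLI) and from static or DHCP-snooping bindings.

```python
"""Network-wide MAC-IP acquisition, binding and spoof detection.

Added example, not SugarNMS code.  ARP_SNAPSHOT and BINDINGS are
constructed inline so the script runs offline.
"""
import re
from collections import defaultdict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalize the MAC formats different vendors print
    (00:11:22:33:44:55, 00-11-22-33-44-55, 0011-2233-4455, 0011.2233.4455)."""
    raw = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


# Constructed snapshot: (switch, vlan, ip, mac as printed by that switch)
ARP_SNAPSHOT = [
    ("acc-sw1", 10, "10.1.10.1", "0000-5e00-010a"),      # VRRP gateway
    ("acc-sw1", 10, "10.1.10.5", "0011-2233-4455"),      # matches binding
    ("acc-sw1", 10, "10.1.10.6", "00:11:22:33:44:66"),   # matches binding
    ("acc-sw2", 10, "10.1.10.6", "de:ad:be:ef:00:01"),   # second MAC claims .6
    ("acc-sw2", 20, "10.1.20.9", "00aa.bbcc.dd01"),
    ("acc-sw3", 20, "10.1.20.9", "00aa.bbcc.dd02"),      # unbound IP, two MACs
]

# Constructed authoritative IP -> MAC bindings (static or DHCP snooping).
BINDINGS = {
    "10.1.10.5": "00:11:22:33:44:55",
    "10.1.10.6": "00:11:22:33:44:66",
}


def acquire(snapshot):
    """Merge per-switch ARP tables into one IP -> {mac: {switches}} map."""
    table = defaultdict(lambda: defaultdict(set))
    for switch, _vlan, ip, mac in snapshot:
        table[ip][normalize_mac(mac)].add(switch)
    return table


def check(snapshot, bindings):
    """Return findings as (kind, ip, detail) tuples.

    binding_violation: an IP with an authoritative binding was seen with
                       another MAC (the extra MAC is the suspect).
    ip_conflict:       an unbound IP was seen with more than one MAC; we
                       cannot tell which owner is legitimate, so alarm only.
    """
    findings = []
    for ip, macs in acquire(snapshot).items():
        if ip in bindings:
            expected = normalize_mac(bindings[ip])
            rogue = sorted(m for m in macs if m != expected)
            if rogue:
                findings.append(("binding_violation", ip,
                                 {"expected": expected, "seen": rogue}))
        elif len(macs) > 1:
            findings.append(("ip_conflict", ip, {"seen": sorted(macs)}))
    return findings


def blacklist(findings):
    """MACs safe to block automatically: only those contradicting a known binding."""
    return {m for kind, _ip, d in findings if kind == "binding_violation"
            for m in d["seen"]}


if __name__ == "__main__":
    found = check(ARP_SNAPSHOT, BINDINGS)
    for f in found:
        print(f)
    print("blacklist:", sorted(blacklist(found)))
```

The split between `binding_violation` and `ip_conflict` is deliberate: an automatic blacklist should only be fed by entries that contradict a binding the operator has already vouched for, because for an unbound IP seen from two MACs the platform cannot know which host is the legitimate owner and blocking the wrong one creates an outage instead of preventing one.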

(2) Platform Architecture

Monitoring module

One-click automatic discovery of devices, links and resources and generation of the topology diagram. Supports physical topology discovery via LLDP, CDP, ICMP, ARP, port forwarding (MAC address) tables, spanning tree and neighbor routing information to find the physical links between devices. Discovery can be by IP range, by network range, or by searching outward from connected devices. Provides device management, network management, topology management, alarm management, performance analysis and event log management, plus graphical extension interfaces for device types, panel diagrams, resources, alarms, performance metrics and SNMP traps.
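The automatic discovery and link identification described under basic functions (items 1, 2 and 5) and here rely on neighbor tables such as LLDP. The script below is an added example (not SugarNMS code) of the core step: turning each polled device's LLDP neighbor table into an undirected link list, confirming links that both ends report, flagging links reported by only one end, and listing devices that are seen as neighbors but were never polled. The device names, port names and neighbor entries are constructed; a real NMS would read them from each device's LLDP-MIB (lldpRemSysName, lldpRemPortId) or CLI.

```python
"""Physical topology discovery from per-device LLDP neighbour tables.

Added example, not SugarNMS code.  LLDP_TABLES is constructed inline so
the script runs offline; an NMS would fill it by polling each device.
"""
from collections import defaultdict

# Constructed sample: local device -> [(local_port, remote_sysname, remote_port)]
LLDP_TABLES = {
    "core-sw1": [("GE1/0/1", "agg-sw1", "GE1/0/48"),
                 ("GE1/0/2", "agg-sw2", "GE1/0/48")],
    "agg-sw1":  [("GE1/0/48", "core-sw1", "GE1/0/1"),
                 ("GE1/0/1", "acc-sw1", "GE1/0/24")],
    "agg-sw2":  [("GE1/0/48", "core-sw1", "GE1/0/2"),
                 ("GE1/0/1", "acc-sw2", "GE1/0/24")],
    "acc-sw1":  [("GE1/0/24", "agg-sw1", "GE1/0/1")],
    # acc-sw2 is not polled (unmanaged or unreachable), so its side of the
    # agg-sw2 link is never seen and that link can only be confirmed one-sided.
}


def build_links(lldp_tables):
    """Collapse A->B and B->A neighbour entries into undirected links.

    Returns (confirmed, one_sided): confirmed links were reported by both
    endpoints; one-sided links were reported by only one of them.  A link
    is a frozenset of two (device, port) endpoints.
    """
    reporters = defaultdict(set)  # link -> devices that reported it
    for local, rows in lldp_tables.items():
        for lport, rname, rport in rows:
            link = frozenset([(local, lport), (rname, rport)])
            reporters[link].add(local)
    confirmed, one_sided = [], []
    for link, who in reporters.items():
        endpoints = {dev for dev, _ in link}
        (confirmed if who == endpoints else one_sided).append(link)
    return confirmed, one_sided


def unmanaged_devices(lldp_tables):
    """Devices that appear as a neighbour but were never polled themselves."""
    polled = set(lldp_tables)
    seen = {rname for rows in lldp_tables.values() for _, rname, _ in rows}
    return seen - polled


def adjacency(links):
    """Device -> sorted list of neighbouring devices, for topology display."""
    adj = defaultdict(set)
    for link in links:
        (a, _), (b, _) = sorted(link)
        adj[a].add(b)
        adj[b].add(a)
    return {dev: sorted(n) for dev, n in adj.items()}


if __name__ == "__main__":
    confirmed, one_sided = build_links(LLDP_TABLES)
    for link in confirmed:
        (a, ap), (b, bp) = sorted(link)
        print(f"link      {a}:{ap} <-> {b}:{bp}")
    for link in one_sided:
        (a, ap), (b, bp) = sorted(link)
        print(f"ONE-SIDED {a}:{ap} <-> {b}:{bp}  (only one end confirmed)")
    print("unmanaged:", sorted(unmanaged_devices(LLDP_TABLES)))
```

The one-sided flag matters for security as well as for completeness: LLDP and CDP are unauthenticated, so any device plugged into an access port can advertise an arbitrary system name and port. A link that only one end reports should be shown as unconfirmed rather than drawn as fact, and LLDP should normally be disabled on user-facing access ports so that only infrastructure links feed the topology.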

Analysis module

Provides big-data collation and analysis, graphical analysis and display of large volumes of network data, and configurable large-screen dashboards whose data elements, chart elements and data ranges can be freely configured. Also provides business monitoring, custom business processes and business alarm views.

Operation and maintenance module

Provides customizable O&M inspection policies; O&M orchestration policies can also be configured as command sequences to automate O&M of networks, devices and resources.

Ticket module

Provides O&M work orders: orders can be created quickly from the device and fault management pages and used to track the progress of fault handling. Custom work order templates, work order service levels (SLA), "my work orders", the full work order list and real-time status display are supported. This forms an automated fault-handling mechanism in which every processing node has a responsible owner, achieving rapid response to faults while keeping the enterprise's process control.

Log module

Provides log management for large numbers of devices and applications: collects and processes heterogeneous log data such as device operation logs, running status, security events, storage usage and user operation records; after merging, filtering and big-data analysis it raises alarms on abnormal data, stores everything in a unified log format, and presents the network status with gauges, charts and color coding.
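The "unified log format" step is where heterogeneous input is handled. The following script is an added example (not SugarNMS code) of what that step and the "alarm on abnormal data" step look like in practice: it parses the two syslog wire formats most devices emit (RFC 3164 and RFC 5424) into one record layout, then runs two alarm rules over the unified records, one on syslog severity and one that counts failed SSH logins per source address across all hosts. The sample lines, host names and addresses are constructed; the failed-login message text follows the OpenSSH format.

```python
"""Normalize heterogeneous syslog into one record format and alarm on anomalies.

Added example, not SugarNMS code.  SAMPLE is constructed inline so the
script runs offline.
"""
import re
from collections import defaultdict

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
TAG = re.compile(r"^(?P<app>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def parse(line):
    """Return a unified record dict, or None if the line is not syslog.
    facility and severity are decoded from PRI (facility * 8 + severity)."""
    m = RFC5424.match(line)
    if m:
        rec = m.groupdict()
        rec["msg"] = rec["msg"] or ""
        rec["format"] = "5424"
    else:
        m = RFC3164.match(line)
        if not m:
            return None
        rec = {"ts": m["ts"], "host": m["host"], "pri": m["pri"], "format": "3164",
               "app": None, "pid": None, "msgid": None, "sd": None}
        t = TAG.match(m["rest"])          # "app[pid]: message" tag, if present
        if t:
            rec.update(app=t["app"], pid=t["pid"], msg=t["msg"])
        else:
            rec["msg"] = m["rest"]
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def alarms(records, threshold=3, max_severity=2):
    """Two alarm rules over unified records:
    - any message at severity <= max_severity (0 emerg .. 2 crit)
    - >= threshold failed logins from one source address across all hosts
    """
    out = []
    per_src = defaultdict(lambda: {"count": 0, "users": set(), "hosts": set()})
    for r in records:
        if r["severity"] <= max_severity:
            out.append(("critical", r["host"], r["msg"]))
        m = FAILED_LOGIN.search(r["msg"])
        if m:
            s = per_src[m["src"]]
            s["count"] += 1
            s["users"].add(m["user"])
            s["hosts"].add(r["host"])
    for src, s in per_src.items():
        if s["count"] >= threshold:
            out.append(("login_burst", src,
                        f"{s['count']} failures, users={sorted(s['users'])}, "
                        f"hosts={sorted(s['hosts'])}"))
    return out


# Constructed sample: 3164 lines from servers, 5424 lines from a switch,
# and one line that is not syslog at all.  PRI 38 = auth.info, 186 = local7.crit.
SAMPLE = [
    "<38>Sep  1 10:00:01 db01 sshd[2210]: Failed password for root from 10.1.10.77 port 51012 ssh2",
    "<38>Sep  1 10:00:03 db01 sshd[2211]: Failed password for root from 10.1.10.77 port 51013 ssh2",
    "<38>1 2023-09-01T10:00:05Z core-sw1 sshd - - - Failed password for admin from 10.1.10.77 port 51020 ssh2",
    "<38>Sep  1 10:00:07 web01 sshd[900]: Failed password for invalid user test from 10.1.10.78 port 40000 ssh2",
    '<186>1 2023-09-01T10:00:09Z core-sw1 fan - - [meta seq="1"] Fan module 2 failed',
    "garbage line with no syslog header",
]


def run(lines):
    """Parse all lines, drop non-syslog input, and evaluate the alarm rules."""
    records = [r for r in map(parse, lines) if r is not None]
    return records, alarms(records)


if __name__ == "__main__":
    recs, found = run(SAMPLE)
    for r in recs:
        print(f"{r['ts']} {r['host']} sev={r['severity']} app={r['app']} {r['msg']}")
    for a in found:
        print("ALARM", a)
```

Counting failures per source address across all hosts, rather than per host, is what makes the burst rule useful against an attacker who spreads a password-guessing run over many devices to stay under each device's own lockout threshold.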

(3) Security control

Provides security O&M and in-depth control of all devices on the network at the device and resource level. Unified security management and O&M baseline configuration is performed over Telnet, JDBC, JMX, SNMP and other device management protocols and across device types. The security control architecture of SugarNMS is shown in Figure 2; it provides centralized control of multi-brand devices, visible security policies, configuration accuracy verification and other functions. Operations can be issued from right-click shortcut commands on the topology map. Supports in-depth control of Huawei, H3C, Maipu, DP, Ruijie and other domestic devices, including ACLs, QoS, routing configuration, account security and terminal access.
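Two of the capabilities named here, policy inspection (item 9 under basic functions) and configuration accuracy verification, come down to reading a device's running configuration back and checking it against a baseline and against what was delivered. The script below is an added example (not SugarNMS code) of both checks. The two configs are constructed in a VRP-like style ("#"-separated sections, space-indented sub-commands); the exact command syntax is an assumption for illustration and has to be adapted to each vendor's CLI, which is exactly the "brand heterogeneity" problem the article describes.

```python
"""Policy inspection and configuration verification over device configs.

Added example, not SugarNMS code.  WEAK_CONFIG and HARDENED_CONFIG are
constructed; the command syntax is assumed, VRP-like, and must be adapted
per vendor.
"""
import re

# Constructed "running config" of a switch before hardening.
WEAK_CONFIG = """\
#
sysname acc-sw1
#
snmp-agent
snmp-agent community read public
snmp-agent sys-info version v2c v3
#
telnet server enable
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
return
"""

# The same switch after the hardening policy was delivered.
HARDENED_CONFIG = """\
#
sysname acc-sw1
#
snmp-agent
snmp-agent sys-info version v3
#
undo telnet server enable
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Baseline rules: "pattern" is checked against top-level lines unless
# "context" names the block header whose indented children should be checked.
RULES = [
    {"name": "default SNMP community string", "mode": "forbid",
     "pattern": r"^snmp-agent community (read|write) public$"},
    {"name": "SNMPv1/v2c enabled", "mode": "forbid",
     "pattern": r"^snmp-agent sys-info version\b.*\b(v1|v2c)\b"},
    {"name": "Telnet server enabled", "mode": "forbid",
     "pattern": r"^telnet server enable$"},
    {"name": "SSH (stelnet) server not enabled", "mode": "require",
     "pattern": r"^stelnet server enable$"},
    {"name": "VTY accepts non-SSH protocols", "mode": "forbid",
     "context": r"^user-interface vty", "pattern": r"^protocol inbound (all|telnet)$"},
    {"name": "VTY not restricted to SSH", "mode": "require",
     "context": r"^user-interface vty", "pattern": r"^protocol inbound ssh$"},
    {"name": "VTY not using AAA authentication", "mode": "require",
     "context": r"^user-interface vty", "pattern": r"^authentication-mode aaa$"},
]


def parse_blocks(config):
    """Split a config into (header, [child lines]) blocks.  A non-indented
    line starts a block, indented lines belong to it, '#' or a blank ends it."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def inspect(config, rules=RULES):
    """Return [(rule name, offending lines)] for every rule the config fails."""
    blocks = parse_blocks(config)
    findings = []
    for rule in rules:
        if rule.get("context"):
            ctx = re.compile(rule["context"])
            lines = [c for h, kids in blocks if ctx.search(h) for c in kids]
        else:
            lines = [h for h, _ in blocks]
        hits = [l for l in lines if re.search(rule["pattern"], l)]
        if rule["mode"] == "forbid" and hits:
            findings.append((rule["name"], hits))
        elif rule["mode"] == "require" and not hits:
            findings.append((rule["name"], []))
    return findings


def verify_delivered(config, delivered_lines):
    """Configuration accuracy check: which delivered lines are missing from
    the config now read back from the device."""
    blocks = parse_blocks(config)
    present = {h for h, _ in blocks} | {c for _, kids in blocks for c in kids}
    return [l for l in delivered_lines if l.strip() not in present]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for rule, hits in inspect(cfg):
            print(f"  FAIL {rule}" + (f": {hits}" if hits else ""))
    print("missing after delivery:",
          verify_delivered(WEAK_CONFIG, ["stelnet server enable", "protocol inbound ssh"]))
```

Running the same inspection on a schedule, as the article's inspection policies do, turns a one-off hardening into a drift check: a later change that re-enables Telnet or adds a default community string shows up as a new failed rule rather than going unnoticed until the next audit.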

Source: blog.csdn.net/Arvin_FH/article/details/132426198