Classified Protection Evaluation Requirements

Classified protection evaluation is divided into two categories: management requirements and technical requirements.

Management requirements
The reference standards for the documentation requirements are:
"Information system security management requirements" GB/T 20269-2006
"Information system security engineering management requirements" GB/T 20282-2006

Technical requirements
The technical requirements are divided into: physical security, network security, host security, application security, and data security with backup and recovery.
Physical security: mainly concerns the computer room: its location, and supporting facilities such as anti-theft, lightning protection, weak-current and electromagnetic protection.
Network security: the configuration of the network devices, security devices and other network equipment in the room.
Host security: the operating systems on which applications run, mainly the baseline configuration of the operating system.
Application security: security measures for services and applications, mainly for the B/S and C/S models (browser/server and client/server).
Data security and backup and recovery: whether there is off-site backup, whether there is a backup line, and whether data backup and restore are reliable.
Details of the technical part of classified protection evaluation
1: Some understanding of computer room construction, and familiarity with some room construction standards.
2: Familiarity with the device configuration of 2-3 mainstream network equipment vendors, and with the security configuration of 2-3 network equipment vendors.
3: Familiarity with the baseline configuration of at least two operating systems: centos (redhat), debian, freebsd, solaris, windows server.
4: Understanding of application packet capture tools such as wireshark or burp suite, and their basic use.
5: Knowledge of some mainstream software development languages, middleware (apache, iis, nginx), databases (mssql, mysql, oracle) and so on.
Physical security technical requirements:
Physical location selection
a) The computer room and office space should be located in a building that can withstand earthquake, wind and rain; check whether the current room is in a building with earthquake, wind and rain resistance.
b) The room should avoid the top floors or basement of a building, and should not be below or next to water-using equipment. Literally, a room above the fifth floor is not recommended, which is why the buildings of general cloud computing data centers are usually not very tall: fear of earthquakes. Also watch for water seepage. (Level 3 requirement)
Physical access control
a) The room entrance should be staffed by dedicated personnel who control, identify and record persons entering. Literally: the room has a person on duty; even with fingerprint or code recognition, entry to the room must be registered. Paper records are generally considered qualified; many units lack such records, and adding documentation and access control is recommended.
b) Visitors who need to enter the room should go through an application and approval process, and their activities should be limited and monitored. Outside visitors require an approval process, such as a letter of introduction for entry and exit and a registration card; entering the room requires an escort and standardized operation. The usual reasons for not meeting this are that no specific person constrains the visitor's actions, or there is no approval document confirming the person's identity.
c) The room should be divided into zones with physical separation between them, and a transition zone for delivery and installation should be set in front of important areas. To comply, the room needs a transition zone, a server zone, a hosting zone and so on, physically divided; ideally access control also separates the other areas.
d) Electronic access control systems should be installed in important areas to control, identify and record persons entering. This requires an access control system that identifies persons entering and has control and record functions.
Anti-theft and anti-sabotage
a) Main equipment should be placed in the computer room; literally, the main servers and network devices are within the room.
b) The main components of equipment should be fixed in place and given clear labels that are not easy to remove; identify devices such as network devices and network cables, and for servers the IP, name, business use, and the contact information of the person in charge.
c) Communication cables should be laid in concealed places, such as underground or in conduits; network cables run on overhead cable trays and power cables go under the floor. No cable is exposed on the floor.
d) Media should be classified and labelled, and stored in a media library or archive; if no storage media are used, this item is not applicable. A small number of rooms use USB disks and CD-ROMs, which require a fixed archiving place and labels.
e) An anti-theft alarm system using optical, electrical or other technologies should be installed in the room; this requires light-sensing or inductive burglar alarms (electromagnetic door alarms, photo-sensitive alarms and so on). Knowledge of the specific security equipment is not described here. This is generally not met; there may be surveillance and access control instead.
f) A room monitoring and alarm system should be set up. When someone enters or leaves the room, there is automatic recording and a camera alarm.
Lightning protection
a) Lightning protection devices should be provided for the equipment room; check whether the room has a lightning rod, arrester or other measures.
b) Lightning protection devices against induced lightning should be installed; induced lightning refers to the impact on equipment caused by a non-direct lightning strike.
c) The room's mains power should be grounded. Confirm whether the equipment cabinets have ground lines, whether any device has leakage, and whether the room power supply has a ground line.
Fire protection
a) An automatic fire protection system should be installed in the computer room that can automatically detect fire, raise an alarm, and extinguish the fire automatically; check for fire and smoke sensors, whether there is an automatic extinguishing system, and if there are fire extinguishers, whether their pressure is normal.
b) The computer room, work rooms and related auxiliary rooms should use building materials with a fire resistance rating; the anti-static floor of the room should be fire-resistant, and fire doors are required.
c) Fire prevention measures should be taken to isolate the zones of the room, separating important equipment from other devices.
Waterproof and moisture-proof
a) Water pipes shall not pass under the roof or through the floor of the computer room; there can be no water or seepage passing through the room.
b) Measures should be taken to prevent rainwater seeping into the room through windows, roof and walls; the room walls, cabinets, windows and floor can have no dampness or seepage.
c) Measures should be taken to prevent water vapor condensation in the room and the transfer and seepage of underground water; preferably with humidity control or drying equipment.
d) Water-sensitive detection instruments or elements should be installed to detect and alarm on water in the room. If water ingress occurs, the related equipment detects it and raises an alarm.

Antistatic
a) Main equipment should be grounded, with the necessary antistatic measures; check whether the cabinets are antistatic and whether the devices are grounded.
b) The room should use anti-static flooring. Literally, the room cannot be built directly on ceramic tile or wood; anti-static flooring is preferred.
Temperature and humidity control
a) Temperature and humidity control should keep the room temperature and humidity within the range permitted for operation of the equipment.
Computer room standards define three classes of room: A, B and C. For temperature and humidity:
Class A and Class B rooms require a temperature of 23 ± 1 ℃ and humidity of 40% to 55%.
Class C rooms require a temperature of 18 ~ 28 ℃ and humidity of 35% to 75%.
Power supply
a) Voltage regulators and overvoltage protection equipment should be configured on the room supply line; this requires UPS devices and overvoltage (surge) protection devices.
b) Short-term backup power should be provided to meet the normal operating requirements of the main equipment during a power outage; the UPS should keep working for at least one hour after a power failure, or the room should have a standby power plant.
c) Parallel or redundant power supply cabling should be provided to the computer systems; at least two municipal supply lines, with automatic switchover (in milliseconds).
d) A standby power supply should be established. In addition to UPS batteries, standby generators are also needed.
Electromagnetic protection
a) Grounding should be used to prevent external electromagnetic interference and parasitic coupling interference; anti-EMI and anti-parasitic-coupling measures mean that power lines, communication cables and related equipment cannot be too close to the servers.
b) Power supply lines and communication cables should be laid separately to avoid interfering with each other; for example communication cables on an overhead tray (high) and power supply lines under the floor (low).
c) Electromagnetic shielding should be applied to key equipment and magnetic media.
Network Security Technology Requirements:
PS: this is an important and heavily weighted part of classified protection, and also the section with the most rectification work. It involves a lot of device configuration; the device configurations discussed below will be referred to as the (Device Configuration Reference Manual).
Structural security
a) The processing capability of the main network devices should have redundant capacity to meet business peaks; check the load of the network devices; generally 80% utilization or below is considered to comply.
b) The bandwidth of each part of the network should meet business peaks; bandwidth redundancy.
c) Routing control should establish secure access paths between service terminals and service servers; static routes.
d) A network topology diagram consistent with the current operation should be drawn. Literal: the current network topology must be drawn and updated to match the actual situation.
e) Different subnets or network segments should be divided according to the job functions of departments, the importance of the information involved and other factors, and network addresses should be assigned to segments according to the principle of ease of management and control; interview the network administrator on whether different VLANs or subnets have been divided according to department function, level of importance and application system.
f) Important segments should not be deployed at the network boundary or directly connected to external information systems, and reliable technical isolation should be taken between important segments and other segments; ACLs are configured on the Layer 3 devices between the VLANs to control access.
g) Bandwidth allocation priority should be specified according to the importance of business services, so that critical hosts are protected first when network congestion occurs.
Access Control
a) Access control devices should be deployed at the network boundary to enable access control; boundary protection devices such as firewalls.
b) Access control should explicitly allow or deny data flows based on session state information, with port-level control granularity; fine-grained port-level policy control.
c) Information content entering and leaving the network should be filtered, achieving command-level control of application-layer protocols such as HTTP, FTP, TELNET, SMTP and POP3; the default ports of HTTP, FTP, TELNET and other protocols should be restricted, and better next-generation firewalls can also block access by protocol.
d) A session should be terminated after it has been inactive for a predetermined time, or the network connection dropped; literally, this is a network connection timeout: the connection is automatically disconnected when it is not active, and this also includes the login timeout on network devices when there is no operation.
e) The maximum network traffic and number of network connections should be limited; two items: limits on the maximum upstream and downstream flow rate, and a limit on the maximum number of concurrent connections.
f) Important segments should take technical measures to prevent address spoofing; in practice, IP-MAC binding to prevent ARP spoofing. An ARP firewall is a simple way of preventing it.
g) Access rules should be set between users and the system, allowing or denying user access to the resources of the controlled system, with per-user control granularity:
1: for remote dial-up users, a user authentication function is needed (campus network dial-up).
2: for users who plug in a network cable for direct Internet access, a simple internet behaviour management method.
h) The number of users with dial-up access should be limited.
1: whether remote dial-up users have a maximum user limit.
2: direct Internet users have a maximum IP / link limit on the gateway.
Security audit
a) Logging should be performed for the running state of network devices, network traffic, user behaviour and so on; network devices need logging enabled, with logs output to another location or saved separately.
b) Audit records should include: date and time of the event, user, event type, whether the event succeeded, and other audit-related information; the audit log content of network devices needs to record the time, type, user, event type, whether the event succeeded or failed, and so on.
c) It should be possible to analyze the recorded data and generate audit reports; logs can be exported, analyzed, and formed into reports. In a lenient review, being able to export the logs is enough.
d) Audit records should be protected from unexpected deletion, modification, overwriting and so on.
Ordinary management accounts or ordinary users cannot modify, delete or overwrite the relevant logs; only super administrator privileges can. The strict requirement is that no account can modify them.
Boundary integrity check
a) It should be possible to check for unauthorized devices connected to the internal network without permission, locate them accurately, and block them effectively.
b) It should be possible to check for internal network users connecting to an external network without authorization, locate them accurately, and block them effectively.
Intrusion prevention
a) The following attack behaviours should be monitored at the network boundary: port scanning, brute-force attacks, trojan backdoor attacks, denial of service attacks, buffer overflow attacks, IP fragmentation attacks, network worm attacks and so on; detecting these attack types requires detection equipment. Generally an IPS is needed, but a next-generation firewall with IPS function also meets it; compared with a next-generation firewall, a standalone IPS generally handles higher single-port network traffic.
b) When attack behaviour is detected, the attack source IP, attack type, attack target and attack time should be recorded, and an alarm should be provided for serious intrusion events. The IPS has log and alarm functions and can record "attack source IP, attack type, attack target, attack time"; the security requirements are similar to those for network-level logs.
Malicious code protection
a) Malicious code should be detected and removed at the network boundary;
there are two kinds of malicious code. One is the traditional host virus, executable viruses with suffixes such as EXE, BAT, VBS, VBE, JS, JSE, WSH and WSF; these need an anti-virus deployment (OfficeScan type) at the network boundary.
The other is the script virus type, generally called WEBSHELL: uploaded ASPX, PHP and JSP script types. These need a web firewall deployed at the network boundary (also known as a web application-level intrusion defense system; in English: Web Application Firewall, abbreviated WAF).
b) The malicious code library of the inspection system should be maintained and upgraded in a timely manner.
As explained above, the virus signature databases of the anti-virus wall and the WAF need to be upgraded regularly.
Identity access control
a) Users logging in to network devices should be authenticated; network device ports need at least two passwords: one for network access (SSH, TELNET, HTTPS), the other for the directly connected console port; the passwords cannot be the defaults.
b) The login addresses of network device administrators should be restricted; restrict the source IPs allowed to log in to network devices. For example, with a management IP of 192.168.1.100, the network devices only allow logins from that IP and directly reject logins from other IPs.
c) User identifiers on network devices should be unique; usernames are unique, with no duplicate usernames. Multiple users cannot share one account; each administrator has their own exclusive account.
d) The main network devices should use two or more combined authentication techniques to authenticate the same user; generally two-factor authentication: in addition to the account password, a dongle, fingerprint, SMS message authentication, biometrics or another authentication method is used to determine the user's identity.
e) Identification information should not be easily counterfeited; passwords should meet complexity requirements and be changed periodically;
1: a complex password combination: 8 characters or more, with upper and lower case, numbers and special symbols.
2: regular replacement: every 2 months or every 3 months is common.
f) Login failure handling should be provided, with measures such as ending the session, limiting the number of illegal logins, and automatically logging out when the network connection times out; for example, entering the wrong account password 5 times in a row locks the account or IP address for 20 minutes, to prevent brute force.
g) When network devices are managed remotely, necessary measures should be taken to prevent the identification information from being eavesdropped during network transmission; network device access is basically as follows:
encrypted: https, ssh
plaintext: telnet, console, aux, http
special: GUI or other client modes
The requirement is simply to use the encrypted access methods, https and ssh,
and to disable the unencrypted ones. Some special login methods are encrypted and some are not; use wireshark captures to observe.
h) Privilege separation should be implemented for the privileged users of equipment.
The superuser privileges are split among several users, each with independent rights that do not interfere with each other. The requirements generally call for three types of account: an ordinary account, an audit/backup account, and a configuration change account.
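As an added example (not from the original post or any evaluation tool), the device-level items above can be checked from a configuration export: access control d), security audit a), and identity access control a), b), f) and g). The configuration, the IOS-style command syntax, and the function names are assumptions constructed for this illustration.

```python
import re

# Constructed IOS-style sample (not a real device). It meets every item checked
# below except g): the remote lines still allow telnet next to ssh.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$PLACEHOLDER$
login block-for 1200 attempts 5 within 60
no ip http server
ip http secure-server
logging host 192.168.1.200
access-list 10 permit 192.168.1.100
line con 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input telnet ssh
 login local
"""

def parse(config):
    """Split a config into top-level commands and the commands under each 'line' block."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks

def check(config):
    """Map the config to the requirement items of the network section; True means met."""
    top, blocks = parse(config)
    vty = [c for name, cmds in blocks.items() if name.startswith("line vty") for c in cmds]
    con = [c for name, cmds in blocks.items() if name.startswith("line con") for c in cmds]
    # protocols accepted on the remote management lines (ssh, telnet, ...)
    transports = {t for c in vty if c.startswith("transport input ") for t in c.split()[2:]}
    return {
        # identity a): console and remote lines both require a login
        "login_required": all(any(c.startswith("login") for c in grp) for grp in (con, vty)),
        # identity b): remote logins limited to the management address list
        "source_restricted": any(c.startswith("access-class") for c in vty),
        # access control d): inactive sessions time out ('exec-timeout 0 0' disables it)
        "inactive_timeout": any(re.match(r"exec-timeout (?!0 0$)\d+ \d+$", c) for c in vty),
        # identity f): lockout after repeated failures (here 5 attempts, 1200 s = 20 min)
        "lockout_policy": any(c.startswith("login block-for") for c in top),
        # identity g): only encrypted management channels (no telnet, no plain http)
        "encrypted_only": transports <= {"ssh"} and "ip http server" not in top,
        # security audit a): logs are sent to a separate log host
        "remote_logging": any(c.startswith("logging host") for c in top),
    }

def failed(config):
    """Names of the items the config does not meet, i.e. the rectification list."""
    return sorted(item for item, ok in check(config).items() if not ok)
```

Running `failed(SAMPLE_CONFIG)` on the constructed config reports only `encrypted_only`; replacing `transport input telnet ssh` with `transport input ssh` clears it.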
Origin blog.51cto.com/14615609/2455081