Grade Protection 2.0 security architecture introduced
Based on a "dynamic security" architecture design, the Grade Protection 2.0 solution builds a firm "network + security" line of defense. It fuses network security with compliance, addressing both the compliance requirements users face and the real security challenges they encounter, and merges the security concepts of each scenario into one solution to give users "one-stop" security evolution.
National cybersecurity graded protection work enters the 2.0 era
The national Cybersecurity Law officially took effect on June 1, 2017; since then all network operators and operators of critical information infrastructure have been obliged to fulfil their security protection duties in accordance with the requirements of the cybersecurity graded protection system. With the official release of the standard GB/T 22239-2019 "Information security technology - Baseline for classified protection of cybersecurity" on May 13, 2019, national cybersecurity graded protection work officially entered the 2.0 era.
Grade Protection 2.0 key changes
"Information Security" → "Network Security"
Introduces new areas such as the mobile Internet, industrial control systems and the Internet of Things
Grade Protection 2.0 fully embodies the "one center, triple protection" philosophy. The "one center" is the Security Management Center; the "triple protection" is the secure computing environment, the secure area boundary and the secure communication network. Grade Protection 2.0 also strengthens its security requirements by applying trusted computing technology.
Passive defense → active defense
Grade Protection 2.0 solution topology design

Security Management Center
- Big data security (traffic + logs)
- IT operation and maintenance management
- Fortress machine (bastion host)
- Vulnerability scanning
- WMS
- Grade Protection construction consulting services
Construction points:
- Unified security management and control
- Centralized analysis and auditing
- Regular identification of vulnerabilities and risks

Secure communication network
- Next-generation firewall
- VPN
- Router
- Switch
Construction points:
- Build a secure network communication infrastructure
- Protect the security of information in transmission

Secure area boundary
- Next-generation firewall (anti-virus + anti-spam)
- Intrusion detection / prevention
- Internet behavior management
- Security sandbox
- Dynamic defense system
- Identity management
- Traffic probe
- Web application protection
Construction points:
- Strengthen boundary security and intrusion prevention
- Optimize access control policies

Secure computing environment
- Intrusion detection / prevention
- Database auditing
- Dynamic defense system
- Web page anti-tamper
- Vulnerability risk assessment (penetration testing + vulnerability scanning services)
- Antivirus software
Construction points:
- Emphasize application system security
- Strengthen authentication mechanisms and intrusion prevention
Secure communication network: main points (Grade Protection Level 3)

| Security requirement | Control point | Corresponding product or solution |
| --- | --- | --- |
| Secure communication network | Network architecture | Firewalls, routers, switches; network planning and deployment optimization; redundancy of key equipment / links / servers |
| Secure communication network | Communication transmission | VPN |
| Secure communication network | Trusted authentication | Trusted computer system |

Key points:
- Backbone network links and equipment are deployed redundantly
- Network areas are divided according to business management and security needs, with clear boundaries
- VPN or HTTPS encryption is used to protect business applications
Secure area boundary: main points (Grade Protection Level 3)

| Security requirement | Control point | Corresponding product or solution |
| --- | --- | --- |
| Secure area boundary | Perimeter protection | Firewall, authentication and access system, wireless controller |
| Secure area boundary | Access control | Second-generation firewall, web application firewall, Internet behavior management system |
| Secure area boundary | Intrusion prevention | Intrusion detection and prevention, unknown threat prevention, log management system |
| Secure area boundary | Malicious code and spam protection | Anti-virus gateway, anti-spam gateway, or second-generation firewall |
| Secure area boundary | Security audit | Behavior auditing system, authentication and access system, log management system |
| Secure area boundary | Trusted authentication | Trusted computer system |

Key points:
- Deploy the necessary application-layer security devices at the area boundary and enable security filtering policies
- Establish an authentication- and access-based user admission mechanism and enable security audit policies
- Use behavioral model analysis and other techniques to defend against new and unknown threats
- Collect and retain logs from key network, security and server equipment for not less than six months
Secure computing environment: main points (Grade Protection Level 3)

| Security requirement | Control point | Corresponding product or solution |
| --- | --- | --- |
| Secure computing environment | Authentication | Authentication and access system, fortress machine, security hardening service |
| Secure computing environment | Access control | Authentication and access system, security hardening service |
| Secure computing environment | Security audit | Fortress machine, database audit, log management system |
| Secure computing environment | Intrusion prevention | Intrusion detection and prevention, unknown threat prevention, log management system, penetration testing / vulnerability scanning / security hardening service |
| Secure computing environment | Malicious code prevention | Antivirus software, sandbox |
| Secure computing environment | Trusted authentication | Trusted computer system |
| Secure computing environment | Data integrity | VPN, anti-tamper system |
| Secure computing environment | Data confidentiality | VPN, application-layer SSL encryption |
| Secure computing environment | Data backup and recovery | Local data backup and recovery, off-site backup of critical data, system tracking |
| Secure computing environment | Residual information protection | Clearing of sensitive information |
| Secure computing environment | Personal information protection | Personal information protection |
Security Management Center: main points (Grade Protection Level 3)

| Security requirement | Control point | Corresponding products |
| --- | --- | --- |
| Security Management Center | System management | Fortress machine |
| Security Management Center | Audit management | Fortress machine |
| Security Management Center | Security management | Fortress machine |
| Security Management Center | Centralized management and control | VPN, IT operation and maintenance management system, security situational awareness platform, log management system |
| Security construction management | Acceptance testing | Pre-launch security testing services |
| Secure operation and maintenance management | Vulnerability and risk management | Penetration testing services, vulnerability scanning service |

Key points:
- System administrators, audit administrators and security administrators have clearly defined responsibilities and separation of duties
- Set up an independent security management area that gathers security information from the whole network and performs analysis and early-warning management
- Leverage professional security service personnel to meet requirements for penetration testing and other high-skill security services
Grade Protection 2.0 solution features summary: "1 + N" whole-network security
The name of the Grade Protection 2.0 standard, "Cybersecurity Graded Protection", clearly highlights that the construction of the security system must be closely integrated with network architecture design.
1. A complete range of Grade Protection security product categories
2. An SDN-based network security technology support system
3. A full range of wireless products, forming a unified wired and wireless whole-network security system
4. User identity + application authorization
5. Reliable IT operation and maintenance management support
Grade Protection 2.0 configuration solution

| No. | Required Grade Protection product or service | Mandatory / optional (Level 2) | Mandatory / optional (Level 3) | Corresponding Ruijie product or service name |
| --- | --- | --- | --- | --- |
| 1 | Firewall | Mandatory | Mandatory | RG-WALL |
| 2 | Intrusion prevention | Mandatory | Mandatory | RG-IDP |
| 3 | Centralized log management and audit | Mandatory | Mandatory | RG-BDS |
| 4 | Penetration testing services | Mandatory | Mandatory | Penetration testing |
| 5 | Vulnerability scanning services | Mandatory | Mandatory | Vulnerability scanning |
| 6 | Fortress machine | Optional | Mandatory | RG-OAS |
| 7 | Internet behavior management | Optional | Mandatory | RG-UAC |
| 8 | WAF (web application firewall) | Optional | Mandatory | RG-WG |
| 9 | Terminal access system | Optional | Mandatory | SMP series |
| 10 | Database auditing | Optional | Optional | RG-DBS |
| 11 | Grade Protection construction consulting | Optional | Optional | Grade Protection construction consulting |
| 12 | Security emergency response service | Optional | Optional | Security emergency response |
| 13 | Website anti-tamper | Optional | Optional | RG-Wlock |
| 14 | Server room operation and maintenance management software | Optional | Optional | REAL |
| 15 | Unknown threat defense | Optional | Optional | RG-DDP |
| 16 | APT | Optional | Optional | RG-SandBox |
| 17 | Network edition antivirus software | Mandatory | Mandatory | Huorong terminal security (strategic partnership) |