[Solution] Network Security Reinforcement Solution

1. Project background

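As the external network becomes more information-driven, business systems depend more and more on the external network and its information systems, and information security problems are becoming more prominent. To effectively guard against and defuse risks, and to keep the external network's information systems running smoothly and the business operating continuously, the existing external network must be upgraded and an information security assurance system established, strengthening the external network's ability to guard against information security risks. Systematic planning and construction of the information security system will be an important factor for the external network in strengthening internal control and internal management, reducing operational risk, and establishing an efficient, unified and well-coordinated management system.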

2. Reinforcement technical scheme

The requirements for network system security reinforcement construction are as follows:

1. Network border security protection, especially the security protection of important departments such as finance:

Use firewalls to provide boundary access control for the important security domains in the information network. Strictly control access into and out of each security area of the network; clarify the source of access, the object of access and the type of access; ensure that legitimate access proceeds normally and eliminate illegal and unauthorized access. At the same time, effectively prevent, discover and handle abnormal network access to ensure normal access to the external network's information network.

Deployment location: Deploy firewall devices between administrative, financial and office areas.

Deployment mode: The firewall is deployed in routing mode.
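
A minimal model of the boundary policy described above, as an added example that is not part of the original article: a default-deny allow-list keyed on source zone, destination zone and access type. The subnets, rules and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for the three zones named above (assumption).
ZONES = {
    "administrative": ipaddress.ip_network("10.10.10.0/24"),
    "financial": ipaddress.ip_network("10.10.20.0/24"),
    "office": ipaddress.ip_network("10.10.30.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str  # source of access
    dst_zone: str  # object of access
    proto: str     # type of access: protocol ...
    port: int      # ... and destination port

# Hypothetical allow-list; anything not listed is denied.
ALLOW = [
    Rule("administrative", "financial", "tcp", 443),
    Rule("office", "administrative", "tcp", 443),
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None  # address outside every known zone

def decide(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow; the default is deny."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny"
    if s == d:
        return "allow"  # assumed: intra-zone traffic does not cross the firewall
    return "allow" if Rule(s, d, proto, port) in ALLOW else "deny"

def audit(flows):
    """Return the denied flows, i.e. the abnormal access to investigate."""
    return [f for f in flows if decide(*f) == "deny"]

# Constructed sample flows: (source, destination, protocol, port).
FLOWS = [
    ("10.10.10.5", "10.10.20.8", "tcp", 443),  # administrative -> financial, HTTPS
    ("10.10.30.7", "10.10.20.8", "tcp", 445),  # office -> financial, SMB
    ("192.0.2.9", "10.10.20.8", "tcp", 443),   # source outside every zone
]
```

Calling `audit(FLOWS)` returns the two flows that no rule permits, which is the list an operator would review as abnormal access.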

2. Rate-limit the network and control Internet access; visitors authenticate for Internet access by scanning a QR code or following the WeChat official account:

Deploy the online behavior management system in series (inline), and configure network bandwidth and per-user external access bandwidth according to the usage of the business systems, so that the business application systems get the bandwidth they need and the network stays unobstructed.

Deployment location: between the firewall device and the intranet Layer 3 switch.

Deployment mode: Deploy in a transparent manner.

Authentication method: Users scan the QR code provided by the company, apply for Internet access through the official account, and then complete the identity authentication process.

3. Network access:

Establish a complete access management process, from basic identification at access time to post-access compliance checks, repair wizards and real-name audits, so that the security, purification and anti-repudiation functions of terminal access are delivered as a whole.

Deployment location: Intranet Layer 3 switch.

Deployment mode: Bypass deployment.

4. SSL VPN equipment for mobile office:

Digital certificate technology is used for two-way authentication between the server and the client and to ensure the integrity of data transmission and the non-repudiation of transactions, so that mobile office users can securely access the system over the Internet. It can be combined with a USB key that provides certificate and key storage to strengthen user identity authentication.

Deployment location: DMZ area of the firewall in the computer room.

Deployment mode: Bypass deployment.

4. Program Summary

Based on the actual state of informatization, plan and construct the framework and the basic security-element requirements of the network and information security system, then optimize and adjust them to fit reality. Provided the key technologies are realized, adopt mature domestic products to ensure the usability of the system and a simple, fast project implementation. Carry out information system security planning, rectification and construction work, implement technical security protection measures, establish and improve security management systems, further improve the security assurance capabilities and protection levels of information systems, ensure the safe operation of networks and information systems, and promote information security and healthy, coordinated development.

Reposted from: blog.csdn.net/Arvin_FH/article/details/132426035