CN117155678A - Computer network engineering safety control system - Google Patents


Info

Publication number
CN117155678A
Authority
CN
China
Prior art keywords
network
security
access
data
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311171649.5A
Other languages
Chinese (zh)
Inventor
侯炳旭
白峻名
杨栋森
靳少博
潘博
黎庆健
李家乡
邱熙博
曾一程
解鑫炜
管伟春
荆嘉祺
李�昊
宋诗博
高名坤
刘禹彤
车佳静
吕姝昀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Science and Technology Liaoning USTL
Original Assignee
University of Science and Technology Liaoning USTL
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology Liaoning USTL
Priority to CN202311171649.5A
Publication of CN117155678A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to the technical field of computer network security, in particular to a computer network engineering security control system, which comprises: setting a firewall to monitor and control network traffic, preventing unauthorized access and malicious attacks; detecting and preventing intrusion by monitoring network traffic and identifying abnormal behavior, and taking timely measures to protect network security; defining access rules and authority control to limit the access rights of users inside and outside the network and prevent unauthorized access; realizing secure access for remote users and branch institutions through encrypted communication and the establishment of secure tunnels, preventing data leakage; encrypting sensitive data with an encryption algorithm to ensure the security of the data during transmission and storage; and dividing the network into a plurality of security zones and limiting communication between zones to improve network security.

Description

Computer network engineering safety control system
Technical Field
The application relates to the technical field of computer network security, in particular to a computer network engineering security control system.
Background
Computer network security is an important part of computer research. When a computer is maintained securely, a program to be admitted into the computer is checked by a firewall, and only after the check succeeds is the program admitted into the computer; this is how computer network security is realized.
In the existing method, after the content of a mail is edited at end A, the mail is packed, compressed and transmitted to end B through the computer network; when end B receives the mail, the transmitted file passes through a firewall, and end B finally receives the mail. However, throughout this process the information security is monitored only by the firewall, with no other security prevention and control means, so there is no security defense system during file transmission and the mail may be stolen by others.
Therefore, how to ensure the security of sensitive data during transmission and storage is the main problem addressed by the present application.
Disclosure of Invention
Aiming at the defects of the prior art, the application provides a computer network engineering safety control system which solves the above problems.
In order to achieve the above purpose, the application is realized by the following technical scheme:
a computer network engineering security control system, comprising:
setting a firewall to monitor and control network traffic, preventing unauthorized access and malicious attacks;
detecting and preventing intrusion by monitoring network traffic and identifying abnormal behavior, and taking timely measures to protect network security;
defining access rules and authority control to limit the access rights of users inside and outside the network and prevent unauthorized access;
realizing secure access for remote users and branch institutions through encrypted communication and the establishment of secure tunnels, preventing data leakage;
encrypting sensitive data with an encryption algorithm to ensure the security of the data during transmission and storage;
dividing the network into a plurality of security zones and limiting communication between zones to improve network security;
recording network activities and events, performing security audits, and monitoring and detecting potential risks and threats in time;
and carrying out periodic vulnerability scanning of the network, repairing system vulnerabilities, and installing and updating security patches in time to improve system security.
Preferably, the firewall monitors and controls network traffic to prevent unauthorized access and malicious attacks. By setting access rules, the firewall restricts which traffic may enter or leave the network, inspects network traffic and filters out potential threats, and uses threat intelligence and security policies to detect and block known attacks. By inspecting the packets of network traffic, the firewall decides whether to allow or block the traffic according to preset security policies and rules.
Preferably, the detection and prevention of intrusion by monitoring network traffic and identifying abnormal behavior uses an intrusion detection system or a network traffic analysis tool to monitor network traffic in real time; rules and models are set, based on known attack patterns and abnormal behavior characteristics, to identify potential intrusions and abnormal behavior; when abnormal behavior is detected, a real-time alarm is generated to notify the security team; the monitoring results and alarm list are recorded and analyzed; threat intelligence is followed to keep up with the latest attack trends, vulnerabilities and software flaws, and the system is updated and patched in time to reduce the risk of known vulnerabilities being exploited; the effectiveness of the intrusion detection system and monitoring tools is assessed and continuously improved and optimized, and rules and models are updated according to new attack vulnerabilities and threats to improve detection accuracy and sensitivity.
Preferably, access rules and authority control are defined so that the access rights of users inside and outside the network are limited and unauthorized access is prevented: an authentication mechanism ensures that only authenticated users can access network resources; an authorization mechanism controls user access to resources based on user roles and permissions; dividing the network into different zones or using VPN technology creates a securely isolated environment that limits access between internal and external users; firewalls are configured to keep untrusted traffic out of the network, and intrusion detection/prevention systems are used to detect and block potential malicious activity.
Preferably, secure access for remote users and branch offices is realized by encrypting communication and establishing secure tunnels, which effectively prevents data leakage: remote users and branch offices connect to the main network through an encrypted communication tunnel; the SSL/TLS encryption protocol is adopted for external access and Web communication to ensure the confidentiality and integrity of data in transit; remote desktop connections and remote management tools are securely configured; access by remote users and branch offices is subject to two-factor authentication; sensitive data is encrypted in end-to-end communication to ensure its security and confidentiality during transmission and storage; an encrypted communication channel is established using secure tunneling technology to protect remote access and data transmission; and independent security domains and network isolation are provided for access by remote users and branches.
Preferably, an encryption algorithm is used to encrypt the sensitive data, an asymmetric encryption algorithm is used to encrypt the secret key, and the asymmetric encryption algorithm is combined with a hash algorithm to ensure data integrity and identity verification; an encrypted transmission protocol is used to protect data during transmission; and sensitive data stored locally or in the cloud is encrypted at rest to ensure its safety on the storage medium.
Preferably, dividing the network into a plurality of security zones and limiting communication between zones is an effective network security measure: the network is divided into a plurality of subnets, each of which may use a different IP address range; VLAN technology divides the network into logically independent zones, so that isolation between zones can be achieved even on the same physical network; the network is divided into security zones with access control rules set according to the sensitivity level and access requirements of the data; a separate security zone is set up to host publicly accessible services; and access control lists are configured using the ACL function of the firewall or router to limit communication between security zones.
Preferably, network activities and events are recorded and security audits are carried out: the logging functions of key systems such as network equipment, servers and application programs are configured to record key events and operations; SIEM tools collect, analyze and manage the various logs and security event information centrally; a real-time monitoring and alarm mechanism is set up, and the logs of network activities and events are periodically checked and analyzed through the monitoring system and SIEM tool; a response mechanism is established to respond to and handle security events rapidly; and malicious behavior and threat patterns are detected and analyzed using security analysis tools and threat intelligence, so that by analyzing the patterns of network activities and events, threats are discovered and addressed in time.
Preferably, periodic vulnerability scanning is performed on the network and system vulnerabilities are repaired: the systems, application programs and equipment in the network are periodically scanned with a dedicated vulnerability scanning tool so that security patches can be installed and updated in time; the scan results are evaluated and the repair priority is determined according to the severity and potential impact of each vulnerability; vulnerabilities found in the systems and application programs are repaired promptly according to the scan results; automation tools and systems are used to simplify and accelerate the patch management process; operating systems and application programs are kept up to date, with new security fixes and patches applied in time; attention is paid to third-party software and plug-ins, whose security patches are checked and updated periodically; and a vulnerability management process is established to ensure the comprehensiveness and timeliness of the remediation work.
The application provides a computer network engineering safety control system, which has the following beneficial effects:
1. The encryption algorithm is used to encrypt sensitive data, so that the security of the data during transmission and storage is ensured.
2. Vulnerability scanning, repair of system vulnerabilities and installation and updating of security patches are carried out regularly, which effectively reduces the possibility of the system being attacked and improves its overall security.
3. Potential security vulnerabilities in the system and application programs can be found through vulnerability scanning and repaired in time, reducing the risk of attack. Preventive repair keeps vulnerabilities from being exploited by malicious attackers.
4. Unrepaired system vulnerabilities and software carry the risk of data leakage and information theft. Timely patching and updating reduces these risks and protects important data and sensitive information.
Drawings
FIG. 1 is a schematic diagram of an overall flow of a prior art system;
Detailed Description
In order that the application may be readily understood, a more complete description of the application will be rendered by reference to the appended drawings. The drawings illustrate preferred embodiments of the application. This application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Referring to fig. 1, the present application provides a technical solution:
a computer network engineering security control system, comprising:
setting a firewall to monitor and control network traffic, preventing unauthorized access and malicious attacks;
detecting and preventing intrusion by monitoring network traffic and identifying abnormal behavior, and taking timely measures to protect network security;
defining access rules and authority control to limit the access rights of users inside and outside the network and prevent unauthorized access;
realizing secure access for remote users and branch institutions through encrypted communication and the establishment of secure tunnels, preventing data leakage;
encrypting sensitive data with an encryption algorithm to ensure the security of the data during transmission and storage;
dividing the network into a plurality of security zones and limiting communication between zones to improve network security;
recording network activities and events, performing security audits, and monitoring and detecting potential risks and threats in time;
and carrying out periodic vulnerability scanning of the network, repairing system vulnerabilities, and installing and updating security patches in time to improve system security.
In particular, setting a firewall is one of the common security control measures in computer network engineering. By setting access rules, the firewall restricts which traffic may enter or leave the network to prevent unauthorized access, and inspects network traffic to filter out potential threats such as malware and network attacks, using threat intelligence and security policies to detect and block known attacks; it thus monitors and controls network traffic to prevent unauthorized access and malicious attacks. The firewall decides whether to allow or block traffic by checking the packets of network communication against preset security policies and rules.
Firewalls can employ a variety of methods to screen and control network traffic, including the following:
Packet filtering firewall: based on the configured rule set, packets are filtered, and whether a packet is allowed through is decided from information such as the source IP address, destination IP address, port number and protocol type.
Stateful inspection firewall: by maintaining a state table that tracks the state and context information of network connections, finer-grained control is possible and specific attacks can be detected.
Application layer firewall: on top of the traditional network and transport layers, deep inspection of application layer protocols is added, so that application layer data is analyzed and blocked and a higher level of security control is provided.
Next generation firewall: combining multiple techniques such as Deep Packet Inspection (DPI), intrusion detection and prevention systems (IDS/IPS), URL filtering and anti-malware, it provides more comprehensive protection and threat intelligence.
It should be noted that setting up a firewall requires planning and configuration according to the needs of the organization and the network environment, including defining security policies, setting up rule sets and managing Access Control Lists (ACLs). Periodic auditing and updating of the firewall rules is also an important step in keeping the firewall effective.
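The packet filtering and stateful inspection described above, as an added example that is not part of the patent: a small Go firewall that evaluates an ordered rule set over source/destination address, port and protocol, and keeps a state table so that replies to an allowed flow pass while unsolicited inbound packets fall through to default deny. The rule set, addresses and rule names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields the rule set matches on.
type Packet struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
	Proto            string // "tcp" or "udp"
}

// Rule is one entry of the ordered rule set; a nil network, empty
// protocol or zero port is a wildcard.
type Rule struct {
	Name           string
	SrcNet, DstNet *net.IPNet
	DstPort        int
	Proto          string
	Allow          bool
}

// flowKey identifies a flow whose first packet passed an allow rule.
type flowKey struct {
	src, dst         string
	srcPort, dstPort int
	proto            string
}

// Firewall combines packet filtering (the ordered rule set) with state
// tracking (the table of flows whose first packet was allowed).
type Firewall struct {
	Rules []Rule
	state map[flowKey]bool
}

func NewFirewall(rules []Rule) *Firewall {
	return &Firewall{Rules: rules, state: map[flowKey]bool{}}
}

func (r Rule) matches(p Packet) bool {
	return (r.SrcNet == nil || r.SrcNet.Contains(p.SrcIP)) &&
		(r.DstNet == nil || r.DstNet.Contains(p.DstIP)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Proto == "" || r.Proto == p.Proto)
}

// Decide returns whether the packet passes and what decided it. A packet
// travelling in the reverse direction of a flow in the state table is a
// reply and passes without consulting the rules; any other packet walks
// the rules in order, and one that matches nothing is dropped (default deny).
func (fw *Firewall) Decide(p Packet) (bool, string) {
	forward := flowKey{p.SrcIP.String(), p.DstIP.String(), p.SrcPort, p.DstPort, p.Proto}
	reverse := flowKey{p.DstIP.String(), p.SrcIP.String(), p.DstPort, p.SrcPort, p.Proto}
	if fw.state[reverse] {
		return true, "established"
	}
	for _, r := range fw.Rules {
		if r.matches(p) {
			if r.Allow {
				fw.state[forward] = true
			}
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

// DefaultRules is a constructed rule set with hypothetical addresses:
// internal clients may reach HTTPS anywhere, anyone may reach the DMZ web
// server on port 80, and inbound SSH is denied explicitly so that it shows
// up under its own rule name in the logs; everything else is default deny.
func DefaultRules() []Rule {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	_, dmzWeb, _ := net.ParseCIDR("203.0.113.10/32")
	return []Rule{
		{Name: "allow-internal-https", SrcNet: internal, DstPort: 443, Proto: "tcp", Allow: true},
		{Name: "allow-dmz-web", DstNet: dmzWeb, DstPort: 80, Proto: "tcp", Allow: true},
		{Name: "deny-inbound-ssh", DstPort: 22, Proto: "tcp"},
	}
}

func main() {
	fw := NewFirewall(DefaultRules())
	client, server := net.ParseIP("10.0.0.5"), net.ParseIP("198.51.100.7")
	for _, p := range []Packet{
		{client, server, 51000, 443, "tcp"}, // outbound request: decided by a rule
		{server, client, 443, 51000, "tcp"}, // reply: decided by the state table
		{server, client, 4444, 8080, "tcp"}, // unsolicited inbound: default deny
	} {
		ok, why := fw.Decide(p)
		fmt.Printf("%s:%d -> %s:%d allow=%v (%s)\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, ok, why)
	}
}
```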
Specifically, detecting and preventing intrusion by monitoring network traffic and identifying abnormal behavior is an important network security measure; the specific scheme is as follows:
Traffic monitoring: network traffic is monitored in real time using Intrusion Detection Systems (IDS) or network traffic analysis tools. Network packets, logs and other relevant information are collected, and the source, destination, protocol and port of the traffic can be monitored.
Abnormal behavior identification: rules and models are set, based on known attack patterns and abnormal behavior characteristics, to identify potential intrusions and abnormal behavior. For example, malware transmissions, abnormally high traffic, unauthorized access and multiple failed authentication attempts are detected.
Real-time alert and response: when abnormal behavior is detected, a real-time alert is generated to notify the security team, and timely response measures are taken, such as blocking the attacker's access, quarantining an infected host or blocking a malicious IP.
Log and audit: the monitoring results and alarm list are recorded and analyzed. Security auditing is performed to learn the type, frequency and impact of attacks and thereby strengthen the network security measures.
Threat intelligence and vulnerability management: threat intelligence is followed to keep up with the latest attack trends, vulnerabilities and software flaws, and the system is updated and patched in time to reduce the risk of known vulnerabilities being exploited.
Continuous improvement and optimization: the effectiveness of Intrusion Detection Systems (IDS) and monitoring tools is evaluated and continuously improved and optimized, and rules and models are updated according to new attack vulnerabilities and threats to improve detection accuracy and sensitivity.
Importantly, in addition to monitoring network traffic and identifying abnormal behavior, other security measures should be adopted, such as strengthening boundary firewalls, applying security patches, setting up access control policies and encrypting data transmissions. At the same time, continuous training and awareness-raising activities are a vital link in improving employees' understanding of and response to network security. Network security is best protected by adopting all of these means together.
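One way to implement the "multiple failed authentication attempts" rule and the real-time alert described above, as an added example and not the patent's own design: the detector parses constructed log lines, keeps a sliding window of failures per source address, and alerts once per source so a burst does not flood the alert list. The log format, the 60-second window, the threshold of five and the addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed log line: "<RFC3339 time> <kind> [status] k=v ...".
type Event struct {
	Time   time.Time
	Kind   string            // "auth" in the constructed sample
	Fields map[string]string // k=v pairs; a bare word is stored under "status"
}

type Alert struct{ Rule, Source string }

// ParseLine turns one log line into an Event.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Kind: parts[1], Fields: map[string]string{}}
	for _, f := range parts[2:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			k, v = "status", f
		}
		ev.Fields[k] = v
	}
	return ev, nil
}

// Detector alerts once per source that reaches Threshold failed logins inside a sliding Window.
type Detector struct {
	Window    time.Duration
	Threshold int
	fails     map[string][]time.Time
	alerted   map[string]bool
}

func NewDetector() *Detector {
	return &Detector{time.Minute, 5, map[string][]time.Time{}, map[string]bool{}}
}

// Process feeds one event into the detector and returns an alert if the rule fires.
func (d *Detector) Process(ev Event) *Alert {
	if ev.Kind != "auth" || ev.Fields["status"] != "fail" {
		return nil
	}
	src := ev.Fields["src"]
	h := append(d.fails[src], ev.Time)
	for h[0].Before(ev.Time.Add(-d.Window)) { // forget failures older than the window
		h = h[1:]
	}
	d.fails[src] = h
	if len(h) < d.Threshold || d.alerted[src] {
		return nil
	}
	d.alerted[src] = true
	return &Alert{"auth-brute-force", src}
}

// Analyze runs every line through the detector; a malformed line is an error.
func Analyze(lines []string, d *Detector) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return alerts, err
		}
		if a := d.Process(ev); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts, nil
}

// SampleLog is a constructed log with hypothetical users and addresses.
func SampleLog() []string {
	return []string{
		"2024-05-01T10:00:01Z auth fail user=alice src=203.0.113.5",
		"2024-05-01T10:00:03Z auth fail user=bob src=203.0.113.5",
		"2024-05-01T10:00:05Z auth fail user=carol src=203.0.113.5",
		"2024-05-01T10:00:06Z auth ok user=dave src=10.0.0.8",
		"2024-05-01T10:00:08Z auth fail user=dave src=203.0.113.5",
		"2024-05-01T10:00:10Z auth fail user=erin src=203.0.113.5",
	}
}

func main() {
	alerts, _ := Analyze(SampleLog(), NewDetector())
	fmt.Println(alerts) // [{auth-brute-force 203.0.113.5}]
}
```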
Specifically, access rules and access rights control are defined so that the access rights of users inside and outside the network are limited and unauthorized access is prevented: an authentication mechanism, such as a user name and password or two-factor authentication, ensures that only authenticated users can access network resources; in addition, authorization mechanisms such as Access Control Lists (ACLs) or role-based access control (RBAC) control user access to resources based on user roles and permissions; dividing the network into different zones or using VPN technology creates a securely isolated environment that limits access between internal and external users; and firewalls are configured to keep untrusted traffic out of the network, while intrusion detection/prevention systems are used to detect and block potential malicious activity.
Specifically, secure access for remote users and branch offices is realized by encrypting communication and establishing secure tunnels, so that data leakage is effectively prevented; this is realized by the following scheme:
First, a secure VPN connection is established, connecting remote users and branch offices to the main network through an encrypted communication tunnel. The VPN uses encryption protocols (such as IPSec) to protect data from unauthorized access and leakage during transmission.
Second, the SSL/TLS encryption protocol is adopted for external access and Web communication, ensuring the confidentiality and integrity of data in transit. The HTTPS protocol protects Web traffic, and public key certificates are used to verify the identity of the server.
Remote desktop connections and remote management tools are securely configured, for example by restricting access, strengthening authentication and using encrypted transmission.
Access by remote users and branch offices is subject to two-factor authentication, such as a token, an SMS verification code or biometric recognition, which improves the security of the access.
In end-to-end communication, sensitive data is encrypted so that its security and confidentiality during transmission and storage are ensured. Encryption algorithms and protocols (e.g., AES, RSA) are used to protect the confidentiality of the data.
Secure tunneling: secure tunneling (e.g., SSH tunneling, IPSec tunneling) is used to establish encrypted communication channels that protect remote access and data transmission.
Security domain division and network isolation: independent security domains and network isolation are provided for access by remote users and branches. Network access among users with different security levels and requirements is limited, and data leakage is prevented.
Periodic security review and updating: the configuration of remote access and secure communication is periodically reviewed and updated. The latest security protocols and algorithms are used, known vulnerabilities and security weaknesses are repaired, and the security and stability of the system are maintained.
By implementing these security measures, access by remote users and branch offices can be effectively protected against data leakage and unauthorized access. Importantly, to maintain network security and compliance, these measures need to be regularly assessed and updated to keep pace with evolving security threats.
Specifically, sensitive data is encrypted with an encryption algorithm so that it stays secure in transit and in storage; the specific scheme is as follows:
Key encryption with an asymmetric algorithm: encryption and decryption use a key pair, the public key to encrypt and the private key to decrypt. The asymmetric algorithm protects the symmetric key that encrypts the data rather than the bulk data itself (hybrid encryption). Common asymmetric algorithms include RSA and ECC. The private key must be kept secure so that it is never disclosed.
Digital signature: an asymmetric algorithm is combined with a hash algorithm to provide data integrity and origin authentication. The hash of the data is signed with the private key, and the corresponding public key is used to verify the signature.
Encrypted transport protocol: an encrypted transport protocol (TLS; its predecessor SSL is deprecated and should be disabled) protects data in transit. It ensures that the data is encrypted on the network and that the server's identity is verified.
Secure storage: sensitive data held locally or in the cloud is encrypted at rest to protect it on the storage medium. File-level or database-level encryption may be used.
Key management: keys are kept secure and managed soundly. Secure mechanisms for key generation, storage and distribution are adopted so that keys are neither leaked nor misused.
Periodic key rotation: encryption keys are rotated on a schedule to limit how much data a compromised key exposes. The rotation frequency is set according to the security requirements.
Security audit and monitoring: an audit and monitoring mechanism records and analyses abnormal activity and events in cryptographic operations so that potential threats are detected and handled promptly.
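The scheme above (a symmetric data key, that key wrapped with an asymmetric algorithm, and a signature over the result) can be put together as follows. This is an added example written for this page, not code from the patent; it uses only the Go standard library, generates every key in-process, and the sample record it encrypts is constructed. AES-256-GCM, RSA-OAEP and Ed25519 are choices made here; the patent names only AES, RSA and ECC in general.

```go
package main

// Added example, not code from the patent: hybrid encryption of a sensitive
// record. A fresh AES-256-GCM data key encrypts the payload, the data key is
// wrapped with the recipient's RSA-OAEP public key, and the envelope is signed
// with the sender's Ed25519 private key so the receiver checks origin and
// integrity before decrypting. All keys are generated in-process for the demo.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what travels over the network or is written to storage.
type Envelope struct {
	WrappedKey []byte // data key encrypted with the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce, fresh for every data key
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // Ed25519 signature over SHA-256(WrappedKey|Nonce|Ciphertext)
}

// digest binds the fixed-length wrapped key and nonce to the ciphertext.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for the recipient and signs the result as the sender.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// RSA-OAEP (SHA-256) wraps the data key; only the private-key holder can unwrap it.
	e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	e.Signature = ed25519.Sign(senderPriv, e.digest())
	return e, nil
}

// Open checks the sender's signature first, then unwraps the data key and decrypts.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, e.digest(), e.Signature) {
		return nil, errors.New("signature check failed: envelope modified or wrong sender")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // also fails if nonce or ciphertext changed
}

// RoundTrip reports whether msg survives Seal/Open and whether flipping one
// ciphertext bit is rejected. Keys are generated fresh on every call.
func RoundTrip(msg []byte) (ok, tamperRejected bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	env, err := Seal(msg, &recipient.PublicKey, senderPriv)
	if err != nil {
		return false, false, err
	}
	got, err := Open(env, recipient, senderPub)
	if err != nil {
		return false, false, err
	}
	ok = string(got) == string(msg)
	env.Ciphertext[0] ^= 0x01 // simulate an attacker altering data in transit
	_, err = Open(env, recipient, senderPub)
	return ok, err != nil, nil
}
```

Two design points matter here. The signature is verified before any decryption is attempted, so a tampered envelope is rejected without touching the private key. And the data key is used for exactly one envelope, which is what makes the periodic rotation of the long-lived RSA and Ed25519 keys cheap: rotating them never requires re-encrypting stored data, only re-wrapping the small data keys.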
Specifically, dividing the network into several security zones and restricting communication between them is an effective network security measure that improves the security of the network; the specific scheme is as follows:
Subnet division: the network is divided into several subnets, each using its own IP address range. Access rules set on network devices (e.g., routers, firewalls) restrict communication between subnets.
Virtual local area network (VLAN): VLANs divide the network into logically independent areas, so that zones are isolated even on the same physical network. Communication between VLANs requires appropriate access control rules.
Network isolation and segmentation: the network is divided into security zones, and access control rules are set according to the sensitivity of the data and the access requirements. For example, the internal network is isolated from the external network, restricting external access to internal resources.
DMZ setup: a separate zone, the DMZ (demilitarized zone), hosts publicly accessible services such as web servers. The DMZ is separated from both the internal and the external network, and access to and from it is limited by access control rules.
Access control list (ACL): ACLs on firewalls or routers restrict communication between security zones. Filtering can be based on IP address, port number, protocol and so on.
Security policies and rules: explicit security policies and access rules are formulated according to security and business requirements to restrict communication between zones. Only the necessary communication is allowed and everything else is denied, which prevents unauthorized access.
Internal network monitoring: a monitoring system inside the network watches communication between security zones in real time so that abnormal activity is detected and handled promptly.
Network partitioning and security zone design must take the organization's security and business requirements into account and be planned accordingly. As the network evolves, the security policies and access rules are re-evaluated and updated periodically to keep the network secure.
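The zone model above (internal, DMZ, external, with an ACL that allows only the necessary flows and denies everything else) can be checked offline before it is pushed to a firewall. The following is an added example written for this page, not code from the patent: the address ranges, the rule list and the sample flows are assumptions chosen for the demonstration, and the evaluator implements the usual first-match-wins semantics with an implicit deny at the end.

```go
package main

// Added example, not code from the patent: a zone-based policy evaluator that
// models the segmentation described above. Hosts are classified into zones by
// address range, an ordered rule list is consulted first-match-wins, and any
// flow that no rule matches is denied. Ranges and rules are demo assumptions.
import (
	"fmt"
	"net"
)

type Zone string

// zoneRanges maps each named zone to its CIDR; any other address is "external".
var zoneRanges = map[Zone]string{
	"internal": "10.10.0.0/16", // workstations, databases, management hosts
	"dmz":      "10.20.0.0/24", // publicly reachable services only
}

// ZoneOf returns the zone an address belongs to, or "" if it does not parse.
func ZoneOf(addr string) Zone {
	ip := net.ParseIP(addr)
	if ip == nil {
		return ""
	}
	for z, c := range zoneRanges { // ranges are disjoint, so map order is irrelevant
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return z
		}
	}
	return "external"
}

type Rule struct {
	Src, Dst Zone
	Proto    string // "tcp", "udp" or "any"
	Port     int    // destination port, 0 = any
	Allow    bool
	Why      string
}

// policy is evaluated top to bottom; the first matching rule decides.
var policy = []Rule{
	{"external", "dmz", "tcp", 443, true, "public HTTPS service"},
	{"dmz", "internal", "tcp", 5432, true, "web tier to database only"},
	{"dmz", "internal", "any", 0, false, "DMZ must not pivot further inward"},
	{"internal", "dmz", "tcp", 22, true, "admin SSH into the DMZ"},
	{"internal", "external", "tcp", 443, true, "outbound HTTPS"},
}

type Flow struct {
	Src, Dst, Proto string
	Port            int
}

// Evaluate returns the decision and its reason. Unparseable addresses and
// flows no rule matches fall through to the implicit deny.
func Evaluate(f Flow) (bool, string) {
	sz, dz := ZoneOf(f.Src), ZoneOf(f.Dst)
	if sz == "" || dz == "" {
		return false, "unparseable address"
	}
	for _, r := range policy {
		if r.Src == sz && r.Dst == dz &&
			(r.Proto == "any" || r.Proto == f.Proto) &&
			(r.Port == 0 || r.Port == f.Port) {
			return r.Allow, r.Why
		}
	}
	return false, fmt.Sprintf("implicit deny (%s -> %s)", sz, dz)
}

func main() {
	flows := []Flow{ // constructed sample flows using documentation addresses
		{"203.0.113.5", "10.20.0.10", "tcp", 443}, // internet user -> DMZ web
		{"203.0.113.5", "10.20.0.10", "tcp", 22},  // internet user -> DMZ SSH
		{"203.0.113.5", "10.10.1.5", "tcp", 443},  // internet user -> internal host
		{"10.20.0.10", "10.10.1.5", "tcp", 5432},  // DMZ web -> internal database
		{"10.20.0.10", "10.10.1.5", "tcp", 445},   // DMZ web -> internal file share
		{"10.10.1.5", "10.20.0.10", "tcp", 22},    // admin -> DMZ host
	}
	for _, f := range flows {
		ok, why := Evaluate(f)
		fmt.Printf("%-13s -> %-11s %s/%-4d allow=%-5v %s\n", f.Src, f.Dst, f.Proto, f.Port, ok, why)
	}
}
```

The flow worth looking at is the DMZ web server reaching the internal file share on port 445: it is denied not by the implicit default but by the explicit "DMZ must not pivot further inward" rule, which documents the intent and survives a later change of the default. A test suite of expected allow/deny pairs like the one in main is the cheapest way to catch a rule-order mistake before it reaches production.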
It should be noted that the choice of encryption algorithm and key length is weighed against the security and compliance requirements. Key management and key security are equally important to protecting encrypted data. Encryption algorithms and key management mechanisms are evaluated and updated periodically to keep pace with changing threats and technology.
Specifically, recording network activity and events and performing security audits is an important network security practice that helps to monitor for and detect potential risks and threats in time. The key steps and practices are as follows:
Logging: logging is configured on key systems such as network devices, servers and applications so that key events and operations are recorded. These logs include login events, configuration changes, access attempts, abnormal behaviour and the like.
Security information and event management (SIEM): a SIEM tool collects, analyses and manages logs and security event information centrally. It supports automated log analysis and anomaly detection to uncover potential security threats.
Real-time monitoring and alerting: a real-time monitoring and alerting mechanism is set up, and the logs of network activity and events are checked and analysed regularly through the monitoring system and the SIEM tool. When an anomaly or attack is detected, an alert is sent promptly.
Security event response and handling: a response mechanism is established so that security events are handled quickly. Appropriate measures are taken as soon as possible, following a predefined response plan, to address potential risks and threats.
Security audit and compliance: security audits are conducted periodically to review and evaluate the network logs and security event records, ensuring that systems and operations comply with relevant regulations, compliance requirements and security best practices.
Malicious behaviour detection and analysis: security analysis tools and threat intelligence are used to detect and analyse malicious behaviour and threat patterns. Analysing the patterns in network activity and events reveals threats so that they can be addressed in time.
Security training and awareness: staff receive security training and awareness education so that they understand the importance of security events and report abnormal or suspicious activity.
Recording network activity and events and auditing them allows potential risks and threats to be identified and responded to promptly, improving the security and response capability of the network. Network security is a continuous process: security policies, monitoring mechanisms and response measures are assessed and updated regularly to keep pace with evolving threats and attack techniques.
Periodic vulnerability scanning of the network, remediation of system vulnerabilities, and timely installation and updating of security patches are key measures for improving system security. Common practices are as follows:
Vulnerability scanning: systems, applications and devices on the network are scanned periodically with dedicated vulnerability scanning tools. This uncovers known vulnerabilities and weaknesses, including operating system vulnerabilities, application vulnerabilities, configuration errors and the like.
Vulnerability assessment and prioritization: scan results are evaluated, and the order of remediation is decided according to the severity and potential impact of each vulnerability. High-risk vulnerabilities and the most exposed components are fixed first.
Remediation of systems and applications: vulnerabilities found in systems and applications are remediated promptly according to the scan results. This includes installing vendor-supplied security patches, updating software versions, configuring security options and so on.
Automated patch management: automated tools and systems simplify and accelerate patch management. Automation helps to detect and install newly released security patches in time and reduces human error.
Operating system and software updates: operating systems and applications are kept up to date, and new security fixes and patches are applied promptly. Software versions that no longer receive security support are decommissioned.
Third-party software and plug-in management: attention is paid to the third-party software and plug-ins in use, and their security patches are checked and applied periodically. These components are closely coupled to the systems and applications around them and must remain both compatible and secure.
Vulnerability management process: a vulnerability management process is established covering stages such as vulnerability tracking, remediation planning, verification and testing, to ensure that remediation is complete and timely.
Periodic vulnerability scanning, remediation of system vulnerabilities, and timely installation and updating of security patches effectively reduce the risk of the system being attacked and improve its overall security. It is important to keep this workflow running continuously to cope with growing security threats and newly discovered vulnerabilities.
In summary, the above system has at least the following advantages:
Improved system security: periodic vulnerability scanning, remediation of system vulnerabilities, and installation and updating of security patches effectively reduce the likelihood of the system being attacked and improve its overall security.
Prevention of potential security vulnerabilities: vulnerability scanning finds potential security vulnerabilities in systems and applications so that they can be fixed promptly, reducing the risk of attack. Preventive remediation keeps vulnerabilities from being exploited by malicious attackers.
Protection of important data and sensitive information: system vulnerabilities and unpatched software carry the risk of data leakage and information theft. Timely patching and updating reduces these risks and protects important data and sensitive information.
Reduced economic loss: timely remediation of system vulnerabilities and installation of security patches reduce the risk and potential cost of attacks on the system. Preventive work avoids the economic loss and reputational damage that security incidents cause.
The foregoing is only a preferred embodiment of the present application, but the scope of the present application is not limited thereto; any equivalent substitution or modification made by a person skilled in the art according to the technical scheme of the present application and its inventive concept, within the scope of the present application, shall be covered by the scope of the present application.

Claims (9)

1. A computer network engineering safety control system, characterized in that it comprises the following steps:
setting up a firewall to monitor and control network traffic, preventing unauthorized access and malicious attacks;
detecting and preventing intrusion by monitoring network traffic and identifying abnormal behaviour, and taking measures in time to protect network security;
restricting the access rights of users inside and outside the network by defining access rules and permission controls, preventing unauthorized access;
realizing secure access for remote users and branch offices through encrypted communication and the establishment of secure tunnels, preventing data leakage;
encrypting sensitive data with an encryption algorithm, ensuring the security of the data in transit and in storage;
dividing the network into several security zones and restricting communication between zones, improving the security of the network;
recording network activity and events and performing security audits, monitoring for and detecting potential risks and threats in time;
and periodically scanning the network for vulnerabilities, remediating system vulnerabilities, and installing and updating security patches in time, improving the security of the system.
2. The computer network engineering safety control system according to claim 1, characterized in that: the firewall is set up to monitor and control network traffic and prevent unauthorized access and malicious attacks; by setting access rules, the firewall restricts which traffic may enter or leave the network, inspects network traffic and filters out potential threats, and uses threat intelligence and security policies to detect and block known attacks; by inspecting the packets of network traffic, the firewall decides whether to allow or block traffic according to preset security policies and rules.
3. The computer network engineering safety control system according to claim 1, characterized in that: intrusion is detected and prevented by monitoring network traffic and identifying abnormal behaviour, using an intrusion detection system or a network traffic analysis tool to monitor network traffic in real time; rules and models based on known attack patterns and abnormal behaviour characteristics are set to identify potential intrusions and abnormal behaviour; when abnormal behaviour is detected, a real-time alert is generated to notify the security team; monitoring results and alert lists are recorded and analysed; threat intelligence is followed to keep abreast of the latest attack trends, vulnerabilities and software weaknesses, and the system is updated and patched in time to reduce the risk of known vulnerabilities being exploited; and the effectiveness of the intrusion detection system and monitoring tools is assessed and continuously improved, with rules and models updated for new attack vectors and threats to improve detection accuracy and sensitivity.
4. The computer network engineering safety control system according to claim 1, characterized in that: access rules and permission controls are defined to restrict the access rights of users inside and outside the network and prevent unauthorized access; an authentication mechanism ensures that only authenticated users can access network resources; user access to resources is controlled according to user roles and permissions; dividing the network into different zones or using VPN technology creates a securely isolated environment that limits access between internal and external users; and firewalls are configured to keep untrusted traffic out of the network while intrusion detection/prevention systems detect and block potential malicious activity.
5. The computer network engineering safety control system according to claim 4, characterized in that: secure access for remote users and branch offices is realized through encrypted communication and the establishment of secure tunnels, effectively preventing data leakage, with remote users and branch offices connected to the main network through encrypted communication tunnels; the SSL/TLS encryption protocol is adopted for external access and web communication, ensuring the confidentiality and integrity of data in transit; remote desktop connections and remote management tools are securely configured; access by remote users and branch offices is subject to two-factor authentication; sensitive data is encrypted in end-to-end communication, ensuring its security and confidentiality in transit and in storage; an encrypted communication channel is established with secure tunneling technology to protect remote access and data transmission; and independent security domains and network isolation are provided for access by remote users and branch offices.
6. The computer network engineering safety control system according to claim 5, characterized in that: sensitive data is encrypted with an encryption algorithm; the key is encrypted with an asymmetric encryption algorithm; an asymmetric encryption algorithm and a hash algorithm are combined to ensure data integrity and identity verification; an encrypted transport protocol protects the data in transit; and sensitive data stored locally or in the cloud is encrypted at rest to ensure its security on the storage medium.
7. The computer network engineering safety control system according to claim 5, characterized in that: dividing the network into several security zones and restricting communication between zones is an effective network security measure; the network is divided into several subnets, each of which may use a different IP address range; VLAN technology divides the network into logically independent areas, so that zones are isolated even on the same physical network; the network is divided into security zones with access control rules set according to the sensitivity of the data and the access requirements; a security zone is set up to host publicly accessed services; and access control lists are configured using the ACL function of the firewall or router to restrict communication between security zones.
8. The computer network engineering safety control system according to claim 1, characterized in that: network activity and events are recorded and security audits are performed; logging is configured on key systems such as network devices, servers and applications so that key events and operations are recorded; a SIEM tool collects, analyses and manages logs and security event information centrally; a real-time monitoring and alerting mechanism is set up, and the logs of network activity and events are checked and analysed regularly through the monitoring system and the SIEM tool; a response mechanism is established to respond to and handle security events quickly; and security analysis tools and threat intelligence are used to detect and analyse malicious behaviour and threat patterns, so that threats are discovered and addressed in time by analysing the patterns of network activity and events.
9. The computer network engineering safety control system according to claim 1, characterized in that: the network is scanned for vulnerabilities periodically, system vulnerabilities are remediated, and security patches are installed and updated in time; systems, applications and devices on the network are scanned periodically with a dedicated vulnerability scanning tool; scan results are evaluated and the order of remediation is decided according to the severity and potential impact of each vulnerability; vulnerabilities found in systems and applications are remediated promptly according to the scan results; automated tools and systems simplify and accelerate patch management; operating systems and applications are kept up to date, with new security fixes and patches applied promptly; the third-party software and plug-ins in use are tracked and their security patches checked and applied periodically; and a vulnerability management process is established to ensure that remediation is complete and timely.
CN202311171649.5A 2023-09-12 2023-09-12 Computer network engineering safety control system Pending CN117155678A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311171649.5A CN117155678A (en) 2023-09-12 2023-09-12 Computer network engineering safety control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311171649.5A CN117155678A (en) 2023-09-12 2023-09-12 Computer network engineering safety control system

Publications (1)

Publication Number Publication Date
CN117155678A true CN117155678A (en) 2023-12-01

Family

ID=88907820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311171649.5A Pending CN117155678A (en) 2023-09-12 2023-09-12 Computer network engineering safety control system

Country Status (1)

Country Link
CN (1) CN117155678A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117390656A (en) * 2023-12-06 2024-01-12 深圳奥联信息安全技术有限公司 Security management method and system for encryption equipment
CN117390656B (en) * 2023-12-06 2024-06-11 深圳奥联信息安全技术有限公司 Security management method and system for encryption equipment
CN117725631A (en) * 2023-12-18 2024-03-19 四川和恩泰半导体有限公司 Secure memory bank and method for starting secure memory bank
CN117473503A (en) * 2023-12-27 2024-01-30 深圳鼎智通讯有限公司 Installation package safety detection system and intelligent POS terminal
CN117473503B (en) * 2023-12-27 2024-04-12 深圳鼎智通讯有限公司 Installation package safety detection system and intelligent POS terminal
CN117521120A (en) * 2024-01-08 2024-02-06 深圳易思智科技有限公司 File encryption method, device, equipment and storage medium
CN117521120B (en) * 2024-01-08 2024-04-09 深圳易思智科技有限公司 File encryption method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination