An overview of the
With the rapid development of the information industry, network security mechanisms and technologies are constantly changing. Network security is no longer a single, uniform technology or strategy; it has become a complex piece of systems engineering. System security can be subdivided into user security, password security, network security and data security.
More and more enterprises are beginning to attach importance to system security. To meet the needs of the market, Authing has launched a complete set of systems and standard procedures for system security and prevention.
First, user security
Authing users log in with a password plus a verification step (SMS or email). After entering the password, the user receives a verification code by SMS or email, and can log in only when the verification code is correct. In addition, the system notifies the administrator when the user logs in with this account. The administrator can encrypt the user password or store the password in plaintext.
Second, cyber security
Network management covers the management and monitoring of network devices, to ensure the secure, reliable and stable running of network software and hardware such as antivirus walls and firewalls.
Ensure that IP addresses and passwords of network devices are not leaked. Set filtering rules and protection levels for software and hardware such as antivirus walls and firewalls. Divide management zones, such as security management zones, office zones, network access zones, core switching zones, central service zones, and data management zones.
Third, server security
Monitor the server every day, back it up periodically, change passwords, increase password complexity, disable unnecessary services and ports, prohibit remote login by root, and allocate sub-user rights properly.
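One way to check the "prohibit remote login by root" item on a Linux server running OpenSSH, as an added example that is not part of the original article. It assumes the server's `sshd_config` is passed in as text and does not follow `Include` files; the sample configuration is constructed.

```python
def audit_root_login(config_text):
    """Return (line_number, message) findings for PermitRootLogin in sshd_config text."""
    findings = []
    global_value = None   # sshd uses the first value it obtains for a keyword
    match_block = None    # criteria of the Match block being read, if any
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match_block = value                         # lasts until next Match or end of file
        elif keyword == "permitrootlogin":
            if match_block is not None:
                # A Match block overrides the global setting for matching connections.
                if value != "no":
                    findings.append((number, f"Match {match_block}: root login '{value}'"))
            elif global_value is None:
                global_value = value
                if value != "no":
                    findings.append((number, f"global root login '{value}'"))
            else:
                findings.append((number, f"ignored: earlier value '{global_value}' wins"))
    if global_value is None:
        # Line 0 marks a finding about an absent setting.
        findings.append((0, "PermitRootLogin unset: default 'prohibit-password' allows key login"))
    return findings


# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """\
# management access
Port 22
permitrootlogin prohibit-password
PermitRootLogin no
Match Address 10.0.100.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for line_number, message in audit_root_login(SAMPLE_CONFIG):
        print(line_number, message)
```

The sample shows two easy mistakes: a later `PermitRootLogin no` does not undo an earlier, weaker line, and a `Match` block can re-enable root login for some sources.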
Fourth, data security
Users are assigned different permissions. People with different permissions see different data, and only those with the required permissions see unprocessed data.
Data backup and disaster recovery ensure data security, consistency, and isolation.
System process security
First, user management
User management is divided into the management of users, system users, application users, and data users. Access permissions and scope are clearly divided according to the identities and levels of users, and each user's access scope is restricted by permissions that match that user's needs.
Users are the users of applications, systems and data, or of hardware such as servers and switches. Their rights should be arranged reasonably according to their scope of application or how they use these resources, and detailed usage records or operation logs should be kept.
System users are the management users of the operating system. In Linux, the root user has the maximum permission and can manage all other users and file data. Only O&M administrators or system administrators may use the root user. Other users can be created to manage data as required.
Application users are the users of an application program. Developers need to implement the corresponding controls in the program, so that different users of the application are exposed to different data.
Data users are mainly the users who operate the database. Each database user is assigned roles or permissions according to the data they need, so as to protect the different system data and keep it confidential.
All users are managed uniformly according to their characteristics, and the user scope and the personnel who manage users are divided according to the attributes of the different users. Other staff who need to use an account must apply to the relevant management personnel; once the application has been reviewed and registered, they can use the permissions applied for. Other personnel must not use an account without authorization, and a person who has been granted permissions must not pass them on to unauthorized personnel.
Second, password management
User names and passwords must be managed in a unified manner. A user name and password are obtained by submitting an application; after review, the management personnel register the request and issue the user name and password. To keep passwords secure, managers need to take care to prevent them from leaking.
Third, application management
Application management requires stronger security management of application development, application code, and application services.
The application development process needs corresponding code documentation and comments, and uniform coding and naming conventions.
To ensure the security of application code (for example, to prevent code loss, code leakage, and code confusion), tools such as SVN can improve security to a certain extent. However, strict regulations and habits are also required.
Application services need to protect the privacy of sensitive data; personal and confidential data need to be encrypted and decrypted to prevent the disclosure of private data.
Fourth, data security
Data security mainly concerns the management of data stored in the database, including the management of database users, passwords, tablespaces, and tables.
Users and passwords for applications are allocated according to the properties of the application systems and the data they store, and the corresponding database table structures and tablespaces are divided accordingly. Keeping data planning and data storage forms consistent not only makes data storage secure but also keeps it orderly.
Network security
First, transmission security
Data centers can be divided into the following areas based on application deployment requirements, principles for the construction of next-generation data centers, and implementation of network security:
- Data management area: Centrally stores and manages data of all application systems.
- Service application area: Deploys the service application system at the general office.
- Supporting platform application area: Deploys the platform's supporting application systems (centralized session system, distributed cache system, and distributed task scheduling system).
- Common service area: The various settings and applications required to deploy common services, web services, and security management.
- Secure access area: Used to achieve secure connection to, and logical isolation from, the Internet, including the various security facilities and applications that provide services directly to Internet users.
- IT control area: Used for network management, security management, and operation and maintenance management of the main ECIQ system, including the various security facilities and control platforms.
The secure access area, data management area, application service area, and IT control area adopt identity authentication and the following security protection measures:
- Host authentication and application authentication;
- Access control;
- System security audit;
- Intrusion prevention;
- Host malicious code prevention;
- Software fault tolerance;
- Data integrity and confidentiality, backup and recovery and other security protection measures.
Second, network reliability
A highly reliable network requires a highly reliable network structure. The network should be able both to split business traffic and to serve disaster recovery, so it needs reliable hardware redundancy and redundant network protocols. When a single point of failure occurs, the network can automatically detect reachability, announce the change to the whole network, and switch hardware or software to keep the network reachable and running normally.
Third, network load balancing
At the network layer, daily service traffic is balanced across the entire data center, and load balancing devices are used within the data center to balance network data traffic.
Global load balancing devices are used to distribute service traffic from users to data centers. Users can access different data centers based on different policies or load conditions to disperse network traffic, reduce network congestion, and improve access and service quality.
Local load balancing is used to distribute the data traffic among servers in the data center.
Fourth, network structure security
The security of the network structure is the premise and foundation of network security. Core routing and network equipment must be deployed redundantly to avoid single points of failure. The peak-traffic processing capacity for business data must also be considered: there must be enough spare capacity to meet business peaks, and the bandwidth of each part of the network must ensure that both the access network and the core network can handle them.
Define bandwidth allocation priorities according to the importance of each business system's services, so that important business servers are given priority when the network is congested. Plan routing reasonably and establish secure paths between business servers. Keep a network topology map that is consistent with the current running state, and divide the network into different segments or VLANs based on factors such as the importance of the information involved.
Important network segments of important service systems and data cannot be directly connected to external systems. They must be isolated from other network segments and allocated separate security zones.
Fifth, network security audit
The network security audit system is mainly used to monitor and record all kinds of operations on the network, to detect existing and potential threats to the system, and to analyze network security events, both external and internal, comprehensively and in real time. Enable the log audit function on network devices and incorporate it into the security management platform for unified monitoring and management.
Sixth, network equipment protection
To improve the security of network devices and ensure the normal running of network applications, you need to take a series of security hardening measures for network devices, including:
- Authenticate users who log in to network devices. The user names must be unique.
- Restrict the login addresses of administrators on network devices.
- Authentication information must not be easy to use fraudulently. The password should contain at least 3 types of characters and be at least 8 characters long, and should be changed regularly.
- Devices must handle login failures, with measures such as ending the session, limiting the number of illegal login attempts, and automatically logging out when the login connection times out.
- Enable management modes such as SSH to encrypt management data to prevent network eavesdropping.
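The checks in this list can be expressed as code. The following is an added example, not part of the original article or of any Authing product. It reads the password rule as at least 3 character classes and at least 8 characters; the failure limit, lockout time, idle timeout and management subnet are assumptions, since the article gives no values for them.

```python
import ipaddress

MIN_LENGTH, MIN_CLASSES = 8, 3      # the two numbers stated in the list above
MAX_FAILURES = 5                    # assumption: the article gives no limit
LOCKOUT_SECONDS = 900               # assumption
IDLE_TIMEOUT_SECONDS = 300          # assumption
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.100.0/24")]  # constructed management subnet


def password_meets_policy(password):
    """True if the password has >= 8 characters drawn from >= 3 character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols and spaces
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


class DeviceLoginGuard:
    """Login-address restriction, failed-login limiting and idle timeout for one device."""

    def __init__(self):
        self.failures = {}   # username -> (failure count, time of last failure)
        self.sessions = {}   # username -> time of last activity

    def login(self, user, source_ip, password_ok, now):
        address = ipaddress.ip_address(source_ip)
        if not any(address in network for network in ADMIN_NETWORKS):
            return "rejected: source address not allowed"
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return "rejected: account locked"   # even a correct password is refused
            count = 0                               # lockout window has elapsed
        if not password_ok:
            self.failures[user] = (count + 1, now)
            return "rejected: bad credentials"
        self.failures.pop(user, None)
        self.sessions[user] = now
        return "ok"

    def is_session_active(self, user, now):
        """Refresh an active session; end it once it has been idle too long."""
        last = self.sessions.get(user)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(user, None)
            return False
        self.sessions[user] = now
        return True
```

Times are passed in as plain seconds so the lockout and timeout behaviour can be exercised without waiting.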
At the same time, an internal-control operations management system should be deployed to authenticate and audit device management logins. It ensures that only authorized administrators can log in over a reliable path to perform device management operations, and that the whole operation process is audited, controlled and recorded. This avoids illegal or mistaken operations by authorized users and ensures the legitimacy of network device maintenance.
Seventh, confidentiality of communication
Communication confidentiality at the application layer is mainly achieved by the application system. Before a connection is established between the communicating parties, the application system should use cryptographic technology to initialize the session, and it should encrypt the sensitive information fields during communication. The confidentiality of information in transit is achieved by the transmission encryption of the application system and the database system.
Server security
First, server system security
Server security 1: Start with the basics and install system patches promptly, on both Windows and Linux. Every operating system has vulnerabilities, and patching in time to keep them from being exploited in deliberate attacks is one of the most important guarantees of server security.
Server security 2: Install and configure a firewall. Many hardware-based and software-based firewalls are now available, and many security vendors have launched related products. For server security, installing a firewall is essential. A firewall protects well against illegal access, but installing one does not by itself make the server secure. After the firewall is installed, configure it appropriately for the network environment to achieve the best defensive effect.
Server security 3: Install network antivirus software. Viruses are now rampant on the network, so a network edition of antivirus software needs to be installed on the network server to control the spread of viruses. The antivirus software must also be upgraded regularly or promptly, and the virus library updated automatically every day.
Server security 4: Disable unnecessary services and ports. During installation of the server operating system (OS), some unnecessary services are enabled, which occupy system resources and increase system security risks. Shut down servers that are not needed at all for a period of time; on servers that will be used during that period, shut down all services that are not needed and close the TCP ports that are not needed.
Server security 5: Back up the server periodically. Back up the system to guard against unexpected system failures or unauthorized operations. In addition to monthly system-wide backups, weekly backups of modified data should be performed. At the same time, important system files that have been modified should be stored on different servers so that the system can be restored to normal in the event of a system crash.
Server security 6: Protect accounts and passwords. Account and password protection can be called the first line of defense of the server system, because most attacks on server systems start with intercepting or guessing passwords. Once a hacker gets into a system, the defenses are almost useless. Managing the accounts and passwords of the server system administrators is therefore very important to system security.
Server security 7: Monitor system logs. By running the system log program, the system records how all users use the system, including the latest login time, the accounts used, and their activities. The log program periodically generates reports; analyze these reports to find out whether there are anomalies.
Second, server software security
Server software security mainly concerns the software media we use: installing or running software that carries virus plug-ins is strictly prevented. Any software or application may be installed and deployed on the server only after being reviewed and verified by the leader. Never download software directly on the server. Software or file uploads must be transferred to the server through the front-end machine or the fortress machine (bastion host).
Third, server security management
- Do not use any software, CD-ROM, or removable storage devices with viruses or Trojan horses on the server. Virus detection must be done before using the devices. Do not use the server for anything other than work. Do not delete, move or change server data without authorization. Do not intentionally damage the server system or modify the server system time without authorization.
- The server system must be upgraded and have security patches installed to remedy system vulnerabilities. The server system must monitor for viruses and Trojans in real time and update the virus library promptly.
- The administrator must keep the administrator accounts and passwords confidential and modify them periodically to ensure system security and prevent unauthorized intrusions.
- Any irrelevant personnel are not allowed to enter the main room without authorization. If they need to enter the main room, they must obtain the consent of the server management personnel. They should take good care of the equipment and articles in the main room.
- Inflammable, explosive, strongly magnetic and other articles irrelevant to the work of the machine room are strictly prohibited from the machine room, and smoking is strictly prohibited.
- The main server room must be equipped with a certain amount of fire prevention (fire fighting) equipment. A designated person is responsible for managing it, storing it properly and inspecting it regularly, so that it is in good condition at all times.
- Take measures to prevent fire, moisture, dust and insects in the equipment room, and adhere to the principle of “prevention first and prevention combined”.
- On weekends and holidays, a designated person must check the operation of the network, solve any problems found promptly and record how they were handled, and report promptly any problem that cannot be solved.
- Before each holiday, the management personnel must download a backup of all programs and data of the database and website to local storage.
Data security
First, database system security
The security of database system includes two aspects:
- Database data security: Database data must not be lost when the storage media is damaged, or when database system downtime is caused by user misoperation or other reasons.
- Preventing intrusion by illegal users: Potential vulnerabilities should be discovered and plugged as far as possible, to prevent illegal users from exploiting loopholes to invade the database system and gain access to information resources.
Second, data security
- Periodically back up database data, using full backups and incremental backups.
- Assign permissions to backup personnel correctly.
- Install firewalls and intrusion detection systems.
- Data encryption uses DES, cipher feedback and other advanced encryption technology to improve security. The database file password and the database field description parts are encrypted as a whole.
Third, the database system to prevent illegal user intrusion
- Security management
In the vast majority of database management systems, the database administrator (DBA) is responsible for all management of the system, including security management. Obviously, this management mechanism concentrates too much power in the DBA, which is a security risk.
The solution is to adopt a security management system with separation of three powers, dividing the system administrators as follows: the DBA is responsible for discretionary access control and for system maintenance and management; the SSO is responsible for mandatory access control; the Auditor is responsible for system audit.
This management system truly separates the three powers: each role performs its own duties and the roles constrain one another, which reliably ensures the security of the database.
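The separation of three powers can be checked mechanically against the accounts that actually hold each role. The following is an added example, not code from the original article or from any database product; the operation names and the sample assignments are hypothetical.

```python
# Hypothetical operations; the split of duties follows the paragraph above.
ROLE_OPERATIONS = {
    "DBA": {"grant_object_privilege", "backup_database"},   # discretionary access control, maintenance
    "SSO": {"set_security_label"},                          # mandatory access control
    "AUDITOR": {"read_audit_log"},                          # system audit
}


def audit_assignments(assignments):
    """Check (account, role) pairs and return a sorted list of violations."""
    roles_by_account, problems = {}, []
    for account, role in assignments:
        if role not in ROLE_OPERATIONS:
            problems.append(f"{account}: unknown role {role}")
            continue
        roles_by_account.setdefault(account, set()).add(role)
    for account, roles in roles_by_account.items():
        if len(roles) > 1:                      # one person holding two powers
            problems.append(f"{account}: holds {'+'.join(sorted(roles))}")
    held = set().union(*roles_by_account.values()) if roles_by_account else set()
    for role in ROLE_OPERATIONS:
        if role not in held:                    # a power nobody exercises
            problems.append(f"{role}: no account assigned")
    return sorted(problems)


def authorize(assignments, account, operation):
    """Allow an operation only for an account holding exactly one role that owns it."""
    roles = {r for a, r in assignments if a == account and r in ROLE_OPERATIONS}
    if len(roles) != 1:
        return False                            # refuse accounts that break the separation
    return operation in ROLE_OPERATIONS[roles.pop()]


# Constructed sample: alice has been given two of the three powers.
SAMPLE_ASSIGNMENTS = [("alice", "DBA"), ("bob", "SSO"), ("alice", "AUDITOR")]

if __name__ == "__main__":
    print(audit_assignments(SAMPLE_ASSIGNMENTS))
    print(authorize(SAMPLE_ASSIGNMENTS, "bob", "set_security_label"))
```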
- User management
To access the management system, database system, operating system, file system, or network system, users should apply for accounts with the corresponding permissions and may access the database system only after approval. To guard against misoperation, users need to back up data in a timely manner so that changes can be rolled back. A common user does not have operation rights on the database system.
Authentication is one of the most important and difficult tasks in a security system, because the identification process is easily confused with the authentication process. Specifically, the identification process associates the user's username with a program or process, while the authentication process aims to associate the username with a truly authorized user.