Product Introduction of Coton Intranet Security Platform
Coton's product line consists of six modules, as follows. The Trusted Desktop Management Subsystem is an organic part of Coton's intranet security defense system, and its position in the Coton Intranet Security Platform is shown in the figure below. The trusted network infrastructure platform provides computer authentication information to this subsystem, and the Trusted Network Authentication Authorization Subsystem provides user authentication information. Based on these two kinds of authentication information, the subsystem can control and manage computers and users, reducing administrators' maintenance work and the risk of information leakage. In addition, combined with the authentication, mobile storage media management, network monitoring and network domain management subsystems, the Trusted Desktop Management Subsystem provides all-round protection for the intranet of an enterprise or unit.

Figure 1: Coton Intranet Security Platform Architecture. The figure shows the Trusted Network Infrastructure Platform and six subsystems (Trusted Network Authentication Authorization, Trusted Desktop Management, Trusted Mobile Storage Media Management, Trusted Network Monitoring, Trusted Network Domain Management and Trusted Document Security), with computer authentication information and user authentication information flowing into the Trusted Desktop Management Subsystem.

The objectives of the system can be summarized as follows:

Sensitive information cannot be taken away. The system provides peripheral management: by controlling the use of terminal peripherals, it prevents terminal users from copying or transmitting sensitive information outside the enterprise or unit without authorization.

Sensitive information cannot be read. Through transparent encryption and decryption of sensitive information, the system ensures that unauthorized users cannot read it even if they manage to take it away.

Strict auditing of file operations. The system provides file control, and by closely auditing operations on sensitive files, illegal user operations can be traced afterwards.

Monitoring of user behavior. For monitoring, the system provides remote terminal monitoring: administrators can watch users' running applications, desktop status, memory and hard disk usage in real time. If a user's behavior does not meet the requirements of the enterprise or unit, the administrator can lock the terminal, capture the screen, or collect evidence in real time. For control, the system provides process control, which decides whether a user is allowed to run a given program. This both standardizes user behavior and improves employees' work efficiency, and keeps the terminal stable and protected against virus attacks.

Terminal assets can be inventoried. Administrators can take stock of terminal hardware and software assets and track their changes to prevent loss of enterprise or unit assets.

Automatic data distribution. Administrators can distribute documents, software or patches to terminals and choose, according to the item's nature, whether to store, install or execute it.

Instant information exchange. Administrators and end users can exchange announcements and feedback through the system.

The trusted mobile storage media management subsystem provides the following functions:

(1) Centralized registration management of mobile storage media. Through this system, administrators can centrally register the mobile storage media used internally, so that these media can be managed in a unified way with access control and security log auditing. The registration contents include:

- Meta-information of the storage medium: device name, competent department, subordinate department, user department, person in charge, user and remarks;

- Service life: the period during which the medium may be used on the intranet. Once it expires, the system automatically prohibits the device from being used in the network.

(2) Private disk format. When registering a mobile storage medium, the administrator can register it in a special disk format, so that the medium can only be used inside the enterprise intranet; if an insider takes it outside, external machines will not recognize it, which prevents internal data from being lost.

(3) Strict media access control. After a medium is connected to an internal computer, the system identifies its authentication information and applies a different access-control mechanism depending on the result:

- Authenticated media. For legally registered removable storage media, administrators can set the range of computers and the range of users that may use them; the specific access control is subdivided into three rules:

A. If an unauthorized user uses the medium, or an insider uses it on an unauthorized machine, the system automatically blocks it to prevent the loss of confidential data;

B. The medium can be used normally only when a legitimate user accesses it on a legitimate machine;

C. Administrators can easily report a storage medium as lost. Once reported lost, the medium can no longer be accessed on the intranet.

- Unauthenticated media. For unregistered media, the administrator sets uniformly whether such media may be used on the intranet. If the administrator prohibits their use, the device cannot be accessed on the intranet.

(4) Flexible access control. After a mobile storage medium is connected to an internal computer, the administrator can set its usage rights from the console. The system supports five control modes:

- Prohibited. The medium cannot be used within the scope authorized by the administrator.

- Read-only control. Within the scope authorized by the administrator, the device can only be used read-only, and users cannot copy any files to the medium.

- Read-write control. Within the scope authorized by the administrator, users can read from and write to the medium.

- Transparent-decryption read-only control. Within the scope authorized by the administrator, the device can only be used read-only and users cannot copy any files to it; unlike plain read-only control, when a user reads a file the system transparently decrypts the data read.

- Transparent encryption and decryption read-write control. Within the scope authorized by the administrator, users can read from and write to the medium; unlike plain read-write control, the system automatically decrypts data when the user reads it and automatically encrypts data when the user writes it, so that internal data is not lost.

(5) Offline policy control. When a user takes the computer out of the intranet (for example, on a business trip), the administrator can control the use of mobile storage media through a second set of offline policies. The user's operations on mobile storage media are recorded automatically while offline, and the log is uploaded automatically once the computer is back online.
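As an added illustration (not Coton's code), the following Python models the decision logic described in (3), (4) and (5) above: registered versus unregistered media, computer and user ranges, loss reports and service life, the five control modes, and a second policy set for offline terminals, with each access logged as in (6). All device ids, user names and dates are constructed, and treating the "may unregistered media be used" setting as a single mode is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Mode(Enum):
    """The five control modes the subsystem supports."""
    PROHIBITED = "prohibited"
    READ_ONLY = "read-only"
    READ_WRITE = "read-write"
    DECRYPT_READ_ONLY = "transparent-decrypt read-only"
    CRYPT_READ_WRITE = "transparent-encrypt/decrypt read-write"


@dataclass
class MediaRecord:
    """Registration entry for one removable medium (constructed fields)."""
    device_id: str
    expires: str                  # service life as an ISO date; unusable once passed
    computers: frozenset          # computer range the medium may be used on
    users: frozenset              # user range that may use the medium
    online_mode: Mode             # mode applied while the terminal is on the intranet
    offline_mode: Mode            # second policy set, applied while off the intranet
    lost: bool = False            # set when the administrator reports a loss


@dataclass
class Registry:
    media: dict                   # device_id -> MediaRecord
    # Assumption: the page says the administrator sets uniformly whether
    # unregistered media may be used; that is modelled here as one mode.
    unregistered_mode: Mode = Mode.PROHIBITED
    audit_log: list = field(default_factory=list)


def decide(reg, device_id, user, computer, today, online=True):
    """Return the Mode applied when `user` connects `device_id` to `computer`
    on ISO date `today`; the access event is logged whatever the outcome."""
    rec = reg.media.get(device_id)
    if rec is None:                                   # unauthenticated medium
        mode = reg.unregistered_mode
    elif rec.lost or date.fromisoformat(today) > date.fromisoformat(rec.expires):
        mode = Mode.PROHIBITED                        # loss reported or service life over
    elif user not in rec.users or computer not in rec.computers:
        mode = Mode.PROHIBITED                        # rule A: wrong user or wrong machine
    else:                                             # rule B: legal user on a legal machine
        mode = rec.online_mode if online else rec.offline_mode
    reg.audit_log.append({"event": "media_access", "time": today, "user": user,
                          "computer": computer, "device": device_id,
                          "online": online, "mode": mode.value})
    return mode


def operation_permitted(mode, op):
    """Map a mode to (allowed, transparent_crypto) for op in {"read", "write"}."""
    table = {
        Mode.PROHIBITED:        {"read": (False, False), "write": (False, False)},
        Mode.READ_ONLY:         {"read": (True, False),  "write": (False, False)},
        Mode.READ_WRITE:        {"read": (True, False),  "write": (True, False)},
        Mode.DECRYPT_READ_ONLY: {"read": (True, True),   "write": (False, False)},
        Mode.CRYPT_READ_WRITE:  {"read": (True, True),   "write": (True, True)},
    }
    return table[mode][op]


def sample_registry():
    """Constructed sample data for a stand-alone run."""
    usb = MediaRecord("USB-0001", "2025-12-31",
                      frozenset({"PC-FIN-01", "PC-FIN-02"}), frozenset({"alice"}),
                      Mode.CRYPT_READ_WRITE, Mode.DECRYPT_READ_ONLY)
    return Registry({usb.device_id: usb})
```

Note that the offline terminal falls back to transparent-decrypt read-only in this sample, so files already encrypted for the intranet stay readable but nothing new can be written out.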

(6) Security incident early warning and auditing. The system records users' operations on mobile storage media on the enterprise intranet. When an event that the administrator has predefined as a warning event occurs, the system reports it promptly and displays it as an early warning. The specific operation logs include:

- Removable storage media access event. When a user accesses a mobile storage medium on the intranet, the system records the access event, including access time, person, location and device number.

- File copy event. When a user copies intranet data to a mobile storage medium, the system automatically records the copy event, including copy time, person, location, device number, file information and so on.

Compared with similar products, the system has the following characteristics:

1. Standardized design. The system is designed in strict accordance with the management requirements for mobile storage media in classified networks, and conforms to the relevant national regulations and standards.

2. Device independence. The system does not depend on specific mobile storage media or computer hardware, and can turn an enterprise's existing mobile storage media into "trusted mobile storage media" under strict management.

3. Broad support. The system supports all common types of removable storage media, including USB flash drives, removable hard disks, digital cameras and MP3 players.

4. Flexible registration policy. Administrators can flexibly manage the computers (or groups) and users (or groups) that may use a mobile storage medium.

5. Simple operation. The private disk format and kernel-level data encryption are completely transparent to users, who need no additional training, which reduces cost.

6. Offline policy control. When internal personnel use mobile storage media on an external network, they remain under the control of the offline policy.

7. Strong follow-up audit. The system has powerful mobile storage media tracking and log auditing functions, and can reliably track the usage of a storage medium over its whole life cycle.

The trusted document security subsystem mainly includes the following functions:

- Forced encryption

By specifying document types or the programs that process them, all such files on any storage medium can be encrypted, which effectively prevents disclosure of confidential information.

- Input control

By limiting the read permission and read scope of distributed files, their circulation scope can be effectively controlled and the risk of confidential files proliferating reduced; centralized storage and convenient, fast query services are provided, improving the function of the file server.

- Output control

Through a self-installing control program, read permissions for external units are set, which effectively prevents disclosure of the unit's intellectual property.

The trusted document security subsystem mainly includes the following key technologies:

- Kernel-level dynamic encryption and decryption

Dynamic encryption and decryption technology encrypts data and stores it through separate security policy channels, so that stored data cannot be leaked by any means (including mobile storage devices, the network, e-mail, and instant messaging tools such as MSN, QQ, Bubble and Skype). When a legitimate user reads the data, it is decrypted securely through the dynamic encryption and decryption technology and the correct security policy channel. For plaintext content in memory, a dedicated memory file content protection mechanism prevents the content from being stolen through the network or by other applications. Encryption and decryption complete automatically and are completely transparent to users, so file security is protected without the user noticing.

- Read-only control

Read-only control of files is enforced through the following policies: Save As, Save, Print, Copy and Paste, and reading period.

Clipboard control

After a package is opened, if it is read-only, its content cannot be copied or pasted with Ctrl+C and Ctrl+V. The main purpose is to prevent users from copying file contents into uncontrolled processes.

Print control

The printing permission of a file can be set.

Save-as control

For a controlled file, Save As is controlled so that the file cannot be copied by saving it elsewhere.

Save control

A controlled document can be edited and modified but cannot be saved.

Reading period

When packaging a document as an NSD file, an opening deadline can be set; once it expires, the file can no longer be opened.

- Outgoing packaging

The selected files are compressed and encrypted to prevent malicious access.

An exe file is generated, which automatically deploys the control environment.

Files in the package are under read-only control.

Reading authorization methods include password authorization and registration code authorization, which strictly control illegal access.

The trusted network authentication authorization subsystem has the following features:

(1) It is completely independent of the original authentication system of the computer network, which gives it higher security and reliability; it supports standard CA servers, is convenient to use, and has little impact on the existing network.

(2) Two-factor authentication based on PKI technology. A user must hold a legal authentication token and provide the PIN corresponding to that token before the trusted authentication agent lets them log on to the computer operating system. The two layers of protection raise the security level of authentication.

(3) Security enhancement of service resources. A server user account can be forcibly bound to the hardware USB token that represents the user's identity, so that the account of a leader or another person cannot be stolen internally to use service resources.

(4) High-level personal computer protection. Users can set the operating system to lock automatically when the token is removed, and Safe Mode can be disabled.

(5) A secure server area can be established. Using the Virtual Security Gateway, administrators can specify which application servers each user may access within the company, or which users are authorized to use a given server. Before accessing these servers, users must pass the servers' unified authentication and obtain authorization.

(6) Token distribution, revocation, authorization, update and other operations are completed by administrators in the management center, which greatly improves management efficiency.

(7) When the number of wrong PIN entries on a token reaches a preset value, the token is locked immediately, so that a lost token cannot be attacked by a brute-force dictionary attack. The key in the token is unique and cannot be copied, so a user's identity cannot be forged by cloning the token.

(8) Audit trail information, including every login operation, is generated automatically, with automatic log maintenance, which helps prevent internal employees from abusing access rights or neglecting security policies.

(9) Extended support for authentication USB tokens, including smart storage USB hardware authentication devices with 128M to 1G of storage from Tian Fei Chengxin, Daming Wuzhou, Minghua, Qiqi and other companies, and smart fingerprint tokens (smart fingerprint USB hardware authentication devices) from Tian Fei Chengxin, Daming Wuzhou, Minghua and Qiqi.

System characteristics:

(1) The endpoint firewall can filter URLs to prevent users from browsing malicious web pages and Trojans.

(2) To balance management and security, the endpoint firewall provides time-based control of users' network access: administrators can flexibly configure the access range of designated users within a specified time period.

(3) Powerful web page attachment control, which prevents information from being leaked by posting attachments on web forums or transferring files through network drives.

(4) Flow control and bandwidth control for objects of different granularity, such as users or user groups, with real-time statistics display.

(5) The IP and MAC addresses of a host can be forcibly bound, and users who maliciously modify their IP can be punished by disconnection.

(6) The intelligent ARP firewall not only immunizes against ARP viruses but also prevents their destructive activity; more importantly, it provides rich log information to trace the source of the virus.

Generally speaking, the security domain of an enterprise or unit consists of an external domain and an internal domain, and the internal domain is divided into an access domain and a core processing domain. The external domain is mainly the part outside the boundary of the enterprise or unit network, such as the Internet. The access domain is a logical area composed of the office, operation and production machines on the intranet, organized and managed by department according to different business characteristics. The core processing domain is the area where the business system hosts of the enterprise or unit are placed. CNSDMS mainly solves the following three requirements of enterprises or units in intranet security protection:

1) If the security level of access domain A is higher than that of access domain B, how can hosts in B be prevented from accessing hosts in A?

2) If the security level of an access domain is lowered, or it needs to exchange visits with another access domain, how can their communication be restored?

3) If, for a special application requirement, people from different domains must temporarily be brought together to cooperate, how can their original communication restrictions be lifted?

Comparison between CNSDMS and VLAN

A VLAN (Virtual Local Area Network) is an end-to-end logical network that can span different network segments and networks, built on a switched LAN using network management software. Technically, VLANs can be divided according to different principles; generally there are three ways: port-based, MAC-address-based and route-based. Port-based division groups several ports on one or more switches into a logical group; the network administrator only needs to reassign the switch ports of the network devices, regardless of the devices connected to them. MAC-address-based division puts hosts into a logical subnet according to their MAC addresses. Route-based division requires routers or routing switches (that is, layer 3 switches) and allows a VLAN to span multiple switches, or a port to belong to multiple VLANs. At present, VLAN division mainly uses modes 1 and 3 above, with mode 2 as an auxiliary scheme.

Using VLAN has the following advantages:

1) Control of broadcast storms: a VLAN is a logical broadcast domain. By creating VLANs, broadcasts are isolated and the broadcast range narrowed, so broadcast storms can be controlled.

2) Improved overall network security: through VLAN division principles such as routing access lists and MAC address allocation, user access rights and the size of logical network segments can be controlled, and different user groups placed in different VLANs, improving the overall performance and security of the switched network.

3) Simple and intuitive network management: in a switched Ethernet, if some users are reassigned, the network administrator must readjust the physical structure of the network, or even add network equipment, which increases the network management workload. In a network using VLAN technology, users in different geographical locations can be grouped into one logical network segment by department function, object group or application, and workstations can move freely between workgroups or subnets without changing the physical connections of the network.

Using VLAN has the following disadvantages:

1) Communication between VLANs: if a user in VLAN1 wants to communicate with a user in VLAN2, they cannot connect directly; this must be configured on the switch. If this happens frequently, VLANs become inconvenient and lose their advantages.

2) Complexity of VLANs: if the whole network is expanded on a large scale, the complexity of the VLANs increases rapidly, so once the network fails, maintenance becomes very expensive.

3) Router load: a router is used to route between VLANs. If the network is not very large, the router can bear the load, but in a large network with many VLANs, putting all the load on one router is not a good approach.

Based on this analysis of VLAN's advantages and disadvantages, CNSDMS can make up for the shortcomings of VLAN. It does not conflict with VLAN construction, and it enhances secure access control for logical networks within the existing network topology of an enterprise or unit.

Third, the functions of CNSDMS

3.1 Related concepts

CNSDMS involves four concepts: virtual security domain, public switched domain, workgroup and trusted domain.

A virtual security domain corresponds to an access domain: the machines in the enterprise or unit that have the intranet security terminal installed are divided by security level, to achieve secure access between domains. A machine can belong to only one virtual security domain. The virtual security domain mainly implements communication control between domains and access control to the external network.

The public switched domain corresponds to the core processing domain; it can communicate with all virtual security domains to keep the business of the enterprise or unit running smoothly. In CNSDMS, the machines in the public switched domain fall into two categories: public gateways, public routers or business servers of the enterprise or unit; and machines with or without the intranet security terminal installed.

A workgroup is a temporary virtual department with a validity period, which can correspond to an actual project team. A workgroup must contain at least two computers that belong to virtual security domains, and a computer can belong to multiple workgroups.

A trusted domain refers to a trust relationship between virtual security domains, which is symmetric. Security domains with a trust relationship can access each other.
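To make the four concepts concrete, here is an added Python model (not Coton's code; host names, domain names and dates are constructed) that decides whether traffic between two hosts is allowed using exactly these rules: the public switched domain is reachable by everyone, a trust relationship is symmetric, a workgroup only counts within its validity period, and external-network access is a per-domain flag. The sample policy also shows how requirements 1) to 3) above map onto those rules; the NDIS-layer interception itself is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Constructed in-memory form of what the control center would push to terminals."""
    domain_of: dict                                   # host -> its single virtual security domain
    public_switched: set                              # gateways, routers, business servers
    external_ok: set = field(default_factory=set)     # domains allowed to reach the external network
    trusts: set = field(default_factory=set)          # frozenset({A, B}); symmetric by construction
    workgroups: list = field(default_factory=list)    # (name, members, start, end) with ISO dates

    def trust(self, a, b):
        """Establish the (symmetric) trusted-domain relationship between domains a and b."""
        self.trusts.add(frozenset({a, b}))

    def add_workgroup(self, name, members, start, end):
        """A workgroup needs at least two computers that belong to virtual security domains."""
        members = set(members)
        if sum(m in self.domain_of for m in members) < 2:
            raise ValueError("workgroup needs at least two domain hosts")
        self.workgroups.append((name, members, start, end))

    def in_valid_workgroup(self, src, dst, today):
        """ISO-8601 date strings compare correctly as plain strings."""
        return any(src in m and dst in m and s <= today <= e
                   for _, m, s, e in self.workgroups)

    def decide(self, src, dst, today):
        """Return (allowed, reason) for a packet from src to dst, evaluated on src's terminal."""
        if src in self.public_switched or dst in self.public_switched:
            return True, "public switched domain"
        sd = self.domain_of[src]                      # the deciding terminal always has a domain
        dd = self.domain_of.get(dst)
        if dd is None:                                # destination is outside the intranet
            return sd in self.external_ok, "external network access"
        if sd == dd:
            return True, "same virtual security domain"
        if frozenset({sd, dd}) in self.trusts:        # requirement 2): restore via a trust relation
            return True, "trusted domain"
        if self.in_valid_workgroup(src, dst, today):  # requirement 3): temporary cooperation
            return True, "workgroup"
        return False, "inter-domain blocked"          # requirement 1): no trust, no workgroup


def sample_policy():
    """Constructed example: FIN is the higher-level domain, OPS and RD trust each other."""
    p = Policy(domain_of={"fin-01": "FIN", "fin-02": "FIN", "ops-01": "OPS",
                          "ops-02": "OPS", "rd-01": "RD"},
               public_switched={"erp-srv", "gw-01"},
               external_ok={"OPS"})
    p.trust("OPS", "RD")
    # A temporary cross-domain project team valid for one month.
    p.add_workgroup("proj-x", ["fin-01", "ops-01"], "2025-03-01", "2025-03-31")
    return p
```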

3.2 Technical advantages of CNSDMS

Technically, CNSDMS intercepts all network packets at the NDIS layer of the operating system, which achieves secure isolation of machines in different domains, so network blocking is efficient and thorough. In addition, CNSDMS has the following two technical advantages:

1) Using CNSDMS does not require changing the existing network;

2) Security domains can be created and edited with great flexibility.

3.3 Working principle of CNSDMS

The working principle of CNSDMS is shown in the figure below. The Coton Control Center is responsible for creating and editing virtual security domains, public switched domains and workgroups.

For virtual security domains, the administrator divides the machines on the intranet that have the security terminal installed according to the security level of their functional departments. To keep business activities running smoothly, the public gateways, public routers and business servers on the intranet are placed in the public switched domain (workgroups are created in the same way as virtual security domains). Next, the security policy of a specific security domain is specified by setting whether the virtual security domain may access the external network and the trust relationships between virtual security domains. Finally, the control center sends the security policy to the security terminals through the Coton server, which implements network blocking and information encryption between domains.

At present, the Coton intranet security platform is available in two versions, B/S and C/S.

The C/S version supports the full range of 32-bit Windows 2000/XP/2003/Win7 operating systems.

The B/S version supports the full range of 32-bit and 64-bit Windows 2000/XP/2003/Win7/Win8 operating systems. A version supporting Linux is in internal testing and will be released at the end of 2013. Coton is at the forefront of information security.