2. The website's servers and workstations run genuine (licensed) antivirus software, and a set of preventive measures has been taken against computer viruses and malicious email, so that harmful content cannot disrupt or damage the website system.
3. Keep operational logs. The website retains the system operation log and the user activity log for more than 60 days, including IP addresses and activity, the homepage maintainer, and each email user with the corresponding IP address.
4. Interactive sections provide IP address logging, identity registration and identity verification; any bulletin board service operated without the required legal procedures and conditions will be shut down immediately.
5. The website information service system should establish a dual-machine hot backup mechanism so that, once the primary system fails or is attacked, the backup system can take over and provide service promptly.
6. Shut down temporarily unused services and their associated ports on the website system, apply patches for system vulnerabilities promptly, and scan for and remove viruses regularly.
7. Lock the server during normal operation and safeguard the login password; the background management interface is configured with a super-user name and password and is bound to specific IP addresses to prevent others from logging in.
8. This website provides centralized privilege management. According to the application system, terminal and operator involved, the website system administrator assigns * * * access rights to database information and sets the corresponding passwords. Different operators are assigned different user names, which are changed regularly, and operators are prohibited from disclosing passwords. Operator privileges are set strictly according to job responsibilities, and the website system administrator reviews operator privileges regularly.
9. The company's computer room is built to the telecom computer-room standard, equipped with an independent UPS uninterruptible power supply, a high-sensitivity smoke detection system and a fire-suppression system; the power supply, fire prevention, moisture protection, anti-magnetic protection and rodent protection are checked regularly.
Network and information security measures
First, network security measures
To fully ensure the company's network security, a network platform solution was developed for the company.
The design is based mainly on the following design principles:
A. Security
In this design, security is analyzed comprehensively from the perspectives of network, system, application, operations management and system redundancy, and advanced security technologies such as firewalls and encryption are adopted to provide the hot website with a complete security system and ensure safe operation of the system.
B. High performance
Taking into account the future business growth of the company's network platform, this design analyzes the network, servers, software and applications comprehensively and designs their structure and configuration rationally, so that the system still has enough processing capacity to guarantee quality of service when a large number of users access it concurrently during peak periods.
C. Reliability
As the enterprise portal platform, the company's network platform is designed comprehensively in terms of system structure, network structure, technical measures and facility selection, minimizing single points of failure in the system to achieve 7×24-hour uninterrupted service while keeping investment to a minimum.
D. Scalability
Excellent architecture design (covering both hardware and software) is essential for the system to adapt to future business development. In this design, the hardware system (servers, storage design, etc.) follows the principle of scalability, ensuring seamless, smooth expansion without service interruption as business volume grows; the software architecture likewise follows the principle of scalability to meet the needs of new business growth.
E. Openness
Since this system involves equipment and technology from different manufacturers and expanding system requirements, all product technologies in this project are selected according to international or industry standards, which gives the system good openness.
F. Advanced technology
The software and hardware platform, the design and development of the application system, and the product technologies used for system maintenance and management all take current Internet development trends into account, adopting relatively advanced yet mature product technologies available on the market to meet the future development needs of the hot website.
G. System integration
The software and hardware in this scheme include high-quality products from Shili Technology and third-party manufacturers. We will provide complete application integration services for the Raman website, so that the Raman website gains more resources and does not have to carry out specific integration work during business development and operation.
1. Hardware facility safeguards:
The information server equipment of Chongqing Raman Technology Development Co., Ltd. meets the technical interface specifications of the public post and telecommunications network and the technical standards, electrical characteristics and communication modes required for terminal communication, and will not affect the security of the public network. The company rents a standard IDC computer-room environment from Chongqing Telecom to house its information servers, including air conditioning, lighting, humidity control, uninterruptible power supply and anti-static flooring. Chongqing Telecom provides a high-speed data port for our servers to access the CHINANET network. The application mode of the host system means it will face a large number of users and a high volume of concurrent access; it is a key application system requiring high reliability, which must avoid any possible downtime and any destruction or loss of data. The system therefore needs the latest application server technology, load balancing and the elimination of single points of failure.
System host hardware technology
CPU: 32-bit or higher, supporting multi-CPU configurations and smooth upgrades.
The server is highly reliable and capable of long-term continuous operation. The mean time between failures (MTBF) of the whole system shall be no less than 100000 hours, and the system provides powerful diagnostic software for system diagnosis.
The server supports mirroring fault tolerance, using both dual-disk and dual-machine fault tolerance.
The host system has high bus bandwidth and I/O throughput, with flexible and powerful scalability.
Configuration principles
(1) Processor peak load is 75%;
(2) Processor, memory and disk must be balanced to give good results;
(3) Disks (preferably mirrored) should have 30-40% spare capacity to cope with peaks;
(4) Memory configuration should match the database indicators;
(5) I/O is as important as the processor.
System host software technology:
The system software of the server platform conforms to open systems interconnection standards and protocols.
The operating system should be a general-purpose multi-user, multi-tasking Windows 2000 or Linux operating system that is highly reliable and open, supports symmetric multiprocessing (SMP), and supports a variety of network protocols including TCP/IP.
Meets the C2 security standard: provides complete operating-system monitoring, alarming and fault handling.
Supports popular database systems and development tools.
System host storage devices
System storage device technology
RAID 0+1 or RAID 5 disk arrays and other measures ensure the security and reliability of the system.
I/O capacity can reach 6 MB/s.
Sufficient expansion slots are provided.
Design of system storage capacity
The storage capacity of the system mainly accounts for the storage space needed for user data, the file system, backup space, test system space, database management space and system expansion space.
Capacity expansion of the server system
Expansion of the system host covers three aspects:
Expansion of performance and processing power, including expansion of CPU and memory.
Expansion of storage capacity, that is, expansion of disk storage space.
Expansion of I/O capability, including expansion of network adapters (such as FDDI and ATM cards) and of external devices (such as external tape libraries and optical disc libraries).
2. Software system safeguards:
Operating system: Windows 2000 Server network operating system.
Firewall: Cisco PIX hardware firewall.
The Windows 2000 Server operating system keeps in contact with the Windows Update site of Microsoft Corporation in the United States to ensure that known operating-system vulnerabilities are fixed.
NTFS partitions are used to strictly control users' access rights to server data.
Strict security policies and access logging are configured on the operating system, which protects user accounts and passwords, enforces network access control for the system, and records all access to and actions on the system.
The system adopts the standard three-tier architecture based on WEB middleware technology, that is, all WEB-based applications are implemented with web application server technology.
Performance design of the middleware platform:
Scalability: allows users to develop systems and applications in a simple way to meet growing business needs.
Security: uses various encryption technologies, identity and authorization controls and session security technologies, as well as Web security technologies, to prevent user information from being compromised by illegal intrusion.
Integrity: reliable, high-performance distributed transaction functionality is provided through middleware to ensure accurate data updates.
Maintainability: new technologies can easily be used to upgrade existing applications to meet the growing needs of enterprise development.
Interoperability and openness: middleware technology should be based on an open standards system, provide the functionality for developing distributed transaction applications, and achieve interoperability of existing systems across heterogeneous environments, supporting a wide range of hardware and operating system platforms.
Network security:
Multi-layer firewall: according to users' different needs, multiple layers of high-performance hardware firewalls are deployed to fully protect customer-hosted hosts.
Heterogeneous firewalls: the advanced and mature Cisco PIX hardware firewall is used for protection, and firewalls of different architectures from different manufacturers further guarantee the security of user networks and hosts.
Anti-virus scanning: professional anti-virus scanning software prevents viruses from infecting client hosts.
Intrusion detection: professional security software provides intrusion detection at the network, host, database and application levels, adding a number of security measures on top of the firewall to ensure a high level of security for user systems.
Vulnerability scanning: the security vulnerabilities of users' hosts and application systems are scanned and analyzed regularly to eliminate potential security risks before they can be exploited.
The Cisco PIX hardware firewall sits above the Cisco switch, and a dedicated host monitors all packets flowing through the network, looking for attack signatures so that attacks in progress can be correctly identified.
Attack identification is real-time; once an attack is detected, users can define alarms and responses. The following protective policies are available:
All-event monitoring policy: used to test, monitor and report all security events. In a production environment this policy seriously degrades the performance of the detection server.
Attack detection policy: focuses on preventing malicious attacks from the network and is suitable for administrators who need to understand important network events.
Protocol analysis: unlike the attack detection policy, this policy analyzes the protocols of network sessions and is suitable for security administrators who need to understand network usage.
Website protection: monitors HTTP traffic on the network and is sensitive only to HTTP attacks. It is suitable for security administrators who need to understand and monitor website access on the network.
Windows network protection: focuses on protecting the Windows network environment.
Session replication: provides replication of Telnet, FTP and SMTP sessions, a function used when customizing the security policy.
DMZ monitoring: focuses on protecting network activity in the DMZ outside the firewall. It monitors network attacks and typical attacks on Internet protocol vulnerabilities (HTTP, FTP, SMTP, POP and DNS) and is suitable for security administrators monitoring network events outside the enterprise firewall.
Inside-firewall monitoring: focuses on attacks against network applications passing through the firewall and on the exploitation of protocol weaknesses, and is suitable for monitoring security incidents inside the firewall.
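To make the difference between the policy scopes above concrete, here is an added example (not code from the original document or from any vendor product): a small policy-scoped event filter run over constructed sensor records. The record format, the sample events, the signature labels and the exact scope of each policy are assumptions inferred from the prose.

```python
# Added example: policy-scoped filtering of constructed IDS sensor records.
# Policy scopes are inferred from the surrounding text; the record format
# and every event below are constructed for this example.
from dataclasses import dataclass

# Protocols the DMZ monitoring policy is described as covering.
DMZ_PROTOCOLS = {"HTTP", "FTP", "SMTP", "POP", "DNS"}

@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    zone: str    # "dmz" (outside the firewall) or "inside"
    attack: str  # "-" for benign traffic, otherwise a signature name

def parse_line(line: str) -> Event:
    """Parse one constructed sensor record: ts src dst proto zone attack."""
    ts, src, dst, proto, zone, attack = line.split()
    return Event(ts, src, dst, proto.upper(), zone.lower(), attack)

# Each policy is a predicate over an Event. Narrower policies cut the volume
# the sensor must report; "all_events" reports everything, which is why the
# text warns that it degrades the detection server.
POLICIES = {
    "all_events": lambda e: True,
    "attack_detection": lambda e: e.attack != "-",
    "website_protection": lambda e: e.proto == "HTTP" and e.attack != "-",
    "dmz_monitoring": lambda e: (e.zone == "dmz" and e.proto in DMZ_PROTOCOLS
                                 and e.attack != "-"),
    "inside_firewall": lambda e: e.zone == "inside" and e.attack != "-",
}

def apply_policy(policy: str, lines) -> list:
    """Return (ts, src, proto, attack) for each record the policy reports."""
    pred = POLICIES[policy]
    return [(e.ts, e.src, e.proto, e.attack)
            for e in map(parse_line, lines) if pred(e)]

def report_counts(lines) -> dict:
    """How many alerts each policy raises for the same traffic sample."""
    return {name: len(apply_policy(name, lines)) for name in POLICIES}

# Constructed sensor records (documentation addresses, not real traffic).
SAMPLE = [
    "10:00:01 203.0.113.5  198.51.100.10 HTTP dmz    -",
    "10:00:02 203.0.113.7  198.51.100.10 HTTP dmz    http-path-traversal",
    "10:00:03 203.0.113.9  198.51.100.25 SMTP dmz    smtp-relay-probe",
    "10:00:04 192.168.1.20 192.168.1.5   SMB  inside smb-null-session",
    "10:00:05 203.0.113.11 198.51.100.30 SSH  dmz    ssh-brute-force",
    "10:00:06 192.168.1.21 192.168.1.5   HTTP inside -",
]
```

Running `report_counts(SAMPLE)` shows the all-events policy reporting all six records while the website protection policy reports only the single HTTP attack, which is the trade-off between coverage and sensor load that the text describes.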
Database server platform
The database platform is the foundation of the application system and directly determines the performance of the whole application system, the accuracy, security and reliability of its data, and the efficiency of data processing. The design of the system's database platform includes:
The database system should be highly reliable and support distributed data processing;
Support a variety of network protocols, including TCP/IP and IPX/SPX;
Support UNIX, MS NT and other operating systems, support the client/server architecture, provide an open client programming interface, and support Chinese character processing;
Provide the technology needed to support parallel operation (such as multi-server cooperation and transaction integrity control);
Support online analytical processing (OLAP) and online transaction processing (OLTP), and support the establishment of a data warehouse;
Provide fast data loading, efficient concurrent processing and interactive queries; support the C2-level security standard and multilevel security control; provide a WEB service interface module with output to the client, with protocol support for HTTP 2.0, SSL 3.0, etc.; support online backup, with automatic backup and log management functions.
Second, the information security management system
1. Information monitoring system:
(1) Website information must indicate its source on the web page (that is, reproduced information must indicate the address it was reproduced from);
(2) The responsible persons check the website's information content regularly and at irregular intervals, implement effective monitoring, and carry out security supervision properly;
(3) The Internet must not be used to produce, copy, consult or disseminate any of the following kinds of information; violations will be handled by the relevant departments according to regulations:
A. Violating the basic principles established by the Constitution;
B. Endangering national security, revealing state secrets, subverting state power or undermining national unity;
C. Damaging the national honor and interests;
D. Inciting ethnic hatred or discrimination, or undermining national unity;
E. Undermining the state's religious policy, or propagating cults and feudal superstitions;
F. Spreading rumors, disrupting social order or undermining social stability;
G. Spreading obscenity, pornography, gambling, violence, murder or terror, or abetting crime;
H. Insulting or slandering others, or infringing upon their legitimate rights and interests;
I. Other content prohibited by laws and administrative regulations.
2. Organizational structure:
A dedicated network administrator is appointed and supervised by their superiors. Any information provided or published to international network sites must undergo confidentiality review and approval. Confidentiality review and approval is subject to departmental management, and the relevant unit releases information only after examination and approval in accordance with national secrecy laws and regulations, adhering to the "three no-release" rule: no release of content from unknown sources, no release without the approval of higher authorities, and no release of content with problems.
Implement the website management responsibility system
Clarify the responsibilities of website managers and leaders at all levels, manage the website's normal operation strictly, and hold whoever manages a function responsible for it.
Third, the user information security management system
A. Confidentiality management system for internal information security personnel:
1. Relevant internal personnel shall not disclose information that must be kept confidential;
2. Internal personnel shall not publish or disseminate content prohibited by national law;
3. Information shall be reviewed by the relevant personnel before release;
4. Website management privileges are assigned to the relevant managers, who shall not manage website information beyond their authority;
5. Once a website information security incident occurs, it shall be reported to the relevant parties immediately and handled in a coordinated, timely manner;
6. Harmful information is filtered and user information is kept confidential.
B. Logged-in user information security management system:
1. Permissions to read and publish logged-in user information are set as required;
2. Member information is managed through a members-only area;
3. Users' behavior on the website is monitored effectively to ensure internal information security;
4. Regular users shall not spread or publish content prohibited by national law.