At present, several kinds of security products are popular on the market and indicate the direction in which the field is developing:
User authentication, such as static passwords, dynamic passwords (SMS one-time codes, dynamic password cards, mobile phone tokens), USB keys, IC cards, digital certificates, fingerprint and iris biometrics, etc. Enterprise networks are generally physically isolated from the Internet, so their baseline security is higher than that of an Internet-facing network. Even so, daily operation and management still face problems such as maintaining network links and illegal use of the network, specifically:
(1) IP resource management: IP-MAC binding is used to stop users from arbitrarily changing their IP address or the switch port they are plugged into. It is done in one of two ways. If the client is connected to a managed switch, the port security policy is pushed to the switch remotely from the network management centre's management software, fixing the MAC address of the client's network card to its port. If the switch or hub the client is connected to is unmanaged, a program invoked from a web page binds the MAC address and the IP address together instead. Either way, a host that takes over someone else's IP address cannot use the network normally. Note that a MAC address can be changed in software on most network cards, so binding enforced on the switch port (the first case) is stronger than a binding checked only from the host side; a host-side check is mainly useful for detecting the change after the fact.
(2) Network traffic monitoring: network monitoring software classifies and counts traffic by transport protocol, checks the bandwidth used by data, video, voice and other applications, prevents frequent transfers of large files, and can even reveal the direction in which a virus is spreading. The operating system on common application servers is mostly a Windows Server release, and server management covers server security auditing, group policy implementation and the server backup strategy.
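What such a monitor computes from flow records, as an added example that is not part of the original page and not the code of any monitoring product: per-class bandwidth, flows large enough to count as bulk file transfers, and the fan-out pattern (one host contacting many neighbours on one port) that shows the spread direction of a worm. The port-to-class mapping and the one-minute flow sample are constructed assumptions; real monitors classify by deep packet inspection or exporter application IDs rather than port alone.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed port -> application class mapping (a coarse stand-in for DPI classification).
PORT_CLASSES: Dict[int, str] = {
    80: "data", 443: "data", 25: "data",
    21: "file", 22: "file", 445: "file",
    5060: "voice", 5061: "voice",
    554: "video", 1935: "video",
}

# Constructed one-minute flow sample: (src, dst, dst_port, bytes). Not a real capture.
# 10.0.0.5 copies a 900 MB file over SMB; 10.0.0.9 touches ten hosts on port 445 with
# tiny flows, the pattern of a worm probing its neighbours.
SAMPLE_FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.0.0.5", "10.0.0.200", 445, 900_000_000),
    ("10.0.0.6", "203.0.113.9", 443, 12_000_000),
    ("10.0.0.7", "10.0.0.50", 5060, 3_000_000),
    ("10.0.0.8", "10.0.0.51", 554, 150_000_000),
] + [("10.0.0.9", f"10.0.0.{n}", 445, 4_096) for n in range(101, 111)]

WINDOW_SECONDS = 60


def classify(port: int) -> str:
    """Application class for a destination port; unknown ports fall into 'other'."""
    return PORT_CLASSES.get(port, "other")


def bandwidth_by_class(flows: List[Tuple[str, str, int, int]], window_s: int) -> Dict[str, float]:
    """Average Mbit/s used by each application class over the window."""
    totals: Dict[str, int] = defaultdict(int)
    for _, _, port, nbytes in flows:
        totals[classify(port)] += nbytes
    return {cls: b * 8 / window_s / 1_000_000 for cls, b in totals.items()}


def large_transfers(flows: List[Tuple[str, str, int, int]], threshold_bytes: int) -> List[Tuple[str, str, int, int]]:
    """Flows that moved at least threshold_bytes in the window: the large file
    transfers the text wants to throttle or forbid."""
    return [f for f in flows if f[3] >= threshold_bytes]


def fan_out(flows: List[Tuple[str, str, int, int]], min_peers: int) -> Dict[Tuple[str, int], int]:
    """Sources contacting at least min_peers distinct destinations on a single port.
    The source is where the infection is, the destinations are where it is heading."""
    peers: Dict[Tuple[str, int], set] = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items() if len(dsts) >= min_peers}


if __name__ == "__main__":
    for cls, mbps in sorted(bandwidth_by_class(SAMPLE_FLOWS, WINDOW_SECONDS).items()):
        print(f"{cls:6s} {mbps:8.2f} Mbit/s")
    print("large transfers:", large_transfers(SAMPLE_FLOWS, 500_000_000))
    print("fan-out:", fan_out(SAMPLE_FLOWS, 5))
```

Thresholds (500 MB per minute, five peers on one port) are tuning choices; on a real network they come from a baseline of normal traffic, and the fan-out check should ignore servers that legitimately talk to everyone, such as the domain controller.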
Server security auditing is one of the network administrator's daily tasks. Its scope includes checking for security vulnerabilities, log analysis and verifying that patches are installed; audit targets can be domain controllers (DCs), Exchange Server, SQL Server, IIS, etc.
When implementing group policy, using a software restriction policy (that is, specifying which users may not run which software) requires upgrading the operating system to Windows Server 2003. The server backup strategy has two parts: system software backup and database backup. The system software backup plan uses the existing dedicated backup program with a sensible schedule, for example a full backup every Sunday night followed by incremental or differential backups Monday through Friday night, together with regular backups of the server's working data. For the network administrators of most organizations, client management is the biggest headache, and only effective measures can solve it. Here are some ways:
(1) Join every client to the domain; only then can clients be brought under the administrators' centralized management.
(2) Let users log in to the domain only as ordinary domain users. Because ordinary domain users are not members of the local Administrators or Power Users groups, they can be prevented from installing most software on the local computer (some software can still be installed by ordinary users). To keep users productive, grant them the "Shut down the system" and "Change the system time" user rights through the local security policy.
(3) Install client operating system patches automatically.
(4) Update the clients' antivirus software automatically.
(5) Use SMS (Systems Management Server) to check clients at irregular intervals and deal with anomalies promptly.
As application systems multiply, so do databases, and ensuring that data is not lost in a failure or a catastrophic event is a hard problem. Here are four solutions. The first is to back up data to tape drives or hard disks. This is the cheapest and the most durable, but only a particular point in time is captured, so anything written after the last backup is lost. The second is to use a local disk array to make each server's local disk data redundant; this protects against a disk failure but not against deletion or corruption, which the array faithfully mirrors. The third is a dual-server fault-tolerant mode: the two machines back each other up and all application-layer data lives in a shared disk array cabinet. This handles a single machine failing or being shut down and prevents data loss from a single disk failure, but the initial investment is large. The fourth is to use NAS or SAN for centralized server storage and backup against high-level hardware failures such as disks; it is expensive and generally cannot prevent system-level failures such as virus infection or a system crash.
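The weekly schedule from the backup strategy above (full backup Sunday night, incremental or differential Monday to Friday) and the point-in-time limitation of the first storage solution, worked through as an added example that is not part of the original page and not the code of any backup product. It simulates both strategies over a constructed week of file changes and shows which backup sets a restore needs: every incremental since the last full, or only the latest differential. The file paths and change log are constructed sample data.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed change log for one week on a file server: (date, path, size_MB) means the
# file was created or modified that day. Not real data. 2024-03-03 is a Sunday.
SAMPLE_CHANGES: List[Tuple[str, str, int]] = [
    ("2024-03-01", "C:/inetpub/site/index.html", 1),
    ("2024-03-01", "C:/data/orders.mdf", 800),
    ("2024-03-01", "C:/data/orders.ldf", 200),
    ("2024-03-04", "C:/reports/q1.xlsx", 5),     # Monday: new report
    ("2024-03-05", "C:/data/orders.mdf", 810),   # Tuesday: database grew
    ("2024-03-07", "C:/data/orders.ldf", 220),   # Thursday: log grew
    ("2024-03-07", "C:/reports/q1.xlsx", 6),     # Thursday: report edited
]

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def files_as_of(changes: List[Tuple[str, str, int]], day: date) -> Dict[str, Tuple[int, date]]:
    """File state at the end of `day`: path -> (size_MB, last modified)."""
    state: Dict[str, Tuple[int, date]] = {}
    for d, path, size in changes:
        when = date.fromisoformat(d)
        if when <= day:
            state[path] = (size, when)
    return state


def backup_kind(day: date, strategy: str) -> Optional[str]:
    """Full every Sunday night, the chosen strategy Monday to Friday, nothing Saturday."""
    if day.weekday() == SUNDAY:
        return "full"
    return strategy if day.weekday() <= 4 else None


def select_files(kind: str, files: Dict[str, Tuple[int, date]],
                 last_full: Optional[date], last_backup: Optional[date]) -> List[str]:
    """full: everything; differential: changed since the last full backup;
    incremental: changed since the previous backup of any kind."""
    if kind == "full":
        return sorted(files)
    since = last_full if kind == "differential" else last_backup
    return sorted(p for p, (_, mtime) in files.items() if mtime > since)


def simulate_week(changes: List[Tuple[str, str, int]], strategy: str, start_sunday: str):
    """Nightly backups for one week; returns [(iso_day, kind, paths, size_MB)]."""
    start = date.fromisoformat(start_sunday)
    history, last_full, last_backup = [], None, None
    for i in range(7):
        day = start + timedelta(days=i)
        kind = backup_kind(day, strategy)
        if kind is None:
            continue
        files = files_as_of(changes, day)
        paths = select_files(kind, files, last_full, last_backup)
        history.append((day.isoformat(), kind, paths, sum(files[p][0] for p in paths)))
        last_backup = day
        if kind == "full":
            last_full = day
    return history


def restore_chain(history, target_iso: str) -> List[str]:
    """Backup sets needed to restore the state as of the `target_iso` night: the last
    full plus every incremental after it, or the last full plus only the latest
    differential. ISO dates compare correctly as strings."""
    upto = [h for h in history if h[0] <= target_iso]
    full_idx = max(i for i, h in enumerate(upto) if h[1] == "full")
    later = upto[full_idx + 1:]
    chain = [upto[full_idx]]
    if later:
        chain += later if later[-1][1] == "incremental" else [later[-1]]
    return [h[0] for h in chain]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        week = simulate_week(SAMPLE_CHANGES, strategy, "2024-03-03")
        print(strategy, [(day, size) for day, _, _, size in week])
        print("  restore Thursday needs:", restore_chain(week, "2024-03-07"))
```

The trade-off the text leaves implicit shows up in the numbers: incremental backups stay small (0 to 226 MB here) but a Thursday restore needs five sets and fails if any one of them is unreadable; differential backups grow through the week (up to 1036 MB) but a restore needs only two sets. In both cases anything written after Thursday night is lost, which is the point-in-time limitation of the first solution.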
Consider also that unauthenticated users on the network may try to bypass the system altogether, for example by physically "taking away" the database or by eavesdropping on communication lines. The most effective countermeasure to this threat is data encryption: storing and transmitting sensitive data in encrypted form. The sender encrypts the information with an encryption key, using an encryption device or algorithm, and sends it out; the receiver decrypts the ciphertext with the decryption key and recovers the plaintext. Anyone who intercepts it in transit obtains only unintelligible ciphertext, so the information stays confidential. Note that encryption by itself protects confidentiality only; detecting that stored or transmitted ciphertext has been modified requires an authentication tag (a MAC) alongside it. The Iron Coil electronic document security system ("Iron Coil" for short) uses kernel-level transparent encryption and decryption and is aimed at protecting an enterprise's electronic documents, drawings and other data as a whole. It is highly customizable, so an enterprise can define rules suited to its own situation and build its own data protection mechanism. Because it uses a C/S communication model with the key stored on the server, employees cannot use protected documents and drawings outside the enterprise network environment, which tightens the management of sensitive enterprise data.
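The encrypt-on-send, decrypt-on-receive exchange described above, as an added example that is not part of the original page and is not the code of the Iron Coil product or of any particular library. It keeps a server-side master key (a hypothetical, constructed value), derives separate encryption and authentication keys from it, encrypts with a fresh nonce and attaches an authentication tag, so that an eavesdropper sees only ciphertext, a modified message is rejected, and a client without the server key cannot decrypt. To stay within the Python standard library it uses HMAC-SHA256 as the counter-mode PRF, which is an assumption of this example rather than a standard cipher; production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

NONCE_LEN, TAG_LEN = 16, 32

# Hypothetical server-side master key, constructed for this example. In the C/S model
# the text describes, this value would exist only on the server, never on clients.
SERVER_MASTER_KEY = bytes.fromhex("9f" * 32)


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and authentication keys from one master key (HKDF-style
    expand with HMAC-SHA256), so the cipher and the MAC never share a key."""
    enc = hmac.new(master, b"document-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"document-authentication", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream, block i = HMAC-SHA256(enc_key, nonce || i).
    HMAC serves as the PRF only so the example needs nothing beyond the standard
    library; use AES-GCM or ChaCha20-Poly1305 from a vetted library in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag (encrypt-then-MAC over nonce and
    ciphertext) lets the receiver detect modification, which encryption alone cannot."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; reuse leaks plaintext XORs
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on a modified blob or a
    wrong key, which is all an eavesdropper or an off-network client can produce."""
    enc_key, mac_key = derive_keys(master)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: ciphertext modified or wrong key")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def is_authentic(master: bytes, blob: bytes) -> bool:
    """True if `blob` decrypts cleanly under `master`."""
    try:
        decrypt(master, blob)
        return True
    except ValueError:
        return False


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit at `index`, as an attacker on the line might."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    document = b"Drawing rev 7: shaft tolerance 0.05 mm"
    on_the_wire = encrypt(SERVER_MASTER_KEY, document)       # what an eavesdropper sees
    print("ciphertext:", on_the_wire.hex())
    print("recovered :", decrypt(SERVER_MASTER_KEY, on_the_wire))
    print("tampered accepted?", is_authentic(SERVER_MASTER_KEY, tamper(on_the_wire, 20)))
    print("off-network key accepted?", is_authentic(bytes(32), on_the_wire))
```

The tag is checked before any decryption and compared in constant time, so a modified document or a guessed key is rejected without leaking anything about the plaintext. The per-message nonce is what makes two encryptions of the same drawing differ; reusing a nonce under the same key would expose the XOR of the two plaintexts.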