Network Security Access Solution
◆ The security challenges
The computer terminal is a tool for users and office to deal with the most important business, access to the management of computer terminals, can effectively improve work efficiency, reduce information security risks, enhance network security, thereby creating more business value for customers. But at present, most of the terminals are in loose management, and the main problems are as follows:
■ Identity authentication - access terminal, whether legitimate users access
■ The following state - work computer terminal:
Operating system vulnerabilities result in security incidents
Patch was not updated in time
Work terminal peripherals access at random, such as U disk, Bluetooth interface, etc.
Outside personnel or third party company developers use mobiles laptops without access to the service private network or office network system
■ No unified security strategy - terminal, serious impact on global security strategy
◆ The solution
The platform to solve the security challenges, proposed network security access solutions, using CA digital certificate system platform, terminal security management system TopDesk, combined with 802.1X technology, to achieve perfect and trusted network access, as shown below.
Platform network security access solution diagram
■ In the terminal security access process is as follows:
1) the network admission control component sends the current end user identity certificate information to the switch through the 802.1X protocol.。
2) the switch sends the user ID information through the RADIUS protocol to the RADIUS authentication component.
3) the RADIUS component judges the validity of the user identity certificate through the CA authentication center, and returns the authentication result to the switch, and the switch passes the authentication result to the network admission control component.
4) after the authentication of users, the terminal system detection component will test the security status of the terminal according to the access policy set by the access policy management component.
5) the security status of the terminal meets the requirements of the security policy, allowing access to the flow control center system network.
6) if terminal authentication fails, the network access control component informs the switch to turn off the port;
7) if the terminal security status does not meet the security policy requirements, the terminal system detection component will isolate the terminal to the non working VLAN.
8) in the non work VLAN terminal, the terminal system detection component will automatically repair the terminal security status. After the completion of the repair, the system automatically re access the terminal to the normal work Vlan.
■ In the full use of terminal detection and protection technology
Terminal protection system to conduct a comprehensive supervision on the safety of the terminal state and security detection and protection behavior, desktop system security, unified formulation, issued and implement security policies so as to realize the full range of protection, maintenance and management of the terminal, terminal system and effectively protect the safety related sensitive information. In the many functions of the terminal protection system, this scheme makes full use of the following functions:
☆To safety state automatic detection and reporting function. Scanning engine for terminal system updates, antivirus software, virus database updates that automatically detect, report and safety situation and enhance the personal firewall, inspection and certification in the access network provided trusted gateway.
☆ All kinds of network behavior, supervision terminal system. The dial-up behavior of the terminal system and the use of network ports are monitored, and the access behavior of the end users is limited by policy customization, so as to reduce the possibility of illegal access.
☆ Some of the mobiles media control function. External equipment, especially mobiles media, is the main channel for the transmission of viruses, Trojan horses and sensitive information. Authentication, authorization, control and auditing must be carried out in accordance with the relevant security policies.
☆ It security audit function. On the basis of detailed analysis and statistics of the collected security incidents, the network administrator can help network administrators to dig and analyze the network access to meet the needs of the audit of access.
☆ Some illegal access behavior blocking function. By controlling the terminal protection system of illegal access behavior, control behavior, remote dial-up terminal system for wireless Internet behavior, such behavior on the Internet, and give an alarm through the personal firewall, disabled card means disconnect the host and network, avoid network destruction due to illegal access to the terminal.
■ integrated security management platform
In order to provide secure access and prevent illegal access to the network, need unified definition of whole mechanism must follow the strategy, and the strategy of centralized issued to the relevant equipment such as terminals, servers, gateways, and enforced in these devices. The integrated security management platform can accomplish the unified policy definition, execution and enforcement. In addition, the integrated security management platform can also analyze the security incidents, and form a security risk assessment report in order to respond in a timely manner.
◆ The superiority of the plan
The scheme for the network access security, introducing boundary isolation and access control technology, CA technology, terminal management technology, content and behavior of audit technology, security management platform, a trusted access security system of multi-level, three-dimensional, integrated security resources, has the following effect:
■ The identity of the trusted network access to solve the problem - for terminal access, prevent illegal users and foreign personnel free access to internal network behavior, even illegal user theft legal host, if does not have the legal identity of the user can not access to the corporate network, can effectively resist the attack from illegal access to the network access; the establishment of the basic trust relationship between networks, so as to prevent the illegal access behavior between networks;
■ Can solve the security problem: State security check terminal trusted terminal access determines whether to allow the terminal access network; access to the state after the detection, can guarantee the connection in the terminal state does not meet the requirements of business strategy timely cut off network;
■ Solve the centralized policy management, event analysis, emergency response and decision support problem: the comprehensive and effective implementation of security access problems depends heavily on their overall security strategy, integrated security management platform to conduct unified definition, strategy development and in various devices for enforcement, improve the comprehensive ability of prevention, in addition can also carry out centralized management analysis and emergency response support to security incidents, assessment and management of global security threats and risks, to provide support for safety decision-making.
