Network Security Access System Escort Military Industry Informatization
Industry characteristics
With the rapid development of military industry information construction, all enterprises and institutions have basically established their own classified information system and non secret information system. Due to the special nature of the work, the military enterprises and institutions involved in a large number of national secret information, a wide range of information security has become a matter of concern. While military enterprises are promoting information work, it is a very serious problem that how to do information security well. National Security Bureau has issued the "Interim Provisions" document of computer information system security management and "BMB-17" and a series of technical grade protection requirements, requirements for classified information system clear level protection planning.
At this stage, the security of classified information system is still in its infancy, and there are many problems such as low security capability, no security and confidentiality level and lack of information confrontation ability. At present, the military enterprises are with employees to sign a confidentiality agreement, but only from the system constraint is not enough, also need to be controlled by means of technology, security and protection of the terminal itself the military enterprises and institutions, improve data security strength, to prevent the occurrence of leakage of the secret information.
Requirement Analysis
♦The need to strengthen the network of illegal secret network connection strength, namely to strengthen the terminal access control function in security network, and according to the classified security level, strictly classified to Fenwick grading control;
♦To monitor and control of the non secret network terminal;
♦The need to strengthen the compliance of the classified network terminal strict safety inspection and safety inspection, safety inspection to the terminal virus protection, system update etc.
♦To ensure the protection standard system in place.
Solution
♦To monitor and control of the non secret network terminal;
♦The need to strengthen the compliance of the classified network terminal strict safety inspection and safety inspection, safety inspection to the terminal virus protection, system update etc.
♦To ensure the protection standard system in place.
Solution
♦The strict control of illegal access, real name authentication
According to the classification protection technology requirements, network security access system based on 802.1x authentication mode access management of classified terminals, using the physical characteristics of the switch LAN architecture, to achieve LAN port device authentication. Access methods support: PAP, chap, MD5, TLS, PEAP and XXX private access. The system supports LDAP/AD domain synchronization, uses domain login user to authenticate, and combines network access authentication with domain authentication.
According to the classification protection technology requirements, network security access system based on 802.1x authentication mode access management of classified terminals, using the physical characteristics of the switch LAN architecture, to achieve LAN port device authentication. Access methods support: PAP, chap, MD5, TLS, PEAP and XXX private access. The system supports LDAP/AD domain synchronization, uses domain login user to authenticate, and combines network access authentication with domain authentication.
♦The compliance of health examination
The terminal computer enters the terminal security compliance inspection link after passing the network identity authentication, and carries on the final appraisal to the terminal's health condition through the scoring system form. Only through compliance testing, can successfully pass the network certification management, or quarantine treatment, that is, network must be compliance.
The terminal computer enters the terminal security compliance inspection link after passing the network identity authentication, and carries on the final appraisal to the terminal's health condition through the scoring system form. Only through compliance testing, can successfully pass the network certification management, or quarantine treatment, that is, network must be compliance.
♦The fine-grained user access control
Configure at least three VLAN at the same time, realize different function respectively:
Configure at least three VLAN at the same time, realize different function respectively:
The visitor area (Guest_VLAN): user access for visitors to the user or client is not installed to provide access to download the client, limited access to company information, you can manage the client IP through the exchange of configuration of DHCP in the VLAN, while the TopNAC eth1 port can be connected to the VLAN, to provide download client service.
Isolation / repair area (Fix_VLAN): for client self repair service, anti-virus software, software updates and other services. The specific repair operation can be configured in the TopNAC health inspection policy, and the end user can perform the repair function on the basis of the Repair Wizard itself.
Authorized access area (Normal_VLAN): provides normal network access services such as FTP, mail, HTTP, OA, and other services.
♦The implementation of safety management standard
XXX network security access system can outline the security baselines of enterprise terminal access, shield some unsafe devices and personnel access network, and regulate the behavior of users access to the network. To install terminal or terminal software agent agent software but do not meet the security policy (requires the installation of anti-virus software, system security settings, illegal software etc.) the terminal equipment, it can prohibit access to the network, or VLAN network isolation, and provide security for the repair wizard. Fully meet the relevant laws and regulations, internal control requirements. And provides the log inquiry function, achieves the responsibility confirmation, has well documented.
Isolation / repair area (Fix_VLAN): for client self repair service, anti-virus software, software updates and other services. The specific repair operation can be configured in the TopNAC health inspection policy, and the end user can perform the repair function on the basis of the Repair Wizard itself.
Authorized access area (Normal_VLAN): provides normal network access services such as FTP, mail, HTTP, OA, and other services.
♦The implementation of safety management standard
XXX network security access system can outline the security baselines of enterprise terminal access, shield some unsafe devices and personnel access network, and regulate the behavior of users access to the network. To install terminal or terminal software agent agent software but do not meet the security policy (requires the installation of anti-virus software, system security settings, illegal software etc.) the terminal equipment, it can prohibit access to the network, or VLAN network isolation, and provide security for the repair wizard. Fully meet the relevant laws and regulations, internal control requirements. And provides the log inquiry function, achieves the responsibility confirmation, has well documented.
Program deployment diagram
Project characteristics
♦The complete access management process
A complete set of access management processes, from access to basic identity, access to the compliance inspection and Repair Wizard and real name audit, the safety of the whole package terminal access, purification and non repudiation function.
A complete set of access management processes, from access to basic identity, access to the compliance inspection and Repair Wizard and real name audit, the safety of the whole package terminal access, purification and non repudiation function.
♦Full range of trusted access
Trusted terminal: only access to legitimate terminals is allowed, and fine grained health checks ensure access terminal compliance;
Trusted terminal: only access to legitimate terminals is allowed, and fine grained health checks ensure access terminal compliance;
Trusted users: the system provides access function of real name system, and can be linked with AD domain. It combines network access and domain authentication organically.
♦The network has good environmental adaptability, need not significantly adjust the network structure
XXX network security access system can adapt to all kinds of complex networks and hybrid deployment networks, support a variety of access methods, support wired and wireless access. Support CISCO, H3C, HUAWEI and other vendors of equipment, very good to meet and adapt to the complexity of the customer network.
XXX network security access system can adapt to all kinds of complex networks and hybrid deployment networks, support a variety of access methods, support wired and wireless access. Support CISCO, H3C, HUAWEI and other vendors of equipment, very good to meet and adapt to the complexity of the customer network.
♦The fine-grained compliance inspection
From the feature recognition system, to the operating system and the characteristics of antivirus software, full support for a variety of security checks on the client host, in addition to the basic security check (anti-virus software, registry and process etc.) by the administrator, making custom check safety monitoring tasks. Users can choose their own compliance inspection according to their actual needs.
From the feature recognition system, to the operating system and the characteristics of antivirus software, full support for a variety of security checks on the client host, in addition to the basic security check (anti-virus software, registry and process etc.) by the administrator, making custom check safety monitoring tasks. Users can choose their own compliance inspection according to their actual needs.
♦High performance, high stability of the equipment
NAC hardware access gateway based on the latest hardware platform of XXX, the company has accumulated fifteen years of hardware products technology, hardware platform is widely used in firewalls, IPS, VPN and other hardware products. The product is based on XXX's proprietary security operating system TOS (Topsec Operating System).
♦The strong scalability
Access security inspection technology, in addition to meeting client security monitoring, client security reinforcement, client management requirements, but also provides a wide range of data interfaces and two development interfaces. It can be quickly customized according to the actual needs. It can also be deployed in conjunction with XXXTSM products (TD/TA-NET/TA-DB), and can provide audit functions based on real name authentication.
