The campus network is a hierarchical topology, so the network security protection also needs to adopt hierarchical protection measures. A complete campus network network information security solution 
It should cover all levels of the network and be integrated with security management.
At present, for the new network and the network that has already been put into operation, the security and confidentiality of the network must be solved as soon as possible. The following ideas should be followed in design:
(1) Greatly improve the security and confidentiality of the system;
(2) Maintaining the original performance characteristics of the network, that is, having good transparency to the protocol and transmission of the network;
(3) Easy to operate, maintain, and facilitate automated management without adding or adding additional operations;
(4) Try not to affect the original network topology, and facilitate the expansion of system and system functions;
(5) The security and confidentiality system has a good performance-price ratio, one-time investment, and can be used for a long time;
(6) The security and password products have legality and are easy for inspection and supervision by the security management unit and the password management unit.
Based on the above ideas, the network information security system should follow the following design principles:
Meeting the hierarchical management requirements of the Internet According to the large scale of the Internet network and the large number of users, the solution for implementing hierarchical management of Internet/Intranet information security will be divided into three levels to implement security management.
-- The first level: the central level network, mainly to achieve internal and external network isolation; access control of internal and external network users; internal network monitoring; internal network transmission data backup and audit.
-- Level 2: Department level, mainly to achieve access control of internal network and external network users; access control between departments at the same level; security audit within the department network.
-- Level 3: Terminal/personal user level, realizes access control of internal hosts of departmental network; security protection of database and terminal information resources.
The principle of balance of demand, risk and cost is absolutely difficult to achieve for any network, and it is not necessarily necessary. Conduct a physical research on a network (including tasks, performance, structure, reliability, maintainability, etc.), and analyze the threats and possible risks of the network in combination with qualitative and quantitative analysis, and then develop norms and measures. Determine the security policy of this system.
Comprehensive and holistic principles apply systems engineering perspectives and methods to analyze network security and specific measures. Security measures mainly include: administrative legal means, various management systems (personnel review, work flow, maintenance guarantee system, etc.) and professional measures (identification technology, access control, password, low radiation, fault tolerance, antivirus, high security products) Wait). A better security measure is often the result of a combination of multiple methods. A computer network that includes individuals, devices, software, data, and more. The status and influence of these links in the network can only be seen and analyzed from the perspective of the overall system as a whole, in order to obtain effective and feasible measures. That is, computer network security should follow the overall security principle and formulate a reasonable network security architecture according to the specified security policy.
Usability Principles Security measures need to be done manually. If the measures are too complex and too demanding, they will reduce security. For example, key management has similar problems. Secondly, the adoption of measures cannot affect the normal operation of the system, such as the use of cryptographic algorithms that greatly reduce the operating speed.
Step-by-step implementation principle: step-by-step implementation of hierarchical management Due to the wide range of network systems and their applications, as the network scale expands and applications increase, network vulnerability will continue to increase. It is unrealistic to solve the network security problem once and for all. At the same time, due to the implementation of information security measures, considerable expenses are required. Therefore, step-by-step implementation can meet the basic needs of network systems and information security, and can also save costs.
Second, the network information security system design stepsNetwork security needs analysis
Establish a reasonable target baseline and security strategy
Clearly prepared to pay the price
Develop a viable technical solution
Engineering implementation plan (purchase and customization of products)
Formulate supporting regulations, regulations and management methods
This solution mainly analyzes the network security requirements, and proposes campus network information security solutions with different levels and security strengths based on the network hierarchy.
Third, network security needsKnowing exactly which security issues need to be addressed in the campus network information system is the basis for establishing reasonable security requirements. In general, the campus network information system needs to address the following security issues:
Security issues inside the LAN, including network segmentation and VLAN implementation
How to implement security at the network layer when connecting to the Internet
How does the application system ensure security? How to prevent hackers from invading the network, hosts, servers, etc.
How to realize the security and confidentiality of WAN information transmission
How to arrange the encryption system, including establishing a certificate management center, application system integration encryption, etc.
How to achieve remote access security
How to evaluate the overall security of the network system
Based on these security issues, network information systems should generally include the following security mechanisms: access control, security detection, attack monitoring, encrypted communication, authentication, and hiding internal network information (such as NAT).
Fourth, network security level and security measuresThe security level of the information security network is divided into: link security, network security, information security network security level and security measures taken at the corresponding level are shown in the following table.
Information security information transmission security (dynamic security) data encryption data integrity authentication security management information storage security (static security) database security terminal security information anti-leakage information content audit user authentication authorization (CA)
Network Security Access Control (Firewall) Network Security Detection Intrusion Detection (Monitoring) IPSEC (IP Security) Audit Analysis Link Security Link Encryption
4.1 Link Security
Link security protection measures are mainly link encryption devices, such as various link encryption machines. It encrypts all user data together, and the user data is decrypted immediately after being sent to another node via the communication line. Encrypted data cannot be exchanged for routing. Therefore, in the case that the encrypted data does not need to be exchanged, for example, the DDN direct private line user can select the routing encryption device.
Generally, line encryption products are mainly used in telephone networks, DDN, leased lines, and satellite peer-to-peer communication environments, including asynchronous line ciphers and synchronous line ciphers. The asynchronous line cipher machine is mainly used in the telephone network, and the synchronous line cipher machine can be used in many dedicated line environments.
4.2 Network Security
The security of the network is mainly caused by the openness, borderlessness and freedom of the network. Therefore, we should consider the security of the campus network information network. First, we should consider separating the protected network from the open, borderless network environment. Become a manageable, controllable and secure internal network. Only by doing this, it is possible to realize the security of the information network, and the most basic means of separation is the firewall. With the firewall, the isolation and access control between the internal network (trusted network) and the external untrusted network (such as the Internet) or different network security domains of the internal network can be realized to ensure the availability of the network system and network services.
At present, mature firewalls on the market mainly include the following types: one is packet filtering firewall, the other is application proxy firewall, and the other is composite firewall, that is, the combination of packet filtering and application proxy firewall. The packet filtering firewall usually filters the data stream based on the source or destination IP address of the IP packet, protocol type, protocol port number, etc. The packet filtering firewall has higher network performance and better application transparency than other modes of firewall. . The proxy firewall acts at the application layer and can generally proxy multiple application protocols and authenticate users and provide more detailed log and audit information. The disadvantage is that each application protocol needs to provide the corresponding agent. And proxy-based firewalls often cause a significant drop in network performance. It should be pointed out that in today's increasingly prominent network security issues, firewall technology is developing rapidly. At present, some leading firewall vendors have integrated many network edge functions and network management functions into firewalls. These functions include: VPN function, billing function, and traffic. Statistics and control functions, monitoring functions, NAT functions, and more.
Information systems are dynamically evolving. Determining security policies and choosing the right firewall products is only a good start, but it can only solve 60%-80% of security problems, and the remaining security issues remain to be resolved. These issues include high intelligence and proactive threats in information systems, weakening of subsequent security policies and responses, misconfiguration of systems, low awareness of security risks, and dynamic changes in application environments. These are challenges to information system security. .
The security of information systems should be a dynamic development process, which should be a cycle of detection-monitoring-safety response. Dynamic development is the law of system security. Cybersecurity risk assessment and intrusion detection products are an essential part of achieving this goal.
Network security detection is an important measure for risk assessment of the network. By using the network security analysis system, the weakest link in the network system can be discovered in time, the weaknesses, vulnerabilities and unsafe configurations of the reporting system are checked, and remedial measures and security are recommended. Strategy to achieve the purpose of enhancing network security.
The intrusion detection system is a real-time network violation automatic identification and response system. It is located on a network where sensitive data needs to be protected or where there is a risk in the network. By intercepting network traffic in real time, it can identify and record intrusion and destructive code streams, and find network-deficient and unauthorized network access attempts. When the network is found to be out of scale and unauthorized network access, the intrusion detection system can respond according to the system security policy, including real-time alarms, event logins, automatic blocking of communication connections, or execution of user-defined security policies.
In addition, a transparent secure encrypted channel can be established between two network nodes using IP Channel Encryption (IPSEC). The use of IP Authentication Header (IP AH) provides authentication and data integrity mechanisms. The confidentiality of communication content can be achieved by using IP encapsulated payload (IP ESP). The advantage of the IP channel encryption technology is that it is transparent to the application, can provide host-to-host security services, and implement a virtual private network, that is, a VPN, by establishing a secure IP tunnel. Currently, IPSEC-based security products mainly include network encryption machines. In addition, some firewalls provide the same functions.
Fifth, campus network network security solutions5.1 basic protection system (package filtering firewall + NAT + billing)
User requirements: all or part of the following
· Resolve internal and external network boundary security, prevent external attacks, and protect internal networks
· Solve internal network security problems, isolate internal network segments, and establish VLANs
· Filter according to IP address, protocol type, and port
· Internal and external networks use two sets of IP addresses, which require network address translation NAT function.
· Support secure server network SSN
· Prevent IP spoofing by matching IP address with MAC address
·Based on IP address billing
· IP address based traffic statistics and restrictions
· Black and white list based on IP address
· The firewall runs on top of a secure operating system
· Firewall is independent hardware
· Firewall no IP address solution: use network guard firewall PL FW1000
5.2 Standard Protection System (Package Filtering Firewall + NAT + Billing + Agent + VPN)
User requirements: based on the basic protection system configuration, all or part of the following
· Provide application proxy services to isolate internal and external networks
·User identity
·Permission control
·Based on user billing
· User-based traffic statistics and control
·Web-based security management
·Support VPN and its management
· Support transparent access
· Has its own protection ability to prevent common attacks on firewalls
solution:
(1) Select Network Guardian Firewall PL FW2000 (2) Firewall Basic Configuration + Network Encryption Machine (IP Protocol Encryption Machine)
5.3 Strengthen the protection system (packet filtering + NAT + billing + proxy + VPN + network security detection + monitoring)
User requirements: based on the standard protection system configuration, all or part of the following
Network security detection (including servers, firewalls, hosts, and other TCP/IP related devices)
·Operating system security testing
·Network monitoring and intrusion detection
Solution: Select Network Guardian Firewall PL FW2000+ Network Security Analysis System + Network Monitor
The Reactor Control Panel contains all of the controls and indications you'll need to startup the reactor and bring the plant to full power. Some of the plant systems operated from the simulation Control Panel include:
- Reactor Process Instrumentation (reactor pressure, temperature, water level, etc)
- Control Rod System (control rod selection, insertion, withdrawal)
- Control Rod Sequence Control System (rod selection and movement restraints)
- Neutron Monitoring Systems (reactor power and period indication)
- Reactor Protection System (manual and automatic reactor scram)
-
Reactor Feedwater System (Feed Pump controls)
Reactor Water Level Control System (manual and automatic level control) - Reactor Recirculation System (Recirculation Pump speed control)
- Turbine Generator Systems (turbine runup, synchronization, loading)
- Emergency Core Cooling System
-
In addition, the following simulator functions are provided from the Reactor Control Panel screen:
View and/or print the Power to Flow Operating Map
View and/or print the Rod Sequence Checkoff Sheet
Display the Control Rod Select Panel
Display the ECCS System Control Panel (from the 100% Power Initialization Condition)
Save plant conditions as a custom Initial Condition (IC)
Temperature Control Units,Reactor Temperature Control Units,Reactor Control Units,Machinery Reactor Control Cabinet
Nantong Double Star Automation Equipment Co., Ltd. , https://www.nt-doublestar.com