I. Main work requirements for graded protection system design

The main work requirements for graded protection system design are:

(1) The design shall cover both technical and management measures;

(2) The design shall meet not only the requirements of the corresponding national protection level, but also those of the corresponding protection level in the operator's industry and field;

(3) The operator shall produce a design document once the design of the graded protection system is complete;

(4) Any change during the design process shall go through change management;

(5) If an external organization is engaged to assist with the design, a confidentiality agreement shall be signed with that organization.


II. Basic preparation for graded protection system design

Before designing the network security graded protection system, the operator should first complete the grading and filing of the graded protection objects and the security requirement analysis:

(1) Grading and filing of graded protection objects: determine the security protection level of each graded protection object, so that the design can be tied to the security protection requirements of that level. Interested readers can refer to the article on how to standardize the grading and filing of graded protection.

(2) Security requirement analysis of graded protection objects: specify the operator's network security graded protection requirements according to the security protection requirements of the corresponding level, so that targeted protection measures can be chosen in the subsequent design. Interested readers can refer to “On how to standardize and orderly network security demand analysis”.

III. Main process of graded protection system design

Once the basic preparation is complete, the design of the graded protection system formally begins. Its main process is as follows:

3.1 Determine the goals to be achieved

When designing the network security graded protection system, the operator shall first determine its design objectives based on the actual situation of the unit, so as to clarify the tasks and contents of the subsequent construction.

The goals can be divided into an overall goal and detailed goals:

(1) The overall goal is the overall security protection goal the graded protection system is designed to achieve.

(2) Detailed goals are specific objectives that can be set per phase, per project stage and so on. For example:

— The operator can decompose the overall goal into specific security goals for each phase of the graded protection objects' life cycle, such as goals for the development and construction phase and goals for the operation and maintenance phase.

— When the work to be completed in the design is split into several periods in the form of projects, the overall goal can be decomposed into the goal of each project.

3.2 Clarify the design principles, basis and ideas

Having determined the goals, the operator should clearly state the design principles, basis and ideas to be followed.

3.2.1 Clarify the design principles

Generally speaking, the design principles should reflect independent protection, protection by domain, key-point protection, appropriate security, the “three synchronizations” (security planned, built and put into use in step with the system itself), dynamic adjustment, equal emphasis on technology and management, and standard, mature, scientific, reasonable and confidential practice.

3.2.2 Clarify the design basis

The design basis should include national and industry policies, laws, regulations, standards and specifications related to network security graded protection, as well as engineering specifications for system integration, secure development and so on.

3.2.3 Clarify the design ideas

The design ideas guide the overall design and the subsequent detailed design. Generally speaking, the following points should be grasped:

(1) Build a domain-based control system

Following the idea of protection by domain, the security architecture is structurally divided into security domains, and security protection measures are built per domain. Each security domain can be further divided into sub-domains and third-level domains according to their different security requirements. The boundaries of sub-domains and third-level domains adopt the same kind of boundary protection measures as the boundary of the top-level domain, and together these constitute the domain-based security control system.

(2) Build a defense-in-depth system

Following the idea of defense in depth, the security architecture is designed under the “one center, triple protection” framework of graded protection: security technical measures are designed for the physical environment, the communication network, the network boundary and the computing environment (host/device protection, and application and data protection), and a security management center applies unified security technical management to the whole graded protection object. The combination and complementary functions of the various technologies are fully considered, so that multiple security measures together provide comprehensive protection capability and form a defense-in-depth system from the outside inward.

(3) Ensure consistent security intensity

Protected objects deployed in the same security zone receive security measures of the same intensity and a unified defense policy (when a lower-level object is deployed in a higher-level security zone, it follows the higher protection). In this way all security measures complement one another in function and form a dynamic defense system.

3.3 Security Zone Division Design

Generally speaking, a graded protection object is not protected at one uniform level throughout; different service areas within it receive different levels of protection. Security domain division is therefore an important part of network security graded protection.

A security domain is a logical subnet within the same system, distinguished by elements such as the nature of the information, the subjects that use it, and its security objectives and policies. Each such logical area has the same security protection requirements and the same security access control policy, shares one security policy, and has mutually trusting relationships within its controlled boundary. Simply put, a security domain is a collection of network areas or network entities that have the same or similar security requirements and trust one another.

3.3.1 Rules for Dividing Security Domains

The basic principles for dividing security zones are as follows:

3.3.2 Security Domain Division mode

Security domain division considers the access relationship between service terminals and service hosts and between service hosts on the network. If there is no access relationship between service hosts, divide the security domains of each service system separately. If there is an access relationship between service hosts, several service systems consider security domain division together.

A physical network zone can correspond to multiple security zones, but a security zone generally corresponds to only one physical network zone.

3.3.3 Division of LAN Security Domains

Internal LAN security domains are divided according to the service security policy, taking into account service functions, security levels and the LAN network structure.

(1) Division based on business function characteristics

Without changing the current business logic, it can be divided into two levels and three layers:

(2) According to the safety level requirements

Graded network security protection divides the information system into multiple subsystems through security domain division, and graded protection is then implemented within each security domain.

In practice, the units to which graded protection is applied are security domains. Once a major information system is under graded protection, application systems of the same security level are deployed in the same security domain.

(3) Divide by VLAN

VLANs are the technical basis for dividing security zones on the intranet. Members of one VLAN can be regarded as objects that have the same security policy and trust one another, and the VLAN boundary can be regarded as a network boundary. Applying security policies between VLANs achieves a simple form of security zone division.

3.3.4 Isolation measures for Security Zones

After the security domains are divided, boundary isolation, boundary access control and similar technologies are used to apply the necessary security measures between networks in different security domains according to their different security policies.

Logical VLAN isolation creates a different VLAN for each security domain on the same switch. It fits the existing network well and is easy to implement, but the network security risk is high.

Building on logical VLAN isolation, giving different security domains different IP subnets isolates them at both the data link layer and the network layer. This changes the existing network more, and the network security risk is lower.

Physical isolation means that different security zones use separate network infrastructure, including cabling, switches and routers, with no logical or physical connection between them. The investment is relatively large and the existing network changes greatly, but the network security risk is minimal.

3.3.5 Security Technical Measures after Security Zones are divided

The main purpose of security domain division is to implement the security policy. Because security domain boundaries are usually network-based, the usual approach is to express the requirements of the security policy at the management level and, at the technical level, to deploy security equipment and apply the corresponding security technologies, so that the security requirements of each domain are met after division.

3.3.6 Example for Dividing security zones

An operator classifies the security zones based on the security zone classification principle and general classification method as follows:

3.4 Determine the protection intensity of each security zone

The protection intensity of each security zone is determined from the grading of the protection objects and the zone division. For example:

— An operator sets up a “core domain” in which the core business systems are deployed together. The core business systems are graded at level 3, so the protection intensity of the “core domain” is designed to the requirements of level 3.

3.5 Design security technology system

Having divided the security domains reasonably and determined the protection intensity of each, the operator designs the security technology system of graded protection.

3.5.1 Security technology architecture design

Because operators differ in their goals, the technologies they use and their application scenarios, graded protection objects appear in different forms: basic information networks and information systems (including systems that adopt mobile Internet technology), cloud computing platforms/systems, big data platforms/systems, Internet of Things, industrial control systems and so on.

Because the threats to these different forms differ, so do their security protection requirements. To describe both the common protection and the form-specific protection needed at each protection level, the security technology system is designed in two parts, a general part and a part for specific application scenarios:

(1) General graded protection security technology design covers the protection common to all graded protection objects. A graded protection object of any form must meet the security requirements of its security protection level.

(2) Specific application scenarios add individualized protection requirements for cloud computing, mobile Internet, Internet of Things and industrial control systems, meeting the security technical requirements of the corresponding protection level in those scenarios.

The security technology architecture consists of a defense-in-depth system from the outside inward, designed according to the system framework of graded protection.

Among them:

(1) “Physical environment security protection” protects servers, network equipment and other equipment and facilities from damage by earthquake, fire, flood, theft and other incidents;

(2) “Communication network security protection” protects exposed communication lines and communication equipment;

(3) “Network boundary security protection” implements boundary protection for graded protection objects. Graded objects should be deployed, as far as possible, in the internal security zone of the corresponding protection level; when a lower-level object is deployed in a higher-level zone, it follows the higher protection;

(4) “Computing environment security protection” means “host/device security protection” and “application and data security protection” implemented within the internal security zone;

(5) The “security management center” applies unified security technical management to the whole graded protection object.

The security technology architecture of level protected objects is shown in the following figure:

(1) Specify the physical environment security protection measures for graded objects of each level

According to GB/T 22239-2019 (Information Security Technology: Baseline for Classified Protection of Cybersecurity), the industry baseline (the normative graded protection documents of the relevant industry) and the security requirements, the operator proposes security protection strategies and technical measures for the physical environment of graded objects at each level. Sharing of the physical environment by objects of different levels must be considered: where graded objects of different levels share one physical environment, the protection strategy and measures for that environment must meet the baseline requirements of the highest-level object in it.

(2) Specify the communication network security protection measures for graded objects of each level

According to GB/T 22239-2019, the industry baseline and the security requirements, the operator proposes security protection strategies and technical measures for the communication network. Sharing of network lines and equipment must be considered: where graded objects of different levels transmit data over the same line or device, the protection strategy and measures for that line or device must meet the baseline requirements of the highest-level object.

(3) Specify the network boundary protection measures for graded objects of each level

According to GB/T 22239-2019, the industry baseline and the security requirements, the operator proposes security protection strategies and technical measures for the network boundary of graded objects at each level. Where graded objects of different levels share one boundary protection device, its policies and measures must meet the baseline requirements of the highest-level object.

(4) Specify the internal security protection measures for graded objects of each level

According to GB/T 22239-2019, the industry baseline and the security requirements, the operator proposes security protection strategies and technical measures for the internal network platform, system platform, business applications and data of graded objects at each level. Where a lower-level object is deployed in the network area of a higher-level object, the policies and measures for its system platform, applications and data must meet the baseline requirements of the higher-level object.

(5) Specify the security protection measures for interconnection between graded objects

According to GB/T 22239-2019, the industry baseline and the security requirements, the operator proposes information transmission protection policies and specific technical measures between graded objects interconnected across LANs, and likewise between graded objects interconnected within the intranet, covering both interconnection between peers of the same level and interconnection between different levels.

(6) Specify the security protection measures for cloud computing, mobile Internet and other new technologies

According to GB/T 22239-2019, the industry baseline and the security requirements, the operator proposes security protection strategies and technical measures for cloud computing, mobile Internet and other new technologies. A cloud computing platform must at least meet the protection level requirements of the highest-level graded object it hosts.

The security protection strategies and technical measures for the backbone or metropolitan area network, the interconnection of graded objects over it, the interconnection between graded objects inside the organization, the boundaries of graded objects, the platforms inside graded objects, the computer room and the other aspects above are then sorted and summarized to form the security technology architecture of the graded protection object.
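The “follow the higher protection” rule recurs through 3.2.3, 3.4 and the six items above: a zone's protection intensity is the highest level of any object it hosts, and a shared computer room, line or boundary device must be designed to the highest level it serves. Together with the one-VLAN-one-subnet isolation of 3.3.4, these are mechanical consistency checks on a design document. The following Python script is an added example that is not part of the original article; it encodes those checks, and the zone names, system levels, VLAN numbers, subnets and infrastructure names in it are constructed for illustration.

```python
"""Consistency checks for a graded protection zone design: derive each
zone's protection intensity from the objects it hosts, confirm that shared
physical rooms and border devices are designed to the highest hosted level,
and confirm one VLAN and one non-overlapping subnet per zone.
Added example, not from the original article; all names and levels are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class System:
    name: str
    level: int   # protection level assigned at grading and filing
    zone: str    # security zone the system is deployed in


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: int
    subnet: str
    physical_room: str   # shared physical environment (3.5.1 (1))
    border_device: str   # shared boundary protection device (3.5.1 (3))


@dataclass(frozen=True)
class Infra:
    name: str
    designed_level: int  # level the infrastructure's own measures satisfy


def zone_intensity(systems, zone_name):
    """A zone's protection intensity is the highest level of any object in
    it: a lower-level object deployed in a higher zone follows the higher
    protection (3.2.3 (3) and 3.4)."""
    levels = [s.level for s in systems if s.zone == zone_name]
    if not levels:
        raise ValueError(f"zone {zone_name} hosts no graded object")
    return max(levels)


def check_design(systems, zones, infra):
    """Return the findings a design reviewer would raise; empty means consistent."""
    findings = []
    infra_level = {i.name: i.designed_level for i in infra}
    intensity = {z.name: zone_intensity(systems, z.name) for z in zones}

    # 1. Lower-level objects inherit the zone's requirements.
    for s in systems:
        if s.level < intensity[s.zone]:
            findings.append(f"{s.name} (L{s.level}) sits in zone {s.zone} "
                            f"and must be protected to L{intensity[s.zone]}")

    # 2. A shared room or border device must meet the highest level it serves.
    for z in zones:
        need = intensity[z.name]
        for kind, dep in (("room", z.physical_room), ("border device", z.border_device)):
            if infra_level[dep] < need:
                findings.append(f"{kind} {dep} is designed to L{infra_level[dep]} "
                                f"but zone {z.name} requires L{need}")

    # 3. Isolation (3.3.4): each zone gets its own VLAN and its own IP subnet.
    vlan_owner = {}
    for z in zones:
        if z.vlan in vlan_owner:
            findings.append(f"zone {z.name} shares VLAN {z.vlan} with {vlan_owner[z.vlan]}")
        vlan_owner.setdefault(z.vlan, z.name)
    nets = [(z.name, ip_network(z.subnet)) for z in zones]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"subnets of {a} ({na}) and {b} ({nb}) overlap")
    return findings


# Constructed design with one deliberate problem of each kind.
SYSTEMS = [
    System("ERP", 3, "core"),
    System("HR portal", 2, "core"),     # L2 object in an L3 zone
    System("OA", 2, "office"),
    System("public web", 2, "dmz"),
]
ZONES = [
    Zone("core", 10, "10.10.0.0/24", "room-A", "fw-1"),
    Zone("office", 20, "10.20.0.0/24", "room-A", "fw-1"),   # room-A shared with core
    Zone("dmz", 30, "10.10.0.128/25", "room-B", "fw-2"),   # overlaps the core subnet
]
INFRA = [Infra("room-A", 2), Infra("room-B", 3), Infra("fw-1", 3), Infra("fw-2", 3)]


def review():
    """Run the checks on the constructed design and return the findings."""
    return check_design(SYSTEMS, ZONES, INFRA)


if __name__ == "__main__":
    for line in review():
        print(line)
```

Running it reports three findings for the constructed design: an L2 portal deployed in the L3 core zone that must be protected to L3, a shared computer room designed only to L2, and a DMZ subnet that overlaps the core subnet. The same check can be run over the zone list and the construction list of 3.8 before the design document is signed off.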

3.5.2 Put forward the safety technical measures to realize the hierarchical protection technology system

According to GB/T 22239-2019 (Information Security Technology: Baseline for Classified Protection of Cybersecurity), the industry baseline (the normative graded protection documents of the relevant industry) and the security requirements, the operator proposes the security technical measures the graded protection object needs, forming the operator's own security technology architecture for that object, to guide the concrete implementation of graded protection.

The security policies, security technology architecture, security measures and requirements of the security technology system are then mapped onto product functions or physical form, and the products or components that can realize them, with their specific specifications, are proposed.

For new level protection objects, operators can design item by item security technical measures according to the content of security control points proposed by corresponding level protection requirements of network security.

For the reconstruction or expansion of classified protection objects, the operators can design security technical measures for the newly added or changed parts of classified protection objects according to the content of security control points proposed in the corresponding protection requirements of network security.

The operator carries out the detailed design in five aspects, secure physical environment, secure area boundary, secure communication network, secure computing environment (host security, application security and data security) and security management center, and proposes the specific security technical measures to be adopted. For example:

– The general requirements for Level 3 of network security graded protection stipulate the following for access control at the security zone boundary:

Based on these requirements and the actual situation of the unit, the operator designs the following firewall deployment:

Configure the following policies using the firewall:
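As an added example (not the firewall policy from the article, whose tables are not reproduced here), the Python code below models access control at a security zone boundary the way the Level 3 general requirements of GB/T 22239-2019 describe it: rules are evaluated first-match with everything not explicitly permitted denied, permits are bound to a source zone, destination zone, protocol and port, and redundant rules are removed. The zone names, rules and port numbers are constructed; a weak ruleset is shown beside its hardened form.

```python
"""Zone-boundary access control: first-match rule evaluation with a
default-deny stance, plus a lint pass for the defects a graded protection
review looks for (permit any-to-any, permits not bound to a protocol and
port, redundant rules shadowed by earlier ones, no explicit final deny).
Added example, not from the original article; zones, rules and ports are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any port
    action: str              # "permit" or "deny"

    def matches(self, src_zone, dst_zone, proto, dst_port):
        return (self.src_zone in (src_zone, "any")
                and self.dst_zone in (dst_zone, "any")
                and self.proto in (proto, "any")
                and self.dst_port in (dst_port, None))

    def covers(self, other):
        """True if every flow matched by `other` is also matched by this rule."""
        return (self.src_zone in (other.src_zone, "any")
                and self.dst_zone in (other.dst_zone, "any")
                and self.proto in (other.proto, "any")
                and self.dst_port in (other.dst_port, None))


def decide(rules, src_zone, dst_zone, proto, dst_port):
    """First matching rule wins; a flow that matches no rule is denied."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action
    return "deny"


def lint(rules):
    """Findings about the ruleset itself, independent of any single flow."""
    findings = []
    for i, rule in enumerate(rules):
        # An earlier rule that covers this one makes it unreachable (redundant).
        for j in range(i):
            if rules[j].covers(rule):
                findings.append(f"rule {i} is redundant: shadowed by rule {j}")
                break
        if rule.action != "permit":
            continue
        if rule.src_zone == "any" and rule.dst_zone == "any":
            findings.append(f"rule {i}: permit any->any defeats the zone boundary")
        elif rule.proto == "any" or rule.dst_port is None:
            findings.append(f"rule {i}: permit {rule.src_zone}->{rule.dst_zone} "
                            "is not limited to a protocol and port")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src_zone == "any"
            and last.dst_zone == "any" and last.proto == "any" and last.dst_port is None):
        findings.append("ruleset does not end with an explicit deny any->any")
    return findings


# Constructed rulesets: the weak one beside its hardened form.
WEAK_RULES = [
    Rule("office", "core", "tcp", 443, "permit"),
    Rule("office", "core", "tcp", 443, "permit"),   # duplicate of rule 0
    Rule("internet", "dmz", "tcp", 80, "permit"),
    Rule("dmz", "core", "any", None, "permit"),      # whole DMZ into core, any port
    Rule("any", "any", "any", None, "deny"),
]
HARDENED_RULES = [
    Rule("office", "core", "tcp", 443, "permit"),
    Rule("internet", "dmz", "tcp", 80, "permit"),
    Rule("dmz", "core", "tcp", 3306, "permit"),      # only the database port the web tier needs
    Rule("any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, lint(rules))
        print(name, "dmz->core ssh:", decide(rules, "dmz", "core", "tcp", 22))
```

`lint` flags two defects in the weak ruleset, a duplicate rule that can never match and a permit from the DMZ into the core zone with no protocol or port restriction; the hardened form, which permits only the one database port the web tier needs, passes clean, and an SSH attempt from the DMZ into the core zone is then denied by default instead of permitted.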

3.6 Design the safety management system

The operator shall design the security management system according to the security management requirements of the corresponding protection level and the actual situation of the unit.

The security management system consists of the security policy, management rules, operating procedures, record forms and so on.

In general, security management system design covers the design method, the framework of the system, its content, and the working mechanism for revising, reviewing, releasing, executing, inspecting and retiring the security management system.

Interested readers can refer to the article “How to amend the security management System for operators of critical information infrastructure”.

3.7 Design the security organization system

According to the security organization requirements of the corresponding network security protection level, combined with the actual situation of the unit, design the security organization system.

Generally speaking, security organization design covers the organizational structure, the positions and their responsibilities, and the management mechanism for security personnel. Specifically:

(1) Against the content proposed in the security organization design, where existing job responsibilities are unreasonable, make clear how they are to be reshaped;

(2) Where positions are lacking, make clear which new positions are to be set up, their responsibilities, and any resulting reorganization of positions;

(3) Design in detail the management mechanism for security practitioners, covering personnel vetting, screening, transfer and departure, separation of duties, security awareness education and professional skills training.

Interested readers can refer to the article on the Establishment of specialized security management Organization for Operators of critical information infrastructure.

3.8 Sort out the list of grade protection construction

The construction list is formed from the security technology system, the security management system and the security organization system.

3.9 Form a phased project planning

Graded protection is a systematic undertaking involving policy, budget, technology, management, personnel, resources and other factors. An operator usually cannot implement the whole series of protection measures at once, and should therefore carry out the protection work for graded protection objects in phases and batches, through scientific, reasonable and pragmatic projects.

The main steps in planning the graded protection construction project are: determining the phased objectives of the project, planning the construction content of each phase, and forming the phased plan.

(1) Determine project staging objectives

The operator determines the phased security objectives of the project comprehensively, based on the unit's medium- and long-term plan for network security and informatization construction, the budget and financial situation for network security construction, and the priority of the security problems to be solved.

(2) Plan the construction content of the project by stages

Having set the phased objectives, the operator plans the main construction content of each phase from those objectives and the construction list, assigns the construction content to projects according to actual needs, and at the same time clarifies the dependencies and enabling relationships between projects, so that the phased projects can be advanced continuously and the management of each phase strengthened.

(3) To form a phased project planning

Based on the phased objectives and construction content, the operator considers the construction list as a whole, assigns its items to different periods and phases, arranges the construction sequence, and prepares an investment estimate in light of time, the priority of the problems to be solved and the budget.

The operator collates the phased objectives, construction content and related documents into a phased plan for the graded protection object's projects.

3.10 Analyze the expected construction results

Based on the graded protection system design, the expected results of construction, including social and economic benefits, are analyzed for the completion of each project phase.

Summary

This article describes the general practice of network security graded protection system design. Operators can refer to it and design or adjust their own graded protection system based on the actual situation of their unit. Corrections are welcome where the treatment is immature.