IDC Total Security Solution

1. Current situation and development trend of IDC
According to data from the "2012-2013 China IDC Industry Development Research Report" released by China IDC Circle in March 2013, the global IDC market reached a total size of US$25.52 billion in 2012, a growth rate of 14.6%. The report shows that, in the global data center market, demand in the European and US regional markets has become saturated, and the Asia-Pacific region is becoming the main driving force of the global IDC market. Among them, the United States has begun gradually closing some of its small data centers as government departments move to cloud computing; Europe lags slightly behind the United States, with cloud computing still in the deployment stage; the Asia-Pacific region is still in the IDC infrastructure stage and has huge future potential.
 
In the domestic IDC market, data center construction in the financial and telecom industries accounts for 50% of market share, followed by the government, manufacturing and energy industries, with radio and television beginning to join them. Applications such as online games and video have become the main driving force of IDC market growth, cloud computing has become the future development trend of the IDC industry, and network security has become a growing concern for the IDC industry.

2. IDC network architecture and security threats
An IDC network architecture generally consists of four layers: the Internet access layer, the convergence (aggregation) layer, the service access layer, and the operation and maintenance (O&M) management layer. The Internet access layer consists of two core routers that link the IDC to the Internet: they provide high-speed interconnection with the Internet, interconnect with the convergence-layer switches, and forward and maintain routing information inside and outside the IDC. The export bandwidth of the Internet access layer is at least 20 Gbps, provided by multiple 10 Gbps export links. The convergence layer consists of multiple pairs of aggregation switches that aggregate the service access layer switches and connect upward to the Internet access layer core routers; aggregation switches and core routers are connected by multiple 10 Gbps links. The service access layer consists of access switches together with business system servers, storage and other equipment; it is the core of the IDC's externally facing services, and the access switches are connected to the aggregation switches by multiple Gigabit links. The O&M management layer provides network management, resource management, business management, security management, operation management, IDC management and equipment management, together with maintenance systems and remote access services for IDC O&M personnel and customers.
 
The security threats faced by an IDC are mainly reflected in three areas. At the network layer: unauthorized network access, network vulnerabilities, DDoS attacks, intrusions and attacks, large volumes of malicious traffic consuming the effective bandwidth, and the lack of evidence of user access behaviour. At the system and service layer: vulnerabilities in the systems themselves, viruses, spam, websites being tampered with or implanted with Trojans, SQL injection, cross-site attacks, and system availability and security. At the management layer: operation and O&M management, illegal operations by O&M personnel, the need for unified management and analysis of security incidents, the security of the O&M terminals themselves, and how the IDC is to be supervised.

3. IDC overall security solution
Based on the security threats faced by an IDC, the IDC overall security solution proposes corresponding measures from four aspects: the Internet access layer, the convergence layer, the service access layer, and the operation management layer, as shown in the figure below.

 

Figure 1: IDC overall security solution diagram

Internet access layer
The Internet access layer is the exit for all IDC services. It bears the heavy responsibility of defending against DDoS attacks and ensuring that IDC services remain available and reachable with normal bandwidth; the key is to prevent DDoS attacks from exhausting bandwidth or consuming large amounts of host resources.

Anti-DDoS / traffic cleaning
It is recommended to deploy the company's Gigabit anti-DDoS / traffic cleaning device (DDOS) to clean attack traffic and ensure the availability of the entire IDC network bandwidth and of access to IDC services. DDOS uses an independently developed anti-denial-of-service algorithm that is creatively placed at the bottom of the network stack, bypassing the higher TCP/UDP/IP layers of the system stack; this greatly reduces computational cost and, combined with hardware-accelerated operation, gives very high system efficiency. DDOS also draws on many years of DDoS attack research from the company's attack and defence laboratory, and has the industry's most complete DDoS attack detection capability.
DDOS detects DDoS attacks in real time through its abnormal traffic detection system. Once attack traffic is detected, the abnormal traffic is diverted (traction) to the abnormal traffic cleaning system, where the attack traffic is filtered out and the cleaned normal traffic is re-injected into the network. In this way DDoS attacks from the Internet are resisted in real time, DDoS attack traffic is effectively filtered, and IDC services continue to be accessed normally and securely.
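The detect, divert, clean and re-inject workflow described above, as an added illustration that is not the vendor's code: a one-second snapshot of constructed flow records toward two IDC servers is checked against a per-destination baseline packet rate, traffic for any destination far above its baseline is pulled aside (a real device would do this with route injection; here it is a list split), SYN-only flows at implausible rates are dropped, and the remainder is handed back. All addresses, baselines and thresholds are constructed for the example.

```python
"""Added example: detect -> divert -> clean -> re-inject, simulated on constructed flows."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    flags: str    # "S" = SYN only, "A" = established traffic, "" for udp
    packets: int  # packets observed in this one-second window


# Constructed one-second snapshot: normal traffic to .10, a SYN flood plus one
# legitimate client toward .20 (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "tcp", "A", 120),
    Flow("198.51.100.8", "203.0.113.10", "tcp", "A", 90),
    Flow("192.0.2.1", "203.0.113.20", "tcp", "S", 40000),
    Flow("192.0.2.2", "203.0.113.20", "tcp", "S", 38000),
    Flow("192.0.2.3", "203.0.113.20", "tcp", "S", 41000),
    Flow("198.51.100.9", "203.0.113.20", "tcp", "A", 300),
]

# Per-destination packet rate learned during quiet periods (constructed values).
BASELINE_PPS = {"203.0.113.10": 250, "203.0.113.20": 400}


def detect_abnormal(flows, baseline, factor=10):
    """Return the destinations whose aggregate pps exceeds factor x their baseline."""
    total = defaultdict(int)
    for f in flows:
        total[f.dst] += f.packets
    return {dst for dst, pps in total.items() if pps > factor * baseline.get(dst, 0)}


def divert(flows, targets):
    """Traction step: split flows into those pulled to the cleaner and those left alone."""
    diverted = [f for f in flows if f.dst in targets]
    passthrough = [f for f in flows if f.dst not in targets]
    return diverted, passthrough


def clean(flows, syn_only_limit=1000):
    """Cleaning step: drop SYN-only sources sending far more than a real client could.

    Established traffic (ACK-bearing flows) toward the same victim is kept so the
    service stays reachable while the flood is scrubbed.
    """
    kept, dropped = [], []
    for f in flows:
        if f.proto == "tcp" and f.flags == "S" and f.packets > syn_only_limit:
            dropped.append(f)
        else:
            kept.append(f)
    return kept, dropped


def scrub(flows, baseline):
    """Run the full pipeline and report what was targeted, re-injected and dropped."""
    targets = detect_abnormal(flows, baseline)
    diverted, passthrough = divert(flows, targets)
    cleaned, dropped = clean(diverted)
    return {
        "targets": targets,
        "reinjected": passthrough + cleaned,   # traffic handed back to the network
        "dropped": dropped,
    }


if __name__ == "__main__":
    result = scrub(SAMPLE_FLOWS, BASELINE_PPS)
    print("diverted destinations:", sorted(result["targets"]))
    print("flows dropped:", len(result["dropped"]), "flows re-injected:", len(result["reinjected"]))
```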

The following diagram shows the deployment and operation of IDC anti-DDoS / abnormal traffic cleaning.

Figure 2: IDC anti-DDoS / traffic cleaning solution diagram
Convergence layer
The convergence layer is where IDC services are gathered. It must first provide good network security, such as access control, intrusion detection, network vulnerability scanning and network equipment security, and second shoulder the load balancing and traffic analysis and management responsibilities for IDC services.

High-performance firewall
It is recommended to deploy the company's 10-Gigabit NGFW high-performance firewall (Guard) at the convergence layer to provide access control and other value-added services for IDC users who need border protection. The product line includes the Qingtian series of 10-Gigabit rack-mounted high-performance firewalls with a multi-stage parallel hardware architecture, and the Cheetah series of ASIC-based 10-Gigabit firewalls. They are built on the company's own high-performance, efficient and secure TOS operating system and on an original multi-core data processing technology (TURBO) that performs fast forwarding at the service layer, with processing capacity of up to 320 Gbps. They support VPN, firewall, intrusion prevention, anti-virus, URL filtering, virtual firewall, IPv6 and other functions, as well as virtualized VPN access, and are well suited to deployment at the IDC convergence layer to provide different levels of security for different IDC users.

Figure 3: NGFW firewall multi-core architecture

High-performance network intrusion detection
It is recommended to deploy the company's Gigabit high-performance network intrusion detection system (Sentry) at the convergence layer to provide intrusion and attack detection and other value-added services for IDC users who need network intrusion detection. Sentry is independently developed, uses the same multi-core hardware platform as the firewall together with the company's own TOS operating system, and is built on the advanced SmartAMP parallel processing architecture with a patented built-in dynamic processor load balancing technology, combined with the original SecDFA core algorithm. It fully supports IPv6 and detects in real time more than 3,500 kinds of network attack behaviour, including overflow attacks, RPC attacks, web CGI attacks, denial of service attacks, Trojans, worms and other exploitation of system vulnerabilities. With the full rule set loaded and under full attack traffic, it achieves Gigabit line-rate detection regardless of packet size. It is very suitable for deployment at the IDC convergence layer and in 10-Gigabit environments.

Sentry five-in-one security protection function diagram

Network security audit
It is recommended to deploy the company's network security audit system (Audit-NET) at the convergence layer to provide network behaviour auditing and other value-added services for IDC users. Audit-NET is developed on the company's quantum storage technology, which effectively ensures that massive volumes of audit data are not lost. It makes full use of the computing power of the Sec multi-core platform through its own cloud-platform audit query technology, so that queries over massive data return instantly and searches are genuinely usable. It supports PPPoE real-name auditing, AD domain real-name auditing and 802.1x real-name auditing. It stores the massive raw packets so that professionals can conduct in-depth analysis, the only domestic product to do so. It uses a special hardware architecture with dual dedicated secure operating systems as a cold standby, so that when the main system fails it can be quickly restored from the backup system.

Vulnerability scanning and management
It is recommended to deploy the company's vulnerability scanning and management system (Scanner) at the convergence layer to provide periodic vulnerability scanning value-added services to IDC users. Scanner uses a B/S architecture and the scientific CVSS concept, and scans according to classified protection levels. It applies advanced techniques including intelligent service identification, multi-service detection, intelligent scheduling, dynamic passing of information between dependent scripts, safe scanning, denial-of-service recovery optimization, and sequential scanning with script breakpoints, to ensure high accuracy and high scanning speed. The Scanner engine combines host-based, target-based, network and application vulnerability detection technology to maximize the accuracy of vulnerability identification. Its vulnerability knowledge base contains more than 20,000 entries, is updated weekly, is compatible with the Nessus plug-in library and conforms to the international CVE standard. Scanner offers a variety of scanning strategy templates and template parameters, supports multi-task and multi-host scanning and authorized scanning, and supports cascaded deployment, external interfaces, Syslog logging and statistical comparison reports, so that all kinds of target devices can be scanned in a controlled way.

Application traffic management
It is recommended to deploy the company's application traffic management system (Flow) at the convergence layer to provide IDC users with business application and traffic analysis and management value-added services. Flow has the industry's most powerful protocol recognition engine, with a unique encrypted-protocol deep recognition technology that can identify encrypted P2P protocols, and accurately identifies up to 600 kinds of layer-7 application protocols in addition to traditional TCP/IP protocols. It provides bandwidth limiting, bandwidth reservation and bandwidth guarantee; supports policy nesting and hardware bypass; can rate-limit a single IP for fine-grained traffic management; supports HTTP control and DNS redirection, DNS hijacking and dropping of DNS requests; provides deep application traffic diversion and amplification, application proxy and user identity tracing; supports proxy checking across routed traffic, TCP and UDP connection control, DSCP marking and router linkage; and provides rich reporting. It offers application monitoring, traffic analysis, traffic management, traffic statistics and traffic control functions.

Figure 4: Flow application traffic inspection diagram
Server load balancing
It is recommended to deploy the company's server load balancing system (App-LB) at the convergence layer to provide value-added services to IDC users who need server load balancing. App-LB is based on intelligent server load balancing technology, supports a variety of load balancing algorithms, dynamically monitors server performance and health, supports TCP, HTTP, HTTPS, custom-service and many other health checks, automatically chooses the best server and intelligently balances traffic across servers, and hides the real IP addresses of the servers. It supports more than 10 fast and efficient intelligent load balancing algorithms, both non-persistent algorithms and multiple persistent (session-keeping) algorithms, load balancing algorithms tailored to cache servers, automatic balancing of service traffic, per-server maximum connection and session limits, session persistence, automatic fault notification, and high-availability deployment of the load balancers themselves.

Service access layer
The service access layer is the core business of the IDC. Here the focus is on IDC security services such as defending websites against attacks, web tamper-proofing, and security evaluation and reinforcement of IDC business systems before they go online.

Web application firewall
It is recommended to deploy the company's web application firewall (WAF) at the service access layer to provide security protection value-added services to IDC users. WAF is a new-generation website "proxy" protection product developed independently by the company. It provides full-cycle security protection for websites in three phases: pre-event warning, in-event security protection and post-event analysis. Beforehand, WAF dynamically monitors web services, tracking service capacity and service quality in real time, and establishes a security hazard early-warning mechanism. During operation, WAF, working on the "runtime" principle and relying on a stable, efficient and secure system kernel and an advanced multidimensional protection system, defends web applications against threats, prevents web tampering, defends against denial of service attacks and optimizes web functions, to ensure the service quality of the running web application system. Afterwards, WAF provides multi-angle decision support data and detailed periodic reports, helping site managers accurately understand the status of the website and make targeted adjustments.

Figure 5: WAF full-cycle protection before, during and after an event
Webpage tamper-proofing
It is recommended to deploy the company's webpage tamper-proofing system at the service access layer to provide web tamper-resistance value-added services for IDC users. The web tamper-proofing system uses enhanced event triggering plus system (kernel) file-driver filtering technology (third-generation anti-tampering technology) and is safe, stable and reliable. It applies multiple protection techniques to prevent tampering completely in advance. Because its event-trigger mechanism is kernel-based, it uses few server resources and its efficiency is much higher than that of similar products. It monitors security in real time to ensure the safe and stable operation of the server, monitors the health of the running web service so that service disruption is kept to a minimum, and protects the web server configuration files to prevent the website from being destroyed. It can effectively prevent hackers, viruses and other agents from illegally tampering with or destroying web page directories, electronic documents, pictures, databases and other types of files.
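The core of the tamper-proofing described above is a trusted baseline of the web content, a check of the live directory against it, and restoration from a protected copy. The following is an added example, not the vendor's product: it builds a SHA-256 baseline of a constructed web root, detects modified, deleted and injected files, and restores them from a backup kept outside the web root. The product reacts to kernel file events in real time; this example polls from user space, and the site layout, file contents and paths are constructed for the demonstration.

```python
"""Added example: file-integrity baseline, detection and restore for web tamper-proofing."""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the live tree with the baseline; report what changed, appeared or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def restore(root, backup_root, findings):
    """Put modified/deleted files back from the protected copy and remove injected files."""
    for rel in findings["modified"] + findings["deleted"]:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_root, rel), dst)
    for rel in findings["added"]:
        os.remove(os.path.join(root, rel))


def demo():
    """Constructed site: baseline it, tamper three ways, detect, restore, re-check."""
    work = tempfile.mkdtemp()
    site = os.path.join(work, "www")
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(site, "img"))
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<h1>IDC customer portal</h1>\n")
    with open(os.path.join(site, "img", "logo.txt"), "w") as fh:
        fh.write("logo placeholder\n")
    shutil.copytree(site, backup)          # protected copy kept outside the web root
    baseline = build_baseline(site)

    # Simulated tampering: page defaced, image deleted, unknown file dropped in.
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<h1>defaced</h1>\n")
    os.remove(os.path.join(site, "img", "logo.txt"))
    with open(os.path.join(site, "x.html"), "w") as fh:
        fh.write("injected\n")

    before = check_integrity(site, baseline)
    restore(site, backup, before)
    after = check_integrity(site, baseline)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    found, remaining = demo()
    print("detected:", found)
    print("after restore:", remaining)
```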

Figure 6: third-generation tamper-proofing technology evolution diagram

Evaluation and reinforcement before a system goes online
At the service access layer it is recommended to use the company's professional information security services to provide IDC users with pre-launch evaluation and reinforcement value-added services for IDC business systems. The company has a professional information security services team of more than 70 people distributed across the country, together with professional information security reserve service personnel, providing IDC users with professional pre-launch assessment and reinforcement services covering network equipment, host equipment, operating systems, databases, security equipment and other equipment and systems.

Operation management layer
The core mission of O&M management is to ensure the normal and secure operation of the entire IDC network, equipment and systems and of the business. It must therefore focus on IDC 4A (account / authentication / authorization / audit), database auditing, terminal security, O&M auditing, security management, operation management, VPN remote access, and third-party information security services including remote website security monitoring and recovery, security event auditing and early warning, security policy risk assessment, and secure cloud services.

Firewall
It is recommended to deploy the company's NGFW firewall (Guard) at the O&M management layer to logically separate the IDC O&M management zone from the IDC business zone. The Qingtian, Cheetah and general-purpose series of firewalls cover users in different network environments and application areas, from desktop units to 10-Gigabit rack-mounted high-end models, across high-end, mid-range and low-end Gigabit and 10-Gigabit levels, with optional firewall, intrusion prevention, virus filtering and URL filtering functions.

VPN gateway
It is recommended to deploy the company's multi-protocol IPSec/SSL VPN gateway (VPN VONE) at the O&M management layer to provide IDC operators with secure remote VPN access to the IDC O&M management zone for maintenance and management operations. VPN VONE is based on the company's proprietary TOS secure operating system, uses leading AMP technology, advanced multi-core parallel technology and intelligent cluster technology, and has a built-in high-speed compression algorithm. It supports access from iOS, Android and other smart terminals, application QoS, WebCache acceleration and an integrated firewall. It supports many authentication methods, including username/password, certificate, USB key, SMS, dynamic token, hardware feature code and fingerprint, as well as third-party CA and online CA authentication. It supports unified user management and a variety of single sign-on modes, so that a user needs to authenticate only once to access all licensed business resources. It supports virtual portals, so different IDC users can have independent access gateways with customized login interfaces, function modules and authentication methods.

VPN remote secure access diagram
 
4A (account / authentication / authorization / audit)
It is recommended to deploy the company's 4A (account / authentication / authorization / audit) system (UTS) at the O&M management layer to provide unified 4A management for IDC O&M personnel. UTS abandons the traditional single sign-on implementation mechanism in favour of the domestically leading single sign-on (SSO) mechanism supporting both C/S and B/S architectures: without any transformation of existing systems, independently of the application's operating platform, development platform, development language, database or web server, and without changing the existing hardware, software and network environment, it seamlessly integrates application systems into the existing single sign-on platform so that one login gives access to all application systems. It truly realizes "plug and play", "one-point login" and "whole-network roaming", and embodies the "application independent" integration concept.

Figure 7: 4A (account / authentication / authorization / audit) architecture diagram
O&M audit (bastion host)
It is recommended to deploy the company's O&M audit (bastion host) system (Audit-SAG) at the O&M management layer to provide unified auditing of the O&M operations of IDC O&M personnel. Audit-SAG supports tree-structured grouping of unlimited depth for master accounts, managed resources and roles; supports static password, smart card, certificate and fingerprint authentication; supports a rich range of managed resources, can automatically collect the accounts of managed resources, and can automatically change passwords on all devices. Its access control configuration is abstracted into four kinds of policy (host policy, command policy, client address policy and access-time locking policy) to simplify configuration and use. It effectively implements SSO, account management, authentication, authorization, resource access control and operation auditing, and is very suitable for managing IDC O&M personnel and auditing their operation behaviour.

Figure 8: O&M audit (bastion host) functional diagram
Database audit
It is recommended to deploy the company's database audit system (Audit-DB) at the O&M management layer to provide database operation auditing for IDC O&M staff, detect database violations in a timely manner, and protect the security of IDC business databases. Audit-DB is a high-performance professional database audit appliance that supports auditing of Sybase, DB2, SQL Server, Oracle, MySQL, Informix, PostgreSQL, Dameng, GBase, BaseSoft and other databases. Its quantum storage technology effectively guarantees that massive audit data is not lost; it makes full use of the computing power of the SEC multi-core platform with its own cloud-platform audit query technology to return queries over massive data instantly, so that audit data can actually be investigated. Its pressure analysis technology audits and analyses all SQL statements in real time and accurately, clearly determining the operation type and operation object of each SQL statement. It supports custom SQL statement analysis functions, the only domestic product to do so. Its real-time statistical analysis reports solve the problem of long waits for statistical queries. Its three-way correlated auditing reaches a correlation analysis accuracy of 90% or more. Real-time alarm analysis supports user-defined alarm rules and several alarm methods, including email, SMS, command line and firewall linkage.

Terminal security management
It is recommended to deploy the company's terminal security management system (DESK) at the O&M management layer to provide terminal security access for IDC O&M personnel, preventing security problems of operators and of the terminals themselves from affecting IDC business systems. DESK is a third-generation terminal management system. On top of functions such as 802.1x access control, patch management, storage media (USB disk) management, unauthorized external connection management, terminal security checks, terminal state monitoring, terminal behaviour monitoring and security alarms, it adds risk management and a proactive prevention mechanism: through violation monitoring and risk analysis it implements effective prevention and control, reduces risk, and guides continuous improvement of the protection strategy. It also checks terminals for sensitive information and supports terminal traffic monitoring, and is very suitable for the security management of IDC O&M terminals.

Security management platform (SOC)
It is recommended to deploy the company's security management platform (SOC, Analyzer) at the O&M management layer to analyse and manage all IDC security and non-security devices in a unified way, including the overall security situation. Analyzer is a whole-network security management platform that integrates IT resources: by collecting, processing and analysing events from the IT resources in the network security domain and building a measurable risk model of the business information system, it implements centralized monitoring, analysis and management of information systems, displays the overall information security situation, and provides decision support and maintenance process management for the secure operation of the whole information system. Analyzer has dynamically configurable pages, so different roles can configure different home pages showing different themes, and provides security object management, vulnerability management, risk management, event management, security warning and alarm, security policy management, work order management, knowledge base management, expert decision management, report management and other functions. Analyzer is business-driven, uses a service-oriented architecture, and applies patented scalable event collection technology, standard SQL92-syntax event merging and filtering technology, state-based real-time correlation detection technology, and multi-view display technology based on intelligent protection and decision making, to support continuous improvement of security risk management.

Figure 9: security management platform (SOC) diagram
IT operation management
It is recommended to deploy the company's IT O&M management system at the O&M management layer to manage IT operations across the entire IDC. The IT O&M management system is based on ISO 20000 and ITIL 3 and is organized around the four elements of people, processes, technology and information. It maintains and manages information about the O&M organization; about suppliers, manufacturers and service providers; about contracts; about all kinds of documents; and about information services. It scans the current network equipment and imports it (hosts and target devices with SNMP enabled) into the asset base, maintaining and managing information asset data. At the same time, it records the current network configuration state as a baseline and compares configuration changes of the network equipment against that baseline. In this way it achieves a full range of asset management, event management, problem management, change management and operation evaluation for the entire IDC organization, suppliers, manufacturers, service providers, machine rooms, networks, equipment and systems.

Figure 10: IT O&M management system functional diagram

Information security management system (ISMS)
It is recommended to deploy the information security management system (ISMS), developed for IDC/ISP supervision and management, at the O&M management layer to implement information security supervision of the IDC. ISMS manages and monitors the basic data of IDC/ISP business units, such as unit information, machine room data and user data; it monitors uplink traffic data, keeps statistical records of the information accessed, and can generate access logs; it monitors data transmitted on the public information network, discovers illegal websites and illegal information in the network, filters illegal information and keeps the relevant records. At the same time, it actively submits the relevant information to the security supervision system (SMMS) of the telecommunications regulator, or the security supervision system retrieves the relevant records and logs, thereby implementing information security supervision of the IDC/ISP and ensuring Internet security.

Figure 11: IDC/ISP ISMS system functional diagram

Secure cloud service (Quanyun)
It is recommended to choose the company's secure cloud service, which provides IDC users with remote website security monitoring and recovery, security event auditing and early-warning services, relieving IDC users of difficult security management worries. Based on the company's security management platform (SOC) and other security products, the company has built a secure cloud service center, a service management system, a technology platform and an experienced security operations team; drawing on data analysis from national authorities and relying on regulators, it provides government and enterprise users with professional secure cloud services including website security monitoring and recovery, security incident warning, security inspection and auditing, and security policy risk assessment. It helps enterprise users discover security problems in their networks, analyse their causes and effects, warn of security incidents and provide solutions, so that users can handle and resolve security problems in a timely manner.

Figure 12: secure cloud services


The IDC network is the most representative large machine-room network. The overall security solution provided for IDCs reflects, on the one hand, a deep understanding of the security problems faced by IDCs and, on the other, the strength of the company's security products, security services and security solutions.
As the most powerful and trustworthy provider of security products, security services and security solutions, we are willing to provide users with more and better overall security solutions.

 

©2000-2017 Suzhou Hua Su Info-Tech Co., Ltd. All rights reserved | Su CP No. 08126214
