(34 Bar message ) Talking about —— Network security architecture design （ One ）_ Isolated city 286 The blog of -CSDN Blog

(34 Bar message ) Talking about —— Network security architecture design （ Two ）_ Isolated city 286 The blog of -CSDN Blog

(34 Bar message ) Talking about —— Network security architecture design   ( 3、 ... and )_ Isolated city 286 The blog of -CSDN Blog

notes ： This article continues the above article ！！！

Catalog

One 、 Springboard machine （ Fortress machine ）— Solution

（1） brief introduction ：

（2） Solid column ： 

 （3） Springboard machine function ：

Two 、 Database audit system — Solution

3、 ... and 、 Log audit system — Solution  

Four 、 Security, etc

5、 ... and 、 hot standby ：

6、 ... and 、 The stack

① Horizontal virtual ： The switch is virtualized into a

 ② Vertical virtual ： Virtualize the access switch into a virtual board of the core switch

  7、 ... and 、 Gatekeeper —— Production network and office network solutions

One 、 Springboard machine （ Fortress machine ）— Solution

（1） brief introduction ：

Springboard machine （Jump Server）, Also known as Fortress machine , It is a kind of remote equipment that can be used as a springboard for batch operation Network devices , yes System administrator or Operation and maintenance One of the commonly used operating platforms .

（2） Solid column ： 

Under normal circumstances ,PC1 Want to access the intranet OA System ,

First, through web Page access to the springboard , Then use this springboard to face OA The office system initiates an access .

And it can also be deployed on the springboard AAA Certification Technology （ authentication , to grant authorization , Audit ）

•  —— authentication ： Verify that users can gain network access . It can be the authentication of password users or digital certificates
• —— to grant authorization ： What services can authorized users use , Including commands that authorized users can use . It can be to give the corresponding access permission to the corresponding device , Which network segments can be accessed , What can be done .
• —— Audit ： What login? , When to leave .......

 （3） Springboard machine function ：

• ① Core system operation and maintenance and safety audit control ;
• ② Filter and block illegal access 、 A malicious attack , Block illegal commands , Audit monitoring 、 Call the police 、 Responsibility tracking ;
• ③ Call the police 、 Record 、 analysis 、 Handle ;

————————————————————————————————————————————————————————— 

Two 、 Database audit system — Solution

Mainly to prevent deleting the database and running away ：

If you develop a game , One web page , So these related video pictures ..... Are stored in the database ,

Now, if the developers of the intranet want to log in to this database , First of all, it must be certified by the database audit system （

  It's actually based on AAA Certification Technology .

• —— authentication ： Login to this database requires an authentication
• —— to grant authorization ： The database has many real columns , Which realistic column can you visit , Which real columns cannot be accessed , And what permissions do you have for the addition, deletion, modification and query of this real column , Can control death . If a developer wants to modify a statement in the database , After the modification is completed , Once submitted, it will not take effect immediately , He will send the application for modifying the database to the technical director , Only after being reviewed by the supervisor can it be approved , Then it will take effect .
• —— Audit ： When do you log in to the database , When did you leave , What have you done during this period , Can be recorded .

such , It can effectively prevent database deletion and running . 

 —————————————————————————————————————————————————————

3、 ... and 、 Log audit system — Solution  

For comprehensive collection of enterprises IT Common safety equipment in the system 、 Network devices 、 database 、 The server 、 Application system 、 Logs generated by host and other devices （ Including running 、 The alarm 、 operation 、 news 、 State, etc ） And store it 、 monitor 、 Audit 、 analysis 、 Call the police 、 Response and reporting system .

Almost all network devices have one log journal ,log The log can dynamically pass the alarm of equipment hardware information log Print out the log . Many security devices have been attacked , Found the virus . These information will be stored in the memory of the device .

  If the network scale is relatively large , On a network device through syslog The agreement puts the log The log is sent to the log server ,

After the IT The operation and maintenance personnel only need to check on the log server .

—————————————————————————————————————————————————————— 

Four 、 Security, etc

Information security level protection , It is a kind of work to protect information and information carrier according to importance level , In China, 、 There is a kind of work in the field of information security in the United States and many other countries .

In China, , In a broad sense, information security level protection is the standard related to this work 、 product 、 System 、 Information, etc. are safe work based on the idea of hierarchical protection ; In a narrow sense, it generally refers to the security level protection of information system .

Equal protection is an all-round system security standard , Not just program security , Include ： Physical security 、 Application security 、 Communication security 、 Border security 、 environmental safety 、 Management, security, etc .

———————————————————————————————————————————————————— 

5、 ... and 、 hot standby ：

(34 Bar message ) Double machine hot standby experiment ——（VRRP technology +HSRP technology ） Explain + To configure _ Isolated city 286 The blog of -CSDN Blog _vrrp hot standby

———————————————————————————————————————————————————————— 

6、 ... and 、 The stack

There is a problem with dual machine hot standby ： High delay during active / standby switching will lead to business interruption

solve ： Stacking technology  

① Horizontal virtual ： The switch is virtualized into a

 ② Vertical virtual ： Virtualize the access switch into a virtual board of the core switch

—————————————————————————————————————————————————————————— 

  7、 ... and 、 Gatekeeper —— Production network and office network solutions

The gateway realizes the logical isolation of internal and external networks , In terms of technical characteristics , It is mainly manifested in the disconnection of each layer of the network model （ Physical layer isolation ）

The firewall only has three layers （ Routing mode ） To the isolation of the seventh floor . Or the second floor （ Transparent mode ） To the isolation of the seventh floor

But for some viruses , Isolation from the firewall has certain limitations , The isolation effect is limited .

However, the gateway is isolated by the physical layer .

The net gate is equivalent to a ferry , If the traffic wants to pass , Then get on the ferry first （ The special protocol of the gateway acts as a ferry ）, Pulled by the ferry car to the other end , Then unpack , After passing through the firewall ,AV,

demand ： In the case of network communication, realize the safe isolation of production network and office network .

  When the office network pc1 When you want to access the production network server , In the firewall , Make security policy on the gateway , Layers of filtering .

The production network gateway is unsealed after receiving , And then pass by AV, A firewall ,IPS