
The Solving Strategies And The Implementation Methods For The New Issues Of The Information Network Security In The Changchun Party And Government Organs

Posted on: 2010-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: X H Wan
Full Text: PDF
GTID: 2178360302465983
Subject: Software engineering
Abstract/Summary:
As people's lives increasingly move onto the network, the author's life and the network have become inseparable in every aspect, such as shopping through online banking, making network telephone calls, and going to the hospital with the help of the health-care network. Furthermore, the country's economic, cultural, military and social activities will depend much more on the network, so the reliability and security of the national network, as critical infrastructure, will become a focus all over the world. However, the network goes beyond national borders, and its properties, such as having no one in charge, having no defences set up, and lacking legal restraint, bring opportunities to all countries as well as great risks.

The Party committee information network takes the city government as its core and connects the city's bureaus and other government organs and their local office area networks, with terminal nodes reaching as far as the sub-district offices; it constitutes a citywide metropolitan area network for the offices of the party and government organs. It comprises two physically isolated metropolitan networks, an internal one and an external one. At the physical, network, system and application levels, the city has built a complete security system; has deployed a series of hardware and software equipment including a firewall, GAP, network anti-virus, system reinforcement, and intrusion detection and prevention; and has established an AD directory service system, providing a unified directory service, unified authentication, single sign-on and unified authorization, and giving the parties involved centralized management and monitoring, to ensure the safe and reliable operation of the e-government systems.

However, network security is dynamic. With the opening up of Internet technology, the risk of attacks increases, and some new security issues arise along with the information construction of the party and government:

1. The traditional identity authentication system cannot cope with the diversity of network services;
2. There is no intrusion detection and prevention system that unifies anti-virus, firewall and other functions;
3. With the massive adoption of IPv6, new security problems arise;
4. With the abundant emergence of P2P, traditional web and network traffic monitoring systems break down.

Based on a comprehensive study of the Changchun municipal government's information network, on the structural characteristics of the internal network of the Changchun municipal government departments, and on a security risk analysis at the physical, network, system, application and management layers, the author designs a security protection system that addresses these problems in accordance with network security design principles.

1. To allow business systems running on different platforms to access the identity authentication system, and to let the identity authentication system continually integrate new business systems, the author uses an ASP technology architecture to convert the certification services of the identity authentication system when a unified identity authentication system and security features are achieved. The system wraps the different functions provided by the identity authentication system in a common service interface described in ASP; in this interface, a single function describes the authentication service offered to the content business systems. The function's input parameters are the user name, the user password and the ID of the content business system; its output parameter is a string of the content business systems the user can access. Regardless of the platform a business system runs on, as long as it follows the ASP interface protocol specification and sends the user name and password to the authentication service in a SOAP message, the authentication service returns the authentication result to the content business system in a SOAP message. The content business systems do not need to understand how the authentication service is implemented, which achieves common cross-platform authentication.

2. The author conducts a comprehensive analysis of the operating system, services and permission plan of a newly installed web server system. It is not difficult to find that "minimal services + minimal permissions = maximal security". For services, it is unnecessary to install anything that is not used, and it is important to know that services run at SYSTEM level; for permissions, follow the principle of granting only what is sufficient. The paper describes in detail the permission settings of the operating system and service software of the web server system, and puts forward new solutions to these issues.

3. Network security must be treated as a whole, and appropriate security products are needed as a necessary complement to the firewall. An intrusion detection system is the best such security product, but the price of intrusion detection and defense systems on the market is often 100 thousand yuan or even higher, which is beyond the means of many organs and units. After screening a large number of intrusion detection systems, the author recommends "Strata Guard", intrusion detection and prevention software produced by StillSecure, which is IDS/IPS software that truly includes intrusion detection and active defense capabilities. The hardware used conforms to current standards. The software is Strata Guard, which has the following unique features: (1) a graphical installation interface and an initialization wizard that let the user get started easily; (2) prioritization of alarms according to the severity of the attack; (3) real intrusion prevention capabilities that can intercept and modify attackers' data packets and handle them accordingly; (4) web-based remote configuration and management.

These features mean that users do not need to know much about Linux and can easily install and use Strata Guard. Because Strata Guard evolved from Snort, it still uses a signature-based detection library to identify attacks in malicious network traffic. However, Strata Guard can also detect malicious attacks in network traffic through signature analysis, protocol anomaly analysis, stateful packet analysis, and reassembly of TCP packets. Because it has these detection methods, it can make the right judgments about emerging malicious attacks and actively intercept them with the corresponding response, playing a real role in active defense.

When Strata Guard is installed as a gateway at key positions of the information network, in addition to pre-emptively blocking the malicious network traffic it detects, it can also replay TCP traffic safely. At the same time, it can block attacks from the network by source IP address or port, provides ways to prevent DoS attacks, and can run the user's own customized response scripts. Strata Guard also allows a global default response mode to be configured for all detected attacks, as well as an independent response for each individual attack, so that responses to network attacks can be created flexibly and freely according to the demands of different network environments.

4. By analyzing real-time content analysis and filtering, the author found its shortcomings: the real-time content analysis method wastes bandwidth, adds access latency and has a higher false positive rate. URL filtering methods also have application limitations: first, products that adopt URL filtering cannot be applied as global generic products, because of legal, cultural, religious and other problems; secondly, the pre-classified web site database must be updated in real time, which places high demands on the classification accuracy of the web site library. The pre-classified web site database must not only be large in number but also highly accurate in classification, so that misjudgments and omissions are unlikely. According to the characteristics of the information network of the party and government organs of Changchun City, the author combines the advantages of the two methods with NDIS HOOK technology, makes some modifications, and writes a set of applicable programs to serve the organs' network services well.

5. At present, the number of P2P applications on the network is increasing greatly and their traffic shows a gradual upward trend; furthermore, distributed, encrypted and anonymous P2P applications are becoming mainstream. In this case, to meet basic requirements such as service quality, network planning, billing and auditing, it is necessary to identify and monitor P2P effectively. This paper describes several typical P2P traffic identification methods and analyzes and identifies P2P traffic from different aspects of its characteristics. By combining traffic patterns and connection characteristics, and implementing the result in C++ with some corresponding modifications, it meets the needs of the Changchun party and government organs' information network.

Finally, security products are deployed at all levels and a platform for the safe operation of the system is built by integrating the characteristics of the Changchun party and government organs' information network, to ensure the security of network information. The paper begins with the new problems emerging in the Changchun party and government organs' information network, introduces its network structure, and, in accordance with the network security requirements of the State Secrets Bureau of Changchun, further eliminates the remaining security risks and vulnerabilities of the current information network, so that the confidentiality, integrity and availability of classified data and information in computer information systems are reliably protected. Thus it can achieve one of the goals: "normative online behavior, purifying the Internet environment; all-out attack protection, strengthening network security; fine-grained traffic control, optimizing bandwidth resources; integration of multiple functions, making the network easy to control and saving money."
Keywords/Search Tags: network security, Party and Government Information Network, Protection System