4.0 Overall Information Security Solution
Date: 2018-12-06


1 Demand Background and Analysis

After more than ten years of informatization at XXXX Group units, its supporting role for the business has become very obvious, and the development of XXXX Group units can no longer be separated from the normal operation of its information systems. With the deepening of informatization, XXXX's business processes have become highly automated and efficient, providing better services internally and externally. On the other hand, the management methods for the information system infrastructure that carries the XXXX Group's business processes are still relatively backward. In the current complex and changeable information security situation, whether the cause is external hacker intrusion, internal malicious use, or, in most cases, vulnerabilities created unintentionally by internal users, XXXX Group's security management methods are becoming increasingly inadequate. At the same time, ransomware outbreaks, information leaks, media hype, accountability to superior leaders, and supervision under laws and regulations are all increasing the pressure on XXXX Group's information security management.

According to XXXX Group's requirements for security work, it is necessary to strengthen network information security service assurance, build a security protection system for the data center, office network, production network and business platforms, and strengthen big data security. The overall security requirements for building XXXX Group's information security protection system are summarized as follows:

The first is to strengthen the construction of a network security assurance system: improve the security system, establish a security management control system, and form a "three members" (system administrator, security and confidentiality administrator, security auditor) separation mechanism; promote the construction of XXXX Group's information security technology system and improve the means for rapid response to and disposal of security incidents; build an integrated security operation mechanism of perception, disposal and response, strengthen the security emergency service capabilities of pre-event prevention, in-event audit and post-event response, and form a closed loop of security operations covering discovery, blocking, forensics, source tracing, analysis and expansion; carry out the construction of security organization and responsibilities, security technology design and security management design, identify a third-party organization, and uniformly implement network security classified protection and risk assessment.

The second is to build a security protection system for business platforms. Build a network security access management and control system to provide strong identity authentication, user management and access control services for internal users, partners, and operation and maintenance personnel; strengthen the security protection of the data center network, office network, industrial control network and Internet network areas; build a security assurance system for the cloud computing virtualization platform, monitoring and identifying security risks such as malicious code, security vulnerabilities and unauthorized access in real time, and providing isolation, protection, monitoring and audit services.

The third is to strengthen the security system with data security as its core. Strengthen data center border security protection and establish a unified platform authentication and identity management mechanism; implement platform-level access control and authorization management to achieve fine-grained access control; build an operational audit system that produces centralized audit reports; strengthen big data security protection and privacy protection to achieve efficient and reliable data leakage prevention.

2 Construction Goals

According to the construction requirements of the Cybersecurity Law and the Group's information security governance, and following the principle of "active defense, comprehensive prevention, strengthened management, and security first", with the goal of ensuring the sustainable, stable and robust operation of the Group's key information systems, the XXXX Group "Overall Security Planning Project" establishes a complete information security assurance framework, including the construction of security capabilities for protection, detection, disposal and recovery, and builds a "risk management-based security technology support system and security operation management system" that provides XXXX Group with comprehensive information security assurance and security operation support. Through the implementation of a security situation awareness platform, a unified group-level security monitoring, early warning and disposal body is established to achieve unified security supervision of data centers, office networks, branches and production bases, and to provide security early warning services and emergency response support for network security incidents. The specific implementation goals include:

2.1 Construction of the Security Technology Support System

In accordance with national security laws, classified protection requirements and the Group's actual business security needs, plan reasonable security zones, and through security technical measures such as border security protection, communication security, comprehensive audit, vulnerability scanning and evaluation, host and network virus protection, host hardening, web protection and identity authentication, make the Group's information security construction meet national requirements and its own security construction requirements. At the same time, data security construction should be strengthened, and every link of the data transfer process should be protected accordingly to prevent data leakage.

2.2 Construction of the Security Operation Management System

According to the relevant content of the ISO 27001 information security management system, the basic requirements of classified protection and the Group's security design technical requirements, design reasonable control content for XXXX Group's information security management system, information security operation and maintenance system and information security policy system, and implement it through security services according to XXXX Group's actual situation.

2.3 Construction of the Whole-Network Security Monitoring, Early Warning and Disposal System

Through the construction of a network security situation awareness platform, comprehensively collect the security data of the Group's headquarters data center, office network, bases and branches, and form a whole-network security situation awareness and early warning capability through big data analysis, intelligence sharing, and notification and early warning. A rapid alarm and response mechanism is also formed to improve response speed and enhance the company's ability to deal with security risks.

3 Overall Information Security Solution Design

XXXX Group's information security assurance system fully integrates the actual business scenarios of the project. With the core objectives of protecting business operation security and data security, it starts from the two levels of security technology and security management, implements the integrated security concept of "closed-loop risk management before, during and after the event", is designed according to the specific conditions and actual needs of the project, forms a closed-loop security operation and maintenance system of risk assessment, security defense, emergency disposal, continuous detection and response disposal, and builds an integrated security system that meets national laws and regulations and industry regulatory requirements.


Figure: Overall security architecture

3.1 Build Three-Dimensional Protection Capabilities Centered on Cloud, Border and Endpoint Security

3.1.1 Compliance-Driven Basic Security Architecture

The basic security defense system combines the security protection requirements of Classified Protection (等级保护, MLPS) 1.0 and 2.0 to protect the core security elements and complete the construction of a basic security protection system.

The core security elements include network security, host security, application security, data security, cloud computing security and big data security. On top of these basic elements, a security management center is established to implement pre-event protection and security protection, and to monitor and respond to incidents.

3.1.2 Three-Dimensional Protection Architecture Centered on Business and Data Security

From the perspective of protection space, a three-dimensional protection framework is built around the business of XXXX Group and its core big data assets:


Figure 9 Schematic diagram of three-dimensional protection with cloud, border and data security as the core

The three-dimensional protection capabilities involved in the solution emphasize establishing defense-in-depth capabilities to achieve end-to-end security of the business, drawing on the linked "sea, land and air" defense capabilities of the military field.

The first is the security of cloud platforms and borders. Although the traditional security boundary has disappeared, the boundaries of the business need to be reconstructed in a software-defined manner, so border security remains important: establish business security boundaries and prevent external intrusion threats. The main technical methods include terminal and network access security, L2-L7 external threat defense, and protection of the cloud platform's internal network and business boundaries based on cloud security resource pools and endpoint detection and response (EDR) products.

Second, security for the business and data needs to be built. Business access, authentication and audit need to be strengthened, along with continuous monitoring within the business, to discover potential advanced threats such as 0-day attacks and insider attacks. A security protection system covering the entire data life cycle of collection, storage, sharing, application and destruction is established.

Finally, external intelligence and cloud expert confrontation capabilities also need to be provided from an external perspective. We believe that security construction is not a matter for a single manufacturer, nor can problems be solved by relying solely on the customer's own strength; the traditional way of relying on a single technical confrontation can hardly achieve final victory. Therefore, external forces and cloud capabilities are needed to strengthen threat intelligence linkage and cloud sandbox detection of unknown threats from the external perspective of the business, introducing more external viewpoints to counter threats.

3.1.3 Technical Guarantee to Adapt to Cloud Computing Environment

The security technology of cloud computing infrastructure focuses on three levels of computing resource pool, network resource pool and cloud management platform. As cloud computing introduces virtualization technology, cloud computing engines, and cloud computing management platforms, it brings new security challenges to hosts and networks.

Virtual machine security: carry out security protection work around the three dimensions of physical server, virtual machine and Hypervisor. First, solve host-level malicious code prevention. Second, pay attention to vulnerability detection and protection in the above three dimensions to avoid serious security events such as virtual machine escape attacks. At the same time, the protection effect should also be achieved at the operating system level through security measures such as security baseline hardening, security vulnerability hardening, brute-force cracking prevention and weak password prevention.

Cloud data center network security protection: First, malicious code needs to be prevented around the physical network and the virtual network. Second, attention needs to be paid to the security protection of east-west and north-south traffic, that is, to ensure security isolation, access control and business security inside the cloud service or tenant VPC (east-west traffic) and outside it (north-south traffic); security policies also need to follow workloads in the virtualized environment.

Cloud management platform security: More attention is paid to platform security. The cloud management platform is treated as a platform application for security protection, that is, access authentication and authorization control are performed on the cloud platform, a security baseline is set for the platform, vulnerabilities are detected and protected against, and log collection and audit operations are performed on the cloud platform from multiple dimensions to ensure the security of the cloud platform itself.

3.2 Build Defense, Detection and Response Capabilities with Security Awareness at the Core



Figure 10 Schematic diagram of the "defense, detection, response" closed-loop system

Based on in-depth integration of Gartner's PPDR adaptive security protection model with industry technology trends such as artificial intelligence (AI), threat intelligence, security cloud services and endpoint detection and response (EDR), XXXX Group expects to build a three-dimensional linked defense mechanism of "cloud, border, endpoint" + "security awareness". The related functions are as follows:

Defense capability: a set of policies, products and services that can be used to defend against attacks. The key goals in this respect are to raise the threshold for attacks by reducing the attack surface, and to intercept attack actions before they take effect.

Detection capability: used to discover attacks that have evaded the defensive network. The key goal in this respect is to reduce the "downtime" and other potential losses caused by the threat. The ability to detect is critical, because companies should assume that they are under attack.

Response capability: once the system detects an intrusion, the response system starts working and handles the incident. The response includes emergency response and recovery processing, which in turn includes system recovery and information recovery.

Prediction capability: enables the security system to learn from externally monitored hacker activity in order to proactively lock on to new types of attacks that threaten existing systems and information, and to prioritize and locate vulnerabilities. This intelligence is fed back to the prevention and detection functions, forming a closed loop of the entire process.

The "XXXX Group Overall Security Planning Project" involves a large amount of security assurance work across a wide range of areas, and its core is security operations. To support the efficient development of security operations, an integrated situational awareness and security operation platform is required as tool support. By deploying latent threat traffic probes and relying on log collection servers (collecting logs from hosts, the network, platforms, operating systems, middleware, etc.), the local security basic big data center of the entire "XXXX Group Overall Security Planning Project" is aggregated. Using the integrated situational awareness and security operation platform, security service or security operation and maintenance personnel can effectively carry out key tasks such as continuous threat monitoring, threat analysis and research, timely incident notification, rapid response processing, and threat tracking and traceability. The integrated situational awareness and security operation platform is the unified monitoring, response, command and dispatch center for the security assurance work of the "XXXX Group Overall Security Planning Project".

3.3 Build Security Governance Capabilities with Global Security Visibility at the Core

In the world of network security, visualization plays a role that cannot be ignored. Security visualization ensures real-time observation of the risk points among information assets, people and behaviors; when threats occur, decisive security measures can be taken to effectively prevent the infiltration of security threats.

On the basis of traffic visibility and behavior visibility, the "XXXX Group Overall Security Planning Project" can realize global security visualization. It can combine attack trends, effective attacks and the vulnerability of business assets to conduct an overall evaluation of the security posture of the entire network, presented from the perspective of business systems, so that the overall security situation can be grasped effectively for security decision analysis.

On the basis of global security visibility, artificial intelligence and big data technologies can significantly improve security operation and maintenance capabilities. Through technologies such as compromised host detection and access relationship visualization, operation and maintenance personnel can quickly discover security risks and receive handling suggestions, simplifying operation and maintenance. Further, a security operation center for in-depth analysis, threat detection, defense linkage and service response can be established on the customer side.

4 Overall Information Security Solution Architecture

Overall information security architecture topology:


4.1 Internet Boundary Design

Link load

Two link load balancing devices are deployed at the egress to realize outbound and inbound link load balancing and make full use of the bandwidth of multi-operator links; they are deployed as a dual-machine pair to ensure redundancy;

Next-generation firewall

Two next-generation firewalls are deployed at the egress to implement Layer 7 packet filtering for data entering and leaving the Internet. The next-generation firewall has security modules such as virus protection, IPS protection, DDoS protection, botnet protection and real-time vulnerability analysis to meet the security protection of the entire Internet boundary (Cybersecurity Law) and record the related security logs; it is deployed as a dual-machine pair to ensure redundancy;

Behavior control, flow control, audit

Two Internet behavior management devices are deployed at the egress to implement internal network behavior control, traffic control, online audit and online authentication, etc., improving office efficiency, ensuring smooth office bandwidth, meeting the traceability of illegal Internet access events, and responding to the requirements of the Cybersecurity Law (in line with Order No. 82 of the Ministry of Public Security); they are deployed as a dual-machine pair to ensure redundancy.

4.2 Security Protection Design of the DMZ Zone

Application load

Two application load devices are deployed in the DMZ zone to realize load scheduling of multiple business systems at the application level, ensure balanced access to business systems, and avoid the impact of excessive load on a business system; they include an SSL offload security gateway that takes over the servers' encryption and decryption load, alleviating pressure on server performance and improving resource utilization;

Next-generation firewall

Two next-generation firewalls are deployed at the border of the DMZ to implement Layer 7 packet filtering for data entering and leaving the Internet. The next-generation firewall has security modules such as web application protection, webpage tamper resistance, virus protection, IPS protection, DDoS protection, botnet protection and real-time vulnerability analysis to meet the security protection of the entire DMZ (Cybersecurity Law) and record the related security logs; it is deployed as a dual-machine pair to ensure redundancy;

Security Services Cloud

Provide a security service cloud lease for external business systems to realize threat intelligence early warning, timely response to emergency incidents, security situation awareness and manned on-duty services, reducing the workload of operation and maintenance personnel and achieving intelligent security protection.

4.3 Data Center Security Protection Design

Next-generation firewall for traditional data centers

Two next-generation firewalls are deployed at the border of the data center to implement packet inspection for the data center. The next-generation firewall has security modules such as web application protection, webpage tamper resistance, virus protection, IPS protection, DDoS protection, botnet protection and real-time vulnerability analysis to meet the security protection of the entire data center (Cybersecurity Law) and record the related security logs; it is deployed as a dual-machine pair to ensure redundancy;

Virtualization Architecture Data Center Next-Generation Firewall

The virtualization architecture data center deploys the software version of the next-generation firewall at the bottom layer to implement virtual machine data filtering at the bottom of the entire virtualization architecture. The software version of the next-generation firewall has security modules such as web application protection, webpage tamper resistance, virus protection, IPS protection, DDoS protection, botnet protection and real-time vulnerability analysis, meeting "north-south" security protection as well as "east-west" security protection.

Virus protection software

Install anti-virus software on the servers to achieve server virus protection and avoid the spread of USB disk and intranet viruses; deploy anti-virus virtual appliances at the bottom of the virtualization layer to achieve virus protection at the virtualization layer without installing a client on each virtual machine, greatly reducing the load on the virtual machines.

4.4 Branch Network Security Design

Branch network design

The branch and headquarters are interconnected by a WAN dedicated line. A WAN acceleration device is deployed at both ends to accelerate transmission over the dedicated line, achieving data compression and maximizing the use of bandwidth. At the same time, VPN devices at the headquarters and the branch establish a VPN encrypted tunnel as the backup link of the entire network;

Branch network security protection design

Both the headquarters and branch networks perform data filtering through next-generation firewalls to ensure the security of data transmission and the safe operation of business systems;

4.5 Mobile Office Security Access Design

SSLVPN device

By deploying a professional SSLVPN device at the headquarters, all mobile office personnel connect to the headquarters office network through SSLVPN encrypted tunnels, avoiding the risk of exposing the business systems to the public network, realizing secure access for mobile office personnel, and meeting post-event audit requirements;

Supports access from Android / iOS / Windows / Linux / macOS and other mainstream PC and mobile terminals, supports running business systems on mobile terminals without a dedicated APP, and supports mobile phone "sandbox" technology to ensure that data does not land on the terminal, avoiding the risk of data leakage.

4.6 Terminal Security Protection Design

Terminal antivirus software

By deploying an anti-virus management center on the intranet to centrally manage all terminal anti-virus software and distribute virus signature updates, and installing anti-virus clients on PC terminals to detect and remove PC viruses, the security of all PCs on the intranet and of the entire office network is ensured.

Desktop Management System

By deploying a desktop management and control system on the intranet and installing clients on all PCs, all PCs on the intranet are managed and monitored, implementing management and audit measures such as USB disk permission control, file addition and deletion auditing, print auditing and real-time desktop monitoring to meet post-event desktop audit requirements and avoid leakage of sensitive data;

Data encryption system

By deploying a data encryption system on the internal network, all sensitive data on the internal network is encrypted and transparently decrypted within the internal network environment. Outgoing data must be applied for and reviewed, avoiding leakage of sensitive data and achieving security protection of sensitive data and post-event traceability.

4.7 Operation and Maintenance and Audit Management Area Design

Bastion machine: records the account and password information of all equipment and business systems; all operation and maintenance personnel perform operation and maintenance through the bastion machine, and all of their operations are recorded;

Database audit: records additions, deletions and modifications to the databases to meet the need for traceability;

Vulnerability scanning system: performs vulnerability scans of all business systems and generates vulnerability reports, providing real-time observation of business system vulnerabilities;

Log audit system: records the logs of all network devices and business systems to meet post-event traceability;

Network management platform: unified management of all network equipment, business systems, middleware, etc., reducing operation and maintenance work, raising timely alarms and observing the status of all equipment;

Network access control system: all intranet access is registered, to support audit trail positioning.
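Added example (not part of the original document or the vendor's product): a small Python check that encodes the zone design of section 4 as a least-privilege flow matrix and reports firewall rules that break it, such as direct Internet access to the data center or an administrative port reachable from anywhere other than the bastion machine. Zone names, port numbers, host names and the sample rules are assumptions.

```python
"""Checks candidate firewall rules against the zone design of section 4:
Internet boundary, DMZ, data center, branch, mobile office, office terminals
and the operation and maintenance (O&M) area with its bastion machine.
Added example: zone names, port numbers, host names and rules are
constructed assumptions, not the project's own configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MGMT_PORTS = {22, 3389}      # assumption: SSH and RDP are the admin protocols
BASTION = "bastion-01"       # assumption: host name of the bastion machine

# Permitted (source zone, destination zone) -> destination ports.
# Port numbers are assumptions; the flows follow the zone descriptions above.
ALLOWED = {
    ("internet", "dmz"): {80, 443},      # public systems behind application load / SSL offload
    ("mobile", "dmz"): {443},            # SSLVPN tunnel terminates at the headquarters gateway
    ("dmz", "datacenter"): {3306},       # DMZ front ends to data center databases
    ("office", "datacenter"): {443},     # intranet PCs to internal business systems
    ("branch", "datacenter"): {443},     # branches over the WAN line or the VPN backup tunnel
    ("om", "dmz"): set(MGMT_PORTS),      # admin access only from the O&M area
    ("om", "datacenter"): set(MGMT_PORTS),
}
ALL_PORTS = set().union(*ALLOWED.values())


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_host: str              # "any" or a specific host name
    dst_zone: str
    dst_port: Optional[int]    # None means any port
    action: str                # "permit" or "deny"


def check_rule(rule: Rule) -> List[str]:
    """Return the design violations of one rule; an empty list means compliant."""
    findings: List[str] = []
    if rule.action != "permit":
        return findings        # deny rules never widen access
    allowed = ALLOWED.get((rule.src_zone, rule.dst_zone), set())
    ports = ALL_PORTS if rule.dst_port is None else {rule.dst_port}
    if rule.dst_port is None:
        findings.append("permits any port; restrict it to the ports the design needs")
    if not allowed:
        findings.append(f"flow {rule.src_zone} -> {rule.dst_zone} is not in the zone design")
    elif rule.dst_port is not None and rule.dst_port not in allowed:
        findings.append(f"port {rule.dst_port} exceeds the design for "
                        f"{rule.src_zone} -> {rule.dst_zone}: {sorted(allowed)}")
    # The O&M design routes every administrative session through the bastion machine.
    if ports & MGMT_PORTS and rule.src_host != BASTION:
        findings.append("management ports must be reachable only from the bastion machine")
    return findings


def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each non-compliant rule name to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed candidate rule set, as it might be submitted for review.
SAMPLE_RULES = [
    Rule("web-in", "internet", "any", "dmz", 443, "permit"),            # compliant
    Rule("db-direct", "internet", "any", "datacenter", 3306, "permit"), # bypasses the DMZ
    Rule("dmz-ssh", "dmz", "web-01", "datacenter", 22, "permit"),       # admin port, not via bastion
    Rule("om-any", "om", "any", "datacenter", None, "permit"),          # any port, any O&M host
    Rule("om-bastion", "om", BASTION, "datacenter", 22, "permit"),      # compliant
    Rule("deny-all", "internet", "any", "datacenter", None, "deny"),    # compliant
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only the three non-compliant sample rules with the reason for each.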


© 2016 Guangzhou Mingchuang Network Technology Co., Ltd. All rights reserved