
Internet Access Design | Cheap Ring Talk: Information Security Design and Governance

Background
The person: Brother Lian, an information security soldier who, fresh out of college and full of ambition, came from a second-tier city to the "magic city" to work hard. With a bit of the artisan spirit he earned the CISSP and other certificates, including information security engineer, and has fought in the field of information security for several years. Over the years he has seen a variety of IT projects through from planning and implementation to completion, and has been immersed in internal and external resources, risk control and other aspects of security. At work he is cheerful and lively, even a little talkative, and is always eager to share his experiences with the friends around him for discussion. This time he has jumped onto the vast stage of 51CTO, where we will try to ramble about information security design and management.


I do not think this will be an expensive talk with a high technical threshold. I remember Mr. Lu Xun once saying that an article the granny next door can understand is a good article. Brother Lian takes that as his own standard for a good article, so he mixes substance, technical language and humor together, follows a learning curve from entry level to depth, and illustrates as he goes, so that you are entertained while you learn. So, little friends, there is no need to hold your breath and sit up straight; you can read this series in a "Ge You slouch". Will it just be idle chatter? No! As the saying goes, there is a way to teach, and he is well prepared: there is a lot of material here. We can also relax about one thing: this will not become an unfinished ("eunuch") series. As long as you are willing to read, he will graciously stay connected with you, person to person (cheaply), and then the ring goes on.


For a long time, many domestic small and medium enterprises have put business first and system functions second, focusing on business development while neglecting the network information systems that support it. Their internal network information systems slowly slipped from "good enough" to "barely usable", hardware and software stagnated, and many products still at version 1.0 are now supporting a 3.0 era, yet there is little incentive to transform and upgrade. Today we find these common problems in the general enterprise information system:
1. Slow Internet access and a fragile network; hardware that has been in service for years, frequent single points of failure, and frequent network outages.
2. Once a user's computer or a server on the network catches a virus or a broadcast storm, it spreads easily and paralyzes the system, directly affecting the continuity and availability of services.
3. Backup policies are not timely, and the quality of recovery cannot be guaranteed.
4. IT technology and habits are old, so not even remote or mobile office work can be achieved.
External suppliers may disclose our confidential data. For information security management in the supply chain, we require that a direct supplier who hosts our data or subcontracts it to a third party must first pass our security audit and, once approved and duly authorized, only then share it with the third party.


On the other hand, many companies have quickly followed the "Internet+" tide and launched various O2O-style online and mobile services, or use HTML5 apps and the like to take in all kinds of business. Although companies generally invest little in network information systems, faced with these internal and external pressures we urgently need, in a total-cost-of-ownership (TCO) and return-on-investment (ROI) environment and within existing IT budgets, to build and maintain a secure, stable, controllable and useful network information system that lets the enterprise keep its competitive advantage and achieve sustainable development.


For example, here is the situation at the unit where I did my last customer project. It is a medium-sized company with several branches, and its survey of IT system improvement needs came down to the following critical points:
1. Establish a secure and stable network architecture, connecting headquarters and branch offices by IPSec VPN.
2. Deploy the network securely and run application and data systems with high security to keep the enterprise operating normally.
3. Cover the office area with wireless access points that are flexible to configure, making mobile office work easy.
4. Provide SSL VPN access for traveling staff.
5. Make the network infrastructure flexible and easy to upgrade and expand, which protects the investment.


Since I love to think and summarize, let me start by throwing out my own ideas and concepts for overall design and management, which I call the basic P2DR2W model (my redefinition of the industry's P2DR2 security model, oh!). The so-called P2DR2W model comprises six parts: Protection, Policy, Detection, Recovery, Remote and Wireless. Protection is the first step of security and includes installing and configuring security equipment and applying security technologies; Policy means developing safety rules; Detection covers the rich variety of security technologies used to find intrusions and abnormal behavior; Recovery is what the system can do to restore information and services when a disaster strikes; Remote means that both remote users and ordinary operations and maintenance staff can manage system resources remotely; and finally Wireless, the popular application control that has broken the traditional network boundary.


Since this is Cheap Ring Talk (painting included), how could there be no diagram? Besides, as we often say, a picture is the truth, so here I give the typical topology of an information network system, to make our discussion intuitive.


The figure above shows the system architecture from a three-dimensional perspective. Functionally, the whole IT system is divided into an extranet and an intranet. The extranet connects to the Internet and, by VPN, to the headquarters network; the intranet is not allowed to access the Internet directly, but must exchange data with the servers on the Internet side. In terms of services, it publishes information and provides a login service for external website users, gives internal staff daily Internet access, and exchanges business data with the application information systems at headquarters. In terms of access, it provides wired access at fixed workplaces and wireless connectivity for the various user-owned devices (BYOD).


Internet access design
Internet access is the entry point that connects the whole IT system to the outside; if it has problems, the company loses contact with the outside network and normal operations may be affected. I used a three-ISP design: leased Internet lines from three carriers (e.g. China Telecom, China Unicom and China Mobile), each at 10M bandwidth. Configuration lets different business applications use different lines and lets the lines back each other up. Specifically: business applications that collaborate with other regional offices (or the field) go over one ISP line, on which a dedicated VPN channel is established to keep business data confidential. The other ISP line carries employees' daily Internet access and public access to the company's legitimate external website. The access routers on these two lines are configured so that when either device or line fails, traffic automatically hot-switches to the other, and services and user access continue normally.


The third ISP line serves the wireless Internet access of staff's personal devices and visiting guests. It is kept separate from daily business so that foreign devices and abnormal Internet behavior cannot threaten the enterprise network.
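The failover and isolation rules described above can be expressed as a small uplink-monitoring policy. The following is an added example, not code or configuration from the article: line names, thresholds and probe results are constructed. It marks a business line down only after several consecutive failed probes (so one lost packet does not flap the routing), fails business traffic over only between the two business lines, and never lets guest traffic spill onto a business line or business traffic onto the guest line.

```python
"""Uplink health monitoring with hysteresis for the three-ISP design.

Added example, not code from the article. Line names, thresholds and the probe
results are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed line names mirroring the article's design: two business lines that
# back each other up, and a guest/BYOD wireless line that is never used as a backup.
LINE_VPN = "isp_a_vpn"            # site-to-site VPN to other offices
LINE_INTERNET = "isp_b_internet"  # staff Internet access and public website
LINE_GUEST = "isp_c_guest"        # BYOD and visitor wireless, isolated from business

BUSINESS_LINES = [LINE_VPN, LINE_INTERNET]

# Preferred line per service; business services may fail over within BUSINESS_LINES only.
PREFERRED = {"vpn": LINE_VPN, "internet": LINE_INTERNET, "guest": LINE_GUEST}


@dataclass
class LineState:
    up: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


class UplinkFailover:
    """Tracks probe results per line and decides which line carries each service.

    Hysteresis: a line is marked down only after `fail_threshold` consecutive
    failed probes, and marked up again only after `recover_threshold` consecutive
    good probes, so a single lost probe does not flap the routing.
    """

    def __init__(self, fail_threshold: int = 3, recover_threshold: int = 2) -> None:
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.lines: Dict[str, LineState] = {name: LineState() for name in PREFERRED.values()}

    def record_probe(self, line: str, reachable: bool) -> bool:
        """Feed one probe result (e.g. an ICMP or HTTP check) and return the line's new state."""
        st = self.lines[line]
        if reachable:
            st.consecutive_failures = 0
            st.consecutive_successes += 1
            if not st.up and st.consecutive_successes >= self.recover_threshold:
                st.up = True
        else:
            st.consecutive_successes = 0
            st.consecutive_failures += 1
            if st.up and st.consecutive_failures >= self.fail_threshold:
                st.up = False
        return st.up

    def route_for(self, service: str) -> Optional[str]:
        """Return the line that should carry `service`, or None if no acceptable line is up."""
        preferred = PREFERRED[service]
        if self.lines[preferred].up:
            return preferred
        if preferred == LINE_GUEST:
            # Guest traffic must never spill onto a business line.
            return None
        for backup in BUSINESS_LINES:
            if backup != preferred and self.lines[backup].up:
                return backup
        # Business traffic must never be rerouted onto the guest line.
        return None


def simulate(events: List[Tuple[str, bool]]) -> List[Optional[str]]:
    """Replay constructed (line, reachable) probe events; return the VPN route after each."""
    mon = UplinkFailover()
    history: List[Optional[str]] = []
    for line, ok in events:
        mon.record_probe(line, ok)
        history.append(mon.route_for("vpn"))
    return history


if __name__ == "__main__":
    # Constructed scenario: ISP A loses three probes in a row, then recovers with two good ones.
    events = [(LINE_VPN, False)] * 3 + [(LINE_VPN, True)] * 2
    print(simulate(events))
```

The two "never" rules in `route_for` are the security point of the three-line design: a failover that silently moved VPN traffic onto the guest line would undo the separation the third line was bought for.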


I remember that in my early CISSP days I often saw the sentence "a mile wide and an inch deep", and I think that tone applies to this topic too. Having read this opening installment, you may have noticed that what I talk about here is not some very sophisticated security technology or idea, but the common design, operations and maintenance, and governance experience summed up from the typical enterprises around us and shared with everyone; in a sense, it is all routine. Nowadays we have developed the habit of staying up late to binge US dramas. Lately the dramas seem mediocre, so rather than gawking at some eye-catching production, take the time to follow this series and look at our topic. I believe students who love Cheap Ring Talk will not have bad luck. I also look forward to your support!


Users can generate a one-time password on their phone and use it to log in to online banking, e-commerce sites, VPNs and other cloud software. This removes the need to remember cumbersome passwords or to receive passwords by SMS, and eliminates the hardware tokens issued by banks, thereby reducing the risk of fraud.
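The phone-generated one-time password described above is normally a time-based OTP: the phone and the server share a secret, and both derive a short code from it and the current time, so nothing needs to be sent over SMS. The following is an added example, not code from the article or from any product the page describes; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1 and checks the result against the RFC test-vector key "12345678901234567890", which is not a real credential. The verifier side shows the two caveats a practitioner wants: a small skew window rather than an open-ended one, and a constant-time comparison.

```python
"""HOTP/TOTP one-time passwords (RFC 4226 / RFC 6238) and server-side verification.

Added example, not code from the article or from any product the page describes.
The shared secret below is the RFC test-vector key, not a real credential.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a 64-bit moving counter (RFC 4226, SHA-1)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared to avoid signed/unsigned ambiguity.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6) -> str:
    """Time-based OTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.

    The window tolerates clock skew between phone and server; keep it small, since
    every extra step widens the set of codes a guesser could hit. The comparison is
    constant-time so response timing does not leak how many digits matched.
    """
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: T = 59 s is step 1, whose 8-digit code is 94287082;
    # the 6-digit form is its last six digits.
    print(totp(TEST_SECRET, 59))  # 287082
```

A real deployment also records the last accepted step per user and refuses any code at or below it, so that a code observed once cannot be replayed within the window; that bookkeeping is storage-specific and is left out here.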