Appendix B: Chinese original

Hierarchical network security design for campus networks

As the construction of digital campuses in China advances, campus networks bring convenience to the work and study of teachers and students, but their openness, freedom, interactivity and sharing have given rise to a series of network security problems. Therefore, combining the characteristics of university administration with the general security requirements and security objectives of a campus network, designing an effective hierarchical network security model, building a complete campus network security defense system, and guaranteeing stable, efficient and secure operation of the campus network have become problems that must be solved during campus network construction. From the perspective of management and practicality, campus network security design is divided into three layers: physical security, network security and security management.

1 Physical security

Physical security is the process of protecting computer network equipment, facilities and other media from environmental accidents such as earthquakes, floods and fires, from human operating mistakes or errors, and from damage caused by various forms of computer crime. Guaranteeing the physical security of all the equipment in the college campus network is the prerequisite for system security control.

1.1 Machine room environmental security

Machine room, monitoring room and other site facilities and environmental security design: these must comply with national standards and meet the special requirement that the application systems run 24 hours a day without interruption (see national standards GB50173-93 "Code for design of electronic computer rooms", GB2887-89 "Technical conditions for computing station sites" and GB9361-88 "Safety requirements for computing station sites"). The location of the machine room should minimise the opportunity for unrelated personnel to enter, equipment should be placed away from main passageways, and the room's windows should not face directly onto a street.

Power supply and distribution security design: the power supply to the hosts, servers, network equipment and communications equipment in the machine room must never be interrupted under any circumstances, with no single point of failure and stable, reliable operation. This requires two or more mains feeds, an N+1 redundant standby generator system, and a UPS system that can sustain power for sufficient time.

Lightning protection and grounding security design: to keep the equipment in the machine room safe, the room must have four forms of grounding: a dedicated DC logic ground for computers, an AC working ground for the power distribution system, a safety protective ground, and a lightning protective ground. Fire alarm and automatic extinguishing system security design: to achieve automatic fire suppression, an automatic fire detection and alarm system should be designed at each key location of the network system, so that a fire is detected automatically and the automatic extinguishing and alarm systems are triggered.

Access control (door entry) system security design: a secure and easy-to-use access control system guarantees physical security and also improves management efficiency; the principles to observe are security and reliability, ease of use, tiered authorisation, central control, and a combination of several identification methods.

Security monitoring system design: security monitoring comprises closed-circuit television surveillance, passageway alarm systems and manual (guard) monitoring.

1.2 Physical equipment security

This mainly includes: theft prevention, damage prevention, prevention of electromagnetic information radiation leakage, and resistance to electromagnetic interference.
2 Network security

Network security for the college campus network focuses on communication security at the network and transport layers. It comprises three levels: isolation and access control between different local area networks, secure data transmission over public networks, and a network intrusion detection system.

2.1 Isolation and access control

Based on network security requirements, firewall technology is used at some of the college campus network's boundaries to implement isolation and access control. Given the characteristics of a campus network, a hybrid mode is generally adopted in which the firewall works in transparent mode and routing mode at the same time; this increases the flexibility of network applications, greatly improves the adaptability of the firewall, and, combined with other security technologies, meets users' security needs more conveniently and quickly. The core switch is chosen to provide the firewall and packet-filtering functions, the direction in which network management information may flow is prescribed, and firewalls are configured at the five interfaces where the central switch connects the teacher/student dormitory network, the public information server network, the network management centre network, the teaching unit network and the administrative office network, so that the five networks are isolated from one another and inbound/outbound data is subject to access control.

2.2 Network transmission security

Universities today generally have two or more campuses, and the networks of different campuses are connected by leased lines. When these large LANs exchange data over leased lines, the security threats they face are: how to guard against malicious attacks, and how to ensure the security of data while it is transmitted on the leased line. The security technology that can be applied is VPN. A VPN gateway is configured on the network communication line and a VPN manager is installed on the central switch. Through the VPN gateway a secure channel is built over the leased line, protecting the communication data; at the same time, the VPN gateway also isolates the network: if an attacker attempts to reach the college campus network via the leased line, their traffic cannot travel through the secure channel, so the VPN gateway automatically filters data that does not arrive through the secure channel and blocks illegitimate communication.

2.3 Network intrusion detection system

An Intrusion Detection System (IDS) is used to identify intrusive behaviour. It collects information from key points in a computer network or computer system and analyses it to discover whether the network or system shows behaviour that violates the security policy or signs of being attacked.

The campus network IDS is deployed in two places. At the junction between the campus network and the education network: it monitors data entering and leaving the education network, detecting and blocking attacks from the education network against the campus network and, at the same time, detecting and blocking attack packets from campus network users against the education network. At the junction between the teacher/student dormitory network and the campus network's central switch: students are the main users of the campus network, but since university students are active-minded and have a certain appetite for risk, their network behaviour must be subject to necessary control. An IDS configured at the entry point where the dormitory network joins the campus network can monitor in real time the packets students send when accessing campus network resources and prevent malicious packets from disrupting the order of campus network communications.

3 Security management

It is essential to establish an appropriate security management system and security policy for the campus network.
3.1 Security management organisation

It is recommended to set up a campus network security management group led by the school leader responsible for security, whose members may include the administrators of each subnet node and each subsystem. The management rights and obligations of the group's members are clearly defined. For each member of the group, it is explicitly specified what responsibility that person bears for which incident, so that responsibility rests with named individuals. It is explicitly specified who may manage which network devices (firewalls, routers, switches, and so on), so that maintenance of each product is the responsibility of a designated person.

3.2 Security management principles

Multi-person responsibility principle. Two or more people must be present for every security-related activity. These people should be appointed by the leader in charge of the system, be loyal and reliable, and be competent for the task; they should sign the work record to certify that security was maintained. Limited-tenure principle. To follow the limited-tenure principle, staff should rotate between posts at irregular intervals, a mandatory leave system should be enforced, and staff should receive training in turn, so that the limited-tenure system is practicable. Separation of duties principle. Staff working in the information processing system should not inquire about, learn of or take part in any security-related matter outside their own duties unless approved by the leader in charge of the system.

3.3 Security management services

Network security is dynamic and holistic; simply integrating security products does not solve the problem. As time passes, new security risks arise. A complete security solution must therefore also include long-term, system-related information security services, comprising: comprehensive security consulting and training; static network security risk assessment; and emergency response to special incidents.

Appendix C: English translation

Hierarchical campus network security design
With the steady progress of digital campus work in China, the campus network brings convenience to the work and study of teachers and students, while its openness, freedom, interactivity and sharing give rise to a series of network security problems. Therefore, according to the characteristics of university management, and based on the general security requirements and security goals of the campus network, designing an effective hierarchical network security model, building a complete campus network security defense system, and ensuring the s

1. Physical security

Physical security is the protection of computer network equipment, facilities and other media from destruction by earthquake, flood, fire and other environmental accidents, by human operating mistakes or errors, and by various computer crimes. Ensuring the physical security of all college campus network equipment is the prerequisite for system security control.

1.1 Room environment safety

Design of the machine room, monitoring room and other site facilities and environmental security: these must conform to state standards and meet the special requirement of 24-hour uninterrupted operation of the application systems (see national standards GB50173-93 "Electronic computer room design standard", GB2887-89 "Computing station site technical conditions" and GB9361-88 "Computing station site safety requirements"). The location of the room should reduce the chance of irrelevant personnel entering, away from the main

Power supply and distribution system security design: the power supply to the hosts, servers, network equipment and communications equipment in the telecom room must not be interrupted under any circumstances, with no single point of failure and stable, reliable operation. This requires two or more utility feeds, an N+1 redundant self-provided generator system, and a UPS system that can supply power for enough time.

Lightning protection and grounding system security design: to ensure the safety of all equipment in the room, the computer room requires four forms of grounding, namely a dedicated DC logic ground for computers, an AC working ground for the power distribution system, a safety protective ground, and a lightning protective ground.

Automatic fire alarm and fire fighting system security design: to realize automatic fire extinguishing, an automatic fire monitoring and alarm system should be designed at each key position of the network system, so as to monitor fire automatically and start the automatic fire extinguishing and alarm systems.

Entrance guard system security design: a safe and easy-to-use entrance guard system ensures physical security and also improves management efficiency; the principles to observe are safety and reliability, ease of use, a tiered system, central control, and a combination of several modes of recognition.

Security monitoring system security design: security monitoring includes the closed-circuit surveillance system, the passageway alarm system and manual monitoring.

1.2 Physical equipment safety

Mainly includes: protection of equipment against theft and destruction, prevention of electromagnetic information radiation leakage, resistance to electromagnetic interference, etc.

2. Network security

Campus network security mainly addresses communication security at the network layer and the transport layer; it includes three levels: isolation and access control between different local area networks, security of data transmission over public networks, and the network intrusion detection system.

2.1 Isolation and access control: Based on network security needs, firewall (Fire Wall) technology is used at parts of the college campus network boundary to realize isolation and access control. According to the characteristics of the campus network, the firewall generally works in a mixed mode, with transparent mode and routing mode operating at the same time, which improves the flexibility of network applications, greatly improves the adaptability of the firewall, and by combining other security technolo

Network transmission safety: In view of the fact that universities today generally have more than one campus, the networks of different campuses are connected by leased lines. When these large LANs exchange data over the leased line, the security threats faced are: how to prevent malicious attacks? How to ensure the security of data in transmission on the line? The security technology that can be used is VPN technology. A VPN gateway is configured on the network line, and on the central switch is installed a VPN

The network intrusion detection system: The campus network IDS is configured in two places. At the junction of the campus network and the education network: used to monitor data entering and leaving the education network, both detecting and blocking attacks from the education network on the campus network and, at the same time, detecting and blocking attack packets from campus network users against the education network. At the junction of the teacher/student dormitory network and the central switch of the campus network: students are the main users of the campus network, but with college students' ac

3. Safety management

Formulating a proper campus network security management system and security strategy is very necessary.

3.1 Safety management system

It is suggested that the school set up a campus network security management group led mainly by the leadership responsible for safety; team members can be the administrators of each subnet node and subsystem. The rights and obligations of safety management team members should be clearly laid down. For every member of the group, it should be specifically designated what kind of responsibility each person bears for which accident, so that responsibility is implemented. It should be specifically designated what person can what man

3.2 Safety management principle

The multi-person responsibility principle. Every security-related activity must have two or more persons present. These people should be appointed by the system manager, be loyal and reliable, and be able to do the work; they should sign work records to prove that safety work has been ensured. The limited-term principle. In order to follow the limited-term principle, workers should rotate posts irregularly, a holiday system should be enforced, and regulations should have staff take turns in training, so that the

Safety management services

Network security is dynamic and integral; it is not a problem that simple integration of security products can solve. Over time, new safety risks will be produced. Therefore, a complete security solution must include long-term, system-related information security services. They include: comprehensive safety consulting and training; static network safety risk assessment; special event emergency response.
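The isolation design in section 2.1 (packet filtering at the five core-switch interfaces, with a prescribed direction for management traffic) and the VPN gateway rule in section 2.2 (only tunnelled traffic is accepted from the leased line) are described in words only. The following is an added example, not the paper's configuration or any vendor's firewall syntax: a small zone-based policy evaluator in Python. The address plan, zone names, allowed ports, VPN gateway address and sample packets are all constructed for illustration.

```python
"""Zone-based access control between the five campus segments.

Added example, not the paper's own configuration: it models the policy that
sections 2.1 and 2.2 describe in words, i.e. packet filtering at the five core
switch interfaces with a prescribed management-traffic direction, plus the VPN
gateway rule that only tunnelled traffic is accepted from the leased line.
Every address, zone name, port and sample packet below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical address plan: one /16 per core-switch interface.
ZONES = {
    "dorm": ip_network("10.10.0.0/16"),     # teacher/student dormitories
    "servers": ip_network("10.20.0.0/16"),  # public information servers
    "noc": ip_network("10.30.0.0/16"),      # network management centre
    "teach": ip_network("10.40.0.0/16"),    # teaching units
    "admin": ip_network("10.50.0.0/16"),    # administrative offices
    "leased": ip_network("192.0.2.0/24"),   # leased line to the other campus
}
VPN_GATEWAY = ip_address("10.30.0.1")       # hypothetical VPN gateway address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                  # "any" matches every protocol
    dports: FrozenSet[int]      # empty set matches every port
    note: str


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the core-switch interface (zone) it belongs to."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


# Ordered allow list; first match wins, anything else is denied.
RULES: List[Rule] = [
    # Management information flows only from the NOC towards managed devices.
    Rule("noc", "servers", "tcp", frozenset({22, 443}), "NOC manages servers"),
    Rule("noc", "dorm", "tcp", frozenset({22}), "NOC manages dorm switches"),
    Rule("noc", "teach", "tcp", frozenset({22}), "NOC manages teaching switches"),
    Rule("noc", "admin", "tcp", frozenset({22}), "NOC manages office switches"),
    # Every user segment may reach the public servers on web ports only.
    Rule("dorm", "servers", "tcp", frozenset({80, 443}), "public web"),
    Rule("teach", "servers", "tcp", frozenset({80, 443}), "public web"),
    Rule("admin", "servers", "tcp", frozenset({80, 443}), "public web"),
    # Section 2.2: from the leased line only the IPsec tunnel is accepted.
    Rule("leased", "noc", "esp", frozenset(), "IPsec ESP to VPN gateway"),
    Rule("leased", "noc", "udp", frozenset({500, 4500}), "IKE / NAT-T to VPN gateway"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for one packet crossing the core switch."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every known zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic is not filtered at the core"
    # VPN gateway isolation: leased-line packets not addressed to the gateway
    # cannot be inside the tunnel, so they are dropped before any rule applies.
    if src_zone == "leased" and ip_address(pkt.dst) != VPN_GATEWAY:
        return "deny", "leased-line traffic outside the VPN tunnel"
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return "allow", r.note
    return "deny", f"default deny {src_zone}->{dst_zone}"


def audit(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Evaluate a batch and return (packet, action, reason) for each packet."""
    return [(p, *evaluate(p)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("10.10.3.7", "10.20.0.5", "tcp", 443),     # student to web server
    Packet("10.10.3.7", "10.20.0.5", "tcp", 22),      # student to server SSH
    Packet("10.10.3.7", "10.50.0.9", "tcp", 445),     # student to admin office
    Packet("10.30.0.2", "10.20.0.5", "tcp", 22),      # NOC to server SSH
    Packet("192.0.2.7", "10.30.0.1", "esp"),          # tunnel from other campus
    Packet("192.0.2.7", "10.20.0.5", "tcp", 80),      # leased line, outside tunnel
    Packet("10.10.3.7", "10.10.8.8", "tcp", 8080),    # dorm to dorm
]

if __name__ == "__main__":
    for pkt, action, reason in audit(SAMPLE):
        print(f"{action:5} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: {reason}")
```

The design choice worth noting is that the policy is an allow list with a default deny, so a new segment or service gets no reachability until a rule is written for it, and the "management information flows only from the NOC" requirement is expressed as the absence of any rule in the reverse direction rather than as an explicit deny. Denied packets carry a reason string so the same evaluator can feed the audit log that section 3 expects administrators to review.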
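Section 2.3 places an IDS where the dormitory network joins the central switch and says it should watch student packets in real time and stop malicious traffic from disrupting the campus network, without saying what the sensor actually checks. The following added example, not the paper's code, shows two simple anomaly detectors over flow records of the kind such a sensor would see: a vertical port scan (one source touching many ports of one host within a window) and a SYN flood (many half-open connections to one host within a second). The `Flow` record format, the thresholds and the sample traffic are constructed; a real deployment would feed NetFlow or packet captures and wire the alert list to blocking or to the incident response process of section 3.3.

```python
"""Two anomaly detectors for the IDS at the dormitory/core-switch junction.

Added example, not the paper's code: section 2.3 says the IDS there watches
student packets in real time and stops malicious traffic from disrupting the
campus network. This shows what such detection logic can look like on flow
records. Thresholds, windows and the sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    syn_only: bool   # SYN seen, handshake never completed


SCAN_PORTS = 10      # distinct ports on one host from one source ...
SCAN_WINDOW = 5.0    # ... within this many seconds -> port scan
SYN_RATE = 50        # half-open SYNs towards one host per second -> SYN flood


def detect_port_scans(flows: List[Flow]) -> List[Tuple]:
    """Vertical scan: one source probing many ports of one host in a window."""
    events: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        events[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = []
    for (src, dst), evs in events.items():
        lo = 0
        for hi in range(len(evs)):          # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > SCAN_WINDOW:
                lo += 1
            ports = {p for _, p in evs[lo:hi + 1]}
            if len(ports) >= SCAN_PORTS:
                alerts.append(("port_scan", src, dst, len(ports)))
                break                         # one alert per (src, dst) pair
    return alerts


def detect_syn_floods(flows: List[Flow]) -> List[Tuple]:
    """SYN flood: many half-open connections to one host in a one-second bucket."""
    buckets: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.syn_only:
            buckets[(f.dst, int(f.ts))] += 1
    alerts, flagged = [], set()
    for (dst, sec), n in sorted(buckets.items()):
        if n >= SYN_RATE and dst not in flagged:
            alerts.append(("syn_flood", dst, sec, n))
            flagged.add(dst)                  # one alert per target host
    return alerts


def run_ids(flows: List[Flow]) -> List[Tuple]:
    """Run every detector and return the combined alert list."""
    return detect_port_scans(flows) + detect_syn_floods(flows)


def sample_flows() -> List[Flow]:
    """Constructed traffic as seen at the dormitory uplink."""
    flows = [  # ordinary browsing: two ports on the web server, completed handshakes
        Flow(1000.0, "10.10.4.2", "10.20.0.5", 80, False),
        Flow(1001.0, "10.10.4.2", "10.20.0.5", 443, False),
    ]
    # one host probing ports 20..35 of the server, one probe every 0.2 s
    flows += [Flow(1000.0 + i * 0.2, "10.10.3.7", "10.20.0.5", 20 + i, True)
              for i in range(16)]
    # 60 half-open SYNs to one server within a single second
    flows += [Flow(2000.0 + i * 0.01, "10.10.9.9", "10.20.0.8", 80, True)
              for i in range(60)]
    return flows


if __name__ == "__main__":
    for alert in run_ids(sample_flows()):
        print(alert)
```

Both detectors are threshold-based on purpose: at a dormitory uplink, signature matching alone misses reconnaissance and volumetric traffic, and the two thresholds above are the knobs an operator tunes against the baseline of normal student traffic to keep false positives down. The port-scan detector reports the distinct-port count at the moment the threshold is crossed (10 in the sample), not the final total, which is the point at which a real sensor would raise the alert.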