办公自动化网络安全防护策略.doc

1、浅析办公自动化网络安全防护策略理学院数学101崔福红【 摘 要 】本文总结了办公自动化网络常见的安全问题及其后果,探讨了解决这些安全问题的方法,提供了基于网络内部的安全策略。 【关 键 词】办公自动化 网络 网络安全 病毒 黑客 【Abstract】This article summarizes the office automation network common security issues and its consequences, on the solution of the security problem the method, is provided based on the

2、 internal network security strategy【Key works】Office automation Internet Internet safe Computer Viruses Hacker1 引言 企业内部办公自动化网络一般是基于TcrilP协议并采用了Internet的通信标准和Web信息流通模式的Intra-net,它具有开放性,因而使用极其方便。但开放性却带来了系统入侵、病毒入侵等安全性问题。一旦安全问题得不到很好地解决,就可能出现商业秘密泄漏、设备损坏、数据丢失、系统瘫痪等严重后果,给正常的企业经营活动造成极大的负面影响。因此企业需要一个更安全的办公自动

3、化网络系统。 Enterprise office automation network is based on the TcrilP protocol with Internet communication standards and Web information circulation model Intra-net, which is open, so the use is extremely convenient. But open brought system intrusion, virus attacks and other security issues. Once the s

4、afety problem can not be solved, it may appear commercial secret, equipment damage, loss of data, the system paralysis and other serious consequences, to the normal business activities caused great negative impact. Therefore, enterprises need a more secure office automation network system. 2 办公自动化网络

5、常见的安全问题 2.1 黑客入侵 目前的办公自动化网络基本上都采用以广播为技术基础的以太网。在同一以太网中,任何两个节点之间的通信数据包,不仅可以为这两个节点的网卡所接收,也同时能够为处在同一以太网上的任何一个节点的网卡所截取。另外,为了工作方便,办公自动化网络都备有与外网和国际互联网相互连接的出入口,因此,外网及国际互联网中的黑客只要侵入办公自动化网络中的任意节点进行侦听,就可以捕获发生在这个以太网上的所有数据包,对其进行解包分析,从而窃取关键信息;而本网络中的黑客则有可能非常方便的截取任何数据包,从而造成信息的失窃。 The current office automation networ

6、k is basically used to broadcast based on ethernet. On the same Ethernet, communication between any two nodes data packets, not only for the two node network card receiving, also can be in the same Ethernet on any one node of the network card interception. In addition, in order to facilitate the wor

7、k, office automation network with network and Internet connected entrance, therefore, extranet and Internet hackers in the invasive office automation as long as any node in the network to listen, you can capture occurred in the Ethernet all packets, carries on the analysis to unpack, steal a key inf

8、ormation; and the network hackers may very convenient to intercept any packet, thereby causing the information being stolen2.2 病毒感染 随着计算机和网络的进步和普及,计算机病毒也不断出现,总数已经超过20000种,并以每月300种的速度增加,其破环性也不断增加,而网络病毒破坏性就更强。一旦文件服务器的硬盘被病毒感染,就可能造成系统损坏、数据丢失,使网络服务器无法起动,应用程序和数据无法正确使用,甚至导致整个网络瘫痪,造成不可估量的损失。 Along with the

9、computer and network the progress and popularization, computer virus also appears ceaselessly, has a total of more than 20000 per month, and 300 speed increase, its destructive also increases ceaselessly, and the network virus destructive stronger. Once the hard disk is infected by a virus, it may c

10、ause damage, loss of data, the network server can start, application programs and data cannot be used correctly, even lead to paralysis of the entire network, caused inestimable loss.2.3 数据破坏 在办公自动化网络系统中,有多种因素可能导致数据的破坏。首先是黑客侵入,黑客基于各种原因侵入网络,其中恶意侵入对网络的危害可能是多方面的。其中一种危害就是破坏数据,可能破坏服务器硬盘引导区数据、删除或覆盖原始数据库、破

11、坏应用程序数据等。其次是病毒破坏,病毒可能攻击系统数据区,包括硬盘主引导扇区、Boot扇区、FAT表、文件目录等;病毒还可能攻击文件数据区,使文件数据被删除、改名、替换、丢失部分程序代码、丢失数据文件;病毒还可能攻击CMOS,破坏系统CMOS中的数据。第三是灾难破坏,由于自然灾害、突然停电、强烈震动、误操作等造成数据破坏。重要数据遭到破坏和丢失,会造成企业经营困难、人力、物力、财力的巨大浪费。In office automation network system, there are many factors that may lead to the destruction of data.

12、The first is the hacker invades hacker, network intrusion based on a variety of reasons, including malicious intrusions against the network may be in many aspects. One danger is destruction of data, may disrupt the server hard disk boot sector data, delete or overwrite the original database, break t

13、he application data. Followed by the virus, the virus may attack system data area, including hard disk master boot sector, Boot sector, FAT table, ; virus may also attack the area, so that the is deleted, renamed, replace, lost part of program codes, missing data file; virus may also attack CMOS, CM

14、OS destruction system data in. Third is the disaster damage, due to natural disasters, all of a sudden power failure, strong vibration, misoperation caused by data destruction. Important data were damaged and lost, will cause the enterprise manages difficulty, manpower, material resources, financial

15、 resources huge waste 3 网络安全策略 3.1 网络安全预警 办公自动化网络安全预誓系统分为入侵预警和病毒预警两部分。 入侵预警系统中,入侵检测可以分析确定网络中传输的数据包是否经过授权。一旦检测到入侵信息,将发出警告,从而减少对网络的威胁。它把包括网络扫描、互联网扫描、系统扫描、实时监控和第三方的防火墙产生的重要安全数据综合起来,提供内部和外部的分析并在实际网络中发现风险源和直接响应。它提供企业安全风险管理报告,报告集中于重要的风险管理范围,如实时风险、攻击条件、安全漏洞和攻击分析;提供详细的入侵告警报告,显示入侵告警信息(如入侵IP地址及目的IP地址、目的端口、攻击特

16、征),并跟踪分析入侵趋势,以确定网络的安全状态;信息可以发往相关数据库,作为有关网络安全的决策依据。 病毒预警系统通过对所有进出网络的数据包实施不间断的持续扫描,保持全天24小时监控所有进出网络的文件,发现病毒时可立即产生报警信息,通知管理员,并可以通过IP地址定位、端口定位追踪病毒来源,并产生功能强大的扫描日志与报告,记录规定时间内追踪网络所有病毒的活动。 Office automation network security pre oath system is divided into two parts and virus intrusion early warning early wa

17、rning.The intrusion warning system, intrusion detection can be analyzed to determine the network transmission of data packet is authorized or not. Upon detection of the intrusion information, will issue a warning, thereby reducing the network threat. It includes the network scanning, scanning system

18、 scanning, Internet, real-time monitoring and the third side of the firewall to produce important safety data together, providing internal and external analysis and the actual network found in the risk source and direct response. It provides enterprise safety risk management report, the report focus

19、ed on the important risk management, such as real time risk, attack conditions, analysis of security vulnerabilities and attacks; to provide detailed intrusion alarm reporting, display intrusion alarm information (such as the invasion of the IP address and the destination IP address, destination por

20、t, assault characteristics ), and tracking analysis intrusion trend, to determine the network security state; information can be sent to related database, as the basis for decision making about network security.Virus warning system based on the network data packets of all import and implementation o

21、f uninterrupted continuous scanning, maintain 24 hours of monitoring all import network files, found that the virus can be immediately generates alarm information, notify the administrator, and can through the IP address port positioning, positioning and tracking the source of the virus, and generat

22、e powerful scanning log and report, recording time tracking network all virus activity.3.2 数据安全保护 对于数据库来说,其物理完整性、逻辑完整性、数据元素完整性都是十分重要的。数据库中的数据有纯粹信息数据和功能文件数据两大类,入侵保护应主要考虑以下几条原则:物理设备和安全防护,包括服务器、有线、无线通信线路的安全防护;服务器安全保护,不同类型、不同重要程度的数据应尽可能在不同的服务器上实现,重要数据采用分布式管理,服务器应有合理的访问控制和身份认证措施保护,并记录访问日志。系统中的重要数据在数据库中应有

23、加密和验证措施。For the database, its physical integrity, logical completeness, elements of the data integrity is very important. The data in the database have pure information data and the function of two kinds big, intrusion protection should mainly consider the following principles: the physical equipmen

24、t and safety protection, including servers, wired, wireless communication line safety protection; the server safe protection, different types, different importance degree data should be possible on a different server implementation, important data using distributed management, server should have rea

25、sonable access control and authentication measures to protect, and records the access log. System of the important data in database encryption and verification measures should be.3.3 入侵防范 3.3.1 内外网隔离 在内部办公自动化网络和外网之间,设置物理隔离,以实现内外网的隔离是保护办公自动化网络安全的最主要、同时也是最有效、最经济的措施之一。 第一层隔离防护措施是路由器。路由器滤掉被屏蔽的IP地址和服务。可以

26、首先屏蔽所有的IP地址,然后有选择的放行一些地址进入办公自动化网络。 第二层隔离防护措施是防火墙。大多数防火墙都有认证机制,无论何种类型防火墙,从总体上看,都应具有以下五大基本功能:过滤进、出网络的数据;管理进、出网络的访问行为;封堵某些禁止的业务;记录通过防火墙的信息内容和活动;对网络攻击的检测和告警。In the interior of office automation network and outside the network, set up physical isolation, in order to achieve internal and external network

27、isolation is to protect the office automation network security is the most important, but also the most effective, the most economic measure.The first layer of isolation protection measures is a router. Router filter blocked IP address and a service. Can be the first shield all the IP address, and t

28、hen selectively release some address into the office automation network.The second layers of the insulating protective measures is the firewall. Most firewalls are authentication mechanism, no matter what type of firewall, from look on the whole, should have the following five basic functions: filte

29、ring, network data; management, network accessing behavior; blocking certain prohibited business; records through the firewall information content and activities; to the network attack detection and alarm.3.3.2 访问控制 办公自动化网络应采用访问控制的安全措施,将整个网络结构分为三部分,内部网络、隔离区以及外网。每个部分设置不同的访问控制方式。其中:内部网络是不对外开放的区域,它不对外提

30、供任何服务,所以外部用户检测不到它的IP地址,也难以对它进行攻击。隔离区对外提供服务,系统开放的信息都放在该区,由于它的开放性,就使它成为黑客们攻击的对象,但由于它与内部网是隔离开的,所以即使受到了攻击也不会危及内部网,这样双重保护了内部网络的资源不受侵害,也方便管理员监视和诊断网络故障。Office automation network should be used in access control security measures, the whole network structure is divided into three parts, the internal network

31、 and external network, isolation zone. Each portion of the set of different access methods. Among them: the internal network is not open to the region, it does not provide any service, so the external user cannot detect its IP address, is difficult for it to attack. Isolation zone of external servic

32、es, open system information on the region, due to its openness, makes it become the hackers attack object, but as it was with the internal network is separate from, so even if attacked they do not endanger the intranet, the double protection of the internal network resources are not infringed, also

33、facilitate the administrator of monitoring and diagnosing network fault3.3.3 内部网络的隔离及分段管理 内部网络分段是保证安全的一项重要措施,同时也是一项基本措施,其指导思想在于将非法用户与网络资源相互隔离,从而达到限制用户非法访问的目的。办公自动化网络可以根据部门或业务需要分段。网络分段可采用物理分段或逻辑分段两种方式:物理分段通常是指将网络从物理层和数据链路层上分为若干网段,各网段相互之间无法进行直接通讯;逻辑分段则是指将整个系统在网络层上进行分段。并能实现子网隔离。在实际应用过程中,通常采取物理分段与逻辑分段相结

34、合的方法来实现隔离。Internal network segmentation is an important measure to ensure the safety, but also a basic measure, its guiding ideology is the illegal users and cyber source isolated from each other, thereby limiting users unauthorized access to. Office automation network according to the departments o

35、r business segment. Network segment can use physical segment or logic sections in two ways: physical segment usually refers to the network from the physical layer and data link layer is divided into a number of segments, each segment has no direct communication between each other; logical segmentati

36、on refers to the whole system in network layer segmentation. And can realize the network isolation. In practical application process, usually taking physical segment and logic sections combined to achieve isolation.3.4 病毒防治 相对于单机病毒的防护来说,网络病毒的防治具有更大的难度,网络病毒防治应与网络管理紧密结合。网络防病毒最大的特点在于网络的管理功能,如果没有管理功能,很难

37、完成网络防毒的任务。只有管理与防范相结合,才能保证系统正常运行。Compared with the single virus protection, network virus prevention and control has greater difficulty, network virus prevention and control should be closely combined with network management. Network anti virus is characterized by network management function, if ther

38、e is no management function, it is difficult to complete the task of network antivirus. Only the management and prevention of the combination, in order to ensure the normal operation of the system.3.5 数据恢复 办公自动化系统数据遭到破坏之后,其数据恢复程度依赖于数据备份方案。数据备份的目的在于尽可能快地全盘恢复运行计算机系统所需的数据和系统信息。根据系统安全需求可选择的备份机制有:实时高速度、大

39、容量自动的数据存储、备份与恢复;定期的数据存储、备份与恢复;对系统设备的备份。备份不仅在网络系统硬件故障或人为失误时起到保护作用,也在入侵者非授权访问或对网络攻击及破坏数据完整性时起到保护作用,同时亦是系统灾难恢复的前提之一。 Office automation system data destruction, their data recovery is dependent on the data backup scheme. Data backup is to as soon as possible the overall recovery operation needed for a c

40、omputer system data and information system. According to the system safety requirements can choose backup mechanisms: real time high speed, large capacity automatic data storage, backup and recovery; regular data storage, backup and recovery device of the system backup. Backup not only in the networ

41、k hardware failure or human error play a protective role, but also in the unauthorized access or to the network attack and destroy data integrity play a protective role, but also is the premise of disaster recovery system. 4 结束语 随着企业各部门之间、企业和企业之间、国际间信息交流的日益频繁,办公自动化网络的安全问题已经提到重要的议事日程上来,一个技术上可行、设计上合理、

42、投资上平衡的安全策略已经成为成功的办公自动化网络的重要组成部分。As among the various departments and enterprises, enterprises and between enterprises, international information exchanges become more frequent, office automation and network security problems have been mentioned important schedule to come up, a feasible in technology, reasonable design, investment balance security strategy has become a successful office automation network important component.学生姓名：崔福红 学号：5501110009