阅读说明：本技术 一种基于互联网的公司安全网络的实现系统 (Internet-based company security network implementation system ) 是由 李王斌 于 2020-11-23 设计创作，主要内容包括：本发明公开了一种基于互联网的公司安全网络的实现系统,包括应用客户端1、应用客户端2、应用客户端N、虚拟专网模块和统一应用系统,统一应用系统包括系统安全模块、网络安全模块、防火墙调整模块、入侵检测模块、漏洞扫描模块、数据库安全模块和电子邮件安全模块,应用客户端1、应用客户端2、应用客户端N通过网络连接在MPLS/VPN模块、虚拟专网模块上并串联在统一应用系统内的系统安全模块、网络安全模块、防火墙调整模块、入侵检测模块、漏洞扫描模块、数据库安全模块和电子邮件安全模块上；本发明具有系统信息加密传送高,系统内的信息安全性性高、方便跨地域进行加密传送和查看、及时发现系统漏洞和危险因素,从而进行有效的防护的优点。(The invention discloses an internet-based company security network implementation system, which comprises an application client 1, an application client 2, an application client N, a virtual private network module and a unified application system, wherein the unified application system comprises a system security module, a network security module, a firewall adjusting module, an intrusion detection module, a vulnerability scanning module, a database security module and an e-mail security module, the application client 1, the application client 2 and the application client N are connected to an MPLS/VPN module and the virtual private network module through a network and are connected to the system security module, the network security module, the firewall adjusting module, the intrusion detection module, the vulnerability scanning module, the database security module and the e-mail security module in the unified application system in series; the invention has the advantages of high system information encryption transmission, high information security in the system, convenient cross-region encryption transmission and check, and timely discovery of system bugs and dangerous factors, thereby carrying out effective protection.)

1. An implementation system of a company security network based on the internet is characterized in that: the system comprises an application client 1, an application client 2, an application client N, MPLS/VPN module, a virtual private network module and a unified application system, wherein the unified application system comprises a system security module, a network security module, a firewall adjusting module, an intrusion detection module, a vulnerability scanning module, a database security module and an e-mail security module, and the application client 1, the application client 2 and the application client N are connected to the MPLS/VPN module and the virtual private network module through a network and are connected to the system security module, the network security module, the firewall adjusting module, the intrusion detection module, the vulnerability scanning module, the database security module and the e-mail security module in the unified application system in series;

the MPLS/VPN module adopts the MPLS/VPN network reconstruction implementation for realizing the safe interconnection of multi-service systems and the unified planning of companies, the MPLS technology is adopted to reconstruct the original wide area network access mode, the VPN technology based on the MPLS is adopted to divide VPNs for the service systems covering different regions, the safety isolation is carried out, and the safe and effective information interaction is provided;

the virtual private network module adopts a virtual private network, and the Virtual Private Network (VPN) has the functions of: establishing a private network on a public network for encrypted communication;

the system security module divides VLANs according to different functions and services of departments for local area networks of municipal companies and local area networks of counties, so as to realize logical isolation of network resources, prevent broadcast storms and perform network-level access control and application-level access control;

the network security module adopts a safe operating system platform to perform security detection on the interior of the system;

the firewall adjusting module is a safety protection measure of the network, analyzes and monitors flow, adjusts the deployment of a firewall to block illegal data transmission, and can independently place servers which provide services to the outside and are easy to attack in a specific protection area;

the intrusion detection module is designed and configured for ensuring the safety of the computer system, and is a technology which can find and report unauthorized or abnormal phenomena in the system in time and detect behaviors violating the safety policy in the network;

the vulnerability scanning module can warn the vulnerability in the network system in advance, and prevent hacker intrusion and misoperation of internal personnel;

the database security module guarantees the confidentiality of a service database system, user identity identification, access control, prevention of inference attack and auditability, prevents attack on a hidden channel in the database and guarantees the integrity of the service database;

the electronic mail safety module has potential safety hazard, and safety protection processing is also carried out in the mail server in the safety configuration mail server.

2. The system of claim 1, wherein the system further comprises: the e-mail security module is a mail system self-security module: according to the difference of the version and the configuration of an operating system and a mail system, whether the mail system occurs or not and the remote buffer area overflows are checked; if the system is existed, a method for upgrading the version or adjusting the configuration of the system is provided to put an end to through the safety service; e, encrypting and signing the mail: configuring and establishing a safe e-mail system to realize automatic compression, data encryption and signature of the e-mail; three mail system configuration security: according to the whole network security policy, system configuration is adjusted aiming at system configuration which may cause potential safety hazards, and potential safety hazards caused by the system configuration are avoided, such as the problem of forwarding mails by unauthorized addresses; four remote commands perform configuration: aiming at the attack behavior of a hacker for remotely executing a local command by utilizing the characteristics of the mail system, the configuration of the mail system is changed, the remote command is forbidden to be executed, or a high-version mail system is configured to eliminate the potential safety hazard and ensure the safety of internal information; five POP3 and IMAP service security configuration: aiming at the problem of remote illegal Shell or IMAP remote overflow in POP and IMAP, the system version is upgraded or the system configuration is modified to solve the security problem.

3. The system of claim 1, wherein the system further comprises: the system security module comprises an operating system security module, a user identification and authentication module and an autonomous access control module, and the operating system security module builds a secure operating platform through a private network; the user identification and authentication module identifies a user through a user name and at least provides a basic user name and password authentication mechanism; the autonomous access control module can determine the access control authority of the user according to the registration name of the user, and the user can determine the authorization of the owned resources.

4. The system of claim 1, wherein the system further comprises: the network security module comprises a network access control module and an application level access control module, and the network level access control module configures an Access Control List (ACL) on the router; the planning is to allow only some sub-networks or hosts (IP address field or IP address) to access, and deny the access of other sub-networks, so as to achieve the purpose of protecting the key network; application level access control certain subnets or hosts (IP address fields or IP addresses) may be allowed in a rule to access a certain application (corresponding to a certain port) of a certain machine by extending an access control list (extended ACL).

5. The system of claim 1, wherein the system further comprises: the firewall adjusting module adopts a firewall module configured on a core switch Catalyst6500_ and can divide a security area on the basis of VLAN (virtual local area network), and the high performance of a hardware firewall is utilized to provide firewall protection between VLANs; secondly, the built-in firewall characteristic of the CISCOI0S is utilized;

the NATIVEIOS version of the Catalyst6500 switch provides built-in firewall characteristics CBAC, and can divide security areas on the basis of VLANs to provide firewall protection among the VLANs.

Technical Field

The invention relates to the technical field of secure network implementation, in particular to an internet-based company secure network implementation system.

Background

For the realization of company security network, the survival path of the company is concerned, the encryption transmission of the system information of the company is poor, the information security in the system cannot be ensured, the encryption transmission and the check cannot be carried out across regions, and system bugs and unsafe factors cannot be found in time, so that the effective protection cannot be carried out.

Disclosure of Invention

The invention aims to provide an internet-based company security network implementation system, which has the advantages of high system information encryption transmission, high information security in the system, convenience in encryption transmission and check across regions and capability of finding system bugs and dangerous factors in time, thereby effectively protecting and solving the problems in the prior art.

In order to achieve the purpose, the invention provides the following technical scheme: an internet-based company security network implementation system comprises an application client 1, an application client 2, an application client N, MPLS/VPN module, a virtual private network module and a unified application system, wherein the unified application system comprises a system security module, a network security module, a firewall adjusting module, an intrusion detection module, a vulnerability scanning module, a database security module and an e-mail security module, and the application client 1, the application client 2 and an application client N are connected to the MPLS/VPN module and the virtual private network module through a network and are connected to the system security module, the network security module, the firewall adjusting module, the intrusion detection module, the vulnerability scanning module, the database security module and the e-mail security module in the unified application system in series;

the MPLS/VPN module adopts the MPLS/VPN network reconstruction implementation for realizing the safe interconnection of multi-service systems and the unified planning of companies, the MPLS technology is adopted to reconstruct the original wide area network access mode, the VPN technology based on the MPLS is adopted to divide VPNs for the service systems covering different regions, the safety isolation is carried out, and the safe and effective information interaction is provided;

the virtual private network module adopts a virtual private network, and the Virtual Private Network (VPN) has the functions of: establishing a private network on a public network for encrypted communication;

the system security module divides VLANs according to different functions and services of departments for local area networks of municipal companies and local area networks of counties, so as to realize logical isolation of network resources, prevent broadcast storms and perform network-level access control and application-level access control;

the network security module adopts a safe operating system platform to perform security detection on the interior of the system;

the firewall adjusting module is a safety protection measure of the network, analyzes and monitors flow, adjusts the deployment of a firewall to block illegal data transmission, and can independently place servers which provide services to the outside and are easy to attack in a specific protection area;

the intrusion detection module is designed and configured for ensuring the safety of the computer system, and is a technology which can find and report unauthorized or abnormal phenomena in the system in time and detect behaviors violating the safety policy in the network;

the vulnerability scanning module can warn the vulnerability in the network system in advance, and prevent hacker intrusion and misoperation of internal personnel;

the database security module guarantees the confidentiality of a service database system, user identity identification, access control, prevention of inference attack and auditability, prevents attack on a hidden channel in the database and guarantees the integrity of the service database;

the electronic mail safety module has potential safety hazard, and safety protection processing is also carried out in the mail server in the safety configuration mail server.

Preferably, the e-mail security module is a mail system which is self-security: according to the version and configuration of the operating system and the mail system, whether the mail system can happen or not is checked, and the remote buffer zone overflows. If the system is existed, a method for upgrading the version or adjusting the configuration of the system is provided to put an end to through the safety service; e, encrypting and signing the mail: configuring and establishing a safe e-mail system to realize automatic compression, data encryption and signature of the e-mail; three mail system configuration security: according to the whole network security policy, system configuration is adjusted aiming at system configuration which may cause potential safety hazards, and potential safety hazards caused by the system configuration are avoided, such as the problem of forwarding mails by unauthorized addresses; four remote commands perform configuration: aiming at the attack behavior of a hacker for remotely executing a local command by utilizing the characteristics of the mail system, the configuration of the mail system is changed, the remote command is forbidden to be executed, or a high-version mail system is configured to eliminate the potential safety hazard and ensure the safety of internal information; five POP3 and IMAP service security configuration: aiming at the problem of remote illegal Shell or IMAP remote overflow in POP and IMAP, the system version is upgraded or the system configuration is modified to solve the security problem.

Preferably, the system security module comprises an operating system security module, a user identification and authentication module and an autonomous access control module, and the operating system security module establishes a secure operating platform through a private network; the user identification and authentication module identifies a user through a user name and at least provides a basic user name and password authentication mechanism; the autonomous access control module can determine the access control authority of the user according to the registration name of the user, and the user can determine the authorization of the owned resources.

Preferably, the network security module comprises a network access control module and an application level access control module, and the network level access control module configures an access control list ACL on the router; the planning is to allow only some sub-networks or hosts (IP address field or IP address) to access, and deny the access of other sub-networks, so as to achieve the purpose of protecting the key network; application level access control certain subnets or hosts (IP address fields or IP addresses) may be allowed in a rule to access a certain application (corresponding to a certain port) of a certain machine by extending an access control list (extended ACL).

Preferably, the firewall adjusting module adopts a firewall module configured on a core switch Catalyst6500_ and can divide a security area on the basis of a VLAN and provide firewall protection between VLANs by using the high performance of a hardware firewall; secondly, the built-in firewall characteristic of the CISCOI0S is utilized; the NATIVE IOS version of the Catalyst6500 switch provides built-in firewall characteristics CBAC, and can partition security areas based on VLANs to provide firewall protection between VLANs.

Compared with the prior art, the invention has the following beneficial effects:

1. the system for realizing the company security network based on the Internet is connected to a company system through the MPLS/VPN module and the virtual private network module, and the application client 1, the application client 2 and the application client N pass through the MPLS/VPN module and the virtual private network module and are transmitted in the same application system through the network, so that internal staff of the company can conveniently encrypt and transmit information in the system, and cross-region encryption transmission and checking are convenient.

2. The system for realizing the company security network based on the Internet builds a safe operation platform through an operation system security module, a user identification and authentication module and an autonomous access control module in a system security module, wherein the operation system security module builds a safe operation platform through a special network; the user identification and authentication module identifies a user through a user name and at least provides a basic user name and password authentication mechanism; the autonomous access control module can determine the access control authority of the user according to the registration name of the user, and the user can determine the authorization of the owned resources; the network security module comprises a network access control module and an application level access control module, and the network level access control module configures an Access Control List (ACL) on the router; the planning is to allow only some sub-networks or hosts (IP address field or IP address) to access, and deny the access of other sub-networks, so as to achieve the purpose of protecting the key network; the application level access control can allow some sub-networks or hosts (IP address fields or IP addresses) to access some application (corresponding to a certain port) of a certain machine in the rule through an extended access control list (extended ACL), thereby effectively protecting the security of the internal network system of the company.

3. The implementation system of the company security network based on the Internet adopts a firewall module configured on a core switch Catalyst6500_ through a firewall adjusting module, can divide a security zone on the basis of VLAN, and provides firewall protection for the VLAN by utilizing the high performance of a hardware firewall; secondly, the built-in firewall characteristic of the CISCOI0S is utilized; the NATIVE IOS version of the Catalyst6500 switch each provides built-in firewall features CBAC, the security zone may be partitioned on a VLAN basis, providing firewall protection between VLANs, therefore, the intrusion detection module is designed and configured for ensuring the safety of the computer system and can timely find and report unauthorized or abnormal phenomena in the system, and the security scanning module can warn the weakness in the network system in advance, prevent hacker invasion and misoperation of personnel in the company, and the database security module ensures the confidentiality of the service database system, user identity identification, access control, prevention and auditability of inference attack, prevents attack on hidden channels in the database, ensures the integrity of the service database and ensures the security of information in the company system.

4. The system for realizing the company security network based on the Internet has the advantages that the system is self-safe through an e-mail security module: according to the difference of the version and the configuration of an operating system and a mail system, whether the mail system occurs or not and the remote buffer area overflows are checked; if the system is existed, a method for upgrading the version or adjusting the configuration of the system is provided to put an end to through the safety service; e, encrypting and signing the mail: configuring and establishing a safe e-mail system to realize automatic compression, data encryption and signature of the e-mail; three mail system configuration security: according to the whole network security policy, system configuration is adjusted aiming at system configuration which may cause potential safety hazards, and potential safety hazards caused by the system configuration are avoided, such as the problem of forwarding mails by unauthorized addresses; four remote commands perform configuration: aiming at the attack behavior of a hacker for remotely executing a local command by utilizing the characteristics of the mail system, the configuration of the mail system is changed, the remote command is forbidden to be executed, or a high-version mail system is configured to eliminate the potential safety hazard and ensure the safety of internal information; five POP3 and IMAP service security configuration: aiming at the problem of remote illegal Shell or IMAP remote overflow in POP and IMAP, the system version is upgraded or the system configuration is modified to solve the safety problem, and the mail information in the company is effectively protected.

Drawings

Fig. 1 is a schematic diagram showing an overall configuration of a system for implementing an internet-based corporate security network according to the present invention;

FIG. 2 is a schematic diagram illustrating the transmission and viewing process of an implementation system for an Internet-based corporate security network according to the present invention;

FIG. 3 is a schematic block diagram of a network security module for implementing an Internet-based corporate security network according to the present invention;

fig. 4 is a schematic diagram of a security module structure of an implementation system of an internet-based corporate security network according to the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts based on the embodiments of the present invention belong to the protection scope of the present invention.

Example 1

Referring to fig. 1, 2, 3 and 4, an internet-based implementation system for a company security network includes an application client 1, an application client 2, an application client N, MPLS/VPN module, a virtual private network module and a unified application system, where the unified application system includes a system security module and a network security module, the application client 1, the application client 2 and the application client N are connected to the MPLS/VPN module and the virtual private network module through a network and are connected in series to the system security module and the network security module in the unified application system;

the MPLS/VPN module adopts the safe interconnection of multi-service systems, the transformation and implementation of MPLS/VPN network which is uniformly planned by companies, the transformation of the original wide area network access mode is carried out by adopting the MPLS technology, the VPN is divided by adopting the VPN technology based on the MPLS to cover the service systems in different regions, the safe isolation is carried out, and the safe and effective information interaction is provided;

the virtual private network module adopts a virtual private network, and the function of the Virtual Private Network (VPN) is as follows: establishing a private network on a public network for encrypted communication;

the system security module divides VLANs according to different functions and services of departments for local area networks of city companies and local area networks of counties companies so as to realize logical isolation of network resources, prevent broadcast storms and perform network-level access control and application-level access control;

the network security module adopts a secure operating system platform to perform security detection on the interior of the system;

specifically, the system security module comprises an operating system security module, a user identification and authentication module and an autonomous access control module, and the operating system security module establishes a secure operating platform through a private network; the user identification and authentication module identifies a user through a user name and at least provides a basic user name and password authentication mechanism; the autonomous access control module can determine the access control authority of the user according to the registration name of the user, and the user can determine the authorization of the owned resources; the network security module comprises a network access control module and an application level access control module, and the network level access control module configures an Access Control List (ACL) on the router; the planning is to allow only some sub-networks or hosts (IP address field or IP address) to access, and deny the access of other sub-networks, so as to achieve the purpose of protecting the key network; application level access control certain subnets or hosts (IP address fields or IP addresses) may be allowed in rules to access a certain application (corresponding to a certain port) of a certain machine through extended access control lists (extended ACLs), and the application client 1, the application client 2 and the application client N pass through the MPLS/VPN module and the virtual private network module and perform encrypted transmission and viewing of data over the network.

Example 2

Referring to fig. 1, an implementation system of a company security network based on the internet includes a unified application system, which includes a firewall adjusting module, an intrusion detection module, a vulnerability scanning module, a database security module and an e-mail security module, and is connected to the system security module, the network security module, the firewall adjusting module, the intrusion detection module, the vulnerability scanning module, the database security module and the e-mail security module through a network;

the firewall adjusting module is a safety protection measure of the network, analyzes and monitors flow, adjusts the deployment of a firewall to block illegal data transmission, and can independently place servers which provide services to the outside and are easy to attack in a specific protection area;

the intrusion detection module is a technology which is designed and configured for ensuring the safety of a computer system, can timely discover and report unauthorized or abnormal phenomena in the system and detect behaviors violating a safety strategy in a network;

the vulnerability scanning module can warn the vulnerability in the network system in advance, and prevent hacker intrusion and misoperation of internal personnel;

the database security module guarantees the confidentiality of a service database system, user identity identification, access control, prevention of inference attack, auditability, prevention of attack on a hidden channel in the database and guarantee of the integrity of the service database;

the e-mail safety module has potential safety hazard, and in the safety configuration mail server, the mail server also carries out safety protection processing.

Specifically, a mail system is self-secure through an e-mail security module: according to the difference of the version and the configuration of an operating system and a mail system, whether the mail system occurs or not and the remote buffer area overflows are checked; if the system is existed, a method for upgrading the version or adjusting the configuration of the system is provided to put an end to through the safety service; e, encrypting and signing the mail: configuring and establishing a safe e-mail system to realize automatic compression, data encryption and signature of the e-mail; three mail system configuration security: according to the whole network security policy, system configuration is adjusted aiming at system configuration which may cause potential safety hazards, and potential safety hazards caused by the system configuration are avoided, such as the problem of forwarding mails by unauthorized addresses; four remote commands perform configuration: aiming at the attack behavior of a hacker for remotely executing a local command by utilizing the characteristics of the mail system, the configuration of the mail system is changed, the remote command is forbidden to be executed, or a high-version mail system is configured to eliminate the potential safety hazard and ensure the safety of internal information; five POP3 and IMAP service security configuration: aiming at the problem of remote illegal Shell or IMAP remote overflow in POP and IMAP, upgrading the system version or modifying the system configuration to solve the safety problem; the firewall adjusting module adopts a firewall module configured on a core switch Catalyst6500_ and can divide a safety zone on the basis of VLAN (virtual local area network), and the high performance of a hardware firewall is utilized to provide firewall protection between VLANs; secondly, the built-in firewall characteristic of the CISCOI0S is utilized; the NATIVE IOS version of the Catalyst6500 switch provides built-in firewall characteristics CBAC, and can partition security areas based on VLANs to provide firewall protection between VLANs.

In summary, the following steps: the invention relates to a system for realizing an internet-based company security network, which is connected to a company system through an MPLS/VPN module and a virtual private network module, wherein an application client 1, an application client 2 and an application client N pass through the MPLS/VPN module and the virtual private network module and are transmitted in the same application system through a network, the system security module comprises an operating system security module, a user identification and authentication module and an autonomous access control module, and the operating system security module establishes a secure operating platform through a private network; the user identification and authentication module identifies a user through a user name and at least provides a basic user name and password authentication mechanism; the autonomous access control module can determine the access control authority of the user according to the registration name of the user, and the user can determine the authorization of the owned resources; the network security module comprises a network access control module and an application level access control module, and the network level access control module configures an Access Control List (ACL) on the router; the planning is to allow only some sub-networks or hosts (IP address field or IP address) to access, and deny the access of other sub-networks, so as to achieve the purpose of protecting the key network; the application level access control can allow some sub-networks or hosts (IP address fields or IP addresses) to access a certain application (corresponding to a certain port) of a certain machine in a rule through an extended access control list (extended ACL), an application client 1, an application client 2 and an application client N pass through an MPLS/VPN module and a virtual private network module and carry out encryption transmission and check on data on a network, a firewall adjusting module adopts a firewall module configured on a core switch Catalyst6500 & lt- & gt, a safety region can be divided based on VLAN, and the high performance of a hardware firewall is utilized to provide the protection of the firewall between the VLAN; secondly, the built-in firewall characteristic of the CISCOI0S is utilized; the NATIVE IOS version of the Catalyst6500 switch each provides built-in firewall features CBAC, the security zone may be partitioned on a VLAN basis, providing firewall protection between VLANs, therefore, the intrusion detection module is designed and configured for ensuring the safety of the computer system and can timely find and report unauthorized or abnormal phenomena in the system, and detect the technology of violating the safe tactics in the network, the vulnerability scanning module can warn the weakness in the network system in advance, prevent hacker invasion and wrong operation of personnel inside the company, the security of the database security module guarantee business database system, user's identity recognition, access control, guard against reasoning attack, auditability, prevent the attack to the hidden channel in the database and guarantee the integrality of the database of business, through the E-mail security module-mail system self security: according to the difference of the version and the configuration of an operating system and a mail system, whether the mail system occurs or not and the remote buffer area overflows are checked; if the system is existed, a method for upgrading the version or adjusting the configuration of the system is provided to put an end to through the safety service; e, encrypting and signing the mail: configuring and establishing a safe e-mail system to realize automatic compression, data encryption and signature of the e-mail; three mail system configuration security: according to the whole network security policy, system configuration is adjusted aiming at system configuration which may cause potential safety hazards, and potential safety hazards caused by the system configuration are avoided, such as the problem of forwarding mails by unauthorized addresses; four remote commands perform configuration: aiming at the attack behavior of a hacker for remotely executing a local command by utilizing the characteristics of the mail system, the configuration of the mail system is changed, the remote command is forbidden to be executed, or a high-version mail system is configured to eliminate the potential safety hazard and ensure the safety of internal information; five POP3 and IMAP service security configuration: aiming at the problem of remote illegal Shell or IMAP remote overflow in POP and IMAP, the system version is upgraded or the system configuration is modified to solve the safety problem, and the method has the advantages of high system information encryption transmission, high information safety in the system, convenience in cross-region encryption transmission and check, and timely discovery of system bugs and dangerous factors, thereby effectively protecting.

While there have been shown and described the fundamental principles and essential features of the invention and advantages thereof, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing exemplary embodiments, but is capable of other specific forms without departing from the spirit or essential characteristics thereof; the present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein, and any reference signs in the claims are not intended to be construed as limiting the claim concerned.

Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment may contain only a single embodiment, and such description is for clarity only, and those skilled in the art should integrate the description, and the embodiments may be combined as appropriate to form other embodiments understood by those skilled in the art.