To ensure the security of enterprise information resources, information protection tools are usually located directly on the corporate network. Firewalls (MEs) control access to corporate resources and repel attacks from outsiders, while virtual private network (VPN) gateways provide confidential transfer of information across open global networks, in particular the Internet. To create reliable defense in depth, security tools such as intrusion detection systems (IDS), content access control systems, anti-virus systems, etc. are also used today.
Most corporate information systems (CISs) are built from software and hardware supplied by various manufacturers.
Each of these tools requires careful and specific configuration that reflects the relationship between users and the resources available to them. To ensure reliable information protection in a heterogeneous CIS, a rationally organized CIS security management system is needed: one that ensures the security and proper configuration of each CIS component, constantly monitors the changes that occur, applies patches to the gaps found in the system, and monitors the users' work. Obviously, the more heterogeneous the information system, the more difficult it is to manage its security.
Basic concepts
The experience of leading manufacturers of network security tools shows that a company can successfully implement its security policy in a distributed CIS only if security management is centralized and does not depend on the operating systems and application systems in use. In addition, the system for registering events occurring in the CIS (unauthorized access events, changes of user privileges, etc.) should be unified, so that the administrator can compose a complete picture of the changes taking place in the CIS.
A number of security management tasks require unified "vertical" (shared, cross-cutting) infrastructures such as an X.500 directory. For example, a network access policy requires knowledge of user identifiers. The same information is also needed by other applications, for example the personnel accounting system or the Single Sign-On system for applications. Duplicating the same data creates a need for synchronization, increases labor intensity, and invites inconsistency. Therefore, to avoid such duplication, a single vertical infrastructure is often used.
Such vertical structures, used by various user subsystems operating at different OSI/ISO levels, include:
public key infrastructures (PKI). One interesting aspect that has not yet received wide distribution but is important for management should be noted: today digital certificates are used mainly in the form of so-called "identity certificates", but digital certificates in the form of so-called "credential certificates" are already being developed and used in some places; by issuing and revoking such "credentials", access can be controlled more flexibly;
directories (for example, user identifiers and other user information required by access control systems); it is noteworthy that directories are often used not only as data stores: they frequently also hold access policies, certificates, access lists, etc.;
authentication systems (usually RADIUS, TACACS, TACACS+ servers);
event logging, monitoring and audit systems. It should be noted that these systems are not always vertical; they often specialize and work autonomously in the interests of specific subsystems.
The concept of global security management, which allows you to build an effective hierarchical security management system for a heterogeneous company network, was developed by TrustWorks Systems. The organization of centralized security management of CIS is based on the following principles:
corporate network security management should be carried out at the level of a global security policy (GPB): a set of security rules for the many interactions between corporate network objects, as well as between corporate network objects and external objects;
the GPB should be consistent with the company's business processes. For this, the security properties of the objects and the required security services should be described with their business roles in the company structure taken into account;
for individual protection tools, local security policies (LPS) are formed. The translation of the GPB into LPS should be carried out automatically, based on an analysis of the GPB rules and the topology of the protected network.
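As an added example that is not part of the original post, the following Python sketch shows one way the last principle can be implemented: a small policy compiler that derives each firewall's local policy (LPS) from global policy (GPB) rules plus the protected-network topology, and then evaluates sample traffic against the result. All object names, subnets and firewall placements are constructed for the illustration.

```python
# Added illustration (not from the original post): compile GPB rules between
# named network objects into per-firewall local policies (LPS) using topology.
import ipaddress

# Constructed topology: named objects and the address ranges they occupy.
OBJECTS = {
    "hr_workstations": "10.1.0.0/24",
    "erp_server": "10.2.0.10/32",
    "branch_office": "10.9.0.0/24",
    "internet": "0.0.0.0/0",
}
# Constructed topology: each firewall lists the objects it protects (its inside).
FIREWALLS = {
    "fw_hq": ["hr_workstations", "erp_server"],
    "fw_branch": ["branch_office"],
}
# Constructed GPB: (source object, destination object, service, action), ordered.
GPB = [
    ("hr_workstations", "erp_server", "tcp/443", "allow"),
    ("branch_office", "erp_server", "tcp/443", "allow"),
    ("internet", "erp_server", "tcp/443", "deny"),
]

def compile_lps(gpb, firewalls, objects):
    """Derive each firewall's LPS: a GPB rule is relevant to a firewall only if
    that firewall protects the rule's source or destination object.
    Every LPS ends with an explicit default deny (least privilege)."""
    lps = {}
    for fw, inside in firewalls.items():
        rules = []
        for src, dst, svc, action in gpb:
            if src in inside or dst in inside:
                direction = "inbound" if dst in inside else "outbound"
                rules.append((direction, objects[src], objects[dst], svc, action))
        rules.append(("any", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"))
        lps[fw] = rules
    return lps

def check_packet(lps, fw, src_ip, dst_ip, svc):
    """First-match evaluation of one flow against a firewall's LPS; useful for
    auditing that the compiled local policy still expresses the global intent."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _direction, src_net, dst_net, rule_svc, action in lps[fw]:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_svc in (svc, "any")):
            return action
    return "deny"  # unreachable because of the default rule, kept for safety
```

Because rule order is preserved from the GPB, a re-ordered or missing global rule shows up immediately as a changed verdict in `check_packet`, which is the kind of consistency check a centralized manager should run after every policy change.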
Considering that the methodology of centralized network security management fully reflects current trends in the development of security technologies, let us consider this methodology and some aspects of its implementation in more detail.