
Photovoltaic Grid-connected Information - How to Test and Evaluate a Power Monitoring System - Network Security Level Protection Evaluation

Author: 杭州領祺科技有限公司 Date: 2022-12-23

To implement the requirements of the Ministry of Public Security and the National Energy Administration on the security protection of power station power monitoring systems, to strengthen the protection capability of the power monitoring systems of photovoltaic power stations, and to ensure their safe and stable operation, the power monitoring systems of new energy and photovoltaic power stations need to undergo network security level protection evaluation and security protection evaluation. The evaluation analyzes the threats and vulnerabilities present in the system and improves the protection measures, so that the power monitoring system meets the specific state requirements for its protection level and the security management of the system becomes more standardized and effective. It also raises the unit's security awareness, strengthens the network's ability to resist attacks, and ensures the normal operation of the network and information systems.

Level protection (等保, dengbao) is short for network security level protection. It refers to the hierarchical security protection of important national information, the proprietary information of legal persons, other organizations and citizens, public information, and the information systems that store, transmit and process such information; the hierarchical management of the information security products used in those systems; and the hierarchical response to and handling of information security incidents that occur in them.

Network security level protection provides systematic, targeted and feasible guidance and services for the network security construction and management of graded objects such as information systems, cloud computing, mobile Internet, Internet of Things and industrial control systems, and helps users improve the security protection ability of graded objects. In addition, Article 21 of the Cyber Security Law clearly stipulates that "the state implements a network security level protection system".

In addition to meeting the requirements of relevant national laws and regulations, carrying out level protection well also reduces the information security risks of a system and improves its protection capability.

Level protection is a hot topic for businesses and governments. For enterprises, the network security level protection filing certificate and evaluation report are not only recognition of a product's professionalism, security and compliance, but also an important qualification in the course of business development. Today we will explain why it is important for enterprises to carry out level protection.

What is level protection?

Level protection is information security level protection. It refers to the security protection, by level, of important national information, the proprietary information of legal persons, other organizations and citizens, and public information as it is stored, transmitted and processed; the information security products used in the information system are managed by level; and information security incidents in the information system are responded to and handled by level.

Network security level protection is the basic system, basic strategy and basic method of national information security. It is the work of protecting information and information carriers according to their level of importance. The operating and using units of information systems shall choose an evaluation organization that meets state requirements and organize regular evaluation of their information systems against technical standards such as Information Security Technology - Basic Requirements for Network Security Level Protection.

For most small and medium-sized enterprises and institutions, level protection construction is a headache, with two core pain points:

1. The level protection construction process is complicated

Small and medium-sized enterprises and public institutions lack full-time personnel responsible for security, or even for IT, and are unfamiliar with level protection, so deployment and operation and maintenance management become a heavy burden.

2. Level protection construction is expensive

Level protection construction requires purchasing services and security equipment at high cost, and changes in business and policy require further investment to keep meeting review and compliance requirements.

Because of the complex process and high investment, small and medium-sized enterprises and institutions, when considering a network security construction plan, prefer to carry out level protection construction with "less worry and effort", and want the investment to be sustainable, effective and cost-effective.

Therefore, the integrated level protection all-in-one solution remains the best choice for the construction of small and medium-sized enterprises and institutions.

During network security construction, customers can use the level protection all-in-one solution to customize security capabilities to their own requirements, for example Level 2 capability + behavior management capability, or Level 3 capability + remote secure access capability, which both satisfies compliance and meets business needs. At the same time the equipment room becomes tidy and the operation and maintenance workload is greatly reduced.

Why carry out level protection?

(1) Requirements stipulated by law

The Cyber Security Law clearly stipulates that the operators and users of information systems shall fulfill their security protection obligations in accordance with the requirements of the network security level protection system; those who refuse to do so will be punished accordingly.

(2) Industry requirements

In finance, electricity, radio and television, medical care, education and other industries, the competent authorities clearly require the information systems of units in the industry to carry out level protection work.

(3) Enterprise system security requirements

Through level protection, the operating and using unit of an information system can find the system's internal security risks and deficiencies, and through security rectification improve the system's protection capability and reduce the risk of attack.

Scope of level protection

(1) Important websites and office information systems of Party and government organs at the prefecture-city level and above;

(2) Public communication networks, radio and television transmission networks and other basic information networks of the telecommunications and radio and television industries, as well as important information systems of commercial public Internet information service units, Internet access service units, data centers and similar units;

(3) Production, dispatch, management, office and other important information systems of railway, banking, customs, taxation, civil aviation, electric power, securities, insurance, foreign affairs, science and technology, development and reform, national defense science and technology, public security, personnel and labor and social security, finance, auditing, commerce, water conservancy, land and resources, energy, transportation, culture, education, statistics, business administration, postal service and other industries and departments.

Once information security level protection work is carried out, limited financial, material and human resources are concentrated on protecting important information systems, protection measures are built to standard, a protection system is established, security responsibilities are assigned, supervision and inspection are strengthened, and important information systems are effectively protected, which greatly raises the overall level of information system security construction.

Network architecture is the "nerves and veins" of the data center

If the data center is compared to a "person", then the servers and storage devices are its "organs", and the network (switches, routers, firewalls) is its "nerves and veins". This section deals with the network architecture and general design of data centers.

01 Network partitioning and level protection

Generally, an enterprise partitions the physical devices on a data center network to ensure flexibility, security and ease of management. Data centers generally adopt a three-layer network structure of core, aggregation and access: the core forwards all traffic at high speed, while the aggregation layer acts as the gateway for each network zone.

Each zone in a data center is generally assigned different service network segments based on the expected traffic and number of servers. At the same time, security devices such as firewalls are placed in front of zones with higher level protection requirements to control the traffic entering and leaving them, as shown in the figure below:

(figure: firewalls controlling traffic into and out of a higher-level zone)

Level protection is short for network security level protection. When planning the server zones of a data center, the protection level of servers differs by service. For example, back-end storage, tape libraries and databases are protected differently from Web, front-end and APP servers. In a data center network, the firewall is used to separate protection levels and to control access between them.

So how should the concept of "level protection" be understood?


In the current data center network architecture, traffic control between different protection levels must be taken into account alongside the convenience and speed of the routing design. At present, the firewall in the data center is almost always deployed in bypass (one-arm) mode and works together with VRFs on the aggregation switch to control traffic.

02 Data center network partitioning modes

There are three partitioning modes, each with its own advantages and disadvantages.

A. Partition by server type

For example, classifying x86 servers, minicomputers, blade servers, mainframes and virtual machines. If zones strictly follow server model, then in practice an enterprise may use many minicomputers but almost no mainframes, so the minicomputer zone carries huge traffic while the mainframe zone sits idle. Today this kind of zoning is almost never seen in data centers.

B. Partition by application tier

For example, Web and APP servers are front-end servers, while database, storage and NFS servers are back-end servers, so front-end servers are put in one zone and back-end servers in another. Some enterprise data centers are indeed partitioned this way: all Web servers sit in the "general business zone" and the databases in the "production management zone" (as you can see, even the zone names are "vague"). The advantage is ease of management, because the front-end and back-end zones are in different protection levels: the front-end zone faces the office network directly, while the back-end zone faces only the front-end zone, as shown in the figure below:

(figure: front-end zone and back-end zone separated by a firewall)

The advantage of this kind of zoning is separate management; the disadvantage is that operation and maintenance become cumbersome. For example, when a new APP goes online at the front end and needs database support at the back end, the system operation and maintenance staff must ask the network operation and maintenance staff to open the corresponding security policy on the back-end zone firewall. Since many connectivity problems between front end and back end are not network problems, yet a firewall sits between them, the network operation and maintenance staff easily "take the blame" whenever front-end to back-end communication fails.

C. Partition by business type

For example, zones are divided into core business, public services, office, isolation, and development and testing. The advantage is that the front-end and back-end servers of one "functional business" are in the same protection level, so when front end and back end are connected the network operation and maintenance staff do not "take the blame" for firewall policy. The disadvantage is that network planning looks a bit "chaotic". For administrators who paid little attention to IP address planning early on, planning the IP addresses of front-end and back-end servers can be troublesome. For example, if the core server zone is given the address segment 10.114.128.0/21, it contains 10.114.128.0/24 to 10.114.135.0/24, 16 C segments. A careless administrator may then use 10.114.128.0/24 for front-end addresses and 10.114.129.0/24 for back-end addresses, so that the front-end and back-end address segments are "interleaved".

In an extreme case, when multi-level data centers are interconnected through an MPLS VPN network and traffic has to be steered from the front end to the back end, interleaved front-end and back-end address segments make the traffic steering extremely troublesome.
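The "interleaving" problem above is easy to check mechanically before a plan is handed to the firewall and MPLS teams. The following script is an added example written for this article, not the author's or any vendor's tool. It takes the zone supernet 10.114.128.0/21 from the text, assigns constructed /24 segments to the roles "front-end" and "back-end", and reports three kinds of defects: a segment outside the zone, a segment given to two roles, and roles whose address ranges overlap (the interleaved case). It also shows the summary prefix each role collapses to, which is what a clean plan lets you use as a single firewall object or MPLS route.

```python
"""Check a zone address plan for interleaved front-end/back-end segments.

Added example, not from the original article. The zone 10.114.128.0/21 is the
one mentioned in the text; the role names and the /24 assignments below are
constructed sample input.
"""
import ipaddress
from typing import Dict, List, Tuple

Plan = Dict[str, List[str]]  # role name -> list of CIDR strings

ZONE = "10.114.128.0/21"

# Constructed: front end in the low half of the zone, back end in the high half.
CLEAN_PLAN: Plan = {
    "front-end": ["10.114.128.0/24", "10.114.129.0/24", "10.114.130.0/24", "10.114.131.0/24"],
    "back-end": ["10.114.132.0/24", "10.114.133.0/24", "10.114.134.0/24", "10.114.135.0/24"],
}

# Constructed: the situation the article warns about, roles alternate /24 by /24.
CROSSED_PLAN: Plan = {
    "front-end": ["10.114.128.0/24", "10.114.130.0/24"],
    "back-end": ["10.114.129.0/24", "10.114.131.0/24"],
}


def role_span(subnets: List[str]) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Lowest and highest address covered by a role's segments."""
    nets = sorted(ipaddress.ip_network(s) for s in subnets)
    return nets[0].network_address, nets[-1].broadcast_address


def summarize(subnets: List[str]) -> List[str]:
    """Aggregate prefixes covering a role; a single entry means one clean summary route."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def check_zone_plan(zone: str, plan: Plan) -> List[str]:
    """Return human-readable findings; an empty list means the plan is clean."""
    zone_net = ipaddress.ip_network(zone)
    findings: List[str] = []
    roles = sorted(plan)

    # 1. Every segment must lie inside the zone supernet.
    for role in roles:
        for s in plan[role]:
            if not ipaddress.ip_network(s).subnet_of(zone_net):
                findings.append(f"{role}: {s} is outside zone {zone}")

    # 2. No segment may be assigned to two roles at once.
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            for s in sorted(set(plan[a]) & set(plan[b])):
                findings.append(f"{a}/{b}: {s} assigned to both roles")

    # 3. The address ranges of two roles must not overlap (interleaving).
    spans = {r: role_span(plan[r]) for r in roles if plan[r]}
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if a not in spans or b not in spans:
                continue
            lo_a, hi_a = spans[a]
            lo_b, hi_b = spans[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(
                    f"{a} and {b} are interleaved: {a} spans {lo_a}-{hi_a}, {b} spans {lo_b}-{hi_b}"
                )
    return findings


if __name__ == "__main__":
    for label, plan in (("clean", CLEAN_PLAN), ("crossed", CROSSED_PLAN)):
        print(f"== {label} plan ==")
        for role in sorted(plan):
            print(f"  {role}: summary {summarize(plan[role])}")
        for finding in check_zone_plan(ZONE, plan) or ["no findings"]:
            print(f"  {finding}")
```

In the clean plan each role collapses to one /22, so the firewall between the two tiers needs one object per role and an MPLS VPN can steer each tier with one route. In the crossed plan neither role summarizes and the spans overlap, which is the condition the checker flags.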

To sum up, each method of partitioning has its own advantages and disadvantages, so it is necessary to partition according to the actual situation.

03 Common data center network architectures

A. Flat networking

For small data centers with a single function and fewer than 300 servers, a Layer 2 flat network is usually adopted. That is, the aggregation device serves as the gateway and the access device is a pure Layer 2 device that provides Layer 2 connectivity. A flat network can be designed in two ways: traditional VRRP+MSTP, and stacking + link aggregation.

The first is the VRRP+MSTP structure, as shown in the following figure:

(figure: VRRP+MSTP flat network)

Compared with the first, very traditional MSTP+VRRP architecture, the second, "fat tree" architecture is commonly used in current flat data center networks. The idea is that the aggregation switches must be stacked, the access switches are stacked as needed, and all redundant links are bundled into aggregation groups to form a "fat tree". Its advantages are device redundancy, higher bandwidth, and the absence of Layer 2 loops. However, device stacking has hardware requirements, so the cost of this "fat tree" network is much higher than that of the first.

(figure: stacking + link aggregation "fat tree" flat network)

B. Layer 3 networking architecture

For large data centers with diverse functions that require functional partitioning, a standard three-tier architecture is used.

In this networking mode, the switching core zone is the hub of the entire data center network. Two to four large-capacity high-end chassis switches are deployed as core devices. They can be deployed independently or combined using stacking technology; generally the core is deployed independently, that is, there are only links between core and aggregation and no links between the core switches themselves.

The aggregation layer and access layer in a zone are stacked to provide Layer 2 redundancy.

The following figure shows a current mainstream three-layer networking diagram of data centers:

(figure: mainstream three-layer data center network)

In the topology above, the firewalls of the large zones are connected in bypass mode. Bypass connection of the firewall improves scalability and is compatible with dynamic routing. In this structure, for core-aggregation-access traffic to enter the firewall, VRFs must be used on the aggregation switch to isolate routes. The function of VRF here is therefore to isolate routes and "turn bypass into series".

The difficult part of this article is exactly how to draw the logical diagram of the service traffic when VRF is used on the aggregation switch. In fact, it took me a while to understand the relationship between the VRF and the bypass firewall when I first took on the project. Let me briefly explain the method of drawing the traffic flow.

A "single protection level" means that all service network segments under the aggregation can access each other directly and traffic does not need to be controlled by the firewall. In this case, only one VRF is needed to separate the aggregation-core traffic from the aggregation-firewall traffic.

The physical connection diagram is as follows:

(figure: physical connections of core, aggregation, firewall and access)

Because aggregation and access, and the firewalls too, are deployed as two-node clusters or stacks, the aggregation and access can temporarily be drawn as single devices to avoid a complex physical structure.

(figure: simplified topology with single aggregation and access devices)

Then remove the aggregation layer device icon and replace it with a box. Draw two small boxes inside it to represent two virtual devices with independent Layer 3 routing: the global route connects to the core and the VRF route connects to the access layer. Then draw two lines from the firewall to the Global Route box and the VRF box respectively; the two links between firewall and aggregation can be different physical interfaces or sub-interfaces. As shown in the picture below:

(figure: aggregation drawn as a global route box and a VRF box, each linked to the firewall)

Finally, remove the large aggregation block and "plug" the firewall between the small "global route" box and the small "VRF" box. This completes the single-protection-level traffic diagram showing how bypass is turned into series.

(figure: firewall in series between the global route and the VRF)
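The drawing procedure above can be checked with a small routing model. The following script is an added example for this article, not the author's configuration or any vendor's CLI: it represents the aggregation switch's global table, its VRF and the bypass firewall as three longest-prefix-match routing instances, then traces a packet hop by hop. The server zone 10.114.128.0/21 is the one from the text; the instance names (agg-global, agg-vrf, firewall), the server VLANs 10.114.128.0/24 and 10.114.129.0/24 and the office range 172.16.0.0/16 are constructed for the example. A second topology with the same firewall hung off the aggregation but no VRF shows why the firewall is bypassed when the server VLANs live in the global table.

```python
"""Model of 'turning bypass into series' with a VRF on the aggregation switch.

Added illustration, not the article's own material. Instance names, the server
VLANs and the office range are constructed; 10.114.128.0/21 is the zone the
article uses. A next hop is either another routing instance or an edge name
(core uplink, access VLAN) where the trace stops.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SERVERS = "10.114.128.0/21"  # zone supernet from the article
OFFICE = "172.16.0.0/16"     # constructed office/campus range behind the core


class RoutingTable:
    """One Layer 3 routing instance: the global table, a VRF, or the firewall."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> "RoutingTable":
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
        return self

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means no route (packet dropped)."""
        ip = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes if ip in net]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


def trace(tables: Dict[str, RoutingTable], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet from routing instance `start` until an edge, a drop, or a loop."""
    path = [start]
    current = start
    for _ in range(max_hops):
        nh = tables[current].lookup(dst)
        if nh is None:
            path.append("drop")
            return path
        path.append(nh)
        if nh not in tables:  # reached an edge: core uplink or access VLAN
            return path
        current = nh
    path.append("loop")
    return path


def series_topology() -> Dict[str, RoutingTable]:
    """Aggregation split into global table and VRF; the firewall is the only path between them."""
    glob = RoutingTable("agg-global").add(SERVERS, "firewall").add("0.0.0.0/0", "core")
    fw = RoutingTable("firewall").add(SERVERS, "agg-vrf").add("0.0.0.0/0", "agg-global")
    vrf = (RoutingTable("agg-vrf")
           .add("10.114.128.0/24", "access")   # connected server VLANs
           .add("10.114.129.0/24", "access")
           .add("0.0.0.0/0", "firewall"))      # everything else leaves via the firewall
    return {t.name: t for t in (glob, fw, vrf)}


def bypass_only_topology() -> Dict[str, RoutingTable]:
    """Same firewall hung off the aggregation, but no VRF: server VLANs sit in the global table."""
    glob = (RoutingTable("agg-global")
            .add("10.114.128.0/24", "access")
            .add("10.114.129.0/24", "access")
            .add("0.0.0.0/0", "core"))
    fw = RoutingTable("firewall").add("0.0.0.0/0", "agg-global")
    return {t.name: t for t in (glob, fw)}


def firewall_in_path(path: List[str]) -> bool:
    """True when the traced flow is actually inspected by the firewall."""
    return "firewall" in path


if __name__ == "__main__":
    series, bypass = series_topology(), bypass_only_topology()
    print("core -> server, with VRF:   ", trace(series, "agg-global", "10.114.128.10"))
    print("server -> office, with VRF: ", trace(series, "agg-vrf", "172.16.1.1"))
    print("core -> server, no VRF:     ", trace(bypass, "agg-global", "10.114.128.10"))
    print("core -> unused /24, with VRF:", trace(series, "agg-global", "10.114.130.5"))
```

With the VRF in place, both directions cross the firewall, which is the "series" behaviour the diagram ends with; without it the global table delivers server traffic straight to the access layer and the firewall never sees it. The last trace also shows a design pitfall of this arrangement: a destination inside the /21 that has no VLAN in the VRF bounces between the firewall's zone route and the VRF's default route until the hop limit, so the VRF should carry a discard route for the zone prefix to stop such packets.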

Two protection levels. In this case traffic between the services of the two protection levels must pass through the firewall. Here you have to remember: one protection level

