Take an Internet-facing system divided into an Internet access area, a server area and an operations and maintenance area. My earlier understanding was that the server area and the Internet each formed one boundary. Thinking about it again, boundaries should be drawn by the direction in which data flows in: access from the external network defines an Internet boundary, and access from the operations and maintenance area to the servers defines an operations and maintenance boundary, whose boundary device can sit between the operations and maintenance area and the core switch, or in front of the servers. The measures evaluated are the same either way; only the reasoning differs slightly.
2. Must a border device be a firewall?
According to the evaluation requirements, gateways, firewalls, routers, switches, wireless access gateways and other devices or components that provide an access control function can all serve as border devices, provided the corresponding access control policies are configured on them.
3. When devices are accessed through a bastion host, can the bastion host's identity authentication measures (password complexity, login-failure handling, two-factor authentication) be taken as satisfying the requirement for the device itself?
If the device can only be accessed through the bastion host (this corresponds to intrusion prevention item c: management terminals that manage the device over the network should be restricted by configuring the permitted terminal access method or network address range), the bastion host's policy can be treated as equivalent to the device's own policy. If the device can be accessed directly, bypassing the bastion host, the device's own policy must be examined; if the device itself lacks the measures, the bastion host's policy can only be judged as partially compliant.
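The decision rule above (bastion-only access makes the bastion policy equivalent, a bypass path makes it only partial) can be checked against the access control policy rather than by inspection alone. The following is an added example, not code from the original post; the rule format, the addresses and the leftover exception rule are all constructed, and the check evaluates a first-match ACL for representative source hosts against the devices' management ports.

```python
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {22, 3389}   # SSH and RDP, the usual device-management services

@dataclass
class Rule:
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: set     # destination TCP ports the rule applies to
    action: str    # "permit" or "deny"

# Constructed sample policy (hypothetical addresses): the bastion host may reach
# every management port, but an old exception still lets an ops desktop subnet
# reach one switch over SSH directly, i.e. the bastion can be bypassed.
BASTION = "10.1.1.10"
DEVICES = ["10.2.0.5", "10.2.0.6"]                # managed network devices
SOURCES = ["10.1.1.10", "10.3.0.15", "10.4.0.7"]  # one host from each user zone
RULES = [
    Rule("10.1.1.10/32", "10.2.0.0/24", {22, 3389}, "permit"),
    Rule("10.3.0.0/24", "10.2.0.5/32", {22}, "permit"),
    Rule("0.0.0.0/0", "0.0.0.0/0", {22, 3389}, "deny"),
]

def first_match(rules, src_ip, dst_ip, port):
    """First-match evaluation; a packet matching no rule hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and port in r.ports):
            return r.action
    return "deny"

def bypass_paths(rules, bastion_ip, device_ips, sources):
    """(src, dst, port) triples where a non-bastion source reaches a management port."""
    found = []
    for src in sources:
        if src == bastion_ip:
            continue
        for dst in device_ips:
            for port in sorted(MGMT_PORTS):
                if first_match(rules, src, dst, port) == "permit":
                    found.append((src, dst, port))
    return found

def verdict(rules, bastion_ip, device_ips, sources):
    """Map the bypass check onto the evaluation logic described in the text."""
    paths = bypass_paths(rules, bastion_ip, device_ips, sources)
    if not paths:
        return "equivalent: bastion policy can stand in for the device policy"
    return "partial: bastion bypassable via %s; check each device's own policy" % paths

if __name__ == "__main__":
    print(verdict(RULES, BASTION, DEVICES, SOURCES))
```

Deleting the second rule (the exception) makes the verdict "equivalent", which is the state the bastion-only condition in the text requires.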
4. "Security audits should be carried out at the network boundary and at important network nodes; the audit should cover every user and record important user behaviour and important security events." Does "at the network boundary" here refer to the audit function of each border device itself, or to a comprehensive audit system?
Semi-official answer: network security auditing refers to the security audit data produced by analysing the traffic at the network boundary or at important network nodes. It comprises network traffic auditing and network security event auditing. Network traffic auditing uses traffic statistics, correlation analysis, identification and screening to audit specific important behaviours in the network, such as auditing of access protocol violations and their traffic, and of personnel or system behaviour when accessing sensitive data. Network security event auditing covers the attack behaviour detected by network intrusion detection, network intrusion prevention, APT (advanced persistent threat) detection, web application attack detection and similar equipment.
The definition above sets out the scope of user behaviour and security events but does not say what must be used to achieve it. In the evaluation requirements the stated assessment object is a comprehensive security audit system and the like. For now I treat the requirement as met as long as important user behaviour and important security events can be audited, without restricting the device: it can be a firewall, a situational-awareness platform, a cloud security centre and so on.
5. "Remote-access user behaviour and Internet-access user behaviour should be separately audited and analysed." What counts as remote access, and in which cases must Internet-access user behaviour be recorded?
Remote access means reaching internal equipment over the Internet, for example through a VPN or a leased line that crosses the Internet; the user behaviour of such remote access must be recorded.
If the system has no need to access the Internet, there is no need to record Internet-access user behaviour. Internet use on the office network that has nothing to do with the system under evaluation is outside the scope of the assessment.
6. What measures satisfy the requirement against illegal inbound and outbound connections?
Illegal inbound connection: an external device connecting to the internal network. Preventive measures: network admission control products; unused ports on routers, switches and related equipment shut down; IP-MAC address binding; a controlled physical environment.
Illegal outbound connection: a management or business terminal connected to the internal network and the Internet at the same time.
Preventive measures: unauthorised-outbound-connection monitoring products; control of the physical environment in which the device sits and of its operators, so that only specifically authorised personnel can operate it; and controls on the USB interfaces and wireless network cards of the relevant devices.