
Network security physical isolation: how to physically isolate a private network from the Internet

Time: 2023-05-04 22:25:50  Reads: 226303  Author: 2657

Network architecture: building a physically isolated network

As security technology keeps developing, schemes for building physically isolated networks continue to evolve. Figure 3.1 shows a scheme for building physically isolated internal and external networks. At the boundary between the internal and external networks, a physical isolation device, a network gatekeeper (网闸, a security isolation and information exchange unit), performs the isolation; however, it has no redundancy design, so interruptions and packet loss are likely. At the intranet boundary, firewall equipment secures the data flows entering and leaving the intranet and supports information exchange between this unit and other units. The core switching area uses dual core switches to keep the network reliable, and the aggregation layer likewise uses dual aggregation switches. To allow sudden network faults to be handled promptly, the intranet is managed as zones: business systems, administrative and logistics systems, an operations and maintenance management zone, and a test zone; the client access area is further subdivided, device by device, from each floor switch up to the aggregation switch it uplinks to, so that the location of a fault can be pinpointed quickly. On top of this, a test zone should be added whose main job is debugging newly purchased network equipment before it goes into service. Considered purely on cost, adding this zone undoubtedly raises the price of building the network, but for the security and stability of the network as a whole I consider it an indispensable deployment.

Taking the network construction requirements of Classified Protection (等保) 2.0 as the standard, I think the following problems remain:

1. At the network boundary with the Internet, the deployment of security equipment is not comprehensive.
2. At the boundary with other internal units, the deployment of security equipment is also incomplete.
3. A test system is necessary and should be deployed.
4. In the physical isolation scheme, isolation between the internal and external networks relies on a single gatekeeper, a single point of failure that makes the network unstable.
5. The DMZ should be hosted on the government affairs cloud (政务云) to reduce security issues and simplify the administrator's work.
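Problem 4 above is a topology question that can be checked mechanically before the equipment is bought. The following script is an added example, not code from the original article: it models the boundary path of figure 3.1 as described in the text (one gatekeeper, dual core, dual aggregation, a dual-homed floor switch) and lists every device whose failure alone cuts the Internet off from the floor switch. The device names and the dual-homing of the gatekeeper into both core switches are assumptions, since the figure itself is not reproduced on the page; the `redundant_gatekeeper` flag adds a second gatekeeper in parallel to show that the single point of failure disappears.

```python
"""Single-point-of-failure check for a physically isolated network boundary.

Added example (not the article's own code). The topology is constructed to
match the article's description of figure 3.1; device names are assumptions.
"""
from collections import defaultdict, deque


def build_topology(redundant_gatekeeper: bool = False) -> dict[str, set[str]]:
    """Undirected adjacency map of the boundary path (constructed sample).

    internet -> gatekeeper -> dual core -> dual aggregation -> floor switch.
    Every tier except the gatekeeper is doubled, as the article describes.
    """
    edges = [
        ("internet", "gatekeeper-1"),
        ("gatekeeper-1", "core-1"), ("gatekeeper-1", "core-2"),
        ("core-1", "core-2"),
        ("core-1", "agg-1"), ("core-1", "agg-2"),
        ("core-2", "agg-1"), ("core-2", "agg-2"),
        ("agg-1", "floor-sw-3f"), ("agg-2", "floor-sw-3f"),
    ]
    if redundant_gatekeeper:
        # Hypothetical fix: a second gatekeeper in parallel, also dual-homed.
        edges += [("internet", "gatekeeper-2"),
                  ("gatekeeper-2", "core-1"), ("gatekeeper-2", "core-2")]
    graph: dict[str, set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def reachable(graph: dict[str, set[str]], src: str, dst: str,
              removed: frozenset[str] = frozenset()) -> bool:
    """Breadth-first search from src to dst, ignoring the failed devices in `removed`."""
    if src in removed or dst in removed:
        return False
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(graph: dict[str, set[str]], src: str, dst: str) -> list[str]:
    """Devices (other than the endpoints) whose failure alone disconnects src from dst.

    Brute force: remove each device in turn and re-run the reachability check.
    That is O(V * (V + E)), which is fine for a campus-sized device inventory.
    """
    return sorted(
        dev for dev in graph
        if dev not in (src, dst)
        and not reachable(graph, src, dst, removed=frozenset({dev}))
    )


if __name__ == "__main__":
    for label, redundant in (("single gatekeeper", False), ("dual gatekeeper", True)):
        spofs = single_points_of_failure(build_topology(redundant), "internet", "floor-sw-3f")
        print(f"{label}: single points of failure = {spofs or 'none'}")
```

The check is purely topological: a second gatekeeper removes the outage risk only if both units enforce the same isolation policy (the same ferried protocols and content rules), otherwise the redundancy path becomes the weaker of the two boundaries.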

