Network security system engineering for an expressway network toll system
1. Engineering background
The optical transmission system of the expressway network toll system in the Pearl River Delta region uses SDH digital transmission equipment in a chain (linear) network topology. The transmitted signal is the STM-4 basic module (622 Mbit/s). Management systems and technical capability differ greatly between road sections: most road section management is relatively loose and staff awareness of network security is weak, so the security risk is considerable. The network topology of the Pearl River Delta expressway network toll system is shown in Figure 1.
2. Overall structure
Based on the actual situation of the Pearl River Delta expressway toll system network and on our security system design principles, we build the protection system from high-performance network security products, and combine security technology with management measures so that those products can fully play their protective role.
First, from the perspective of security zones, we divide the network into the expressway toll system regional operation center, the road section management centers, and the subordinate toll stations and lanes, and use firewalls to isolate these zones and enforce access control on all inter-zone traffic. This constitutes the first layer of the protection system.
Second, to protect the important servers of the company headquarters (management servers, business servers, and charging system servers), these servers are placed on one network segment whose access is controlled by the firewall; this segment is called the core protection zone. It can be attached to the multi-interface firewall already at the existing gateway by adding only one additional network interface.
Third, deploy a network intrusion detection system (IDS) at the network exit of each road section to monitor the toll system's network operation automatically, detect and respond to suspicious events, and stop illegal intrusions before hosts or the network are damaged. Because the IDS monitors passively, it injects no traffic and has no effect on network bandwidth. The IDS can be linked with the firewall: when an intrusion is detected, it automatically notifies the firewall to change its rules dynamically, forming a defense-in-depth system. Such automatic blocking should be restricted to high-confidence alerts and must never block the addresses of the toll system's own servers and management centers, since otherwise packets with spoofed source addresses could be used to cut legitimate systems off the network.
Fourth, deploy an antivirus wall (gateway antivirus) together with a full range of enterprise antivirus products, following the strategy of "layered defense, centralized control, prevention first, and prevention combined with control", so that the network does not become a weak link through which viruses enter. Configure the corresponding antivirus software against every possible virus attack path in the network, building a comprehensive, multi-level overall antivirus system.
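The zoning in the first and second points and the IDS-to-firewall linkage in the third point can be modelled end to end. The following is an added example written for this page, not code from the article or from any product it mentions: it evaluates inter-zone traffic against a default-deny whitelist, attaches a core protection zone, and turns constructed IDS alert lines into temporary firewall blocks. The zone names, address plan, port numbers and alert line format are all assumptions made for the example.

```python
"""Zone-based access control plus IDS/firewall linkage for a toll network.

Added example (not from the original article). Zones follow the article's
hierarchy: lanes -> toll station -> road section center -> regional operation
center, plus a core protection zone on an extra firewall interface. Subnets,
ports and the alert format below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re
import time

# Assumed address plan (illustrative, not from the article).
ZONES = {
    "lanes": ip_network("10.10.0.0/16"),
    "station": ip_network("10.20.0.0/16"),
    "section": ip_network("10.30.0.0/16"),
    "regional": ip_network("10.40.0.0/16"),
    "core": ip_network("10.50.0.0/24"),  # management/business/charging servers
}


def zone_of(addr):
    """Map an address to its security zone; anything unassigned is 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    action: str  # "allow" or "deny"


# Static whitelist, first match wins; anything unmatched is denied.
# Port numbers are assumed for the example.
STATIC_RULES = [
    Rule("lanes", "station", 5000, "allow"),    # lane controllers -> station
    Rule("station", "section", 5001, "allow"),  # station -> section center
    Rule("section", "regional", 5002, "allow"), # section -> regional center
    Rule("section", "core", 1521, "allow"),     # charging system database
    Rule("regional", "core", 1521, "allow"),
    Rule("regional", "core", 22, "allow"),      # administration from regional center only
]


@dataclass
class Firewall:
    rules: list = field(default_factory=lambda: list(STATIC_RULES))
    dynamic_blocks: dict = field(default_factory=dict)  # src ip -> expiry time

    def evaluate(self, src, dst, dport, now=None):
        """Return 'allow' or 'deny' for one flow, checking dynamic blocks first."""
        now = time.time() if now is None else now
        if src in self.dynamic_blocks and self.dynamic_blocks[src] > now:
            return "deny"
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            return "allow"  # intra-zone traffic does not cross the firewall
        for r in self.rules:
            if r.src_zone == sz and r.dst_zone == dz and r.dport == dport:
                return r.action
        return "deny"  # default deny between zones


# Assumed alert format: "<epoch> <signature> src=<ip> dst=<ip> prio=<1-3>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<sig>[\w-]+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) prio=(?P<prio>\d)$"
)


def ids_linkage(fw, alert_line, ttl=600, now=None):
    """Turn one IDS alert into a temporary block; return the blocked ip or None."""
    now = time.time() if now is None else now
    m = ALERT_RE.match(alert_line)
    if not m:
        return None
    if int(m["prio"]) > 1:  # only the highest-priority signatures drive auto-blocking
        return None
    src = m["src"]
    # Never auto-block the toll system's own servers or management centers: a
    # spoofed source address would otherwise let an attacker cut them off.
    if zone_of(src) in ("core", "regional", "section"):
        return None
    fw.dynamic_blocks[src] = now + ttl
    return src


SAMPLE_ALERTS = [  # constructed for the example
    "1700000000 ET-SCAN-portsweep src=10.10.3.7 dst=10.50.0.10 prio=1",
    "1700000001 ET-INFO-icmp src=10.40.1.5 dst=10.50.0.10 prio=1",
    "1700000002 ET-POLICY-ssh src=10.20.8.2 dst=10.50.0.10 prio=3",
]


def run_demo(now=1700000000):
    """Show a lane host being blocked by linkage while protected zones are not."""
    fw = Firewall()
    before = fw.evaluate("10.10.3.7", "10.20.1.1", 5000, now)
    blocked = [ids_linkage(fw, a, now=now) for a in SAMPLE_ALERTS]
    after = fw.evaluate("10.10.3.7", "10.20.1.1", 5000, now)
    return before, blocked, after


if __name__ == "__main__":
    print(run_demo())  # ('allow', ['10.10.3.7', None, None], 'deny')
```

The point of the two guards in `ids_linkage` is the one the linkage design needs: a priority threshold so that low-confidence signatures cannot rewrite firewall policy, and an exclusion list so that a single spoofed packet cannot make the firewall block the charging servers or a management center.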
3. Solution advantages
1. High reliability
All products selected in this solution have an MTBF greater than 10,000 hours.
2. High scalability
The firewall, IDS, and antivirus wall used in this solution all implement a network security device linkage protocol and support linkage with equipment from other vendors, which protects the owner's investment. The selected firewall supports VPN, which accommodates future expansion of the owner's network.
3. High defensiveness
The firewall, IDS, and antivirus wall of this solution form a multi-layer protection system. The firewall isolates the security zones; the IDS inspects network traffic in real time; and the antivirus wall not only cuts off the path by which viruses spread over the network but also prevents and controls viruses on the hosts in the network, a capability that ordinary gateway-level antivirus walls lack.
4. High performance
In this solution the IDS and antivirus wall are connected to the network in bypass (out-of-band) mode and therefore have no impact on network performance; each device inspects network packets with its own high-performance kernel.