Secure Control System for Classified Removable Storage on Government Networks
Abstract
Information on the government network must be strictly controlled, especially classified files. In a networked office environment there are many ways to effectively monitor the transmission of confidential files across the network. However, with the spread of USB storage devices, external USB storage devices are often connected to computers on the dedicated government network, many dedicated U-disks are casually used on external-network computers, and USB devices are widely shared between departments. All of these are channels through which files on the government network leak, and if these USB storage devices are not strictly controlled, many viruses also spread through them. A mechanism is therefore needed to control the access rights of USB devices on the government network and to prevent file leaks caused by classified users' mistakes or deliberate actions. Although national regulations already explicitly require security management and classification of removable storage media, implementation is difficult: without technical measures to guarantee and manage it, most domestic government networks still have no countermeasures.
     This project implements a software suite to solve this problem. It provides a secure access mechanism for removable storage devices (mainly U-disks) on the government network, including tiered U-disk access, centralized management of U-disk permissions, monitoring of U-disk operations, and U-disk virus scanning.
With the growing popularity of removable storage devices, their use has begun to threaten the security of government departments: viruses spread through removable media, ferry attacks (bridging isolated networks via removable media) and leaks of confidential material through removable devices all disrupt normal work. Over the last two years, the security of mobile storage media has been addressed in the latest regulatory documents. Information on government networks must be strictly controlled, especially classified files. In a networked office environment there are many effective ways to monitor how classified files travel across the network. However, with the spread of USB storage devices, external USB devices are often connected to computers that should only be used inside the dedicated government network, and many dedicated USB devices are casually connected to computers on the external network. Furthermore, USB devices are frequently shared between departments. All of these are channels through which government documents leak, and if USB storage devices are not strictly controlled, viruses will spread through them.
     Existing domestic removable-storage security products generally rely on dedicated hardware to control U-disk access permissions and secure access; some combine software with dedicated hardware, and some are software-only. These products, however, usually focus on internal network management and perform virus scanning on the local host. The system presented here implements secure control of removable storage devices on government networks purely in software, without additional hardware, and manages U-disks and scans for viruses centrally instead of on the local host.
     After research and experimentation, building on a thorough analysis of existing results, this project implements secure U-disk access and permission control through centralized server-side management, which also addresses the security risks and information leakage associated with U-disks. Using a client/server (C/S) model, a U-disk checking server is deployed on the government network to manage U-disks centrally. When a U-disk is inserted into a computer, the computer connects to the U-disk checking server and obtains the access permission for that U-disk; the local user then accesses the U-disk through a dedicated browser; files on the U-disk must be uploaded to the U-disk checking server for virus scanning and disinfection, and are encrypted in transit. Besides granting U-disk permissions, the checking server performs virus inspection, records and audits U-disk operations, and manages the U-disk usage policy.
     The software is divided into five functional modules: the U-disk control service, the dedicated U-disk access browser, U-disk rights management, the U-disk operation base DLL, and file anti-virus. Together these provide file operations, U-disk monitoring, anti-virus, logging, access control and related functions. The concrete workflow is:
     1) When the system detects an external U-disk being connected to the computer, a service is triggered to read the U-disk serial number. Once the Windows service has obtained the serial number, the U-disk management server provides the management service that decides the U-disk's access permission on this computer.
     2) The user interface is unified, making file operations simple and consistent. When a user inserts a U-disk, the U-disk's permission must first be obtained. If the permission information cannot be obtained, the user can only browse the computer; only with U-disk access permission can files be operated on. The dedicated browser supports uploading and downloading files, deleting selected files, formatting the U-disk and other functions. Each operation generates a log record, which is saved in the database.
     3) All users must apply to the administrator for permission. The U-disk serial number is sent to the administrator as a parameter by the user. The web service uses the serial number and the requesting IP address to look up the user's department and classification information, applies the predefined group policy, and returns a permission to the user.
     4) Uploading and downloading of user files is carried out over SSL and FTP. Files are encrypted during transfer; this area also connects to the anti-virus module, so that when a user uploads an infected file the system disinfects it.
     5) The anti-virus module polls the server every five seconds to check whether a file has been uploaded. A file upload triggers the anti-virus program, and the files in the upload area are scanned by the anti-virus engine built into this software. Clean files are sent directly to the download area. The scan results are written as logs; virus logs are saved in the database for inspection by the administrator.
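The permission decision in step 3 (serial number plus requesting IP looked up against department and classification, then a group policy applied and the request logged) can be sketched as a small default-deny policy engine. The following is an added example, not the thesis's code; the department names, classification ladder, serial numbers and subnets are constructed sample data, and the read-only rule for a disk cleared below its host's level is an assumed policy, not one the abstract specifies.

```python
# Added illustration (not the thesis's code) of the checking server's decision
# for a U-disk serial number and the requesting host IP, with an audit record
# of every request. Registry contents, serials and subnets are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Classification ladder; a higher number means more sensitive (assumed naming).
LEVELS = {"public": 0, "internal": 1, "secret": 2, "top_secret": 3}


@dataclass
class Device:
    serial: str
    department: str
    level: str            # highest classification this disk is cleared to carry
    revoked: bool = False


@dataclass
class Host:
    network: str          # CIDR of the subnet the host lives in
    department: str
    level: str            # classification of material handled on this subnet


@dataclass
class Permission:
    read: bool
    write: bool
    reason: str


@dataclass
class CheckingServer:
    devices: Dict[str, Device]
    hosts: List[Host]
    audit: List[dict] = field(default_factory=list)

    def _host_for(self, ip: str) -> Optional[Host]:
        addr = ip_address(ip)
        return next((h for h in self.hosts if addr in ip_network(h.network)), None)

    def _decide(self, serial: str, ip: str) -> Permission:
        dev = self.devices.get(serial)
        if dev is None:                        # default deny: media not in the registry
            return Permission(False, False, "unregistered device")
        if dev.revoked:
            return Permission(False, False, "device revoked")
        host = self._host_for(ip)
        if host is None:                       # request did not come from a known subnet
            return Permission(False, False, "unknown network")
        if dev.department != host.department:  # the cross-department mixing the abstract warns about
            return Permission(False, False, "cross-department use")
        if LEVELS[dev.level] < LEVELS[host.level]:
            # Disk cleared below the host's level: reading in is allowed,
            # writing out would move data to a lower-cleared medium (assumed rule).
            return Permission(True, False, "disk cleared below host level: read-only")
        return Permission(True, True, "granted")

    def request(self, serial: str, ip: str) -> Permission:
        """Decide and record every request, granted or denied, for later audit."""
        perm = self._decide(serial, ip)
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "serial": serial, "ip": ip,
            "read": perm.read, "write": perm.write, "reason": perm.reason,
        })
        return perm


def build_server() -> CheckingServer:
    """Constructed sample registry standing in for the server's database."""
    return CheckingServer(
        devices={
            "SN-FIN-0001": Device("SN-FIN-0001", "finance", "secret"),
            "SN-FIN-0002": Device("SN-FIN-0002", "finance", "internal"),
            "SN-HR-0003": Device("SN-HR-0003", "hr", "secret", revoked=True),
        },
        hosts=[
            Host("10.1.0.0/24", "finance", "secret"),
            Host("10.2.0.0/24", "hr", "internal"),
        ],
    )


if __name__ == "__main__":
    srv = build_server()
    for serial, ip in [("SN-FIN-0001", "10.1.0.7"), ("SN-FIN-0002", "10.1.0.7"),
                       ("SN-FIN-0001", "10.2.0.9"), ("SN-HR-0003", "10.2.0.9"),
                       ("SN-XXX-9999", "10.1.0.7"), ("SN-FIN-0001", "192.168.5.5")]:
        p = srv.request(serial, ip)
        print(f"{serial} from {ip}: read={p.read} write={p.write} ({p.reason})")
```

Denials are logged alongside grants so that the administrator's audit view shows attempted cross-department or unregistered use, which is the signal that matters for detecting the misuse the abstract describes.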
     In this paper, the functions above are implemented purely in software, avoiding the upgrade and compatibility problems caused by dedicated hardware. Remote anti-virus and centralized U-disk management provide virus and Trojan protection while the U-disk is in use, and avoid the leaks and hidden risks introduced by local anti-virus. The local service runs in the background, monitoring the U-disk without disturbing the user while strictly controlling user access to it. Through the U-disk checking server, the system plays a supervisory role: it improves the safety of using U-disks on the government network, monitors the movement of internal documents, and prevents leaks of internal secret documents through user error or deliberate action. Because U-disk operations are supervised and restricted by the local service, viruses and ferry attacks carried by U-disks are effectively prevented.