一种面向应用层的网络安全方案的分析与设计.docVIP

  一种面向应用层的网络安全方案的分析与 设计 江超，罗守山，辛阳** 5 10 15 20 25 30 35 40 （北京邮电大学信息安全中心，北京 100876） 摘要：在网络日益繁杂的今天，传统的网络安全防御方案已经无法有效预防和阻止网络应用 层攻击。传统的一个端口对应一个应用发展为一个端口对应多个应用，再到目前的一个应用 对应多种应用细分，传统防火墙的 ACL 策略已经失效，安全与危险的边界已经模糊。网络 攻击手段从以网络层攻击为主转化为以应用层攻击为主，并且日趋多样化。在此背景下，很 多企业或单位盲目的购买各种应用层安全防御设备，如 IPS、UTM 等，甚至是 NGFW，缺 乏对整个网络应用层安全防御的整体认识。基于这一点，本文对企业网络的应用层安全风险 进行了分析，提出了基于应用层的网络安全解决方案，从检测、防护、监控、审计四个维度 阐述了网络安全的设计架构，并给出了相应的部署方式，接着对本方案的有效性进行了说明。 本方案可为企业或单位在购买及部署网络安全设备时提供参考。 关键词：信息安全；网络安全；防御方案；安全解决方案；应用层安全 中图分类号：TP393.0 An Solution Of Network Secrity On Application Layer Jiang Chao, Luo Shoushan, Xin Yang (Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876) Abstract: Today network is more and more multifarious, the traditional network security solution cannot effectively prevent network attacks. The traditional one port matches an application development to a port matches multiple application, and then development to an application matches multiple subdivision, traditional Firewall ACL strategy become invalid, safety and dangerous border has being fuzzifying. Network attack means gradually changes from network layer attack to application layer attack; and becoming more diverse. In this context, a lot of enterprises or unit blind to buy all kinds of application layer security defense equipment, such as IPS, UTM, and even NGFW, but lack of whole understanding of network of application layer security defense. Based on this, this paper analyzed the network security at application level of enterprise, and proposed network security solution based on application layer. Proceed from Detection, Protective, Monitoring and Audit the four dimensions expounds the design of the network security architecture, and give deployment way. Then verify the effectiveness of the proposed scheme. For the enterprise or the unit in the purchase and the deployment of network safety equipment provides the reference. Keywords: Information Security; Network Security; Defense sch