China's computer networks, and local area network (LAN) technology in particular, have developed very rapidly. Many universities and research institutes, as well as departments such as banking, public security, posts and telecommunications, railways and petroleum, have built their own LANs. In practice, however, some of these networks are "bare networks" with no confidentiality measures, so users dare not process classified information on them and the networks' potential goes unrealized. Developing and applying effective LAN confidentiality measures, and erecting a solid protective barrier, therefore has very prominent practical significance both now and in the future.
Confidentiality of LAN information
A computer LAN consists of two major parts: information (the programs and data stored on computers and their peripherals) and physical entities. Information leakage is one of the main confidentiality risks of a LAN. Information leakage means that information in the system, especially secret and sensitive information, is deliberately or accidentally intercepted, captured, stolen, analysed or collected, resulting in a disclosure incident. A LAN has three weaknesses with respect to confidentiality protection. First, data accessibility: data can easily be copied by an end user without leaving any trace. Second, the aggregation of information: when information exists in scattered form its value is often small, but once a network gathers large amounts of related information together its value becomes considerable. Third, the difficulty of defence: although defences can be layered, a person familiar with network technology may, with some effort, break through these barriers, which creates great difficulty for confidentiality work.
In a sense, the life of a network lies in its confidentiality. Based on the practice of recent years and the requirements of developing security technology, confidentiality protection for a computer LAN should start from the following four aspects:
(1) Make full use of the confidentiality measures provided by the network operating system. Some users have an insufficient understanding of networks and rarely or never use the confidentiality measures that the network operating system provides, leaving hidden risks. In fact, ordinary network operating systems all have corresponding confidentiality measures. Taking the American company Novell's NetWare network operating system as an example, it provides four levels of confidentiality measures. The first level is login security: when joining the network, a user must log in and register under a user name. A user who wants to use network information resources must accurately declare their user name; otherwise the network will refuse them entry. The second level is directory and file access rights. Access rights define the legitimate scope of a user's access to directories and files, restricting the user to operating only on certain directories and files. Accurately dividing network information into classification levels, scopes, and the personnel cleared for it requires the network administrator and the security staff to work together. The third level is attribute security for files and directories. Attributes directly control the access characteristics of a file or directory. Attribute-based access control takes precedence over a user's effective access rights to a file or directory and can forbid operations that the effective rights would otherwise allow.
The main attribute controls that NetWare provides include: preventing deletion of directories and files; disallowing viewing of directories and files; prohibiting copying of files; prohibiting write operations on files; controlling whether a file may be shared; protecting a file from corruption while it is being modified; and marking files that have been modified. The fourth level is file-server security: the console keyboard can be locked with a password to prevent an illegal intruder from browsing network information as the superuser.
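The second and third levels described above form a two-layer decision: the user's effective rights on the directory grant an operation, and a file attribute can then take it away. The following Go program is an added example that models that precedence; it is not NetWare's code, and the right and attribute names (Read, Write, Delete, Scan; DeleteInhibit, ReadOnly, Hidden, CopyInhibit), the `SYS:SECRET` directory and the users are constructed for illustration.

```go
package main

import "fmt"

// Right is one bit of a user's effective rights on a directory.
// Simplified model of the page's level 2, not NetWare's real rights mask.
type Right uint8

const (
	Read   Right = 1 << iota // read file contents (also needed to copy)
	Write                    // modify file contents
	Delete                   // remove the file
	Scan                     // see the entry when listing the directory
)

// Attribute is a per-file flag that can only remove access (the page's level 3).
type Attribute uint8

const (
	DeleteInhibit Attribute = 1 << iota // cannot be deleted even with the Delete right
	ReadOnly                            // cannot be written even with the Write right
	Hidden                              // not listed even with the Scan right
	CopyInhibit                         // cannot be read out even with the Read right
)

// File is a directory entry with its attribute flags.
type File struct {
	Dir   string
	Name  string
	Attrs Attribute
}

// RightsTable holds the rights granted per directory per user (constructed data).
type RightsTable map[string]map[string]Right

// Allowed evaluates a single operation through both layers in order:
// the effective rights must grant it, and no attribute may inhibit it.
func Allowed(rt RightsTable, user string, f File, op Right) bool {
	effective := rt[f.Dir][user] // zero (no rights) for unknown dir or user
	if effective&op == 0 {
		return false // level 2: the operation was never granted
	}
	// level 3: attributes override effective rights
	switch op {
	case Delete:
		return f.Attrs&DeleteInhibit == 0
	case Write:
		return f.Attrs&ReadOnly == 0
	case Scan:
		return f.Attrs&Hidden == 0
	case Read:
		return f.Attrs&CopyInhibit == 0
	}
	return false // unknown or combined operation: deny by default
}

func main() {
	rt := RightsTable{
		"SYS:SECRET": {"alice": Read | Write | Delete | Scan, "bob": Read | Scan},
	}
	report := File{Dir: "SYS:SECRET", Name: "REPORT.DOC", Attrs: DeleteInhibit | ReadOnly}
	fmt.Println("alice read:  ", Allowed(rt, "alice", report, Read))   // true
	fmt.Println("alice delete:", Allowed(rt, "alice", report, Delete)) // false: DeleteInhibit wins
	fmt.Println("bob write:   ", Allowed(rt, "bob", report, Write))    // false: no Write right
}
```

The point of the design is that the attribute layer is purely subtractive: it never grants anything, so an administrator can protect a critical file against accidental deletion or modification without auditing every user's rights on the directory.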
(2) Strengthen confidentiality protection of database information. Data in a network is organized in two forms, files and databases. Data organized as files is poorly shareable, so databases have become the main form of data storage on networks. Since the operating system has no special confidentiality measures for databases, and the data in a database is stored in readable form, the confidentiality of databases must be addressed by other means.
(3) Adopt modern cryptographic techniques to increase the strength of protection. Use modern cryptography to encrypt data, turning important secret information from plaintext into ciphertext.
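The following Go program is an added example of the plaintext-to-ciphertext step, using authenticated encryption (AES-256-GCM from Go's standard library) so that a stored record is both unreadable and tamper-evident. It is not code from the original article; the record identifier used as associated data and the key derivation are constructed for illustration, and in a real system the key would come from a key-management facility rather than being embedded in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM.
// A fresh 12-byte random nonce is generated per call and prepended to the
// output so Open can recover it. aad (associated data) is authenticated but
// not encrypted; here it carries the record identifier, so a ciphertext
// cannot be silently moved to a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the authentication tag and decrypts. Any change to the nonce,
// the ciphertext, the tag or the associated data yields an error, never
// silently corrupted plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed key for the demo only; a real key must be random and managed.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	record := []byte("salary table, internal use only") // constructed plaintext
	aad := []byte("record-id:42")                       // constructed record identifier

	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes): %x\n", len(sealed), sealed)

	plain, err := Open(key, sealed, aad)
	fmt.Printf("decrypted: %q, err=%v\n", plain, err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, sealed, aad)
	fmt.Println("after tampering, Open returns error:", err != nil)
}
```

Encrypting the database's readable storage in this way addresses the point made under (2): the operating system does not protect database contents, so the protection is applied to the data itself before it reaches the disk.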
(4) Adopt firewall technology to prevent secret information from leaking once the LAN is connected to an external network. The safest way to keep a LAN confidential is not to connect it to the outside at all (state regulations require that LANs involving state secrets must not be connected to external networks), but apart from certain key units and vital departments, connecting LANs to wide area networks is an inevitable trend. A firewall is an electronic system placed between the LAN and the external network to implement access control: it blocks external intruders from entering the LAN while allowing internal LAN users to access the external network.
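The access-control rule just stated (inside users may reach outside, outside hosts may not initiate into the LAN) only works if the firewall can tell a reply to an internal user's request from an unsolicited inbound connection. The following Go program is an added example of that policy as a minimal connection-tracking packet filter; it is not code from the original article, and the packet fields, the flow-table design and the addresses (documentation ranges) are constructed for illustration.

```go
package main

import "fmt"

// Direction says which side of the firewall a packet arrived from.
type Direction int

const (
	Inbound  Direction = iota // from the external network towards the LAN
	Outbound                  // from the LAN towards the external network
)

// Packet carries the 5-tuple a packet filter inspects (constructed model).
type Packet struct {
	Dir              Direction
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Proto            string
}

// flowKey identifies a connection as seen from the LAN side:
// (internal addr/port, external addr/port, protocol).
type flowKey struct {
	inIP, outIP     string
	inPort, outPort int
	proto           string
}

// Firewall remembers connections opened from inside so that their replies
// are admitted; anything else arriving from outside is dropped.
type Firewall struct {
	flows map[flowKey]bool
}

func NewFirewall() *Firewall {
	return &Firewall{flows: make(map[flowKey]bool)}
}

// Decide returns whether the packet is forwarded and a reason suitable for
// logging. The default for inbound traffic is deny.
func (fw *Firewall) Decide(p Packet) (bool, string) {
	switch p.Dir {
	case Outbound:
		// Internal user initiating or continuing a connection: record and allow.
		fw.flows[flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort, p.Proto}] = true
		return true, "outbound from LAN, flow recorded"
	case Inbound:
		// Mirror the tuple: the internal side is now the destination.
		if fw.flows[flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort, p.Proto}] {
			return true, "reply to a connection opened from inside"
		}
		return false, "unsolicited inbound connection dropped"
	}
	return false, "unknown direction dropped"
}

// Close forgets a flow once the internal side is done with it, so the
// hole in the filter does not stay open indefinitely.
func (fw *Firewall) Close(p Packet) {
	delete(fw.flows, flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort, p.Proto})
}

func main() {
	fw := NewFirewall()
	// Constructed traffic: an internal host browsing an external web server,
	// its reply, and an outside host probing an internal SSH port.
	request := Packet{Outbound, "10.0.0.5", "203.0.113.9", 40000, 443, "tcp"}
	reply := Packet{Inbound, "203.0.113.9", "10.0.0.5", 443, 40000, "tcp"}
	probe := Packet{Inbound, "198.51.100.7", "10.0.0.5", 5555, 22, "tcp"}

	for _, p := range []Packet{request, reply, probe} {
		ok, why := fw.Decide(p)
		fmt.Printf("%s:%d -> %s:%d allow=%v (%s)\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, ok, why)
	}
}
```

The denied-packet reason strings are the firewall's most valuable output for a security team: a stream of "unsolicited inbound connection dropped" entries against one internal address is exactly the signal that an outside party is scanning the LAN.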
Confidentiality of LAN physical entities
The LAN's physical entities are the computers, peripherals and network components that carry out information collection, transmission, storage, processing, distribution and use. They have four main channels of leakage:
(1) Electromagnetic leakage. Computer equipment radiates electromagnetic waves while operating, and anyone with suitable instruments can receive them within a certain range; with highly sensitive instruments, the information the computer is processing can be seen stably and clearly. In addition, network ports, transmission lines and the like may cause electromagnetic leakage because they are poorly shielded or not shielded at all. Experiments show that once an uncontrolled computer installation starts operating, its contents can be captured within one kilometre using an ordinary computer fitted with an interception device.
(2) Illegal terminals. An unauthorized user may connect an additional terminal in parallel with an existing one, or connect while a legitimate user is disconnected from the network, so that information is delivered to the illegal terminal.
(3) Wiretapping. Once the LAN is connected to the outside world, data inside the system can be accessed from outside through unprotected external lines, and internal communication lines can also be tapped to steal information.
(4) Remanence of storage media. After information on a storage medium is erased, traces of readable information sometimes remain. Moreover, in most information systems, deleting a file merely removes the file name while the original content remains intact on the storage medium; if that content is recovered, a leak results.
Three kinds of confidentiality measures are generally taken for LAN physical entities. First, measures against electromagnetic leakage, such as selecting low-radiation equipment. The display is the weak link in computer confidentiality, and capturing what is displayed is already a "mature" technique, so choosing a low-radiation display is essential. Distance protection, noise jamming, shielding and other measures can also be used to suppress electromagnetic leakage to a minimum. Second, regular inspection of the physical entities, in particular security inspections of file servers, optical fibre (or copper) cables, terminals and other peripherals, to prevent illegal intrusion. Third, stronger protection and management of the network's recording media: critical classified recording media should have anti-copying and encryption measures, and discarded disks should be destroyed by designated personnel.