安全计算环境建设对策
信息系统入侵防范对策
在网络安全界中一直有一句话“没有绝对的安全”,所以信息系统的攻击防护做不到绝对,但是所有的安全公司都在尝试创造安全的最高峰。安全的对象是数据,防护的对象是人,防止非法人员对有效数据的窃取,所以还是需要以人为本,增强安全管控。信息系统的安全防护应该是一个完整、有规范的系统规划,如图 4.3所示,把整个网络系统进行分区管理,边界防护区采用安全设备进行防护,边界服务器区域将服务器进行统一管控,隔离交换区进行内外网数据的交互以及监控,医疗信息系统区域进行资源的整合。
首先将医院信息系统采用虚拟化方案,在底层将资源整合由上层进行统一调控,实现资源的充分利用和管理。将虚拟主机、虚拟服务器系统升级为Linux系统并进行服务器加固和日志收集分析; 为处理信息系统操作不明现象,采用堡垒机登录实现内部运维人员的管控;制订合理的数据备份方案并实施,防止数据因为意外事故丢失;将门户网站迁移至云端进行运管管控和防护,防止网页篡改和挂马等;使用全网流量收集分析系统实时进行检测、记录以及事后的溯源分析,追查攻击。
当然信息系统的防护措施不仅仅是以上建议措施,定时请专业人员进行必要的渗透测试是对整个网络系统的重要检测环节,有利于及时发现问题并且解决问题。
信息系统数据备份恢复对策
针对数据的备份和恢复要求,应用数据的备份和恢复应具有以下功能:
- 应提供本地数据备份与恢复功能,完全数据备份至少每天一次,备份介质场外存放。
- 应提供异地数据备份功能,利用通信网络将关键数据定时批量传送至备用场地。
- 应采用冗余技术设计网络拓扑结构,避免关键节点存在单点故障。
- 应提供主要网络设备、通信线路和数据处理系统的硬件冗余,保证系统的高可用性。
Countermeasures for the construction of safe computing environment
Information system intrusion prevention countermeasures
In the network security world, there has always been a saying “There is no absolute security”, so the attack protection of information systems cannot be absolute, but all security companies are trying to create the highest peak of security. The object of security is data, and the object of protection is human, to prevent illegal persons from stealing valid data, so people-oriented is still needed to enhance security management and control. The security protection of the information system should be a complete and standardized system plan, as shown in Figure 4.3, the entire network system is partitioned, the border protection area is protected by security equipment, and the border server area manages and controls the servers in a unified manner and isolates the exchange The district conducts internal and external network data interaction and monitoring, and the medical information system area integrates resources.
![Insert picture description here](https://img-blog.csdnimg.cn/20200714095720815.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dX,MxA0,M3U The hospital information system adopts a virtualization scheme, and the resources are integrated at the bottom to be uniformly controlled by the upper layer, so as to realize the full utilization and management of resources. Upgrade the virtual host and virtual server system to Linux system and perform server hardening and log collection and analysis; in order to deal with the unclear information system operation, use the bastion machine login to realize the management and control of internal operation and maintenance personnel; formulate and implement a reasonable data backup plan to prevent The data was lost due to accidents; the portal was moved to the cloud for operation, management and protection, to prevent webpage tampering and horse-hiding, etc.; the entire network traffic collection and analysis system was used for real-time detection, recording, and traceability analysis after the event to track down the attack.
Of course, the protection measures of the information system are not only the above recommended measures. Regularly requesting professionals to conduct necessary penetration tests is an important detection link for the entire network system.
Information system data backup and recovery countermeasures
In response to data backup and recovery requirements, application data backup and recovery should have the following functions:
-
Local data backup and recovery functions should be provided. Full data backup should be performed at least once a day and the backup media should be stored off-site.
-
It should provide remote data backup function, and use the communication network to regularly transfer key data to the standby site in batches.
-
Redundancy technology should be used to design the network topology to avoid single points of failure at key nodes.
-
The hardware redundancy of the main network equipment, communication lines and data processing system should be provided to ensure the high availability of the system.