Traditional network security management systems focus on attacks originating outside the intranet, that is, on Internet security, and pay far less attention to the computers used inside the intranet every day. As the Internet continues to grow and more new technologies are deployed, security incidents originating from intranet computers increase day by day, and the precautions offered by traditional security management systems have been stretched thin. Some government, military and other confidential departments have, according to their security needs, adopted quarantine measures such as strictly prohibiting confidential computers from connecting to the Internet and prohibiting the use of USB devices on confidential computers. However, some intranet users disobey these rules: they connect confidential computers to the Internet via dial-up, ADSL or a second network card; for the convenience of copying data, they move a removable device between a confidential computer and an Internet-connected computer; or they connect an unauthorized notebook computer to the confidential intranet. These behaviors bring enormous risk to the confidential intranet, since they are likely to leak confidential information or to provide an opportunity for hacker attacks. This paper analyzes the traditional methods for supervising illegal extra-connections in depth, focusing on two kinds of solutions: the illegal extra-connection supervisory solution based on two-machine mode and the illegal extra-connection monitoring solution based on agent mode.
According to this analysis, the solution based on two-machine mode encounters four problems in practical deployment: 1) the stateful inspection firewalls developed and widely deployed in intranets in recent years filter out the illegal extra-connection alarm packet, so the security administrator never learns of the illegal extra-connection events occurring in the intranet; 2) intranet users can first use a desktop firewall to block the illegal extra-connection probe packet and then connect to the Internet; 3) intranet users can first physically disconnect from the confidential intranet and then connect to the Internet; 4) this solution can only discover illegal extra-connection behavior but cannot block it, so it cannot guarantee intranet security. The agent mode solution shares the same weakness as two-machine mode when an intranet user connects to the Internet after physically disconnecting from the intranet, and it cannot supervise newer forms of illegal extra-connection, such as copying files with a removable device on a confidential machine. Consequently, neither solution can send alarm information to the intranet security administrator in time or supervise the intranet effectively. To address these problems, this paper combines Windows route supervision, Windows IP security policy control, an NDIS intermediate driver, 802.1X LAN and three kinds of alarm technologies, and puts forward an improved illegal extra-connection supervisory solution. It provides comprehensive monitoring of illegal extra-connections by intranet computers, illegal use of USB devices on confidential intranet computers, and illegal access to the intranet by external computers, and generates real-time alarm information to notify the intranet security administrator promptly.
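As an added illustration of the route-supervision idea behind the improved solution (this is example code written for this page, not code from the paper), the following checks a Windows `route print` IPv4 table for a second network card or dial-up link: any interface address outside the authorised intranet prefix, or a default route through a gateway other than the authorised one, raises an alarm. The route table text and the authorised prefix and gateway are constructed, hypothetical values.

```python
import ipaddress
import re

# Constructed sample of the IPv4 "Active Routes" section of Windows `route print`
# from a confidential-intranet host that has also brought up a second, unauthorised
# interface (192.168.1.50). All addresses are hypothetical.
SAMPLE_DUAL_HOMED = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.0.1      10.10.0.25     25
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     35
        10.10.0.0    255.255.255.0        On-link      10.10.0.25    281
      192.168.1.0    255.255.255.0        On-link    192.168.1.50    291
        127.0.0.0        255.0.0.0        On-link       127.0.0.1    331
"""

# Constructed sample of a compliant host: only the intranet interface is present.
SAMPLE_CLEAN = """\
          0.0.0.0          0.0.0.0      10.10.0.1      10.10.0.25     25
        10.10.0.0    255.255.255.0        On-link      10.10.0.25    281
        127.0.0.0        255.0.0.0        On-link       127.0.0.1    331
"""

# Policy (assumed for the example): the only network a confidential host may
# have an address on, and the only default gateway it may use.
AUTHORISED_PREFIX = ipaddress.ip_network("10.10.0.0/24")
AUTHORISED_GATEWAY = ipaddress.ip_address("10.10.0.1")

# destination, netmask, gateway, interface, metric; header lines do not match
# because their last column is not numeric.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (destination, netmask, gateway, interface) tuples from route print text."""
    return [m.groups()[:4] for m in map(ROUTE_RE.match, text.splitlines()) if m]

def find_extra_connections(text, prefix=AUTHORISED_PREFIX, gateway=AUTHORISED_GATEWAY):
    """Return sorted alarm strings for routes that indicate an illegal extra-connection."""
    alarms = set()
    for dest, mask, gw, iface in parse_routes(text):
        iface_ip = ipaddress.ip_address(iface)
        if iface_ip.is_loopback:
            continue
        if iface_ip not in prefix:
            alarms.add(f"interface {iface} outside authorised prefix {prefix}")
        # A default route whose gateway is not the intranet gateway means traffic can
        # leave through another link (second card, dial-up, ADSL).
        if dest == "0.0.0.0" and mask == "0.0.0.0" and ipaddress.ip_address(gw) != gateway:
            alarms.add(f"default route via unauthorised gateway {gw} on {iface}")
    return sorted(alarms)
```

On a live host the input would come from the output of `route print -4`; the alarms returned here are what an agent would forward to the security administrator.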