Friends in the community! Happy New Year 2018 to you all! This is a Sun Wukong (Monkey King) doll I photographed at a shopping mall on New Year's Day; it looks so adorable that I plan to go home and sculpt one myself out of modeling clay. I also wish everyone a new year in which, like the Great Sage Equal to Heaven, your powers are boundless and you advance a thousand miles a day! OK, let's continue with the information-security control questionnaire from the end of last year; this time it's part three:
Network:
Internet Access and Connection
Question:
- Are the DNS services set up with the ability to fail over to a backup DNS server?
- Do network intrusion detection systems (NIDS) or network intrusion prevention systems (NIPS) monitor all external and internal network connections?
- Are controls in place against Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks?
Answer:
- The company's Internet access uses two lines (with primary and secondary DNS service), so that different business applications connect to the outside over their own line and the two lines back each other up.
- Tools are used to discover the network and draw a detailed network-connection topology diagram.
- All existing network devices (firewalls, IDS/IPS, routers, switches, etc.) follow a unified configuration template, and every device's configuration is centrally backed up and archived.
- Controls against DoS and DDoS attacks are in place, together with detailed reference documentation of the recovery plans and operating procedures for the network devices.
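The DNS failover control above is easiest to evidence with a check that actually exercises it: resolve a name through the primary and, when the primary does not answer, through the secondary, and confirm that both resolvers return the same answer. The Python script below is an added example written for this post, not something taken from the questionnaire or from the company's environment. It speaks raw DNS over UDP so it needs no third-party library; the resolver addresses in it (192.0.2.53 and 198.51.100.53) are placeholders (an assumption) to be replaced with the real primary and secondary.

```python
"""Raw-UDP DNS A-record lookup with primary/secondary failover (added example).

Assumptions: the resolver addresses under __main__ are placeholders, and a reply
counts as good only if it carries our transaction id, has QR set and RCODE 0.
"""
import random
import socket
import struct


def build_query(name, txid):
    """Build a recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Return the offset just past a domain name, handling RFC 1035 compression."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid):
    """Return the IPv4 addresses in a reply; raise ValueError if the reply is unusable."""
    if len(resp) < 12:
        raise ValueError("truncated header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # also drops stray/spoofed datagrams
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))  # e.g. 2 = SERVFAIL
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def udp_send(server, payload, timeout):
    """Send one datagram to server:53 and return the reply; socket.timeout on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, 53))
        return sock.recv(4096)


def _ask(server, name, timeout, send):
    """One query to one server; truncated replies surface as ValueError like other bad replies."""
    txid = random.randint(0, 0xFFFF)
    reply = send(server, build_query(name, txid), timeout)
    try:
        return parse_a_records(reply, txid)
    except (IndexError, struct.error):
        raise ValueError("truncated reply") from None


def resolve(name, servers, timeout=2.0, send=udp_send):
    """Client-side failover: try resolvers in order, return (addresses, server used).

    A timeout, ICMP unreachable, malformed reply or non-zero RCODE moves on to the
    next server, so a dead primary costs at most `timeout` seconds per query.
    """
    errors = []
    for server in servers:
        try:
            return _ask(server, name, timeout, send), server
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            errors.append("%s: %s" % (server, exc))
    raise RuntimeError("all resolvers failed: " + "; ".join(errors))


def audit_resolvers(name, servers, timeout=2.0, send=udp_send):
    """Evidence for the questionnaire: which resolvers answer, and do they agree?

    Returns (per-server answer lists or None, answering servers, consistency flag).
    Run it with the primary deliberately unreachable to show the failover works; the
    consistency flag catches a backup that answers but serves different data.
    """
    results = {}
    for server in servers:
        try:
            results[server] = sorted(_ask(server, name, timeout, send))
        except (OSError, ValueError):
            results[server] = None
    answering = [s for s in servers if results[s] is not None]
    consistent = len({tuple(results[s]) for s in answering}) <= 1
    return results, answering, consistent


if __name__ == "__main__":
    # Placeholder resolver addresses (assumption): substitute the real primary/secondary.
    resolvers = ["192.0.2.53", "198.51.100.53"]
    print(resolve("example.com", resolvers))
    print(audit_resolvers("example.com", resolvers))
```

`resolve` shows the client-side behaviour the control relies on; `audit_resolvers`, run once normally and once with the primary blocked, is the artefact to keep for the questionnaire. A backup that is reachable but disagrees with the primary is the failure mode a plain ping or port check misses, which is why the consistency flag is reported alongside reachability.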
DMZ
Question:
- Do all external network connections [such as B2B connections, web services or communication protocols (e.g., HTTP, HTTPS, SFTP, FTP, Telnet)] terminate within a DMZ architecture?
- Is inbound network traffic for services that host non-public information and are Internet accessible, authenticated and terminated within a DMZ?
Answer:
- A separate domain has been carved out in Active Directory for the DMZ.
- External users can reach web resources in the DMZ only over Secure Sockets Layer (SSL), i.e. HTTPS.
- Services such as Outlook Web Access, ActiveSync, Citrix, Office Communications Server, the VPN gateway and the SharePoint extranet have been placed in the DMZ.
Internet Activity
Question:
- Are all outbound Internet activities logged or monitored?
- Are all outbound connections (e.g., HTTP, HTTPS, SFTP, media streaming) authenticated by a proxy device?
Answer:
- All users must hold a valid domain account and go through the proxy server to reach the Internet.
- The proxy server performs virus scanning, request-signature analysis, policy decisions, and tracking and logging on inbound and outbound packets.
Wireless Connection
Question:
- If wireless technologies are used, are strong industry standard encryption controls in place?
- Are employees and guest wireless network users required to acknowledge acceptable use terms before connecting?
Answer:
- The company provides a single wireless network ID (SSID) protected with WPA2-Enterprise (802.1X) encryption, with full coverage of all areas.
- The wireless network is configured to interconnect with the LAN: domain accounts can reach all corporate resources from the wireless network, while non-domain accounts logging on to the wireless network are shown a logon page with a warning and acceptable-use notice and can only reach the Internet.