外文翻譯---校園網(wǎng)層次型網(wǎng)絡安全設計

1、<p><b>　　附錄B：中文原文 </b></p><p>　　校園網(wǎng)層次型網(wǎng)絡安全設計</p><p>　　隨著我國數(shù)字校園工作不斷推進，校園網(wǎng)絡在給廣大師生工作、學習帶來便利的同時，其開放性、自由性、交互性和共享性使得一系列網(wǎng)絡安全問題相繼出現(xiàn)。因此，結(jié)合高校管理自身特點，基于校園網(wǎng)的一般性安全需求和安全目標，設計行之有效的網(wǎng)絡安全層次模型，構(gòu)建完善

2、的校園網(wǎng)安全防御體系，保障校園網(wǎng)穩(wěn)定、高效、安全運行已成為校園網(wǎng)建設過程中必須要解決的問題。從管理和實用的角度出發(fā)，校園網(wǎng)完全設計分為物理安全、網(wǎng)絡安全和安全管理三個層次。</p><p><b>　　1 物理安全</b></p><p>　　物理安全是保護計算機網(wǎng)絡設備、設施以及其它媒體免遭地震、水災、火災等環(huán)境事故以及人為操作失誤或錯誤及各種計算機犯罪行為導致的

3、破壞過程。保證學院校園網(wǎng)各種設備的物理安全是實現(xiàn)系統(tǒng)安全控制的前提。</p><p><b>　　1.1機房環(huán)境安全</b></p><p>　　機房、監(jiān)控等場地設施和環(huán)境安全設計：必須符合國家標準并滿足應用系統(tǒng)24小時不間斷運行的特殊要求(參見國家標準GB50173-93《電子計算機機房設計規(guī)范》、國標GB2887-89《計算站場地技術(shù)條件》、GB9361-88《計

4、算站場地安全要求》)。機房的位置應力求減少無關(guān)人員進入的機會，設備的位置遠離主要通道，同時，機房的窗戶也應避免直接面臨街道。</p><p>　　供配電系統(tǒng)安全設計：要求能保證對機房內(nèi)的主機、服務器、網(wǎng)絡設備、通訊設備等的電源供應在任何情況下都不會間斷，做到無單點失效和平穩(wěn)可靠，這就要求兩路以上的市電供應，N+1冗余的自備發(fā)電機系統(tǒng)，還有能保證足夠時間供電的UPS系統(tǒng)。</p><p>　

5、　防雷接地系統(tǒng)安全設計：保證機房的各種設備安全，要求機房設有四種接地形式，即計算機專用直流邏輯地、配電系統(tǒng)交流工作地、安全保護地、防雷保護地。消防報警及自動滅火系統(tǒng)安全設計：為實現(xiàn)火災自動滅火功能，在網(wǎng)絡系統(tǒng)各個重點位置，應該設計火災自動監(jiān)測及報警系統(tǒng)，以便能自動監(jiān)測火災的發(fā)生，并且啟動自動滅火系統(tǒng)和報警系統(tǒng)。</p><p>　　門禁系統(tǒng)安全設計：安全易用的門禁系統(tǒng)可以保證物理安全，同時也可提高管理的效率，其中

6、需要注意的原則是安全可靠、簡單易用、分級制度、中央控制和多種識別方式的結(jié)合。</p><p>　　保安監(jiān)控系統(tǒng)安全設計：保安監(jiān)控包括閉路監(jiān)視系統(tǒng)、通道報警系統(tǒng)和人工監(jiān)控系統(tǒng)。</p><p><b>　　1.2物理設備安全</b></p><p>　　主要包括：設備防盜、防毀、防電磁信息輻射泄漏、抗電磁干擾等。</p><p

7、><b>　　2 網(wǎng)絡安全</b></p><p>　　學院校園網(wǎng)的網(wǎng)絡安全重點解決網(wǎng)絡層和傳輸層的通信安全，它包括三個層次：不同局域網(wǎng)之間的隔離與訪問控制、公共網(wǎng)絡上的數(shù)據(jù)傳輸安全和網(wǎng)絡入侵檢測系統(tǒng)。</p><p>　　2.1隔離與訪問控制</p><p>　　基于網(wǎng)絡安全的需求，在學院校園網(wǎng)的部分網(wǎng)絡邊界處采用防火墻(Fire W

8、all)技術(shù)來實現(xiàn)隔離與訪問控制。根據(jù)校園網(wǎng)的特點一般采用防火墻在透明模式和路由模式同時工作的混合模式，這樣提高了網(wǎng)絡應用的靈活性，很大程度上提高了防火墻的適應性，通過結(jié)合其他安全技術(shù)就更能方便快捷地達到用戶的安全需求。通過選用核心交換機提供防火墻與包過濾功能，規(guī)定網(wǎng)管信息的流向，在中心交換機連接教師/學生宿舍網(wǎng)絡、公眾信息服務器網(wǎng)絡、網(wǎng)管中心網(wǎng)絡、教學單位網(wǎng)絡和行政辦公網(wǎng)絡5個接口處，配置防火墻，對5個網(wǎng)絡進行隔離并對進/出的數(shù)據(jù)進行

9、訪問控制。</p><p><b>　　2.2網(wǎng)絡傳輸安全</b></p><p>　　鑒于目前高校普遍擁有2個以上的校區(qū)，不同校區(qū)網(wǎng)絡之間是通過專線連接起來的。當這些大型局域網(wǎng)通過專線交互數(shù)據(jù)時，面臨的安全威脅有：如何防范惡意攻擊?如何確保數(shù)據(jù)在專線上傳輸時的安全性?可以采用的安全技術(shù)是VPN技術(shù)。在網(wǎng)絡通信線路上配置VPN網(wǎng)關(guān)，在中心交換機上安裝VPN管理器。通過

10、VPN網(wǎng)關(guān)，可以在專線上構(gòu)建安全通道，對通信數(shù)據(jù)提供安全保護;同時，VPN網(wǎng)關(guān)還能起到網(wǎng)絡隔離作用，如果有攻擊者欲借助專線接入學院校園網(wǎng)，由于其訪問數(shù)據(jù)不能走安全通道，因而VPN網(wǎng)關(guān)可以對來自非安全通道內(nèi)的數(shù)據(jù)自動進行過濾，阻止非法數(shù)據(jù)通信。</p><p>　　2.3 網(wǎng)絡入侵檢測系統(tǒng)</p><p>　　入侵檢測系統(tǒng)(Intrusion Detection System)，簡稱IDS，

11、用于對入侵行為進行識別，它通過從計算機網(wǎng)絡或計算機系統(tǒng)的關(guān)鍵點收集信息并進行分析，從中發(fā)現(xiàn)網(wǎng)絡或系統(tǒng)中是否有違反安全策略的行為和被攻擊的跡象。</p><p>　　校園網(wǎng)IDS配置在兩個地方。校園網(wǎng)和教育網(wǎng)的連接處：用于對進出教育網(wǎng)的數(shù)據(jù)進行監(jiān)視，既監(jiān)測并阻斷來之教育網(wǎng)對校園網(wǎng)的攻擊，同時又監(jiān)測并阻斷校園網(wǎng)內(nèi)用戶對教育網(wǎng)的攻擊數(shù)據(jù)包;教師/學生宿舍網(wǎng)絡和校園網(wǎng)中心交換機的連接處：學生是校園網(wǎng)的主要使用者，但鑒于大

12、學生思維活躍，有一定的冒險意識，所以必須對其的網(wǎng)絡行為進行必要的控制，在學生宿舍網(wǎng)絡接入校園網(wǎng)的入口配置IDS，可以實時監(jiān)測學生對校園網(wǎng)資源訪問時的數(shù)據(jù)包，防止惡意數(shù)據(jù)包對校園網(wǎng)通信秩序的破壞。</p><p><b>　　3 安全管理</b></p><p>　　給校園網(wǎng)制定一個合適的安全管理制度和安全策略是十分必要的。</p><p>&

13、lt;b>　　3.1安全管理體制</b></p><p>　　建議成立以學校分管安全的領(lǐng)導為主的校園網(wǎng)安全管理小組，小組成員可以由各子網(wǎng)節(jié)點、各子系統(tǒng)管理員參加。明確制定安全管理小組的成員在管理上的權(quán)利和義務。對于小組中的每一個成員，明確指定每個人應該對什么事故負什么樣的責任，責任落實到人。明確指定什么人可以管理什么網(wǎng)絡設備(防火墻、路由器、交換機等等)，作到專門的產(chǎn)品維護由專人負責。</

14、p><p><b>　　3.2安全管理原則</b></p><p>　　多人負責原則。每一項與安全有關(guān)的活動，都必須有兩人或多人在場。這些人應是系統(tǒng)主管領(lǐng)導指派的，他們忠誠可靠，能勝任此項工作;他們應該簽署工作情況記錄以證明安全工作已得到保障。任期有限原則。為遵循任期有限原則，工作人員應不定期地循環(huán)任職，強制實行休假制度，并規(guī)定對工作人員進行輪流培訓，以使任期有限制度切實

15、可行。職責分離原則。在信息處理系統(tǒng)工作的人員不要打聽、了解或參與職責以外的任何與安全有關(guān)的事情，除非系統(tǒng)主管領(lǐng)導批準。</p><p><b>　　3.3安全管理服務</b></p><p>　　網(wǎng)絡安全是動態(tài)的、整體的，并不是簡單的安全產(chǎn)品集成就可以解決問題。隨著時間推移，新的安全風險又將隨著產(chǎn)生。因此，一個完整的安全解決方案還必須包括長期的、與系統(tǒng)相關(guān)的信息安全服

16、務。其包括：全方位的安全咨詢、培訓；靜態(tài)的網(wǎng)絡安全風險評估；特別事件應急響應。</p><p><b>　　參考文獻</b></p><p>　　[1] 唐俊.層次型校園網(wǎng)安全主動防御體系的研究[J].電腦知識與技術(shù)，2008(2).</p><p>　　[2] 覃國銳.高校校園網(wǎng)絡安全管理存在的問題及對策[J].柳州師專學報，2009(2).

17、</p><p>　　[3] 陳繪新.淺析數(shù)字圖書館網(wǎng)絡安全防御體系[J].科技信息，2009(15).</p><p><b>　　附錄C：英文翻譯</b></p><p>　　Hierarchical campus network security design</p><p>

18、;　　With the digital campus of China work steadily, campus network into teachers and students working, study and bring convenience while its openness, freedom, interaction and sharing makes a series of network security pr

19、oblems arise. Therefore, according to the characteristics of their university management, based on campus network general safety requirements and the safety goal, the design effective network security level model, buildi

20、ng perfect campus network security defense system, ensure the s</p><p>　　1. Physical security</p><p>　　The physical security is to protect the computer network equipment, facilities and other me

21、dia from earthquake, flood, fire and other environmental accidents and artificial operation error or errors and of various computer crime behaviors led to the destruction of the process. Ensure that all sorts of equipmen

22、t of college campus physical security are to realize the system security control of premise.</p><p>　　1.1 Room environment safety</p><p>　　Rooms, control, and other facilities and environmental

23、security design: Must conform to the state standards and meet the application system 24 hour uninterrupted operation special requirements(See the national standard GB50173-93 “electronic computer room design standard”, G

24、B2887-89 "computing station site technical conditions", GB9361-88 "computing station site safety requirements"). The location of the room should be trying to reduce the chance of irrelevant personnel

25、enter, away from the main</p><p>　　For distribution system security design: Requests can guarantee to the telecom room host, server, network equipment, communications equipment and power supply in any circum

26、stances will be missed, do no single point of failure and stable and reliable. This requires two way above the utility service, N + 1 redundant self-provided generator system, and can ensure enough time to UPS power supp

27、ly system.</p><p>　　Lightning proof grounding system security design: Ensure the safety of all kinds of equipment room, computer room has four kinds of grounding request form, that is computer special dc log

28、ic, power distribution system, safety, protect where communication lightning protection site.</p><p>　　Automatic fire alarm and fire fighting system security design: To realize the automatic fire extinguishi

29、ng function, in the network system each key position, should design automatic fire monitoring and alarm system, so as to automatic monitoring fire, and start to be automatic fire system and alarm system.</p><p

30、>　　Entrance guard system security design: Safety and easy entrance guard system can ensure the physical security, but also can improve the management efficiency, which need to be aware of principle is safe and reliabl

31、e, easy to use, the ratings system, central control and a variety of the combination of mode of recognition.</p><p>　　Security monitoring system security design: Security monitoring including closed-circuit

32、surveillance system, channel alarm system and artificial monitoring system.</p><p>　　1.2 Physical equipment safety</p><p>　　Mainly includes: equipment security, against destroyed, prevent electr

33、omagnetic radiation leakage of information, electromagnetic interference, etc.</p><p>　　2. Network security</p><p>　　Campus network security is mainly to solve the network layer and the transpor

34、t layer security communication, it includes three levels: different between the local area network to isolate and access control, public network data transmission of security and network intrusion detection system.</p

35、><p>　　2.1 Isolation and access control: Based on network security needs, in college campus network boundary between the parts of the network firewall (Fire Wall) technology to realize isolation and access cont

36、rol. According to the characteristics of the campus network firewall in general use transparent mode and routing mode of working at the same time mixed mode, improve the network application of such flexibility, greatly i

37、mprove the adaptability of the firewall, by combining other security technolo</p><p>　　Network transmission safety: In view of the present universities generally have more than one school district, between d

38、ifferent campus network is connected by special line. When these large LAN through the special line interactive data, facing the security threats: how to prevent malicious attacks? How to ensure that data in the security

39、 in the transmission line? Can use safety technology is VPN technology. In the network configuration VPN gateway on line, in the center the switch installed VPN</p><p>　　The network intrusion detection syste

40、m：Campus network IDS be configured in two places. Campus network and the joint of leaks: used for moving the monitoring data leaks, both monitoring and blocking the education network of campus to attack, and at the same

41、time, monitoring and block in the campus network users for education network attack packet; The teacher/student dormitory campus network and the joint of central switch: students are the main campus network users, but wi

42、th college students' ac</p><p>　　3. Safety management</p><p>　　To formulate a proper campus network security management and safety strategy is very necessary.</p><p>　　3.1 Safet

43、y management system</p><p>　　Suggestions for school was founded to the leadership of the safety of the campus network security management group mainly, team members can be made by each node, subsystem subnet

44、 administrator to attend. We should clearly lay safety management team members in the management of right and obligation. For every member of the group, specifically designated everyone should be on what kind of responsi

45、bility for the accident, responsibility to implement. What specifically designated person can what man</p><p>　　3.2 Safety management principle</p><p>　　The principle of people is responsible fo

46、r it. Each of security-related activities must have two or more persons present. Some people should be appointed manager system, their loyalty and reliability, can do the work; they should work records to prove signed sa

47、fety work already get ensuring. Term limited principle. In order to follow the principle term limited, workers should not regularly circulation work, enforce holiday system, and regulations of the staff to take turns tra

48、ining, so that the </p><p>　　Safety management services</p><p>　　Network security is dynamic, integral, and is not simple security product integration can solve the problem. Over time, the new s

49、afety and risk with produce. Therefore, a complete security solution must include the long-term and related information security service system. They include: comprehensive safety consulting, training; Static network saf

50、ety risk assessment; Special event emergency response.</p><p><b>　　Reference</b></p><p>　　[1] TangJun. A hierarchical network security of active defense system [J]. Computer knowledg

51、e and technology, 2008 (2).</p><p>　　[2] Qin Guorui. The campus network security management problems and countermeasures [J]. Journal of liuzhou teachers, 2009 (2).</p><p>　　[3] Chen Huixin. Acc