背景

In order to cope with the large number of servers in the enterprise, basically themselves are in a zero-defense state，There is no protection against high-frequency cracking, vulnerability rights, uploading Trojan horses, remote login, springboard scanning and other behaviors，The threat situation that causes various hacker organizations to frequently launch network attacks, post reactionary slogans, and steal sensitive data on national critical information infrastructure such as Chinese government websites, web business systems, and application system servers，Implement the relevant requirements of the Cybersecurity Law of the People's Republic of China，In response to the policy requirements of the four ministries' Notice on issuing the 'Special Rectification Action Plan for Internet Website Security of Party and Government Organs, public Institutions and State-owned Enterprises' and the Ministry of Public Security's 2015 National Network and Information Security Information Notification and Hierarchical Protection Work，Under the guidance of the 11th bureau, the "Application host Integrated Protection System (referred to as: Network anti-G01)" was designed and developed.，Provide multiple protection for the protection of China's critical information infrastructure，Comprehensive monitoring of cyber attacks，Establish a small protective ring for the industry sector，It is an important technical support for the protection of critical information infrastructure in our country。 The application host integrated protection system (net anti-G01) is an effective means to combat APT attacks, and it is a technical support system required by four ministries and commissions to be implemented! Network anti-G01 is the core achievement of APT attack defense project in the National Engineering Laboratory of Computer Virus Technology

Product and positioning

It provides host - and application-based protection products for important information systems, Web business systems and website systems, and establishes a comprehensive security guarantee system integrating monitoring, early warning, protection, emergency response, disposal and operation and maintenance。

infrastructure

Construction of a number of infrastructure for emergency notification services for grade protection

Follow-up investigation

Closely surrounding the defense of important systems, tracking and investigating domestic and foreign cyber attacks。

Website comprehensive protection

It has dozens of protection functions such as anti-web tampering, anti-SQL injection, anti-cross-site scripting, web Trojan killing, sensitive word filtering, etc。

Website protection features Website vulnerability protection: prevent known and unknown vulnerability utilization, and resist SQL injection, XSS cross-site, vulnerability utilization and other attacks; Web Trojan killing: real-time and effective detection of various encrypted and deformed Webshells, automatic isolation and killing; Web tamper proof: Driver level web tamper proof, prevent the specified directory files from being maliciously modified, Web anti-theft chain: provides multi-mode anti-theft chain to prevent pictures and streaming media files from being stolen; Sensitive words filtering: Intelligent identification and replacement of reactionary, violent, pornographic sensitive words, prevent submission and browsing, Anti-cc attacks: intelligently detect and resist CC attacks, and maintain the normal service ability of the website;Anti-cc can effectively defend against CC attacks, trace the source of attacks, and reduce the loss of server resources and bandwidth occupation. Site background protection: redirects the site background to prevent hackers from guessing violently。

Protect important system files, processes, and system resources on the application server to prevent the server from being remotely controlled.

Server comprehensive protection File upload protection: File type upload restrictions to prevent the upload of non-compliant files; File monitoring and protection: Monitors and protects all files on the disk, and verifies read and write permissions and integrity. Server performance monitoring: Monitors the status of system resources such as CPU, memory, disk, network I/O, and throughput in real time and generates alarms. Advanced inspection: Web file scanning of the server, account security, system configuration verification, etc., comprehensive assessment of server risks. Access control: User-defined virtual protection wall, flexible control of inter-host access rules; Port protection: prevents port scanning and blocks the scanner from information detection and vulnerability scanning。

Monitoring and early warning and situation analysis

Network attack real-time wechat, SMS alarm;Display attack trend and extract attack feature。

subaccount

Netguard G01 provides the sub-account function. Users can create sub-accounts for other departments of the unit

Attack backtracking

Through data mining and merging attack information, attack profiling is carried out

Asset management

The assets are sorted by two dimensions of server and website, which is convenient to grasp the safe operation of assets

The new version of "Net Defense G01" public cloud comprehensively optimizes the protection strategy and implementation mechanism，Improve security incidents and security boundaries，New functions such as network topology discovery and security event tracing are added，Form a three-dimensional, all-round defense system that integrates application protection, threat perception, attack event backtracking, server security hardening, risk tracking, automatic risk identification, threat intelligence, asset management, network status and performance monitoring。The network anti-G01 system includes a protection client (Windows version, Linux version), PC control terminal, single-user management monitoring system, and external data service interface。

Operating system kernel hardening technology

· Conduct a comprehensive and efficient baseline check on host security configuration, including checking system weak passwords, checking cloned accounts, checking scheduled tasks, etc.

· Prohibit useless services in the operating system, improve system security, and reduce the occupation of system resources.

· Reinforce the operating system's own security and anti-attack capability through the kernel probe, protect the system's core files,

·Windows server can repair official patches released by Microsoft with one click。

Multi-dimensional probe and plug-in adaptive security platform technology

· Effective integration of multiple platform middleware, such as IIS6, IIS7, IIS8, Tomcat, WebLogic, Apache, WebSphere, Nginx, etc.;

· Support system compatibility, such as Windows series, Ubuntu series, Centos series, Redhat series, Suse series, Aisanux series

· Support security product compatibility, such as anti-virus software, anti-tamper software, etc。

Self-protection technology is applied during operation

· Continuously monitor the traffic, context, and behavior of the application system, identify and defend against known and unknown threats,

· Can effectively defend against SQL injection, command execution, file upload, arbitrary file read and write, deserialization, Struts2 and other application vulnerabilities that cannot be effectively protected based on traditional signature methods。

Abnormal behavior detection technology of net horse based on sandbox

· Effectively detect various encrypted and deformed Webshells;

· Read and set monitoring points in the probe of the kernel and application layer, continuously learn the behavior of the system, effectively detect abnormal behaviors in the system, and generate alarms after comprehensive judgment。

Linkage defense technology

Adaptive blacklist and whitelist mechanism is adopted to control the detection and intrusion of network scanning equipment, protect the privacy of information system, and prevent information detection。

Microisolation and flow visualization techniques

· By monitoring and visualizing the data flow of the business system, help the security operation and maintenance personnel to accurately grasp the information flow of the internal network of the business system in real time;

· Customize virtual security boundaries across physical networks and role-based access control policies to prevent attackers from moving east-west after intruding into internal business networks. Servers in micro-isolation domains can be dragged freely or joined to other micro-isolation domains, and isolation policies are automatically adjusted。

Attack event backtracking

· The system will generate corresponding security events in the three stages of risk identification, defense and threat perception, and automatically generate event analysis reports to say goodbye to complicated attack logs;

· For intrusion type attack events, the system automatically traces the attack process to help enterprises locate and repair risk points。

Network data information collection technology

.The customized web crawler monitors and collects targeted information on web disks, libraries, post bars, forums, circles, communities, etc., discovers and collects threat information, screens and classifies it in a targeted manner, assists users in comprehensive protection, and prevents information leakage and exploitation。

Machine learning technique

Intelligent identification of network assets through machine learning technology, discovery and detection of bad asset status, forming security protection based on asset discovery。

Vulnerability mining and risk scanning technology

· By mining the general vulnerability information of the information system, asset discovery and matching, users can quickly discover the vulnerability risk of their own system and prevent the risk of attack and penetration。

Cloud platform (website group) protection

① Current problems:  The defense mode remains at the periphery of hosts: Cloud platform defense is based on the virtualization technology of security devices at the network layer and uses standard computing units to create virtual security devices. After attacks penetrate the host layer, defense measures become invalid.  cannot solve the problem of data flow between cloud hosts;  Users are mostly responsible for application security on cloud platforms and there is a lack of unified and centralized security policies.  Centralized management of website groups and unified templates need to strengthen defense in depth and focus on protection。 ② Solution: Based on system and application protection, increase the last line of defense of the host layer to achieve three-dimensional protection and monitoring。 ③ Problems that can be solved:  Resolve known vulnerabilities and Web application security issues with user-defined protection rules by applying protection probes.  Continuously monitors the traffic, context, and behavior of the system through the system protection probe, identifies and defends against known or unknown threats, and solves system-layer security problems.  Non-signed Trojan horse detection technology based on script virtual machines. The cloud sandbox can effectively detect various encrypted and deformed server Trojans to prevent remote control.  The virtual security domain technology monitors process behaviors and limits process permissions, preventing hackers from taking advantage of application vulnerabilities to grant permissions and create executable files  Solve the east-west data flow problem, customize virtual security boundaries across physical networks and role-based access control policies, monitor internal network information flow, and prevent attackers from intruding into internal service networks.  Host Defense G01 protects a single cloud host, collects host attack data and asset data, integrates virtual security device log data, builds a cloud security management platform, and comprehensively monitors cloud platform security from the network layer to the application layer。 G01 host security software, fully adapted to the cloud platform, website group architecture, to achieve unified protection and monitoring

The future of virtualization security cannot be separated from SAAS (Software as a Service)

Private network protection (network protection G01 a private cloud version)

① Mapping of business assets Information assets such as servers, Web applications, external services, port opening, and account information are sorted out to help operation and maintenance personnel understand the business environment。 (2) Controllable security risks By associating risks with assets, security and operation and maintenance personnel can quickly grasp the risk coverage and locate risks, improving risk handling efficiency。 ③ Compliance check You can use baseline scanning to check Intranet assets for compliance and discover potential security problems。

① Security protection: Continuous dual protection of the operating system and Web business applications; Boundary management: Customize virtual security boundaries across physical networks, customize access control policies based on roles, and achieve application security domain division and control; ③ Advanced check: built-in a variety of scan templates, automatically scan the selected server, the registry, a variety of configuration files, strings in the file, ports, process configuration, generate scan reports; (4) Risk monitoring: For the software, middleware and version, website and the type of application system used by the website, identify the security risk points, and establish risk files to achieve the risk assessment of the entire business environment ⑤ Asset management: Combing user assets with five dimensions of server, website, service, port and account, so that users can grasp the security operation of all their assets; ⑥ Event management: Extract and associate valid log information to form a complete chain of security event records, automatically trace back the attack process, and generate event analysis reports 7 System management: According to the requirements of hierarchical protection to achieve the separation of powers, the establishment of super administrator, system administrator and audit administrator three roles, and user operations, security configuration

User value

Internal network integrated protection centralized monitoring management situation awareness analysis and other insurance compliance inspection

Situational awareness

① Real-time attack and defense log data extraction: Collect network attack logs, host attack logs, vulnerability logs, baseline inspection logs, Trojan sample data, and dark chain data to form a basic security database, integrate other types of security data, and carry out effective clue extraction and mining to complete traffic attack and host attack event monitoring。 ② Real-time perception of critical information system attack events: Real-time monitoring of important information systems being attacked, security event distribution, attack source distribution, attack means and change trend, from the point and surface to form a nationwide security protection and threat perception。 ③ Major security event alarm and source tracing: Alarms are generated for major security events to form a portrait of the attack source, providing strong data support for subsequent case investigation and evidence collection。 ④ Safety trend prediction: Comprehensively analyze the attack trend from multiple dimensions, such as time distribution, space distribution, attack means distribution, attack source distribution, attacked system, attacked unit, and attacked area, comprehensively describe the global attack situation and attack scenario, analyze attack intent, and identify potential risks and threats。

Deployment structure

The network defense G01 deployment consists of cloud center deployment and Agent deployment

Registration and installation

Network defense G01- Public cloud version

The system is divided into "basic protection version" and "advanced protection version" two versions, to the party and government organs, state-owned enterprises and institutions as the service object, in the form of "product + service" to provide users with professional attack monitoring and security protection services。 Server Basic protection: Website vulnerability protection http request header protection IP blacklist and whitelist Site background protection Domain name malicious resolution protection http response content protection Anti-cc attack File upload protection Anti-port scanning Sensitive word filtering Document monitoring and protection System hardening Website anti-theft chain Server optimization self-protection

Advanced protection: Known web Trojans automatically quarantine Deserialization vulnerability protection Unknown web Trojan real time protection Protection against arbitrary file read vulnerability Unknown SQL injection vulnerability protection Command execution vulnerability protection Unknown upload vulnerability protection Fortress lock Struts2 Vulnerability protection Process behavior analysis

Network defense G01- Public cloud version

With a simple and easy-to-use design, small and medium-sized enterprises and IDC room as the service object, with a one-click switch mode to freely switch the "basic protection" and "advanced protection" functions, effectively resist common network attacks。 Value-added services: For important industries, departments to provide value-added services (remote + manual) mode, all-round solution to user security needs。 Safety analysis report Monthly, quarterly, and annual reports provide users with security analysis reports on protection targets, and conduct professional analysis on their attacks, protection, security threats, system resources, and performance Security consulting service Professional and customized policies are configured for G01 advanced protection policies based on user protection requirements and protection priorities.Provide daily security product information, security situation, construction plan consultation, network environment optimization and other services。 Information system asset detection and major risk early warning Collect hardware, software, middleware, system and other information of external and internal network information systems, continuously pay attention to and match vulnerability and risk information, and push risk reports and rectification suggestions in a targeted manner。 On-site emergency service When the customer website is attacked or there is a serious failure, the user takes the initiative to initiate the emergency service mechanism to assist the customer to solve the sudden problem of network attack in a timely manner。 Remote security duty on sensitive days During sensitive days such as the two sessions, major events, important national foreign affairs activities, etc., remote security guard and monitoring of the protection server to ensure that the customer website does not have problems Penetration testing service Organize security researchers to conduct in-depth penetration tests on target information systems, business systems and websites and issue professional evaluation reports, and give professional opinions and suggestions on security construction, system rectification and risks。 Unit threat intelligence data push Unit incident intelligence: The content will include relevant vulnerabilities, clues to the relevant topics discussed by the unit in cyberspace, and data leaked by the unit on the Internet; Suspected risk account leakage intelligence: to monitor the core account data leakage of personnel in a specific unit, and to monitor the underground trading activities of relevant user data of the unit。 Website vulnerability scanning Rely on cloud scanner, powerful vulnerability library, effectively scan websites。System vulnerability information, and issue professional security analysis report。 Network security training Professional security researchers are hired to conduct technical training on information security architecture, system security, application security, database security, internal network security, social engineering, etc., to improve the ability of system operation personnel and security management personnel。 Organization customized threat intelligence reports Based on intelligence clues (information leaks, attacks, vulnerabilities, etc.), carry out remote and on-site cyber attack investigation, analysis, tracking and tracing, and organize and output detailed intelligence analysis reports。

Network defense G01- Public cloud version

By the end of 2017, in order to strengthen network security work, a total of 12 provincial public security departments, 19 prefecture-level public security bureos, and 9 vertical industries have issued formal recommended installation documents, and more than 100 large-scale network defense G01 promotion conferences have been held。

Security protection during the September 3rd Parade

During the September 3rd military Parade，G01 network protection includes a total of 12,458 websites of government, central enterprises and public institutions (concentrated in Beijing)，Intercept SQL injection during parade,web application vulnerability analysis, malicious access and other types of attacks more than 5.72 million times，More than 20 reports have been issued，That's up 217% year on year。During this period, through the analysis of attack data, the attack IP of the Ministry of Commerce, China Weapons and other websites was traced to the source, and through the analysis of the attack mode, we understood the hidden attack mode of the attacker, which can quickly break the protection of conventional protective equipment。During the September third military parade, the network defense G01 protection website was not found to have been breached, so it was thanked and affirmed by the relevant departments of public security.

Henan "Shanghai Cooperation Summit" security protection

The 2015 SCO Summit was held in Zhengzhou, Henan Province，During this period, he provided security services in support of Henan Public Security，As of December 14, 2015，Network defense G01 system in Henan Province (concentrated in Zhengzhou) security deployment of 300 servers，2967 protected websites，It has monitored and blocked nearly 1 million website attacks penetrating the front firewall, IPS and other defense devices，More than 60 reports have been issued。By deploying the real-time network anti-G01 system, it can detect and prevent external hacker attacks in time。Maintain the image of government units and enterprises, and ensure the security of the website during the Shanghai Cooperation Conference。

State Food and Drug Administration

Since September 2016, the website of the General Administration has been subjected to a large number of CC attacks, seriously affecting the normal data query, and a large number of CC attacks have been blocked after the installation of network anti-G01。Help the General Administration to check web Trojan files。Handle web Trojan attacks。In order to ensure the normal work of the data query of the General Administration。Provide strong support to eliminate website security risks。

19th Party Congress security

Intercepts more than 2 million cyber attacks every day，Cooperate with some provincial and municipal public security departments to carry out real-time network monitoring and emergency response work，Handled more than 20 cases,Found and killed more than 300,000 webshell attack events，More than 300 safety analysis reports have been issued，There was no breach of the protection target。

G20 Summit

During the G20 cyber security Summit，Under the guidance of the public security organs，Major industries and departments Install network anti-G01，Attack detection and protection of websites and Web systems，More than 8.7 million cyber attacks were intercepted during the period，More than 80 reports have been issued，Among them, there were more than 3.2 million SQL injection attacks，File download attacks more than 2 million times，There were more than 1.4 million attacks on various program vulnerabilities,More than 10,000 Trojan horse activities were detected。Network defense G01 project team won the "Outstanding collective security contribution", and got the relevant individual G20 Summit network security group thank-you letter。

Government website integrated protection system，Now renamed: Application host Integrated Protection System "Network Anti-G01")，The system has passed the inspection of the Computer information system Safety Product Quality supervision and inspection Center of the Ministry of Public Security，In the "Government website comprehensive protection system technology demonstration meeting"，The expert group headed by Academician Ni Guangnan highly recognized the network defense G01，The consensus is that "this system is low cost，Work well，Can effectively monitor and protect against the intrusion of the website。It is suggested that the competent authorities will use the network anti-G01 as the basic equipment for website security protection in China."。

Answer common questions for users

1. What are the protection features of G01?

Kernel-level security protection: Three layers of unified security protection and monitoring of websites, operating systems and system applications, simplifying operation and maintenance and intelligent management and control。Provide users with a free version to achieve basic network protection, and a paid version to achieve advanced protection against unknown threats, the perception and monitoring of the unit's network security situation

2. What does threat intelligence refer to in the feature protection function of network defense G01?

It mainly helps users to grasp whether the data of the unit is sold on the black market, and provides relevant intelligence insiders and assists with the source, aiming to eliminate the information asymmetry in the field of network security and reduce the related losses caused by it。

3. Check whether anti-G01 conflicts with other security software on the server?

Network-proof G01 fully supports windows.linux, Kirin and other market mainstream server operating systems;Fully compatible with IIS, Apache, Tomcat, webllogic and other mainstream web applications。

4, whether the network anti-G01 affect the system performance, drag down the website response?

After the inspection of the Information security product testing center of the Ministry of Public Security, the resource occupancy rate is less than 3%, the operation is stable, and will not affect the normal operation of the website and server。After the actual use of tens of thousands of websites, the effect is good

5, network anti-G01 can protect Oday exploit attacks?

Netproof GO1 does not adhere to the characteristics of the vulnerability, but identifies and protects the malicious behavior of the exploitation of the vulnerability, whether known or unknown。Can be effectively protected。

6. A large number of security devices have been deployed. Is it still necessary to deploy network anti-G01 ?

Different types of security devices from web server front ends。Network Defense G01 is deployed in the web server system, at the deepest level of the entire defense system。Always guard the website "The Last Door"

By the end of 2019, the G01 system had more than 2,600 users of Party and government organs, enterprises and institutions, including 112 ministries and central enterprises, and more than 2,500 other party and government organs and state-owned enterprises and institutions。More than 25,000 servers have been installed and deployed, and more than 830,000 websites have been protected。The important information system of G01 has been installed without web pages being tampered with, data mining being stolen, hacker intrusion and other security problems, and the protection ability has been effectively tested。

A total of 34 local service stations have been set up in all provinces, autonomous regions and municipalities，It covers 31 provinces，Provide technical support for website security monitoring, emergency disposal and notification early warning to local regulatory authorities;Provide security consulting, installation and deployment, after-sales operation and overall security solutions for party and government organs, enterprises and institutions，The provinces are service stations for contact information at www.qov110.cn.