Security requirements of e-government system
The particular security demand of e-government is to reasonably resolve the tension between network openness and security: while information keeps flowing smoothly through the e-government system, unauthorized access and attacks must be effectively prevented from damaging it.

At the technical level, in addition to traditional security measures such as anti-virus and firewalls, the special security requirements of e-government show up mainly in the following aspects.

1. Security island

In e-government applications there is inevitably a need to exchange information between the intranet, the private network and the extranet. Because intranet data is confidential, however, the intranet should not be exposed to the external environment. An effective solution is to establish a security island that filters information passing between the internal and external networks, keeping the two physically isolated while still allowing secure data exchange between them. The security island is a special transitional network, independent of the internal and external networks of e-government, located at the boundary between the internal network, the private network and the external network. On the one hand, it physically isolates the internal network from the external network, so that attackers cannot use vulnerabilities or other attacks to enter the internal network. On the other hand, it carries out data transmission and secure exchange between the internal and external networks under the control of a security policy.

GAP technology is the key technology for implementing the security island. It switches back and forth between the internal and external networks like a high-speed switch, so there is never a connection between the two and they remain physically isolated. On this basis, the isolation gateway acts as a proxy: it extracts the data from the external network's access packets and then passes it to the internal network through the reflection switch to complete the transfer. During the transfer, the isolation gateway checks the protocol and content of the extracted data at the application layer and filters IP packet addresses. Because of the gateway's switching mechanism, the network is actually disconnected while these inspections run, and only data that passes the strict inspection can enter the intranet. Even if an attacker forcibly attacks the isolation gateway, the internal and external networks are physically disconnected whenever the attack occurs, so the attacker cannot enter the internal network. And because the isolation gateway only exchanges extracted data into the intranet, the intranet is not exposed to network-layer attacks, so data can be exchanged safely while physical isolation is maintained.
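
The transfer sequence described above, modeled as an added example (not code from the original page or from any gateway product). The Gap type, the record allow-list pattern and the sample payloads are constructed for illustration; the model shows that inspection runs while the switch is attached to neither network and that rejected data never reaches the inner side.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Side is the network the gateway's single buffer is attached to.
type Side int

const (
	None  Side = iota // switch open: attached to neither network
	Outer             // attached to the external network
	Inner             // attached to the intranet
)

// record is the application-layer allow-list, constructed for this example:
// one short key=value line of printable ASCII.
var record = regexp.MustCompile(`^[a-z_]{1,16}=[ -~]{1,48}$`)

// Gap is a hypothetical model of the isolation gateway, not a product API.
type Gap struct {
	Pos   Side     // current switch position
	Inbox []string // records the intranet actually receives
}

// Transfer carries one payload across; only the extracted data is copied,
// never the original packet's headers or addresses.
func (g *Gap) Transfer(payload []byte) (trace []Side, err error) {
	step := func(s Side) { g.Pos = s; trace = append(trace, s) }
	step(Outer) // attach outside and extract the data
	buf := append([]byte(nil), payload...)
	step(None) // detach: inspection runs with both networks disconnected
	if !record.Match(buf) {
		return trace, errors.New("rejected by content inspection")
	}
	step(Inner) // attach inside and deliver
	g.Inbox = append(g.Inbox, string(buf))
	step(None)
	return trace, nil
}

func main() {
	g := &Gap{}
	fmt.Println(g.Transfer([]byte("doc_id=2024-117")))       // constructed input
	fmt.Println(g.Transfer([]byte("\x16\x03\x01 tunnel=1"))) // constructed input
	fmt.Println(g.Inbox)
}
```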

With isolation gateway technology at the core, adding VPN communication authentication, encryption, intrusion detection and virus scanning of the data forms an information security island, which achieves secure data exchange on the basis of physical isolation.

2. Control of network domain

The e-government network should be strictly controlled: only certified equipment may access the network, and its access range should be clearly defined. This is also very important for the network security of e-government. However, most current networks are based on the TCP/IPv4 protocols and do not have this control capability. The control and management of the e-government network can be strengthened by using 802.1X switches with network access authentication. The 802.1X protocol authenticates access devices and thereby controls which devices can join the network. Authentication can be strengthened by using third-party authentication systems such as RADIUS, TACACS and CA. 802.1X puts the e-government network in a centralized, manageable state, which makes various network domain management strategies possible.

3. Standard time source

Time has particular significance in e-government security. The time stamp on government documents is an important basis and evidence for policy implementation, and the time stamp on government information in transit is an important indicator for preventing online fraud. Time is also the reference that lets government departments work together. The e-government system therefore needs a credible, unified time source for the whole system, which is key to keeping the system from falling into disorder. Such a time source can be established by adding digital signatures to standard time sources (such as local observatories and TV stations). The purpose of the digital signature is to prevent the time from being tampered with during transmission.

4. Information encryption

E-government applications cover two areas: internal government office work and public-facing information services. For internal office work, the e-government system handles the circulation of official documents between departments, between superiors and subordinates, and between regions. These documents often carry a confidentiality level and must be kept strictly confidential. Appropriate encryption must therefore be applied to information in transit. IPsec-based encryption is widely used, and its advantages are obvious: IPsec is transparent to the application system and offers strong security, which suits the development of the very large applications of e-government, and application developers do not have to think much about encryption of data in transit. IPsec can be applied in many ways; an IPsec gateway is an ideal choice and is also easy to deploy and maintain.

5. Operating system

One important foundation of network security is a secure operating system, because all government applications and security measures (including firewalls, antivirus, intrusion detection, etc.) rely on the operating system for underlying support. A vulnerability or improper configuration in the operating system may bring down the whole security system. More dangerously, we cannot guarantee that operating system products from foreign manufacturers have no back doors. For operating system security, two points are worth considering: first, adopt products with independent intellectual property rights whose source code is open to the government; second, use vulnerability scanning tools to regularly check for system vulnerabilities and configuration changes so that problems are found in time.

6. Data backup and disaster recovery

No security measure can guarantee that data is absolutely reliable. Hardware failures, natural disasters and unknown virus infections may all lead to the loss of important government data. Disaster-tolerant data backup must therefore be part of the e-government security system, and it is best to keep the backups at a different location.
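
An added example for the signed standard time source of section 3 (not code from the original page): the time source signs each clock reading and the client verifies the signature before trusting the time. Ed25519, the Reply format, the label string and the demo key are assumptions made for illustration; the client nonce goes beyond the text and stops an old signed reading from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Reply is a hypothetical wire format for one signed clock reading.
type Reply struct {
	Nonce string // echoed from the client's request
	Unix  int64  // source clock, seconds since the epoch
	Sig   []byte
}

// signedBytes is what the signature covers: label | time | nonce.
func signedBytes(nonce string, unix int64) []byte {
	return []byte(fmt.Sprintf("time-source-v1|%d|%s", unix, nonce))
}

// Stamp runs at the time source, which alone holds the private key.
func Stamp(priv ed25519.PrivateKey, nonce string, unix int64) Reply {
	return Reply{Nonce: nonce, Unix: unix, Sig: ed25519.Sign(priv, signedBytes(nonce, unix))}
}

// Verify runs at each client, which holds only the source's public key.
func Verify(pub ed25519.PublicKey, sent string, r Reply) (time.Time, error) {
	if r.Nonce != sent {
		return time.Time{}, fmt.Errorf("nonce %q does not match request %q: replayed reply", r.Nonce, sent)
	}
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Unix), r.Sig) {
		return time.Time{}, fmt.Errorf("bad signature: reading %d was altered", r.Unix)
	}
	return time.Unix(r.Unix, 0).UTC(), nil
}

// demoKey derives a pair from a constructed all-zero seed so runs repeat;
// a real source would create its key with ed25519.GenerateKey.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	r := Stamp(priv, "req-0001", 1700000000)
	fmt.Println(Verify(pub, "req-0001", r))
	r.Unix += 3600 // reading altered in transit
	fmt.Println(Verify(pub, "req-0001", r))
}
```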