What preventive measures have been taken to ensure the security of the government network?
Principles of e-government network construction

To meet the objectives of an e-government network, Huawei proposes adhering to the following principles during e-government construction: build a highly secure, reliable and manageable e-government system based on government needs.

Unified network planning

Under the unified deployment of the national leading group, e-government construction should follow an overall network plan, be advanced layer by layer and implemented step by step, so as to avoid duplicated construction.

Perfect security system

The core concept of network security is giving equal weight to technology and management. Following the ISO 17799 information security management standard is recommended. Security management is the key to information security: personnel management is the core of security management, security policy is its basis, and security tools are its guarantee.

Strict equipment selection

When selecting network equipment for an e-government network, it is not enough to consider business needs, future growth and technical feasibility; the possibility of network backdoors must also be ruled out. Provided the functional and performance requirements are met, priority should be given to products from domestic manufacturers with independent intellectual property rights, so that the security of the e-government network starts with equipment selection.

Integrated information management

The core idea of information management is unified management with decentralized control: formulate annual IT plans; provide IT operation support and problem management; manage user service levels and user satisfaction; and cover configuration, availability, IT facility, security, IT inventory and asset, performance and capacity, and backup and recovery management. This raises the utilization value of the system and reduces management cost.

E-government network architecture

The National Leading Group's Guiding Opinions on the Construction of E-government in China defines the structure of the e-government network: it consists of a government intranet and a government extranet, which are physically isolated from each other, while the government extranet is logically isolated from the Internet. The government intranet mainly carries classified government information, so to protect the core secrets of the party and the government it must be physically isolated from the external network. The government extranet is the government's dedicated business network; it mainly runs the public-facing services of government departments and the business that does not need to run on the intranet, and it is logically isolated from the Internet. In terms of scale, both the intranet and the extranet can be built as local area, metropolitan area or wide area networks; in terms of hierarchy, both can be built in a planned way following the backbone layer, aggregation layer and access layer model.

Figure 1: e-government network architecture

Based on the design ideas and application requirements of e-government and the special security requirements of government departments, we strictly follow the guiding opinions of the national leading group for e-government construction and adopt layered construction with layer-by-layer protection of services and networks as the guiding principle for the overall construction of the government intranet and extranet. Logically and by service, the network is structured as follows:

Figure 2: Logical hierarchy of e-government internal and external networks

The interconnection support layer is the foundation of the e-government network and is planned, built and managed by the network center. It uses broadband IP technology to interconnect the networks, provides bandwidth guarantees with a defined QoS, provides logical isolation (VPN) between the networks of the various departments and systems, and enforces security control over access between them.

The security system is a monitoring system that protects users' access and data on the e-government network through authentication, encryption, authority control and other technologies. It is relatively independent of the interconnection support layer and is planned and deployed by the network center together with the various departments and units.

The business application layer realizes the various applications of the government network on the basis of secure interconnection; it is planned and implemented uniformly by the network center and the various system units.

The Core Idea of Huawei's E-government Solution

Comprehensive network security

Building a secure e-government network is the key to e-government construction, and security must be addressed through both management and technology. At the technical level, Huawei provides defense, isolation, authentication, authorization, policy and other means to ensure network security; at the equipment level, Huawei's self-developed series of routers, switches and firewalls, the CAMS integrated security management system and the unified VRP network operating system secure the e-government network.

For government systems, Huawei provides the i3 security three-dimensional end-to-end integrated security architecture. Under this framework, security can be viewed not only from the familiar network level but also from the dimensions of time and space, which greatly widens the security perspective and gives a model and the ability to consider and implement security protection comprehensively.

Figure 3: Huawei i3 security 3D end-to-end integrated security architecture

(1) Huawei i3 security 3D end-to-end integrated security architecture

i: intelligence, comprehensiveness and individuality;

3: end-to-end in three dimensions: time, space and network;

security: the security architecture of all-IP information networks.

(2) End-to-end security across network levels (network layer, user access layer and business layer)

Security threats may exist at all levels of the network. Huawei's integrated security architecture fully embodies the layered idea of network security prevention, and carries out targeted prevention according to the characteristics of different network levels.

Network layer: ensure the security of basic networks such as network routing and network equipment;

User access layer: ensure that only legitimate users gain access, that they reach only the permitted network scope, and that user access is secured, for example by isolating user information;

Business layer: ensure the legality and security of users' access to content.

Huawei's i3 security integrated security architecture adds many hardening measures against the weaknesses of traditional networks at the user layer, such as user access authentication, address theft prevention and access control.

(3) Time (before and after) end-to-end security concept

In the past, government paid more attention to the network's preventive capability, investing in user authentication, intrusion detection, DoS attack prevention, firewalls and so on, but rarely implemented effective measures for after-the-fact tracing. Before and after a security incident the network needs different kinds of support, and the cost and technical difficulty of the two also differ greatly:

Prevention in advance: strengthen the robustness of the whole network, mainly through data isolation, encryption, filtering, management and other technologies;

Post-event tracing: Huawei's i3 security architecture provides logging at the network level. By recording the port through which a user came online and the time and place of each visit, it gives full online traceability and provides first-hand information for later analysis.
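The kind of post-event tracing described above depends on correlating access-layer records (user, switch port, time, location) into sessions that an investigator can query afterwards. The following is an added example, not Huawei's code and not part of the original page; the log line format, the switch and user names and the field names are all constructed assumptions.

```python
"""Post-event traceability over access-layer session logs (added example).

Pairs LOGIN/LOGOUT records per (switch, port) into sessions so that an
investigator can answer "which account was on this port at this time?"
and "where and when was this user online?" after an incident.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records; the format below is an assumption, not a real
# product log format:
#   <ISO timestamp> <LOGIN|LOGOUT> user=<id> switch=<name> port=<id> location=<site>
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN user=zhang.w switch=sw-fl3-01 port=GE0/0/12 location=BldgA-F3
2024-03-04T08:05:42 LOGIN user=li.m switch=sw-fl3-01 port=GE0/0/15 location=BldgA-F3
2024-03-04T12:10:05 LOGOUT user=zhang.w switch=sw-fl3-01 port=GE0/0/12 location=BldgA-F3
2024-03-04T12:30:00 LOGIN user=wang.q switch=sw-fl3-01 port=GE0/0/12 location=BldgA-F3
2024-03-04T17:45:31 LOGOUT user=li.m switch=sw-fl3-01 port=GE0/0/15 location=BldgA-F3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) "
    r"switch=(?P<switch>\S+) port=(?P<port>\S+) location=(?P<location>\S+)$"
)


@dataclass
class Session:
    user: str
    switch: str
    port: str
    location: str
    start: datetime
    end: Optional[datetime] = None  # None: still online when the log ends


def build_sessions(log_text: str) -> List[Session]:
    """Turn raw LOGIN/LOGOUT lines into sessions keyed by (switch, port)."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    closed: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real collector would count and alert on these
        ts = datetime.fromisoformat(m["ts"])
        key = (m["switch"], m["port"])
        if m["event"] == "LOGIN":
            prev = open_sessions.pop(key, None)
            if prev is not None:
                # Port changed hands without a LOGOUT: close the old session here
                prev.end = ts
                closed.append(prev)
            open_sessions[key] = Session(m["user"], m["switch"], m["port"], m["location"], ts)
        else:
            cur = open_sessions.get(key)
            if cur is not None and cur.user == m["user"]:
                cur.end = ts
                closed.append(open_sessions.pop(key))
    closed.extend(open_sessions.values())  # sessions still open at end of log
    return sorted(closed, key=lambda s: s.start)


def who_was_on_port(sessions: List[Session], switch: str, port: str,
                    at: datetime) -> Optional[Session]:
    """Return the session occupying a port at a given instant, if any."""
    for s in sessions:
        if s.switch == switch and s.port == port and s.start <= at \
                and (s.end is None or at < s.end):
            return s
    return None


def sessions_for_user(sessions: List[Session], user: str) -> List[Session]:
    """All sessions of one account, in time order (where and when they were online)."""
    return [s for s in sessions if s.user == user]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    hit = who_was_on_port(sessions, "sw-fl3-01", "GE0/0/12", datetime(2024, 3, 4, 10, 0))
    print(hit.user if hit else "nobody")
```

Pairing by port rather than by user is what makes the record useful after the fact: a port that is reused without a matching LOGOUT is closed at the next LOGIN, so the answer to "who was here at 10:00" never silently overlaps two accounts.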

(4) The concept of end-to-end space security (external network and internal network)

External network: protect information through VPN and encryption, and block network attacks with a network firewall and an antivirus firewall, with the focus on prevention;

Intranet: identify users so that legitimate users access only the permitted network scope, keep access records, and focus on monitoring.

At present the government intranet is a classified private network and the government extranet is an office private network. The two are built separately under the strict physical isolation required by Document No. 17 to ensure the security of the government network.

Huawei's three-dimensional integrated security architecture thus provides end-to-end integrated security services.

Figure 4: Huawei i3 security 3D end-to-end integrated security architecture.

As online applications on the government network grow and the network reaches further into people's lives, the contest between intrusion and anti-intrusion, theft and anti-theft will certainly escalate. Securing the government network is a systematic project that can only be achieved on multiple levels and fronts at once: through network management, user management, business management, management systems and other measures.

Perfect end-to-end reliability

Network reliability mainly refers to the network continuing to provide uninterrupted service when equipment or the network fails. It is generally achieved through the reliability of the equipment itself and the reliability of the network design, which includes the following:

(1) Equipment reliability

Huawei's full range of data products adopts a carrier-grade reliability design. Huawei's high-end routers and switches use a distributed architecture with no single point of failure. A passive backplane supports true hot swapping and hot standby, and key components such as the switching fabric and the route processing system are designed with redundant hot standby, fully meeting the e-government network's requirement for highly reliable equipment.

(2) Reliability of network design

While keeping investment under control, certain backbone nodes of the e-government network can use VRRP dual-device backup or RPR ring self-healing protection, and the links to the backbone transmission network can be designed as dual-homed links or as RPR self-healing rings, so that single points of failure are avoided at the networking level as well.
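VRRP dual-device backup, mentioned above, works because the two routers share a virtual address and elect a master; a backup takes over when the master stops advertising, and the election rules decide which backup wins and how fast. The model below is an added example, not Huawei's code and not part of the original page; it follows the VRRP election rules (highest priority wins, ties broken by the higher primary IP, priority 255 for the virtual-address owner, Master_Down_Interval = 3 x Advertisement_Interval + Skew_Time). The router names, addresses and priorities are constructed.

```python
"""VRRP master election and failover timing (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ADVERT_INTERVAL = 1.0  # seconds; the protocol default


@dataclass
class Router:
    name: str
    ip: str            # primary address on the VRRP interface
    priority: int      # 1..254 for backups; 255 marks the virtual-address owner
    alive: bool = True
    preempt: bool = True


def master_down_interval(priority: int) -> float:
    """Seconds a backup waits without advertisements before claiming Master.

    Skew_Time = (256 - Priority) / 256, so the highest-priority backup times
    out first and the group converges without an explicit negotiation.
    """
    return 3 * ADVERT_INTERVAL + (256 - priority) / 256.0


def elect_master(routers: List[Router]) -> Optional[Router]:
    """Highest priority wins; equal priorities are broken by the higher primary IP."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(IPv4Address(r.ip))))


def takeover_after_failure(routers: List[Router], master_name: str,
                           last_advert_time: float) -> Tuple[Optional[Router], Optional[float]]:
    """The master falls silent right after last_advert_time.

    Returns the backup whose Master_Down timer expires first (ties to the
    higher IP) and the moment it transitions to Master.
    """
    backups = [r for r in routers if r.alive and r.name != master_name]
    if not backups:
        return None, None
    winner = min(backups, key=lambda r: (last_advert_time + master_down_interval(r.priority),
                                         -int(IPv4Address(r.ip))))
    return winner, last_advert_time + master_down_interval(winner.priority)


def on_master_return(routers: List[Router], current_master_name: str,
                     returned: Router) -> str:
    """When a failed router comes back it reclaims Master only if it preempts
    and its priority is strictly higher than the current master's."""
    current = next(r for r in routers if r.name == current_master_name)
    if returned.preempt and returned.priority > current.priority:
        return returned.name
    return current_master_name


def run_scenario() -> List[str]:
    """Constructed two-node-plus-one scenario, returned as a list of events."""
    routers = [Router("rtr-a", "192.0.2.1", 120),
               Router("rtr-b", "192.0.2.2", 110),
               Router("rtr-c", "192.0.2.3", 100)]
    events = []
    master = elect_master(routers)
    events.append(f"t=0.0 master={master.name}")
    routers[0].alive = False  # rtr-a fails just after its advertisement at t=5.0
    backup, t = takeover_after_failure(routers, master.name, 5.0)
    events.append(f"t={t:.4f} {backup.name} takes over")
    routers[0].alive = True
    events.append(f"rtr-a returns, master={on_master_return(routers, backup.name, routers[0])}")
    return events


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

The skew term is the detail worth noticing for reliability planning: with two backups of different priority the higher one always wins the race, and the failover takes just over three advertisement intervals, which is the service gap the design has to tolerate.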

In addition, backup center technology can provide a backup interface for any interface on the router: any interface can serve as the backup for other interfaces (or logical links), and the logical links on an interface can themselves be backed up.

Through this flexible backup mechanism and mature technology, backup resources are fully used and the reliability of network interconnection is ensured.

Simple and efficient maintenance and management

Government networks have many densely placed information points and therefore a large number of network devices, especially the floor switches that connect end users. Huawei's network management system supports unified management, topology management, a graphical interface, real-time audible and visual alarms and a Chinese-language interface. At the same time, Huawei's group management protocol HGMP can dynamically discover large numbers of floor switches, generate the topology dynamically and configure them automatically, which reduces the workload of network managers and improves efficiency.

Rich business carrying capacity

An important feature of government informatization is that business drives network demand: applications are constantly updated and the requirements placed on network equipment keep rising. In such a dynamic network, the service-carrying capacity of the equipment itself is critical. Huawei has therefore introduced technology based on a fifth-generation network processor, which allows new services with special requirements on the network platform to be customized and supported quickly, protecting the continuity of the investment in network equipment.

MPLS VPN offers strong scalability and very high performance. It lets the e-government network accommodate business growth and change, be expanded and upgraded smoothly, and keep changes to the network architecture and equipment to a minimum. As one of the few vendors able to provide MPLS technology across the whole network, Huawei is committed to providing the government with a triple play of data, voice and video on the basis of advanced MPLS VPN technology.
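The logical isolation between departmental networks that the interconnection support layer provides through VPN, and the MPLS VPN described in this section, both rest on the same mechanism: each department's routes are carried with a route distinguisher (RD) and route-target (RT) communities, and a provider-edge router imports a route into a department's VRF only when the route's RTs match that VRF's import list. The model below is an added example, not Huawei's code and not part of the original page; it shows two departments that cannot see each other's prefixes plus a shared-services VPN that both can reach. The PE names, loopbacks, prefixes and RT values are constructed.

```python
"""MPLS L3VPN route-target isolation between departments (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class VpnRoute:
    rd: str                        # route distinguisher: keeps overlapping customer prefixes distinct
    prefix: str
    next_hop: str                  # advertising PE loopback, the label-switched path endpoint
    route_targets: FrozenSet[str]  # extended communities attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    connected: List[str] = field(default_factory=list)        # prefixes learned from the CE
    table: Dict[str, VpnRoute] = field(default_factory=dict)  # remote prefixes imported here


class PE:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs: Dict[str, Vrf] = {}

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def advertise(self) -> List[VpnRoute]:
        """MP-BGP export: tag each VRF's connected prefixes with its RD and export RTs."""
        return [VpnRoute(v.rd, p, self.loopback, frozenset(v.export_rts))
                for v in self.vrfs.values() for p in v.connected]

    def receive(self, routes: List[VpnRoute]) -> None:
        """Import a route into every VRF whose import RTs intersect the route's RTs;
        a VRF with no matching RT never learns the route, which is the isolation."""
        for r in routes:
            for v in self.vrfs.values():
                if v.import_rts & r.route_targets:
                    v.table[r.prefix] = r


def reachable(pe: PE, vrf_name: str) -> List[str]:
    """Prefixes a department site behind this PE and VRF can reach."""
    v = pe.vrfs[vrf_name]
    return sorted(set(v.connected) | set(v.table))


def build_backbone() -> Dict[str, PE]:
    """Two PEs, two department VPNs and one shared-services VPN (constructed values)."""
    pe1, pe2 = PE("PE1", "10.255.0.1"), PE("PE2", "10.255.0.2")
    # Each department VRF imports its own RT plus the shared-services RT.
    for pe in (pe1, pe2):
        pe.add_vrf(Vrf("finance", "65000:100", {"65000:100", "65000:300"}, {"65000:100"}))
        pe.add_vrf(Vrf("hr", "65000:200", {"65000:200", "65000:300"}, {"65000:200"}))
    pe1.vrfs["finance"].connected = ["10.1.0.0/24"]
    pe1.vrfs["hr"].connected = ["10.2.0.0/24"]
    # The shared-services VRF (e.g. a portal) imports both departments and exports its own RT.
    pe2.add_vrf(Vrf("shared", "65000:300", {"65000:100", "65000:200"}, {"65000:300"}))
    pe2.vrfs["shared"].connected = ["10.3.0.0/24"]
    # MP-BGP exchange between the two PEs
    pe2.receive(pe1.advertise())
    pe1.receive(pe2.advertise())
    return {"PE1": pe1, "PE2": pe2}


if __name__ == "__main__":
    pes = build_backbone()
    for pe_name, vrf_name in (("PE2", "finance"), ("PE2", "hr"), ("PE2", "shared")):
        print(pe_name, vrf_name, reachable(pes[pe_name], vrf_name))
```

The check a reviewer of such a design makes is exactly the one the model encodes: list every RT a VRF imports, and confirm that no department VRF imports another department's export RT unless an explicit extranet such as the shared-services VPN is intended.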