#1#: The production environment runs in cluster mode: 2+N nodes provide the service, the central node performs no O&M itself, and every node shares the O&M load, so that the large-scale production runs every Friday and at the end of each month are served stably for development and O&M staff. It now manages thousands of assets and over 10,000 device accounts. The bank's O&M model follows the principle that every non-query account requires dual-person review for O&M, and that any change operation must be supervised by a second person;
#2#: The head office uses 2 bastion hosts in decentralized (SaaS-like, multi-tenant) mode; each branch is divided into departments through the same decentralized mode, and the resources inside each department are managed autonomously without interfering with one another;
#3#: 2 bastion hosts are deployed in the same-city disaster-recovery environment, kept consistent with the production environment in version and content, as a cold backup;
#4#: 2 bastion hosts in the test environment, one each for the new and the old version, provide a test environment for integrating with and developing against other platforms and for optimizing and validating upgrade packages before they reach production.
Project Pain Points:
In response to the higher-level unit's directive on migration to the national cryptographic (SM) algorithms, every financial enterprise must migrate its internal core business to SM cryptography, and this bank is one of them. The bastion host is a key part of this migration: within a short period the bank had to migrate the bastion host's authentication, transmission channel, storage and non-repudiation mechanisms to SM algorithms, so the bastion hosts currently in use urgently needed an upgrade to meet the specified SM migration requirements.
According to the bank's needs and the regulatory requirements, Palladium provided a complete SM migration plan for all the production bastion hosts the bank currently has deployed, specifically:
1. Migrate the bastion host's authentication method and password storage to SM cryptography, so that both authentication and the underlying password storage use SM algorithms and meet the supervisory unit's SM migration requirements.
2. Migrate the bastion host's data non-repudiation and transmission channel: this project implements signing and verification of key operations on the bastion host (non-repudiation) and migrates the HTTPS channel to SM cipher suites.
The specific implementation is as follows:
1. Authentication method
In this project the bastion host uses an SM dynamic-token system for identity authentication. The token uses SM algorithms to encrypt sensitive authentication information in transit. Users assigned the dynamic-token policy must enter the 6-digit dynamic code shown on the token bound to them, together with their other credentials, in order to log in.
In addition, this migration integrates with the bank's own SM unified authentication platform. Authentication information is stored on that platform, and both its transmission and its storage are protected by SM algorithms. Both methods are configured as two-factor authentication on the bastion host, ensuring that identity authentication is backed by the national cryptographic algorithms.
2. Data storage
Sensitive information stored on the bastion host, such as escrowed asset passwords and users' local passwords, is encrypted with SM algorithms before it is stored.
3. Transmission channel
By migrating the transmission channel, this project improves the confidentiality of data in transit and guarantees its integrity. As a result, the bank's O&M staff perform business operations from the front end through a dedicated SM-capable browser.
4. Data non-repudiation
After the upgrade, the bastion host administrator must insert the SM USBKey in order to configure the bastion host. Once the administrator's identity is verified, each operation command is signed and the signature is transmitted to the bastion host together with the instruction, so that the operation cannot later be denied.
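The non-repudiation flow described above, as an added example that is not taken from the page or from Palladium's product: the administrator's key signs a command record, and the bastion host verifies the signature against the operator's enrolled public key, checks a validity window and a per-command nonce, and only then appends the command and its signature to an audit log. Because the Go standard library has no SM2/SM3 implementation, ECDSA over P-256 with SHA-256 stands in for the SM2 signature and SM3 digest that the USBKey would produce in a real deployment; the record layout, operator names, time window and all sample values are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// OperationCommand is the record an administrator's client signs before it is
// sent to the bastion host. The layout is constructed for this example; the
// product's real command format is not documented on the page.
type OperationCommand struct {
	Operator string `json:"operator"`  // user bound to the USBKey
	Asset    string `json:"asset"`     // managed asset the command targets
	Command  string `json:"command"`   // the operation instruction itself
	IssuedAt int64  `json:"issued_at"` // Unix seconds, bounds the validity window
	Nonce    string `json:"nonce"`     // unique per command, blocks replay
}

// digest canonicalises the record (json.Marshal on a struct keeps a fixed field
// order) and hashes it. A real deployment would use SM3; SHA-256 stands in.
func (c OperationCommand) digest() ([]byte, error) {
	raw, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// SignCommand models the USBKey step. In the real token the private key never
// leaves the hardware and the algorithm is SM2; ECDSA P-256 stands in here.
func SignCommand(priv *ecdsa.PrivateKey, c OperationCommand) ([]byte, error) {
	h, err := c.digest()
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, h)
}

// AuditEntry is what the bastion host retains: the command plus the signature
// that proves which enrolled key authorised it.
type AuditEntry struct {
	Command   OperationCommand
	Signature string // hex of the DER-encoded signature
	Accepted  time.Time
}

// Bastion holds enrolled operator public keys, consumed nonces and the
// append-only audit log.
type Bastion struct {
	operators map[string]*ecdsa.PublicKey
	seenNonce map[string]bool
	AuditLog  []AuditEntry
	MaxSkew   time.Duration
}

func NewBastion() *Bastion {
	return &Bastion{
		operators: map[string]*ecdsa.PublicKey{},
		seenNonce: map[string]bool{},
		MaxSkew:   5 * time.Minute, // assumed validity window
	}
}

// RegisterOperator binds a USBKey public key to an operator name (enrolment).
func (b *Bastion) RegisterOperator(name string, pub *ecdsa.PublicKey) {
	b.operators[name] = pub
}

// Accept verifies a signed command before it is executed or logged. Every check
// must pass; only then is the entry appended to the audit log.
func (b *Bastion) Accept(c OperationCommand, sig []byte, now time.Time) error {
	pub, ok := b.operators[c.Operator]
	if !ok {
		return fmt.Errorf("operator %q has no registered key", c.Operator)
	}
	h, err := c.digest()
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, h, sig) {
		return errors.New("signature does not verify: record altered or wrong key")
	}
	if d := now.Sub(time.Unix(c.IssuedAt, 0)); d > b.MaxSkew || d < -b.MaxSkew {
		return errors.New("command outside validity window")
	}
	if b.seenNonce[c.Nonce] {
		return errors.New("nonce already used: replay rejected")
	}
	b.seenNonce[c.Nonce] = true
	b.AuditLog = append(b.AuditLog, AuditEntry{Command: c, Signature: hex.EncodeToString(sig), Accepted: now})
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	b := NewBastion()
	b.RegisterOperator("ops-admin", &priv.PublicKey)
	now := time.Now()
	cmd := OperationCommand{Operator: "ops-admin", Asset: "db-01", Command: "systemctl restart mysqld", IssuedAt: now.Unix(), Nonce: "c8f1"}
	sig, _ := SignCommand(priv, cmd)
	fmt.Println("original accepted, err =", b.Accept(cmd, sig, now))
	cmd.Command = "systemctl stop mysqld" // altered after signing
	fmt.Println("altered command, err =", b.Accept(cmd, sig, now))
}
```

The audit entry keeps the signature alongside the command, which is what makes the record non-repudiable: an auditor can re-verify it later against the enrolled public key without trusting the bastion host's own word. The nonce and validity-window checks are what stop a captured signed command from being resubmitted.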
At present this migration plan has been deployed and implemented at many financial institutions across the country and has helped customers pass the SM migration inspection, meeting the requirements and technical specifications for financial institutions in the SM migration assessment. On the customer side the plan is mature and stable, with a short deployment cycle that does not affect the customer's business operations or O&M; it applies SM algorithms to identity authentication, transmission channels, sensitive-information storage and non-repudiation of key operations, improving the security of the bastion host itself and safeguarding the information centre's O&M.
Going forward, Palladium will continue to solve practical problems for customers in cryptographic compliance assessment, keep improving its products and solutions according to customers' information-system requirements, support customers' network security construction, and protect the digital development of every industry.