"Network plus security" ensures the security of the entire network! Southwest Jiaotong University

2021-05-31 15:37

Southwest Jiaotong University is a national key university administered directly by the Ministry of Education. It is a research university with a graduate school and was among the first institutions admitted to the "Double First-Class", "Project 211", "Project 985 Innovation Platform" and "2011 Collaborative Innovation Plan" programmes. It is located in Chengdu, a famous historical and cultural city and a national central city of China. It now has three campuses, Jiuli, Xipu and Emei, with more than 60,000 students and staff.

With the rapid development of information technology, the technical threshold for network attack and defence keeps falling and attack methods keep diversifying; in particular, previously unknown threats such as ransomware have begun to spread widely. Facing the network security challenges of this new era, how to keep more than 60,000 staff and students online safely and reliably, and prevent malware infections, has become the focus of the school's security operations and maintenance work.

How does Ruijie Networks help Southwest Jiaotong University with security early warning and analysis? The story goes back to 2018.

(I) First experience with a security situational awareness platform

As early as 2018, the Network Center of Southwest Jiaotong University deployed BDS, a security situational awareness platform, to collect and normalise the log data of information devices across the whole network and build a security big-data warehouse. Through BDS's big-data correlation modelling and analysis, core security risks are identified and located within the mass of data, which helps the school effectively prevent potential security incidents.

In the last two years, as attack and defence techniques have continued to evolve, analysis of the log dimension alone could no longer meet the school's needs for detecting, analysing and giving early warning of new attacks. On top of the original situational awareness platform, Southwest Jiaotong University added traffic probes to perform in-depth analysis of the university's Internet egress traffic. This two-dimensional "log + traffic" security analysis found that many student terminals were infected with viruses, that there was a risk of lateral spread, and that these machines were likely to become zombie hosts ("broilers" in Chinese slang: machines remotely controlled by attackers).

However, security at the network "edge" remained a blind spot: situational awareness platforms and traffic probes are typically deployed in the central machine room, and lateral infections at the access layer, between hosts on the same floor switch or VLAN, never traverse the core switch and so are never seen there. In theory a traffic probe could be deployed on every access switch, but that is expensive and impractical. How to achieve lateral (east-west) threat detection at low cost by technical means, and break the "heavy centre, light edge" pattern of security construction, became an urgent problem for Southwest Jiaotong University.

(II) Linking the situational awareness platform with sFlow switches

For this, Ruijie proposed a "network + security" scheme that connects the existing switches in the school to the platform in order to identify lateral infection. The solution is vendor-neutral: any switch that supports the sFlow protocol can take part in it. Because sFlow samples packets at a fixed rate (1 in N) rather than mirroring full traffic, it is cheap enough to enable on every access switch, and a host sweeping many neighbours still stands out clearly in the samples even though individual low-volume flows may be missed. Through the linkage between the situational awareness platform and the sFlow switches, security monitoring of every node in the whole network can be achieved, users can be helped to analyse and locate "patient zero" of a ransomware outbreak, and administrators can take appropriate measures in time so that network security risks are stopped before they spread.

After continuous upgrading and expansion, Southwest Jiaotong University's comprehensive situational awareness platform now provides users with "log + traffic" situational analysis, lateral threat detection through linked sFlow switches, and other capabilities, and has achieved some practical results:

(1) Through comprehensive management and analysis of the assets connected to the network, the platform provides users with hardening and remediation suggestions. After continuous hardening and improvement, the overall security score reached 85 points.

(2) In-depth analysis of the traffic probe data found viruses on some student terminals, which drew the administrators' attention: was there a risk of large-scale spread? Lateral threat analysis of the sFlow samples from the floor switch showed that one host was actively spreading the infection, and further analysis found that it was infecting eight IP addresses. In the end, the No. 1 infection source (patient zero) and the 8 hosts it had reached were identified, and the school's staff checked them immediately.
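The detection logic behind the sFlow linkage described in section (II) and the patient-zero case above, as an added example that is not Ruijie's or BDS's code. It assumes a collector has already decoded the sFlow datagrams into one flow record per CSV line (`ts,src,dst,dport,proto`); that layout, the 10.20.0.0/16 campus range, the lateral-movement port list and every address and timestamp in the sample export are constructed for illustration.

```python
"""Lateral-spread detection over sFlow flow samples (added example, constructed data).

Assumed input: sFlow samples decoded by a collector into CSV rows
    ts,src,dst,dport,proto     (epoch seconds, IPv4, IPv4, int, 'tcp'|'udp')
This layout is an assumption of the example, not a BDS or sFlow format.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Ports worms and ransomware commonly use to spread inside a LAN (RPC, NetBIOS, SMB, RDP, SSH).
LATERAL_PORTS = {135, 139, 445, 3389, 22}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed campus range


def _build_sample_export():
    """Constructed sFlow export: two scanners hidden among benign 'one client, one server' traffic."""
    rows = ["ts,src,dst,dport,proto"]
    # Benign: clients each talk to the single file server on 445 (one destination each, not a sweep).
    for i, ts in enumerate(range(900, 1200, 50)):
        rows.append(f"{ts},10.20.7.{30 + i},10.20.1.10,445,tcp")
    # Benign: a backup server touches many hosts on 445, but only one every 10 minutes.
    for i in range(10):
        rows.append(f"{2000 + i * 600},10.20.1.30,10.20.7.{60 + i},445,tcp")
    # Patient zero 10.20.5.17 sweeps eight neighbours on SMB within a few seconds.
    for i in range(8):
        rows.append(f"{1000 + i},10.20.5.17,10.20.5.{21 + i},445,tcp")
    # Second-generation victim 10.20.5.23 starts its own sweep ten minutes later.
    for i in range(6):
        rows.append(f"{1600 + i * 2},10.20.5.23,10.20.6.{10 + i},445,tcp")
    return "\n".join(rows) + "\n"


SAMPLE_EXPORT = _build_sample_export()


def parse_flows(text):
    """Parse the assumed CSV export into time-ordered (ts, src, dst, dport, proto) tuples."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append((int(row["ts"]), row["src"], row["dst"], int(row["dport"]), row["proto"]))
    flows.sort()
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def detect_scanners(flows, ports=LATERAL_PORTS, window=300, threshold=5):
    """Flag internal sources that hit >= threshold distinct internal hosts on lateral ports
    within `window` seconds. Returns {src: (sweep_start_ts, sorted list of all targets)}.
    The sliding window is what keeps the slow, legitimate backup server below threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in ports and src != dst and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({d for _, d in events[lo:hi + 1]}) >= threshold:
                scanners[src] = (events[lo][0], sorted({d for _, d in events}))
                break
    return scanners


def find_patient_zero(flows, scanners):
    """Patient zero is the scanner that no other scanner touched on a lateral port before it
    began sweeping; a scanner first reached by an earlier scanner is a downstream victim."""
    first_hit = {}  # scanner -> earliest ts it was contacted by another scanner
    for ts, src, dst, dport, proto in flows:  # flows are sorted, so setdefault keeps the earliest
        if src in scanners and dst in scanners and dport in LATERAL_PORTS:
            first_hit.setdefault(dst, ts)
    roots = [s for s, (start, _) in scanners.items() if first_hit.get(s, start) >= start]
    return min(roots, key=lambda s: scanners[s][0]) if roots else None


def investigate(text):
    """Whole pipeline: returns patient zero, the hosts it reached, and victims now sweeping."""
    flows = parse_flows(text)
    scanners = detect_scanners(flows)
    p0 = find_patient_zero(flows, scanners)
    targets = scanners[p0][1] if p0 else []
    return {"patient_zero": p0, "targets": targets,
            "secondary_scanners": sorted(s for s in scanners if s != p0)}


if __name__ == "__main__":
    print(investigate(SAMPLE_EXPORT))
```

The thresholds are assumptions to tune per campus: a `window` of five minutes and five distinct SMB targets separates a worm from management hosts that legitimately reach many machines over a day, and the patient-zero rule only orders scanners by who hit whom first, so it still works when sampling drops most of the individual flows.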

[Figure: locating infection source No. 1]

[Figure: identifying the infected targets]

(III) "Network + security" makes the network safer

In the past it was difficult to perform security analysis across the school's whole network, and viruses could not be located and analysed quickly; once a security incident occurred, a long, laborious step-by-step investigation followed. Now, with the combined "log + traffic" analysis model and the sFlow switch linkage, administrators only need to review the high-risk alerts of the BDS security situational awareness platform each day to complete risk assessment and early warning for the whole network. At the same time, "patient zero" can be traced quickly, effectively preventing large-scale spread.

Ruijie's "network + security" whole-network solution lets switches and other network devices act as security probes for the situational awareness platform, while also drawing on SDN-based intelligent defence, real-name network access logs, and integrated network and security operations, so as to eliminate security silos and build an interconnected security assurance system for the whole network. The automated closed loop of security prediction, protection, analysis and response meets the compliance requirements that Classified Protection 2.0 (MLPS 2.0) and the Cybersecurity Law place on every organisation, and makes the network more secure.

Source: Corporate press release