H3C SecPath Security Products FAQ(V7)-6W100


31-FAQ on Intranet security comprehensive scoring (Security overview)

FAQ on Intranet security comprehensive scoring (Security overview)

Q.     What is the main purpose of Intranet security comprehensive scoring?

A.     Currently, the platform lacks the function to display the internal network security status intuitively. To meet this demand, the data analysis center background needs to use stored threat log data to obtain the number of four types of threat severity types and calculate the security score, which will be returned to the web for display together. The security score reflects the overall security status of the internal network, and the number of statistics for the four types of threat severity reflects the specific scoring details, allowing the web interface to visually display security elements and real-time display network security situations (such as displaying the types and number of recent attacks, overall scoring for network security status).

Q.     What is the implementation principle of Intranet security comprehensive scoring?

A.     The data analysis center background needs to provide:

·     Intranet security score calculation.

·     Attack count statistics for different threat levels

The implementation analysis of the requirements is as follows:

1.     A NETCONF table needs to be added, and the Web interface needs to issue a calculation type parameter (an enumeration value, reserved for future expansion of the rating calculation functions; currently the Web interface only needs to issue 0). The backend returns the calculated comprehensive score and the number of attacks at each threat level, encapsulated in JSON format. The Web interface needs to parse it to obtain the different types of data and display the distribution on the webpage.

2.     According to the different types issued, use the callback function to realize data query processing, which is convenient for modifications caused by possible new requirements in the future.

3.     Assemble SQL to query the data in this Context. Currently, threat logs are stored in different databases on a daily basis, and the time period sent at the backend is one hour, so there will only be two situations: within a day or across days. However, to cope with the possible modification of the time period to more than one day in the future, the method of querying all databases within the time period separately is adopted, and then the results of different threat levels are added up to obtain the final result.

4.     After the SQL execution obtains the number of different threat levels corresponding to the conditions, calculate the security score according to the following formula:

Security score = Starting score - Attack danger index

The attack danger index = The total value of the scores corresponding to different attack levels in the threat log

Currently, the threat logs generated by the IPS and antivirus modules are uniformly stored in the data analysis center database. The severity in a threat log comes from the matching result of the signature library, and the data analysis center judges the severity level based on this field, in the same way as the application layer detection engine, IPS, and other modules do.

The severity in the threat log is a UINT type data, and its corresponding relationship with the threat level and score is as follows:

·     Severity < 30: Low, corresponding score 0.2

·     30 ≤ Severity < 60: Medium, corresponding score 0.4

·     60 ≤ Severity < 90: High, corresponding score 0.6

·     90 ≤ Severity: Critical, corresponding score 4

NOTE:

·     If there are critical attacks, the starting score is 70.

·     If there are high-risk attacks, the starting score is 90.

·     If the security score calculated is less than 10, it is set to 10.

·     The severity in the threat log will only appear in the range of 0-100. If an exception occurs and the severity exceeds 100, it will be handled as critical.

5.     After the score is calculated, the data of different threat levels is encapsulated into JSON and returned to the Web interface together with the security score (the interpretation of the security score is implemented by the Web interface).

Q.     What is the calculation formula for the security score?

A.     The formula is: Score = Total - Low * 0.2 - Medium * 0.4 - High * 0.6 - Critical * 4

·     When Critical > 0, Total = 70

·     When Critical = 0 and High > 0, Total = 90

·     When Critical = 0 and High = 0, Total = 100

·     Finally, the resulting value is rounded.

·     When the resulting score is less than 10, it is set to 10.
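The scoring procedure described in the implementation steps above and the formula in this answer, worked through as an added example (this is not H3C's code; the log dict layout, the JSON field names, and the sample logs are assumptions):

```python
import json
from collections import Counter

# Deduction per attack for each threat level, from the FAQ.
LEVEL_WEIGHTS = {"low": 0.2, "medium": 0.4, "high": 0.6, "critical": 4.0}

def severity_to_level(severity: int) -> str:
    """Map the UINT severity field to a threat level using the FAQ bands.
    Values above 100 are out of range and are treated as critical."""
    if severity < 0:
        raise ValueError("severity is unsigned")
    if severity < 30:
        return "low"
    if severity < 60:
        return "medium"
    if severity < 90:
        return "high"
    return "critical"  # 90 <= severity, including the >100 exception case

def count_levels(threat_logs):
    """Count attacks per level for log dicts with a 'severity' key (assumed layout).
    In the product this is summed over the per-day databases in the query window."""
    counts = Counter({"low": 0, "medium": 0, "high": 0, "critical": 0})
    for entry in threat_logs:
        counts[severity_to_level(entry["severity"])] += 1
    return dict(counts)

def security_score(counts):
    """Score = Total - Low*0.2 - Medium*0.4 - High*0.6 - Critical*4, where Total is
    70 / 90 / 100 by worst level present; the result is rounded and floored at 10."""
    if counts["critical"] > 0:
        total = 70
    elif counts["high"] > 0:
        total = 90
    else:
        total = 100
    danger_index = sum(counts[level] * w for level, w in LEVEL_WEIGHTS.items())
    return max(round(total - danger_index), 10)

def scoring_response(threat_logs, calc_type=0):
    """Build the JSON payload returned for calculation type 0, the only type the Web
    interface currently issues. Field names are assumed, not H3C's."""
    if calc_type != 0:
        raise NotImplementedError("only calculation type 0 is defined")
    counts = count_levels(threat_logs)
    return json.dumps({"score": security_score(counts), **counts})

# Constructed sample threat logs, not real device data; 250 is the out-of-range case.
SAMPLE_LOGS = [{"severity": 12}, {"severity": 45}, {"severity": 45},
               {"severity": 75}, {"severity": 250}]

if __name__ == "__main__":
    print(scoring_response(SAMPLE_LOGS))
```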

Q.     Why doesn't my device's Web interface have a security score for the security overview?

A.     Currently, only F1010 series devices can display the security overview rating module.
