SOLUTION
Government Agency
SCENARIO

An information security incident in a government agency is equal to a national-level security threat. According to the data, more than 20% of enterprises encountered more than 50 information security incidents in 2019, and 42.4% of those incidents caused service interruption. About 60% of the actions in information security incidents are data theft, and nearly 30% of government agencies and schools regard information security as their primary IT investment. The survey in Q1 2020 also reported that ransomware incidents increased by 48% compared with the same period of the previous year, so improving information security protection is urgent. How should government agencies respond effectively?

 

 

The Information Security Dilemma Faced by Government Agencies

 

・ Information security loopholes caused by negligence in the management of outsourced manufacturers.
・ The internal and external network boundary is fuzzy and the equipment status is unclear.
・ The compliance of software and hardware cannot be confirmed, and an efficient, compliant management method is lacking.
・ How to ensure IPv6 network security.
・ How to comply with the standards for information and communication safety management.
・ How to comply with ISO27001 certification requirements.
・ How to protect the security of personal data.
・ How to adopt the NIST CSF information security framework.

SOLUTION
UPAS is a team with independent R&D capability and technical service. We understand the information security requirements of different industries and can propose accurate and complete solutions to meet customer requirements. For problems specific to government agencies, we offer the following key solutions.
IoT Asset Inventory

 

Lay the foundation of network security

Usually, when an organization needs to improve its network security architecture, it must start by gaining visibility across its networks and completing an asset inventory. At present, the diversity of devices in the office environment is increasing exponentially, and some of them are high-risk dumb terminals that are not under policy-based control, which has left devices vulnerable to attack in recent years. Availability is also an important issue, as the inventory must be carried out without interrupting service.

 


・ Can automatically generate a complete asset list.
・ Can identify the device properties and provide the operating system version, location, user information and other equipment data.
・ Ensures continuous compliance checks, including the installation, version and update status of Windows OS patches, antivirus software, virus definitions and permitted software, as well as legal software licenses.
・ Improves the device compliance rate by collecting the security status of terminal devices; those that do not comply can be forcibly disconnected from the network for remediation.
・ Provides charts and dashboards to control the overall situation.

ARPScanner
SIM Security Integration management
PM Patch management
DM Desktop management
Establish the Management Process for Outsourced Manufacturers

 

Improve the access permission process of external equipment

Some scenarios are common to all government agencies, such as non-internal personnel temporarily needing to connect to the external network or the intranet for a specified period. Compared with the rigorous and thorough protection of the external network, a device that accesses the intranet without identification and least-privilege control may become a high-risk security vulnerability.

 


・ Provides identity verification.
・ Provides intranet connection authentication to visitors for their on-site and appointment applications.
・ Limits visitors’ access rights and time span to intranet and Internet with automated detachment management.
・ Isolates visitors in specific network segments.
・ Provides temporary allowlist or visitor authentication for outsourced manufacturers.
・ Provides BYOD authentication for devices brought by the user.

ARPScanner
IDChecker
GAM Guest Access Management
ADVantage
IPv6 Management Solution

 

Implement IPv6 Network Security Management

The security policy for IPv6-related network infrastructure and application infrastructure needs to be deployed in the telecommunication and Internet security system. Develop a strategy for network security, risk assessment, event notification and early warning.

 

Improve Network Security Policy of IPv6

All telecommunications companies, data centers, content distribution networks (CDNs), cloud instances and other enterprises need to improve the existing network security frameworks in the transition from IPv4 to IPv6, in order to ensure IPv6-based security capability.

 
Develop Strategy of IPv6 Network Security Deployment

Establish IPv6-based network and application infrastructure, and support research on network security technology and management mechanisms in emerging fields, such as the industrial Internet, the Internet of Things and artificial intelligence, under the IPv6 network environment.

 


・ Automatically sets up IPv6 device allowlist, and detects and blocks external devices with IPv6.
・ Provides real-time information and historical records to view the status of intranet IPs.
・ Supports IPv6 and IPv4 dual protocol management and distributes IPv6 addresses with IPv4 tail codes.

ARPScanner
IPv6 Management
Meet ISO/IEC 27001:2013 Requirements
A.8 Asset Management

Information should be classified according to regulatory requirements, its value and harmfulness, and its sensitivity to unauthorized disclosure or modification. A set of appropriate information labeling procedures, asset disposal procedures and portable media management procedures should be developed and implemented according to the classification method adopted by the organization. When media is no longer needed, formal procedures should be applied to dispose of it safely. Media containing information should be protected from unauthorized access, misuse or damage during transmission.

 


・ Provides IP asset classification.
・ Automatically generates data trail.
・ Provides IP usage record and system operation record.
・ Provides important information of the IP protection mechanism to prevent data loss, destruction, forgery or alteration.

 
A.9 Access Control

It includes the following items: access control policy, access to network and network services, user login and logout, user access configuration, privilege management, management of user's confidential authorized information, review of user's access rights, use of confidential authorized information, information access restriction, and secure login sequence.

 


・ Provides access control and private access device management, and reports on policy violation and abnormal events.
・ Provides IP/MAC binding management, IP/MAC time management and MAC/hardware fingerprint binding management.
・ Provides the authentication mechanism.
・ Provides allowlist management and time configuration.
・ Provides the IP exception and MAC exception mechanism.
・ Provides AD management, adds or does not add AD management, AD domain logout management, online information, and rights for configurable internal and external networks.
・ Provides management, user and observer rights.

ARPScanner
SIM Security Integration management
PM Patch management
ADVantage
Building NIST Information Security Framework

 

IDENTIFY

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

 


・ Can automatically identify networked device properties.
・ Can interface with SAM (software asset management) software to analyze the status of software usage.
・ Can automatically generate an encrypted data trail that provides system operation records.
・ Provides IP asset classification.

 

 
PROTECT

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.DS-1: Data-at-rest is protected
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.IP-6: Data is destroyed according to policy
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy

 


・ Provides important information of IP protection mechanism to prevent data loss, damage, forgery or alteration.
・ Can force the computer to install DLP software to prevent data leakage.
・ Can detect whether permitted software is installed and whether illegal/pirated software is installed; if there is a violation, repair can be requested through disconnection and page redirection.
・ Provides IP/MAC binding, IP/MAC time management and MAC/hardware fingerprint binding management.
・ Provides authentication mechanism.
・ Automatically generates data trail.
・ Provides IP usage record and system operation record.

 

 
DETECT

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

 


・ Provides access control and private access device management.
・ Can monitor pirated and prohibited software.

ARPScanner
SIM Security Integration management
PM Patch management
ADVantage
IDChecker
IPLocator
GAM Guest Access Management