Research on the Construction of Security Protection System of Traffic Management Video Private Network

As the construction of transportation technology facilities advances, the public security video private network keeps growing in scale, and its security risks become increasingly prominent. A hacker intrusion, data theft or similar incident can leak or tamper with sensitive information, and may even throw the city's traffic dispatch and command system into disorder or disable traffic control, endangering the travel safety of the public. Deploying effective security strategies and building a comprehensive security protection system for the video private network has therefore become one of the important tasks of the traffic management department.

0 Preface

Accelerating the informatization, networking and intelligent development of the transportation sector is an important basis for implementing the spirit of the 19th National Congress of the Communist Party of China and for comprehensively building a strong country in transportation and in science and technology. As the construction of transportation science and technology facilities advances, the dedicated video networks that support those facilities are also expanding in scale, and they have gradually become an Internet of Things that carries massive numbers of terminal devices and collects massive amounts of data.

As the coverage of the video private network grows, its network security risks also become more prominent. Once a network attack or intrusion occurs, sensitive information may be leaked, stolen or tampered with; the city's traffic dispatch and command system may be thrown into disorder, traffic control may fail, and all kinds of traffic data may be stolen or altered, ultimately affecting the travel safety of the public. Deploying effective security strategies and improving the protection capability of the video private network has become one of the important tasks of the traffic management department.

1 Main security risks faced by private video networks

The video private network mainly interconnects the video surveillance systems built by political-legal and public security organs, and provides information to users on the public security network and the Internet through security boundaries. Road video surveillance cameras, high-definition checkpoint (bayonet) cameras, electronic police enforcement cameras, signal control systems and traffic flow collection systems of the traffic management information system have all been widely deployed on the video private network. Given the current network architecture and business processes of video private networks in China, the security risks they face fall mainly into the following four areas.

1.1 The phenomenon of illegal internet connection is common

Physical isolation from the Internet and other networks was fully considered when the video private network was planned and designed [2]: information is exchanged and shared with other networks such as the public security network and the Internet only through security measures such as firewalls and boundary access platforms. In practice, however, dual network cards, additional network egresses, network proxies, wireless APs, NAT boundaries and similar means can be used inside the video private network to bypass the supervision of the security devices, so the risk of an unauthorized connection to the external Internet still exists.

1.2 Lack of security control for device access

At present the video private network lacks centralized IoT management and control of the devices that connect to it. Unauthorized external connections, unauthorized internal connections and "networks within the network" are common, and they easily cause network overload, network paralysis, data disorder and loss of sensitive data. The security risk of unauthorized device access cannot be ignored.

1.3 The safety protection measures are still insufficient

Because of the particular nature of network transmission and the complex installation environment of front-end equipment in the traffic management video private network, and with private network construction expanding rapidly, security assurance clearly lags behind construction and overall protection has not been adequately considered. In addition, the front-end equipment, computers and servers of the video private network suffer from weak passwords, operating system vulnerabilities, Trojan software and virus threats, which further increases the chance that the video private network will be illegally controlled and its data stolen.

1.4 Security operation and maintenance capabilities need to be improved

Network security operation and maintenance of the video private network still faces great challenges. First, high-risk vulnerabilities in commodity equipment appear continually while remediation is slow, which lowers the bar for attackers. Second, security audit management such as audit logging is lacking, user operation records are hard to review, and unauthorized operations, modifications and deletions can easily occur.

2 Security Status of Private Video Networks at Home and Abroad

Video private network security mainly means identifying standard video services on the basis of the "Technical Requirements for Information Transport, Switch and Control in Video Surveillance Network System for Public Security" (GB/T 28181), ONVIF (Open Network Video Interface Forum), the "Technical Requirements for Information Security of Video Surveillance Network System for Public Security" (GB 35114) and the "Video Image Information Application System for Public Security" (GA/T 1400), and then precisely controlling all front-end IP video devices and their transmission traffic. The core of video private network protection is to use a variety of security mechanisms and technical management methods to secure the data collected by front-end equipment, the data transmitted over the network, the data stored at the monitoring center and the data used by terminal applications, and to build a video surveillance network in which risks can be quickly identified and located.

2.1 Security Status of Foreign Video Private Networks

The number of IoT devices worldwide is growing rapidly; according to the GSMA (GSM Association), the number of IoT connections will reach 25.2 billion by 2025. With the wide adoption and rapid development of communication technologies such as LoRa, NB-IoT and 5G, the Internet of Everything has become the general trend. Video surveillance equipment, the most typical front-end perception-layer device of the IoT, is widely used in smart cities, smart transportation, smart manufacturing, smart homes and many other fields.

Because security was not considered when IoT perception-layer devices such as video surveillance equipment were first designed, their vulnerabilities have surfaced frequently in recent years and have become the easiest entry point for attackers. In late 2016 the Mirai botnet, built from hundreds of thousands of compromised cameras and similar devices, launched DDoS attacks that included a flood of about 620 Gbit/s against the KrebsOnSecurity site, the largest seen at that time, and the October 2016 attack on the US DNS provider Dyn that left many well-known US websites unreachable and caused large-scale outages. Mirai has since become a landmark event in global IoT security. In 2018 IoT cameras once again served as a "springboard" for attacks, when the service providers Dyn and Amazon were hit by cyber attacks that made many websites in the United States inaccessible.

In 2019 attacks based on IoT terminals such as video surveillance equipment were frequent, and large-scale botnet and ransomware attacks occurred from time to time. According to NSFOCUS, more than 300 IoT security incidents were recorded worldwide in 2019, 69 of which involved DDoS or ransomware attacks, or 21.3% of the total.

At the same time, the case of D-Link terminals whose updates were discontinued shows that large numbers of devices that are no longer updated or maintained carry long-term vulnerabilities and risk unless they are managed effectively. The severe IoT security situation has also drawn the attention of governments: in 2019 the United States and Japan each issued laws and policy measures for the security governance of IoT terminals, to improve comprehensive prevention of IoT security threats.

2.2 Status Quo of Domestic Video Private Network Security

Video surveillance networks can be divided by coverage, purpose and scale into four application scenarios of increasing complexity: personal, small, medium and large. The scenario with the largest market share in China at present is the large-scale video surveillance network for city-level integrated management and control and public safety, and its most typical application is the "Xueliang Project", whose final construction goal is "full coverage, network-wide sharing, availability at all times and full control".

To comprehensively improve urban public security prevention and control and to promote the building of safe rural areas, the "Opinions of the Central Committee of the Communist Party of China and the State Council on Implementing the Rural Revitalization Strategy" of January 2018 put forward the concept of the "Xueliang Project" for the first time. The construction of the Xueliang Project is not only an important basis for data exchange, information sharing and device interconnection, but also a strong support for accelerating system networking, promoting network and platform interconnection, and sharing video and image resources from public areas online. As new urban integrated management and control projects such as "Safe City" and the "Xueliang Project" multiply, IoT applications represented by video private networks continue to expand, spreading to third-tier cities and rural areas and from the coastal regions to central and western China.

However, the rapid growth of video private networks has also exposed many security problems, such as insufficient protection capability and inadequate security management. According to statistics, about 2.6 million IP addresses of video surveillance devices in China are exposed on the Internet, the highest number in the world. As the risks at the front-end perception layer, network transmission layer and application layer of the video private network increase, a network attack against an unprotected network may lead to device takeover, data theft and privacy leakage, with a serious impact on individuals, society and national cybersecurity.

3 Video private network security comprehensive protection system

Taking into account the security supervision requirements of the video private network and the key points and difficulties of its protection, the comprehensive security protection system of the video private network consists of four levels: device access security, network security, application security, and security operation and maintenance management, as shown in Figure 1.

Figure 1 Video private network security comprehensive protection system

3.1 Device Access Security

The perception layer of the video private network connects a large number of cameras and other front-end devices that are numerous and widely distributed. Device security therefore mainly concerns the path from the front-end perception node to the gateway node, and measures are needed at the front end, at the terminals and at the hosts.

On the front-end side, devices such as cameras have a single function, weak computing power and no security protection capability of their own, so administrators often cannot respond promptly and effectively when a front-end device behaves abnormally, and the devices are exposed to data leakage and malware infection. Front-end security should therefore establish a whitelist of permitted access protocols and an access authentication mechanism for front-end devices, and use active scanning, manual configuration and real-time detection to promptly discover unknown, counterfeit and unauthorized devices; traffic that does not match the protocol whitelist is identified and filtered, so that illegal and malicious behaviour is identified, alarmed on and blocked in real time.
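The following is an added example, not code from the original article, of the access check described above: an authorized-device registry with IP/MAC binding (to catch unknown and counterfeit devices) combined with a per-role protocol whitelist (to filter traffic a camera should never generate). The registry, vendor prefixes, roles, port lists and sample flows are constructed assumptions.

```python
"""Front-end device access control: authorized-device registry with IP/MAC
binding plus a per-role protocol whitelist. Added example, not code from the
original article; the registry, vendor prefixes, roles and port lists below
are constructed assumptions."""
from dataclasses import dataclass

# Constructed registry of authorized front-end devices, keyed by IP: bound MAC and role
REGISTRY = {
    "10.20.1.11": {"mac": "a4:14:37:11:22:33", "role": "camera"},
    "10.20.1.12": {"mac": "a4:14:37:44:55:66", "role": "camera"},
    "10.20.1.50": {"mac": "00:1b:21:aa:bb:cc", "role": "signal-controller"},
}
# Constructed OUI (first three octets) -> vendor table, used to describe unknown devices
OUI = {"a4:14:37": "CamVendorA", "00:1b:21": "CtrlVendorB"}
# Protocol whitelist per role: (transport, destination port) pairs a device may initiate.
# Assumed ports: RTSP 554 and HTTP 80 (ONVIF/SOAP) for cameras, 502 for the controller.
PROTOCOL_WHITELIST = {
    "camera": {("tcp", 554), ("tcp", 80)},
    "signal-controller": {("tcp", 502)},
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    proto: str
    dst_ip: str
    dst_port: int


def vendor_of(mac: str) -> str:
    """Vendor name from the MAC prefix, for the alarm text only."""
    return OUI.get(mac.lower()[:8], "unregistered-vendor")


def check_device(ip: str, mac: str) -> str:
    """Classify an observed (IP, MAC) pair against the registry.
    A registered IP presented by a different MAC is treated as a counterfeit
    device (address takeover of a known camera)."""
    entry = REGISTRY.get(ip)
    if entry is None:
        return "unknown_device"
    if entry["mac"].lower() != mac.lower():
        return "counterfeit_device"
    return "ok"


def check_flow(flow: Flow) -> str:
    """Identity first, then the protocol whitelist; any failure is a block reason."""
    verdict = check_device(flow.src_ip, flow.src_mac)
    if verdict != "ok":
        return verdict
    role = REGISTRY[flow.src_ip]["role"]
    if (flow.proto.lower(), flow.dst_port) not in PROTOCOL_WHITELIST[role]:
        return "protocol_not_whitelisted"
    return "ok"


def audit(flows):
    """Blocked flows with their reason and the vendor guessed from the MAC prefix."""
    findings = []
    for f in flows:
        verdict = check_flow(f)
        if verdict != "ok":
            findings.append((f.src_ip, f.src_mac, vendor_of(f.src_mac), verdict))
    return findings


# Constructed sample flows as seen at the access gateway
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "a4:14:37:11:22:33", "tcp", "10.20.0.10", 554),  # camera streaming: ok
    Flow("10.20.1.12", "00:11:22:33:44:55", "tcp", "10.20.0.10", 554),  # known IP, wrong MAC: counterfeit
    Flow("10.20.1.99", "3c:5a:b4:00:00:01", "tcp", "10.20.0.10", 80),   # never registered
    Flow("10.20.1.11", "a4:14:37:11:22:33", "tcp", "10.20.1.12", 445),  # real camera speaking SMB: blocked
    Flow("10.20.1.50", "00:1b:21:aa:bb:cc", "tcp", "10.20.0.20", 502),  # controller: ok
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("BLOCK", finding)
```

The IP/MAC binding catches a laptop plugged into a camera drop or a box impersonating a known camera's address, but a MAC can be spoofed, so this check complements rather than replaces the device access authentication the text calls for. The protocol whitelist is what stops a compromised but genuine camera from scanning or spreading laterally (the SMB flow above), which identity checks alone would pass.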

At the terminal level, to strengthen monitoring of the system's operating state, reduce unnecessary system services, improve the system's own resistance to attacks and viruses, and raise the overall security of the terminal system, measures such as system hardening, installing anti-virus software, using Internet behaviour management and deploying network access control equipment should be taken to reduce the risk of the system itself. Because the administrator is the main user of the terminal, terminal users must also be managed through security management rules such as usage specifications.

The hosts of the video private network are mainly the video management systems of the video surveillance platform. The protection goal is to ensure the confidentiality, integrity and availability of each video management system while data is stored and processed [9]. Because these host systems carry risks such as security vulnerabilities, weak attack resistance, a lack of patching capability and human operating errors, host security must consider the security of hardware, firmware and system software, and must also apply appropriate technical and management measures.

3.2 Network Security

The network security of the video private network focuses on boundary security and transmission security; specifically, measures are taken in the areas of boundary access control, Internet access security, link security and data security.

Boundary access control is achieved mainly by deploying next-generation firewalls, security gateways and similar devices to provide defence in depth, and it is the primary prerequisite for a trusted network. Boundary protection policies should be built around the five-tuple of source IP address, source port, destination IP address, destination port and protocol, to restrict unauthorized access to the network and to defend in depth against threats such as target system vulnerabilities, protocol weaknesses, malicious attacks, abnormal traffic, viruses, worms and spyware.
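As an added example (not code from the original article), the following models a five-tuple boundary policy the way a firewall evaluates it: ordered rules, first match wins, implicit default deny, plus a shadowing check that finds rules an earlier, broader rule makes unreachable, which is the usual way a "deny" written later in the list silently stops working. The address ranges, rule sets and ports are constructed assumptions.

```python
"""Boundary five-tuple policy: first-match rules, implicit default deny, and a
shadowing check for rules an earlier rule makes unreachable. Added example,
not code from the original article; addresses and rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    sport: tuple     # inclusive (low, high) source port range
    dst: str         # destination CIDR
    dport: tuple     # inclusive (low, high) destination port range


def matches(rule, proto, src_ip, sport, dst_ip, dport):
    """Does one concrete flow match the rule's five-tuple?"""
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_address(src_ip) in ip_network(rule.src)
            and rule.sport[0] <= sport <= rule.sport[1]
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.dport[0] <= dport <= rule.dport[1])


def evaluate(rules, proto, src_ip, sport, dst_ip, dport):
    """First matching rule wins; a flow matching nothing is denied by default."""
    for r in rules:
        if matches(r, proto, src_ip, sport, dst_ip, dport):
            return r.action, r.rid
    return "deny", "default"


def _covers(a, b):
    """True when every flow that matches rule b also matches rule a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and a.sport[0] <= b.sport[0] and b.sport[1] <= a.sport[1]
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def shadowed(rules):
    """Ids of rules that can never fire because an earlier rule covers them."""
    return [r.rid for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]


# Constructed network layout: video private network, public security network side,
# and the boundary access platform that relays video between them.
VIDEO_NET = "10.20.0.0/16"
PSN_NET = "172.16.0.0/12"
BOUNDARY_PLATFORM = "172.16.5.10/32"

POLICY = [
    Rule("R1", "allow", "tcp", VIDEO_NET, ANY_PORT, BOUNDARY_PLATFORM, (554, 554)),  # video out, RTSP only
    Rule("R2", "allow", "tcp", PSN_NET, ANY_PORT, VIDEO_NET, (443, 443)),           # HTTPS management in
    Rule("R3", "deny", "any", "0.0.0.0/0", ANY_PORT, "0.0.0.0/0", ANY_PORT),         # explicit cleanup rule
]

# A broad outbound allow placed first makes the later SMB deny unreachable.
BAD_POLICY = [
    Rule("R0", "allow", "any", VIDEO_NET, ANY_PORT, "0.0.0.0/0", ANY_PORT),
    Rule("R9", "deny", "tcp", VIDEO_NET, ANY_PORT, "0.0.0.0/0", (445, 445)),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "tcp", "10.20.1.11", 40000, "172.16.5.10", 554))
    print(evaluate(POLICY, "tcp", "10.20.1.11", 40000, "172.16.5.10", 22))
    print("shadowed in BAD_POLICY:", shadowed(BAD_POLICY))
```

Two habits follow from the model: write the cleanup deny explicitly (R3) rather than relying on the device's implicit default, so the log shows which rule dropped a flow, and run the shadowing check whenever the rule base changes, because first-match semantics make ordering part of the policy.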

Because the Internet carries a large number of threats such as attacks and viruses, the video private network must strengthen protection at its boundary wherever it connects to the Internet. To prevent unauthorized access and attacks, boundary protection products such as firewalls should be deployed, traffic should be inspected and filtered according to strict security policies and rules, and network attacks, including attacks on network applications, should be detected and blocked.

Link security is an important basis for secure transmission on the private network. A failure of a network device or link during transmission easily interrupts video delivery and breaks the real-time requirement of video monitoring. Data links and network equipment should therefore be made redundant through hardware redundancy, so that video transmission continues uninterrupted in the event of a physical failure.

Data security emphasizes the security of the video data itself. Starting from the security goals of data confidentiality, integrity and availability, appropriate technical measures should be taken for both transmission and storage. To counter risks such as interception and theft during transmission, encryption technologies such as HTTPS for access to the web management platform and dedicated encryption devices for encrypted transmission should be used to encrypt the application interaction and the data transmission processes. Note that HTTPS protects only the management interface; the video streams themselves must go through the encrypted transmission channel, otherwise they remain in the clear on the link. For storage, access control must be enforced on the administrators who operate the data-related equipment, and storage security is achieved through hardware redundancy.

3.3 Application Security

The application systems of the video private network are mainly the video surveillance platforms. Their security lies in reducing the risks that arise during management and maintenance and from the applications' own vulnerabilities, and in securing the data exchanged with the applications. Application security should be implemented in several areas, including application account management, an operation and maintenance audit system and application attack protection, with corresponding security measures deployed for each.

Once an application account is assigned to an administrator, its security depends entirely on that administrator's personal security awareness. For every application account, measures such as centralized generation, centralized management, authorization of operating rights, no account sharing and a combination of multiple authentication technologies should therefore be taken to strengthen account security. Account operations should also be audited, and security problems caused by leaked account passwords should be traced to the responsible person, so that awareness of personal account security improves.

The operation and maintenance audit system, also known as the bastion host, focuses on the operation and maintenance of core systems and on security audit control. Technically, it cuts off direct terminal access to network and server resources and interposes a protocol proxy, through which account management, identity authentication, resource authorization, access control and operation auditing are carried out. With effective control policies it also reduces risks such as operator mistakes, avoids security losses and safeguards the operation and maintenance of the video private network.

The main security challenges of the application systems are user identity forgery, unauthorized access and web attacks. Because application systems are complex, diverse and change dynamically, security policies must be designed and corresponding measures deployed per application; application-layer protection is provided mainly by dedicated security devices such as intrusion prevention systems and web application firewalls.

3.4 Security operation and maintenance control

On top of device, network and application security, the video private network should also build a unified security management and control platform that integrates terminal, network, security, business and other resources, provides risk assessment and network security operation and maintenance assurance, and presents the security state of the video private network visually through means such as situational awareness.

3.4.1 Security operation and maintenance management

To operate and maintain the traffic management video private network securely, the management process, management content and related management systems should be combined organically, and the operation and maintenance of the private network should be standardized. Once the key security protection system of the video private network is in place, daily management systems should be formulated on the basis of the security control system that has been built, mainly including a network management system, a system and application management system, a fault management system, a security management system, a personnel management system and a technical support tool management system.

At the same time, the security of the video private network depends not only on the security awareness of system administrators but also on management decisions and on safe operation by staff. Regular security training should therefore be provided for all staff involved with the video private network (senior managers, system security administrators, technical department managers and ordinary staff), targeting the possible security risks of the network; emergencies should be simulated and emergency drills organized regularly to improve secure operation and maintenance capability. Security technology training should cover the network security situation, network security technology, security assessment, system penetration testing, baseline configuration verification, security incident response, vulnerability detection and information security awareness.

3.4.2 Comprehensive Security Control

To comprehensively improve the security management and control of the video private network, a security detection platform should be built for it, to assess its security in real time, discover risks in every part of the network promptly and carry out proactive protection. Based on this platform and starting from asset analysis, regular comprehensive risk assessments of the video private network can be conducted across seven areas: network, host, application, terminal, data, physical and management. The detection platform is also integrated with the underlying hardware equipment to deliver security services such as network security policy optimization and operation and maintenance assurance.

In addition, security management and control of the video private network should collect all types of event information through multiple acquisition methods, both active collection and passive reception, and analyse events and logs with pattern matching; an analysis engine deployed out of band (in bypass mode) captures network traffic and monitors and analyses abnormal behaviour on the network. The management and control platform should present statistics on online terminals of each type, camera online rate, asset counts per unit and camera vendor distribution, so that administrators can grasp the operating state of the video private network from a global perspective; when a new device connects, an unauthorized terminal connects, or a connected device goes offline, the platform should raise a real-time alarm to help the administrator handle it promptly.
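The following added example (not code from the original article) shows the two platform functions just described in working form: pattern matching over collected event lines to derive alarms (password guessing against a camera controller, and a front-end device trying to reach the Internet, the unauthorized outreach of section 1.1), and differencing of successive device polls to raise new-device, unauthorized-terminal and device-offline alarms together with the camera online rate. All event lines, addresses, thresholds and poll results are constructed.

```python
"""Security control platform logic: event pattern matching and poll-based
device alarms. Added example, not code from the original article; the event
lines, address ranges, thresholds and poll results are constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("10.20.0.0/16")   # assumed video private network range

# Constructed syslog-style events from an SSH service, a DHCP server and a firewall
EVENTS = [
    "Mar 03 09:12:01 cam-ctrl sshd: login failed for user admin from 10.20.1.99",
    "Mar 03 09:12:02 cam-ctrl sshd: login failed for user admin from 10.20.1.99",
    "Mar 03 09:12:03 cam-ctrl sshd: login failed for user root from 10.20.1.99",
    "Mar 03 09:12:04 cam-ctrl sshd: login failed for user admin from 10.20.1.99",
    "Mar 03 09:12:05 cam-ctrl sshd: login failed for user admin from 10.20.1.99",
    "Mar 03 09:12:30 cam-ctrl sshd: login failed for user ops from 10.20.2.8",
    "Mar 03 09:13:10 dhcpd: DHCPACK on 10.20.1.99 to 3c:5a:b4:00:00:01",
    "Mar 03 09:14:00 fw: DENY IN=eth1 SRC=10.20.1.13 DST=203.0.113.7 PROTO=TCP DPT=443",
]

# Each pattern names the fields the analysis needs; order matters (first match wins).
PATTERNS = {
    "auth_failure": re.compile(r"login failed for user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    "dhcp_lease": re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"),
    "fw_deny": re.compile(r"DENY .*SRC=(?P<ip>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dport>\d+)"),
}


def parse_events(lines):
    """Tag each line with the first pattern it matches; unmatched lines become 'other'."""
    parsed = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                parsed.append((kind, m.groupdict()))
                break
        else:
            parsed.append(("other", {"raw": line}))
    return parsed


def event_alarms(parsed, fail_threshold=5):
    """Alarms derived from events: password guessing, and a private-network
    host whose blocked traffic was aimed outside the private network."""
    alarms = []
    failures = Counter(f["ip"] for kind, f in parsed if kind == "auth_failure")
    for ip, n in sorted(failures.items()):
        if n >= fail_threshold:
            alarms.append(("brute_force", ip, n))
    for kind, f in parsed:
        if (kind == "fw_deny" and ip_address(f["ip"]) in PRIVATE_NET
                and ip_address(f["dst"]) not in PRIVATE_NET):
            alarms.append(("egress_attempt", f["ip"], f["dst"]))
    return alarms


# Constructed device registry and two successive poll results (sets of responding IPs)
REGISTERED = {f"10.20.1.{i}" for i in range(11, 21)}          # ten registered cameras
POLL_PREV = REGISTERED - {"10.20.1.20"}                        # one camera already down
POLL_NOW = (POLL_PREV - {"10.20.1.15"}) | {"10.20.1.99"}       # another drops, unknown host appears


def poll_alarms(prev, now, registered):
    """Compare two polls: hosts that appeared (registered or not) and hosts that vanished."""
    alarms = []
    for ip in sorted(now - prev):
        alarms.append(("new_device" if ip in registered else "unauthorized_access", ip))
    for ip in sorted(prev - now):
        alarms.append(("device_offline", ip))
    return alarms


def online_rate(now, registered):
    """Share of registered cameras that answered the current poll."""
    return len(now & registered) / len(registered)


if __name__ == "__main__":
    for alarm in event_alarms(parse_events(EVENTS)):
        print("EVENT ALARM", alarm)
    for alarm in poll_alarms(POLL_PREV, POLL_NOW, REGISTERED):
        print("POLL ALARM", alarm)
    print("camera online rate:", online_rate(POLL_NOW, REGISTERED))
```

In a real deployment the poll sets would come from the platform's active scans (ICMP, RTSP or ONVIF probes) and the event lines from syslog collection, but the two alarm paths are independent: the DHCP lease for 10.20.1.99 and the brute-force alarm against the same address corroborate the poll's unauthorized-access alarm, which is the kind of cross-source correlation the platform exists to do.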

4 Conclusion

The traffic management video private network is large in scale, has many network branches and geographically dispersed front-end access equipment, is difficult to supervise manually, and carries large volumes of sensitive data; all of these create substantial security risks. In recent years IoT security incidents have become increasingly frequent, and the security of video private networks has drawn wide attention. To meet the security construction needs of the video private network, the protection level of device security, network security and application security should be raised and security operation and maintenance strengthened; comprehensive management and control is of great significance to the security of the traffic management video private network.

micohuang