Hospital Network Security Management Plan
[Abstract] Drawing on many years of work experience, this article discusses hospital network security and how to achieve it at minimal cost.
[Keywords] router, core switch, antivirus software, VLAN, Sniffer
Hospital informatization is advancing rapidly, but the security state of hospital IT systems is worrying: many hospitals spend large sums on expensive computers and network equipment and still fail to get the expected results. Below I discuss network security in the context of our own hospital.
Our hospital's information system has more than two hundred computers spread across an internal network, an external (Internet) network and a medical-insurance network, so the network structure is fairly complex. A detailed security plan is therefore necessary; without one, security problems appear easily. Our hospital's network security plan is as follows:
1. Divide the whole network into nine segments and strictly control communication between the segments.
2. On the router, control the computers that may reach the Internet by closing ports, binding IP addresses, shutting the router down on a schedule, and limiting bandwidth and traffic.
3. Install a network-edition antivirus product and use it to protect and disinfect the LAN computers and to download and install patches.
4. Configure a mirror port on the core switch and use the Colasoft network analysis system to analyze and monitor the quality of the whole hospital network.
5. Configure software-firewall rules on the Windows 2008 server to keep the server secure.
Our hospital's network hardware: the ingress router is an H3C 18-21A, the core switch an H3C 5500EI, and the layer-2 switches are H3C S3100-26TP-SI. The external network reaches the router over fiber at 20 Mbps; the core switch and the layer-2 switches are connected by fiber at 1 Gbps; the layer-2 switches and the desktops are connected with Cat 6 cabling at 100 Mbps.
Below is our hospital's network topology (the switch models shown in the figure are not the ones our hospital uses).
Our network is divided into eight segments in total; the psychiatry department, being far from the hospital, dials in over VPN to reach the hospital servers.
VLAN 10   192.133.1.1     router and antivirus-server segment
VLAN 20   192.133.2.1     server segment
VLAN 30   192.133.3.1     administration building, finance office
VLAN 40   192.133.0.150   cashier's office, pharmacy, nursing department
VLAN 50   192.133.5.1     clinical building 1
VLAN 60   192.133.6.1     clinical building 2 and the laboratory
VLAN 70   192.133.7.1     outpatient building
VLAN 80   192.133.8.1     radiology and CT room
VLAN 100  192.133.10.1    network monitoring
VLANs 30 through 100 can all reach VLAN 10 and VLAN 20, but the VLAN 30 to VLAN 70 segments cannot reach one another, and VLAN 10 and VLAN 20 cannot reach each other. The core switch configuration follows: port 1 is the monitor (mirror destination) port, and ports 2, 3, 4, 5, 6, 7, 24 and 26 are the mirrored ports. The static route points to the router at 192.133.1.3.
acl number 3000
rule 0 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.5.0 0.0.0.255
rule 5 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.6.0 0.0.0.255
rule 10 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 15 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.5.0 0.0.0.255
rule 5 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 10 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 15 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.3.0 0.0.0.255
rule 20 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3002
rule 0 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 5 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 10 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3003
rule 0 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 5 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.9.0 0.0.0.255
rule 10 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3004
rule 0 deny ip source 192.133.1.0 0.0.0.255 destination 192.133.2.0 0.0.0.255
#
traffic classifier limitspeed operator and
if-match acl 2000
traffic classifier hospital operator and
if-match acl 3000
traffic classifier vlan50 operator and
if-match acl 3002
traffic classifier vlan60 operator and
if-match acl 3001
traffic classifier vlan20 operator and
if-match acl 3004
traffic classifier vlan70 operator and
if-match acl 3003
#
traffic behavior limitspeed
car cir 128 cbs 4000 ebs 4000 green pass red discard yellow pass
traffic behavior hospital
filter deny
traffic behavior vlan50
filter deny
traffic behavior vlan60
filter deny
traffic behavior vlan20
filter deny
traffic behavior vlan70
filter deny
#
qos policy limitspeed
classifier limitspeed behavior limitspeed
qos policy hospital
classifier hospital behavior hospital
qos policy vlan50
classifier vlan50 behavior vlan50
qos policy vlan60
classifier vlan60 behavior vlan60
qos policy vlan20
classifier vlan20 behavior vlan20
qos policy vlan70
classifier vlan70 behavior vlan70
#
interface Vlan-interface1
ip address 192.133.10.1 255.255.255.0
#
interface Vlan-interface10
ip address 192.133.1.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.133.2.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.133.3.1 255.255.255.0
#
interface Vlan-interface40
ip address 192.133.0.150 255.255.255.0
#
interface Vlan-interface50
ip address 192.133.5.1 255.255.255.0
#
interface Vlan-interface60
ip address 192.133.6.1 255.255.255.0
#
interface Vlan-interface70
ip address 192.133.7.1 255.255.255.0
#
interface Vlan-interface80
ip address 192.133.8.1 255.255.255.0
#
interface GigabitEthernet1/0/1
mirroring-group 1 monitor-port
#
interface GigabitEthernet1/0/2
port access vlan 10
qos apply policy vlan20 inbound
qos apply policy vlan20 outbound
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/3
port access vlan 10
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/4
port access vlan 20
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/5
port access vlan 20
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/6
port access vlan 20
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/7
port access vlan 20
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/8
port access vlan 30
qos apply policy hospital inbound
qos apply policy hospital outbound
#
interface GigabitEthernet1/0/9
port access vlan 40
#
interface GigabitEthernet1/0/10
port access vlan 40
#
interface GigabitEthernet1/0/11
port access vlan 40
#
interface GigabitEthernet1/0/12
port access vlan 70
qos apply policy vlan70 inbound
qos apply policy vlan70 outbound
#
interface GigabitEthernet1/0/13
port access vlan 80
#
interface GigabitEthernet1/0/14
port access vlan 40
#
interface GigabitEthernet1/0/15
port access vlan 40
#
interface GigabitEthernet1/0/16
port access vlan 40
#
interface GigabitEthernet1/0/17
port access vlan 50
qos apply policy vlan50 inbound
qos apply policy vlan50 outbound
#
interface GigabitEthernet1/0/18
port access vlan 70
qos apply policy vlan70 inbound
qos apply policy vlan70 outbound
#
interface GigabitEthernet1/0/19
port access vlan 50
qos apply policy vlan50 inbound
qos apply policy vlan50 outbound
#
interface GigabitEthernet1/0/20
port access vlan 50
#
interface GigabitEthernet1/0/21
port access vlan 60
qos apply policy vlan60 inbound
qos apply policy vlan60 outbound
#
interface GigabitEthernet1/0/22
port access vlan 60
qos apply policy vlan60 inbound
qos apply policy vlan60 outbound
#
interface GigabitEthernet1/0/23
port access vlan 70
qos apply policy vlan70 inbound
qos apply policy vlan70 outbound
#
interface GigabitEthernet1/0/24
port access vlan 10
shutdown
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/25
shutdown
#
interface GigabitEthernet1/0/26
port access vlan 20
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/27
shutdown
#
interface GigabitEthernet1/0/28
shutdown
#
ip route-static 0.0.0.0 0.0.0.0 192.133.1.3
#
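Whether the ACLs above really implement the isolation described (VLAN 30-70 segments unable to reach one another, VLAN 10 and 20 separated) is easy to check mechanically. The script below is an added example, not part of the article or of H3C's tooling: it parses the advanced ACLs exactly as quoted above, then classifies each VLAN pair according to whether a deny rule exists in both directions, only one, or neither. It deliberately does not model which interface each policy is applied to, so "a deny rule exists" is a necessary, not sufficient, condition for blocking. A deny in only one direction is enough to break a TCP conversation (the reply is dropped) but does not stop one-way traffic such as UDP, so a defender normally wants both directions covered. Running it over the article's own rules shows that most pairs are denied in one direction only and that the VLAN 30/VLAN 40 pair has no deny rule at all.

```python
"""Check the core-switch ACLs against the inter-VLAN isolation the article describes."""
import ipaddress
import itertools
import re

# The advanced ACLs (3000-3004) exactly as quoted from the article's core-switch
# configuration, embedded here so the script runs offline.
ACL_CONFIG = """
acl number 3000
rule 0 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.5.0 0.0.0.255
rule 5 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.6.0 0.0.0.255
rule 10 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 15 deny ip source 192.133.3.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.5.0 0.0.0.255
rule 5 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 10 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 15 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.3.0 0.0.0.255
rule 20 deny ip source 192.133.6.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3002
rule 0 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.7.0 0.0.0.255
rule 5 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 10 deny ip source 192.133.5.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3003
rule 0 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.8.0 0.0.0.255
rule 5 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.9.0 0.0.0.255
rule 10 deny ip source 192.133.7.0 0.0.0.255 destination 192.133.0.0 0.0.0.255
acl number 3004
rule 0 deny ip source 192.133.1.0 0.0.0.255 destination 192.133.2.0 0.0.0.255
"""

# VLAN -> subnet, taken from the article's VLAN table (VLAN 40 is 192.133.0.0/24).
SEGMENTS = {
    10: "192.133.1.0/24", 20: "192.133.2.0/24", 30: "192.133.3.0/24",
    40: "192.133.0.0/24", 50: "192.133.5.0/24", 60: "192.133.6.0/24",
    70: "192.133.7.0/24", 80: "192.133.8.0/24", 100: "192.133.10.0/24",
}

RULE_RE = re.compile(
    r"rule\s+\d+\s+(?P<action>permit|deny)\s+ip\s+"
    r"source\s+(?P<src>\S+)\s+(?P<smask>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def parse_acls(text):
    """Return {acl_number: [(action, src_network, dst_network), ...]}.

    H3C writes the mask as a wildcard (0.0.0.255); ipaddress accepts that
    hostmask form directly.
    """
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"acl number (\d+)", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
            acls[current].append((m["action"], src, dst))
    return acls


def is_denied(acls, src_host, dst_host):
    """True if a deny rule in any of the ACLs matches src_host -> dst_host.

    The article's ACLs contain only deny rules, so first-match ordering
    cannot change the result and is not modelled here.
    """
    s, d = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    return any(action == "deny" and s in sn and d in dn
               for rules in acls.values() for action, sn, dn in rules)


def isolation_report(acls, vlans):
    """Classify every unordered VLAN pair: 'both' directions denied, 'one-way', or 'none'."""
    report = {}
    for a, b in itertools.combinations(vlans, 2):
        host_a = str(next(ipaddress.ip_network(SEGMENTS[a]).hosts()))
        host_b = str(next(ipaddress.ip_network(SEGMENTS[b]).hosts()))
        a_to_b = is_denied(acls, host_a, host_b)
        b_to_a = is_denied(acls, host_b, host_a)
        if a_to_b and b_to_a:
            report[(a, b)] = "both"
        elif a_to_b or b_to_a:
            report[(a, b)] = "one-way"
        else:
            report[(a, b)] = "none"
    return report


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # The article says VLANs 30-70 must not reach each other and 10/20 must not either.
    for pair, status in isolation_report(acls, [30, 40, 50, 60, 70]).items():
        print(f"VLAN {pair[0]} <-> VLAN {pair[1]}: deny rule in {status} direction(s)")
    print("VLAN 10 <-> VLAN 20:", isolation_report(acls, [10, 20])[(10, 20)])
```

Paste the rest of the switch's ACL section into `ACL_CONFIG` to extend the check; adding the `qos apply policy ... inbound` to interface mapping would turn "a deny rule exists" into "the deny is actually enforced on that port".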
To strengthen security further, the following settings were also made on the router:
1. Shut off the external network from midnight to 6:30 a.m.
2. Close most infrequently used ports. This restricts the use and download speed of some P2P software and at the same time improves network security. The settings are as follows:
rule 0 permit tcp source-port lt 1025 destination-port lt 1025
rule 1 permit tcp source-port range 1433 1435 destination-port range 1433 1435
rule 2 permit tcp source-port range 8002 8004 destination-port range 8002 8004
rule 4 permit tcp source-port eq 8000 destination-port eq 8000
rule 6 permit tcp source-port range 7709 7711 destination-port range 7709 7711
rule 7 permit tcp source-port eq 7080 destination-port eq 7080
rule 8 permit tcp source 192.133.3.7 0 destination-port range 4000 4200
rule 9 permit udp source 192.133.10.2 0
rule 10 permit tcp source 192.133.10.2 0
rule 11 permit udp source 192.133.3.7 0 destination-port range 4000 4200
rule 16 deny udp source 192.133.0.0 0.0.255.255 source-port range 1024 1432 destination-port range 1024 1432 time-range closefilm
rule 17 deny udp source 192.133.0.0 0.0.255.255 source-port range 1436 7079 destination-port range 1436 7079 time-range closefilm
rule 18 deny udp source 192.133.0.0 0.0.255.255 source-port range 7081 7999 destination-port range 7081 7999 time-range closefilm
rule 19 deny udp source 192.133.0.0 0.0.255.255 source-port gt 8004 destination-port gt 8004 time-range closefilm
rule 20 permit tcp source 192.133.0.168 0 source-port gt 1023 destination-port gt 1023
rule 24 deny tcp source 192.133.0.0 0.0.255.255 source-port range 1024 1432 destination-port range 1024 1432 time-range closefilm
rule 25 deny tcp source 192.133.0.0 0.0.255.255 source-port range 1436 7079 destination-port range 1436 7079 time-range closefilm
rule 26 deny tcp source 192.133.0.0 0.0.255.255 source-port range 7081 7999 destination-port range 7081 7999 time-range closefilm
rule 27 deny tcp source 192.133.0.0 0.0.255.255 source-port gt 8004 destination-port gt 8004 time-range closefilm
rule 28 deny tcp time-range closenet
rule 29 deny udp time-range closenet
rule 30 deny ip time-range closenet
rule 31 deny tcp destination-port eq 135
rule 40 deny udp destination-port eq netbios-ns
rule 41 deny udp destination-port eq netbios-dgm
rule 42 permit tcp source 192.133.0.39 0 time-range zyf
rule 43 deny tcp source 192.133.0.39 0 time-range closezyf
rule 44 deny ip source 192.133.0.39 0 time-range closezyf
rule 47 permit udp source 192.133.0.149 0
rule 48 permit udp source 192.133.0.168 0
rule 49 permit udp source-port lt 1025 destination-port lt 1025
rule 50 permit udp source-port range 1433 1435 destination-port range 1433 1435
rule 51 permit udp source-port range 8002 8004 destination-port range 8002 8004
rule 52 permit udp source-port eq 8000 destination-port eq 8000
rule 53 permit udp source-port range 7709 7711 destination-port range 7709 7711
rule 54 permit udp source-port eq 7080 destination-port eq 7080
rule 58 deny tcp destination-port eq 2710
rule 59 deny tcp destination-port eq 6969
rule 60 deny tcp destination-port range 8881 8999
rule 61 deny tcp destination-port eq 10137
rule 62 deny tcp destination-port eq 16881
rule 63 deny tcp destination-port range 4661 4662
rule 77 permit tcp source 192.133.0.149 0
rule 78 deny ip source 192.133.0.44 0 time-range closebcs
rule 79 permit tcp source 192.133.0.38 0 time-range zyf
rule 80 deny tcp source 192.133.0.38 0 time-range closezyf
rule 81 deny ip source 192.133.0.38 0 time-range closezyf
rule 82 permit tcp source 192.133.0.69 0 time-range zyf
rule 83 deny ip source 192.133.0.69 0 time-range closezyf
rule 84 deny tcp source 192.133.0.69 0 time-range closezyf
rule 85 permit tcp source-port range 1433 1435
3. Restrict client Internet access by binding IP addresses to MAC addresses
arp static 192.133.0.60 001f-d0cf-7fec
arp static 192.133.0.168 0016-17ca-43dc
arp static 192.133.0.90 4061-866e-088c
arp static 192.133.0.53 0016-1710-6d79
…………………
arp static 192.133.0.141 0016-17ca-43df
arp static 192.133.3.152 0023-5a13-dfff
arp static 192.133.5.204 705a-b620-ada7
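A static binding list like the one above only protects the network if someone regularly checks the live ARP table against it. The script below is an added example, not part of the article or of the router's software: it parses `arp static` lines, normalizes the two common MAC notations (H3C `001f-d0cf-7fec` and colon form), and compares the bindings with a constructed ARP table dump laid out as IP, MAC, VLAN and interface columns. The table itself, the `192.133.0.77` host and the `0050-56ab-1234` address are invented for the demonstration; the four binding lines are the ones quoted in the article.

```python
"""Audit a live ARP table against the router's static IP-to-MAC bindings."""
import re

# The first four static bindings quoted in the article (the article elides the rest).
STATIC_ARP_CONFIG = """
arp static 192.133.0.60 001f-d0cf-7fec
arp static 192.133.0.168 0016-17ca-43dc
arp static 192.133.0.90 4061-866e-088c
arp static 192.133.0.53 0016-1710-6d79
"""

# Constructed sample of an ARP table dump (IP, MAC, VLAN, interface), not from the page.
# One entry disagrees with its binding and one IP has no binding at all.
LIVE_ARP_TABLE = """
192.133.0.60    001f-d0cf-7fec  40   GE1/0/9
192.133.0.168   0016-17ca-43dc  40   GE1/0/10
192.133.0.90    0050-56ab-1234  40   GE1/0/11
192.133.0.77    0016-17ca-43df  40   GE1/0/14
"""


def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits so formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_static_bindings(text):
    """Return {ip: normalized_mac} from 'arp static <ip> <mac>' lines."""
    bindings = {}
    for m in re.finditer(r"arp static (\S+) (\S+)", text):
        bindings[m.group(1)] = norm_mac(m.group(2))
    return bindings


def parse_arp_table(text):
    """Return [(ip, normalized_mac, vlan, interface)] from the column layout above."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ip, mac, vlan, iface = parts
            entries.append((ip, norm_mac(mac), vlan, iface))
    return entries


def audit(bindings, table):
    """Split live entries into ok / mismatch / unregistered, plus bindings never seen."""
    result = {"ok": [], "mismatch": [], "unregistered": [], "missing": []}
    seen = set()
    for ip, mac, _vlan, _iface in table:
        seen.add(ip)
        if ip not in bindings:
            result["unregistered"].append((ip, mac))      # host never registered
        elif bindings[ip] != mac:
            result["mismatch"].append((ip, bindings[ip], mac))  # registered MAC differs
        else:
            result["ok"].append(ip)
    result["missing"] = [ip for ip in bindings if ip not in seen]  # bound but offline
    return result


if __name__ == "__main__":
    report = audit(parse_static_bindings(STATIC_ARP_CONFIG), parse_arp_table(LIVE_ARP_TABLE))
    for kind, items in report.items():
        print(f"{kind:12s} {items}")
```

A mismatch is the line worth acting on first: either the machine was replaced without updating the binding, or something else is answering for that address. Unregistered hosts are the gap in the registration list the article keeps for every computer.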
4. Limit Internet access speed
A. First define the rules
acl number 3001
rule 0 permit ip destination 192.133.3.17 0
rule 7 permit ip destination 192.133.0.96 0
rule 8 permit ip destination 192.133.3.151 0
……………………………
acl number 3050
rule 0 permit ip destination 192.133.0.156 0
rule 1 permit ip destination 192.133.0.168 0
#
B. Control Internet bandwidth
qos car inbound acl 3001 cir 960000 cbs 960000 ebs 0 green pass red discard
qos car inbound acl 3002 cir 960000 cbs 960000 ebs 0 green pass red discard
qos car inbound acl 3003 cir 960000 cbs 960000 ebs 0 green pass red discard
………………………………
qos car inbound acl 3050 cir 960000 cbs 960000 ebs 0 green pass red discard
qos car inbound acl 3051 cir 960000 cbs 960000 ebs 0 green pass red discard
qos car outbound acl 3001 cir 960000 cbs 960000 ebs 0 green pass red discard
…………………………………….
qos car outbound acl 3049 cir 960000 cbs 960000 ebs 0 green pass red discard
qos car outbound acl 3050 cir 960000 cbs 960000 ebs 0 green pass red discard
qos gts acl 3001 cir 960000 cbs 960000 ebs 0 queue-length 50
qos gts acl 3069 cir 960000 cbs 960000 ebs 0 queue-length 50
……………………………………
qos gts acl 3070 cir 960000 cbs 960000 ebs 0 queue-length 50
5. Configure a NAT server so the monitoring desktop can be reached remotely
nat server protocol tcp global x.x.x.x 3389 inside 192.133.10.2 3389
interface Atm2/0
firewall packet-filter 3000 outbound
nat server protocol tcp global x.x.x.x 3389 inside 192.133.10.2 3389
6. Configure the L2TP VPN
#
interface Virtual-Template0
remote address pool 2
#
interface Virtual-Template1
ppp authentication-mode pap
ip address 192.168.0.1 255.255.255.0
remote address pool 2
#
#
-group 1
undo tunnel authentication
mandatory-lcp
allow virtual-template 1
#
7. Configure routing
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x preference 60
ip route-static 172.16.0.0 255.255.255.0 192.133.0.2 preference 60
ip route-static 192.133.0.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.1.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.2.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.3.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.5.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.6.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.7.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.8.0 255.255.255.0 192.133.1.1 preference 60
ip route-static 192.133.10.0 255.255.255.0 192.133.1.1 preference 60
III. Install the network-edition antivirus software
We installed the Jiangmin network-edition antivirus software. Although the client machines are kept off the Internet, it updates virus definitions and installs operating-system patches on a schedule, and the health of every computer can be checked conveniently over the network. The upper part of the figure below shows the client list.
The figure below shows the hardware and software of a single computer.
Client virus-infection status
Update the patch library and install operating-system patches on every client on a schedule.
Register the IP and MAC address of every computer.
Monitoring the network with the Colasoft network analysis system
Network traffic
Network summary
From these two views we can see the load on the whole network.
Protocol analysis
Per-host communication: by analyzing a single computer's traffic we can tell whether it is doing business work, watching movies for entertainment, or is infected with a virus.
For example, the computer 192.133.8.39 was generating a lot of traffic; double-clicking into its analysis showed that it is a radiology computer communicating with the server.
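The judgement made above by hand (is this host talking to the servers for business, or doing something else?) can be automated once traffic is exported as flow records. The script below is an added example, not part of the article or of the Colasoft product: over constructed flow records it totals bytes per source host, measures how much of each host's traffic goes to the server segment (VLAN 20) on the application ports the router's ACL permits (1433-1435, 8000, 8002-8004, 7709-7711, 7080), and marks the rest for review. The flow records, the server address 192.133.2.10, the outside host 203.0.113.5 and the 80% business-share threshold are assumptions made for the demonstration; 192.133.8.39 is the radiology computer from the article's own example.

```python
"""Rank hosts by traffic and separate business traffic from traffic that needs a look."""
import ipaddress
from collections import defaultdict

SERVER_SEGMENT = ipaddress.ip_network("192.133.2.0/24")  # VLAN 20 in the article
# TCP ports the router's ACL permits for hospital applications (rules 1, 2, 4, 6, 7).
BUSINESS_PORTS = {*range(1433, 1436), *range(8002, 8005), 8000, *range(7709, 7712), 7080}

# Constructed flow records (src, dst, dst_port, bytes); a Capsa export would be mapped
# onto the same tuple shape. Hosts other than 192.133.8.39 are invented.
FLOWS = [
    ("192.133.8.39", "192.133.2.10", 1433, 48_000_000),  # radiology PC <-> DB server
    ("192.133.8.39", "192.133.2.10", 8000, 2_000_000),
    ("192.133.7.21", "203.0.113.5", 443, 30_000_000),    # bulk traffic to an outside host
    ("192.133.7.21", "192.133.2.10", 1433, 500_000),
    ("192.133.5.88", "192.133.6.12", 4662, 9_000_000),   # cross-segment, on a port the router denies
]


def summarize(flows):
    """Per source host: total bytes, bytes to servers on business ports, other peers/ports."""
    per_host = defaultdict(lambda: {"total": 0, "business": 0,
                                    "other_ports": set(), "other_peers": set()})
    for src, dst, port, nbytes in flows:
        rec = per_host[src]
        rec["total"] += nbytes
        if ipaddress.ip_address(dst) in SERVER_SEGMENT and port in BUSINESS_PORTS:
            rec["business"] += nbytes
        else:
            rec["other_ports"].add(port)
            rec["other_peers"].add(dst)
    return dict(per_host)


def classify(rec, threshold=0.8):
    """'business' when at least `threshold` of the host's bytes are server application traffic."""
    share = rec["business"] / rec["total"] if rec["total"] else 0.0
    return "business" if share >= threshold else "review"


def top_talkers(flows, n=5):
    """Return [(host, total_bytes, verdict)] sorted by volume, largest first."""
    summary = summarize(flows)
    ranked = sorted(((h, r["total"], classify(r)) for h, r in summary.items()),
                    key=lambda item: item[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    summary = summarize(FLOWS)
    for host, total, verdict in top_talkers(FLOWS):
        extra = summary[host]
        print(f"{host:14s} {total/1e6:7.1f} MB  {verdict:8s} "
              f"other ports={sorted(extra['other_ports'])} peers={sorted(extra['other_peers'])}")
```

The radiology host ends up first in volume but classified as business, which is exactly the conclusion the article reached by inspection; the two invented hosts land in "review" because their bytes go to an outside address or to another hospital segment on a port the router blocks.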
Summary: With the settings above, our network administrators have a clear picture of the security state of the whole network; problems can be discovered at any time and quickly located and resolved. Downloading and installing system patches promptly prevents a virus on a single computer from spreading across the whole network, and even if a problem appears in one segment it does not bring down the entire network. Administrators can also monitor the network and resolve issues through Remote Desktop.