Presently, the super user (such as Administrator or root) of general-purpose Windows NT/2000/2003 has overwhelming authority, which creates immeasurable hidden security risks if the account is held by unauthorized users. Kernel reinforcing technology and a rational administration mode can properly disperse and restrict the super user's authority, eliminating its capability to threaten the security of Windows NT/2000/2003. Moreover, the environment in which intrusion methods such as viruses, Trojan horses and hacker attacks survive can be controlled, making the system immune to security problems under the second level, and host transparency can be enhanced to the third-level standard on the precondition that current applications are guaranteed.
Product Features:
Module composition, functions and features of SSR for Windows
- Mandatory access control module for kernel-level files
Access rules can be set on files/directories for users or processes with different access rights, and security levels can be set on files/directories and users, so that access control is carried out through the security module according to level (flexible process-based mandatory access control that is completely compatible with the 2000/2003 system access control list). Create, delete, modify and read operations on sensitive files or directories by any user (including Administrator) or by a called process can be filtered (allowed or denied) according to SSR rules.
- Mandatory access control module for the kernel-level registry
Access rules can be set on registry items for processes with different access rights. Write operations by any user (including Administrator) or by a called unauthorized process on read-only or access-forbidden registry items are denied unconditionally.
- Mandatory access control module for kernel-level processes
Access rules can be set on processes for processes with different access rights. No user (including Administrator) or called unauthorized process has the right to terminate or operate on processes under the protection of SSR.
- Mandatory access control module for kernel-level services
This module enforces access control on services by promptly detecting any newly added application service or driver and immediately forcing termination of the registration of that application service or driver.
- Integrity verification module for application-level files
The user designates the crucial read-only directories and data file names for which verification information is to be established, and the verification program automatically records the basic attributes and content checksum of all files in the directory. Through regular validation of the checksums, the integrity of important files or directories can be verified.
- Integrity verification for application-level services
The verification program automatically records the basic attributes and content checksum of all services in the directory. Through regular validation of the checksums, service integrity can be verified.
- IIS-based Web page monitoring and filtering
GET and POST requests submitted by all users are monitored, and the information returned by the server is also monitored, so as to avoid invalid requests and the return of invalid information.
- ID authentication
While respecting traditional ID authentication, a hardware USB-KEY and a password are applied for dual ID authentication of the security administrator and the audit administrator respectively. Secure and reliable, it guarantees the confidentiality, integrity and validity of data.
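
The file integrity verification module described above (record basic attributes and a content checksum for every file in a designated directory, then re-verify regularly) can be sketched as follows. This is an added example, not SSR code; SHA-256 as the checksum, the record fields and the constructed sample files are assumptions.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Record basic attributes and a SHA-256 content checksum for every file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            digest = None  # non-regular files (e.g. symlinks) are tracked by attributes only
            if stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            records[os.path.relpath(path, root)] = {
                "size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}
    return records

def verify(baseline, current):
    """Compare a later snapshot with the baseline; return findings sorted by path."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "content changed"))
        elif (old["size"], old["mode"]) != (new["size"], new["mode"]):
            findings.append((rel, "attributes changed"))
    return findings

def demo():
    """Constructed sample: baseline a temporary directory, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.conf", b"port=80\n"), ("index.html", b"ok\n"), ("old.dll", b"\0")):
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)  # in practice, store this where the monitored account cannot write
        Path(root, "index.html").write_bytes(b"defaced\n")
        Path(root, "old.dll").unlink()
        Path(root, "dropped.exe").write_bytes(b"MZ")
        return verify(baseline, snapshot(root))

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:18} {rel}")
```

A baseline that the monitored account can rewrite verifies nothing, which is why the page pairs this application-level check with kernel-level access control over the protected files.
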
SSR module composition, functions and features
- ID authentication technology
SSR for Linux uses digital signatures to authenticate the identity of the security administrator. The web-based access interface is only a rule-setting interface, which the SSR security administrator can operate after logging on by means of a digital signature. Subjects and objects can be assigned security labels, and the operation of SSR is not affected when the interface is closed.
- Mandatory Access Control (MAC)
Mandatory Access Control (MAC) in SSR for Linux is divided into two parts: user-based access control to files and process-based access control to files. While running, a process is bound to a user subject, so the process is also a subject. Even the root user cannot access an object under the protection of a security label unless it has the MAC right.
At the system access interfaces (write operations, read operations, process-kill operations, etc.), we establish an access control list from the label table transferred from the application layer into memory, and use it to decide whether the subject has the right to the object at that access interface.
- Web-based configuration management interface
The configuration of SSR for Linux can be managed through the Web. In browser/server (B/S) communication mode, communication encryption and certificate transfer are implemented, so that the administrator can manage SSR for Linux conveniently and safely; that is, the user can manage SSR for Linux remotely by using IE on a remote Windows computer.
- Process protection mechanism
SSR for Linux provides a process protection mechanism that prevents malicious users from killing important system processes and service processes, so as to guarantee normal operation of the system. Here the objects are processes, and even the root user cannot terminate processes under protection.
At the process operation access interface, the process and user labels in memory are checked to judge whether the user has the right to terminate the process.
- Network Mandatory Access Control
The subject here is the user, and the object is the network resource. SSR divides network resources into two types: arbitrary binding to socket ports, and remotely connected network resources. By default SSR forbids every subject (user) from using these two types of network resource; that is, all users are denied binding ports or connecting to remote network resources. This prevents hackers who have illegally obtained DAC control authority from creating covert channels in the system, stealing network resources, etc.
Here the object is the network and the subject is the user. At the relevant network access interface, the security labels of subject and object in memory are used to judge whether the user has the right to use network resources.
Installation specification table of SSR system kernel-reinforcing product

| Product name | Supporting components | Specification and indexes |
|---|---|---|
| SSR for Windows | CPU | Intel 450 MHz CPU or x86-architecture PC or compatible computer with higher clock frequency; a 1000 MHz CPU is recommended |
| | Memory | 64 MB or higher capacity; 128 MB is recommended |
| | Hard disk space for product installation | Free hard disk space above 80 M, used to store the system programs |
| | Hard disk space for log storage | Free hard disk space of over 1 G, used for log storage |
| | CD drive | CD-ROM or DVD drive |
| | USB | USB V1.1 interface or higher |
| | Operating system | Windows 2000 series, Windows NT Server/Workstation 4.0 Service Pack 3 Chinese, Windows 2003 Chinese; for English Windows NT 4.0, Windows 2000 or Windows 2003, the user is required to install a Chinese environment, such as RichWin for NT or another Chinese system |
| SSR for Linux | CPU | 586 or higher PC CPU or other compatible CPU |
| | Memory | 64 MB or higher; 128 MB is recommended |
| | Hard disk space for product installation | Free hard disk space over 80 M, used to store the system programs |
| | Hard disk space for log storage | Free hard disk space over 10 G, used to store the log files |
| | CD drive | CD-ROM or DVD drive |
| | USB | USB V1.1 interface or higher |
| | Operating system | Applicable to various mainstream Linux systems; applicable versions include the various versions issued by large manufacturers such as Redhat, Debian, Mandrake, SuSE, Slackware, Turbolinux and Red Flag; multi-CPU SMP is also supported |

After-sale product service
Inspur Group promises a product warranty period of three years.
- Staffing of the support center
Inspur Group assigns experienced security technicians to after-sale support services.
- Product failure processing and response time
A 7*24-hour product failure hotline is provided, with dedicated staff assigned to respond to and process failures, offering remote technical support within one hour. On-site resolution may be arranged conditionally when the failure cannot be solved remotely, and the travel and accommodation expenses shall be paid by the client.
- Supporting mode of service
Hotline phone support
Inspur Group provides a 7*24-hour (legal and corporation holidays excepted) hotline technical support service. General problems will be solved promptly. For problems that cannot be solved immediately, notification by phone and fax reply will be made within 24 hours after the solution is found.
Mail reply
Inspur Group provides a technical support service by email; messages will be replied to within 24 hours of the date of receipt.