Understanding Security Classification: Key Measures and Software Solutions for Information Protection

Classification Levels

The “Information Security Classification Protection Management Measures” stipulate that national information security classification protection follows the principle of self-classification and self-protection: the operator assigns the level to its own system and is responsible for protecting it accordingly. The security protection level of an information system is determined by the system’s importance to national security, economic development and social life, and by the degree of harm that would be done to national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons and other organizations if the system were compromised. Five levels are defined:

Level 1: a compromise damages the legitimate rights and interests of citizens, legal persons and other organizations, but does not harm national security, social order or public interests. Units operating and using first-level systems protect them according to the relevant national management norms and technical standards.

Level 2: a compromise seriously damages the legitimate rights and interests of citizens, legal persons and other organizations, or damages social order and public interests, without harming national security. The national information security regulatory department guides the classification protection work for these systems.

Level 3: a compromise seriously damages social order and public interests, or harms national security. The national information security regulatory department supervises and inspects these systems.

Level 4: a compromise does particularly serious damage to social order and public interests, or serious harm to national security. The national information security regulatory department enforces mandatory supervision and inspection of these systems.

Level 5: a compromise does particularly serious harm to national security. The national information security regulatory department conducts specialized supervision and inspection of these systems.

The purpose of this article is to survey which open-source software can stand in for the hardware appliances normally bought to satisfy Level 3 requirements (items with mandatory hardware requirements are not discussed), and to collect them in one place so they need not be searched for again in future projects.

Security Management Center System: Security Classification

OSSIM Security Classification

OSSIM (Open Source Security Information Management) is a popular and fairly complete open-source security architecture. By integrating existing open-source products (Snort, OpenVAS, Nagios, Ntop and OSSEC, among others), OSSIM provides a foundation on which security monitoring can be built. Its purpose is a centralized, organized framework that allows better monitoring and display of security information. OSSIM consists of five modules: data collection, monitoring, detection, auditing, and console. Together these cover the whole process from preventing events to handling them, which is why OSSIM is often described as the most comprehensive open-source option. The five modules are arranged in three tiers: the top-level security information display (control panel), the mid-level risk and activity monitoring, and the low-level evidence console and network monitoring, each tier contributing different functions to the secure operation of the system as a whole.

Open-Source Bastion Host/Operations Audit System

Jumpserver Security Classification

JumpServer describes itself as the world’s first fully open-source bastion host. It is released under the GNU GPL v2.0 license and is a professional operations audit system built around the 4A model (authentication, authorization, accounting and audit). It supports jump access over the RDP and SSH protocols, command and session recording, asset management, and log audit.

GateOne: Security Classification

GateOne is a powerful open-source web-based SSH terminal built on the Tornado framework and HTML5. It supports connections to remote machines using multiple accounts and terminal windows, several authentication methods, embedding in other web applications, and a range of plugins. It currently does not support Windows.

Teleport

Teleport is a simple, easy-to-use bastion host system from TuWei Software, characterized by its small footprint, ease of use and ease of integration; it supports jump access over the RDP and SSH protocols.

Kylin Open Source Bastion Host – Security Classification

The Kylin Bastion Host supports all common protocols, network management functions, a 3A (authentication, authorization, accounting) subsystem, dynamic one-time passwords, SSL VPN, CA certificates, and jump access over the RDP and SSH protocols.

Open-Source Intrusion Detection System (IDS/IPS)

Snort

Snort is the best-known intrusion detection system (IDS). It needs hardware to run on, plus time for installation, configuration and maintenance. Snort runs on most operating systems, including Windows and Linux. It has long been a leader in both network intrusion detection (IDS) and intrusion prevention (IPS), and with ongoing support from Sourcefire (now part of Cisco), which for years has sold a fully supported commercial version with timely rule updates while still providing a free version with delayed updates, Snort is likely to keep that position. While Snort dominates this market, other vendors also provide similar free tools, and many of these IDS vendors, if not the majority, build on the Snort engine or other open-source engines to create powerful free intrusion detection services.

Security Onion

Security Onion is an Ubuntu-based Linux distribution for network security monitoring and intrusion detection. The image can be deployed as sensors across the network to monitor multiple VLANs and subnets, and it runs in VMware and other virtual environments. In this configuration it can currently only be used as an IDS, not as an inline IPS, but it can be deployed for both network and host intrusion detection, using tools such as Sguil, Bro IDS (now Zeek) and OSSEC to perform those functions. The project’s wiki and documentation are extensive, and vulnerabilities and bugs are tracked and reviewed. Security Onion is powerful, but it is still under continuous development, which of course takes time.

OSSEC Security Classification

OSSEC is an open-source host-based intrusion detection system (HIDS) whose functionality goes beyond intrusion detection. Like most open-source IDS products, it has additional modules that combine with the core functions. In addition to log analysis, the OSSEC agent performs file integrity monitoring and rootkit detection with real-time alerting, all managed centrally, and different policies can be defined to suit enterprise needs. The agent runs locally on most operating systems, including the various Linux distributions, Mac OS X and Windows. Commercial support has also been available from Trend Micro’s global support team, making it a very mature product.

OpenWIPS-NG: Security Classification

OpenWIPS-NG is a free wireless IDS/IPS built from a server, sensors and an interface. It runs on ordinary hardware. It was created by the author of Aircrack-ng and reuses many of Aircrack-ng’s functions and services for scanning, detection and intrusion prevention. OpenWIPS-NG is modular: administrators can download plugins to add functionality. Its documentation is not as detailed as some systems’, but it lets companies implement WIPS on a tight budget.

Suricata: Security Classification

Among currently available IDS/IPS systems, Suricata is the one best able to compete with Snort. Its architecture resembles Snort’s, it relies on Snort-style signatures, and it can consume the VRT Snort rules and the same Emerging Threats rule set that Snort itself uses; its main architectural difference is a multi-threaded engine. Suricata is newer than Snort and may well surpass it in future. If Snort is not your enterprise’s preference, this free tool is a good fit for deployment on your enterprise network.
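The Snort and Suricata descriptions above both turn on the fact that the two engines share a rule language: a header (action, protocol, addresses, direction, ports) followed by options such as content, nocase, pcre, msg and sid. The block below is an added example written for this page, not code from Snort or Suricata, that evaluates a small subset of that language over constructed packets. The two rules, the sids in the local 1000000+ range and the sample HTTP payloads are all constructed for the example; the real engines add flow tracking, protocol decoders and fast multi-pattern matching that are omitted here.

```python
"""Minimal evaluator for a subset of the Snort/Suricata rule language.
Illustrative code for this page (not Snort's or Suricata's engine).
Supported: header fields, content:"..." with |hex| escapes, nocase,
pcre:"/.../flags", msg and sid. Everything else is ignored."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:            # constructed sample packet, not a real capture
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str                                  # "any" or a port number
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [[needle_bytes, nocase]]
    pcre: "re.Pattern | None" = None


HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$", re.S)


def _split_options(opts: str) -> list:
    """Split 'k:v; k2; ...' on ';' but not inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def _content_bytes(text: str) -> bytes:
    """Decode Snort content syntax: literal text with |3a 20| hex escapes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, dport, opts = m.groups()
    rule = Rule(action, proto, dport)
    for opt in _split_options(opts):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append([_content_bytes(val), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True        # nocase modifies the preceding content
        elif key == "pcre":
            cut = val.rfind("/")               # value looks like "/pattern/flags"
            flags = re.I if "i" in val[cut + 1:] else 0
            rule.pcre = re.compile(val[1:cut], flags)
        elif key == "sid":
            rule.sid = int(val)
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header first, then every content, then the pcre; all must hold."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt.dst_port:
        return False
    for needle, nocase in rule.contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    if rule.pcre and not rule.pcre.search(pkt.payload.decode("latin-1")):
        return False
    return True


# Constructed rules in Snort syntax (local sid range 1000000+).
RULES = [parse_rule(r) for r in (
    r'alert tcp any any -> any 80 (msg:"Directory traversal in HTTP URI"; '
    r'content:"../"; pcre:"/^GET\s+\S*\.\.\//i"; sid:1000001; rev:1;)',
    r'alert tcp any any -> any 80 (msg:"sqlmap User-Agent"; '
    r'content:"User-Agent|3a| sqlmap"; nocase; sid:1000002; rev:1;)',
)]

# Constructed sample traffic: traversal on port 80, scanner UA on port 80,
# and the same traversal on a port the rule header does not cover.
PACKETS = [
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                      b"User-Agent: SQLMAP/1.0\r\n\r\n"),
    Packet("tcp", 8443, b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def alerts(rules=RULES, packets=PACKETS) -> list:
    """Return (packet_index, sid, msg) for every rule that fires."""
    return [(i, r.sid, r.msg) for i, p in enumerate(packets)
            for r in rules if matches(r, p)]
```

Running alerts() fires sid 1000001 on the first packet and 1000002 on the second; the third packet carries the same traversal string but is ignored because the rule header only covers destination port 80, which is the point to remember when porting rules between Snort and Suricata: the header is evaluated before any payload option, so a mismatched port list silently disables a rule.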

Bro IDS

Like Security Onion, Bro IDS combines several tools, but unlike signature-driven systems it relies mainly on its own scripting language to determine what is happening on the network and where an attack comes from. It once shipped a tool that translated Snort signatures into Bro signatures, but that is no longer maintained; users now write their own Bro signatures and scripts. The system has extensive documentation and more than 15 years of history.

Prelude IDS Security Classification

Prelude IDS is designed for large networks. It implements network sensors, log analyzers, and a central console for viewing and analyzing alerts. Its network sensor essentially replicates Snort’s functionality and is fully compatible with Snort’s rule set.

Firestorm: Security Classification

Firestorm is a high-performance network intrusion detection system (NIDS). At present it implements only the sensor component, which is fully compatible with Snort’s rule set; support for analysis, reporting, a remote console and real-time sensor configuration is planned. It is fully pluggable, which makes it very flexible, it can log alerts to the Prelude IDS manager, and it claims better performance than Snort.

NetSTAT Security Classification

NetSTAT is based on the State Transition Analysis Technique (STAT) research and uses the purpose-built STATL language to describe attacks as sequences of state transitions. Attack descriptions are translated by the STATL compiler into C++ code that implements the detection logic. So far the STATL translator and a basic example network sensor (with a few sample detection scenarios) have been released. Using this IDS proficiently requires fairly strong programming skills, but it can express complex detection logic that signature-based systems cannot.

Bro

Bro is a real-time network intrusion detection system written by Vern Paxson and released in 1998 under the BSD license. Its original design goals were an intrusion detection and network monitoring/audit system with real-time alerting, separation of mechanism from policy, and high scalability on 100 Mbit/s networks.

Open Source Web Application Firewall

Web application firewalls provide security at the application layer. In essence a WAF is a dedicated layer of protection for web applications and their data: it inspects HTTP traffic for attacks such as cross-site scripting and SQL injection, and it can wrap a protective framework around an application without changing the application’s code. Web application firewalls let you configure rules to identify and block malicious content. Below are ten of the most popular and widely used open-source web application firewalls:

ModSecurity (Trustwave’s SpiderLabs)

ModSecurity is one of the oldest and most widely used open-source web application firewalls. It detects application-layer threats and protects against a range of web application attacks. It is released under an open-source license free of charge and runs as a module of the Apache web server (later releases also support nginx and IIS). ModSecurity 2.6.0 added integration with the Google Safe Browsing API, sensitive-data tracking, and the ability to modify request and response data.
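ModSecurity-style rules only work when the request is normalized before the pattern is applied: a rule that looks at the raw query string misses the same payload once it is URL-encoded, mixed-case, or split with SQL inline comments. The block below is an added example written for this page, not ModSecurity’s engine or rule set; the transformation names mirror ModSecurity’s t: actions, and the rule ids 900001/900002, the patterns and the three sample request lines are constructed for the example.

```python
"""ModSecurity-style inspection: transformation chain, then a regex over each
argument, compared with a naive check on the raw query string.
Illustrative code for this page, not ModSecurity."""
import re
from urllib.parse import unquote_plus

# Transformation functions named after ModSecurity's "t:" actions.
TRANSFORMS = {
    "urlDecode": unquote_plus,
    "lowercase": str.lower,
    "removeComments": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s).strip(),
}

# (rule id, transformation chain, pattern): constructed rules for this example.
RULES = [
    (900001, ("urlDecode", "lowercase", "removeComments", "compressWhitespace"),
     re.compile(r"\bunion\b.*\bselect\b")),
    (900002, ("urlDecode", "lowercase", "compressWhitespace"),
     re.compile(r"<\s*script\b")),
]

# What a naive filter on the raw, undecoded query string would use.
NAIVE = [(900001, re.compile(r"union\s+select")), (900002, re.compile(r"<script"))]


def transform(value: str, chain) -> str:
    """Apply the named transformations in order, as t:a,t:b,... would."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


def raw_args(request_line: str) -> list:
    """Return [(name, raw_value)] from the request target, without decoding."""
    target = request_line.split(" ", 2)[1]
    query = target.partition("?")[2]
    return [tuple(pair.partition("=")[::2]) for pair in query.split("&") if pair]


def naive_check(request_line: str) -> list:
    """Pattern match on the undecoded query string: misses encoded payloads."""
    query = request_line.split(" ", 2)[1].partition("?")[2]
    return [rid for rid, pat in NAIVE if pat.search(query)]


def waf_check(request_line: str) -> list:
    """Apply each rule's chain to every ARGS value (name=value pair), then match."""
    hits = []
    for rid, chain, pat in RULES:
        if any(pat.search(transform(v, chain)) for _, v in raw_args(request_line)):
            hits.append(rid)
    return hits


# Constructed sample request lines (not real traffic).
BENIGN = "GET /search?q=hello+world HTTP/1.1"
SQLI = "GET /search?q=1%27%20UnIoN%2F%2A%2A%2FSeLeCt%20password%20FROM%20users HTTP/1.1"
XSS = "GET /comment?text=%3CsCrIpT%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"
```

naive_check() returns nothing for the SQLI and XSS request lines, while waf_check() reports 900001 and 900002 respectively and leaves the benign request alone. The removeComments step is what catches the UnIoN/**/SeLeCt spelling; dropping it from the chain lets that variant through, which is the usual cause of a rule that "works in testing" but not against a scanner.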

AQTRONIX WebKnight

AQTRONIX WebKnight is an open-source application firewall for Microsoft IIS, implemented as an ISAPI filter and licensed under the GNU General Public License. It detects and blocks buffer overflows, directory traversal, encoding attacks and SQL injection.

ESAPI WAF

ESAPI WAF, developed by Aspect Security, is designed to provide protection at the application layer rather than the network layer. It is a Java-based WAF that protects against online attacks; one of its distinctive features is outbound filtering to reduce information leakage. It is configuration-driven rather than code-based, so installation consists of adding configuration details to a text file.

WebCastellum Security Classification

WebCastellum is a Java-based web application firewall that protects applications from cross-site scripting, SQL injection, command injection and parameter manipulation, and it integrates easily into Java-based applications. It is based on newer technology and provides protection that works alongside existing code.

Binarysec: Security Classification Overview

Binarysec for Apache is a web application firewall that protects applications from illegal HTTP and blocks suspicious requests. It protects against cross-site scripting, injection, parameter tampering, buffer overflows, directory traversal and SQL injection. It takes no more than 10 minutes to install on a machine, and its user interface can manage Apache servers and many websites.

Guardian@JUMPERZ.NET – Security Classification

Guardian@JUMPERZ.NET is an open-source application-layer firewall that inspects HTTP/HTTPS traffic to protect web applications from external attacks. When it encounters a malicious or unauthorized request, it immediately disconnects the TCP connection.

OpenWAF Security Classification

Art of Defense, a web application security provider based in San Francisco, started the open-source OpenWAF project in February 2011. It was also the first to offer a distributed web application firewall for Apache servers.

Ironbee Security Classification

Ironbee, created by Qualys, is an open-source web application firewall designed for cloud deployment; it replaces traditional IP packet inspection with evaluation of HTTP data and can even track cross-site scripting attacks. It is released under the Apache License version 2 and does not require contributors to assign copyright. It has a modular structure and is fairly easy to use.

Profense

Provided by ZION Security, Profense is an open-source web application firewall similar to ModSecurity; it is a layer 7 firewall (also known as a “proxy firewall”) that inspects traffic and blocks malicious content.

Smoothwall

Smoothwall provides network security tools, including email management. Its open-source web filtering engine, Smoothwall DansGuardian, offers flexible user rules and fully integrated web filtering and security components, along with authenticated web access and traffic blocking. Smoothwall’s free firewall is built on a hardened GNU/Linux base.

X-WAF

X-WAF is a cloud WAF system aimed at small and medium-sized enterprises, giving them a convenient way to run their own free cloud WAF.

Load Balancing

Nginx

Nginx works at layer 7 and can apply routing strategies to HTTP applications, such as splitting traffic by domain name or directory structure. Its regex-based rules are more powerful and flexible than HAProxy’s, which is one of the main reasons for its popularity, and on that point alone Nginx can be used in many more situations than LVS.

HAProxy

HAProxy is a proxy that provides high availability and load balancing for both TCP (layer 4) and HTTP (layer 7) applications and supports virtual hosts. It is a free, fast and reliable solution, particularly suited to high-load websites that need session persistence or layer 7 processing. On modern hardware HAProxy easily supports tens of thousands of concurrent connections. Its operating model makes it easy and safe to integrate into an existing architecture while keeping the web servers from being exposed directly to the network.

LVS

LVS (Linux Virtual Server) uses the Linux kernel’s IPVS module to build a high-performance, highly available load-balancing cluster with excellent scalability, reliability and manageability. It works at layer 4 purely for distribution: it forwards packets rather than terminating connections or generating traffic of its own, which is why it is the best-performing of the load-balancing software here, with relatively low memory and CPU consumption.
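The distinction the three sections above draw between layer 4 dispatch (LVS, HAProxy in TCP mode) and layer 7 routing (Nginx, HAProxy in HTTP mode) is easier to see in code. The block below is an added example written for this page, not code from LVS, HAProxy or Nginx: a layer 4 picker that only ever sees the client address and port, and a layer 7 router that parses the request line and Host header and applies longest-prefix matching the way nginx server/location blocks do. The backend addresses, hostnames, pool names and routing table are all constructed for the example.

```python
"""Layer 4 versus layer 7 dispatch, illustrative code for this page."""
import zlib


# Layer 4: the balancer sees only addresses and ports, never the payload,
# so the choice can be made before (or without) any TCP handshake with it.
def l4_pick(backends: list, client_ip: str, client_port: int) -> str:
    """Deterministic choice from the client endpoint, like a source-hash scheduler."""
    key = f"{client_ip}:{client_port}".encode()
    return backends[zlib.crc32(key) % len(backends)]


def parse_request_head(head: bytes):
    """Return (method, path, host) from the request line and Host header."""
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]   # drop an optional port
    path = target.split("?", 1)[0]
    return method, path, host


# Layer 7 routing table: (server_name, location prefix, upstream pool).
# Constructed for the example, modelled on nginx server/location blocks.
ROUTES = [
    ("www.example.test", "/", "web-pool"),
    ("www.example.test", "/static/", "cdn-pool"),
    ("api.example.test", "/", "api-pool"),
]


def l7_route(head: bytes, routes=ROUTES, default="web-pool") -> str:
    """Match the Host, then the longest location prefix (nginx semantics)."""
    _, path, host = parse_request_head(head)
    candidates = [(len(prefix), pool) for name, prefix, pool in routes
                  if name == host and path.startswith(prefix)]
    if not candidates:
        return default          # nginx: the default server handles unknown hosts
    return max(candidates, key=lambda c: c[0])[1]


# Constructed sample request heads (not real traffic).
STATIC = b"GET /static/js/app.js HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LOGIN = b"POST /login HTTP/1.1\r\nHost: www.example.test:8080\r\n\r\n"
API = b"GET /v1/users?id=7 HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
```

l7_route() sends STATIC to cdn-pool, LOGIN to web-pool (the port in the Host header is ignored) and API to api-pool, which no layer 4 scheme can do because the decision depends on bytes in the HTTP payload. l4_pick() maps the same client endpoint to the same backend every time and spreads different ports across all three backends, but it is blind to the URL, which is exactly the trade-off the LVS section describes: less work per packet, fewer routing options.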

Virus Filtering

ClamAV

ClamAV is the most popular antivirus software on the Linux platform. It is free and open source and supports multiple platforms, including Linux/Unix, Mac OS X, Windows and OpenVMS. ClamAV is a command-line virus scanner, but a graphical front end, ClamTk, is also available. It is primarily used on mail servers to scan email. It supports formats such as ZIP, RAR, TAR, GZIP, BZIP2, HTML, DOC, PDF, SIS, CHM and RTF. ClamAV has an automatic signature database updater (freshclam) and can also be used as a shared library (libclamav), so other programs can call the scanner directly rather than through the command line.

Avira

Another strong antivirus for Linux is Avira Free Antivirus, which offers configurable extensions that give you control over what is scanned. Its features include a simple script-based installer, a command-line scanner, automatic updates (product, engine and VDF signature files) and a self-integrity check.

AVG Free Antivirus

With over one billion users by its own count, AVG is a competent antivirus for Linux machines. The free version offers fewer features than the paid version, and AVG for Linux currently has no graphical interface. It provides antivirus and anti-spyware scanning, runs quickly, uses minimal system resources, and supports mainstream distributions such as Debian, Ubuntu, Red Hat and CentOS, as well as FreeBSD.

VPN

OpenVPN

OpenVPN is a user-space (application-layer) VPN implementation built on the OpenSSL library. Compared with traditional IPsec VPNs, its main advantage is ease of use.