Friday, June 8, 2018

[Document Centralization - Together with Mr. Yoo] Ep4. Simple and low cost network separation of mcloudoc against malicious codes!




More Information : www.mcloudoc.com

#1
Hello, I am here in Shenzhen, China next to Hong Kong. The China Information and Telecommunications Expo is being held today, and we are here to promote our products. Today's topic is the network separation function. The network separation function is necessary to prevent malicious code from destroying systems and leaking information from the military, government agencies, communication companies, power plants, etc. Today, I will introduce a function that can prevent the leakage of information by installing the software on your PC through mcloudoc functions. I will see you at the expo in a bit!

#2
The leakage of private information from various institutions has been continuing. As a result, the government does not allow business PCs, which are used for important tasks, to be connected to the Internet. But a work environment without Internet is hard to imagine. Thus, they provide two or more PCs to each person so one is connected to the Internet, and the other is disconnected from the Internet. There are three main types of existing network separation environments. The first is to provide two PCs to one employee. One is connected to the Internet, and the other is blocked. This is called physical network separation. The second one is server-based computing providing a VDI environment. Usually you use the Internet on a physical PC, and you do not use the Internet on a virtual machine PC in VDI. The third one is client-based computing providing a virtual machine environment within the physical PC. The first and second methods are not easy to introduce because of the high introductory cost and the ongoing maintenance costs. And the third method seems to not be well suited to the market due to stability problems.

#3
The reason for the high cost structure of the existing network separation solutions is that at least two PC environments should be provided to all employees, so the network must be designed in a dual structure, and a network data exchange system must be provided. The Incheon Metropolitan City Office of Education did not follow the generalized network separation practices and seriously considered the original purpose of preventing information leakage by malicious codes. The Incheon Metropolitan City Office of Education proposed to us how to block information leakage by malicious code simply by installing software on a PC while using the existing business environment. We quickly implemented that concept and applied it to the Incheon Metropolitan City Office of Education.

#4
First, the administrator divides the IP address into the Intranet and the Internet. Some sites such as banks, National Tax Service, and government agencies may be included as Intranet if necessary. The mcloudoc central drive is only connected to the Intranet mode and not visible in Internet mode. Internet connection is blocked in Intranet mode and Intranet connection is blocked in Internet mode. The exchange of data between the Intranet and the Internet uses a function called Document Export Secure Disk. In Intranet mode, the export of a central document requires approval. Documents saved on the exported disk in the Internet mode can be viewed in the Internet mode. In this way, it provides an excellent network separation environment without changing the network environment and without a network data exchange system. In this environment, even if your PC is infected with malicious code on the Internet in the Internet mode, this malicious code cannot leak information outside.
  
#5
And to show you, I included Google as an Intranet site, on the Internal mode. Let me connect. It is well connected. Now I will go to the Internet mode.
The Central Drive is gone. Let's connect to the Internet site, Facebook. It is well connected. Let's connect to the in-house calendar site. It doesn’t work. And the Document Export Secure Disk shown here can be used to exchange data between Internet and Intranet by using it in both modes.

There are some precautions when an administrator sets up the list of IP bands for Intranet mode and Internet mode. First, this is for Intranet mode. In the Intranet mode, it is necessary to confirm that all the required servers including the DNS server, groupware server, and remote support site are included in the allowed IP band. The list of allowed servers can be set up in comparison with the mcloudoc basic policy to reduce trial and error. And in Intranet mode, there are exceptions that allow multiple Internet sites for specific purposes. If you need to add more sites continuously because there are too many, it is better to affiliate. And if you have a single site but need to use more domains and IP addresses internally, we recommend that you also join it with the Intranet mode.

Then let’s look at the precautions in the Internet mode. In Internet mode, you need a DNS or Windows update server. You need to check if the connection is blocked.
And since you may need some Intranet services on Internet mode, you should also make a careful comparison with the mcloudoc basic policy to set it up and help reduce trial and error.

#6
There are precautions when setting the IP band for Intranet and Internet mode. If you need a DNS server, groupware server, and remote support site in the allowed IP band in Intranet mode in your work, you need to make sure these servers are included. You can reduce the trial and error by setting the list of servers to allow in line with the mcloudoc basic policy that we provide. And, in some cases, employees may request additional servers that are needed in Intranet mode. First, it is recommended not to include them if there will be more of these sites. Second, we recommend that you do not add to the Internet mode if you have one site but need to add a lot of IPs with it, or if you need to add another domain name other than the site name.

#7
These are the precautions for Internet mode, and it’s the same for Internet mode. DNS servers and Windows update servers are also required. If it is blocked because it is an Intranet IP address, you will need to allow it. If you use the policy settings provided by mcloudoc even in Internet mode, you can easily set the policy without error.
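
The precautions above can be checked before a policy is rolled out. The following is an added example, not mcloudoc code or its policy format: it models the two modes as described (Intranet mode reaches only the Intranet IP bands, Internet mode reaches everything else plus explicit exceptions) and reports which required servers a draft policy would cut off. All addresses, server names and the exception list are constructed assumptions.

```python
import ipaddress

# Constructed sample policy; addresses are private/documentation ranges.
INTRANET_NETS = ["10.10.0.0/16", "192.0.2.0/24"]   # admin's "Intranet" IP bands
INTERNET_MODE_EXCEPTIONS = ["10.10.0.53/32"]        # Intranet IPs still allowed in Internet mode

# Servers each mode depends on (hypothetical names and addresses).
REQUIRED = {
    "intranet": {"dns": "10.10.0.53", "groupware": "10.10.20.5",
                 "remote-support": "203.0.113.40"},
    "internet": {"dns": "10.10.0.53", "windows-update": "10.10.30.8"},
}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def is_allowed(mode, ip, intranet=INTRANET_NETS, exceptions=INTERNET_MODE_EXCEPTIONS):
    """Intranet mode reaches only Intranet bands; Internet mode reaches
    everything except Intranet bands, unless explicitly excepted."""
    inside = _in_any(ip, intranet)
    if mode == "intranet":
        return inside
    if mode == "internet":
        return (not inside) or _in_any(ip, exceptions)
    raise ValueError(f"unknown mode: {mode}")

def blocked_required(required=REQUIRED, **policy):
    """Return {mode: [service names the policy would cut off]}."""
    return {mode: sorted(name for name, ip in servers.items()
                         if not is_allowed(mode, ip, **policy))
            for mode, servers in required.items()}

if __name__ == "__main__":
    for mode, missing in blocked_required().items():
        print(mode, "blocked required services:", missing or "none")
```

With the sample data, the remote support site is missing from the Intranet bands and the Windows update server sits on an Intranet IP without an Internet-mode exception, so both are reported.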

#8
The Privacy Act stipulates that the Internet must be controlled when using a personal information processing system. NetworkLock can be operated under this condition. NetworkLock can control the use of the Internet in the Intranet mode for personal information processors even when the network is not completely separated between the Intranet and the Internet. And NetworkLock can set different network control policies according to each person's job. For each user, you can assign a server access permission or an internet site access permission differently. However, NetworkLock is not a condition for privacy authentication; it also requires additional security solutions such as firewalls, antivirus, network access control, and DB access control.

#9
The first effect is to prevent malicious code infection, and the second is to prevent information from being leaked by malicious code. Infection with malicious code causes problems such as inconvenience or data loss. However, the leakage of information by malicious code causes a bigger problem. Our precious information is leaked to the enemy, and it brings a terrible result that can be economically or militarily irreversible.

Therefore, information leakage by malicious code is a much bigger problem than malicious code infection. However, a number of local governments requiring network separation are not able to separate networks due to cost problems. NetworkLock provides the most effective way to prevent the leakage of information by this malicious code, and does so at a low cost.

#10

I have just explained NetworkLock, our network separation function. Now, I hope that our information communications network act reflects these latest technologies. If security is applied through differentiating by task, an effective information leak prevention environment can be established.

So here is my question today.
"What are the advantages and disadvantages of NetworkLock as a network separation function?". Please leave a comment below the video.
Please subscribe to mcloudoc today and I’d appreciate it if you click like.
Let me finish up here. See you in the next video.

Resources (Blog)
- Download a ClouDoc document centralization solution brochure

- Download a mcloudoc document centralization cloud service brochure

- How ClouDoc responds to ransomware
(Chn)http://www.net-id.co.kr/renewal/download/Cloudoc_against_ransomware_chn_20171215.pdf
