The Cybersecurity Protection System is the fundamental national policy, system, and method in China's cybersecurity field, and it plays a crucial role in ensuring cybersecurity. Network operators in all industries and regions shall, in accordance with the requirements of the Cybersecurity Protection System and the law, carry out network grading, record filing, security construction and rectification, level assessment, self-inspection, and related work. The formal release and implementation of GB/T 22239-2019 "Information Security Technology - Basic Requirements for Cybersecurity Protection System" marks the entry of China's cybersecurity protection system into the 2.0 era.
"New Infrastructure" is one of the key terms in the macro policy field in 2020. It refers to technology-based infrastructure construction, primarily covering seven fields: 5G infrastructure, ultra-high voltage, intercity high-speed rail and urban rail transit, new energy vehicle charging stations, data centers, artificial intelligence, and industrial internet. The IDC (Internet Data Center) serves as the infrastructure and support for other "new infrastructure" such as 5G, industrial internet, big data, and artificial intelligence. To provide high-bandwidth, high-quality, and high-security hosting services, the security of the IDC backbone network system is of paramount importance. According to the "Management Measures for the Protection of Information Security Grades," the basic network must not be classified as Grade Three, and it must not be lower than the level of the information systems it carries. Therefore, the IDC backbone network needs to strictly implement the regional network security protection system and carry out Grade Three protection construction for network security.

Design of Security Technical Measures
The security system design for the IDC backbone network mainly covers "one center and triple protection": the Security Management Center, the Secure Communication Network, the Secure Zone Boundary, and the Secure Computing Environment.
Key Design Points for Secure Communication Network
Provide hardware redundancy for communication lines, critical network equipment, and key computing equipment, and use bandwidth management devices to ensure system availability.
Deploy firewalls between critical network zones and other network areas to provide reliable security isolation.
Key Design Points for Secure Zone Boundary
Deploy next-generation firewalls to implement access control, based on application protocols and content, for data streams entering and exiting the network.
Deploy anti-DDoS systems, intrusion detection systems, traffic analysis systems, etc., at critical network nodes to detect, analyze, alert on, and prevent network attacks initiated from external or internal sources, particularly new types of cyber attacks.
Key Design Points for Secure Computing Environment
Deploy bastion hosts (operation and maintenance auditing) to centrally audit critical user actions and important security events.
Key Design Points for Security Management Center
Define separate management roles, and implement centralized identity authentication, access authorization, and operation auditing through a bastion host.
Deploy vulnerability scanning to promptly discover vulnerabilities in the various systems.