Enterprise Internet access and firewall Construction


Author: Zhao Yang

We believe that over the next 10 years, the changes, expansion and improvement of communication networks will have a more profound impact on human life than any change in the communication industry since the last century. This is both a network revolution and a communication revolution, and in many respects it has only just begun. Internet applications have brought great convenience to people's lives and work. But how should an organization connect to the Internet, and how should it ensure its own security? This article focuses on firewall technology and, drawing on the author's practical experience, offers some initial views.

1. Why should we set up a firewall zone?

With the launch of e-commerce and e-government, more and more networks need to be connected to the Internet. Usually this means setting up hosts that provide public services on the Internet, such as a web server, an email server and an FTP server. However, if these hosts are simply connected to the Internet through a router alone, they become directly reachable by "hackers", who will do their best to compromise them.

A more reasonable practice is to isolate the servers that are provided to external users, using appropriate technology and equipment, so that they form a protected area, which we call the firewall zone (what is now commonly called a DMZ). This separates the intranet from the Internet. If an intruder has already penetrated the outer layer of the firewall, the firewall zone still provides an additional barrier between the attacker and the internal systems. So, first, the firewall zone strengthens the security of the organization's network.

Second, by establishing a firewall zone, we can effectively control how the internal network accesses the Internet, including traffic accounting and access control, and so manage both cost and the content that may be accessed as needed.

In addition, the firewall zone isolates the internal network's IP address range from that of the Internet, so the internal addressing is not constrained by Internet address assignments, which guarantees the independence and scalability of the internal network.

It is clear, then, how important it is to set up a firewall zone when an organization connects its systems to the Internet. An enterprise can go further and set up additional protected zones inside its network, that is, internal firewall zones.

2. Basic principles of firewalls

In a computer network, the system in the firewall zone that is directly connected to the Internet is called the firewall; it is connected to both the internal network and the Internet. A user who wants to reach the Internet from the internal network must first Telnet to the firewall and then connect onward to the Internet from there. The main function of the firewall is to prevent external users from directly accessing the internal network. Two kinds of firewall are currently in use: packet filters and proxies.

A filtering firewall refuses traffic from certain Internet addresses, so that only traffic that has passed the filter reaches the internal network; apart from the network functions it explicitly permits, an IP address filtering firewall blocks all others. The other kind is the proxy server: you log on to the firewall and from there access systems in the internal network, that is, the firewall itself makes the connection on your behalf.

2.1 IP address filtering firewall

In a packet-switched network such as the Internet, all information is divided into packets of a certain length, each carrying the sender's IP address and the recipient's IP address. A packet filtering firewall examines the IP addresses in every packet and filters packets according to the rules set by the system administrator. If the firewall marks an IP address as dangerous, all traffic from that address is blocked. This type of firewall is widely used; for example, the relevant national departments can use packet filtering firewalls to prevent domestic users from accessing "problematic" foreign sites.

A filtering firewall is an absolute filter: it stops others from reaching the internal network, but it does not tell you who entered your public systems or who went out to the Internet from the inside. This kind of firewall is generally quite secure and requires no user name or password to log on; it is fast and easy to maintain, and it usually forms the first line of defense. A packet filtering router, however, has obvious drawbacks. It normally keeps no record of user activity, so attacks cannot be traced from access records, and a pure packet filtering firewall is easier for hackers to defeat; they have accumulated a great deal of experience in this area. "Packet impact" is a common hacker technique: the attacker sends a series of packets at the packet filtering firewall in which the source IP addresses have been replaced by a sequence of consecutive addresses. Once one of these packets passes the firewall, the attacker can use that IP address to disguise the traffic he sends.
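As an added illustration (not code from the original article), the following Python models the kind of rule table a packet filtering firewall evaluates over the attributes the article mentions (arriving interface, source and destination address, protocol, port), with a first rule that drops packets arriving from the Internet carrying a forged internal or firewall-zone source address, the disguise the paragraph above describes. The address blocks follow section 5.3 of the article; the host numbers and the "ext"/"int" interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address blocks from the article (5.3.1); the host parts are constructed.
INTERNAL = ipaddress.ip_network("172.16.0.0/16")   # internal network
DMZ = ipaddress.ip_network("10.103.0.0/16")         # "169" firewall-zone segment
WEB = "10.103.1.2/32"                                # constructed web server address
MAIL = "10.103.1.3/32"                               # constructed mail server address


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    iface: Optional[str] = None   # None means "any" for every attribute
    src: Optional[str] = None     # CIDR block
    dst: Optional[str] = None     # CIDR block
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Rules are evaluated top to bottom; the first match decides.
RULES = [
    # Anti-spoofing: a packet from the Internet can never legitimately carry an
    # internal or firewall-zone source address, so drop it before anything else.
    Rule("drop", iface="ext", src=str(INTERNAL)),
    Rule("drop", iface="ext", src=str(DMZ)),
    # Public services in the firewall zone: web (HTTP) and mail (SMTP) only.
    Rule("accept", iface="ext", dst=WEB, proto="tcp", dport=80),
    Rule("accept", iface="ext", dst=MAIL, proto="tcp", dport=25),
    # Nothing from the Internet may reach the internal network directly.
    Rule("drop", iface="ext", dst=str(INTERNAL)),
    # Internal hosts may initiate connections outward.
    Rule("accept", iface="int", src=str(INTERNAL)),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"
```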

2.2 Proxy server

Where packet filtering acts only on the selected IP addresses, so that an IP packet is either forwarded unchanged or blocked, the proxy server completely unpacks the packet, analyses its function and re-encapsulates it. The best example is running Telnet from an internal host. The internal host first sends the IP request to the proxy server, the server analyses it and then generates a new request to the target site. Requests from the internal network cannot reach the target site without going through the proxy server, because IP packets are not automatically forwarded by the proxy server; the reverse direction works the same way. Thus, after the client software connects to the proxy server, the proxy server starts its own client-side proxy software and then returns the data. Because the proxy server relays all communication, it can record everything that takes place. As long as it is configured correctly, the proxy server is absolutely secure, which is what makes it the most desirable option: it blocks direct access by anyone, because there is no direct IP path and every address must be translated before it is sent.

As you can see, by setting up a firewall, employees within the organization can use email, browse the WWW and transfer files, while no outside party can reach any computer within the company; mutual access between different internal departments can also be disabled.

3. How to set up firewall servers

A first-level firewall is the external hub of the whole internal network and must be set up. It connects the organization's internal network to the network of the firewall zone. Hosts that provide services to the outside, such as the web server, email server, POP3 server and FTP server, can be placed on the firewall zone network. Some people ask: since these service hosts are intended for external users, why not place them outside the firewall rather than behind it under firewall control? The reasoning is simple. First, behind the firewall you can keep a record of every visitor to your servers for later tracing or statistical analysis. Second, you increase the security of the servers against hacker attacks: the firewall settings ensure that each server host provides only the services it should, and block all improper access and connections so that hackers cannot open a backdoor on the service host. This is why we build a firewall zone network to hold all externally facing service hosts.

According to actual needs, the organization can add firewall configurations to the networks of important departments with security concerns; these are the so-called internal (intranet) firewalls. Their functions are similar to those of the primary firewall, but because there are more of them, spread across the networks of various departments, the management rules and maintenance procedures should be defined so that administration does not become too difficult.

An organization that wants to build a secure network environment must, in addition to using firewalls, properly plan its architecture and formulate its security policies. Most important of all, it must thoroughly implement those policies; the firewall is one of the necessary and important tools for doing so. As the commercialization of the Internet becomes ever more apparent, the organization's network security plan becomes even more urgent. A good firewall plan must fully support the implementation of the security policies the organization has formulated, and a secure architecture then provides the organization with a convenient and secure network environment.

4. Firewall purchase policy

(1) Before selecting a firewall, you must first understand the basic capabilities of a firewall.

Firewalls generally have the following capabilities:

① In addition to advanced identification measures, the firewall should adopt as many technologies as possible, such as packet filtering, encryption and trusted information technology. At the same time it must provide identity identification and verification, confidentiality protection, integrity verification, system access control, authorization management and so on.

② The firewall's filtering language should be friendly and flexible, and it should support filtering attributes such as source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.

③ The firewall should faithfully enforce the organization's security policy, and flexibly accommodate new services and organizational changes that require the policy to change. The firewall should include a centralized SMTP access capability to simplify SMTP connections between local and remote systems and handle local e-mail centrally.

④ If a firewall requires an operating system such as UNIX, the security of the operating system version itself is an important consideration and should be regarded as part of the firewall. When other security tools are used, the integrity of the firewall host must be ensured and the system must be installed completely. The firewall and operating system should be kept up to date and should make it easy to resolve system faults.

(2) Before purchasing a firewall, carefully develop a security policy, that is, determine a thorough plan.

The security policy specifies who or what is allowed to connect. That is, you must first consider where the firewall is placed in the network so that it meets your needs, and determine the level of risk the firewall is allowed to accept.

(3) Economy should be considered on the basis of practicality and security.

5. Internet application instance

5.1 System design objectives

(1) First, establish and install a firewall using a programmable router as the packet filter. This is the most common network interconnection security structure in use today. The router selectively forwards or blocks packets based on the source/destination address or other packet header information.

(2) The basic method of establishing and installing the firewall is to install it on a dual-homed host that connects to the internal network. Both the internal network and the external network can reach this host, but the external network cannot communicate directly with hosts on the intranet.

(3) In addition, the firewall system provides external firewalling, internal auditing, and a billing system for charging purposes.

In practice, the firewall must be an integrated firewall combining IP traffic billing, traffic control, network management, user authentication and security control. The main functions of the system are to prevent external attacks, protect the internal network and resolve security issues at the network boundary. With the firewall isolating the internal and external networks, the access proxy function can be used to control IP addresses and ports.

5.2 Firewall zone structure

What we actually use is a firewall zone set up between the internal network and the Internet access network. The firewall zone consists of a Cisco 2501 router, an E-MAIL server, a Web server and a proxy server, connected to each other through a hub. External Internet users are allowed restricted access, and access to external websites from the internal network goes through the proxy server.

5.2.1 Filtering router

The Cisco 2501 connects to Chinanet (163) and Chinainfo (169, the domestic multimedia information network) through modems and DDN leased lines to reach the Internet. It is mainly used for filtering routing and Network Address Translation (NAT). Although each server in the firewall zone has both a 163 address and a 169 address, only the 169 address block is configured on the server network segment in the firewall zone. Thus every packet addressed to a server's 163 address (202.96.xx.xx) is translated into a packet carrying the corresponding 169 address (10.103.xx.xx). The 2501 router performs this task. In this way neither speed nor equipment is affected, and management is convenient.
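The static one-to-one translation the router performs, as an added Python model that is not part of the original article: public 163 addresses map to 169 firewall-zone addresses, the destination is rewritten on the way in and the source on the way out, and anything without a mapping is dropped rather than forwarded untranslated. The article gives only 202.96.xx.xx and 10.103.xx.xx, so the host numbers below are constructed.

```python
import ipaddress

# Static one-to-one NAT table held on the router: public "163" address -> "169"
# firewall-zone address. Host numbers are constructed for this example.
STATIC_NAT = {
    "202.96.0.2": "10.103.0.2",   # web server
    "202.96.0.3": "10.103.0.3",   # mail / DNS server
    "202.96.0.5": "10.103.0.5",   # proxy server (article: outbound address 202.96.xx.5)
}
INSIDE_TO_OUTSIDE = {inside: outside for outside, inside in STATIC_NAT.items()}
DMZ = ipaddress.ip_network("10.103.0.0/16")


def translate(src: str, dst: str, direction: str):
    """Return (src, dst) as the packet leaves the router, or None to drop it.

    "in":  Internet -> firewall zone; the public destination is rewritten to
           the server's 169 address.
    "out": firewall zone -> Internet; the 169 source is rewritten back to the
           server's public 163 address.
    Packets with no mapping are dropped, so 169 addresses never appear on the
    Internet side and unknown public addresses are never routed into the zone.
    """
    if direction == "in":
        inside = STATIC_NAT.get(dst)
        return None if inside is None else (src, inside)
    if direction == "out":
        if ipaddress.ip_address(src) not in DMZ:
            return None            # only firewall-zone hosts may leave directly
        outside = INSIDE_TO_OUTSIDE.get(src)
        return None if outside is None else (outside, dst)
    raise ValueError("direction must be 'in' or 'out'")
```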

5.2.2 Proxy server

5.2.2.1 Configuration and main functions

Proxy server configuration: PII / M memory / 6.4 GB hard disk 4 / 3C509 NIC 2 / Linux operating system. It is mainly used as the proxy server for internal network access to the Internet and is also the main firewall. Its outbound IP address is normally set to 202.96.xx.5, so that an attacker who intercepts that address attacks this server. In addition, this server also serves as the front page (cache) server: when the same website is accessed again from inside, the data can be supplied by the server itself, which increases speed and reduces cost.

5.2.2.2 Traffic control

For traffic statistics, traffic can be counted by IP address and by service type respectively, and inbound and outbound traffic to domestic and foreign destinations can be collected separately. Domestic and foreign subnet segments can be customized as needed, and different segments can have different access control and billing standards. Inbound traffic is traffic from the external network to an internal subnet; outbound traffic is traffic from an internal subnet to the external network. The IP firewall can separately count traffic from internal subnets to domestic and to foreign destinations, as well as inbound and outbound traffic between internal and external subnets. It supports statistics management through traffic logs, databases, statistics, computation, queries and reports, real-time monitoring and network connection status.

The firewall monitors the network status in real time and keeps historical records; administrators can view the network connection status in charts, monitor the traffic used by each user, and suspend a user's access for the current month as needed.

5.2.2.3 Main technologies

The main technologies include IP packet filtering, IP billing, IP-to-MAC address binding, RADIUS user authentication and authorization, host security and address translation.
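The per-user, per-direction, domestic/foreign accounting described in 5.2.2.2, as an added Python example that is not the article's billing software: flow records are classified against the internal network from 5.3.1, aggregated by direction and region and by service type, priced per region, and users over a monthly limit are listed for suspension. The domestic segments, service table, billing rates and flow records are all constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("172.16.0.0/16")   # internal network (article 5.3.1)
# Operator-defined domestic segments, service table and rates: constructed here.
DOMESTIC = [ipaddress.ip_network("202.96.0.0/16"), ipaddress.ip_network("10.103.0.0/16")]
SERVICES = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3"}   # service type by server port
RATE_PER_MB = {"domestic": 0.5, "foreign": 2.0}

# Constructed flow records: (src, dst, server_port, bytes)
FLOWS = [
    ("172.16.1.5", "202.96.9.1", 80, 3_000_000),    # user A -> domestic web
    ("198.51.100.4", "172.16.1.5", 80, 1_000_000),  # foreign web -> user A (inbound)
    ("172.16.1.5", "198.51.100.4", 80, 500_000),    # user A -> foreign web
    ("172.16.1.6", "202.96.9.2", 110, 200_000),     # user B -> domestic pop3
    ("203.0.113.7", "10.103.0.2", 80, 900_000),     # outside -> zone web server, no user
]


def classify(src, dst):
    """Return (user, direction, region), or None when no internal user is involved."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INTERNAL:
        user, direction, remote = src, "outbound", d
    elif d in INTERNAL:
        user, direction, remote = dst, "inbound", s
    else:
        return None
    region = "domestic" if any(remote in net for net in DOMESTIC) else "foreign"
    return user, direction, region


def account(flows):
    """Aggregate bytes per internal user by (direction, region) and by service type."""
    by_region = defaultdict(lambda: defaultdict(int))
    by_service = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes in flows:
        c = classify(src, dst)
        if c is None:
            continue                  # firewall-zone server traffic is billed to no user
        user, direction, region = c
        by_region[user][(direction, region)] += nbytes
        by_service[user][SERVICES.get(port, "other")] += nbytes
    return by_region, by_service


def monthly_charge(region_totals):
    """Both directions are charged, priced by the domestic/foreign rate."""
    charge = sum(n / 1_000_000 * RATE_PER_MB[region] for (_, region), n in region_totals.items())
    return round(charge, 2)


def users_to_suspend(by_region, limit):
    """Users whose charge for the month exceeds the limit, for the administrator to suspend."""
    return sorted(u for u, t in by_region.items() if monthly_charge(t) > limit)
```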

5.2.3 Other servers

5.2.3.1 Web server

Configuration: PII / MB memory / 6.4 GB hard disk 2 / 3C509 NIC 1 / Windows NT. It mainly stores the company homepage. To ensure access security and improve access speed, we also apply for 169 MB of storage space on the system, used mainly as a mirror of the homepage.

5.2.3.2 E-MAIL and DNS server

Configuration: PII / 256 MB memory / 6.4 GB hard disk 2 / 3C509 NIC 2 / Linux. Its main tasks are receiving external email, sending outgoing email and domain name resolution. It provides SMTP and POP3 services.

5.3 Installing the system

5.3.1 Network address allocation

Before installation, apply to the telecommunications department for a DDN leased line, and apply for 20 169 IP addresses (10.103.xx.xx) and 8 163 IP addresses (202.96.xx.xx). Then assign the IP addresses. Of the 163 addresses, three are used for the line and router and five for the servers. Of the 169 addresses, four are used for network connections, three for lines and routers, five are mapped to the public 163 IP addresses, and four 169 IP addresses are retained.

Our address block allocation is as follows:

The router, web server, email server and proxy server are each allocated one 163 address and one 169 address. These devices are connected through the same 169 network segment. We set up a virtual network segment for the 163 addresses, and the router is responsible for translating 163 network addresses to 169 addresses. The internal network uses addresses in 172.16.xx.xx. To connect the proxy server and mail server to the internal network, each of them is also assigned an internal network address.

5.3.2 System installation

A. Network connection

B. Install and debug the router and the operating system of each server

C. Set the NIC addresses according to the address allocation (note that the proxy server's 169 address should be set as the gateway address)

D. Install and debug the proxy server's billing software and front page (cache) software

E. Debug the web server

F. Install and debug the mail server and domain name resolution

5.4 Firewall system maintenance principles

Firewall management and maintenance is long-term, meticulous work. After appropriate professional training, staff must clearly understand the structure of the computer network system, including the firewall.

Conduct regular scans and inspections to detect problems in the system structure, and promptly eliminate them and restore service.

Ensure that the communication lines between system monitoring and the firewall are unobstructed, so that alarms can be raised and security issues repaired and handled, together with other installation information.

To keep the entire system in a quality-service state, the host systems must be monitored, managed and maintained around the clock.

6. Summary

Our current system implements basic security and daily traffic control, mainly including:

① Establishing a virtual address to effectively control external access and prevent external intrusion;

② Controlling bidirectional information flows and packets, and counting inbound and outbound traffic to control costs;

③ Hiding the internal IP addresses and the actual network structure through address translation;

④ Making it easy to provide VPN functions.

At present the system design cannot completely block attacks by experienced hackers, especially internal ones. The servers run Red Hat Linux; the system itself is not infected by common viruses, but it cannot filter them out, so workstations may still be attacked by viruses. Network security therefore needs further development in both technology and management.
