Flexible customization of subnet security starts from the entrance

At present, enterprises with large scale and many functional departments are generally divided during LAN deploymentSubnet. Merge different functional departments into one subnet and customize different policies to facilitate different production and security needs. The biggest benefit of this differentiation management is flexibility and adaptability to different environments and needs. After dividing the network security, you should start from the entrance of each subnet, plan, formulate policies, and deploy them. With flexible customization, administrators can prevent threats from being attacked to the maximum extent.

Recently, I deployedLan, The subnet is divided according to different departments, and different network access and itsSecure Access Policy. Next we will write down the relevant policies and solutions to help you. However, before the introduction, we should first make a brief analysis on the various subnet security policies to facilitate our selection as needed.

　　I. Security Policy

　1. IP subnet Policy

When designing a network, we usually divide different business departments into different VLANs and map VLANs to different IP subnets. Therefore, the IP subnet policy is applicable to scenarios with low security requirements, network Design with high demands for mobility and simple management. The following command is usually used to set an IP subnet policy VLAN:

Vlan 1 ip address 192.168.10.0 255.255.255.0

When the IP address of the user terminal is set to 192.168.10. *, the terminal automatically enters VLAN 1. This subnet policy has certain security, because to enter the IP subnet VLAN, you must know which IP subnets are defined in the switch.

　　2. MAC address policy

The MAC address policy requires us to first configure the MAC address of the terminal that belongs to the VLAN to the switch. Only terminals that meet our preset MAC address can enter the VLAN. MAC address VLAN is more secure than IP subnet VLAN, but the configuration workload is relatively large. This policy is suitable for network design with high security and mobility requirements. The MAC address VLAN is usually set using the following command:

Vlan 1 mac 01: 01: 01: 02: 02: 02

　　3. IP/MAC binding policy

The IP/MAC binding policy requires us to configure the IP/MAC address of the terminal that belongs to the VLAN to the switch in advance. Only the terminal that complies with our preset IP/MAC address can enter the VLAN. The IP/MAC address VLAN is more secure than the mac vlan. It is suitable for network design with high security and mobility requirements and few VLAN users.

Another function of binding an IP/mac vlan is to prohibit users that comply with the policy from modifying the IP or MAC. Changes to the IP/MAC will lose the matching of the VLAN policy, this terminal is therefore placed in an isolated VLAN. To bind a VLAN to an IP address or MAC address, run the following command:

Vlan 1 binding mac-ip 00: 00: 39: 59: 0a: 0c 21.0.0.10

When the IP address of the user terminal is set to 21.0.0.10 and MAC to 00: 00: 39: 59: 0a: 0c, the terminal automatically enters VLAN 1. This subnet policy is more secure, because to enter the IP/MAC subnet VLAN, you must know whether the IP/mac vlan policy is defined in the switch and at least one defined IP/MAC address is required.

4. User Authentication Policy

The biggest difference between user authentication VLAN and the above-mentioned rule VLAN is to check the legality of end users rather than the legality of the terminal itself, and more suitable for terminals shared by multiple users. A valid account is provided for end users. Different accounts correspond to different VLANs or determine whether the switch port is opened or closed. The user account determines which VLAN the terminal enters. Because it is user authentication, the implementation of this policy must introduce the user authentication server to complete the corresponding authentication and authorization work, which increases the complexity of network management.

This subnet policy requires that VLANs used for user authentication must obtain valid user accounts and be used for authentication by different users in public.

　　5. DHCP Policy

DHCP is the protocol for the terminal to automatically obtain the IP address, which is very convenient for visitors. By defining DHCP for a VLAN, the visitor can automatically obtain the IP address and access the corresponding visitor VLAN. The following command is usually used to set a DHCP policy VLAN:

Vlan 1 dhcp port 3/1-24

When the IP address of a user terminal is set to automatically obtained, the terminal automatically enters VLAN 1 and obtains the corresponding IP address. This subnet policy is applicable to scenarios without special security requirements. It facilitates the flexible access of visitors and ensures the security isolation of the enterprise intranet.

　　II. Specific deployment

1. Design Planning

The company is a machine manufacturing plant with a large scale and many departments, including engineering, sales, finance, leadership, and visitors, during network planning and design, we adopt different VLAN policies based on different department requirements for network security, makes the entire network the most unified in terms of security, flexibility, ease of use and ease of management. The specific subnet division and planning are as follows:

We divide the Enterprise into four subnets with the following security levels:

Finance Department: high security and fixed ports

Administration Department: high security level and mobile requirements

Business Department (engineering, sales): General Security Level and mobile requirements:

Temporary Department (guest): low security level, restricted access

When the MAC address of the user terminal is set to 01: 01: 01: 02: 02: 02, the terminal automatically enters VLAN 1. This subnet policy is more secure than the first one, because to enter the MAC subnet VLAN, you must know whether the mac vlan policy is defined in the switch and at least one defined MAC address.

2. Specific deployment

Finance Department

For the financial department, secure access is the first requirement. We strictly control the access methods and locations of users and terminals connected to the financial department. Here we adopt VLAN access design with fixed ports. Assign a fixed interface on the switch to the Finance Department. Only these ports belong to VLAN1 (VLAN of the finance department). This avoids the security risks of other department personnel entering the finance department from other ports; users who receive network interfaces from financial departments also use authentication to authenticate their identities. In this way, even if a user has received network interfaces from financial departments through some means, because there is no valid identity account, the connected network port will always be closed, thus ensuring the access security of the financial department.

Administrative Department

The leader VLAN is very important in the enterprise because the leader VLAN has a high priority and access permissions. At the same time, due to the particularity of the leader, in our network access security design, we should not only consider the security of this VLAN, but also consider the convenience of access by leaders. In the network VLAN design, except for the fixed allocation of access ports of the financial department, all other network interfaces are set with "mobile", so that users can access any port other than the finance department, all vswitches can allocate VLANs based on the features of the terminal and the preset VLAN policies of the vswitch. For leaders, we use the ip-mac binding method. No matter which network interface the leader accesses the network, the switch directly divides it into corresponding VLANs through ip-mac learning; because other users are allocated to isolated VLANs when accessing the network, they still cannot obtain the leading ip-mac even through the scanning technology. Therefore, the leading VLAN is highly secure.

Business Department

For the VLAN design of the Sales Department and Engineering Department, we can adopt the ip subnet mode. Different departments automatically enter the corresponding VLAN according to the ip subnet policy due to their different ip addresses.

Temporary Department

Due to the temporary nature of visitors and temporary departments, we have adopted the DHCP address automatic allocation and ip subnet policy in the VLAN design. We have enabled the DHCP policy for all network interfaces except the finance department; when the interface receives the DHCP data request packet, the packet is automatically allocated to the temporary VLAN to obtain the IP address that matches the packet. When the visitor obtains the IP address of the corresponding Temporary VLAN, through the ip subnet policy, the visitor terminal automatically enters the temporary VLAN. This design ensures that visitors can access the Internet from any port of the network and is effectively isolated from Intranet users. For a temporary VLAN, we use the ACL access control policy to strictly restrict its access to resources and applications. For example, we only allow internet browsing and mail sending and receiving.

　　Summary:

I have seen some enterprise LAN, which are also divided into subnets, but often each subnet adopts the same security policy. Although this uniform approach is convenient, it cannot meet the specific needs of various departments of the enterprise. Generally, the network administrator is exhausted due to different requirements of clients in different subnets. Therefore, according to the specific needs of the enterprise, the flexible customization of subnet security and access policies not only satisfies the enterprise's needs, but also greatly frees the network administrator himself. Why not?