How to improve the security operation and management maintenance of network interconnection system in enterprises

Source: Internet
Author: User

1.1 Scene Description

1.1.1 Learning Purposes

After completing this unit, you should be able to independently configure all the common technologies involved in securing an enterprise network.

1.1.2 Learning Requirements

Master: Configure the security management of network equipment.

Master: Configure access control lists.

Master: Configure secure routing protocols.

Master: Identity authentication and access mechanisms.

Master: Configure the Virtual private network.

1.1.3 Learning emphases and difficulties

1. Learning Focus

Configuring security management on routers and switches: the key point to explain is that the login password is not the privileged password, and how login authentication on a network device is achieved.

Configuring access control: understanding what line access is, and how to control authentication for different line accesses.

Configuring secure routing protocols: understanding how the various routing protocols communicate securely.

Configuring virtual private networks: mastering the method of configuring a site-to-site virtual private network.

Implementing authentication and network access control: mastering the various authentication methods and the situations in which each is used.

2. Learning Difficulties

Configuring access control: distinguishing between the uses of the various control techniques.

Secure routing protocols: understanding how the routing protocols communicate securely.

1.2 Knowledge Preparation

1.2.1 ACL overview

An Access Control List (ACL) is a list of instructions applied to router and switch interfaces that controls which packets enter and leave a port. ACLs can be applied to any routed protocol, such as IP, IPX or AppleTalk. The list consists of matching relations, conditions and query statements; it is simply a framework designed to control a particular type of access.

Communication between information points, and between the internal and external networks, is an essential business requirement of the enterprise network. To protect the intranet, however, it must be ensured that unauthorised users can reach only specific network resources, so that access is controlled. In short, ACLs are a technical means of filtering traffic in the network and controlling access to it.

ACLs are also defined per protocol. If a router interface is configured to support three protocols (IP, AppleTalk and IPX), the user must define three ACLs to control the packets of those three protocols separately.
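As an added example (not from the original page), the following Python model shows the ACL behaviour just described: a per-protocol, ordered list of conditions, evaluated top to bottom, where the first match decides and a packet matching no entry is dropped. The entry format, addresses and the sample ACL are constructed for illustration and do not follow any particular vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches any IP protocol; else "tcp", "udp", ...
    src: str                          # source network in CIDR form, e.g. "10.1.0.0/16"
    dst: str                          # destination network in CIDR form
    dst_port: Optional[int] = None    # None = any destination port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def entry_matches(e: AclEntry, p: Packet) -> bool:
    """True if every condition of the entry holds for the packet."""
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Constructed ACL: one workstation is blocked entirely, the rest of 10.1.0.0/16 may
# reach the web server on TCP port 80 only, and everything else is implicitly denied.
# Order matters: swapping the two entries would let the blocked host reach port 80.
INBOUND_ACL = [
    AclEntry("deny",   "ip",  "10.1.5.23/32", "0.0.0.0/0"),
    AclEntry("permit", "tcp", "10.1.0.0/16",  "192.168.100.10/32", 80),
]

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, Packet("tcp", "10.1.5.23", "192.168.100.10", 80)))  # deny
    print(evaluate(INBOUND_ACL, Packet("tcp", "10.1.7.4", "192.168.100.10", 80)))   # permit
    print(evaluate(INBOUND_ACL, Packet("tcp", "10.1.7.4", "192.168.100.10", 22)))   # deny
```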

1.2.2 RIP

As a distance-vector routing protocol, RIP uses distance vectors to determine the optimal path; specifically, it uses the hop count as the yardstick for measuring routing distance. The hop count is the number of relays a packet passes through from this node to the destination node, i.e. the number of routers a packet must traverse to reach the destination.

Each entry in the RIP routing table contains information such as the final destination address and the next hop on the path to the destination node. The next hop is the network node through which a message must pass to reach its destination: if the message cannot be delivered directly, this node sends it to a transit point, that transit point is called the next hop, and the forwarding step is called a hop.

If a router has two paths of unequal speed or bandwidth to the same destination but with the same hop count, RIP considers the two routes equidistant. RIP supports at most 15 hops, that is, at most 15 routers between the source and destination networks; a hop count of 16 means unreachable. RIP is therefore limited for larger networks that span more than 15 hops.

RIP exchanges routing information by broadcasting UDP packets (port 520). By default, a router broadcasts its own routing table every 30 seconds to the networks it is connected to, and a router receiving the broadcast adds the received information to its own routing table. Because every router broadcasts in this way, all routers on the network eventually learn all the routing information.

Each router that forwards broadcast routing information adds one to the hop count. If the broadcast information passes through multiple routers, the path with the lowest hop count is the one selected. If the preferred path fails, another path with the next-lowest hop count (the backup path) is used.
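As an added example (not from the original page), this Python function applies the distance-vector update rule described above to a constructed routing table: each advertised metric gains one hop, 16 means unreachable, a strictly shorter path replaces the current one, and a route refreshed by the neighbour that advertised it can rise to 16 so that a backup path takes over. Network and neighbour addresses are constructed sample values.

```python
from typing import Dict, Tuple

RIP_INFINITY = 16   # metric meaning "unreachable"; 15 is the largest usable hop count

# A routing table maps a destination network to (hop count, next hop).
RoutingTable = Dict[str, Tuple[int, str]]


def receive_update(table: RoutingTable, neighbor: str,
                   advertised: Dict[str, int]) -> RoutingTable:
    """Merge a neighbour's broadcast routing table into ours and return the result.

    advertised maps network -> metric as seen by the neighbour. Reaching the network
    through the neighbour costs one more hop, so each metric is incremented (capped
    at RIP_INFINITY). A route learned from this same neighbour is always refreshed,
    which is how it becomes unreachable when the neighbour loses it; any other route
    is replaced only by a strictly lower hop count, so equal-cost paths are not swapped.
    """
    new_table = dict(table)
    for network, metric in advertised.items():
        candidate = min(metric + 1, RIP_INFINITY)
        current = new_table.get(network)
        if current is None and candidate < RIP_INFINITY:
            new_table[network] = (candidate, neighbor)     # newly learned destination
        elif current is not None and current[1] == neighbor:
            new_table[network] = (candidate, neighbor)     # refresh from the same next hop
        elif current is not None and candidate < current[0]:
            new_table[network] = (candidate, neighbor)     # strictly shorter path wins
    return new_table


def reachable(table: RoutingTable, network: str) -> bool:
    """A destination is reachable only while its hop count is below 16."""
    return network in table and table[network][0] < RIP_INFINITY


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.0/8 is known at 3 hops via 192.168.1.2.
    table: RoutingTable = {"10.0.0.0/8": (3, "192.168.1.2")}
    # 192.168.1.3 advertises a 1-hop path (installed as 2 hops) and a network that is
    # already 15 hops away, which would become 16 and is therefore not installed.
    table = receive_update(table, "192.168.1.3", {"10.0.0.0/8": 1, "172.16.0.0/12": 15})
    print(table)
    # 192.168.1.3 loses the route: it is refreshed to 16 and becomes unreachable.
    table = receive_update(table, "192.168.1.3", {"10.0.0.0/8": 16})
    print(reachable(table, "10.0.0.0/8"))
    # The backup path via 192.168.1.2 is now installed.
    table = receive_update(table, "192.168.1.2", {"10.0.0.0/8": 1})
    print(table)
```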

1.2.3 OSPF

OSPF is an Interior Gateway Protocol (IGP) used for routing between routers belonging to a single autonomous system (AS). OSPF uses link-state technology: each router sends the other routers information about its directly connected links and the link information it has learned.

Each OSPF router maintains an identical database of the autonomous system's topology. From this database a shortest-path tree is constructed and used to compute the routing table. When the topology changes, OSPF recalculates paths quickly and generates only a small amount of routing protocol traffic. OSPF supports multiple equal-cost paths. Its area routing feature adds a level of routing protection and reduces routing protocol traffic. In addition, all OSPF routing protocol exchanges are validated.
