Learn about the basic configuration of the security router for SMEs (1)

Source: Internet
Author: User

Network security is a required course for small and medium-sized enterprise network management. The author has collected the experience of Qno Xianuo in supporting enterprise users across China for your reference. We start with the basic configuration, that is, how to configure the WAN and LAN sides of the router. The main purpose is to help small and medium-sized enterprises make good use of the router's functions at the planning stage, so that the network provides better services to internal users and improves business efficiency.

Based on the practical support experience of Qno's Technical Service Department, small and medium-sized enterprises need to pay special attention to three aspects when configuring a basic security router: the wide area network (WAN) end, the LAN end, and public servers. These three aspects are described as follows.

I. Wide Area Network end

The wide area network end is the line connecting the router to the Internet operator. WAN lines are also the main path for broadband access. Therefore, if a line drops or becomes congested, the enterprise's broadband access is interrupted! This can cause serious problems for some enterprises. The primary consideration of wide area network security is therefore how to keep the line stable and keep the enterprise operating under all circumstances.

Most small and medium-sized enterprises use single-line ADSL because they have few Internet users or limited funds. Enterprises that require a large amount of bandwidth or have high network requirements, such as those in the service industry or the foreign trade industry, may use optical fiber, which costs relatively more. Based on the experience of users supported by Qno, configuring multiple WAN lines is preferred in the following situations:

Occasional need for large uploads/downloads: As a result of informatization, many enterprises need to transfer large amounts of data from time to time. For example, a mineral trading company in Chengdu needs to upload sales reports and inventory data every day after work, which takes a lot of time. Another example is a private enterprise in Ningbo that often needs to download design drawings from foreign customers' servers for production. During these transfers, the network administrator generally does not want them to be affected by ordinary users' Internet access or downloads. The enterprise can therefore apply for two lines: normally both lines are open for general Internet use, but when special work is required, a specific line can be reserved for the large transfer so that important data is transmitted on time. With a multi-WAN configuration, the overtime the network administrator spends in the office waiting for data transmission can be greatly reduced!

Cross-network problems: A trading company of agricultural products in Jinan, Shandong Province often needs to establish a VPN connection with its headquarters in Beijing. For reasons that are not obvious, the connection is always unstable: it drops before the data has finished transmitting and has to be re-established. This may be caused by the instability of VPNs established across different carriers' networks. For example, the headquarters uses a China Netcom line while the branches use China Telecom lines, so cross-network bandwidth is insufficient and the connection becomes unstable. In this case, a multi-WAN router can also solve the problem. The headquarters connects to both China Netcom and China Telecom lines at the same time; remote sites on China Netcom lines establish their VPN through the China Netcom entrance, and remote sites on China Telecom lines establish theirs through the Telecom line, which solves the problem of low or unstable cross-network bandwidth.

When backup is required: Another advantage of multi-WAN lines is that they provide backup. A common situation is that some regional operators give fiber-optic users an additional ADSL line. In this case, the optical fiber can be paired with ADSL for backup: if the former fails, the ADSL line takes over. Some users want to use lines from different carriers. In this way, when a problem occurs in carrier A's line or data center, carrier B's line can take over. For some industries, such as the media industry, it is important to have Internet access at all times.

When ADSL bandwidth is insufficient: According to statistics, most broadband users in small and medium-sized enterprises use ADSL for Internet access. However, in some regions ADSL bandwidth is relatively small. For example, a 64 K/64 K line is obviously insufficient for enterprise applications, but applying for optical fiber is more expensive than several ADSL lines. In this case, using a multi-WAN router to aggregate multiple ADSL lines is a feasible and cost-effective method.

The wide area network is the only route by which an enterprise reaches the Internet, so it is crucial to the enterprise. According to a market survey conducted by Qno Xianuo, many enterprises are interested in wireless broadband access, such as 3G or WiMax, and hope to use wireless access as a supplement to wired access. This more or less reflects the importance enterprises attach to wide area network access and what they expect of it.

II. LAN end

The LAN end is the line that connects to the enterprise's users. Some routers have LAN ports and can be connected directly to switches. Some network administrators connect the router to a backbone switch and then to ordinary switches. Both methods can be used. The latter is suitable for applications with large throughput. For general enterprise applications, the router's own LAN ports can forward the required bandwidth, so the hardware configuration is relatively simple.

The experience of Qno's technical service personnel shows that IP address management is important for a well-secured network configuration. An IP address is the computer's address on the Internet, so you must be able to manage addresses effectively in order to prevent attacks or control problematic computers. For network management, IP management should pay attention to the following four important items: having computers use fixed IP addresses, having the DHCP server issue fixed IP addresses, preventing unauthorized computer access, and group management. They are described below:

The computer uses a fixed IP address: Having each computer use a fixed IP address is the strictest configuration method. It requires the IP address settings to be entered manually on the computer. The advantage is that the IP address of each machine must be specified in advance. A machine without a pre-assigned address cannot access the Internet, so outside users or computers cannot easily get online through the enterprise network. However, users must set the fixed IP address themselves and reset it when they work in other locations. This causes a lot of trouble for users who often need to move around, such as sales personnel or senior executives.

The DHCP server issues a fixed IP address: The advantage of a DHCP server is that users do not need to configure anything on the computer, which is more convenient for them. The disadvantage is that, without any control, any user can get onto the enterprise's network, which makes internal attacks easy to launch and leaves the network exposed to their impact. Therefore, an enterprise can issue IP addresses through DHCP while restricting which IP address each computer can obtain, so that addresses remain managed. The IP/MAC binding function of the Qno Xianuo router identifies a computer by its MAC address and issues the specific IP address the network administrator has configured for it, so that IP addresses can be managed. The IP/MAC binding function can also prevent users from changing their IP addresses to obtain higher permissions. Incorrect MAC/IP combinations are blocked by the router's "blocked wrong MAC address" function; this function can also prevent ARP attacks.
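
The binding check described above, sketched as an added example (it is not Qno's firmware logic or code from the original article): one table of MAC-to-IP bindings decides which address DHCP hands out and whether an observed MAC/IP pair is accepted. The class name, reason strings and the `block_unlisted` switch are assumptions, and the sample addresses are constructed.

```python
import ipaddress

def norm_mac(mac):
    """Normalise 'AA-BB-..', 'aa:bb:..' or 'aabb.ccdd..' to lowercase colon form."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class BindingTable:
    """Static IP/MAC bindings (hypothetical model, not router firmware)."""
    def __init__(self, bindings, block_unlisted=True):
        self.block_unlisted = block_unlisted  # assumed policy switch
        self.ip_by_mac, self.mac_by_ip = {}, {}
        for mac, ip in bindings:
            mac, ip = norm_mac(mac), str(ipaddress.ip_address(ip))
            if mac in self.ip_by_mac or ip in self.mac_by_ip:
                raise ValueError(f"duplicate binding: {mac} / {ip}")
            self.ip_by_mac[mac], self.mac_by_ip[ip] = ip, mac

    def lease_for(self, mac):
        """Address the DHCP server should hand this MAC, or None if unlisted."""
        return self.ip_by_mac.get(norm_mac(mac))

    def check(self, mac, ip):
        """Return (allowed, reason) for traffic from `mac` claiming `ip`."""
        mac, ip = norm_mac(mac), str(ipaddress.ip_address(ip))
        bound_ip, owner = self.ip_by_mac.get(mac), self.mac_by_ip.get(ip)
        if bound_ip == ip:
            return True, "match"
        if owner is not None:
            # A changed IP, or a host answering ARP for someone else's address.
            return False, "ip-bound-to-other-mac"
        if bound_ip is not None:
            return False, "listed-mac-on-unbound-ip"
        if self.block_unlisted:
            return False, "unlisted-mac"
        return True, "unlisted-allowed"

# Constructed sample bindings (locally administered MACs, private addresses).
TABLE = BindingTable([("02-00-00-00-00-0A", "192.168.1.10"),
                      ("02:00:00:00:00:0b", "192.168.1.20")])

if __name__ == "__main__":
    for mac, ip in [("02:00:00:00:00:0a", "192.168.1.10"),
                    ("02:00:00:00:00:0a", "192.168.1.20"),
                    ("02:00:00:00:00:ff", "192.168.1.10")]:
        print(mac, ip, TABLE.check(mac, ip))
```
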

