Whether or not a router configuration is secure is very important for small and medium-sized enterprises. Many people may not know the specific steps and methods of router configuration. That is not a problem: after reading this article you should come away with a good deal, and I hope it teaches you something new. Based on the practical support experience of Qno's Technical Service Department, small and medium-sized enterprises need to pay special attention to three aspects when configuring security routers: the wide area network (WAN) end, the LAN end, and the public server. These three aspects are described as follows.
I. Wide Area Network end
The WAN end is the line that connects the router to the Internet operator. The WAN line is also the main path for broadband access, so if a line drops or becomes congested, the enterprise's broadband access is interrupted. This can cause great problems for some enterprises. The primary consideration for WAN security is therefore how to keep the line stable and keep the enterprise operating under all circumstances.
Most small and medium-sized enterprises use single-line ADSL because they have few Internet users or limited funds. Enterprises that require a large amount of bandwidth or have high network requirements, such as those in the service industry or the foreign trade industry, may use optical fiber at a relatively high cost. Based on its experience in supporting users, Qno is more inclined to adopt a multi-WAN line configuration in the following situations.
When a large number of uploads/downloads are occasionally required: As a result of informatization, many enterprises need to perform large transfers from time to time. For example, a mineral trading company in Chengdu needs to upload sales reports and inventory data every day after work, which takes a lot of time. Another example is a private enterprise in Ningbo that often needs to download design drawings from foreign customers' servers for production. The network administrator generally does not want these transfers to be affected by the Internet access or downloads of general users. The enterprise can therefore apply for two lines: normally both lines are open for Internet use, but when special work is required, a specific line can be reserved for the large download tasks so that important data is transmitted on time. With a multi-WAN configuration, the time the network administrator spends working overtime in the office waiting for data transmission can be greatly reduced.
When there is a cross-network problem: A trading company in Jinan, Shandong Province often needs to establish a VPN connection with its headquarters in Beijing. For reasons that were not clear, the connection was always unstable: it dropped before the data had finished transmitting and had to be brought up again. This may be instability caused by establishing a VPN across different carriers. For example, if the headquarters uses a China Netcom line while the branches use China Telecom lines, cross-network bandwidth is insufficient and the connection drops. A multi-WAN router can solve this problem as well. The headquarters connects to both China Netcom and China Telecom lines at the same time, so that remote sites on China Netcom establish their VPN through the China Netcom entrance and remote sites on China Telecom establish theirs through the Telecom line. This resolves the small or unstable cross-network bandwidth.
When backup is required: Another advantage of multi-WAN lines is that they provide a backup function. A common situation is that some regional operators add an ADSL line for their fiber-optic users. In this case, the optical fiber can be paired with ADSL for backup: if the fiber fails, the ADSL line takes over. Some users want lines from different carriers, so that when a problem occurs in carrier A's line or data center, carrier B's line can take its place. For some industries, such as the media industry, it is important to have Internet access at all times.
When ADSL bandwidth is insufficient: According to statistics, most broadband users among small and medium-sized enterprises use ADSL for Internet access. In some regions, however, ADSL bandwidth is relatively small. For example, a 64 K/64 K line is obviously insufficient for enterprise applications, but applying for optical fiber is more expensive than several ADSL lines. In this case, using a multi-WAN router with multiple ADSL lines is a feasible and cost-effective method.
The WAN is the only route by which an enterprise reaches the Internet, so it is crucial to the enterprise's Internet access. According to a market survey conducted by Qno xiaonuo, many enterprises are interested in wireless broadband access such as 3G or WiMax, hoping to use wireless access as a supplement to wired access. This more or less reflects the importance enterprises attach to WAN access and their expectations of it.
II. LAN end
The LAN end is the line connecting the router to enterprise users on the local network. Some routers have LAN ports that can be connected to switches. Some network administrators connect the router to the backbone switch first and then to ordinary switches. Both methods can be used; the latter is suitable for applications with large throughput. For general enterprise applications, the router's own LAN ports can handle forwarding at the required bandwidth, so the hardware configuration is relatively simple.
The experience of Qno's technical service personnel shows that IP address management is important for a secure network configuration. The IP address is the computer's address on the Internet, so addresses must be managed effectively in order to prevent attacks or control problematic computers. For network administrators, IP management involves four important items: using fixed IP addresses on computers, issuing fixed IP addresses from the DHCP server, preventing unauthorized computers from gaining access, and group management. Each is described below.
The computer uses a fixed IP address: Having each computer use a fixed IP address is the most rigorous configuration method. The IP address data must be entered manually on each computer. The advantage is that the IP address of every machine must be specified in advance. A machine without a pre-assigned IP address cannot access the Internet, so external users or computers cannot easily reach the Internet through the enterprise network. For users, however, a fixed IP address must be set and then reset whenever they work somewhere else. This causes a lot of trouble for users who often need to move, such as business personnel or senior executives.
DHCP server issues fixed IP addresses: The advantage of a DHCP server is that users do not need to configure anything on the computer, which is more convenient for them. The disadvantage of DHCP is that, without any control, any user can join the enterprise's network, which makes it easy to launch internal attacks. An enterprise can therefore issue IP addresses through DHCP while limiting which IP address each computer can obtain. The IP/MAC binding function of the Qno xiaonuo router identifies the computer's MAC address and issues a specific IP address according to the network administrator's configuration, so that IP addresses remain managed. The IP/MAC binding function also prevents users from modifying their IP address to obtain higher permissions: incorrect MAC/IP combinations are blocked by the router's "Block incorrect MAC address" function, which can also prevent ARP attacks.
Prevent unauthorized computers from accessing the Internet: Uncontrolled computers often cause security problems for network administrators. Some users bring in their own virus-infected computers, and users on other floors may even join the company's network over wireless. This problem can be solved by preventing unauthorized computers from accessing the Internet. Qno's IP/MAC binding function provides a "Block MAC addresses not in the corresponding table" option, which completely blocks Internet access for MAC addresses that the network administrator has not configured.
IP/MAC binding function of Qno xiaonuo Router
The IP/MAC binding function of the Qno router lets the network administrator enter each user's IP address and MAC address so that the same fixed IP address is assigned to that user each time the DHCP service is used. In addition, the "Block incorrect MAC address" and "Block MAC addresses not in the corresponding table" features provide an additional layer of security protection.
Group management: Binding IP addresses to MAC addresses effectively controls use by outsiders. Beyond that, the group function makes managing users more convenient. For example, with the IP Group function provided by Qno, users with different IP addresses can be placed in different groups: senior supervisors in one group, the business department in another, and internal administrative staff in a third. Different control permissions or bandwidth management rules can then be applied to each group. This function greatly simplifies management and helps avoid network management oversights.
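The binding and blocking behaviour described above can be modelled in a few lines. This is an added example, not Qno firmware or configuration syntax: the table contents, function names and verdict strings are constructed for illustration. It shows why IP-based groups depend on the "Block incorrect MAC address" check.

```python
from dataclasses import dataclass

# Constructed sample data: MAC -> reserved IP, and IP -> group (not from a real device).
BINDINGS = {
    "02:00:00:00:00:01": "192.168.1.10",
    "02:00:00:00:00:02": "192.168.1.20",
    "02:00:00:00:00:03": "192.168.1.30",
}
GROUPS = {
    "192.168.1.10": "executives",
    "192.168.1.20": "sales",
    "192.168.1.30": "admin-staff",
}

@dataclass(frozen=True)
class Policy:
    block_wrong_mac: bool = True     # models "Block incorrect MAC address"
    block_unlisted_mac: bool = True  # models "Block MAC addresses not in the corresponding table"

def normalize_mac(mac):
    """Canonicalize separators and case so 02-00-00-00-00-01 matches the table."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def dhcp_offer(mac):
    """Return the reserved IP for a bound MAC, or None if the MAC has no binding."""
    return BINDINGS.get(normalize_mac(mac))

def check_host(ip, mac, policy=Policy()):
    """Return (verdict, group) for traffic seen from the pair (ip, mac)."""
    bound_ip = BINDINGS.get(normalize_mac(mac))
    ip_is_reserved = ip in BINDINGS.values()
    if bound_ip == ip:
        return ("allow", GROUPS.get(ip, "default"))
    # Bound MAC using another address, or any MAC claiming someone else's reserved IP.
    if (bound_ip is not None or ip_is_reserved) and policy.block_wrong_mac:
        return ("block-wrong-pair", None)
    # MAC the administrator never entered in the table.
    if bound_ip is None and policy.block_unlisted_mac:
        return ("block-unlisted", None)
    # With the checks off, group rules follow whatever IP the host claims.
    return ("allow", GROUPS.get(ip, "default"))

if __name__ == "__main__":
    print(check_host("192.168.1.20", "02-00-00-00-00-02"))
    print(check_host("192.168.1.10", "02:00:00:00:00:02"))
    print(check_host("192.168.1.10", "02:00:00:00:00:02", Policy(False, False)))
```

With both options disabled, the sales machine that sets its address to 192.168.1.10 is treated as a member of the executives group, which is the permission problem the binding is meant to prevent.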