Many educational institutions keep two or more Internet exits at the same time to ensure network access speed: one links to the Internet through the education network, and another is a telecommunications line, applied for separately, that connects directly to the Internet, among other access modes. In such a multi-exit environment, bandwidth is used best when some terminals leave through the education network exit and the others leave through the telecommunications line, so that existing bandwidth resources are fully used and none is wasted. The traditional network security solution for this kind of network is to install a firewall at each exit, because ordinary routing technology selects a route based only on the destination address, and while a destination address on the Internet is unique, the source addresses of the hosts accessing it differ. The Topsec Network Defender Firewall 4000 selects routes based on both the source address and the destination address of the traffic. This source-and-destination dual-address routing technology adapts well to environments with multiple network exits, and thus greatly reduces the cost of network security construction.
To make this easier to understand, consider an example. As shown in the following illustration, the education internal network is connected to the firewall's eth2 port through the central switch, the firewall's eth1 port connects to the telecommunications gateway, and the eth0 port connects to the education network gateway. The internal network is divided into several VLANs, whose gateway is the central layer-3 switch; the gateway of the central switch is the firewall. The internal network accesses the Internet through the firewall: it can connect to the Chinese education network through the education network gateway 64.10.6.5, and the Chinese education network connects to the Internet. It can also connect to the Internet through the telecommunications gateway 202.10.1.2.
Because the destination addresses on the Internet are the same for all internal hosts, and a firewall usually has only one default gateway, an ordinary firewall can use only one exit to connect to the Internet. Routing on the source address as well solves this problem. We can specify that the office network 172.16.0.0/16 connects to the Internet through the education gateway 61.10.6.4, while the internal student network 10.0.0.0/8 goes directly to the Internet through the telecommunications gateway 202.10.1.2. When packets from the intranet pass through the central switch and reach the firewall, the firewall matches the source address and destination address of each packet against its routing table and decides the packet's next-hop gateway. When both networks browse the same www.topsec.com.cn web site, the firewall forwards packets for access initiated by the student network to the education gateway, and packets for access initiated by the office network to the telecommunications gateway. This ensures full use of network resources. The firewall's source-and-destination dual-address routing function has one more feature: the firewall's routing table contains no source-address route for the firewall's own interfaces. The firewall can bridge the internal network and the Internet, that is, it provides the intranet with access to the Internet, while the Internet cannot access the firewall itself. This is also a good measure for protecting the firewall itself.
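The lookup described above can be modelled in a few lines. This is an added example, not the firewall's own code or configuration syntax: it uses the office-to-education (61.10.6.4) and student-to-telecom (202.10.1.2) assignment from the text, while the firewall interface addresses, the web site address and the tie-break rule (most specific source prefix, then destination prefix) are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    src: ipaddress.IPv4Network   # source prefix the packet must come from
    dst: ipaddress.IPv4Network   # destination prefix the packet must go to
    gateway: str                 # next-hop gateway
    iface: str                   # outgoing firewall port

def route(src, dst, gateway, iface):
    """Build one source+destination route entry."""
    return Route(ipaddress.ip_network(src), ipaddress.ip_network(dst), gateway, iface)

# Dual-address table: same destination (anywhere), different exit per source network.
ROUTES = [
    route("172.16.0.0/16", "0.0.0.0/0", "61.10.6.4", "eth0"),   # office -> education gateway
    route("10.0.0.0/8", "0.0.0.0/0", "202.10.1.2", "eth1"),     # students -> telecom gateway
]

# Constructed sample values (not from the article): firewall port addresses, web site IP.
FIREWALL_ADDRS = ["61.10.6.1", "202.10.1.1", "192.168.255.1"]
WEB_SITE = "203.0.113.10"

def next_hop(table, src_ip, dst_ip) -> Optional[Route]:
    """Return the best route whose source AND destination prefixes both match."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [r for r in table if src in r.src and dst in r.dst]
    if not matches:
        return None  # no source route for this sender: nothing is forwarded
    # Assumed tie-break: longest source prefix first, then longest destination prefix.
    return max(matches, key=lambda r: (r.src.prefixlen, r.dst.prefixlen))

def self_sourced_matches(table, firewall_addrs, dst_ip):
    """Audit: firewall addresses that the table would route. Should be empty."""
    return [a for a in firewall_addrs if next_hop(table, a, dst_ip) is not None]

if __name__ == "__main__":
    for sender in ["172.16.5.20", "10.3.4.5", "202.10.1.1"]:
        hop = next_hop(ROUTES, sender, WEB_SITE)
        print(sender, "->", f"{hop.gateway} via {hop.iface}" if hop else "no route")
    print("firewall addresses with a route:", self_sourced_matches(ROUTES, FIREWALL_ADDRS, WEB_SITE))
```

Running the audit function after every routing change confirms that no broad source prefix has started to cover one of the firewall's own interface addresses.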