Firewall and vswitch combination for easy Intranet/Internet isolation

Firewalls and switches are still commonly used. What will happen to the cooperation between the two? I would like to share it with you here and hope it will be useful to you. With the maturity and rapid development of network and Internet technologies, more and more enterprises and institutions have begun to set up networks to automate office work and share Internet information. However, security issues have also emerged. iMaxNetworks (memory network company) proposed a solution based on the characteristics of E-government networks to achieve Intranet/Internet isolation by combining switches, firewalls, and switches.

Solution 1: firewalls and switches implement physical isolation between the Intranet and the Internet

The network system is composed of two relatively independent and interrelated parts: the internal LAN and the external internet. Both use a star topology and a m Switched Fast Ethernet technology. There is no physical connection between the Intranet and the external network. As a result, intruders from the Internet cannot access the Intranet from the external network through a computer, which guarantees the security of important data on the Intranet most effectively, intranet and Internet are physically isolated.

The imaxnetworks terminal provides a cost-effective physical isolation function between the Intranet and the Internet. It switches between the Intranet and the Internet through physical switches, and physically information terminals are connected to only one network, therefore, hackers cannot intrude into another network even if they intrude into one network. To establish an Intranet/Internet isolation solution, you must install at least one terminal server on both the Intranet and the Internet.

Solution 2: Firewall and switch are combined to implement Intranet/Internet isolation

VLAN isolation Intranet and Internet: e-government networks have a variety of services. To achieve unified interconnection between multiple networks and ensure the security of each network, in addition to data leakage and tampering at the application layer by means of encryption and signature, VLAN technology is used on the LAN firewall and switch, place devices of different service networks in different VLANs for physical isolation to completely avoid unnecessary mutual access between networks. VLAN-based VLAN (IEEE 802.1Q) is the most mature and secure technology. Firewall access control guarantee.

Core network security: to simplify network construction and avoid complicated management by using too many devices, thus reducing network security, you can place a high-speed firewall through which, security Control and filtering are performed on all inbound and outbound data packets to ensure the security of the access core. In addition, to ensure the security of business hosts and data, no uncontrollable mutual access between office networks and business networks is allowed, an ACL should be set in the firewall and switch for VLAN division. Encrypted data transmission: Data Encryption is required for data transmission and interconnection through the public network (broadband MAN). Stronger encryption algorithms can be considered when encrypting key services.

Set the DMZ area for external access: for external network access, the security policy that must be adopted is to reject all special rules. That is, all external access is considered insecure by default and must be rejected completely. Only some specially authenticated and permitted access can be made to the network. The interconnection with the network center and other internal LAN uses a ceasefire zone (DMZ), and sets a centralized authentication point for security authentication on access users. The authentication and related servers are located in the ceasefire zone, services are exchanged through the proxy server, and external networks are not allowed to directly access the internal system.