What network administrators must know: secure router configuration for SMEs

Source: Internet
Author: User
Network security has become a compulsory subject for the network administrators of small and medium-sized enterprises (SMEs). The author has collected Qno's experience supporting enterprise users throughout China for readers' reference. We start with the basic configuration, that is, how to configure the router's WAN and LAN sides, so that an SME can make full use of the router's functions when planning its network, provide internal users with better network services and improve business efficiency.

Drawing on the actual support experience of Qno Technical Services, an SME doing the basic configuration of a secure router needs to pay special attention to three aspects: the WAN side, the LAN side and public servers. These three aspects are described below.

One, WAN side

The WAN side is the link between the router and the network operator. The WAN line is the main path for broadband access, so if it drops or is congested, the enterprise's Internet access is interrupted. For some enterprises this is a serious problem. Therefore the primary security concern on the WAN side is how to keep the line stable and keep the enterprise operating under all circumstances.

Most SMEs, because they have few Internet users or limited funds, use a single ADSL line. Those that need more bandwidth or have higher network requirements, such as service or foreign-trade businesses, may use relatively costly fiber. Based on Qno's experience supporting users, the following situations are the ones most likely to call for multiple WAN lines:

Heavy uploads and downloads: With the spread of information systems, many enterprises need to transfer large amounts of data. For example, a mining and trading company in Chengdu has to upload sales reports and inventory data every day, which takes a long time. Another example is a private enterprise in Ningbo that often has to download design drawings from a foreign client's server for production planning. During such transfers the administrator generally does not want them slowed down by ordinary users' browsing or downloads, so two lines can be used: normally both lines are open to all users, but when the special job runs, one line is reserved for the bulk transfer so that important data is delivered on time. With a multi-WAN configuration, the overtime the administrator spends in the office waiting for a transfer to finish can be greatly reduced.

Unstable VPN connections: An agricultural products company in Jinan, Shandong often needs to establish a VPN to its headquarters in Beijing, but for unknown reasons the connection is very unstable: the data transfer is frequently not finished before the tunnel has to be re-established. The most likely cause is that the VPN crosses the networks of different operators, for example headquarters uses a Netcom line while the branch uses a Telecom line, and the bandwidth between the two carriers' networks is insufficient. A multi-WAN router can also solve this: headquarters connects to both a Netcom line and a Telecom line, branches on Netcom build their VPN to the Netcom line, and branches on Telecom build their VPN to the Telecom line, so the problem of small or unstable inter-carrier bandwidth is avoided.

Backup: Another advantage of multiple WAN lines is redundancy. A common situation is that some regional operators give fiber customers an additional ADSL line; the ADSL line can then back up the fiber and take over when the fiber fails. Some users prefer lines from different carriers, so that when one carrier's line or data center has a problem, the other carrier's line takes over. For industries such as media, which must be online at all times, this function is especially important.

Insufficient ADSL bandwidth: Most enterprises use ADSL; statistics show that the growth in SME broadband users is mainly ADSL users. However, in some regions the ADSL bandwidth offered is relatively small, for example a 64k/64k line, which is clearly insufficient for enterprise use, while fiber costs far more than several ADSL lines. In this case, using a multi-WAN router to aggregate several ADSL lines is a feasible and cost-effective approach.

Since the WAN side is the enterprise's only route to the Internet, it is crucial to its Internet access. Qno's market research shows that many companies currently express considerable interest in wireless broadband access such as 3G or WiMAX, hoping to use wireless access as a backup for wired access, which reflects how much attention enterprises pay to wide-area network access and what they expect from it.

Second, LAN side

The LAN side connects the enterprise's internal users. Some routers have their own LAN ports that can be connected to a switch; some administrators instead connect the router to a backbone switch, which then connects down to the access switches. Both methods work. The latter suits high-throughput applications; for general enterprise applications the router's own LAN ports provide enough forwarding bandwidth, so the hardware configuration is simpler.

Qno's technical service staff find that for a good secure network configuration, IP management is the top priority. An IP address is a computer's address on the network, so addresses must be managed effectively in order to prevent attacks or to control a problem computer. For the administrator, IP management mainly involves four items: computers using fixed IP addresses, the DHCP server issuing fixed IPs, preventing unauthorized computers from accessing the network, and group management. They are described separately below:

Computers use fixed IP addresses: This is the most rigorous configuration. It requires users to enter the IP address settings manually on each computer. The advantage is that every machine's IP must be specified in advance; without an assigned IP a computer cannot get online, so outside users or computers cannot easily access the corporate network (note that this only deters casual access: a visitor who knows or guesses the subnet can still configure a valid address by hand, so it should be combined with the IP/MAC binding described below). The disadvantage is that users have to set a fixed IP and then change it again when they work elsewhere, which is troublesome for users who move around frequently, such as sales staff or senior executives.

DHCP server issues fixed IPs: The advantage of a DHCP server is that users need no settings on their computers, which is more convenient for them. The disadvantage is that, without control, anyone who plugs in can join the enterprise network and can then easily launch attacks on internal hosts. So the better approach for enterprises is to issue IP addresses through DHCP but restrict which IP each computer may obtain. The IP/MAC binding function of Qno routers does this: according to the administrator's configuration, the router identifies the computer by its MAC address and issues it a specific IP, so that IPs can be managed. At the same time, IP/MAC binding prevents users from changing their IP to obtain higher privileges: a wrong MAC/IP combination is blocked by the router's "block wrong MAC address" option. This function also helps prevent ARP attacks. Keep in mind that a MAC address is easily changed by the user, so IP/MAC binding is an administrative control against accidental or casual misuse rather than strong authentication; a host can still impersonate a MAC listed in the table.

Preventing unauthorized computers from accessing the Internet: For the administrator, unmanaged computers are a frequent source of security problems. Some users bring in their own infected computers, and users on other floors may even join the company network through the wireless network. This can be addressed by blocking computers that are not permitted to access the Internet. In the Qno IP/MAC binding function, the "block MAC addresses not in the binding table" option ensures that a MAC address the administrator has not configured cannot access the Internet at all.

[Figure I: the IP/MAC binding page of the Qno router, image not reproduced]

Figure I: In the IP/MAC binding function of the Qno router, the administrator enters each user's IP and MAC address, so that when the DHCP service is used the same fixed IP is issued to that user every time. In addition, the "block wrong MAC address" and "block MAC addresses not in the binding table" options provide more advanced control and an extra layer of security.
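The decision logic behind the two options in Figure I is easy to model. The block below is an added example, not Qno firmware: it keeps a constructed binding table, hands out the fixed IP for a known MAC (or a pool address for an unknown MAC only when "block MAC addresses not in the binding table" is off), and classifies (MAC, IP) pairs seen on the LAN as allowed, "wrong MAC" (a bound host that changed its IP, or an unknown host squatting on a bound address, the ARP-spoofing case) or "unknown MAC". Hosts, addresses and the sample events are made up for the example.

```python
"""Model of DHCP IP/MAC binding with the "block wrong MAC" and "block unknown MAC" options.

Added example, not Qno's code. The binding table, address pool and events are constructed.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Constructed binding table: MAC -> fixed IP the administrator configured.
BINDINGS: Dict[str, str] = {
    "00:11:22:33:44:01": "192.168.1.10",  # sales laptop
    "00:11:22:33:44:02": "192.168.1.11",  # accounting desktop
    "00:11:22:33:44:03": "192.168.1.12",  # internal file server
}

# Constructed dynamic pool, used only when unknown MACs are allowed at all.
POOL_START = IPv4Address("192.168.1.100")
POOL_END = IPv4Address("192.168.1.199")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-33-44-01 and 00:11:... compare equal."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class BindingRouter:
    def __init__(self, bindings: Dict[str, str],
                 block_wrong_mac: bool = True, block_unknown_mac: bool = True) -> None:
        self.bindings = {normalize_mac(m): str(IPv4Address(ip)) for m, ip in bindings.items()}
        self.ip_owner = {ip: m for m, ip in self.bindings.items()}  # reverse lookup
        self.block_wrong_mac = block_wrong_mac
        self.block_unknown_mac = block_unknown_mac
        self.dynamic: Dict[str, str] = {}
        self._next_free = POOL_START

    def dhcp_offer(self, mac: str) -> Optional[str]:
        """IP offered to a DHCP client, or None when the client gets no lease."""
        mac = normalize_mac(mac)
        if mac in self.bindings:
            return self.bindings[mac]          # always the same fixed IP
        if self.block_unknown_mac:
            return None                        # not in the table: no lease
        if mac not in self.dynamic:            # stable pool address per unknown MAC
            if self._next_free > POOL_END:
                return None
            self.dynamic[mac] = str(self._next_free)
            self._next_free += 1
        return self.dynamic[mac]

    def admit(self, mac: str, ip: str) -> str:
        """Verdict for a (MAC, IP) pair observed on the LAN side."""
        mac = normalize_mac(mac)
        ip = str(IPv4Address(ip))
        bound = self.bindings.get(mac)
        if bound is not None:
            # Known host using an address other than its own: the user edited the IP.
            if ip != bound and self.block_wrong_mac:
                return "block-wrong-mac"
            return "allow"
        if self.block_unknown_mac:
            return "block-unknown-mac"
        # Unknown host claiming an address that belongs to a bound host (ARP spoofing).
        if ip in self.ip_owner and self.block_wrong_mac:
            return "block-wrong-mac"
        return "allow"

    def audit(self, events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
        return [(mac, ip, self.admit(mac, ip)) for mac, ip in events]


# Constructed observations, as a small ARP/DHCP log would show them.
EVENTS: List[Tuple[str, str]] = [
    ("00:11:22:33:44:01", "192.168.1.10"),   # bound laptop with its own address
    ("00:11:22:33:44:01", "192.168.1.12"),   # same laptop typed in the server's IP
    ("aa:bb:cc:dd:ee:ff", "192.168.1.12"),   # unknown host impersonating the server
    ("aa:bb:cc:dd:ee:ff", "192.168.1.150"),  # unknown host on a pool address
]

if __name__ == "__main__":
    strict = BindingRouter(BINDINGS)   # both block options on
    for mac, ip, verdict in strict.audit(EVENTS):
        print(f"{mac} {ip:15} {verdict}")
```

With both options on, only the first event is allowed; turning "block unknown MAC" off lets the unknown host get a pool address and pass with it, but the "wrong MAC" check still stops it from claiming the server's address. The model does not try to detect a forged MAC, because the router cannot either.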

Group management: Besides IP/MAC binding, which controls users effectively, appropriate use of group functions makes user management more convenient. For example, the IP Group feature provided by Qno allows users with different IPs to be placed in different groups, such as a group for business executives, a group for the sales department and a group for internal administrative staff. Each group is then subject to its own access controls or bandwidth management rules. This significantly simplifies management and avoids controls slipping through the cracks.

[Figure II: the IP Group page of the Qno router, image not reproduced]

Figure II: With the IP Group function, users with different IPs can be placed into named groups; managing the group applies comprehensive control in one step and avoids security holes caused by configuration omissions.

Third, building a public server internally

Previously, perhaps only larger enterprises set up public servers for external users to access. But the spread of information technology means that SMEs may also set up various public servers for external users, for example for drawing and file exchange, technical update information, report submission and payment.

To provide an open service, an enterprise must have a fixed address that Internet users can enter in their browser's address bar. The usual approach is to use a fixed IP address or a domain name, but for SMEs both are relatively expensive, with a higher monthly cost. Fortunately, DDNS lets enterprises use dynamic IPs: even with a dynamic IP obtained over ADSL, users can reach the server through a memorable domain name. Qno also provides a dynamic domain name (DDNS) service for enterprise users; it is in the final stage of testing and will be opened to Qno users soon.

The configuration of an internal public server is divided below according to need: having fixed public IPs with a fully isolated server, having fixed public IPs with one-to-one NAT, providing several public servers over DDNS, and providing a server with no fixed port over DDNS:

One or more fixed public IPs, highest security: If there are several fixed IPs and you want to isolate the server from the external network for the highest security, you can connect one or more servers to the hardware DMZ port of the Qno router. The server is then completely isolated: packets from external users never enter the intranet, giving the highest security. This is the safest configuration, but the author finds it is also the one administrators are least familiar with.

One or more fixed public IPs, internal server opened to the outside: Some applications want a server that both intranet and extranet users can reach easily. When fixed public IPs are available, the one-to-one NAT function maps the intranet server to a public IP: to extranet users the server looks like a public server, while to intranet users it looks like an ordinary intranet server. This configuration is very convenient and therefore popular, but because the server is not properly isolated, bandwidth limits or restrictive firewall rules must be configured to increase security.

Several public servers over DDNS, higher security requirement: Enterprises on ADSL often have no fixed IP and must apply for a dynamic domain name service (Qno users can apply to Qno). The virtual server function opens only one specified service port per entry, so requests to other ports are ignored, which makes it relatively safe. This suits servers that use a specific port. With the virtual server function, several internal servers can be opened to the outside.

[Figure III: the virtual server page of the Qno router, image not reproduced]

Figure III: The virtual server maps one network service port to an internal server; because only a limited number of ports are opened, security is higher.

DDNS with dynamic IP for a server with no specific port, low security requirement: Some applications have no fixed port; the server and the client software negotiate the communication port according to the application's needs, so a virtual server cannot be used. Typical examples are video surveillance systems or remote digital cameras, most of which use special ports. Requests to all ports must then be sent to the server through the "internal DMZ server" function. This is a software DMZ: it does not require the physical DMZ port but points at an internal server instead. Because all ports are open, security is low, so corresponding firewall rules are recommended. Each WAN port can serve only one DMZ server.

[Figure IV: the DMZ server page of the Qno router, image not reproduced]

Figure IV: The DMZ server suits network cameras whose ports are not fixed, but its relatively weak security must be compensated by firewall configuration.
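To make the exposure difference between the virtual server (Figure III) and the internal DMZ server (Figure IV) concrete, the following added example models the inbound NAT decision for one WAN port. It is not Qno firmware: virtual server entries are matched first, then, if a DMZ host is set, the packet goes to it unless an allow-list (the firewall rules the text recommends) rejects the port. An `exposed_ports` helper shows what an external port scan would reach under each configuration. Hosts, ports and rules are constructed.

```python
"""Inbound NAT model: virtual server entries versus an internal DMZ host.

Added example, not Qno's code. All addresses, ports and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class VirtualServer:
    """One virtual server entry: a single WAN port mapped to an internal host and port."""
    proto: str
    wan_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class AllowRule:
    """Firewall allow rule evaluated before a packet is handed to the DMZ host."""
    proto: str
    first_port: int
    last_port: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.first_port <= port <= self.last_port


@dataclass
class WanPort:
    virtual_servers: List[VirtualServer] = field(default_factory=list)
    dmz_host: Optional[str] = None                      # at most one per WAN port
    dmz_allow: List[AllowRule] = field(default_factory=list)  # empty: every port reaches the DMZ host

    def forward(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Internal (ip, port) an inbound packet is delivered to, or None if it is dropped."""
        for vs in self.virtual_servers:                  # explicit mappings win
            if vs.proto == proto and vs.wan_port == dst_port:
                return (vs.internal_ip, vs.internal_port)
        if self.dmz_host is None:
            return None                                  # nothing else is opened
        if self.dmz_allow and not any(r.matches(proto, dst_port) for r in self.dmz_allow):
            return None                                  # firewall in front of the DMZ host
        return (self.dmz_host, dst_port)                 # software DMZ: port passed through

    def exposed_ports(self, proto: str, first: int = 1, last: int = 65535) -> Set[int]:
        """WAN ports an external scan would find forwarded to some internal host."""
        return {p for p in range(first, last + 1) if self.forward(proto, p) is not None}


# Constructed configurations for the three cases discussed in the text.
VIRTUAL_ONLY = WanPort(virtual_servers=[
    VirtualServer("tcp", 80, "192.168.1.20", 80),     # web server
    VirtualServer("tcp", 443, "192.168.1.20", 443),
    VirtualServer("tcp", 2121, "192.168.1.21", 21),   # FTP on a non-standard WAN port
])
CAMERA_DMZ_OPEN = WanPort(dmz_host="192.168.1.30")    # camera as DMZ host, no firewall
CAMERA_DMZ_FILTERED = WanPort(                        # same, with the recommended allow rules
    dmz_host="192.168.1.30",
    dmz_allow=[AllowRule("tcp", 554, 554), AllowRule("tcp", 8000, 8100)],
)
MIXED = WanPort(                                      # web server plus DMZ host on one WAN port
    virtual_servers=[VirtualServer("tcp", 80, "192.168.1.20", 80)],
    dmz_host="192.168.1.30",
)

if __name__ == "__main__":
    for name, cfg in [("virtual servers only", VIRTUAL_ONLY),
                      ("DMZ host, no firewall", CAMERA_DMZ_OPEN),
                      ("DMZ host, allow-list", CAMERA_DMZ_FILTERED)]:
        print(f"{name:24} reachable TCP ports: {len(cfg.exposed_ports('tcp'))}")
```

The scan count is the point: three virtual server entries expose three ports, an unfiltered DMZ host exposes all 65535, and the allow-list brings the DMZ host back down to the camera's own ports. The `MIXED` configuration also shows why a virtual server entry is still worth adding next to a DMZ host: port 80 goes to the web server, every other port to the camera.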

The above is a preliminary introduction to the WAN, LAN and public server aspects of SME secure router functions and the problems often encountered with them. We believe it will be of considerable help to enterprise network administrators. In a follow-up, we will discuss the configuration and management functions of the SME secure router according to user needs.
