The small network has two modules: the company Internet module and the Park module. The company's Internet module has a connection to the Internet, and also ends up with VPN and public services (DNS, HTTP, FTP, SMTP) information flow. The Park module contains layer 2nd switching capabilities with all users as well as admin with intranet servers. A discussion of this design is premised on the use of small networks as the head end of the enterprise. (Computer science)
Internet module
The Internet module provides internal users with a connection to the Internet and enables users to access information on the public server over the Internet, while also providing VPN access to remote locations and remote workers. This module does not apply to e-business types.
The key devices involved in the Internet module are: SMTP server, DNS server, ftp/http server, firewall or firewall router, Layer 2nd switch (dedicated VLAN supported).
A server with a public address is the easiest to attack. The following are potential threats to Internet modules: unauthorized access, application layer attacks, virus and Trojan horse attacks, password attacks, denial of service, IP spoofing, packet eavesdropping, network reconnaissance, trust relationship utilization, port redirection.
Design Guide-the module is extremely strong in the design of a small VPN network. VPN functionality is compressed into one chassis, but still performs routing, NAT, IDs, and firewall features. Two main alternatives are mentioned when determining how to implement this function. The first is to use a router with a firewall and VPN capabilities. This choice provides great flexibility for small networks, as routers will support all advanced services that may be indispensable in today's network. As an alternative, a dedicated firewall with a VPN can be used instead of a router. This setting poses some limitations to deployment. First, firewalls are usually just Ethernet, requiring some conversion to the appropriate WAN protocol. In the current environment, most wired and DSL routers/modems are provided by telecommunications service providers and can be used to connect Ethernet firewalls. If a device requires a WAN connection (such as a DSL circuit for a telecommunications provider), then the router must be used. The use of private firewalls does not provide the advantage of easy configuration of security and VPN services, providing improved performance when performing firewall functions. Regardless of which device you choose, consider some of the VPN factors. Note that routers tend to allow the flow of information through, while the default settings for firewalls tend to block the flow of information.
Starting with the ISP's client edge router, the ISP exit restricts the secondary flow of information that exceeds the predetermined threshold to reduce DDoS attacks. Also at the entrance of the ISP router, the RFC1918 and RFC 2827 filtering feature will prevent spoofing of the source address for the local network and private addresses.
At the entrance to the firewall, RFC1918 and RFC2827 will be used first to verify the filtering capabilities of the ISP. In addition, because of the great security risks posed by fragmented groupings, firewalls discard fragmented groupings that should not be considered standard information flow on the Internet. This filtering may cause some qualified traffic to be discarded, but this is acceptable given the risk of allowing the above-unqualified flow of information to pass. The flow of information destined for the firewall is limited to the IPSec information flow and any necessary protocols for routing.
The firewall provides connection state execution and detailed filtering for sessions initiated through the firewall. Servers with public addresses can prevent TCP SYN floods by using Half-open connection restrictions on the firewall. From the filtering point of view, in addition to the public service area to limit the flow of information to the relevant address and port, in the opposite direction is also filtering. If an attack involves a public server (by circumventing the firewall and host-based IDs), then it should not attack the network further. To mitigate this attack, specific filtering will prevent the public server from issuing any unauthorized requests to any other location. For example, a Web server should be filtered so that it cannot produce requests on its own, but only requests from clients. This setting helps prevent hackers from downloading more applications to the compromised machine after the initial attack. It also helps prevent hackers from triggering unwelcome sessions during the main attack. An example of this attack is to generate a xterm from a Web server and then send it to the hacker's machine via a firewall. In addition, a dedicated VLAN on DMI can prevent a compromised public server from attacking other servers in the same zone. This information flow can not even be discovered by firewalls, thereby proving the importance of a dedicated VLAN.
From a host perspective, each server in the public service area has host intrusion detection software for monitoring any undesirable activity at the OS level, as well as activities for ordinary server applications (HTTP, FTP, SMTP, and so on). The DNS host should respond only to the necessary commands while eliminating any unnecessary responses that might help the hacker's network reconnaissance attacks. This includes preventing zone transfers from any location (except for qualified level two DNS servers). In the messaging service, the firewall filters SMTP information at layer 7th to allow only the necessary commands to reach the mail server.
The security features of firewalls and firewall routers typically include limited nids functionality. This functionality can affect the performance of your device, but it can provide some information about the attack if you are under attack. You are sacrificing some of your performance in exchange for attack transparency. If you do not use IDs, many attacks will be discarded, but the monitoring station will not know what specific attacks have occurred. VPN connectivity is implemented through firewalls or firewalls/routers. Remote locations authenticate each other with preshared keys, and remote users are authenticated through the access control server in the campus module.
Designs that are different from the above design will be designed to increase network capacity or to assign different security features to different devices. This design is more and more like the medium network design to be discussed later in this article. You can increase the manageability of a remote user base by adding a dedicated remote access VPN concentrator before you fully adopt a midsize network design.
Park Network Module
The campus network module contains the end user workstation, the intranet server, the Management Server, and the related layer 2nd infrastructure needed to support these devices. In a small network design, this layer 2nd functionality has been incorporated into a single switch.
Design Guide-The main function of the campus switch is to exchange the production and management information flow and to provide connectivity for the company and the Management Server and users. VLAN can be implemented within the switch to reduce trust between devices and exploit attacks. For example, a company user may need to communicate with a corporate server but may not need to communicate with each other.
Because there is no layer 3rd service in the Park module, it is important to note that this design is increasingly focused on application and host security due to the openness of the internal network. As a result, HIDs is also installed on key systems in the park, including corporate servers and management systems.
Setting up a small filter router or firewall between the management station and the rest of the network can improve overall security. This setting will allow management traffic to be transmitted only in the direction that the administrator deems necessary. If the level of trust within the organization is high, then HIDs can be canceled (although we do not recommend doing so).
Branch office and standalone configuration
Remote access VPN functionality is not required in branch offices, as corporate headquarters typically provides this functionality. In addition, the management host is typically located in a central location that requires managing the flow of information through the location to the location of the VPN connection back to corporate headquarters.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.