How to select an Access Network

Source: Internet
Author: User

Selecting an appropriate access method is a very important part of an access network project. Here we use a real case to describe what needs special attention when selecting an access network method, in the hope that it will be useful to you. What kind of VPN technology should a university library choose so that off-campus users can reasonably access all types of library resources? Judging from how libraries are currently used, it is reasonable to use IPSEC and SSL together.

As we have previously analyzed, upstream resource vendors place limits on how their resources are used. In addition to limiting the IP addresses that may initiate requests, they also limit the traffic generated by a single IP address. We therefore divide the library's large population of off-campus users into two types: users who use library resources frequently and access a large amount of data (mainly teachers, few in number), and users who use them infrequently and access a small amount of data (mainly students, large in number). The small number of high-traffic teacher users are assigned IPSEC access, so that their large traffic volume is spread across different IP addresses, avoiding the problems caused by excessive traffic from a single IP address. The students, who are large in number, are assigned SSL access. Because the SSL VPN requires no client deployment, this greatly reduces the client maintenance workload and allows VPN applications to be deployed quickly in the library.

After a long period of testing, wasu library chose the IPSEC/SSL integrated VPN platform launched by the domestic professional VPN manufacturer Sangfor Technology: the Sinfor M5100-S. This product integrates both IPSEC and SSL VPN functions on one gateway and combines the two technologies to meet the needs of library applications. At the same time, the integrated design greatly reduces the investment in the overall VPN product and meets the education industry's need for low-cost, efficient IT construction.

The IPSEC client needs to be configured during deployment, which seriously affects the use of the whole VPN system in library applications. For the large number of off-campus users, the VPN is only a means of accessing campus network resources. If they must master specialist technology before they can use it, deployment of the entire application will be greatly affected. To solve this problem, Sangfor Technology has released a USB key-based zero-configuration client function, which stores a remote user's security policies in a USB key (also known as a DKEY) similar to a USB flash drive. The remote user carries a DKEY that identifies him or her and stores the corresponding security policy configuration, and can use it to connect securely to the library from any computer. After the IPSEC client software is installed, no configuration is needed: the user only inserts the DKEY and enters his or her own password to complete access. The VPN client therefore needs no configuration and is as safe and convenient as using a cash machine.

Multi-line smart routing to solve the problem of cross-carrier network interconnection

At present, large-scale VPN networks often span carriers. However, the interconnection bandwidth between domestic carriers is too low, resulting in low access speeds between different carriers and seriously affecting VPN performance. As a leading VPN and network security R&D provider in China, Sangfor Technology innovatively adopted the multi-line smart routing function in its IPSec VPN and successfully applied it to the IPSec/SSL integrated gateway, the Sinfor M5100-S. For remote access users spread across the networks of different carriers, the M5100-S automatically switches to the fastest line. As long as lines from multiple carriers are applied for at the VPN headquarters, the latency and bandwidth problems between different carriers can be solved most effectively.

With other solutions, solving the cross-carrier interconnection problem generally requires purchasing a separate load balancer to achieve multi-line load balancing. The multi-line load balancing of the Sinfor M5100-S saves the university library this procurement cost and reduces future maintenance. For university libraries, a large number of off-campus users connect through ADSL and other Internet services provided by China Telecom, and their direct access speed to education network resources is not ideal. With multi-line smart routing, the library only needs to apply for an ordinary line (such as ADSL) from a telecom operator to achieve high-speed access for off-campus users.

Multiple authentication methods for High Security

In the SINFOR M5100-S, the SSL VPN uses SSL protocol encryption to establish a secure, private encrypted channel. In addition to using a 1024-bit asymmetric key to enhance security, it uses the DKEY (a USB authentication device) to perform two-factor authentication, with a PIN protecting the DKEY itself. The same USB DKEY supports both VPN systems, which is secure and convenient. The SINFOR M5100-S has built-in LDAP/AD, Radius, SecurID, SMS and other authentication methods. According to the required security level, several authentication methods can be combined for a client, which gives the greatest assurance that connected users are legitimate. At the same time, because the Sinfor SSL VPN uses only port 443 to transmit data during the tunnel connection, it greatly reduces the possibility that a virus may intrude into the VPN network from a remote client.

More detailed access control functions, improved user and Resource Management

The SINFOR M5100-S provides a fine-grained division of permissions for each URL and for different applications through its unique role management feature. Access authorization is assigned by setting different roles for different users, and a single user can be assigned multiple roles to fit various complex organizational structures. Role-based access restrictions provide strong security for the network. With reasonable roles, administrators can allocate the electronic resources that remote users may access based on their identities and permissions. For example, teachers can access various foreign resources, while students can only access resources of the education network in China. The behavior tracking engine allows administrators to view all access records of remote access users.
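The role model described above, sketched as an added example (not Sangfor's code and not the M5100-S configuration format): roles grant host suffixes, a user's permissions are the union of all their roles, everything else is denied, and every decision is recorded for later review. All role names, users and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy (hypothetical names): role -> host suffixes it may reach.
ROLE_RESOURCES = {
    "student": {"edu.cn"},
    "teacher": {"edu.cn", "journals.example.com"},
    "staff": {"admin.library.example"},
}
# Constructed user table: a single user may hold several roles.
USER_ROLES = {
    "alice": {"teacher"},
    "bob": {"student"},
    "carol": {"student", "staff"},
}

ACCESS_LOG = []  # (user, url, decision) tuples, one per request


def host_matches(host, suffix):
    """Match on a DNS label boundary, so 'notedu.cn' does not match 'edu.cn'."""
    return host == suffix or host.endswith("." + suffix)


def is_allowed(user, url):
    """Default deny: allow only http(s) URLs whose host is granted by at
    least one of the user's roles. Every decision is appended to the log."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        scheme = parts.scheme
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        host, scheme = "", ""
    allowed = set()
    for role in USER_ROLES.get(user, ()):  # unknown user -> no roles
        allowed |= ROLE_RESOURCES.get(role, set())
    ok = (scheme in ("http", "https")
          and any(host_matches(host, s) for s in allowed))
    ACCESS_LOG.append((user, url, "allow" if ok else "deny"))
    return ok


if __name__ == "__main__":
    for u, link in [("alice", "https://journals.example.com/issue/1"),
                    ("bob", "https://journals.example.com/issue/1"),
                    ("bob", "https://notedu.cn/"),
                    ("carol", "https://admin.library.example/users")]:
        print(u, link, is_allowed(u, link))
```

Matching the parsed hostname on a label boundary, rather than searching the URL string for the suffix, is what keeps a lookalike host from inheriting a role's permissions.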

The SINFOR M5100-S has a variety of built-in user and resource management methods; users can be created locally or imported from a third party. The M5100-S supports LDAP/AD, RADIUS and other third-party authentication, and can manage users by group, public account, private account and other means. At the same time, the M5100-S integrates multiple controls, such as group user concurrency restrictions, public account concurrency restrictions and user traffic restrictions, to ensure that users use VPN resources reasonably. In addition, the real-time monitoring status bar of the M5100-S visual management graphical user interface (GUI) lets you monitor user access in real time and observe the operation of the entire VPN system.

Supports Dynamic IP addresses for ease of use

Due to the popularity of broadband and the reduction of ADSL charges, small and medium enterprises in China usually use dynamic IP access methods such as ADSL dialing. The Sinfor M5100-S integrates Sangfor Technology's web-based dynamic IP addressing technology, so it does not require a fixed IP address during deployment and fully supports dynamic IP addresses. In addition, when an enterprise uses the SSL VPN function of the M5100-S, it can use the same webagent as the IPSec VPN to resolve the dynamic IP address of the gateway, reducing the amount of administrator maintenance. Mobile office staff can connect to the company's intranet more conveniently using a browser. Because dynamic IP is supported, the M5100-S is also suitable for small and medium enterprises.

Traditional IPSec VPN often requires complicated installation and configuration when deploying clients. With the Sinfor M5100-S's original web-based online installation method for the IPSec client, you can easily install and use IPSec VPN, and deploy an IPSec/SSL VPN network as needed.

Widely used

The SINFOR M5100-S not only provides secure access to Web systems, but also enables access to the vast majority of C/S applications through SSL proxy technology. Whether on a Windows or Linux client, or even a handheld device, you can easily use SSL VPN secure access as long as you have an SSL browser.

Integrated firewall to effectively protect internal services

Unlike most SSL VPNs, the SINFOR M5100-S integrates a high-performance enterprise firewall that opens only port 443 to the outside, which can effectively protect internal servers from various attacks from the Internet, including DoS attacks on open ports. Using an IPSEC/SSL VPN security gateway can effectively address multiple aspects of digital library remote access applications. IPSEC/SSL VPN technology will surely become a new trend and be widely used and popularized.
