Learn how to configure the security router for SMEs

Source: Internet
Author: User

Network security is a required subject for anyone managing a small or medium-sized enterprise (SME) network. The author has collected the experience of Qno (Xianuo) in supporting enterprise users across China for your reference. We start with the basic configuration: how to set up the WAN and LAN sides of the router. The aim is to help SMEs make good use of the router's functions at the planning stage, so that the router provides better network services to internal users and improves business efficiency.

Based on the practical support experience of Qno's technical service department, three areas deserve special attention when configuring a basic security router for an SME: the WAN side, the LAN side, and public servers. Each is described in turn below.

I. The WAN side

The WAN side is the line connecting the router to the Internet service provider, and the WAN lines are the main path for broadband access. If a line drops or becomes congested, the enterprise's Internet access is interrupted, which can cause serious problems for some businesses. The primary consideration for WAN security is therefore how to keep the line stable and keep the enterprise operating under all circumstances.

Most SMEs use a single ADSL line because they have few Internet users or limited funds. Enterprises that need a lot of bandwidth or have demanding network requirements, such as those in the service or foreign-trade industries, may use optical fiber at a relatively high cost. From the users Qno has supported, multiple WAN lines turn out to be the preferred configuration in the following situations:

Occasional large uploads/downloads: As a result of informatization, many enterprises need to perform large downloads from time to time. For example, a mineral trading company in Chengdu needs to upload sales reports and inventory data every day after work, which takes a lot of time, and a private enterprise in Ningbo often needs to download design drawings from foreign customers' servers for production. While a large file is being downloaded, the network administrator generally does not want the Internet access or downloads of normal users to be affected. The answer is to apply for two lines: normally both are open for general Internet use, but when special work is required one line can be reserved for the large download task, so that important data is transmitted on time. With a multi-WAN configuration, the overtime the network administrator spends in the office waiting for data transfers can be greatly reduced.

Cross-carrier problems: A trading company for agricultural products in Jinan, Shandong Province often needs to establish a VPN connection with its headquarters in Beijing. For reasons that were unclear, the connection was always unstable: the data would not finish transmitting before the tunnel had to be brought up again. This may be caused by the instability of a VPN established across different carriers. For example, the headquarters uses China Netcom lines while the branches use China Telecom lines, so the bandwidth between the two carriers' networks is insufficient and the connection suffers. A multi-WAN router can solve this problem as well: the headquarters connects to both a China Netcom line and a China Telecom line, branches on China Netcom build their VPN to the Netcom entrance, and branches on China Telecom build theirs to the Telecom line. This avoids the small or unstable cross-carrier bandwidth.

When backup is required: Another advantage of multiple WAN lines is backup. A common situation is that some regional carriers give fiber-optic customers an additional ADSL line; the fiber can then be used with the ADSL line as a backup, and when the former fails, the ADSL line takes over. Some users prefer lines from different carriers, so that when carrier A's line or data center has a problem, carrier B's line replaces it. For some industries, such as the media industry, it is important to have Internet access at all times.

When ADSL bandwidth is insufficient: Most enterprises use ADSL. According to statistics, most SME broadband users access the Internet over ADSL. In some regions, however, the bandwidth of ADSL is relatively small; a 64 K/64 K line, for example, is clearly insufficient for enterprise applications, yet optical fiber costs more than several ADSL lines. In this case, using a multi-WAN router to aggregate multiple ADSL lines is a feasible and cost-effective method.

The WAN is the only route by which an enterprise reaches the Internet, so it is crucial to the enterprise's Internet access. According to a market survey conducted by Qno, many enterprises are interested in wireless broadband access such as 3G or WiMAX, hoping to use wireless access as a supplement to wired access. This reflects the importance enterprises attach to WAN access and their expectations of it.

II. The LAN side

The LAN side is the line connecting the router to the enterprise's internal network users. Some routers have several LAN ports that can be connected directly to switches. Some network administrators connect the router to a backbone switch first and then to the general access switches. Both methods work; the latter is suitable for applications with large throughput. For general enterprise applications, the bandwidth of the router's LAN ports is sufficient for forwarding, so the hardware configuration is relatively simple.

Qno's technical service personnel point out from experience that IP address management is important for a good security configuration. The IP address is the computer's address on the network, so the administrator must be able to manage addresses effectively in order to prevent attacks or to control a problematic computer. The four important points of IP address management for network administrators are described below:

Computers use fixed IP addresses: Giving each computer a fixed IP address is the strictest configuration method. The IP address data must be entered manually on each computer. The advantage is that every machine's IP address must be specified in advance, and without a pre-assigned address a machine cannot access the Internet, so external users or computers cannot easily get onto the network through the enterprise's network. However, users must set the fixed IP address themselves and reset it when they work elsewhere, which causes a lot of trouble for users who move frequently, such as sales staff or senior executives.

The DHCP server issues fixed IP addresses: The advantage of a DHCP server is that users do not need to configure anything on their computers, which is more convenient. The disadvantage is that, without any control, any user can join the enterprise's network, making it easy to launch internal attacks. An enterprise can therefore issue IP addresses through DHCP while at the same time limiting which IP address a given computer can obtain. The IP/MAC binding function of the Qno router identifies the computer's MAC address and releases a specific IP address according to the administrator's configuration, so that IP addresses can be managed. The IP/MAC binding function also prevents users from changing their IP address to obtain higher permissions: an incorrect MAC/IP combination is blocked by the router's "Block incorrect MAC address" function, which can also prevent ARP attacks.

Prevent unauthorized computers from accessing the Internet: For network administrators, uncontrolled computers often cause security problems. Some users bring in their own computers carrying viruses, and users on other floors may even reach the company's network over wireless. This problem can be solved by preventing unauthorized computers from accessing the Internet. Within its IP/MAC binding function, Qno provides the "Block MAC addresses not in the corresponding table" option, which completely denies Internet access to any MAC address the administrator has not configured.

Figure 1: The IP/MAC binding function of the Qno router. The network administrator enters the user's IP address and MAC address so that the same fixed IP address is assigned to that user each time DHCP is used. In addition, the "Block incorrect MAC address" and "Block MAC addresses not in the corresponding table" options provide a first layer of security protection.
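To make the two blocking options concrete, here is an added Python model of the IP/MAC binding checks described above; it is not Qno firmware code, and the binding table, addresses and reason codes are constructed for the example.

```python
"""IP/MAC binding enforcement as a router might implement it (added example, not Qno code).
block_wrong_mac models "Block incorrect MAC address"; block_unknown_mac models
"Block MAC addresses not in the corresponding table". Addresses are constructed samples."""
from __future__ import annotations


class BindingPolicy:
    def __init__(self, table: dict[str, str], block_wrong_mac: bool = True,
                 block_unknown_mac: bool = True) -> None:
        self.table = {ip: mac.lower() for ip, mac in table.items()}   # IP -> MAC, admin-entered
        self._by_mac = {mac: ip for ip, mac in self.table.items()}    # reverse lookup
        self.block_wrong_mac = block_wrong_mac
        self.block_unknown_mac = block_unknown_mac

    def dhcp_offer(self, mac: str, pool: list[str]) -> str | None:
        """IP the DHCP server hands to this MAC: its bound IP, a free pool IP, or None (no lease)."""
        mac = mac.lower()
        if mac in self._by_mac:
            return self._by_mac[mac]            # same fixed address every time
        if self.block_unknown_mac:
            return None                         # unlisted computer gets no lease
        return next((ip for ip in pool if ip not in self.table), None)

    def allow(self, ip: str, mac: str) -> tuple[bool, str]:
        """Decide whether a frame with this source IP/MAC may pass, with the reason code."""
        mac = mac.lower()
        if self.table.get(ip, mac) != mac:
            # A bound IP used from a different card: manual IP change or ARP spoofing
            return (not self.block_wrong_mac, "ip_bound_to_other_mac")
        if mac in self._by_mac and self._by_mac[mac] != ip:
            # A listed computer using an address other than its own (e.g. a privileged one)
            return (not self.block_wrong_mac, "mac_bound_to_other_ip")
        if ip not in self.table and mac not in self._by_mac:
            return (not self.block_unknown_mac, "unknown_mac")
        return (True, "bound_pair")


def audit(policy: BindingPolicy, observed: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (ip, mac, reason) for every observed pair the policy would block."""
    return [(ip, mac, r) for ip, mac in observed for ok, r in [policy.allow(ip, mac)] if not ok]


# Constructed sample: two bound hosts, then source pairs seen on the LAN
POLICY = BindingPolicy({"192.168.1.10": "00:11:22:33:44:55",    # manager's PC
                        "192.168.1.20": "00:11:22:33:44:66"})   # sales PC
OBSERVED = [("192.168.1.10", "00:11:22:33:44:55"),   # legitimate
            ("192.168.1.10", "de:ad:be:ef:00:01"),   # another card claiming the manager's IP
            ("192.168.1.20", "00:11:22:33:44:66"),   # legitimate
            ("192.168.1.99", "de:ad:be:ef:00:02")]   # visitor laptop not in the table
```

Running `audit(POLICY, OBSERVED)` flags the second and fourth pairs; with `block_unknown_mac=False` the visitor laptop would instead receive a pool address and pass.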

Group management: Besides binding IP addresses to MAC addresses, which effectively controls access to the external network, the group function can be used to manage users more conveniently. With Qno's IP Group function, different IP users can be placed in different groups: for example, senior managers in one group, the sales department in another, and internal administrative staff in a third. Different control permissions or bandwidth management policies can then be applied to each group. This greatly simplifies management and avoids loopholes in Internet-access control.

Figure 2: The IP Group function, which classifies different IP users into named groups. Through group management, comprehensive control can be applied in one step, and security gaps caused by missing configuration are avoided.

III. Setting up an internal public server

In the past, only a large enterprise might set up a public server for external users to access. The spread of information technology now makes it possible for SMEs to set up various public servers for external users; file exchange, technical updates, and report delivery, for example, can all be provided through a public server.

To provide public services, an enterprise must have a fixed address that Internet users can type into the address bar to reach the server. The usual method is identification by a fixed IP address or a domain name, but both are expensive for SMEs, with high monthly costs. Fortunately, the emergence of DDNS allows enterprises to use dynamic IP addresses: even when ADSL provides a dynamic IP address, users can still reach the server through an easy-to-remember domain name. Qno has also introduced a dynamic domain name (DDNS) service for enterprise users; it is currently in testing and will be available to Qno users in the near future. Stay tuned.

The following describes the configurations of an internal public server for different requirements: one or more fixed public IP addresses, a single public server, and multiple public servers.

One or more fixed public IP addresses, with high security: If you have several fixed IP addresses and want to isolate the server so that traffic to it stays away from the Intranet for the highest security, connect one or more servers through the hardware DMZ port of the Qno router. The network packets of external users are then completely isolated and never enter the Intranet, which gives the highest security. This is the safest kind of application, but in the author's experience it is also the one network administrators are least familiar with.

One or more fixed public IP addresses, with an internal server exposed: Some applications need the server to be easily reached by users on both the Intranet and the Internet. When a fixed public IP address is available, the One-to-One NAT function maps the Intranet server to the public IP address, so that to Internet users the server looks like a public server while to Intranet users it is an ordinary internal server. This configuration is quite convenient and therefore very popular. However, because there is no proper isolation, some bandwidth limits or restrictive firewall settings are needed to increase security.

Using DDNS to provide multiple public servers, with high security: Enterprises that access the Internet over ADSL usually have no fixed IP address and must use a dynamic domain name service; Qno users can apply for this service from Qno. The Virtual Server function opens only a limited set of network ports at a time, so requests to other ports are not forwarded, and security is relatively high. It is suitable for servers with specific ports, and with the Virtual Server function several internal servers can be opened.

Figure 3: Virtual servers expose internal servers through specific network service ports. Because only limited ports are opened, high security can be achieved.

Using DDNS with a dynamic IP address to provide a public server with unspecified ports, with low security: Some applications do not use specific ports; the server negotiates the communication port with the client software as needed, so a virtual server cannot be used. A typical example is video surveillance or remote network cameras, most of which use special ports. In this case, an internal DMZ server has to be used to direct requests on all ports to that server. This function is the software DMZ: instead of connecting the server to the physical DMZ port, it directs traffic to an internal server. However, because all ports are open, we recommend setting the corresponding firewall control rules to keep it secure. This function can be used by only one server per WAN port.

Figure 4: A DMZ server is suitable for network cameras and applications with unknown ports, but the corresponding firewall configuration must be set up for reasonable security.
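As an added illustration of the exposure difference between a virtual server, an open software DMZ and a software DMZ with firewall rules (not Qno's own code), the following Python model assumes a lookup order common in SME routers, virtual-server entries first and then the DMZ host as catch-all, and counts how many WAN ports each configuration leaves reachable from a given source; all addresses are constructed.

```python
"""How an SME router picks the LAN target for an inbound WAN connection (added example,
not Qno firmware). Assumed lookup order, common for such routers: virtual-server entries
first, then the software DMZ host as catch-all, then drop. Optional firewall rules narrow
which source networks may reach the DMZ host, as the text recommends. Addresses are
constructed sample values."""
from __future__ import annotations
import ipaddress


class InboundPolicy:
    def __init__(self, virtual_servers=(), dmz_host: str | None = None,
                 dmz_allow_from: list[str] | None = None) -> None:
        # Virtual Server table: WAN port -> (LAN IP, LAN port); only these ports are opened
        self.virtual_servers = {wp: (ip, lp) for wp, ip, lp in virtual_servers}
        self.dmz_host = dmz_host                    # software DMZ: every other port lands here
        # Firewall rule for the DMZ host: permitted source networks (None = anyone)
        self.dmz_allow_from = ([ipaddress.ip_network(n) for n in dmz_allow_from]
                               if dmz_allow_from else None)

    def _dmz_reachable(self, src_ip: str) -> bool:
        if self.dmz_host is None:
            return False
        if self.dmz_allow_from is None:
            return True
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in self.dmz_allow_from)

    def forward(self, src_ip: str, wan_port: int) -> tuple[str, int] | None:
        """LAN destination for a connection from src_ip to wan_port, or None if dropped."""
        if wan_port in self.virtual_servers:
            return self.virtual_servers[wan_port]
        if self._dmz_reachable(src_ip):
            return (self.dmz_host, wan_port)        # every other port, unchanged, to the DMZ host
        return None

    def exposed_ports(self, src_ip: str) -> int:
        """Number of WAN ports (of 65535) on which src_ip can reach some LAN host."""
        return 65535 if self._dmz_reachable(src_ip) else len(self.virtual_servers)


# Constructed configurations for the cases discussed above
VS_ONLY = InboundPolicy(virtual_servers=[(80, "192.168.1.50", 80),      # web server
                                         (2222, "192.168.1.51", 22)])   # SSH on a non-default port
DMZ_OPEN = InboundPolicy(dmz_host="192.168.1.60")                        # camera server, no rules
DMZ_FILTERED = InboundPolicy(dmz_host="192.168.1.60",
                             dmz_allow_from=["203.0.113.0/24"])          # only the branch office
```

`DMZ_OPEN.exposed_ports(...)` returns 65535 for any source, while `DMZ_FILTERED` returns 0 for sources outside the allowed network, which is the gap the recommended firewall rules close.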

The above gives a preliminary introduction to the WAN, LAN, and public-server functions of SME security routers and the common problems around them. I believe it will be of great help to readers. In the future, we will discuss the "configuration and management" functions of SME security routers based on user needs.

 
