This post covers the deployment practices for network security equipment: where the equipment should be placed in real-world work, and the strengths and weaknesses of each placement.
1. Basic router filtering design
[Figure: basic router filtering topology (image: http://www.bkjia.com/uploads/allimg/131227/0T412G49-0.png)]
Disadvantages:
1. The public service area sits inside the Intranet. Once a server there is compromised, the attacker reaches the Intranet directly, without passing through the router's filtering.
2. Access-list control over what external users may reach is very limited.
3. A large number of ports must be opened on the router.
Dual-route DMZ Design
[Figure: dual-router DMZ topology (image: http://www.bkjia.com/uploads/allimg/131227/0T4124G4-1.png)]
Features:
1. The public service area is separated from the Intranet. Once the public service area is compromised, the attacker still has to get through a second router to reach the Intranet.
2. The second router carries a more detailed ACL.
Stateful firewall DMZ Design
[Figure: stateful firewall DMZ topology (image: http://www.bkjia.com/uploads/allimg/131227/0T4125J0-2.png)]
Stateful firewalls can replace the routers in the previous design.
1. Caveat: some firewalls do not support advanced routing protocols or multicast.
2. Apply RFC 1918 (private source addresses) and RFC 2827 (ingress anti-spoofing) filtering at the entry point.
DMZ Design of A Three-interface Firewall
[Figure: three-interface firewall DMZ topology (image: http://www.bkjia.com/uploads/allimg/131227/0T41263S-3.png)]
This is the classic design that is usually adopted today.
1. All traffic must pass through the firewall's filtering.
2. Make sure access from the public service area to the Intranet is restricted. Otherwise the public service area is effectively still part of the Intranet. The old saying applies: do not trust the Internet, and do not trust your own public service area either.
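To make the RFC 1918 / RFC 2827 entry filter and the three-interface zone policy concrete, here is an added example (not code from the original post) that models the firewall's ordered decision for a packet: the anti-spoofing check runs on the arriving interface first, then the zone rules, then the implicit deny. The address plan (a TEST-NET-3 public block, a /25 of it for the DMZ, 10.10.0.0/16 for the Intranet) is a constructed assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption for this example, not from the post).
ZONES = {
    "inside": ip_network("10.10.0.0/16"),        # intranet
    "dmz": ip_network("203.0.113.128/25"),       # public service area
}
ORG_PUBLIC = ip_network("203.0.113.0/24")        # every public address we own
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ingress_check(iface, src):
    """RFC 1918 / RFC 2827 anti-spoofing applied on the interface a packet arrives on."""
    src = ip_address(src)
    if iface == "outside":
        if any(src in n for n in RFC1918):
            return "deny rfc1918-source"          # private source from the Internet
        if src in ORG_PUBLIC:
            return "deny rfc2827-spoofed-own-address"  # outsider claiming our address
    elif src not in ZONES[iface]:
        return "deny rfc2827-egress-spoof"        # inside/dmz host using a foreign source
    return "permit"

# Ordered zone policy for the three-interface firewall; None means any port.
RULES = [
    ("outside", "dmz", {80, 443}, "permit"),   # only the published services
    ("dmz", "inside", None, "deny"),           # public service area never reaches the intranet
    ("dmz", "outside", None, "permit"),
    ("inside", "dmz", None, "permit"),
    ("inside", "outside", None, "permit"),
]

def zone_of(addr):
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"

def decide(iface, src, dst, dport):
    """Return the firewall verdict for a packet arriving on `iface`."""
    verdict = ingress_check(iface, src)
    if verdict != "permit":
        return verdict
    dst_zone = zone_of(dst)
    for from_zone, to_zone, ports, action in RULES:
        if from_zone == iface and to_zone == dst_zone and (ports is None or dport in ports):
            return action
    return "deny implicit"   # every ACL ends with an implicit deny
```

Note that the Internet-to-Intranet case is handled by the implicit deny, and the DMZ-to-Intranet case by an explicit rule, so a later "permit" added by mistake for DMZ traffic still cannot reach the Intranet.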
Multi-firewall Design
[Figure: multi-firewall layered topology (image: http://www.bkjia.com/uploads/allimg/131227/0T4125V9-4.png)]
1. The trusted zone accepts requests only from the semi-trusted zone, the semi-trusted zone accepts requests only from the untrusted zone, and the untrusted zone accepts requests from the Internet.
2. Use firewall products from more than one vendor, so that a vulnerability in a single product does not defeat every layer.
Different ACL categories
[Figure: ACL categories (image: http://www.bkjia.com/uploads/allimg/131227/0T4122S6-5.png)]
This article is from the "cisco network" blog. For more information, contact the author!