Network security device practices

Source: Internet
Author: User

This article discusses deployment practices for network security devices: where the devices should be placed in real-world work, and the advantages and disadvantages of each layout.

1. Basic router filtering design

[Figure: basic router filtering topology, http://www.bkjia.com/uploads/allimg/131227/0T412G49-0.png]

Disadvantages:

1. The service area sits inside the Intranet. Once a server is compromised, the attacker is already on the Intranet and attacks it directly, without passing through the router's filter.

2. Access lists controlling external users' access become extremely complicated, because public services and internal hosts share the same segment.

3. A large number of ports must be opened on the router.

Dual-router DMZ Design

[Figure: dual-router DMZ topology, http://www.bkjia.com/uploads/allimg/131227/0T4124G4-1.png]

Features:

1. The public service area is separated from the Intranet. Once the public service area is compromised, the attacker must still pass through a second router to reach the Intranet.

2. The second router can carry a more detailed ACL.

Stateful Firewall DMZ Design

[Figure: stateful firewall DMZ topology, http://www.bkjia.com/uploads/allimg/131227/0T4125J0-2.png]

We can use stateful firewalls in place of the routers.

1. Some firewalls do not support advanced routing protocols or multicast.

2. We perform RFC 1918 and RFC 2827 filtering at the entry point (ingress): private source addresses and packets that spoof our own prefix are dropped on the outside interface.
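The RFC 1918 / RFC 2827 ingress filter mentioned above, modelled in Python as an added example (this is not the article's own configuration). The site prefix `203.0.113.0/24`, the neighbouring addresses and the sample packets are constructed from RFC 5737 documentation ranges; the egress direction is included because RFC 2827 also asks the edge to let out only its own prefix.

```python
"""Model of RFC 1918 / RFC 2827 filtering at the firewall's outside interface.

Added example, not from the original article. SITE_PREFIX and all sample
packets are constructed (TEST-NET ranges), so nothing here refers to a real site.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never legitimate as a source arriving from the Internet.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Other source ranges that can never legitimately arrive on an Internet-facing
# interface: "this network", loopback, link-local, multicast, limited broadcast.
BOGON_SOURCES = [
    ip_network("0.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("224.0.0.0/4"),
    ip_network("255.255.255.255/32"),
]

# Constructed: the public prefix this firewall protects.
SITE_PREFIX = ip_network("203.0.113.0/24")


def classify_ingress(src, dst):
    """Decide ("permit"|"drop", reason) for a packet arriving from the Internet."""
    s, d = ip_address(src), ip_address(dst)
    if any(s in net for net in RFC1918):
        return "drop", "rfc1918-source"
    if any(s in net for net in BOGON_SOURCES):
        return "drop", "bogon-source"
    # RFC 2827: nothing from the Internet may claim one of OUR addresses as its source.
    if s in SITE_PREFIX:
        return "drop", "rfc2827-spoofed-own-prefix"
    # We provide no transit: only packets addressed to our prefix may enter.
    if d not in SITE_PREFIX:
        return "drop", "not-for-us"
    return "permit", "ok"


def classify_egress(src, dst):
    """RFC 2827 outbound: only our own prefix may leave, so we cannot be a spoofing source."""
    s, d = ip_address(src), ip_address(dst)
    if s not in SITE_PREFIX:
        return "drop", "rfc2827-source-not-ours"
    if d in SITE_PREFIX:
        return "drop", "own-prefix-as-destination"
    return "permit", "ok"


def summarize(packets, classifier):
    """Run a classifier over (src, dst) pairs and count the reasons given."""
    return Counter(classifier(src, dst)[1] for src, dst in packets)


# Constructed sample of packets seen on the outside interface.
INGRESS_SAMPLE = [
    ("198.51.100.7", "203.0.113.5"),   # legitimate client -> our web server
    ("10.1.2.3", "203.0.113.5"),       # RFC 1918 source leaking in
    ("203.0.113.9", "203.0.113.5"),    # our own prefix spoofed from outside
    ("127.0.0.1", "203.0.113.5"),      # loopback as source
    ("198.51.100.8", "192.0.2.1"),     # transit attempt, not addressed to us
]

if __name__ == "__main__":
    for src, dst in INGRESS_SAMPLE:
        print(src, "->", dst, classify_ingress(src, dst))
    print(summarize(INGRESS_SAMPLE, classify_ingress))
```

The order of the checks matters only for the reason reported; every listed condition is a drop. Logging the reason per rule, as `summarize` does, is what makes such a filter auditable: a sudden rise in `rfc2827-spoofed-own-prefix` hits is a useful indicator on its own.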

DMZ Design of A Three-interface Firewall

[Figure: three-interface firewall DMZ topology, http://www.bkjia.com/uploads/allimg/131227/0T41263S-3.png]

This is the classic design we usually adopt now.

1. All traffic must be filtered by the firewall.

2. Make sure access from the public service area to the Intranet is restricted. Otherwise the public service area is effectively still part of the Intranet. The old saying applies: do not trust the Internet, and do not trust your own public service area either.

Multi-firewall Design

[Figure: multi-firewall topology, http://www.bkjia.com/uploads/allimg/131227/0T4125V9-4.png]

1. The trusted service area accepts requests from the semi-trusted area, the semi-trusted area accepts requests from the untrusted area, and the untrusted area accepts requests from the Internet.

2. We recommend using firewall products from multiple vendors, so that a vulnerability in one product does not compromise every layer.
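Both the three-interface DMZ rule ("restrict the public service area from reaching the Intranet") and the tiered multi-firewall chain ("each area accepts requests from the area one level below it") are zone-to-zone policies with default deny. The following added example, not the article's own or any vendor's configuration, evaluates both policies with one small engine so the two designs can be compared on the same sample flows. Zone names, address ranges (RFC 1918 and RFC 5737 space) and the flows are constructed; the audit function shows how to confirm that no rule lets the DMZ initiate traffic into the Intranet.

```python
"""Zone-to-zone policy evaluator for the three-interface and multi-firewall DMZ designs.

Added example, not from the original article. Zone names, address ranges and sample
flows are all constructed. Anything not explicitly permitted is denied.
"""
from ipaddress import ip_address, ip_network

# --- Three-interface firewall: Internet / DMZ (public service area) / Intranet ----------
THREE_IF_ZONES = {
    "intranet": ip_network("10.10.0.0/16"),      # constructed
    "dmz": ip_network("203.0.113.0/24"),         # constructed
}
# (src_zone, dst_zone, permitted destination ports or "any")
THREE_IF_RULES = [
    ("internet", "dmz", {25, 80, 443}),   # only the published services are reachable from outside
    ("intranet", "internet", "any"),      # users may reach the Internet
    ("intranet", "dmz", {22, 80, 443}),   # administrators manage the public servers
    # Deliberately no ("dmz", "intranet", ...) rule: a compromised public server
    # must not be able to initiate connections into the Intranet.
]

# --- Multi-firewall design: Internet -> untrusted -> semi-trusted -> trusted -------------
TIERED_ZONES = {
    "untrusted": ip_network("203.0.113.0/24"),   # constructed
    "semi-trusted": ip_network("172.16.0.0/16"), # constructed
    "trusted": ip_network("10.20.0.0/16"),       # constructed
}
TIER_CHAIN = ["internet", "untrusted", "semi-trusted", "trusted"]


def chain_rules(chain):
    """Each area accepts requests only from the area one level below it."""
    return [(chain[i], chain[i + 1], "any") for i in range(len(chain) - 1)]


TIERED_RULES = chain_rules(TIER_CHAIN)


def zone_of(ip, zones):
    """Map an address to its zone; anything outside the known zones is the Internet."""
    addr = ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "internet"


def evaluate(rules, zones, src_ip, dst_ip, dport):
    """Return 'permit', 'deny', or 'intra-zone' for a new connection attempt."""
    src_zone, dst_zone = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src_zone == dst_zone:
        return "intra-zone"          # does not cross the firewall at all
    for s, d, ports in rules:
        if s == src_zone and d == dst_zone and (ports == "any" or dport in ports):
            return "permit"
    return "deny"                    # default deny for every unlisted zone pair


def zones_reaching(rules, target):
    """Audit helper: which zones hold any rule that lets them initiate traffic to `target`?"""
    return {s for s, d, _ in rules if d == target}


if __name__ == "__main__":
    print("internet -> dmz:443", evaluate(THREE_IF_RULES, THREE_IF_ZONES, "198.51.100.7", "203.0.113.10", 443))
    print("dmz -> intranet:445", evaluate(THREE_IF_RULES, THREE_IF_ZONES, "203.0.113.10", "10.10.5.5", 445))
    print("zones that may reach intranet:", zones_reaching(THREE_IF_RULES, "intranet"))
    print("internet -> trusted:5432", evaluate(TIERED_RULES, TIERED_ZONES, "198.51.100.7", "10.20.1.1", 5432))
```

The audit helper is the point of the exercise: the text's warning is that a DMZ with any path into the Intranet "is still in the Intranet structure", and `zones_reaching(rules, "intranet")` turns that warning into a check that can run against the rule table whenever it changes.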

Different ACL categories

[Figure: ACL categories, http://www.bkjia.com/uploads/allimg/131227/0T4122S6-5.png]

This article is from the "cisco network" blog. For more information, contact the author.
