1. Preface:
When the number of hosts in the production environment reaches a certain scale, managing them securely requires special attention. Generally, a security gateway product is placed between the office environment or the Internet and the production environment. I have been using CheckPoint and Juniper for nearly 10 years. The enterprise-level products of these two brands have a long history and comprehensive functions, and many users have proved them professional. Cost aside, they are all good products worth choosing.
From a practical point of view, what specific functions do enterprises need from such security gateways/firewalls? The important functions from the CheckPoint feature list given below answer that question:
Application and access control. By creating precise policies based on users, user groups, hosts, and host groups, the network administrator securely controls access to clients, servers, and applications.
Authentication. Uses a security token, Active Directory, or other mainstream authentication methods to verify identity.
Transmission encryption. All network communication is encrypted so that key content cannot be obtained through network sniffing.
NAT. Uses Network Address Translation (NAT) to hide the network topology and real addresses.
Bridge. Inspects and forwards traffic in bridging mode without disturbing the original network topology and IP routing.
Logging and status. Turns log data into security intelligence through SmartLog, an advanced log analyzer that provides instant search results and real-time visibility into billions of log records across multiple time periods and domains.
Integrated security management. Brings views, details, and reports together in a unified, intuitive graphical interface, allowing IT managers to easily handle the various security management functions.
The features, operations, interfaces, and configurations of CheckPoint and Juniper are not described here.
Next, this series of articles introduces an original open-source solution that aims to implement the essentials of the above functions and replace expensive enterprise-level products.
2. Software selection:
I have not found a single piece of software that can replace CheckPoint or Juniper; otherwise this series of articles would not be so long. When selecting the software environment, the main principle was to cover the function list above. The software list is as follows:
OpenVPN: implements the VPN, transmission encryption, and NAT.
iptables: implements application and access control, and logging.
radiusclient: implements authentication.
PHP/MySQL: implements integrated security management.
LVS/Heartbeat: implements load balancing and HA. Expanding this solution is very convenient and inexpensive.
In addition, my company uses an RSA-based security token product to strengthen user authentication. We use the RADIUS protocol to connect the VPN system to the security token system.
3. System Architecture
This section describes the system architecture of the security gateway solution and the process by which users access the production environment.
[Figure: system architecture diagram]
The figure shows the logical architecture of the system. In actual use, the configuration and number of physical servers or virtual machines can be adjusted to specific requirements; an all-in-one deployment is also possible.
The data flow when a user accesses the production environment is as follows:
The user first sends a VPN connection request to the load balancer.
After receiving the request, the load balancer, running in DR mode, forwards it to one of the Real Servers behind it.
The Real Server authenticates the user against the security token server or another RADIUS server.
After the user passes authentication, an encrypted VPN connection is established. We recommend using TCP for OpenVPN, so that the persistent connection between the user and the VPN server is more reliable.
When the connection is established, the OpenVPN/iptables Real Server obtains the full rule list for the user or host group from the configuration database, and iptables applies these rules.
The user can then access the production environment securely, within the limits of those rules.
When the load on a single OpenVPN/iptables server becomes too high, a new host can simply be added to the LVS Real Server list, so the whole system can be expanded freely.
The management end can add, delete, and modify users, user groups, hosts, host groups, networks, IP ranges, network groups, application port groups, and rule sets. If a change on the management end affects a currently logged-in user, the management end dynamically pushes the updated rules for that user.
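The step where the Real Server fetches a user's rule list and hands it to iptables, and the later point about the management end re-issuing rules for a logged-in user, both come down to generating a per-client iptables chain. The following is an added example, not code from the original article: a sketch of an OpenVPN client-connect hook that does this. It assumes OpenVPN exports $common_name and $ifconfig_pool_remote_ip to the hook, and it reads rules from a constructed text list rather than the article's MySQL configuration database.

```shell
#!/bin/sh
# Added example, not the author's code: a sketch of an OpenVPN client-connect
# hook that turns a per-group rule list into an isolated iptables chain.
# Assumptions: OpenVPN exports $common_name and $ifconfig_pool_remote_ip to
# the hook; rules come from a constructed text list rather than the MySQL
# configuration database. Rule line format (constructed):
#   <dst-network/cidr> <proto> <dport> <ACCEPT|DROP>

# Print the iptables commands that confine one VPN client to its own chain.
# $1 = client tunnel IP, $2 = chain name, rule lines on stdin.
gen_client_rules() {
    ip="$1"; chain="$2"
    echo "iptables -N $chain"
    # Only this client's forwarded packets enter the chain
    echo "iptables -I FORWARD -s $ip -j $chain"
    while read -r dst proto dport action; do
        case "$dst" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "iptables -A $chain -d $dst -p $proto --dport $dport -j $action"
    done
    # Default deny: log what the rule set did not allow, then drop it
    echo "iptables -A $chain -j LOG --log-prefix \"vpn-deny $chain: \""
    echo "iptables -A $chain -j DROP"
}

# Companion for client-disconnect: unhook and delete the client's chain.
gen_client_teardown() {
    ip="$1"; chain="$2"
    echo "iptables -D FORWARD -s $ip -j $chain"
    echo "iptables -F $chain"
    echo "iptables -X $chain"
}

# Constructed rule set for a hypothetical host group "ops"
OPS_RULES='10.10.1.0/24 tcp 22 ACCEPT
10.10.2.5/32 tcp 3306 ACCEPT
# anything else falls through to LOG + DROP'

# Dry run when not invoked by OpenVPN: show the commands for a sample client.
# In the real hook the output would be piped to sh, and teardown followed by
# a fresh gen_client_rules would re-issue rules after a management-end change.
if [ -z "${ifconfig_pool_remote_ip:-}" ]; then
    printf '%s\n' "$OPS_RULES" | gen_client_rules 10.8.0.6 vpn_demo
fi
```

Running the script outside OpenVPN prints the commands for the sample client instead of applying them, so the generated rule set can be reviewed before the hook is wired in.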
In the next article, I will describe in detail the configuration of each component and some of the development work involved in integrating them.
This article is from the "computer art" blog!