Network security is required knowledge for anyone managing a small or medium-sized enterprise (SME) network. The author has collected the experience of Qno Xianuo in supporting enterprise users across China for reference. We start with basic configuration, that is, how to configure the WAN and LAN sides of the router. The aim is to help SMEs make good use of the router's functions at the planning stage, so that the network provides better service to internal users and improves business efficiency.
Based on the practical support experience of Qno's Technical Service Department, SMEs need to pay particular attention to three areas when configuring a basic security router: the WAN side, the LAN side, and public servers. The three are described below.
I. WAN side
The WAN side is the line connecting the router to the Internet service provider. WAN lines are also the main path for broadband access, so if a line drops or becomes congested, the enterprise's Internet access is interrupted. For some enterprises this causes serious problems. The primary consideration in WAN security is therefore how to keep the line stable and keep the business running under all circumstances.
Most SMEs use a single ADSL line, either because they have few Internet users or because funds are limited. Enterprises that require a lot of bandwidth or have high demands on the network, such as those in the service or foreign-trade industries, may use optical fiber at relatively high cost. From the users Qno has supported, a multi-WAN configuration is preferred in the following situations:
Occasional bulk uploads or downloads: as a result of informatization, many enterprises need to perform large downloads from time to time. For example, a mineral trading company in Chengdu needs to upload sales reports and inventory data every day after work, which takes a long time, and a private enterprise in Ningbo often needs to download design drawings from foreign customers' servers for production. During such transfers the network administrator generally does not want them slowed by ordinary users' browsing and downloads. The answer is to apply for two lines: normally both are open for general Internet use, but when special work is required, one line can be reserved for the bulk transfer so that important data is delivered on time. With a multi-WAN configuration, the overtime the network administrator spends in the office waiting for transfers to finish can be greatly reduced.
Cross-carrier problems: a trading company in Jinan, Shandong Province often needs a VPN connection to its headquarters in Beijing, but for no obvious reason the connection is always unstable, and before the data has finished transmitting the tunnel has to be brought up again. The likely cause is that the VPN is established across different carriers: for example, the headquarters uses China Netcom lines while the branches use China Telecom lines, and the bandwidth between the two networks is insufficient. A multi-WAN router solves this as well. The headquarters connects to both a China Netcom line and a China Telecom line; branches on China Netcom build their VPN to the Netcom entrance, and branches on China Telecom build theirs to the Telecom line, which avoids the small or unstable cross-network bandwidth.
When backup is required: another advantage of multiple WAN lines is backup. A common situation is that some regional carriers add an ADSL line for fiber customers; the fiber can then be used with ADSL as its backup, and when the fiber fails, ADSL takes over. Some users prefer lines from different carriers, so that when carrier A's line or data center has a problem, carrier B's line takes its place. For some industries, such as media, Internet access at all times is essential.
When ADSL bandwidth is insufficient: most enterprises use ADSL. According to statistics, most broadband users among SMEs access the Internet via ADSL. In some regions, however, ADSL bandwidth is relatively small; a 64 K/64 K line, for example, is clearly insufficient for enterprise applications, yet applying for optical fiber costs more than several ADSL lines. In this case, using a multi-WAN router to aggregate multiple ADSL lines is a feasible and cost-effective method.
The WAN is the only route by which an enterprise reaches the Internet, so it is crucial to the enterprise's Internet access. According to a market survey by Qno Xianuo, many enterprises are interested in wireless broadband access such as 3G or WiMAX, hoping to use wireless access as a supplement to wired access. This reflects, to some extent, the importance enterprises attach to WAN access and what they expect from it.
II. LAN side
The LAN side is the line connecting the router to the enterprise's users. Some routers have several LAN ports and can be connected to switches directly. Some network administrators connect the router to a backbone switch and then to the ordinary switches. Both methods can be used; the latter is suited to applications with large throughput. For general enterprise applications, the router's LAN port can forward at the bandwidth required, so the hardware configuration is relatively simple.
The experience of Qno's technical service staff shows that IP address management is important for a sound secure network configuration. The IP address identifies the computer on the network, so you must be able to manage addresses effectively in order to prevent attacks or to control a problematic computer. For network management, IP management should pay attention to four important items: using fixed IP addresses on computers, having the DHCP server issue fixed IP addresses, preventing unauthorized computers from accessing the Internet, and group management. They are described below:
Computers use fixed IP addresses: giving each computer a fixed IP address is the strictest configuration method. The IP address data must be entered manually on each computer. The advantage is that every machine's IP address must be specified in advance; a machine without a pre-assigned address cannot access the Internet, so outside users or computers cannot easily reach the Internet through the enterprise network. For users, however, a fixed IP address must be set and then changed again in other locations, which is a lot of trouble for people who often move around, such as sales staff or senior executives.
The DHCP server issues fixed IP addresses: the advantage of DHCP is that users need not configure anything on the computer, which is convenient. The disadvantage is that, without any control, any user can join the enterprise network, and internal attacks are easy to launch. An enterprise can therefore issue addresses via DHCP but at the same time limit which address each computer can obtain. The IP/MAC binding function of the Qno Xianuo router identifies a computer by its MAC address and issues it the specific IP address configured by the network administrator, so that addresses stay under management. The IP/MAC binding function also prevents users from changing their IP address to obtain higher permissions: an incorrect MAC/IP combination is blocked by the router's "Block incorrect MAC address" option, which also helps prevent ARP attacks.
Prevent unauthorized computers from accessing the Internet: uncontrolled computers often cause security problems for network administrators. Some users bring in their own virus-infected computers, and users on other floors may even join the company network over wireless. This problem is solved by preventing unauthorized computers from accessing the Internet. Within the IP/MAC binding function, Qno provides the "Block MAC addresses not in the corresponding table" option, which completely denies Internet access to any MAC address the network administrator has not configured.
[Figure 1 image: IP/MAC binding function of the Qno Xianuo router]
Figure 1: IP/MAC binding function of the Qno Xianuo router. The network administrator enters the user's IP address and MAC address so that the same fixed IP address is assigned to the user each time DHCP is used. In addition, the "Block incorrect MAC address" and "Block MAC addresses not in the corresponding table" options provide a first layer of security protection.
Group management: binding IP addresses to MAC addresses effectively controls outbound use of the network. In addition, the group function makes managing users more convenient. With the IP Group function provided by Qno, users with different IP addresses can be placed in different groups: for example, senior supervisors in one group, the sales department in another, and internal administrative staff in a third. Different control permissions or bandwidth management rules can then be applied to each group. This greatly simplifies management and prevents users from slipping through the Internet access controls.
Figure 2: the IP Group function classifies users with different IP addresses into named groups. Through group management, control is applied comprehensively in one step, which also avoids security holes caused by missed configuration.
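The binding and group controls described above, modelled as an added example in Python; this is not Qno's code or configuration format, and the MAC addresses, address ranges and per-group policies are constructed for illustration.

```python
# Added model (not Qno's code) of the LAN-side controls: an IP/MAC binding table
# with the two block options, and IP groups that select a per-group policy.
import ipaddress

# Constructed binding table as the administrator would enter it: MAC -> fixed IP.
BINDINGS = {
    "00:11:22:33:44:01": "192.168.1.10",   # executive's laptop
    "00:11:22:33:44:02": "192.168.1.50",   # sales desktop
    "00:11:22:33:44:03": "192.168.1.90",   # administrative staff desktop
}
DHCP_POOL = ["192.168.1.200", "192.168.1.201"]  # only used when unknown MACs are allowed

# Constructed IP groups (name -> address range) and the policy applied to each.
GROUPS = {
    "executives": ipaddress.ip_network("192.168.1.0/28"),    # .0  - .15
    "sales":      ipaddress.ip_network("192.168.1.32/27"),   # .32 - .63
    "admin":      ipaddress.ip_network("192.168.1.64/26"),   # .64 - .127
}
POLICY = {
    "executives": {"max_kbps": 4000, "web_filter": False},
    "sales":      {"max_kbps": 1000, "web_filter": True},
    "admin":      {"max_kbps": 500,  "web_filter": True},
}
def dhcp_offer(mac, block_unknown=True):
    """Address the DHCP server issues: a bound MAC always gets its fixed IP; an
    unknown MAC gets a pool address only when the 'not in table' block is off."""
    if mac in BINDINGS:
        return BINDINGS[mac]
    if block_unknown:
        return None
    return DHCP_POOL[0]   # simplified: a real server tracks which leases are free

def check_binding(src_ip, src_mac, block_wrong=True, block_unknown=True):
    """Classify a LAN frame the way the two binding options would."""
    bound_ip = BINDINGS.get(src_mac)
    if bound_ip is None:
        return "block-unknown-mac" if block_unknown else "allow"
    if bound_ip != src_ip:   # user changed their IP, or a forged ARP pair
        return "block-wrong-pair" if block_wrong else "allow"
    return "allow"
def group_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in GROUPS.items() if addr in net), None)

def lan_policy(src_ip, src_mac, **options):
    """Verdict for a frame: binding check first, then the group's policy (None if in no group)."""
    verdict = check_binding(src_ip, src_mac, **options)
    if verdict != "allow":
        return verdict, None
    return "allow", POLICY.get(group_of(src_ip))
```

A host that passes the binding check but falls in no group receives no policy, which is the missed-configuration gap that group management is meant to close.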
III. Building an internal public server
In the past, only large enterprises set up public servers for external users. The spread of information technology now makes it possible for SMEs to set up various public servers for external users as well; file exchange, technical updates, and report delivery, for example, can all be provided through public servers.
To provide public services, an enterprise must have a fixed address that Internet users can type into the browser address bar. The usual method is identification by IP address or domain name, but both are expensive for SMEs, with high monthly costs. Fortunately, the emergence of DDNS allows enterprises to use dynamic IP addresses: even when ADSL assigns a dynamic IP address, users can reach the server by remembering a domain name. Qno Xianuo has also introduced a dynamic domain name (DDNS) service for enterprise users; it is currently in testing and will be available to Qno Xianuo users in the near future. Please stay tuned.
The following describes internal public server configurations for different requirements, covering a fixed public IP address, a single public server, and multiple public servers:
One or more fixed public IP addresses with the highest security: if several fixed IP addresses are available and you want to isolate the server from the intranet for the highest security, connect one or more servers to the hardware DMZ port of the Qno Xianuo router. This completely separates external users' packets from the intranet and achieves the highest security. This application is the safest, but I find it is also the one network administrators are least familiar with.
One or more fixed public IP addresses with the internal server exposed externally: some applications need the server to be easily reached by users on both the intranet and the Internet. When a fixed public IP address is available, the one-to-one NAT function maps the intranet server to the public IP address. The server then looks like an Internet server to Internet users and like an intranet server to intranet users. This configuration is very convenient and therefore very popular, but because there is no real isolation, bandwidth limits or restrictive firewall rules are needed to increase security.
Using DDNS to provide multiple public servers with relatively high security: if the enterprise reaches the Internet over ADSL, there is usually no fixed IP address and a dynamic domain name service must be used; Qno Xianuo users can apply for this service from Xianuo. A virtual server opens only a limited set of network ports, so requests to other ports can be ignored, and security is relatively high. It suits services on specific server ports, and with the virtual server function several internal servers can be exposed.
[Figure 3 image: a virtual server corresponds to a network service port]
Figure 3: a virtual server exposes an internal server on a specific network service port. Because only a limited port is opened, high security can be achieved.
Using DDNS with a dynamic IP address to provide a public server with unspecified ports, with lower security: some applications have no fixed port; the server negotiates the port with the client software as needed, so a virtual server cannot be used. A typical example is video surveillance or remote digital cameras, which mostly use special ports. In this case, the "Internal DMZ server" function must be used to pass requests on all ports to the server. This is a software DMZ: rather than using the physical DMZ port, it directs traffic to an internal server. Since all ports are open, security is lower, and we recommend setting corresponding firewall rules. Only one server per WAN port can use this function.
[Figure 4 image: the DMZ server is suitable for network cameras]
Figure 4: the DMZ server suits network cameras and other applications with unknown ports, but the firewall must be configured for reasonable security.
The above gives a preliminary introduction to the functions and common problems of SME security routers in terms of the WAN, the LAN, and open servers, and I believe it will be of great help. In future we will discuss the "configuration and management" functions of SME security routers according to user needs. If you are an enterprise network manager or technician and need technical discussion or consultation, you can log on to www.qno.cn, where we have an online technical forum, or contact our technical support directly online.
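The three exposure modes described above (virtual server, one-to-one NAT, and the internal DMZ host) together with the firewall rules recommended for the DMZ case, modelled as an added example in Python that is not Qno's own code; the public and private addresses, the port mappings and the rules are constructed for illustration.

```python
# Added model (not Qno's code) of the ways the text exposes an internal server:
# virtual server, one-to-one NAT and the internal DMZ host, with the firewall
# rules the text recommends for the DMZ case. Addresses and rules are constructed.
import ipaddress

# Virtual servers: (wan_ip, proto, port) -> (internal_ip, port). Only these ports
# are reachable on that WAN IP; everything else is dropped.
VIRTUAL_SERVERS = {
    ("203.0.113.10", "tcp", 80):  ("192.168.1.80", 80),   # web server
    ("203.0.113.10", "tcp", 443): ("192.168.1.80", 443),
    ("203.0.113.10", "tcp", 21):  ("192.168.1.81", 21),   # FTP file exchange
}
# One-to-one NAT: a spare fixed public IP mapped to one intranet server, all ports.
ONE_TO_ONE_NAT = {"203.0.113.11": "192.168.1.82"}
# Internal (software) DMZ host: one per WAN IP, catch-all for unmatched ports.
DMZ_HOST = {"203.0.113.10": "192.168.1.90"}   # IP camera with unspecified ports
# Firewall rules in front of the DMZ host: (proto, (low, high), source, action).
# Constructed policy: only the head office may reach the camera's port range.
DMZ_FIREWALL = [
    ("tcp", (8000, 8999), ipaddress.ip_network("198.51.100.0/24"), "allow"),
    ("udp", (8000, 8999), ipaddress.ip_network("198.51.100.0/24"), "allow"),
    ("any", (1, 65535), ipaddress.ip_network("0.0.0.0/0"), "deny"),
]

def dmz_firewall_allows(proto, port, src_ip):
    """First matching rule wins; no match means deny."""
    src = ipaddress.ip_address(src_ip)
    for rproto, (low, high), net, action in DMZ_FIREWALL:
        if rproto in (proto, "any") and low <= port <= high and src in net:
            return action == "allow"
    return False

def route_inbound(dst_ip, proto, port, src_ip="192.0.2.1"):
    """Where an inbound WAN packet lands: (internal_ip, port), or None if dropped.
    Tables are consulted in the order one-to-one NAT, virtual server, DMZ host."""
    if dst_ip in ONE_TO_ONE_NAT:                     # mapped IP: every port passes
        return ONE_TO_ONE_NAT[dst_ip], port
    key = (dst_ip, proto, port)
    if key in VIRTUAL_SERVERS:                       # explicit, limited opening
        return VIRTUAL_SERVERS[key]
    if dst_ip in DMZ_HOST and dmz_firewall_allows(proto, port, src_ip):
        return DMZ_HOST[dst_ip], port                # catch-all, gated by firewall
    return None

def exposed_tcp_ports(dst_ip, src_ip="192.0.2.1"):
    """Number of TCP ports on a WAN IP that reach some internal host from src_ip:
    the exposure each mode creates, matching the text's security ranking."""
    return sum(1 for p in range(1, 65536) if route_inbound(dst_ip, "tcp", p, src_ip))
```

Comparing exposed_tcp_ports for the virtual-server IP, the one-to-one NAT IP, and the DMZ host with and without the head-office source shows why the text ranks the virtual server above the DMZ host and why firewall rules matter when a DMZ host is used.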