First, which cabling to use for networking
When building a campus LAN, many users focus on switches, routers, network cards and other equipment. That is understandable, but they sometimes overlook an inconspicuous issue: the network cabling. In a campus LAN the structured cabling system consists of six subsystems: the inter-building subsystem, the equipment room subsystem, the management subsystem, the vertical (backbone) subsystem, the horizontal subsystem and the work area subsystem, and each subsystem uses different cables and equipment. Generally speaking, three kinds of cabling are used in a LAN: twisted pair, coaxial cable and optical cable. In a campus LAN the appropriate cable must be chosen according to the actual situation.

For example, the cables connecting buildings on a campus run outdoors and are exposed to sun, rain and lightning all year round. Here optical cable is the most suitable transmission medium, because it has high bandwidth, long transmission distance, strong resistance to interference, good security, resistance to aging and a long service life. In addition, for most campus networks the volume of multimedia traffic carried, such as multimedia teaching, electronic reading rooms and video-on-demand, will keep increasing, so the backbone transmission medium must be able to carry gigabit rates. Only optical cable meets the cabling requirements of an outdoor backbone. As for coaxial cable, it is now hard to source and its cost has exceeded that of optical cable, so it is better suited to short-distance connections between core devices, such as the cable between a switch and a router.
A campus network is, after all, confined to the campus: the inter-building subsystems are connected by optical cable, which provides gigabit bandwidth and leaves ample room for expansion. If twisted pair were chosen instead, it has no shielding layer, so outdoors it easily picks up induced lightning surges that can even damage equipment; it also ages quickly and has a short life in the harsh outdoor environment; and a twisted-pair run may not exceed 100 meters, which rules it out for trunk cables between buildings. For indoor cabling, however, because the management subsystem has to be merged into the equipment room subsystem for centralized management, the cable runs are relatively long, and since optical cable is expensive, twisted pair is the more practical choice. Moreover, today's shielded twisted pair (STP) copper cable offers good interference resistance and transmission distance; it not only supports the bandwidth needed by general school information-management applications, but fully supports the transmission of multimedia in MPEG-2 format.

Three network protocols are commonly used in a campus LAN: NetBEUI, IPX/SPX and TCP/IP. Which one to choose depends on the actual scale of the campus network, the application requirements, platform compatibility and network management needs. NetBEUI is designed for small and medium-sized LANs. It identifies network nodes with single-part names and does not support multi-segment networks (it is non-routable), but it is very simple to install, needs no configuration and occupies little memory. Therefore, for the LANs of primary and secondary schools, where the machines have low performance, often run only the older Windows 95/98/NT systems and are used just for simple file and device sharing, NetBEUI is an adequate choice.
For a larger campus LAN, which has many network segments or routers connecting to the outside world, and where the school's computers have good performance, NetBEUI can no longer meet the networking requirements, and IPX/SPX or TCP/IP should be chosen. IPX/SPX adapts well to complex environments, has powerful routing and suits large-scale networks, but it is limited to the NetWare environment and cannot be used directly in a Windows network. To interconnect with the NetWare platform, Windows provides two IPX/SPX-compatible protocols: NWLink IPX/SPX and NWLink NetBIOS. The former can only be used as a client protocol for accessing NetWare servers, while the latter can transfer information between NetWare and Windows platforms and can also serve as a communication protocol between Windows systems.
Nevertheless, most students and teachers are used to the Windows platform, so choosing TCP/IP for the campus network is the inevitable trend. Whether on a LAN, a WAN or the Internet, on Unix or on Windows, TCP/IP meets the networking requirements of a campus network. TCP/IP is a routable protocol with a hierarchical naming scheme: by configuring an IP address, subnet mask, gateway and host name for each node, the relationship between network and subnet is easy to determine, giving good adaptability, manageability and high utilization of network bandwidth. However, TCP/IP is more complicated to configure and manage than NetBEUI or IPX/SPX and takes up more system resources, so for primary and secondary schools with low-performance machines or insufficient maintenance knowledge it presents a certain threshold.

Many primary and secondary schools and university branch campuses still have several LANs that are not interconnected. Re-cabling the whole campus network would not only raise construction costs but also complicate maintenance, so schools should use appropriate network equipment to interconnect the existing LANs and let students, teachers and staff share resources and exchange information. For example, a middle school needs to connect its campus network with the LAN of the teachers' building 500 meters away. This can be done cheaply with 10BASE5, using coaxial cable with a diameter of 10 mm. Each network segment allows 100 stations and may be at most 500 meters long.
The link can consist of up to five 500-meter segments joined by four repeaters. However, this interconnection scheme has limitations: it only suits LAN interconnection within a single campus and cannot meet the needs of interconnecting university branch campuses.
For a university campus network with several campuses, the LANs of each campus need to be interconnected. Wireless routers or wireless APs can be used for this, but wireless equipment is costly, loses much of the transmission rate, and its security is not guaranteed. A cheaper VPN scheme is therefore suggested: it uses a special encrypted communication protocol to establish a dedicated communication channel between two or more campus intranets, much like setting up a private line. It does not actually require laying physical lines such as optical cable; it is like applying to the telecommunications bureau for a leased line, but without paying for cabling or for hardware such as routers, and the data exchanged between the networks is very secure. As long as switches and firewall devices that support VPN are selected, several campus LANs can be interconnected.
In many university campus networks, the student and teacher dormitories are connected to the backbone network. At peak Internet hours some users download via BitTorrent or play online games, occupying a large share of LAN resources; the campus network's export bandwidth then becomes seriously short and speeds extremely slow, which seriously affects normal work and can even lead to the embarrassing situation of a paralyzed campus network. To address this, schools can install flow-control software on the main server, forbid online video and online games, and block the IP address of any user caught for 24 hours. If this is felt to consume too many server resources, a switch with network management functions can instead restrict all machines on the LAN through the switch's built-in control program.
Remote control may be the most common teaching application in a campus LAN; it improves work efficiency, makes full use of the campus audio-visual equipment and strengthens its management. For example, the campus broadcast system plays exercise music, flag-raising music, class bells, background music during recess, moral-education and foreign-language teaching programs, and self-produced programs such as large-scale events and short notices. This usually requires the audio-visual teacher to play the music from the studio, and because the operator is far from the scene, it is hard to follow what is happening on site; mistakes sometimes occur and cause unnecessary losses. Remote control solves this: only one network cable is needed to control playback on the broadcast-room computer from the scene. If no microphone cable runs to the studio, one can also talk to the studio computer through voice software over the network, which serves as a microphone, and hear the broadcast at the same time.
To remotely control all devices, each computer should have a network card and be connected to the campus LAN. The internal network reaches every classroom and office, and every teacher has a laptop. A remote-control server on the LAN is suggested, so that the part-time network management teachers can complete their management work from their own offices or from other computers in the school. In the actual setup, the master control computer is connected to the campus broadcast automatic playback system (the computer manages the system's power switch through port commands). Then the controlled-end software is installed on the server, the broadcast master computer and the TV editing machine, and a user and password are added; voice-calling software (such as MSN, a LAN conferencing system, enterprise QQ or NetMeeting) is installed; and the master-control software and voice-calling software are installed on the other computers. Whenever a notice or voice message is needed, the voice software is opened on both computers at the same time.

In a campus LAN we often meet problems in use and maintenance, for example a network card that is detected normally after a restart but cannot communicate with other machines. This is mainly caused by a wrong subnet mask or IP address, a faulty network cable, a wrong network protocol or a routing error. To troubleshoot, ping the loopback address of the network card (127.0.0.1). If it responds, TCP/IP on this computer is working properly; if not, reconfigure it and restart the computer. Some network cards default to 100M, which can also cause a failure: set the speed to 10M or 100M, or to auto-negotiate, according to the speed of the switch they connect to.
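The "card is detected but cannot reach other machines" case above is most often a subnet mask or gateway error. As an added example (not from the original article), the following check reads a few constructed host configurations and reports the two mistakes the text names: a mask that puts hosts on the same cable into different logical subnets, and a gateway that lies outside the host's own subnet. Host names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HostConfig:
    name: str
    ip: str
    mask: str       # dotted subnet mask, e.g. 255.255.255.0
    gateway: str

    def network(self) -> ipaddress.IPv4Network:
        """The subnet this host believes it is on, derived from ip + mask."""
        return ipaddress.IPv4Interface(f"{self.ip}/{self.mask}").network


def check_host(h: HostConfig) -> List[str]:
    """Problems visible from a single host's own TCP/IP settings."""
    problems = []
    net = h.network()
    addr = ipaddress.IPv4Address(h.ip)
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{h.name}: {h.ip} is the network or broadcast address of {net}")
    if ipaddress.IPv4Address(h.gateway) not in net:
        # Off-segment traffic is handed to the gateway by ARP on the local
        # subnet; a gateway outside that subnet can never be reached.
        problems.append(f"{h.name}: gateway {h.gateway} is outside {net}")
    return problems


def same_subnet(a: HostConfig, b: HostConfig) -> bool:
    """True only if both hosts compute the same subnet, so each delivers to
    the other directly instead of handing the packet to its gateway."""
    return a.network() == b.network()


def diagnose(hosts: List[HostConfig]) -> List[str]:
    """Run both checks over every host and every pair; return the findings."""
    findings = []
    for h in hosts:
        findings.extend(check_host(h))
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            # Only overlapping subnets are worth reporting: hosts in unrelated
            # subnets are expected to reach each other through a router.
            if a.network().overlaps(b.network()) and not same_subnet(a, b):
                findings.append(
                    f"{a.name} ({a.network()}) and {b.name} ({b.network()}) "
                    f"disagree on the subnet: check the subnet mask"
                )
    return findings


# Constructed sample: two office PCs that should talk directly, one with a
# mistyped mask, and a lab PC pointed at a gateway on another segment.
SAMPLE_HOSTS = [
    HostConfig("office-1", "192.168.10.20", "255.255.255.0", "192.168.10.1"),
    HostConfig("office-2", "192.168.10.35", "255.255.0.0", "192.168.10.1"),
    HostConfig("lab-7", "192.168.20.7", "255.255.255.0", "192.168.10.1"),
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_HOSTS):
        print(line)
```

On the sample it reports the lab PC's unreachable gateway and the two pairs in which office-2's /16 mask disagrees with its neighbours.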
Campus Network Security Solutions
A campus network has a hierarchical topology, so its security protection also needs to be hierarchical. In other words, a complete campus network information security solution should cover every level of the network and be combined with security management.
First, the design principles of the network information security system
1.1 Principle of meeting the requirements of Internet hierarchical management
1.2 Principle of balancing demand, risk and cost
1.3 Principle of comprehensiveness and integrity
1.4 Usability principle
1.5 Step-by-step implementation principle
At present, for both newly built networks and networks already in operation, the security and confidentiality of the network must be addressed as soon as possible, and the design should follow these ideas:
(1) Greatly improve the security and confidentiality of the system;
(2) Maintain the original performance characteristics of the network, that is, be transparent to the network's protocols and transmission;
(3) Be easy to operate and maintain and convenient for automated management, requiring no additional operations;
(4) Try not to affect the original network topology, so that the system and its functions can be expanded conveniently;
(5) Be cost-effective, so that a one-time investment serves for a long time;
(6) Use legal security and cryptographic products, so that the security and cryptography administration authorities can inspect and supervise them conveniently.
Based on the above ideas, the network information security system should follow the design principles below.

Principle of meeting Internet hierarchical management: given the large scale of the Internet and its many users, this paper proposes a hierarchical management solution for Internet/Intranet information security, dividing the control points into three levels at which security management is implemented.
- Level 1, the central network: isolation of the internal and external networks; access control for internal and external network users; monitoring of the intranet; backup and audit of data transmitted on the intranet.
- Level 2, the department level: access control for intranet and extranet users; access control between departments at the same level; security audit of the departmental network.
- Level 3, the terminal/individual user level: access control for hosts inside the departmental network; security protection of databases and terminal information resources.
Principle of balancing demand, risk and cost: for any network, absolute security is difficult to achieve and not necessarily needed. Study the actual situation of the network (including its tasks, performance, structure, reliability, maintainability, etc.), make a qualitative and quantitative analysis of the threats and possible risks it faces, and then formulate norms and measures to determine the system's security strategy.
Principle of comprehensiveness and integrity: use the viewpoint and methods of systems engineering to analyze network security and the specific measures. Safeguards mainly include administrative and legal means, various management systems (personnel vetting, workflows, maintenance and guarantee systems, etc.) and technical measures (identification technology, access control, cryptography, low radiation, fault tolerance, anti-virus, use of high-security products, etc.). Good security is usually the result of applying several methods together. A computer network includes people, devices, software, data and so on, and the status and influence of these links can only be viewed and analyzed from the perspective of the system as a whole if effective and feasible measures are to be obtained. That is, computer network security should follow the principle of overall security, and a reasonable network security architecture should be formulated according to the prescribed security strategy.

Usability principle: security measures have to be carried out by people. If they are too complicated and harsh, security itself suffers; key management, for example, has this kind of problem. Secondly, the measures taken must not affect the normal operation of the system; for instance, cryptographic algorithms that greatly reduce running speed should be avoided or used sparingly.

Step-by-step implementation principle: implement hierarchical management step by step. Because network systems and their applications keep expanding, network vulnerability keeps increasing as the network grows and applications multiply, and it is unrealistic to solve network security once and for all. At the same time, implementing information security measures requires considerable expenditure. Implementing them step by step therefore meets the basic requirements of network system and information security while saving money.
Second, design steps of the network information security system
(1) Analyze the network security requirements
(2) Establish a reasonable target baseline and security strategy
(3) Know the price you are prepared to pay
(4) Formulate a feasible technical scheme
(5) Draw up the project implementation plan (product selection and customization)
(6) Formulate supporting laws, regulations and management measures
This scheme mainly analyzes the network security requirements, and based on the network hierarchy, proposes campus network information security solutions with different levels and security intensity.
Third, the network security requirements
It is the basis of establishing reasonable security requirements to accurately understand which security problems need to be solved in campus network information system. Generally speaking, the campus network information system needs to solve the following security problems:
- Internal security of the LAN, including network segmentation and VLAN implementation.
- How to secure the network layer when connecting to the Internet.
- How to ensure the security of application systems and prevent hackers from intruding into networks, hosts and servers.
- How to secure information transmission over the WAN.
- How to deploy an encryption system, including establishing a certificate authority and integrating encryption into application systems.
- How to secure remote access.
- How to evaluate the overall security of the network system.
Based on these security problems, the network information system should generally include the following security mechanisms: access control, security detection, attack monitoring, encrypted communication, authentication, hiding internal network information (for example with NAT), and so on.
Fourth, network security levels and security measures
4.1 Link security
4.2 Network security
4.3 Information security
The security of the network is divided into three levels: link security, network security and information security. The security measures taken at each level are as follows.
- Information security:
  - Information transmission security (dynamic security): data encryption, data integrity, authentication, security management
  - Information storage security (static security): database security, terminal security, information leakage prevention, information content audit
  - User authentication and authorization (CA)
- Network security: access control (firewall), network security detection, intrusion detection (monitoring), IPSEC (IP security), audit analysis
- Link security: link encryption
4.1 Link security
Link security measures are mainly link encryption devices, such as the various link cipher machines. Such a device encrypts all user data together, and the data is decrypted immediately on arrival at the other node over the communication line. Encrypted data cannot be routed or switched, so link encryption devices suit users, such as those on DDN lines, whose encrypted data does not need to be routed.
General line encryption products are mainly used in telephone networks, DDN, leased lines and satellite point-to-point communication, and include asynchronous and synchronous line cipher machines. Asynchronous line cipher machines are mainly used on the telephone network, while synchronous line cipher machines can be used in many leased-line environments.
4.2 Network security
Network security problems stem mainly from the openness, borderlessness and freedom of the network. Therefore, when considering the security of the campus information network, the first step is to separate the protected network from the open and borderless network environment and turn it into a manageable, controllable and secure internal network. Only then can the security of the information network be achieved, and the most basic means of isolation is the firewall. A firewall isolates and controls access between the intranet (trusted network) and external untrusted networks (such as the Internet), or between different security domains of the intranet, and protects the availability of the network system and its services.
At present there are several mature kinds of firewall on the market: packet-filtering firewalls, application-proxy firewalls, and composite firewalls that combine packet filtering with application proxying. A packet-filtering firewall usually filters traffic according to the source or destination IP address, protocol type and port number of each IP packet. Compared with other firewalls it offers higher network performance and better application transparency. A proxy firewall works at the application layer; it can generally proxy various application protocols, authenticate users and provide more detailed logging and audit information. Its disadvantage is that a corresponding proxy program is needed for each application protocol, and proxy-based firewalls often reduce network performance significantly. It should be noted that firewall technology is developing rapidly as network security problems become more prominent; leading firewall manufacturers have integrated many network edge and management functions into their firewalls, including VPN, accounting, traffic statistics and control, monitoring and NAT.
An information system develops dynamically. Determining the security strategy and choosing suitable firewall products is only a good start; it solves just 60%-80% of the security problems, and the rest still need to be addressed. These include increasingly intelligent and active threats to the information system, weakening of follow-up security policies and responses, system configuration errors, low awareness of security risk, and a dynamic application environment full of weaknesses, all of which challenge information system security.
The security of an information system should therefore be a dynamic, developing process: a cycle of detection, monitoring and security response. Dynamic development is the law of system security, and network security risk assessment and intrusion monitoring products are the necessary links for achieving it.
Network security detection is an important means of network risk assessment. Using a network security analysis system, the weakest links in the network system can be found in time, the system's weaknesses, vulnerabilities and unsafe configurations checked and reported, and remedial measures and security strategies proposed to strengthen network security.
An intrusion detection system automatically identifies and responds to network intrusions in real time. It is placed on the network segment holding sensitive data to be protected, or anywhere on the network where risk exists. By intercepting the network data stream in real time, it identifies and records intrusive and destructive traffic and discovers network policy violations and unauthorized access attempts. When such violations or unauthorized access are found, the intrusion detection system responds according to the system security policy, including real-time alarms, event logging, automatic blocking of the connection or execution of a user-defined security policy.
In addition, IP tunnel encryption technology (IPSEC) can establish a transparent, secure encrypted channel between two network nodes. The IP Authentication Header (AH) provides authentication and data integrity, and the IP Encapsulating Security Payload (ESP) provides confidentiality of the communication content. The advantage of IP tunnel encryption is that it is transparent to applications, can provide host-to-host security services, and can build a virtual private network (VPN) by establishing a secure IP tunnel. At present the main security product based on IPSEC is the network encryption machine; some firewalls also provide the same function.
Fifth, campus network security solutions
5.1 Basic protection system (packet-filtering firewall + NAT + accounting)
User requirements: meet all or part of the following: solve the boundary security of the internal and external networks, prevent external attacks and protect the internal network; solve internal network security by isolating different internal network segments and establishing VLANs; filter by IP address, protocol type and port; use two sets of IP addresses on the internal and external networks, which requires the NAT function of network address translation; support a secure server network (SSN); prevent IP spoofing by binding IP addresses to MAC addresses; charge based on IP address; and keep traffic statistics and limits based on IP address.
Further requirements: the firewall runs on a secure operating system, is an independent hardware device and has no IP address of its own. Solution: adopt the network guardian firewall PL FW 1000.
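To make the packet-filtering behaviour described in 4.2 and the 5.1 requirements concrete, here is an added example (not from the article and not the code of the PL FW product it names): a minimal filter that binds internal IP addresses to MAC addresses against spoofing, applies ordered IP/protocol/port rules with a default deny so the dormitory segment is isolated from the office segment while the SSN web server stays reachable, and keeps per-IP byte counts for accounting. All addresses, MACs and packets are constructed sample values.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 when the protocol has no port
    length: int      # bytes, used for accounting


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class PacketFilter:
    def __init__(self, rules: List[Rule], ip_mac_bindings: Dict[str, str]):
        self.rules = rules
        self.bindings = {ip: mac.lower() for ip, mac in ip_mac_bindings.items()}
        self.bytes_by_ip: Dict[str, int] = defaultdict(int)

    def decide(self, p: Packet) -> str:
        # IP/MAC binding: a registered internal address arriving from any
        # other MAC is treated as spoofed before any rule is consulted.
        expected = self.bindings.get(p.src_ip)
        if expected is not None and expected != p.src_mac.lower():
            return "deny:spoof"
        for r in self.rules:          # first matching rule wins
            if r.matches(p):
                if r.action == "allow":
                    self.bytes_by_ip[p.src_ip] += p.length   # accounting
                return r.action
        return "deny:default"         # nothing matched: default deny


# Constructed policy: offices 192.168.10.0/24, dormitories 192.168.20.0/24,
# secure server network (SSN) 10.0.1.0/24 with a web server at 10.0.1.10.
POLICY = [
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dst_port=80),
    Rule("deny", src="192.168.20.0/24", dst="192.168.10.0/24"),
    Rule("allow", src="192.168.0.0/16", proto="tcp", dst_port=80),
    Rule("allow", src="192.168.0.0/16", proto="tcp", dst_port=443),
]
BINDINGS = {"192.168.10.20": "00:11:22:33:44:55", "192.168.20.7": "66:77:88:99:aa:bb"}

# Constructed traffic: office to SSN web, dorm probing an office share, a dorm
# address from the wrong MAC, a dorm UDP download, and office HTTPS outbound.
SAMPLE_TRAFFIC = [
    Packet("00:11:22:33:44:55", "192.168.10.20", "10.0.1.10", "tcp", 80, 1500),
    Packet("66:77:88:99:aa:bb", "192.168.20.7", "192.168.10.20", "tcp", 445, 200),
    Packet("de:ad:be:ef:00:01", "192.168.20.7", "10.0.1.10", "tcp", 80, 300),
    Packet("66:77:88:99:aa:bb", "192.168.20.7", "203.0.113.5", "udp", 6881, 900),
    Packet("00:11:22:33:44:55", "192.168.10.20", "203.0.113.5", "tcp", 443, 700),
]


def run_sample() -> Tuple[List[str], Dict[str, int]]:
    """Apply the policy to the sample traffic; return decisions and byte counts."""
    fw = PacketFilter(POLICY, BINDINGS)
    decisions = [fw.decide(p) for p in SAMPLE_TRAFFIC]
    return decisions, dict(fw.bytes_by_ip)
```

Only allowed packets are counted, so the accounting total for 192.168.10.20 is the sum of its two permitted packets.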
5.2 Standard protection system (packet-filtering firewall + NAT + accounting + proxy + VPN)
User requirements: on the basis of the basic protection system, meet all or part of the following: provide application proxy services; isolate the internal and external networks; user identification; authority control; user-based accounting; user-based traffic statistics and control; web-based security management; support for VPN and its management; support for transparent access; self-protection capability and resistance to common attacks on firewalls.
Solution:
(1) Select the basic configuration of the network guardian firewall PL FW2000
(2) Firewall + network encryption machine (IP protocol encryption machine)
5.3 Strengthened protection system (packet filtering + NAT + accounting + proxy + VPN + network security detection + monitoring)
User requirements: on the basis of the standard protection system, meet all or part of the following: network security detection (covering TCP/IP-related devices such as servers, firewalls and hosts), operating system security detection, network monitoring and intrusion detection.
Solution: select the network guardian firewall PL FW2000 + network security analysis system + network monitor.