一种安全高效的校园边界网设计与实现
|
摘要
在当今网络技术飞速发展信息时代,校园网的建设加快了高校科研和教育技术的发展,已经成为了现代高校教育的基础平台,伴随的高校规模的不断扩大,出口瓶颈问题和出口的安全问题日益严重,出口一旦出现问题,会使得校园网成为一个信息“孤岛”,与外界失去联系,校园网边界网的建设已经成为了高校校园网建设的重中之重,所以怎样建设一个快速、稳定和安全的校园网出口值的我们探索和研究。
本文以“云南科技信息职业学院”空港新校区校园网实际项目为背景,研究边界网技术。通过分析现代校园网出口面临的各种挑战和难点,对边界网关键技术进行深入研究,在深入研究的基础上,结合云南科技信息职业学院新校区的建设需求,按照网络规划设计理论,对云南科技信息职业学院校园网边界网进行规划设计,并在规划设计的基础上,对规划方案提出了设备选型,系统部署以及完成后的测试方案。
本设计充分考虑了当前校园网出口建设需求,能实现多出口、高带宽、快速、稳定的内外网访问,系统采用了策略路由实现智能选路,提高各个出口的带宽利用率;采用VPN技术来实现校外用户对校园网内部的远程访问;用深度包检测和带宽嵌套技术对P2P软件的控制,实现带宽的科学管理;采用IDS和防火墙联动技术,取长补短保证出口安全,为了进一步提高外网访问内网的速度和保护web服务器的安全,设计增加了一台反向代理服务器,在不需要改变网络拓扑结构的前提下,进一步增强了出口的性能。
With the rapid development of network technology nowadays.The construction of campus network accelerate university research and the development of education technology. It becomes a modern university education foundation platform, along with the universities construction, the constant expansion of the bottleneck problem and exports export safety problem is getting worse.Export once appear problem, which becomes a campus network information "separate island", and external lose touch.The construction of campus net border has become the top priority of campus network construction.So how to build a quick, stability and security of campus network of our export, we need to exploration and study.
The background of this paper is a actual project. It's the "YunNan college of science and technology information" in KongGang campus of campus network. We research the boundary nets technology by this project. Through analysing challenges and difficulties of the modern campus net export, researching in depth on the key technology of boundary network construction. On the basis of further research, combined with the need of construction in YunNan college of science and technology information new campus. According to the network planning design theory, plan and design this campus boundary nets. And in the foundation of planning and designing, put forward the programme equipment selection.system deployment and the test scheme after completed.
This design has fully regard for the current construction of campus net export demand, can realize export more, high bandwidth, rapid and stable,inner and outer net access.This article adopt Policy-based Routing, improve all the exits selected the bandwidth utilization rate.Using a VPN technology to realize the outside of campus network users within remote access; With deep packet inspection and bandwidth nested technology for control of the P2P software for important service to improve, the bandwidth of the normal and stable, realize the bandwidth management.Adopt IDS and firewall linkage technology, export from safe, to further enhance the outer net connection speed and protect access web server security, we have added a reverse proxy server.In do not need to change the premise of network topology structure, further improves export performance.
本文以“云南科技信息职业学院”空港新校区校园网实际项目为背景,研究边界网技术。通过分析现代校园网出口面临的各种挑战和难点,对边界网关键技术进行深入研究,在深入研究的基础上,结合云南科技信息职业学院新校区的建设需求,按照网络规划设计理论,对云南科技信息职业学院校园网边界网进行规划设计,并在规划设计的基础上,对规划方案提出了设备选型,系统部署以及完成后的测试方案。
本设计充分考虑了当前校园网出口建设需求,能实现多出口、高带宽、快速、稳定的内外网访问,系统采用了策略路由实现智能选路,提高各个出口的带宽利用率;采用VPN技术来实现校外用户对校园网内部的远程访问;用深度包检测和带宽嵌套技术对P2P软件的控制,实现带宽的科学管理;采用IDS和防火墙联动技术,取长补短保证出口安全,为了进一步提高外网访问内网的速度和保护web服务器的安全,设计增加了一台反向代理服务器,在不需要改变网络拓扑结构的前提下,进一步增强了出口的性能。
With the rapid development of network technology nowadays.The construction of campus network accelerate university research and the development of education technology. It becomes a modern university education foundation platform, along with the universities construction, the constant expansion of the bottleneck problem and exports export safety problem is getting worse.Export once appear problem, which becomes a campus network information "separate island", and external lose touch.The construction of campus net border has become the top priority of campus network construction.So how to build a quick, stability and security of campus network of our export, we need to exploration and study.
The background of this paper is a actual project. It's the "YunNan college of science and technology information" in KongGang campus of campus network. We research the boundary nets technology by this project. Through analysing challenges and difficulties of the modern campus net export, researching in depth on the key technology of boundary network construction. On the basis of further research, combined with the need of construction in YunNan college of science and technology information new campus. According to the network planning design theory, plan and design this campus boundary nets. And in the foundation of planning and designing, put forward the programme equipment selection.system deployment and the test scheme after completed.
This design has fully regard for the current construction of campus net export demand, can realize export more, high bandwidth, rapid and stable,inner and outer net access.This article adopt Policy-based Routing, improve all the exits selected the bandwidth utilization rate.Using a VPN technology to realize the outside of campus network users within remote access; With deep packet inspection and bandwidth nested technology for control of the P2P software for important service to improve, the bandwidth of the normal and stable, realize the bandwidth management.Adopt IDS and firewall linkage technology, export from safe, to further enhance the outer net connection speed and protect access web server security, we have added a reverse proxy server.In do not need to change the premise of network topology structure, further improves export performance.
引文
[1]胡明华.高校校园网网络故障的诊断政策[J]2004.2:131-133.
[2]蔚红艳,黄勇,骆坚,蔚海潮.校园网应用技术[M].北京:清华大学出版社,2005.1:12-13.
[3]於肇鹏.中小规模校园网系统的设计与实现[J],大连理工大学学报,2008.1,112-114.
[4]范国渠.高校数字化校园整体构建策略与实施[J],山东师范大学学报,2009.3,76-78.
[5]李洋.DNS解析路由在多链路网络中的应用研究[J],实验科学与技术2010.1,34-36.
[6]于加鸣,朱晋宁,李志兰.多出口校园网网络体系结构的研究[J].计算机工程与科学,2006.3:139-142.
[7]罗国富,查贵庭,李恒贝.动态域名技术在多出口校园网中的应用[J].中国教育信息化,2007.12:82-84.
[8]王芳.VPN技术在校园网中的应用[D],东南大学,2007.5.
[9]Wu Jianping.Precomputation for Intra-domain Qos Routing [J], Computer Natworks,2005.4:923-937.
[10]Deering S,Hinden R.RFC2460[J],Internet Protocol,Version 6 Specificatio,1998.
[11]陈仁章.基于CDN技术实现教育网网站的跨网络快速访问[J],计算机工程与设计,2010.9,213-215.
[12]严世强,王建民,韩艳峰.Linux环境下NAT的实现[J],石家庄铁道学院,2002.02,123-125.
[13]尚遵义,崔立军.多出口路由策略实现及相关问题研究[J].大连铁道学院学报.2004.2:83-86.
[14]汪刚.多出口校园网路由技术的实现[J].南京工业职业技术学院学报.2004.4(4):18-20.
[15]Kent S,Atkinson R,Security Architecture for the internet Protocal[s].RFC 2401,1998.11:212-221.
[16]吴凌俊.高性能VPN网关的研究与实现[D],华中科技大学,2004.5.
[17]郑光.反向代理技术保护Web服务器的实现[J],计算机安全,2010.5:355-356.
[18]章伟辉,卫伟,周狄挺,劳洁莹.反向代理技术在校园网中的应用[J].福建电脑,2006.8:158-159.
[19]雷明彬.反向代理技术在数字化校园网中的应用[J],电脑与电信,2009.08:76-78.
[20]廖长武,汪刚.校园网组建[M].北京:清华大学出版社,2005.4:13-15.
[21]刘成.防火墙在校园网中的应用[J],绿色科技,2009.6:136-137.
[22]黎连业.计算机网络与工程实践教程[M].北京:科学教育出版社,2007.
[23]Park Kihong,On the Effectivess of Route-Based Packet Filtering for Distributed Dos Attack Prevention in Power-Law Internets[J],ACM SIGCOMM,2001.
[24]付俊.一种分布式防火墙安全通信机制的研究与设计方法[D],湖北工业大学,2008.05:67-68.
[25]黄登玺.防火墙核心技术的研究和高安全等级防火墙的设计[J],计算机科学,2002.10:232-235.
[26]Chang Rocky K C. Defending Against Flooding-Based Distributed Distributed Denial-of-Service.A.TTACKS:A.Tutorial[J].IEEE.Communications Magazine,2002.10.
[27]Brian Caswell.Jay Beale.James C.Foster.Jeffey Posluns.Snort2.0 Intrusion Deteion[M],Syngress Publishiong,Inc,2003.
[28]王艳娜.深入探讨DMZ[J],网络与信息,2008.08:322-323.
[29]W.RehardStevens.TCP/IP Ⅲust ratedVolumel:TheProtoeols[J].US:Addison-Wesley.1994.1:102-103.
[30]邓平.大型校园网络建设方案的研究[J],安徽电子信息职业技术学院学报,2010.03:134-136.
[31]雒明世.瘦AP方案简介[J],电信交换,2010.2:144-146.
[32]刘海韬,黄家林.策略路由技术在多出口校园网中的应用[J],电脑与信息技术,2002.04:51-53.
[33]赵冰华.基于包特征检测的IP业务流分析模型[D],北京邮电大学,2009.
[34]Fasttrack peer-to-peer technology compuany [ebOL]. http://www. FastTrack.nu/.
[35]aroiu S, Gummadia P K, Gribble S D. A Measurement Study of peer-to-peer FlieSharing Systems[C]. Multimedia Computing and Networking,2002.
[36]卢芸羽.防火墙与IDS联动在校园网的应用研究[D].贵州大学.2008.5.
[37]王敏.改进型SSL VPN系统的研究与应用[D],四川大学,2005.5.
[38]吕俊霞.基于SSL VPN技术原理与实现[J],济南职业学院学报.2009.04:55-58.
[39]刘进军,张明勇.基于校园网日志数据挖掘系统的研究[J],滁州学院学报,2007.11:42-45.
[40]张捷.网络和系统的日志采集及分析[J],科技信息,2010.10:356-359.
[41]陆国丽.策略路由在多网络出口校园网中的应用[J],科技信息2010.12:47-48.
[42]莫雁林.网络安全与防火墙技术[J],信息安全,2010.10:20-21.
[43]韩刘.基于主动防御的校园网安全部署[J],信息安全,2010.06:2-3.
[44]刘静.基于防火墙与入侵检测系统联动的校园网GSN全局部署[J],网络安全,2011.01:12-15.
[45]宁天桥.应用流量控制设备打造高效校园网[J],科技信息,2010.03:125-127.
[46]赵钊.基于不同层次实现校园网流量控制的方法与实现[J],网络安全,2010.09:35-37.
[47]许可,王昭然.基于VPN的校园网远程接入系统的研究与实现,中国教育信息化,2010.11:72-75.
[48]杨新泉,刘勇.基于VPN技术的多出口校园网的设计,计算机与网络,2010.03:624-625.
[49]陆科,毛克乐.VPN技术在高校多校区网络互联中的应用分析[J],计算机科学,2010.1:255-258.
[2]蔚红艳,黄勇,骆坚,蔚海潮.校园网应用技术[M].北京:清华大学出版社,2005.1:12-13.
[3]於肇鹏.中小规模校园网系统的设计与实现[J],大连理工大学学报,2008.1,112-114.
[4]范国渠.高校数字化校园整体构建策略与实施[J],山东师范大学学报,2009.3,76-78.
[5]李洋.DNS解析路由在多链路网络中的应用研究[J],实验科学与技术2010.1,34-36.
[6]于加鸣,朱晋宁,李志兰.多出口校园网网络体系结构的研究[J].计算机工程与科学,2006.3:139-142.
[7]罗国富,查贵庭,李恒贝.动态域名技术在多出口校园网中的应用[J].中国教育信息化,2007.12:82-84.
[8]王芳.VPN技术在校园网中的应用[D],东南大学,2007.5.
[9]Wu Jianping.Precomputation for Intra-domain Qos Routing [J], Computer Natworks,2005.4:923-937.
[10]Deering S,Hinden R.RFC2460[J],Internet Protocol,Version 6 Specificatio,1998.
[11]陈仁章.基于CDN技术实现教育网网站的跨网络快速访问[J],计算机工程与设计,2010.9,213-215.
[12]严世强,王建民,韩艳峰.Linux环境下NAT的实现[J],石家庄铁道学院,2002.02,123-125.
[13]尚遵义,崔立军.多出口路由策略实现及相关问题研究[J].大连铁道学院学报.2004.2:83-86.
[14]汪刚.多出口校园网路由技术的实现[J].南京工业职业技术学院学报.2004.4(4):18-20.
[15]Kent S,Atkinson R,Security Architecture for the internet Protocal[s].RFC 2401,1998.11:212-221.
[16]吴凌俊.高性能VPN网关的研究与实现[D],华中科技大学,2004.5.
[17]郑光.反向代理技术保护Web服务器的实现[J],计算机安全,2010.5:355-356.
[18]章伟辉,卫伟,周狄挺,劳洁莹.反向代理技术在校园网中的应用[J].福建电脑,2006.8:158-159.
[19]雷明彬.反向代理技术在数字化校园网中的应用[J],电脑与电信,2009.08:76-78.
[20]廖长武,汪刚.校园网组建[M].北京:清华大学出版社,2005.4:13-15.
[21]刘成.防火墙在校园网中的应用[J],绿色科技,2009.6:136-137.
[22]黎连业.计算机网络与工程实践教程[M].北京:科学教育出版社,2007.
[23]Park Kihong,On the Effectivess of Route-Based Packet Filtering for Distributed Dos Attack Prevention in Power-Law Internets[J],ACM SIGCOMM,2001.
[24]付俊.一种分布式防火墙安全通信机制的研究与设计方法[D],湖北工业大学,2008.05:67-68.
[25]黄登玺.防火墙核心技术的研究和高安全等级防火墙的设计[J],计算机科学,2002.10:232-235.
[26]Chang Rocky K C. Defending Against Flooding-Based Distributed Distributed Denial-of-Service.A.TTACKS:A.Tutorial[J].IEEE.Communications Magazine,2002.10.
[27]Brian Caswell.Jay Beale.James C.Foster.Jeffey Posluns.Snort2.0 Intrusion Deteion[M],Syngress Publishiong,Inc,2003.
[28]王艳娜.深入探讨DMZ[J],网络与信息,2008.08:322-323.
[29]W.RehardStevens.TCP/IP Ⅲust ratedVolumel:TheProtoeols[J].US:Addison-Wesley.1994.1:102-103.
[30]邓平.大型校园网络建设方案的研究[J],安徽电子信息职业技术学院学报,2010.03:134-136.
[31]雒明世.瘦AP方案简介[J],电信交换,2010.2:144-146.
[32]刘海韬,黄家林.策略路由技术在多出口校园网中的应用[J],电脑与信息技术,2002.04:51-53.
[33]赵冰华.基于包特征检测的IP业务流分析模型[D],北京邮电大学,2009.
[34]Fasttrack peer-to-peer technology compuany [ebOL]. http://www. FastTrack.nu/.
[35]aroiu S, Gummadia P K, Gribble S D. A Measurement Study of peer-to-peer FlieSharing Systems[C]. Multimedia Computing and Networking,2002.
[36]卢芸羽.防火墙与IDS联动在校园网的应用研究[D].贵州大学.2008.5.
[37]王敏.改进型SSL VPN系统的研究与应用[D],四川大学,2005.5.
[38]吕俊霞.基于SSL VPN技术原理与实现[J],济南职业学院学报.2009.04:55-58.
[39]刘进军,张明勇.基于校园网日志数据挖掘系统的研究[J],滁州学院学报,2007.11:42-45.
[40]张捷.网络和系统的日志采集及分析[J],科技信息,2010.10:356-359.
[41]陆国丽.策略路由在多网络出口校园网中的应用[J],科技信息2010.12:47-48.
[42]莫雁林.网络安全与防火墙技术[J],信息安全,2010.10:20-21.
[43]韩刘.基于主动防御的校园网安全部署[J],信息安全,2010.06:2-3.
[44]刘静.基于防火墙与入侵检测系统联动的校园网GSN全局部署[J],网络安全,2011.01:12-15.
[45]宁天桥.应用流量控制设备打造高效校园网[J],科技信息,2010.03:125-127.
[46]赵钊.基于不同层次实现校园网流量控制的方法与实现[J],网络安全,2010.09:35-37.
[47]许可,王昭然.基于VPN的校园网远程接入系统的研究与实现,中国教育信息化,2010.11:72-75.
[48]杨新泉,刘勇.基于VPN技术的多出口校园网的设计,计算机与网络,2010.03:624-625.
[49]陆科,毛克乐.VPN技术在高校多校区网络互联中的应用分析[J],计算机科学,2010.1:255-258.