淮阴卷烟厂网络设计与实现
摘要
当前,社会不断朝着信息化方向发展,各种网络技术不断涌现。信息化管理逐渐大众所接受,越来越多的企业将信息化管理应用到生产、业务谈判、采购、员工管理等领域,因此,如何建立起高效、安全的网络成了当务之急。企业把大量数据部署在内网的服务器上实现与外界的沟通,如果边界网络出现无法防御的攻击或者内部网络出现管理不善,势必给企业造成无法挽回的经济损失。因此,企业需要整体部署一套行之有效的网络方案来适应未来的发展。
本文以江苏中烟有限公司下辖烟厂项目为背景,由于现有网络不能满足日益壮大的业务需求,本人从企业网需求及未来发展考虑,大致分析了网络现状,并提出了新企业网的需求,将原有网络进行改进设计。首先,研究了当前企业网所需的一些关键技术的原理。然后根据需求分析,从基础网络设计部署、整体网络设计部署等方面进行详细说明。在设计中主要分内网设计,边界网设计和网络整体管理设计。内网的设计主要考虑的是交换网络的层次设计,边界网络的设计主要考虑如何通过防火墙、IDS、IPS、VPN、安全审计、内容管理方面等保障边界网络和远程通信的安全,网络整体管理设计主要考虑IP地址划分、VLAN划分和建立身份认证体系等内容。
通过本文所设计的整体解决方案,可以大大改善该烟厂的网络环境,为员工提供稳定先进的信息平台,间接提高员工的工作效率,以促使企业获得更大的经济收入。
At present, a variety of network technologies emerge with the development of the direction of information technology in the society. Information management is gradually being accepted by the public on more and more corporate information management applications to the field of production, business negotiations, purchasing, staff management. Therefore, how to build efficient and secure network has become a priority. A large amount of data is storage on severs to communicate with the outside world. If the boundary network is no defense against attack or internal network mismanagement, it can bound to cause irreparable economic loss to the enterprise. So it is necessary to design an overall plan of effective network solution which is accommodated in future development.
This thesis is based the background of a small cigarette factory project. Due to the existing network can not meet the growing demand for business needs and future development of the enterprise network. I consider that generally analysis of network situation and raise the needs of the new enterprise network in order to redesign the original network.
Firstly, I study the principle of some of the key technologies required for enterprise network. Then I make a detailed description from basic web design and boundary network design and other fields according to the requirement of analysis. And also purpose the views about IPv6technology in how to play a role in the future development. Mainly since the beginning of the design is about switch network design,border network design and overall network management design. The switch network design is mainly considered in the hierarchical design of switch network and the border network is mainly considered in how to build the security of perimeter network and remote communication by firewall, IDS, IPS, security audit system, content management systems, VPN and other equipment, the management design is mainly considered in how to devide IP address and VLAN and how to build the authentication system.
Through the design of the overall solution can greatly improve the enterprise's network environment and to provide a stable and state-of-the-art information platform for enterprise employees, and also indirectly improve the efficiency of the staff, to promote greater economic income.
本文以江苏中烟有限公司下辖烟厂项目为背景,由于现有网络不能满足日益壮大的业务需求,本人从企业网需求及未来发展考虑,大致分析了网络现状,并提出了新企业网的需求,将原有网络进行改进设计。首先,研究了当前企业网所需的一些关键技术的原理。然后根据需求分析,从基础网络设计部署、整体网络设计部署等方面进行详细说明。在设计中主要分内网设计,边界网设计和网络整体管理设计。内网的设计主要考虑的是交换网络的层次设计,边界网络的设计主要考虑如何通过防火墙、IDS、IPS、VPN、安全审计、内容管理方面等保障边界网络和远程通信的安全,网络整体管理设计主要考虑IP地址划分、VLAN划分和建立身份认证体系等内容。
通过本文所设计的整体解决方案,可以大大改善该烟厂的网络环境,为员工提供稳定先进的信息平台,间接提高员工的工作效率,以促使企业获得更大的经济收入。
At present, a variety of network technologies emerge with the development of the direction of information technology in the society. Information management is gradually being accepted by the public on more and more corporate information management applications to the field of production, business negotiations, purchasing, staff management. Therefore, how to build efficient and secure network has become a priority. A large amount of data is storage on severs to communicate with the outside world. If the boundary network is no defense against attack or internal network mismanagement, it can bound to cause irreparable economic loss to the enterprise. So it is necessary to design an overall plan of effective network solution which is accommodated in future development.
This thesis is based the background of a small cigarette factory project. Due to the existing network can not meet the growing demand for business needs and future development of the enterprise network. I consider that generally analysis of network situation and raise the needs of the new enterprise network in order to redesign the original network.
Firstly, I study the principle of some of the key technologies required for enterprise network. Then I make a detailed description from basic web design and boundary network design and other fields according to the requirement of analysis. And also purpose the views about IPv6technology in how to play a role in the future development. Mainly since the beginning of the design is about switch network design,border network design and overall network management design. The switch network design is mainly considered in the hierarchical design of switch network and the border network is mainly considered in how to build the security of perimeter network and remote communication by firewall, IDS, IPS, security audit system, content management systems, VPN and other equipment, the management design is mainly considered in how to devide IP address and VLAN and how to build the authentication system.
Through the design of the overall solution can greatly improve the enterprise's network environment and to provide a stable and state-of-the-art information platform for enterprise employees, and also indirectly improve the efficiency of the staff, to promote greater economic income.
引文
[1]陈华.浅谈路由器技术.[J].科技信息.2011(7):35-36.
[2]张海廷.常用动态路由协议的分析及比较.[J].电脑知识与技术:学术交流.2009(9):55-57.
[3]徐瑞.自动交换光网络路由控制模块研究.[D].南京.南京邮电大学.2009.
[4]康威OSPF路由协议安全性分析与研究.[D]北京.北京邮电大学.2010.
[5]邓永平.路由协议服务器的实现及其应用研究.[D]广州.华南理工大学.2003.
[6]王东OSPF路由协议在多区域中的应用.[J].重庆科技学院学报;自然科学版.2010(2):33-34.
[7]杭成宝OSPFv3协议的互操作性测试与研究.[D]包头.内蒙古大学.2010.
[8]陈怀颖.移动数据通信的安全加密方案分析.[J].计算机光盘软件与应用.2011(14):11-12.
[9]王龙.计算机网络安全与防火墙技术研究.[J].计算机光盘软件与应用.2011(13):11-12.
[10]姚东妮.防火墙发展的新趋势.[J].中国高新技术企业.2010(9):21-22.
[11]孙莉.IPv6网络性能与过渡技术研究.[D].北京.北京邮电大学.2007.
[12]邓永红等.IPv6技术综述.[J].有线电视技术,2004(10):32-34.
[13]黄平.IPv6下的DDoS攻击源追踪研究.[D]重庆.西南大学.2009.
[14]伍军云.IPv6过渡策略——基于NAT的隧道系统研究与设计.[D].南昌大学.2008.
[15]王德民.校园网的设计与管理.[J].齐齐哈尔大学学报:哲学社会科学版.2008(5).33-34.
[16]江海.NAT技术在支队级局域网的应用.[J].福建电脑.2010(2):19-20.
[17]任斌.网络视频与音频平滑度的设计.[D].南京.南京理工大学.2006.
[18]孙培松.VPN发展趋势及竞争策略研究.[D].北京.北京邮电大学.2008.
[19]格日勒图CNGI宁夏驻地网建设及部分应用的性能分析研究.[D].兰州.宁夏大学.2008.
[20]卷烟厂多业务承载网解决方案.[EB/DL]. http://www.h3c.com.cn/Solution/Gov_Corporation/Manufacturing/Solutions/20 1111/731886300040.htm.
[21]烟草智能安全网络.[EB/DL].http://www.h3c.com.cn/Solution/Gov_Corporation/Manufacturing/Solutions/20 1111/731884300040.htm.
[22]熊俊俊.移动IP技术与应用研究.[D].南京.南京邮电大学.2007.
[23]韩争胜.IPv6关键技术及其网络安全研究.[D].西安.西北工业大学.2005.
[24]常梅.IPv4向IPv6过渡技术的研究.[J].科技信息.2006(6):15-17.
[25]李群.基于数据挖掘的日志审计技术研究与实现.[D].浙江.浙江工商大学.2010.
[26]吕维新等.安全审计系统在昆明供电局网络安全管理中的应用.[J].电力信息化.2010(5):21-23.
[27]杜燕鹏等.IPv6:提速产业化.[J].中国电信业.2003(8):25-26.
[28]王建军Snort在校园网关键子网入侵检测中的应用.[D].山东.山东大学.2011.
[29]刘爱洁.负载均衡技术浅析[C].信息产业部北京邮电设计院第七届新技术论坛,2005.
[30]Zhang Wensong, WU Tingting, Wu Quanyuan. Design and Implementation of a Virtual Internet Server, Journal of software 2000.
[31]于加鸣,朱晋宁,李志兰.多出口校园网网络体系结构的研究[J].计算机工程与科学,2006(3):139-142.
[32]章伟辉,卫伟,周狄挺,劳洁莹.反向代理技术在校园网中的应用[J].福建电脑,2006(8):158-159.
[33]http//www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos-c/fqcprtl/qcfpbrhtm#23550.[EB/DL].
[34]R.Hinden and S.Deering,RFC 4291:IP Version 6 Addressing Architecture, February.
[35]S.Deering,R.Hinden,RFC 2460:Internet Protocol,Version 6 Sepcification, December 1998.
[36]中国协议分析网——IPv6对硬件平台技术要求浅析.[EB/DL].http://www.cnpaf.net/Class/IPV6/059161503152894560.htm.
[37]Chang Rocky K C.Defending Against Flooding-Based Distributed Disteibuted Denial-of-Service.A.TTACKS:A.Tutorial[J].IEEE.Communications Magazine,2002.10.
[38]Brian Caswell.Jay Beale.James C.Foster.Jeffey Posluns.Snort2.0 Intrusion Deteion[M],Syngress Publishing,Inc,2003.
[39]廖长武,汪刚.校园网组建[M].北京:清华大学出版社,2005.
[40]黎连业.计算机网络与工程实践教程[M].北京:科学教育出版社,2007.
[41]罗国富,查贵庭,李恒贝.动态域名技术在多出口校园网中的应用[J].中国教育信息化,2007(12):82-84.
[42]尚遵义,崔立军.多出口路由策略实现及相关问题研究[J].大连铁道学院学报.2004,25(3):83-86.
[43]汪刚.多出口校园网路由技术的实现[J].南京工业职业技术学院学报.2004.4(4):18-20.
[44]程明辉.VPN技术在园区网建设中的应用与实现.[J].民营科技.2011(8):8-9.
[45](日)丸山修孝.通信协议技术[M].王庆,译.北京:科学出版社,2004.
[46]V. Kompella, Y. Rekhter, Virtual Private LAN Service Using BGP Signaling[S]. IETF, RFC 4761,2007.
[47](美)Pepelnjak. J, Guichard J. MPLS and VPN Architectures(CCIP Edition)[M]北京:人民邮电出版社,2003,4.
[2]张海廷.常用动态路由协议的分析及比较.[J].电脑知识与技术:学术交流.2009(9):55-57.
[3]徐瑞.自动交换光网络路由控制模块研究.[D].南京.南京邮电大学.2009.
[4]康威OSPF路由协议安全性分析与研究.[D]北京.北京邮电大学.2010.
[5]邓永平.路由协议服务器的实现及其应用研究.[D]广州.华南理工大学.2003.
[6]王东OSPF路由协议在多区域中的应用.[J].重庆科技学院学报;自然科学版.2010(2):33-34.
[7]杭成宝OSPFv3协议的互操作性测试与研究.[D]包头.内蒙古大学.2010.
[8]陈怀颖.移动数据通信的安全加密方案分析.[J].计算机光盘软件与应用.2011(14):11-12.
[9]王龙.计算机网络安全与防火墙技术研究.[J].计算机光盘软件与应用.2011(13):11-12.
[10]姚东妮.防火墙发展的新趋势.[J].中国高新技术企业.2010(9):21-22.
[11]孙莉.IPv6网络性能与过渡技术研究.[D].北京.北京邮电大学.2007.
[12]邓永红等.IPv6技术综述.[J].有线电视技术,2004(10):32-34.
[13]黄平.IPv6下的DDoS攻击源追踪研究.[D]重庆.西南大学.2009.
[14]伍军云.IPv6过渡策略——基于NAT的隧道系统研究与设计.[D].南昌大学.2008.
[15]王德民.校园网的设计与管理.[J].齐齐哈尔大学学报:哲学社会科学版.2008(5).33-34.
[16]江海.NAT技术在支队级局域网的应用.[J].福建电脑.2010(2):19-20.
[17]任斌.网络视频与音频平滑度的设计.[D].南京.南京理工大学.2006.
[18]孙培松.VPN发展趋势及竞争策略研究.[D].北京.北京邮电大学.2008.
[19]格日勒图CNGI宁夏驻地网建设及部分应用的性能分析研究.[D].兰州.宁夏大学.2008.
[20]卷烟厂多业务承载网解决方案.[EB/DL]. http://www.h3c.com.cn/Solution/Gov_Corporation/Manufacturing/Solutions/20 1111/731886300040.htm.
[21]烟草智能安全网络.[EB/DL].http://www.h3c.com.cn/Solution/Gov_Corporation/Manufacturing/Solutions/20 1111/731884300040.htm.
[22]熊俊俊.移动IP技术与应用研究.[D].南京.南京邮电大学.2007.
[23]韩争胜.IPv6关键技术及其网络安全研究.[D].西安.西北工业大学.2005.
[24]常梅.IPv4向IPv6过渡技术的研究.[J].科技信息.2006(6):15-17.
[25]李群.基于数据挖掘的日志审计技术研究与实现.[D].浙江.浙江工商大学.2010.
[26]吕维新等.安全审计系统在昆明供电局网络安全管理中的应用.[J].电力信息化.2010(5):21-23.
[27]杜燕鹏等.IPv6:提速产业化.[J].中国电信业.2003(8):25-26.
[28]王建军Snort在校园网关键子网入侵检测中的应用.[D].山东.山东大学.2011.
[29]刘爱洁.负载均衡技术浅析[C].信息产业部北京邮电设计院第七届新技术论坛,2005.
[30]Zhang Wensong, WU Tingting, Wu Quanyuan. Design and Implementation of a Virtual Internet Server, Journal of software 2000.
[31]于加鸣,朱晋宁,李志兰.多出口校园网网络体系结构的研究[J].计算机工程与科学,2006(3):139-142.
[32]章伟辉,卫伟,周狄挺,劳洁莹.反向代理技术在校园网中的应用[J].福建电脑,2006(8):158-159.
[33]http//www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos-c/fqcprtl/qcfpbrhtm#23550.[EB/DL].
[34]R.Hinden and S.Deering,RFC 4291:IP Version 6 Addressing Architecture, February.
[35]S.Deering,R.Hinden,RFC 2460:Internet Protocol,Version 6 Sepcification, December 1998.
[36]中国协议分析网——IPv6对硬件平台技术要求浅析.[EB/DL].http://www.cnpaf.net/Class/IPV6/059161503152894560.htm.
[37]Chang Rocky K C.Defending Against Flooding-Based Distributed Disteibuted Denial-of-Service.A.TTACKS:A.Tutorial[J].IEEE.Communications Magazine,2002.10.
[38]Brian Caswell.Jay Beale.James C.Foster.Jeffey Posluns.Snort2.0 Intrusion Deteion[M],Syngress Publishing,Inc,2003.
[39]廖长武,汪刚.校园网组建[M].北京:清华大学出版社,2005.
[40]黎连业.计算机网络与工程实践教程[M].北京:科学教育出版社,2007.
[41]罗国富,查贵庭,李恒贝.动态域名技术在多出口校园网中的应用[J].中国教育信息化,2007(12):82-84.
[42]尚遵义,崔立军.多出口路由策略实现及相关问题研究[J].大连铁道学院学报.2004,25(3):83-86.
[43]汪刚.多出口校园网路由技术的实现[J].南京工业职业技术学院学报.2004.4(4):18-20.
[44]程明辉.VPN技术在园区网建设中的应用与实现.[J].民营科技.2011(8):8-9.
[45](日)丸山修孝.通信协议技术[M].王庆,译.北京:科学出版社,2004.
[46]V. Kompella, Y. Rekhter, Virtual Private LAN Service Using BGP Signaling[S]. IETF, RFC 4761,2007.
[47](美)Pepelnjak. J, Guichard J. MPLS and VPN Architectures(CCIP Edition)[M]北京:人民邮电出版社,2003,4.