Enterprise Network Design and Security Implementation Based on Cisco Devices
Abstract
In an enterprise network, the planning and implementation of each branch office's internal network is closely tied to the development of LAN technology. This network design adopts virtual LAN (VLAN) technology. A VLAN logically partitions a switched network into several broadcast domains, reducing the broadcast traffic in each domain and further improving the performance of the switched network. VLAN technology combined with switching technology forms the core technology of the enterprise computer network.
     In addition, following the structure of the enterprise network, the design adopts an "inside-out" implementation principle: first secure the enterprise's internal network, then secure each server, and finally secure external access.
     Users in the enterprise's two offices connect to the internal switch over Category 5 twisted-pair cabling and are placed in two separate VLANs; for security, an access control list is configured to prohibit the two offices from accessing each other. Servers that the enterprise must expose externally, such as the web server and the FTP server, connect through a DMZ switch to the firewall's DMZ interface, and are housed together with the DMZ switch and the firewall in a dedicated server room to further ensure security.
     The firewall is the core of this network security design. It serves not only as the security relay between the external network, the internal network and the DMZ, but also as the VPN server, providing secure VPN access for remote and mobile users so that authorized users can reach shared resources on the enterprise's internal network.
     At the same time, an IDS (intrusion detection system) is enabled on the firewall: any attempted attack on the firewall or abnormal traffic is blocked by the firewall and, at the same time, raises an alert and is recorded in the log, so that the administrator can analyse the intrusion.
     Finally, the configuration required for remote VPN users is described, so that users can access the enterprise's internal network over a secure IPSec or PPTP VPN using the Cisco VPN Client or the VPN dial-up component built into Windows.
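The inter-office isolation described in the abstract, as an added example that is not part of the thesis or its own configurations: a Cisco IOS configuration for a Layer 3 switch that places the two offices in separate VLANs and applies an extended access list on each VLAN interface to deny traffic between the two offices while permitting everything else (so users still reach the DMZ servers and the Internet through the firewall). The VLAN numbers, interface ranges and the 192.168.10.0/24 and 192.168.20.0/24 addresses are assumptions chosen for the example.

```cisco
! Assumed addressing: Office A = VLAN 10 (192.168.10.0/24), Office B = VLAN 20 (192.168.20.0/24)
ip routing
!
vlan 10
 name OFFICE-A
vlan 20
 name OFFICE-B
!
! Access ports for office users (assumed interface ranges)
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20
!
! Extended ACLs: deny traffic from one office subnet to the other, permit all other traffic.
! "log" records each denied packet so the administrator can review attempted cross-office access.
ip access-list extended OFFICE-A-IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
ip access-list extended OFFICE-B-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip any any
!
! Apply each ACL inbound on its VLAN's SVI: packets are dropped as they leave the source VLAN,
! so applying one ACL per SVI blocks both directions of communication.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group OFFICE-A-IN in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group OFFICE-B-IN in
```

After applying the configuration, `show access-lists` displays per-entry match counters; a rising count on the `deny` entries confirms the isolation is being enforced, and the logged denials give the administrator the same kind of record the abstract describes for the firewall's IDS.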
