Shulou(Shulou.com)06/01 Report--

Recently, the company has been informed by superior units that it is necessary for various branches to build a special financial network, one of which is that terminal devices are not allowed to access the Internet. Because each branch office does not have independent firewall equipment. Each branch accesses the Internet through the public network tunnel from the computer room exit of the headquarters. In the event of a public network tunnel failure, the traffic accessing the Internet is switched to the local line out. Therefore, simply restricting access in the headquarters computer room firewall can not achieve a complete effect.

Therefore, we considered several options:

1. Adjust the routing configuration of the end host

2. Local access switch details ACL control

3. The local egress router refers back to the null0 route

Among the three methods, choose one method combined with firewall filtering in the computer room of the headquarters.

After careful consideration, we choose to adjust the routing of the end host, which can simplify the network configuration and facilitate the helpdesk maintenance of the branch office. And the limitation of the terminal near the source pinches off the traffic accessing the Internet from the source and reduces the garbage flow in the intranet.

Terminal configuration idea

Looking at the routing of the end device, you can find that there is a default route that the host uses to access the Internet.

By deleting the route on the terminal device, coupled with the internal network and private network service routes, the host can be restricted from accessing the target.

Considering that the mainframe will restart when it is in use, this task needs to be performed after each boot.

Therefore, use the BAT script to adjust the route, and then power on the scheduling task to execute the script.

Terminal configuration steps

1. First, prepare the shybj.bat script. The sample content is as follows:

@ echo off

# # 10.16.25.1 is the local gateway address, and this entry is a private network route

Route-p add 10.16.0.0 mask 255.255.0.0 10.16.25.1

# # add a business address route. This entry is a business route.

Route-p add 10.4.1.0 mask 255.255.255.0 10.16.25.1

# # Delete the default route without modification

Route delete 0.0.0.0 mask 0.0.0.0

2. Run and open scheduled tasks

3. Create a boot task and run it with the highest permissions

Because administrator privileges are required to change the host route, the script should be executed with the highest privileges.

4. Set trigger conditions and delay startup by 1 minute.

After testing, the direct execution after boot is invalid, and the reason may be that the script execution after boot precedes the network startup.

5. Call the script

6. You can see that the task is ready

Restricting the access of private network equipment from the two dimensions of terminal and network equipment at the same time can ensure that the private network equipment is isolated from the Internet and meet the network construction needs of higher-level units.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.