
2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

A brief introduction to the main kinds of network security equipment:

◇ Router:

A Router here usually means a Cisco router with network security functions added on. Cisco's new generation of routers is called the ISR (Integrated Services Router), which can integrate IPS or Voice modules. For the external-facing Router we normally only want it to play the role of a router, but when a customer cannot buy a separate IPS device for the inside, we advise adding an IPS module to the existing Router.

◇ Switch:

Generally speaking, a Switch can only take an IPS module at the Core level. Just as with the Router, the module mainly adds intrusion detection. If the Switch's performance in the customer environment is adequate and the customer does not intend to buy more equipment, a module can be added to protect the network.

◇ VPN:

VPN is a Virtual Private Network: it lets computers in two domains communicate as if they were in the same domain. This requires making sure that the outside network cannot access or see the packets passing between us, while the two domains can freely use each other's network resources. To do this, the VPN must encrypt the traffic packet by packet so that the content of the transmission cannot be seen by outsiders, and the far end needs a matching decryption machine, which may be another VPN appliance or software installed on a notebook. Because the transmission is encrypted, many requirements for more secure transmission also turn to VPN. Today the market mainly uses SSL VPN, because the existing client programs (such as IE) can complete the encryption, decryption and verification, so the user needs neither a VPN appliance nor a client-side program. It is the easiest to introduce into an environment and the easiest to use.

◇ FireWall:

FireWall is certainly the oldest network security product, but it is also the most classic. Put simply, it acts as a switch for each Port: for traffic to pass through, say, a port on the left side of the firewall, the Firewall must first be asked whether it is allowed.

The second major function of a Firewall is to separate network segments. For example, a DMZ can be carved out on the Firewall so that the flow of packets is controlled: traffic coming in from outside is only allowed into the DMZ area, not into the internal network, which prevents external and internal packets from mixing. The third function, the one that distinguishes it from setting ACLs on a Router, is SPI (Stateful Packet Inspection): it quickly checks the packet's source and destination address, protocol, port, connection state and other header information to decide whether the packet is allowed or denied!
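The three firewall functions just described (port gating, zone separation with a DMZ, and stateful inspection) are easiest to see in a small model. The following is an added example written for this page, not code from the original article or from any firewall vendor; the address plan, the ACL and the packets are constructed sample data.

```python
"""Added example (not from the original article): a miniature stateful packet
filter showing port gating, outside/DMZ/inside zone separation and SPI-style
connection tracking. Zones, ACL entries and packets are constructed samples."""
from dataclasses import dataclass
import ipaddress

ZONES = {  # constructed address plan; anything not inside or DMZ is "outside"
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name in ("inside", "dmz"):
        if addr in ZONES[name]:
            return name
    return "outside"


# ACL entries: (src_zone, dst_zone, proto, dst_port); port None means any port.
# Anything not listed is denied, which gives the "ask the Firewall first" behaviour.
ACL = [
    ("outside", "dmz", "tcp", 80),
    ("outside", "dmz", "tcp", 443),
    ("inside", "dmz", "tcp", None),
    ("inside", "outside", "tcp", None),
    ("inside", "outside", "udp", 53),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # True for the first packet of a TCP connection


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.state = set()  # admitted flows as (src, sport, dst, dport, proto)
        self.log = []

    def _acl_allows(self, pkt):
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for sz, dz, proto, port in self.acl:
            if (sz, dz, proto) == (src_zone, dst_zone, pkt.proto) and port in (None, pkt.dport):
                return True
        return False

    def decide(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.state or reverse in self.state:
            # SPI: a reply belonging to a connection we already admitted passes
            # without consulting the ACL again (no "outside -> inside" rule is needed)
            verdict = "allow (established)"
        elif pkt.proto == "tcp" and not pkt.syn:
            # a mid-stream TCP packet with no tracked connection is dropped
            verdict = "deny (no state)"
        elif self._acl_allows(pkt):
            self.state.add(flow)
            verdict = "allow (acl)"
        else:
            verdict = "deny (acl)"
        self.log.append((flow, zone_of(pkt.src), zone_of(pkt.dst), verdict))
        return verdict


if __name__ == "__main__":
    fw = StatefulFirewall(ACL)
    print(fw.decide(Packet("198.51.100.7", 40000, "192.0.2.10", 443, "tcp", syn=True)))
    print(fw.decide(Packet("192.0.2.10", 443, "198.51.100.7", 40000, "tcp")))
    print(fw.decide(Packet("198.51.100.7", 40001, "10.0.0.5", 445, "tcp", syn=True)))
```

The DMZ rule set is what keeps outside traffic out of the inside zone, and the state table is what lets the DMZ server's reply go back out without an explicit "DMZ to outside" rule; a stray mid-connection packet with no state is refused even when a matching ACL line exists.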

◇ IPS/IDS:

This is still a very young product. At first it was called IDS (Intrusion Detection System), an intrusion detection system; as the name implies, once someone has come onto my land I will know about it, so it can detect whether or not an intrusion event has occurred. Later people realized that when the bad guys run into my house, knowing about it is not enough: could they be repelled at the same time? So IPS (Intrusion Prevention System), an intrusion prevention system, was born. Patterns are written into the IPS, and when a packet flowing through is judged to be an attack when compared against the patterns, it is immediately discarded or the connection from the source machine is blocked.

In general an IPS has more than one network segment. As in the picture above, it can be placed in front of the Firewall to block more actively on the Firewall's behalf, or behind the Firewall, where it directly checks whether inbound traffic that has already passed through the permitted ports is an attack, and can also analyze outbound packets (to learn about the Internet behavior of internal employees). In practice, whether the IPS goes in front of or behind the firewall depends on the hardware throughput: see which arrangement performs better. The testing period of an IPS is usually long, because when IPS rules are turned on in an environment there will be "misjudgments" (false positives)! This is normal: unless the enabled rules are too loose, it is normal for legitimate packets to be blocked, and then the rules need adjusting, so testing an IPS is a great opportunity to practice!
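The pattern comparison, the difference between an inline placement (drop and block the source) and a monitoring placement (alert only), and the rule tuning that follows a "misjudgment" are shown in the added example below. It was written for this page and is not the article's or any vendor's code; the two patterns, the hosts and the packets are constructed samples, and a real rule set would be far larger.

```python
"""Added example (not from the original article): a toy IPS that compares
packet payloads against a small constructed pattern set. It shows inline mode
(drop the packet and cut the source's further connections), monitor mode
(alert only) and the exception added after a false positive is reviewed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str     # application protocol the decoder recognised, e.g. "http"
    payload: str


@dataclass(frozen=True)
class Signature:
    sid: str
    name: str
    proto: str
    pattern: re.Pattern


SIGNATURES = [  # constructed patterns, not a real signature set
    Signature("CONSTRUCTED-1", "directory traversal in request path", "http", re.compile(r"/\.\./")),
    Signature("CONSTRUCTED-2", "known scanner user-agent", "http",
              re.compile(r"User-Agent: constructed-scanner", re.I)),
]


class IPS:
    def __init__(self, signatures, mode="inline"):
        assert mode in ("inline", "monitor")
        self.signatures = signatures
        self.mode = mode
        self.blocked = set()      # sources whose connections are cut (inline only)
        self.exceptions = set()   # (sid, src) pairs tuned out after review
        self.alerts = []          # (sid, src) history for the reporting side

    def add_exception(self, sid, src):
        """Tuning step after a misjudgment: stop matching this rule for this host."""
        self.exceptions.add((sid, src))
        self.blocked.discard(src)  # undo a block that the false positive caused

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "dropped (source blocked)"
        for sig in self.signatures:
            # only compare patterns written for the packet's protocol
            if sig.proto != pkt.proto or not sig.pattern.search(pkt.payload):
                continue
            if (sig.sid, pkt.src) in self.exceptions:
                continue
            self.alerts.append((sig.sid, pkt.src))
            if self.mode == "inline":
                self.blocked.add(pkt.src)
                return f"dropped ({sig.sid})"
            return f"alert ({sig.sid})"
        return "forwarded"


if __name__ == "__main__":
    ips = IPS(SIGNATURES, mode="inline")
    print(ips.inspect(Packet("198.51.100.9", "http", "GET /static/../../private/ HTTP/1.1")))
    print(ips.inspect(Packet("198.51.100.9", "http", "GET /index.html HTTP/1.1")))
```

Running the same pattern set in monitor mode first is the safe way through the long testing period the text mentions: the alert history shows which rules fire on legitimate traffic, exceptions are added, and only then is the device switched to inline mode where a false positive would cut off a real user.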

◇ Virus Wall:

VirusWall is a relatively simple product. The concept is to put the antivirus engine on the Gateway, so that every packet flowing through can be compared against the virus signatures in the engine. Speaking of which, you should know the key points for evaluating a VirusWall:

. Which antivirus engine does it use?

. Is virus scanning fast or slow?

No one can guarantee 100% virus protection forever; it is purely a matter of probability. Each vendor's detection rate varies, and this can be compensated for. The easiest way is to introduce an antivirus engine different from the one already in the environment. For example, if the original clients use Norton, the VirusWall will use Kaspersky, or a UTM with Trend is put in front, or a McAfee VirusWall can be introduced. For installation engineers VirusWall is a very simple product; just pay attention to which Port traffic the customer wants scanned.

◇ WebSecurity

WebSecurity simply filters packets in Web traffic, checking each requested URL against a database to see whether it is dangerous, a phishing site or a URL with malicious purpose; if so, the connection is blocked directly. If the connection to the destination is allowed (perhaps because the site has only just been compromised, or the URL is not in the database), the returned packets are scanned by the virus engine as well. Because it targets the Web, the virus engine chosen must be one that is strong at analyzing malicious websites. Simply put, you introduce this device out of fear that users will be infected while browsing or be cheated by a phishing website.

◇ ApplicationFirewall

Companies that place great importance on their web services should be most interested in this device. A simple example: during a test, you always try SQL statements in any input field on the customer's Web page. With this device in front of the WebServer, your syntax fails immediately; then you try XSS, cookie and session tricks again, and it is usually a fruitless experiment. Even if the IIS or Apache running on the WebServer is not updated and has a well-known vulnerability, the device still blocks attacks on that vulnerability. But, as mentioned before, network security is a matter of probability: it reduces the probability of being attacked, but it cannot be invincible!

◇ Spam Wall:

E-mail is a great way to advertise, and as information technology developed, more and more businesses came to rely on e-mail advertising. Slowly users felt the inconvenience of too much e-mail, so devices to block spam were born. They can be called Anti-spam or Spam wall. At first they simply blocked spam, but many attackers found this channel too and used mail to send large numbers of phishing links, attached virus files and malicious links, so anti-spam devices also began to take on antivirus work for mail. A good spam device should be effective at screening (deciding which mail to accept), have a low misjudgment rate, support black, grey and white lists, and be easy to use.

◇ UTM/ASA:

UTM (Unified Threat Management) is an all-in-one device whose functions cover a wide range; which functions a given UTM has depends on the brand. The concept is to take the FireWall as the core and add all kinds of network security functions! For example, Cisco's ASA is centered on the firewall, and an antivirus module or IPS module can be added.

Generally speaking, UTM is recommended for environments with fewer than 300 people: it is simple and covers a lot! In larger environments it is recommended that each function be handled by a separate device. The reason is very simple: even with the same antivirus engine, the signature set on a UTM is certainly not as large as that of a dedicated VirusWall!

◇ SIM/MARS:

This device is called SIM (Security Information Management), or by a more apt name such as Cisco's MARS (Monitoring, Analysis and Reporting System). Although it sits in a small corner of the network, it can control all the devices! This is a great device! Some people may think that everything has already been blocked by the other equipment, so why spend a lot of money just to produce Reports?

Let's first understand what functions it needs to perform. The first is receiving logs: it must collect the messages from the various devices, Switch, Router, IPS, Firewall, VirusWall... We must assume it is impossible for all the devices in an environment to be of the same brand, so it must support every brand, cats and dogs alike!

The second function is Reporting, which links the messages of all devices together to produce reports at every level or for every department. More advanced equipment can also perform a third function: cooperating in the defense. Having determined where the threat is, it can issue appropriate defense instructions or policies to each network device and network security device.

The price of this equipment is usually quite high! The reason is that it needs broad support (for many brands), and it also needs to accurately analyze, judge and organize the information returned by each device: what is a misjudgment? What is a real threat? It must then notify the relevant personnel in real time and suggest the appropriate action.
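The three functions above (collect logs in several brands' formats, correlate them, and derive a defense instruction) and the "misjudgment or threat?" decision are shown in the added example below. It was written for this page and is not the article's or any vendor's code; the three log formats, device names, signature ids and addresses are constructed samples, and the assumption that a source reported by two or more different device classes within ten minutes counts as a threat is the example's own rule.

```python
"""Added example (not from the original article): a miniature SIM-style
correlator. It normalizes log lines from three constructed vendor formats,
groups hostile events by source address, escalates a source only when several
device classes agree within a time window, and proposes a firewall action."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2025  # assumed year for syslog-style lines, which carry none

# One parser per "brand": (device class, regex, timestamp format).
PARSERS = [
    # constructed firewall format:
    #   2025-04-04T10:00:01 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=445
    ("firewall",
     re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<evt>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=\d+$"),
     "%Y-%m-%dT%H:%M:%S"),
    # constructed IPS format (syslog-like, no year):
    #   Apr  4 10:00:03 ips1 alert sig=CONSTRUCTED-1 src=198.51.100.7 action=drop
    ("ips",
     re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) (?P<evt>alert) sig=\S+ src=(?P<src>\S+) action=\S+$"),
     "%b %d %H:%M:%S"),
    # constructed VirusWall format:
    #   2025-04-04 10:00:05 [viruswall1] virus detected client=198.51.100.7 file=report.exe
    ("viruswall",
     re.compile(r"^(?P<ts>\S+ \S+) \[(?P<dev>[^\]]+)\] (?P<evt>virus detected) client=(?P<src>\S+) file=\S+$"),
     "%Y-%m-%d %H:%M:%S"),
]


def normalize(line):
    """Turn one raw line into a common event dict, or None if no brand parser fits."""
    for kind, rx, fmt in PARSERS:
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"], fmt)
            if ts.year == 1900:  # strptime default when the format has no year
                ts = ts.replace(year=LOG_YEAR)
            return {"ts": ts, "kind": kind, "device": m["dev"], "event": m["evt"], "src": m["src"]}
    return None


def correlate(lines, window_minutes=10, min_kinds=2):
    """Return ({source: finding}, [unparsed lines]). A source is a threat when at
    least `min_kinds` device classes reported it within `window_minutes`."""
    by_src = defaultdict(list)
    unparsed = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)       # unsupported brand: report, do not silently drop
            continue
        if ev["event"] == "ALLOW":      # informational, not a threat indicator
            continue
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = evs[-1]["ts"] - evs[0]["ts"]
        kinds = sorted({e["kind"] for e in evs})
        if len(kinds) >= min_kinds and span <= timedelta(minutes=window_minutes):
            findings[src] = {"verdict": "threat", "devices": kinds,
                             "action": f"push deny rule for {src} to firewall"}
        else:
            findings[src] = {"verdict": "review for misjudgment", "devices": kinds, "action": None}
    return findings, unparsed


# constructed sample log lines in the three formats plus one unsupported line
SAMPLE_LOGS = [
    "2025-04-04T10:00:01 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "Apr  4 10:00:03 ips1 alert sig=CONSTRUCTED-1 src=198.51.100.7 action=drop",
    "2025-04-04 10:00:05 [viruswall1] virus detected client=198.51.100.7 file=report.exe",
    "2025-04-04T10:02:00 fw1 ALLOW src=10.0.0.9 dst=203.0.113.4 dport=443",
    "Apr  4 10:03:10 ips1 alert sig=CONSTRUCTED-2 src=10.0.0.9 action=alert",
    "random text from an unsupported box",
]

if __name__ == "__main__":
    for src, finding in correlate(SAMPLE_LOGS)[0].items():
        print(src, finding)
```

A single IPS alert against an internal host is left for review rather than acted on, which is the "misjudgment or threat" distinction the text asks the device to make; a source that the firewall, the IPS and the VirusWall all report within seconds is escalated and turned into a concrete policy instruction for the firewall.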

◇ Online behavior management:

There are two ways to deploy an Internet behavior management device: Inline Mode (placed at the Gateway) or Mirror Mode (attached to the Core Switch). The figure above shows traffic mirrored directly from the Core Switch. Each method has its advantages and disadvantages. At the Gateway, blocking is fast and direct, but if the device fails you must consider whether it has hardware bypass! Mirror mode has the advantage of being easy to introduce without changing the original architecture at all, but when blocking it must send packets to both the remote destination server and the source client at the same time, which costs some network bandwidth. Which one is better depends on the circumstances. The main function of this device is to observe the Internet access of internal users and then manage it. For example, after integrating with the internal AD Server, we can enforce that the RD department cannot use P2P, the engineering department cannot visit prohibited websites, and the accounting department cannot open IM chat. Some companies also use AD authentication, with no network access at all unless you log in to AD (awesome).

◇ Profile:

The concept of profiling is like a surveillance camera near your home or in a bank: it records everything it can see. This includes the contents of your mailbox, your chat history, which websites you have visited, which pictures you have viewed, even FTP files; all of it can be restored and replayed! Because it captures all the data, traffic and packets, the storage system carries a heavy burden: the more you record, the shorter the retention time. Therefore, in practice, a profile recording device may, as in the picture above, sit behind an IPS and use the IPS's powerful packet-matching capability to filter down to only the packet content you want to record, such as only Web traffic or FTP traffic. Another way is to learn from the Internet behavior management device that a certain IP or user is always browsing the Internet, and then record that host's entire session! We often joke that if MIS knows who in the company is good at the stock market, he can place orders along with him! Of course, this also involves the issue of privacy, so the introduction usually has to be matched with company policy.

◇ NAC:

NAC (Network Access Control) is a network access control device, usually located at the junction between the Gateway and the clients. The goal is that every device coming in from the Client side may only access the network above it with NAC's permission (perhaps via AD authentication or web authentication); this is what the original NAC did. As the market developed, new functions were needed to win customers' acceptance. If client protection is required, NAC can push patches to the client, such as Windows updates or patches for some antivirus software, to ensure the security of the End User and thereby protect the entire network. I guess we will see a similar new term, CAP (Client Access Protect), in the future.

◇ Wireless Control:

Managing wireless can be painful for many people, and the purpose of this device is to control the packet traffic in your airspace. There may be many ways to do this; I will only use the example I have encountered to illustrate it. Install the console software on a Server in the Server Group, then place Sensors at the boundary points you want to monitor, for example three Sensors at three points in the company's building. Then pair it with Google Maps to capture the company's satellite image and give it the proper scale, and on the Server you can see, on the map, where each wireless signal is, what kind of signal it is, its signal strength, SSID... When you want to terminate a client's connection to an AP, all you have to do is send out a reset packet, which is awesome! (But the price is not low.)

◇ IPAM:

Some large environments need to let users use network resources dynamically, or... MIS is too lazy to manage addresses and uses DHCP. In such an environment, managing which computer or person is using which dynamic IP is a great solution. IPAM (IP Analysis Management) is an IP analysis and management device that provides a table of MAC and IP accesses in a DHCP environment. When there is an AD or RADIUS server in the environment, the visible record becomes a linked time-MAC-IP-User table, which lets the administrator quickly track who is using an IP. The device therefore often integrates with the DNS Server and DHCP Server in the environment to improve the consistency of the information.
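How the time-MAC-IP-User table is assembled from DHCP lease events and AD/RADIUS logon events, and how the "who was using this IP at that time" lookup works, is shown in the added example below. It is written for this page and is not the article's or any IPAM product's code; the two log formats, the addresses, MACs and user names are constructed samples, and the rule that a lease row closes when the same IP is handed to a different MAC is the example's own simplification.

```python
"""Added example (not from the original article): build an IPAM-style
time-MAC-IP-User table by joining DHCP acknowledgements with authentication
events, then answer "who had IP X at time T". Formats and data are constructed."""
import re
from datetime import datetime

# constructed formats; real DHCP and RADIUS/AD logs look different
DHCP_RX = re.compile(r"^(?P<ts>\S+ \S+) DHCPACK ip=(?P<ip>\S+) mac=(?P<mac>\S+)$")
AUTH_RX = re.compile(r"^(?P<ts>\S+ \S+) AUTH-OK user=(?P<user>\S+) mac=(?P<mac>\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_table(dhcp_lines, auth_lines):
    """Return rows {start, end, mac, ip, user}. A row opens on a DHCPACK, closes
    when the IP is handed to another MAC (end=None while still open). The user
    is the latest AUTH-OK seen for that MAC, whether the logon came before the
    lease (802.1X style) or after it (AD logon style)."""
    events = []
    for line in auth_lines:
        m = AUTH_RX.match(line)
        if m:
            events.append((parse_ts(m["ts"]), 0, m["mac"].lower(), m["user"]))
    for line in dhcp_lines:
        m = DHCP_RX.match(line)
        if m:
            events.append((parse_ts(m["ts"]), 1, m["mac"].lower(), m["ip"]))
    events.sort()  # chronological; on a tie, auth (0) is applied before DHCP (1)

    rows, open_by_ip, last_user = [], {}, {}
    for ts, kind, mac, value in events:
        if kind == 0:                       # AUTH-OK: remember user, fill open rows
            last_user[mac] = value
            for r in rows:
                if r["mac"] == mac and r["end"] is None and r["user"] is None:
                    r["user"] = value
            continue
        ip = value                          # DHCPACK
        idx = open_by_ip.get(ip)
        if idx is not None and rows[idx]["mac"] == mac:
            continue                        # renewal of the same lease
        if idx is not None:
            rows[idx]["end"] = ts           # IP moved to another host: close old row
        rows.append({"start": ts, "end": None, "mac": mac, "ip": ip, "user": last_user.get(mac)})
        open_by_ip[ip] = len(rows) - 1
    return rows


def who_had(rows, ip, at):
    """(mac, user) holding `ip` at time `at`, or None if no lease covers it."""
    at = parse_ts(at)
    for r in rows:
        if r["ip"] == ip and r["start"] <= at and (r["end"] is None or at < r["end"]):
            return r["mac"], r["user"]
    return None


# constructed sample logs
DHCP_LOG = [
    "2025-04-04 09:00:00 DHCPACK ip=10.0.1.20 mac=AA:BB:CC:DD:EE:01",
    "2025-04-04 09:00:02 DHCPACK ip=10.0.1.21 mac=aa:bb:cc:dd:ee:02",
    "2025-04-04 13:00:00 DHCPACK ip=10.0.1.20 mac=aa:bb:cc:dd:ee:01",  # renewal
    "2025-04-04 17:30:00 DHCPACK ip=10.0.1.20 mac=aa:bb:cc:dd:ee:03",  # IP reassigned
]
AUTH_LOG = [
    "2025-04-04 08:59:50 AUTH-OK user=alice mac=aa:bb:cc:dd:ee:01",    # logon before lease
    "2025-04-04 09:00:30 AUTH-OK user=bob mac=aa:bb:cc:dd:ee:02",      # logon after lease
]

if __name__ == "__main__":
    table = build_table(DHCP_LOG, AUTH_LOG)
    print(who_had(table, "10.0.1.20", "2025-04-04 12:00:00"))
```

The third row has no user because no logon was ever seen for that MAC; that is exactly the gap the text says AD or RADIUS integration closes, and it is why a lookup should return the MAC alongside the (possibly missing) user name rather than failing.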

◇ Bandwidth Monitor:

Try asking MIS: what is the normal traffic level in our environment? I often get answers like "I don't know how to measure it."

The function of the Bandwidth Monitor device is to show MIS the bandwidth usage of the whole network environment. Because it specializes in analyzing bandwidth usage, it can break usage down into: total bandwidth usage, usage per application, usage per IP, an individual IP's bandwidth usage, an individual IP's application usage, per-protocol traffic, per-user, per-group and per-domain usage. It is very helpful for MIS to find out who is occupying the network bandwidth, or what software is being used.
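The breakdowns listed above are all views over the same flow records, as the added example below shows. It is written for this page and is not the article's or any monitoring product's code; the flow records, the IP-to-user/department map and the port-to-application guess are constructed samples.

```python
"""Added example (not from the original article): aggregate constructed flow
records the way a Bandwidth Monitor does -- total, per IP, per protocol, per
application, per user, per group and per IP+application -- and rank them."""
from collections import Counter

IP_TO_USER = {  # assumed mapping supplied by AD/IPAM: ip -> (user, department)
    "10.0.0.5": ("alice", "rd"),
    "10.0.0.9": ("bob", "accounting"),
    "10.0.0.12": ("carol", "rd"),
}
APP_BY_PORT = {80: "http", 443: "https", 53: "dns", 6881: "bittorrent"}  # assumed guess

# constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "tcp", 443, 5_000_000),
    ("10.0.0.5", "203.0.113.11", "udp", 6881, 40_000_000),
    ("10.0.0.9", "203.0.113.12", "tcp", 80, 2_000_000),
    ("10.0.0.12", "203.0.113.13", "tcp", 443, 3_000_000),
    ("10.0.0.12", "10.0.0.1", "udp", 53, 50_000),
    ("10.0.0.77", "203.0.113.14", "tcp", 8443, 1_000_000),  # host with no user mapping
]


def aggregate(flows, ip_to_user=IP_TO_USER, app_by_port=APP_BY_PORT):
    """Return one Counter per view plus the grand total, all in bytes."""
    views = ("by_ip", "by_proto", "by_app", "by_user", "by_group", "by_ip_app")
    agg = {v: Counter() for v in views}
    total = 0
    for src, _dst, proto, port, nbytes in flows:
        app = app_by_port.get(port, f"{proto}/{port}")  # unknown port: keep proto/port
        user, group = ip_to_user.get(src, ("unknown", "unknown"))
        total += nbytes
        agg["by_ip"][src] += nbytes
        agg["by_proto"][proto] += nbytes
        agg["by_app"][app] += nbytes
        agg["by_user"][user] += nbytes
        agg["by_group"][group] += nbytes
        agg["by_ip_app"][(src, app)] += nbytes
    agg["total"] = total
    return agg


def top(agg, view, n=3):
    """Largest consumers in one view, e.g. top(agg, "by_ip")."""
    return agg[view].most_common(n)


def share(agg, view, key):
    """Fraction of all bytes attributed to `key` within `view`."""
    return agg[view][key] / agg["total"] if agg["total"] else 0.0


if __name__ == "__main__":
    a = aggregate(FLOWS)
    print("total bytes:", a["total"])
    print("top talkers:", top(a, "by_ip"))
    print("bittorrent share: %.1f%%" % (100 * share(a, "by_app", "bittorrent")))
```

Keeping "unknown" as an explicit user and department, rather than dropping unmapped hosts, is what makes the per-user view trustworthy: a large "unknown" bucket tells MIS that the IP-to-user mapping (the IPAM or AD integration) is incomplete, not that the traffic does not exist.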

◇ software:

Software is used for network security management mainly because some packets only become meaningful at the application layer, or must be processed by the operating system and applications before they can be analyzed, managed or protected; another reason is that what the End User actually does can never be grasped without something like asset management software. A common kind of network security software is DRM, used to encrypt specific files in the environment, such as the company's specially designed CAD files, each of which represents a great deal of the company's work. What is needed is to encrypt all such files to guard against the possibility of company information leaking. A distribution Server is needed, and AD is used to apply a GPO that distributes the agent to computers logging in to the domain. From then on, as soon as a user opens a file of the format to be encrypted, it is encrypted directly! Another common kind is asset management software: after an Agent is distributed to the Client computers, the Agent automatically collects the software and hardware information on each computer and sends it back to the asset software server. This is what the original asset software did, and it consolidates the data for software and hardware asset management in the environment. MIS, who like to control all the information, then asked to understand everything on the user side: can the software and hardware be controlled directly? Yes! Products are often produced by demand, so current asset management software not only collects client-side data but also directly restricts what the user side can do, such as making USB read-only rather than writable, banning certain uses during working hours, or directly taking over your computer as if it were their own (more professionally, this is called the remote repair function).

Therefore it can also directly record the user's desktop usage! It is truly MIS's favorite!

Source of the article:

Http://wenku.baidu.com/link?url=ypZzps8gKwQsqn0kK3zIj-zw4vbQUsQJAMv3rhJcEebRnel968eMamT0LgMIOCklL_nmOnephYV9IiQ7Yjcg-_Vr3mlvF7_nGpvEcdq7Ca7
