Product features of the network access system

Traditional network access technology requires the installation of a client, which has the following shortcomings:

Difficulty in implementation

Network administrators have to help each user with the installation, which makes deployment difficult, and users sometimes accidentally uninstall the client or ActiveX control. In 2012, a large domestic petrochemical enterprise abandoned the client or ActiveX control access control method and switched to a client-less access control method because of difficulties in installing a network access client.

Bugs or security vulnerabilities exist

The client may have bugs or security vulnerabilities, which can easily cause terminal abnormalities or be exploited in attacks, leading to security risks and affecting the stability and security of the entire network.

Occupying system resources

Client-side controls need to run on the terminal system, where they occupy system resources (CPU, memory, hard disk, network bandwidth, etc.), slowing the system down and affecting normal work.

NAM equipment can monitor the network behavior of terminals in the network, detect and control certain specific network behaviors, and proactively isolate or restrict them. For example, P2P downloads can be discovered and isolated.

[Figure: notification page shown after a terminal is isolated due to a P2P software download]

Terminal devices are managed by assigning them to different VLANs (for VLAN technical details, please refer to the third part of the technical introduction). Based on long-term experience in the access control industry and several technological updates, NAM equipment has gradually become more flexible and stable over the past few years. The customer's own VLAN topology can be retained, and only two new VLANs need to be added to the customer's network: a registration VLAN and an isolation VLAN.

In addition, NAM equipment is compatible with products from many equipment vendors (refer to Part 4 Supported Network Equipment).

VLAN management is implemented in different ways:

By switches (default method based on VLAN management)

By customer categories (default method based on role management)

Through client programs

Others...

Also, each switch can be combined with other methods to manage the use of VLANs. For example, through the default settings of the NAM device, after appropriate classification, a customer's printer can be assigned a VLAN based on the device the customer is connected to. This means you can easily have VLANs created by device type.

Nowadays, most agencies deal with online inquiries from different types of companies, so their work requires network access. In most cases, a company's internal network rarely provides network access to unapproved individuals or devices. Furthermore, they rarely have network access to the company's internal environment to avoid administrative burden.

NAM devices support a special VLAN to manage visitors. If you use a guest VLAN, you can configure the guest VLAN to only access the Internet or authorized network resources. In the registration VLAN, provide instructions to guests on how to register to obtain network access. This is usually defined by the administrator providing network access.

There are several ways to register a visitor:

The administrator authorizes the visitor's account information in advance

Password

Visitor self-registration (with or without authentication)

Visitor guarantee (employee associated with the visitor)

Visitor activated by email

Visitor activated via mobile phone (SMS)

NAM devices also integrate online payment solutions such as Alipay. In this way, you can make online payments and obtain relevant network access.

NAM devices can provide authentication to your users using multiple protocols/standards. This allows you to integrate NAM devices into your environment without requiring users to remember another username and password. Known authentication sources:

Microsoft's Active Directory

Novell's eDirectory

OpenLDAP

Cisco's ACS

RADIUS (FreeRADIUS, Radiator, etc.)

High availability of local user files has always been the focus of the research and development of NAM equipment.

The high availability of NAM devices has been proven in all of our deployments, whether using active or passive deployment modes. In our administrator manual, we describe in detail how to configure the NAM device and how to make it operate efficiently and stably.

NAM equipment uses a variety of open standards to avoid vendor lock-in. The standards we support and use mainly include:

802.1X

Simple Network Management Protocol (SNMP)

Standard SNMP Management Information Bases (MIBs), such as BRIDGE-MIB, Q-BRIDGE-MIB, IF-MIB, IEEE8021-PAE-MIB

RADIUS

NetFlow/IPFIX

Wireless ISP Roaming (WISPr)

Deployment plan:

1. Adopt bypass deployment and VLAN isolation.

2. The user area is divided into: employee VLAN, isolation VLAN, BYOD (Bring Your Own Device) device VLAN, and visitor VLAN.

3. Users use local account management, and visitors use email to apply for registration.

4. The service area is divided into: external service area VLAN and internal service area VLAN.

5. Quarantine area: terminals with P2P downloads, QQ instant chat software, or missing system upgrades and specified software patches.

6. The BYOD area mainly includes smartphones and tablets.

Deployment plan:

1. Adopt bypass deployment and VLAN isolation mode.

2. The logical levels are divided into central (headquarters), provincial (branch), and municipal (sales points).

3. Real-time data synchronization between upper- and lower-level devices and implementation of unified security policies.

4. Users use local accounts combined with domain account management, and visitors use text messages (SMS) to register and be reviewed by the administrator.

Deployment plan:

1. Use in-line (series) deployment and network layer isolation.

2. Users use local account management, and visitors apply by SMS and email, subject to review.

3. Quarantine area: terminals that have not installed system upgrades and specified software patches.

Security issues:

The intranet is chaotic, terminal models and systems are complex, and security incidents such as intranet scanning and intranet intrusion into servers have occurred.

Deployment plan:

1. Use in-line (series) deployment and network layer isolation.

2. Deploy NAM devices to protect the service area from the network layer and allow only authorized users to access it.

3. Authorized users are managed through local accounts and email accounts, and temporary users go through application and review.

4. Access time is strictly limited to prevent unauthorized users from accessing the service area.