Network problem? Urgent need!
With the development of information technology, the use of computers has spread all over the world. Many enterprises rely on IT to build their own information systems and business operation platforms. The use of IT networks has greatly enhanced the core competitiveness of enterprises and made them stand out in the information age.
Enterprises use communication networks to connect isolated stand-alone systems so that they can communicate with each other and share resources. However, because computer information is shared and the Internet is uniquely open, the information security problems of enterprises are becoming more and more serious.
External security
With the development of the Internet, network security incidents emerge one after another. In recent years, the spread of computer viruses, worm attacks, spam flooding and sensitive information leakage have become the most common security threats. For enterprise users, these threats often cause data destruction, system abnormality, network paralysis, information theft and a decline in work efficiency, and the direct or indirect economic losses are also great.
Internal security
According to the latest survey, more than 60% of employees in the enterprises surveyed use the Internet to handle private affairs. Improper use of the network reduces productivity, obstructs the computer network, consumes enterprise network resources, introduces viruses and spyware, or lets rule-breaking employees leak enterprise secrets through the network, causing tens of millions of dollars in losses to enterprises.
Connection security between internal networks and between internal and external networks.
With the development of enterprises and the popularization of mobile office work, new modes of operation involving corporate headquarters, branches and mobile office workers have gradually formed. How to handle information security across headquarters, branches and mobile office workers, ensuring the timely sharing of information while preventing leakage, has become a problem that has to be considered as an enterprise grows. The security of the network connection between local offices and headquarters directly affects the efficient operation of enterprises.
1. Analysis of the current situation of SME network
Small and medium-sized enterprises have different network topologies because of their different scales, industries, working methods and management methods. The network situation falls into the following types.
Centralized:
Small and medium-sized enterprise networks generally set up a complete network layout only at headquarters, using private line access, ADSL access or multi-line access. The total number of terminals in the network generally ranges from dozens to hundreds. Some networks are subnetted and host servers related to core business, such as databases, mail servers, document databases and even ERP servers.
Decentralized:
Multiple branch offices and mobile office work are used, and each branch has a small network deployment. Large branches use private line access, and ordinary branches use ADSL access. Users mainly reach the company's host equipment and databases through VPN, and exchange business information through mail or the intranet.
Comprehensive type:
A combination of the centralized and decentralized types.
[Figure: Comprehensive enterprise network diagram]
2. Network security design principles
The core goal of a network security system is to achieve effective control and management of the network system and of running applications. Any security system must be based on technology, organization and policy.
System design principle
By analyzing the layered structure of the information network, this paper puts forward a systematic security system and security framework, and analyzes the various security risks against that security system in order to solve possible security problems to the maximum extent.
Global integrated design principle
Judging from the actual situation of small and medium-sized enterprises, it is impossible to solve all security problems by relying on only one security measure. It is recommended to consider a range of security measures and to use highly scalable security solutions and products.
Feasibility, reliability and security
Feasibility is the foundation of a security scheme and directly affects how smoothly the network communication platform runs. Reliability is the guarantee for the normal operation of the security system and the network communication platform. Security is the ultimate goal of designing the security system.
3. Overall network security system architecture
The security scheme must be based on the scientific network security architecture, because the security architecture is the basis of the design and analysis of the security scheme.
[Figure: Overall security system architecture]
With more and more attacks and threats aimed at the application layer, security solutions that work only at the network layer and below are not enough to deal with application-layer attacks. As a simple example, worms that carry backdoor programs cannot be dealt with by a simple firewall/VPN security system. Therefore, we suggest that enterprises adopt a three-dimensional, multi-level security architecture. As shown in Figure 2, this multi-level security system requires not only a firewall/VPN at the network boundary, but also protection measures against application-layer attacks such as network viruses and spam, with application-layer protection placed at the network edge. This active protection can completely keep attack content out of the intranet.
1. Overall safety protection system
Based on the above planning and analysis, it is suggested that the network security system of small and medium-sized enterprises adopt an integrated, high-reliability security gateway to provide the following system functions, according to the purpose of the system:
Firewall system
Virtual private network system
Intrusion detection system
Network behavior monitoring system
Spam filtering system
Virus scanning system
Bandwidth management system
Wireless access system
2. Contents of the proposal
2.1. Overall network security scheme
Based on the above demand analysis, we suggest adopting the following overall network security scheme. The design of the network security platform includes the following parts:
- Firewall system: The firewall system is used to isolate and protect the intranet from the WAN. The server subnet in the internal network is protected by a separate firewall device.
- VPN system: Provides convenient IPSec VPN access for telecommuters and branches, protects data in transit, and gives users controlled access to the server system.
- Intrusion detection system: As a supplement to the firewall, intrusion detection equipment provides real-time alarms and active responses to attacks on the monitored network segments.
- Network behavior monitoring system: Regulates and monitors online behavior in the network, filters web page access, filters email, limits online chat, and prevents the download of illegal files.
- Virus protection system: Strengthens the application policy and management policy of the virus protection system to enhance the effectiveness of virus protection.
- Spam filtering system: Filters emails to keep out spam and virus-carrying emails.
- Mobile user management system: Applies security control when an internal notebook computer is reconnected to the intranet after being taken out, to ensure the security of notebook equipment and effectively prevent viruses or hacker programs from being brought into the intranet.
- Bandwidth control system: Gives network administrators a clear view of the real-time data flow in the network, so that they can learn the average level of network traffic, establish a traffic baseline, detect abnormal traffic in the network in time, and control bandwidth.
The overall safety structure is as follows:
[Figure: Network security planning diagram]
This proposal recommends the French LanGate product scheme. The LanGate UTM unified security gateway can fully meet all the security requirements of this scheme. The LanGate UTM security gateway is a new generation of comprehensive security protection system which integrates firewall, VPN, intrusion detection, network behavior monitoring, anti-virus gateway, spam filtering, bandwidth management, wireless security access and other functions.
LanGate UTM product introduction
3.1. Product Catalogue
LanGate is a new generation of integrated network security hardware based on a dedicated chip and a professional network security platform. It can detect security threats such as harmful viruses and worms on the network without affecting network performance, and provides a cost-effective, high-availability and powerful solution for detecting and stopping attacks, preventing abnormal use and improving the service reliability of network applications.
On top of the security platform, the highly modular and highly extensible LanGate network products provide security protection services for enterprises through various extensible functional modules, to prevent external and internal network attacks. The product integrates various functional application modules and performance modules on the security platform. Application modules add functions, such as the ClamAV anti-virus engine or the Kaspersky virus engine and the spam filtering engine. This modular security architecture allows new security services to be added by online upgrade in time to protect the network when new viruses and threats are rampant, without reinvesting funds and resources. LanGate products are easy to install and upgrade, simplify the network topology, and reduce the costs of finding, installing and maintaining various security services from multiple product suppliers.
3.2. Main functions
Network-based anti-virus
LanGate is a gateway-level security device, which is different from pure antivirus products. LanGate does virus scanning for HTTP, SMTP, POP and IMAP on the gateway, and can control virus scanning or interception in different network directions through policies. The flexibility and security of its application will eliminate unnecessary concerns of enterprises. LanGate's anti-virus engine can be upgraded online at the same time, and the virus database can be updated in real time.
Security Management Based on User Policy
The whole network security service strategy can be managed based on users, which provides greater flexibility compared with the traditional IP-based management method.
Firewall function
The firewall of the LanGate series products is based on stateful inspection technology, which protects the enterprise's computer network from attacks from the Internet. The firewall provides a comprehensive security control policy for the "outside->inside", "inside->outside" and "inside->inside" (between subnets or virtual subnets) directions.
VPN function
LanGate supports IPSec, PPTP and L2TP VPN tunnels. The characteristics of the LanGate VPN include the following points:
- Support IPSec security tunnel mode
- Support policy-based VPN communication
- Hardware-accelerated encryption: IPSec, DES, 3DES
- X.509 certificate and PSK authentication
- Integrated CA
- MD5 and SHA authentication and data integrity
- Automatic IKE and manual key exchange
- SSH IPSEC client software supports dynamic address access and IKE.
- Establish VPN connection through PPTP supported by third-party operating system.
- Establish VPN connection through L2TP supported by third-party operating system.
- Support NAT traversal
- IPSec and PPTP
- Support wireless connection
- Star topology
Content filtering function
LanGate's content filtering is different from traditional content processing products based on a host system architecture. The LanGate device performs gateway-level content filtering based on dedicated chip hardware. The LanGate ASIC content processor includes a powerful scanning engine, which can match a large amount of content against thousands of keywords or other patterns. It can filter different types of content according to keywords, URL or scripting language, and also provides an exemption list and combined keyword filtering. At the same time, LanGate can also filter and block emails and chat tools.
Intrusion detection function
LanGate's built-in network intrusion detection system (IDS) is a real-time network intrusion detection sensor, which can identify all kinds of suspicious network activities and take action. IDS uses attack signature library to identify thousands of network attacks. At the same time, LanGate records every attack in the system log and sends an alarm email or SMS to the network administrator according to the settings.
Spam filtering and antivirus features include:
- Blacklists and whitelists of SMTP server IP addresses
- Fingerprint identification of spam
- Real-time blacklist technology
- Scan all e-mail messages for viruses.
Bandwidth control (QoS)
LanGate gives network managers a means to monitor and manage network bandwidth. Bandwidth can be controlled according to users' needs to prevent abnormal consumption of bandwidth resources, so that the network allocates bandwidth reasonably among different applications and ensures the normal operation of important services. Bandwidth management supports custom priorities, so that enterprises with traffic demands can meet their network management needs to the maximum extent.
System reports and system automatic warnings
The LanGate system has built-in detailed and intuitive reports, which provide all-round real-time statistics on network security. Users can define thresholds, and all events that exceed a threshold are automatically reported to managers by email and SMS (combined with an SMS gateway).
Multi-link bidirectional load balancing
It provides multi-link load balancing of incoming and outgoing traffic, supports automatic detection and isolation of faulty links among multiple egress links, and supports a variety of static and dynamic algorithms to intelligently balance the traffic of multiple ISP links. It supports multi-link dynamic redundancy, traffic ratios and intelligent switching; supports limiting the traffic volume on each link; supports a variety of DNS resolution and planning methods, suitable for various user network environments; and supports firewall load balancing.
3.2. Advantages of LanGate products
- Provide complete network protection.
- Provide highly reliable network behavior monitoring.
- Eliminate the threat of viruses and worms while maintaining network performance.
- Based on a dedicated hardware system, providing high performance and high reliability.
- User policies provide flexible network segmentation and policy control functions.
- Provide an HA high-availability port to ensure zero-interruption service.
- Powerful system report and automatic alarm function.
- A variety of management methods: SSH, SNMP, WEB. The WEB-based configuration interface (GUI) provides Chinese and English language support.
3.3 Introduction of LanGate Company
LanGate Group, headquartered in France, was founded in 1998, and is committed to the research and development of unified network security solutions and products. As an early professional IT security technology research and development institution, it specializes in the research of integrated IT network security equipment and solutions. Today, LanGate has become the OEM and professional R&D partner of many UTM, firewall and VPN brands in Europe, and is the leader of IT security technology, providing efficient and safe comprehensive network management solutions and products for users in all regions of the world.
The patented LanGate UTM integrates firewall, VPN (virtual private network), content filtering, IPS (intrusion prevention system), QoS (quality of service), anti-spam, anti-virus (anti-virus gateway) and wireless connection (wireless access authentication).
LanGate promotes UTM overall network security solutions around the world, and its sales network covers more than 30 countries and regions around the world. LanGate's product service department has subsidiaries all over the country, as well as certified partners, ISPs, distribution channels, certified VARs and certified SIs, providing professional and comprehensive IT security services to users around the world.