
Campus network basic network construction and network security design analysis

Abstract: With the growing popularity of the Internet and the rapid development of network applications, the security of network information resources has become a major concern. Hosts in a campus network may be attacked by intruders, and sensitive data in the network may be leaked or modified, so ensuring the confidentiality, integrity, availability, controllability and auditability of the network system is of real significance. Building the campus network through a suitable network topology and networking technology, and improving its security through the physical, data and other aspects of the security design, is an effective way to address these problems.

Keywords: campus network; network construction; network security; design.

The wave of informatization represented by the Internet has swept across the world, and the application of information network technology has become ever more widespread and deep. Alongside the rapid development of network technology, a variety of security problems have appeared one after another: campus networks have been "hacked" or damaged by viruses, causing very bad social impact and huge economic losses. Maintaining campus network security must start from the network construction and the network security design.

First, the construction of the basic network.

Given the characteristics of the campus network (large data traffic, stability, economy and expandability) and the requirements of each department (access control between the production department and the office department), we adopt the following scheme:

1. Network topology selection: the network adopts a star topology (Figure 1). It is currently the most widely used and most common LAN topology. Nodes have a high degree of independence, and the topology is well suited to placing network diagnostic equipment at a central location.

2. Selection of networking technology: the networking technologies commonly used for backbone networks at present are Fast Ethernet (100Mbps), FDDI, Gigabit Ethernet (1000Mbps) and ATM (155Mbps/622Mbps). Fast Ethernet is a very mature networking technology with low cost and a high performance-to-price ratio; FDDI is also a mature networking technology, but it is technically complex, costly and difficult to upgrade; ATM is a mature technology and an ideal network platform for multimedia application systems, but its actual utilization of network bandwidth is very low; Gigabit Ethernet has become a mature networking technology with lower cost than an ATM network, and its effective bandwidth is higher than that of 622Mbps ATM. Therefore, I recommend Gigabit Ethernet as the backbone, with Fast Ethernet switched to the desktop for the computer broadcast control network.

Second, network security design.

1. Physical security design. To ensure the physical security of the campus network information system, beyond the requirements placed on network planning, the site and the environment, the leakage of system information through space must also be prevented. The interception of information through the electromagnetic radiation of computer systems, with the resulting loss of confidentiality, has been confirmed by a great deal of theoretical and technical work as well as by verification in practice: such interception is possible at distances of hundreds of meters or even kilometers, and this kind of recovery and display technology poses a serious threat to the confidentiality of computer system information. To prevent information in the system from radiating into space, certain physical protective measures are usually taken to reduce or jam the radiated signal. The usual precautions cover three aspects. First, shielding of the host room and of the departments that store, receive and dispatch important information: a shielded room with efficient shielding performance is built, and the main equipment is installed and operated inside it, in order to prevent signal leakage from magnetic drums, tapes and high-radiation equipment. Second, to preserve the effectiveness of the shielded room, every link and connection between the room and the outside world, such as signal lines, telephone lines, air conditioning, fire control lines, ventilation ducts, waveguides and the door seals, must be given corresponding isolation measures in its design. Third, suppression of conducted radiation on LAN transmission lines: since cable transmission inevitably radiates information, fiber-optic cable is now used for transmission; most equipment has an optoelectronic conversion interface on the modem side, and the fiber-optic cable connects the shielded room to the outdoor transmission path.

2. Security design for network shared resources and data information. To address this problem, we decided to use VLAN technology together with physical isolation of the computer network. A VLAN (Virtual Local Area Network) is an emerging technology that creates virtual workgroups by dividing the devices on a LAN into segments logically rather than physically.

In 1999 the IEEE issued a draft of the 802.1Q standard to standardize the implementation of VLANs. It allows network administrators to logically divide a physical LAN into broadcast domains (virtual LANs, or VLANs), each of which contains a group of computer workstations with the same requirements and has the same attributes as a physically formed LAN.

However, because the division is logical rather than physical, the workstations within one VLAN need not be located in the same physical space, i.e. they do not necessarily belong to the same physical LAN segment. Broadcast and unicast traffic within a VLAN is not forwarded to other VLANs: even if two computers are on the same network segment, if they do not carry the same VLAN number their broadcast streams are not forwarded to each other. This helps control traffic flow, reduces the investment in equipment, simplifies network management and improves network security. To achieve this, 802.1Q adds a VLAN header to Ethernet frames, divides users into smaller workgroups by VLAN ID, and restricts Layer 2 access between users of different workgroups; each workgroup is a virtual LAN. The benefits of virtual LANs are that they limit the broadcast range and form virtual workgroups that allow the network to be managed dynamically.

At present, dividing VLANs by port is one of the most commonly used methods. Many VLAN vendors use switch ports to define VLAN membership, and the ports so configured all lie in the same broadcast domain. For example, ports 1, 2, 3, 4 and 5 of a switch are defined as VLAN AAA, and ports 6, 7 and 8 of the same switch form VLAN BBB. This allows communication between the ports of a VLAN and allows shared networks to be upgraded.

However, this segmentation model limits a virtual network to a single switch. Second-generation port-based VLAN technology allows a VLAN to be divided across ports on multiple switches, so that several ports on different switches can form the same virtual network. The configuration process for dividing network membership by switch port is straightforward.
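The two VLAN mechanisms described above (the 802.1Q tag in the Ethernet frame, and port-based membership on one switch or across a trunk between two switches) can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the article or from any vendor; the MAC addresses, the VLAN IDs 100 and 200 standing in for the page's VLAN AAA and VLAN BBB, and the port layout are all constructed assumptions. It builds and parses tagged frames, then runs a learning switch that floods broadcasts only within a VLAN and carries tagged frames over a trunk port to a second switch.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6

# Constructed sample MAC addresses (locally administered, not real hosts)
MAC_A1 = bytes.fromhex("02000000aa01")   # host on VLAN AAA, switch 1 port 1
MAC_A2 = bytes.fromhex("02000000aa02")   # host on VLAN AAA, switch 1 port 2
MAC_B6 = bytes.fromhex("02000000bb06")   # host on VLAN BBB, switch 1 port 6

VLAN_AAA, VLAN_BBB = 100, 200            # assumed VLAN IDs for the page's AAA/BBB


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting a 4-byte 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)          # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Parse an Ethernet II frame; returns vlan=None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


class Switch:
    """Learning switch with port-based VLANs. Access ports carry untagged frames
    for exactly one VLAN; trunk ports carry tagged frames for all VLANs (the
    second-generation, multi-switch model described on the page)."""

    def __init__(self, name, access, trunks=()):
        self.name = name
        self.access = dict(access)    # port number -> VLAN ID
        self.trunks = set(trunks)
        self.mac_table = {}           # (vlan, mac) -> port: MACs are learned per VLAN

    def forward(self, in_port, raw):
        """Return {out_port: frame_bytes} for a frame arriving on in_port."""
        frame = parse_frame(raw)
        vlan = frame["vlan"] if in_port in self.trunks else self.access[in_port]
        if vlan is None:
            return {}                 # untagged frame on a trunk: no native VLAN here, drop it
        self.mac_table[(vlan, frame["src"])] = in_port
        known = self.mac_table.get((vlan, frame["dst"]))
        if known is not None and known != in_port:
            targets = [known]         # known unicast: one port, same VLAN by construction
        else:                         # broadcast/unknown: flood, but only within the VLAN
            targets = [p for p in list(self.access) + sorted(self.trunks)
                       if p != in_port and (p in self.trunks or self.access[p] == vlan)]
        return {p: build_frame(frame["dst"], frame["src"], frame["ethertype"], frame["payload"],
                               vlan_id=vlan if p in self.trunks else None, pcp=frame["pcp"])
                for p in targets}


def two_switch_demo():
    """Switch 1: ports 1-5 = VLAN AAA, 6-8 = VLAN BBB, port 9 = trunk to switch 2.
    Switch 2: port 1 = VLAN AAA, port 2 = VLAN BBB, port 9 = trunk to switch 1."""
    sw1 = Switch("sw1", {**{p: VLAN_AAA for p in range(1, 6)},
                         **{p: VLAN_BBB for p in range(6, 9)}}, trunks=[9])
    sw2 = Switch("sw2", {1: VLAN_AAA, 2: VLAN_BBB}, trunks=[9])
    # 1. host A1 broadcasts: copies reach AAA ports 2-5 and the trunk (tagged), never 6-8
    out1 = sw1.forward(1, build_frame(BROADCAST, MAC_A1, 0x0806, b"who-has?"))
    # 2. the trunk copy crosses to switch 2 and is flooded only to its AAA access port
    out2 = sw2.forward(9, out1[9])
    # 3. a BBB host sending to A1's MAC is flooded within BBB only: the MAC is unknown there
    out3 = sw1.forward(6, build_frame(MAC_A1, MAC_B6, 0x0800, b"cross-vlan"))
    # 4. A2 replying to A1 is a known unicast and goes straight to port 1
    out4 = sw1.forward(2, build_frame(MAC_A1, MAC_A2, 0x0800, b"reply"))
    return {"bcast_ports": sorted(out1), "trunk_tag": parse_frame(out1[9])["vlan"],
            "sw2_ports": sorted(out2), "bbb_ports": sorted(out3), "reply_ports": sorted(out4)}


if __name__ == "__main__":
    for key, value in two_switch_demo().items():
        print(f"{key}: {value}")
```

Step 3 of the demo is the security point of the passage: the BBB host addresses a MAC that exists on the same switch, but because the MAC table is keyed by VLAN the frame never leaves VLAN BBB. Note that a real switch would also need a native VLAN policy for untagged frames on trunks; this example simply drops them.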

3. Design for the prevention and control of computer viruses, hackers and e-mail application risks. We use anti-virus technology, firewall technology and intrusion detection technology to address these problems. Firewalls and intrusion detection also play a large role in information security and access control.

First, anti-virus technology. Viruses have developed alongside computer systems for more than a decade, and their present forms and infection paths have changed enormously: almost every day new viruses appear on the Internet, and since they spread through Internet information exchange, especially e-mail, they propagate extremely fast. Computer hackers often attack with viruses carrying malicious programs.

To protect the servers and workstations in the network from computer viruses, and at the same time to establish a centralized and effective virus control mechanism, network-based anti-virus technology needs to be applied. These technologies include gateway-based, server-based and desktop-based anti-virus systems. For example, we plan to install a unified suite of network-based anti-virus products on the main host and set up an anti-virus central console in the computer information network, from which the anti-virus software is distributed to all network users, achieving unified upgrading and unified management. After the network-based anti-virus software is installed, not only is the host itself protected from viruses, but the files transmitted through the host are also kept free of viruses, so that a centralized and effective anti-virus control system is established to ensure the security of computer network information. (Overall topology diagram.)

Second, firewall technology. An enterprise firewall is generally a dedicated network security device integrating software and hardware. At the network layer of the TCP/IP stack it provides identification, access control, security auditing, Network Address Translation (NAT), IDS, application proxying and other functions, protecting the internal LAN's access to the Internet or a public shared network and solving the security problem at the entrance and exit of the internal computer information network.

Some of the information on the campus network cannot be released to the public, so it must be strictly protected and kept confidential, and access to the campus network by external personnel must be strictly managed to eliminate leakage of sensitive information. Through the firewall, external users' access to the campus network is strictly controlled and illegal access is rejected. A firewall can provide a variety of protection for the campus information network, including filtering out insecure services and illegal access, controlling access to special sites, monitoring Internet security and giving early warning, system authentication, and using its logging function to analyze the access situation. With the firewall, it can basically be ensured that access to the internal network is safe: illegal access is effectively prevented, the data on important hosts is protected, and network integrity is improved. The campus network structure is divided into the LANs of the individual departments (the internal security subnet) and a shared security subnet that connects to the internal network and at the same time provides various network services to the outside. (Topology diagram of the firewall.)

The internal security subnet connects the computers used throughout the campus, including the various VLANs and internal servers. This network segment is only partially open to the outside: external illegal intrusion and attack are prohibited, and legitimate external access is controlled, to secure the internal subnet. The shared security subnet connects the computers and servers that provide WEB, EMAIL, FTP and other services externally, and achieves port-level security through mapping. External users can only access the servers and ports that the security rules open to the public; the servers' other services are hidden, reducing system vulnerabilities.
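The firewall policy described in the two paragraphs above (external users reach only the WEB, EMAIL and FTP ports of the shared security subnet through a port-level mapping, the internal subnet is closed to the outside, and rejected access is logged for later analysis) can be expressed as a small zone-based rule evaluator. The following Python is an added example for this page, not code from the article or from any firewall product. The address ranges, the public address, the DNAT table and the rule that DMZ hosts may not open sessions toward the internal subnet are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for the example (documentation ranges, not real hosts).
# Zones are checked in order; "external" is the catch-all for anything else.
ZONES = [
    ("internal", ip_network("10.10.0.0/16")),     # departmental VLANs, internal servers
    ("dmz",      ip_network("172.16.1.0/24")),    # the shared security subnet
    ("external", ip_network("0.0.0.0/0")),
]
PUBLIC_IP = "203.0.113.10"                        # the firewall's outside address

# Port-level mapping: only these public ports are translated to a DMZ server.
DNAT = {
    ("tcp", 80): ("172.16.1.10", 80),   # WEB
    ("tcp", 25): ("172.16.1.20", 25),   # EMAIL (SMTP)
    ("tcp", 21): ("172.16.1.30", 21),   # FTP control channel
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                       # zone name or "*"
    dst_zone: str
    action: str                         # "allow" or "deny"
    proto: Optional[str] = None         # None matches any protocol
    dports: Optional[frozenset] = None  # None matches any destination port


# First match wins; the last rule is the default deny.
RULES = [
    Rule("internal-out",    "internal", "external", "allow"),
    Rule("internal-to-dmz", "internal", "dmz",      "allow"),
    Rule("public-services", "external", "dmz",      "allow", "tcp", frozenset({80, 25, 21})),
    Rule("dmz-no-initiate", "dmz",      "internal", "deny"),   # assumption: DMZ never starts sessions inward
    Rule("default-deny",    "*",        "*",        "deny"),
]


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "external"


def translate(pkt: Packet) -> Packet:
    """Destination NAT: map an exposed public port to its DMZ server; leave everything else alone."""
    target = DNAT.get((pkt.proto, pkt.dport)) if pkt.dst == PUBLIC_IP else None
    if target is None:
        return pkt
    return Packet(pkt.src, target[0], pkt.proto, target[1])


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.log = []                   # audit trail of denied packets, for later analysis

    def evaluate(self, pkt: Packet):
        """Return (action, rule_name, packet_after_nat) for one packet."""
        pkt = translate(pkt)
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for r in self.rules:
            if r.src_zone not in ("*", src_zone) or r.dst_zone not in ("*", dst_zone):
                continue
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.dports is not None and pkt.dport not in r.dports:
                continue
            if r.action == "deny":
                self.log.append(f"DENY {r.name} {src_zone}->{dst_zone} "
                                f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
            return r.action, r.name, pkt
        self.log.append(f"DENY no-rule {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return "deny", "no-rule", pkt


if __name__ == "__main__":
    fw = Firewall(RULES)
    for p in [Packet("198.51.100.7", PUBLIC_IP, "tcp", 80),      # public WEB: allowed, mapped
              Packet("198.51.100.7", PUBLIC_IP, "tcp", 22),      # not mapped: hidden, denied
              Packet("198.51.100.7", "10.10.5.20", "tcp", 445),  # external -> internal: denied
              Packet("10.10.5.20", "198.51.100.7", "tcp", 443)]: # internal -> Internet: allowed
        print(fw.evaluate(p))
    print("\n".join(fw.log))
```

The mapping table and the rule set are deliberately separate: the mapping decides which public ports exist at all, and the rule set decides who may use them, so a service that is reachable inside the DMZ (port 3306 in the test, for instance) stays invisible from outside even when an external address is aimed at the DMZ server directly. The deny log is the input the passage has in mind when it speaks of using the logging function to analyze the access situation.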
