WAN security
Due to most of the wide area networks use public networks to perform data transmission, the possibility of interception and utilization when transmitting on wide area online is much larger than the local area network. If there is no dedicated software to control the data, you can easily intercept and decipher the communication data easily using the "package detection" tool software downloaded on the Internet.
Therefore, a means must be taken so that it is guaranteed when transmitting and receiving information on a wide area network:
1 In addition to the senders and reception, others are unknown (privacy);
2 Do not be tampered with (authenticity) during the transmission process;
3 Send Energy can recognize that the recipient is not a counterfeit (non-assault);
4 The sender cannot deny your own send behavior (unrecognizable).
To achieve the above security purposes, WAN usually uses the following security solutions:
1. Encryption Technology
The basic idea of encrypted network security technology is not to rely on the security of data channels in the network to implement the security of network systems, but to ensure the security and reliability of the network through encryption of network data. Data encryption technology can be divided into three types, namely, symmetrical encryption, asymmetric encryption, and irreversible encryption.
There is no key storage and distribution problem without key storage and distribution, which is suitable for distributed network systems, but its encryption calculation is considerable, so it is usually used in the case of limited data volume. The password in the computer system is encrypted using the non-reversible degree algorithm. In recent years, with the continuous improvement of computer system performance, the application of irreversible intensive algorithms has gradually increased, such as RSA's MD5 and the US National Standards Bureau's SHS. Cisco routers widely used in customs systems, there are two password encryption methods: Enable Secret and Enable Password. Among them, the Enable Secret uses the MD5 irreversible algorithm, so that the crack method has not been found (unless using a Dictionary attack method). ENABLE Password uses a very fragile encryption algorithm (i.e. to simply perform a password to XOR and or or operations), at least two cracked software. Therefore, it is best not to enable Password.
2. VPN technology
The core of VPN (virtual private network) technology is to use tunnel technology to encrypt the data encryption of enterprise special network, and transmit to sensitive data through the virtual public network tunnel to prevent sensitive data. VPN can be created on the Internet, service provider IP, frame relay, or ATM. The company has established VPN through the public network, just like the internal network through its own private network, enjoys high security, priority, reliability, and management, and its establishment cycle, investment funds and maintenance costs are greatly reduced. At the same time, it also provides mobile computing. Therefore, the VPN technology is launched, and it is red.
However, it should be noted that many core protocols of the current VPN technology, such as L2TP, IPSec, etc., have not yet formed a general standard. This makes the interoperability between VPN devices between different VPN service providers. Therefore, when enterprises build online selection, it must be carefully selected VPN service providers and VPN devices.
3. Identity certification technology
For users who have access to the headquarters from the outside, the risk of data transmission by using the public telephone network must be more strictly controlled. One common practice is to use identity authentication technology to verify the identity of the dial user and record the complete login log. More commonly used identity authentication technology, there are TACACS and industry-standard RADIUs proposed by Cisco. In the design of Xiamen Customs, the author selected the Cisco Ciscosecure ACS V2.3 software for RADIUS authentication.
External network security
Customs' external network construction, usually refers to both internets and two internets with external enterprise users. No matter which external network, TCP / IP-based Internet protocols are generally employed. The Internet Agreement's own open greatly facilitates the networking and interconnection of various computers, and directly promotes the rapid development of network technology. However, due to the neglect of security issues in early network protocols, and the Internet's security-based security is gradually threatened by the security of the Internet itself, the hacker event has occurred frequently. The threat to external network security is mainly manifested in: unauthorized access, pretending to legal users, destroying data integrity, and normal operation of the interference system, using network propagation viruses, line eavesdropping, etc.
The external network security solution mainly relies on firewall technology, intrusion detection technology and network antivirus technology. In the actual external network security design, the above three techniques (ie, firewall, intrusion detection, network anti-virus) are often taken. In the design of Xiamen Customs, the author selected the latest version of the three host adaptive dynamic firewall Gauntlet Active FireWall, NAI. The firewall product integrates Gauntlet Firewall, Cybercop Scanner, Cybercop Monitor, WebShield for FireWall and other suits, integrating firewall technology, intrusion detection technology with network antivirus technology, closely combined, complement, cost-effective.
