Data Center Network Solution
Chapter 1. Preface
As one of the important infrastructures of enterprise and the supporting platform of enterprise's information construction, data center plays an important role in scientific research and management of enterprise.
Data center network construction is a complicated project, which needs to be combined with the current situation of enterprises, their needs for future development, the requirements of the enterprises' internal IT service to the network, the development trend of the network technology itself and many other factors to consider. Completing this project successfully requires thorough project planning and implementation and close cooperation among personnel of each department and professional web designers and enterprises' project team . Its detailed technical design and implementation plan must be carried out after analyzing the actual situation of the business and demands for the long-term future development, including analysis of the existing IT overall planning, evaluation and analysis of critical business applications and analysis of related business operation requirements. Therefore, the project is definitely not the accumulation of some empty files, but a complex project with concerted efforts of the both sides. Upholding the principle of friendly and cooperative relations, we participate in this project design with the purpose to make use of our rich experience in network construction and planning and advanced network equipment to provide a whole solution. With the professional services, we are aimed to help build the backbone network of broadband data. We hope that in this project and in the future concrete physical structure design and project management, we will be able to carry out closer and sincere cooperation with your university.
Chapter 2. Principles And Ideas of Design
Section 1. Overall objectives and requirements of the project
Communication system is a network system based on the enterprise application. The network application is driven by the operating model of enterprise application, while network application drives the professional service, network management and network infrastructure. In this model, enterprises' top concern is the application of the network. But professional service, rigorous network management system and reliable network infrastructure are also the basis for carrying network application.
1.1 Demand analysis
Data center network mainly satisfies the internal research, communication, and office needs. It can improve the overall level of enterprise information construction and improve the general efficiency of scientific research, office and management of enterprises. The main requirements of enterprise network construction are as the following.
(1) realize the networking of all floor departments within the enterprise network.
(2) realize the secure access of all users within the enterprise network, ensure the high-speed and secure access of Internet users within the enterprise network, and reject some illegal users.
(3) build a high-speed, safe and efficient network base support platform to create conditions for the realization of "digital enterprises".
(4) realize the modernization of enterprise management system.
(5) realize the multi-media of enterprise system (including implementation of VoIP system).
1.2 Overall goal of network construction
To ensure safe, high-speed, and reliable interconnection among all computers;
To realize safe and reliable interconnection between enterprise network and China Mobile, Internet (China Telecom) and China Unicom;
To realize the network management system of enterprise network, realize effective configuration management, failure management, safety management, accounting management and performance management;
To put data center network as the fundamental operating environment to set up the fundamental environment of network application which is based on high-performance multimedia enterprise system and focuses on applications like information exchange, information release, inquiry and application of network applications such as video conference and offer advanced support means for leaders' decision-making, daily administrative management, enterprises and scientific research.
To set up the whole office automation system and various management information system in the network environment, to realize centralized management, processing and information sharing of all kinds of information in the whole organization;
To establish an all-unit Internet and Intranet application to provide services for information acquisition and information exchange throughout the organization;
To ensure that network system has the perfect security guarantee system structure and have sound security guarantee ability;
To ensure that the main part of enterprise network should be able to support the next generation Internet standards such as IPV6;
Section 2. Overall design principles of the project
Enterprise data center network, due to its operation of enterprise systems, needs to ensure the normal operation of the network. It is very important to avoid the sudden quality deterioration of enterprises even the suspension of enterprises because of network failure or change. As the data processing and forwarding center, the reliability of internet should be taken into full consideration .
The reliability of data center network depends on redundant technology, including power redundancy, processor redundancy, module redundancy, equipment redundancy, link redundancy and other technologies.
Module redundancy should consider that all key modules and environmental components of the backbone and core devices of internet junction point have the hot backup function of 1+1 or 1: N and all modules have the hot swapping function. When a critical module breaks down, the backup module can realize its function.
Device redundancy consider the possibility to provide a virtual routing device by two devices at the network core exit. For example, if the VRRP routing protocol is launched by the core device DCRS-9808, when one of the devices stops working due to breakdown, the other device automatically takes over its work, and will not cause the routing table of other nodes to re-calculate, thereby enhancing the stability of network.
Link redundancy considers the trunk connection (connection between the information center of computer network and the trunk building) to have reliable means of line redundancy. According to the large amount of business information and taking full account of the workload of operation and maintenance and other factors, DCRS-9808 can meet reliability requirements of data center-leve land flexibility requirements of enterprise network application. The self-healing system design and smooth software load function can achieve system upgrading function without restarting the switch. This network self-healing feature should be able to ensure that it will not cause instantaneous deterioration of business quality and will not cause business interruption. Besides, it should ensure more than 99.999% availability of the system and ensure that equipment is out-of-use at most 5.36 minutes per year. Only when achieve such indicators can we really reduce the maintenance workload of the network center and provide the enterprise with a high quality information network space.
The development trend of the network is based on the open network system of Internet Web technology. This not only brings new great convenience, but also brings increasing challenges from complex application and information technology challenges, and thus security is a key factor to consider for the construction of enterprise data center network.
Xiamen Node believes that the contents of network security should mainly include the following five aspects:
Identity authentication and authorization
Identity includes identification and authorization. Identification answers two questions, "Who are you" and "Where are you?"Authorization answers "What can you visit?".Careful deployment of identity mechanisms must be made, because if the facility is difficult to use, even the most rigorous security policy might be avoided.
Border security involves the function like firewall that determines which business is allowed or denied in different areas of the network, especially between the Internet and the campus network or between the dail-in network and the campus network.
The confidentiality and completeness of data
The confidentiality of data means that only entities that are allowed to read the data read data in an effective manner, while the completeness of data means that the data is not changed during transmission.
In order to verify the effectiveness of the safe infrastructures, regular security reviews should be conducted, including installation checks new system to find out measures to fight against malicious intrusion, possible special problems (denial of business attacks), and ensure the full compliance with security policies.
Because network security involves many above aspects and each aspect uses a variety of products and technologies, centralized and effective management of these products can help network administrators to effectively deploy and update their own security policies.
In terms of strategies and steps of network security implementation, we should follow the reincarnation mechanism and consider the following five aspects, developing a unified security strategy, purchasing the appropriate security products to implement security protection, monitoring network security situation (While facing attacks, security measures should be adopted), proactively testing network security risks and generating overall reports on network security and improving security policies.
The extend ability of network
From the development of enterprises' information system in our country, the expansion of the current number of users and the application system is the inevitable trend. The network system is facing the pressure of data flow increase. In designing the information network of enterprise system, the extend ability of the system should be fully considered so as to protect the network system investment.
The extendibility of the network includes the expansion ability of switching capacity of the equipment, the expansion ability of the number of ports, the expansion of the backbone broadband, and the expansion of the network scale.
Exchange capacity expansion should have the ability to continue to expand 2-4 times on the existing basis to meet the rapid expansion of IP business needs. Equipment selection should take full account of packet forwarding capability and data exchange capacity.
Port density expansion requires careful analysis of the expansion possibilities of users and application system and the configuration of highly expansible network equipment in information nodes with the possibility of expansion to meet the needs for the user access and system interconnection when the internet capacity expands.
The backbone equipment should have sufficient interfaces to meet the 4-8 times or even higher bandwidth expansion capabilities and meet the needs of rapid expansion of IP applications and business.
Network scale expansion should take into account the network structure, routing protocol planning and equipment's CPU routing processing capabilities and should be able to meet the needs for user access when the internet capacity expands and the necessary processing capacity when data flow changes or increases.
The core ten thousand megabytes switching equipment DCRS-9808 provides 12 slots, of which 8-bit business slots adopt IP-based communications and critical business design optimization and can provide uninterrupted, wire-speed, non-blocking ten thousand Megabytes or high-density gigabit switching.
7.2T backplane bandwidth and up to 1786Mpps wire-speed forwarding performance can ensure that the needs of the switch with network core large data volume to be met and provide a variety of access modules to meet the needs of a variety of enterprise network applications and offers IPv6 and L2 MPLS functions to meet the advancement requirement of enterprise network.
Advancement and maturity
All the components of the system should be fully considered about its advanced nature. We cannot blindly pursue practicality and ignore the advancement. Only when today's most advanced technology closely combines with our practical application requirements can we get the maximum system performance and efficiency.
As enterprise is the pioneer of network technology application, in the network design, we fully consider the enterprise network equipment's support for new technology standards, such as, IPV6, MPLS VPN and other technologies. For enterprise network center and the occasion with the demands of large data exchange, the core switch should be able to meet the load balancing function of the server so as to meet the needs of enterprises' users for the large amount of data communication.
As the information system basis, the network structure and network equipment configuration and bandwidth should be able to fully meet the needs of network communications. Network hardware structure should undergo the long-term test in the practical application. In addition, the running speed and performance should be stable and reliable, with sound and practical solutions, and get more wide use and support from the third-party developers and users around the world. Extensive support and use on a global scale. At the same time, we should choose very promising and more advanced technologies and products from the long-term technological development view to meet the needs of the future development of the system.
With the increasing number of devices in the network and more and more complicated network technology, the importance of network management becomes more obvious - the complexity of network causes rising uncertainties of the system, decreasing reliability and greater losses resulted from longer "downtime". However, it is often the case that because of the neglect of network management and the lack of professional training of network management personnel and the lack of integrated solutions of network management, there is nowhere to go when problems arise, by then the importance of network management can be aware. As a set of perfect and reliable-demanding system, of course, it is not expected to remedy when it is too late, so the network management is one of the essential considerations of network design. From the operating system of the device itself with some of network management functions to simple network management tools, and even powerful large-scale management system, users can realize, step by step, a comprehensive network management functions according to their actual network applications and funding arrangements.
Compatibility and openness
Only systems that support compatibility can work with other open systems. The hardware and software products used in the network should support international industry standards or actual standards so that they can coexist with different manufacturers' open products in the same network. The standard communication protocol should be used in communication to enable different operating systems and different network systems and different networks to communicate smoothly.
For network equipment in the same scope of work, hardware requirements are required to comply with NEBS standard system certification, to ensure that the operation equipment will not bring negative impacts to other service-offering devices, not cause any harm to people and environment and reduce fire hazards. Only the core network equipment that meets NEBS international standard certification can meet the above key needs and the construction requirements.
There are still many decisive factors that need to be considered with the needs of users in the system integration design process.
For example, the estimation of network data traffic is an important basis of the bandwidth required by the network. Taking the information service system as an example, its working mode is mainly divided into two kinds, including LAN internal workstation's visit for information resources in the network server and the remote computer's visit for information resources in the LAN's network server. As LAN internal workstations' visit on the network server may cause network's largest data traffic, which then makes the connection between the server and network equipment become the bottleneck of system and cause the network congestion. Therefore, it requires a rough estimation of the need for this data flow in order to configure the network equipment and communication bandwidth with equivalent capacity between the server and the workstation.
In accordance with the above design principles, it is necessary to select technologically advanced, economical, practical, adaptable, highly reliable and extendable equipment so that the system will have a high cost performance and truly meet the application needs.
The Section 3. The overall design thought of the project
Hierarchical design approach can bring the following three advantages to the network.
Extend ability: The network can have modular growth without encountering problems;
Simplicity: By dividing network into many small modules the overall complexity of network is reduced and troubleshooting becomes easier.
Design flexibility: It makes it easy for network to upgrade to the latest technology. Upgrading any level of network will not affect other levels and there is no need for changing the entire environment.
Manageability: Hierarchical structure makes the configuration of a single network device much less complex and easier to manage.
To build a large and excellent performed integrated network with strong extendability and upgrading ability, hierarchical network design principles must be adopted in the design. Specifically, the main function of core backbone is to provide high-speed transmission and routing optimization of communication. The tandem network layer is mainly responsible to complete the network traffic control mechanism to make the access network and the core layer isolated from each other, but also to be able to distinguish applications with different priorities so as to support end-to-end services.
End-to-end network service assurance
The fundamental goal of the enterprise network is to serve all units and even all the public related to enterprises' information, which is also one of the fundamental goals of data center network construction. This requires not only the need to provide cheap bandwidth, but more importantly, to ensure five aspects of "network operation quality" at a higher level :
End-to-end actual network performance
End-to-end network security and reliability
End-to-end quality of service (QOS) guarantees
End-to-end business's easy implementation
End-to-end network manageability
Chapter 3. Overall Plan of System
The overall design of the network system mainly includes the following major parts:
Overall plan of network construction
Topology of network interconnection
System reliability and policy routing design
Routing protocol planning (throughout the enterprise network to consider)
Wireless LAN design
Security design of data center network
Remote office support
Spare parts of data center product and after-sale solutions
Personnel training program
Section 1. Overall Construction Plan of Enterprise Network
1.1 General description of the program
In this program, we use the "top-down" design ideas. The top-down design approach is suitable for network design from the top of the OSI reference model to the lower level. Before the selection of routers, switches and media running at a lower level, it focuses on application, session and data transmission. In addition, we also believe that "a good network design must be clear that the needs of customers contains many business and technical goals, including availability, extendability, affordability, security and manageability." Hence, in designing network system, we should try to stand in the user's point of view to consider the problem in order to meet users' application needs and technical requirements.
The network system is a large port density network system, which has a high requirement of bandwidth and security and supports a large number of users and application types. In the network design, Xiamen Node uses advanced Gigabit Ethernet and Layer 3 switching equipment as the backbone network, taking into account the core network equipment to support 10G / 100G Ethernet network to meet users' future upgrading needs. Its overall structure is extendable 10G / 100G Ethernet backbone, in the network convergence layer node, it designs modular structure Gigabit Ethernet routing switch and Gigabit Ethernet connection to access layer switches and application servers. Network users use 10/100 / 1000M exchange to the desktop connection. The entire network can be divided according to the actual needs of VLAN AND the backbone of the network center supports the wire routing among VLANs.
1.2 Network topology design
program design summary:
1. The internal and external network physical isolation design idea are adopted to ensure that the application security of intranet (office network) is not affected by external networks (including VoIP / wireless / apartment users)
2. Intranet network structure employs full redundancy design to meet the needs of all office business systems in the data center for network security, efficiency and stability.
3. External network applications (including VoIP / wireless / apartment users) use a separate network structure design, not only to ensure the performance of application systems but also to take full account of the system flexibility and cost performance;
4. External Internet users' access to the network will be through the VPN + certification to ensure the safety of network applications;
1.3 The design of network core layer
1.3.1 The core layer design of internal
After completion, the data center network will carry various applications, such as web browsing, e-mail services, multimedia, remote office, VOD on demand, video conferencing, monitoring and other applications, so the network backbone needs to have high performance to ensure the smooth operation of the above application systems. Fully considering the above factors, the design of enterprise network uses dual-core program, the core of the engine room were designed to use two 100 thousand megabytes core switches as the core switch of enterprise's data center. The two core equipment adopt two gigabit links through the link aggregation to achieve communication connection between the two core 4G full duplexes. Each core switch is connected to two firewalls through a single Gigabit link to achieve redundant backup of critical links.
1.3.2 Design of external core layer
External network core switch uses multi-service 10-gigabit routing switch. This switch is responsible for the access of wireless users of the data center, VoIP system data exchange and the Internet needs of users from eighth floor apartment area.
Multi-business 10-gigabit routing can switch products with business intelligence as its core concept. The product possesses mature IPv6 features, wire-speed MPLS L2 / L3 VPN function, multi-plane separation design with high reliability, high-performance L2 / L3 switching, rich and refined QoS strategy, strong support for integration of business and integration of security features. Therefore, it can help users to effectively improve business efficiency and business competitiveness. Business10-gigabit routing to switch products can be used as one of the key equipment of the campus network and metropolitan area network. It not only can reduce the complexity of the next generation network, but also provide a good investment protection.
1.4 Network convergence layer design
On the one hand, the convergence layer of enterprise server group network, in the server group network, is the core layer of the network elements, involving in the core layer of network routing design. On the other hand, it is the convergence point connected to all switches of the access layer as well as the center of network policy control. Therefore, The high-availability design of the convergence layer should also be considered from these aspects.
The aggregation layer is deployed in the form of a 3-layer switch pair, realizing device level redundancy. Switches of the aggregation layer can connect with each other through 2 backbone links or use routing protocol with 3-layer switch aggregation technology can be used to combine the ports and links between convergent layer switches to achieve high availability of high-speed interconnects. Aggregation Layer switches can be connected through Layer 2 backbone links, or Layer 3 switches can be used to enable routing protocols.
For connection from the convergence layer to the core layer, each aggregation layer switch uses a dual link to connect to different core layer switches for uplink redundancy. The connection to the core layer uses 3-layer switch, enables fast convergence routing protocols consistent with the core layer and performs equivalent multi-path settings to achieve link load balance and improve route convergence speed.
The aggregation layer is the convergence point of all switches of the access layer. When the 2-layer connection is used among switches in the convergence layer and the access layer, VRRP, HSRP, or GLBP can be used to implement the redundancy backup and load carrying of the gateway. In the case of a link or node failure, the convergence rate depends on the default gateway redundancy and failover. By reasonably configuring various protocol status timers, the convergence speed of sub-second can be achieved.
According to the above analysis, from the actual situation of the data center network, Xiamen Node designs a three-tier network structure. In the server area, two gigabit switches are used as a converged switch and the convergence employs VRRP protocol to achieve dual-machine. Uplink to the two core switches is realized by 3-layer routing. All servers use dual network cards, each of which is connected to a convergence switch. The network card is bundled through software to form a dual link redundancy and load balance.
1.5 Network access layer design
In the enterprise network construction, we found that in the past two years, all kinds of network attacks within the network have posed great threats to users' application and network stability, especially ARP attacks, which have been a headache for users. What's more, ARP attacks will emerge in different variant versions regularly, causing network to interrupt form time to time. Intelligent security access switch can provide a complete set of dynamic protection against ARP attack and can prevent a lot of attacks from the terminal in the access layer so as to ensure the stable operation of users' application.
1.6 One-stop safe export design
All employees in the enterprise have to access INTERNET through the enterprise network export, and at the same time, to protect the stability and redundancy of the whole network exports, there must be a number of external network exports, which requires that the enterprise network export area in the multiple export situation have a higher performance to make users within the enterprise smoothly access to external networks through different exports without bottlenecks. Therefore, in the data center network exports, two firewalls are deployed. The firewall is designed for large enterprise's network center network. It is powerful, with stable and high performance, brilliant attack ability of anti-denial of service. At the export of external network, a full gigabit multi-business firewall to protect the security of external network applications.
1.7 Access the Internet with user authorization
In this project, Xiamen Node uses the full gigabit multi-business firewall to control users' access. Through the security unified manager, the management of enterprise network's access to external network can be achieved. So can a flexible authorization access mechanism.
The method has the following characteristics:
Powerful user access control
◆ The account uniqueness is certificated to prevent multiple users from sharing an account online.
◆ Different permissions are opened to different business users.
◆ Authorization for external network is different according to different IP addresses, such as the access to web browsing service.
◆ Applications BT, e-Donkey and QQ can be developed or closed for different users.
Section 2. System Reliability and Routing Design
2.1 System reliability design
2.1.1 Redundancy policy
Implementation Objective: To establish a LAN with a reliability of 99.999%.
LAN system is required to have 7x24 hours of continuous operation, thereby requiring a high demand of system reliability. System reliability is determined by the following factors:
Redundant design of physical equipment
Logical backup of the data link
Physical redundancy of the data center network is accomplished primarily by providing redundant equipment and redundant links. In the network, the two core switches are backed up for each other and key business switches access to the two core switches through the dual-link backup for each other. The load balance and redundant backup of devices can be achieved by SPANNING TREE and flexible configuration of routing policies.
Common redundancy strategy for LAN
(1) physical redundancy of core switch;
(2) dual power supply redundancy of core switch;
(3) switches in the access layer use dual-link to the LAN core switch to achieve link and equipment redundancy;
(4) distribution layer and core layer adopt routing policies to achieve the hot backup of equipment and the link.
2.1.2 Access switch redundancy policy
Implementation purpose: to prevent a single point of access switch failure from causing network paralysis
In this project, a switch failure that provides an edge device to access to LAN will affect all edge devices connected to the switch module, which can affect up 24 users.
In order to ensure the reliability of the network operation, policy is changed for corresponding backup machines that provide 1 hour service.
2.2 Policy routing
Purpose of implementation: routing and diversion are arranged according to user category and business classification.
Generally, regardless of whether it is through RIP, OSPF, BGP, or MPLS marking protocol, the route is mostly determined by the destination address, so it cannot effectively split the network traffic or set up strategy for network traffic. However, policy routing capability sometimes is one of the necessary functions in today's diverse network environments. In the enterprise network, users as the enterprise research must be connected to China Mobile's network exports, and dormitory network users are usually led to CHINANET exports. Such a diversion will not affect the scientific performance of the enterprise network, and by appropriate shunt, high-speed or low-speed exports can be assigned corresponding flow so that the application of bandwidth of can be effectively allocated.
The general route is not possible to achieve this shunt, which can only be achieved through the policy routing (PBR), the source address classification and developing its next hop exit IP address. This is also where the policy route is different from the general route, that is, basing on the source address information routing and not the destination address information routing. What the policy routing can do is not only routing and diversion according to users' types. Furthermore, it can also do routing or diversion according to the business category. As with ACLs, internet equipment that requires policy routing must have complete and diversified policy routing support and strong hardware handling ability in order to be able to perform 3-layer wire-speed forwarding while launching.
2.3 IP routing selection
Implementation object: switch of aggregation layer
Implementation purpose: exchange routing information and facilitate the network management of network management personnel.
3-layer routing switch can support a wide range of routing protocols, including some common routing protocols such as RIP, OSPF static routing and so on. Hence, it can achieve compatibility with other brands of routing switches.
It is suggested that the OSPF dynamic routing protocol should be applied in the routing switch of the core and the convergence layer of network. The protocol has many advantages, such as fast convergence speed and fast network response. It is very suitable to be used in such network scale.
As the access layer equipment changes frequently, in order to avoid routing oscillation at the core of network caused by equipment downtime of the access layer, it is recommended to deploy static routing between the convergence layer and access layer to facilitate network management.
Section 3. Network security design of data center
The information system of enterprise network, through the enterprise network information sharing, communication and collaboration, makes enterprise network's management activities become value-added process of enterprise network. Through this system government can achieve its function of management service in various fields, such as, politics, economics, society and life. It helps government's release and access of decision-making information and supports decision-making activities. Moreover, it can achieve information exchange and interactive processing of office business, support enterprise network's activity implementation to complete the whole process of enterprise network activities. However, the function of enterprise network information system is based on the fact that the system is secure and effective. The security of enterprise network information system is the key to realize system function. "National Information Leading Group's Guidance on China's Enterprise network construction" (17th file) clearly points out that the establishment of enterprise network and information security system is one of main goal sand tasks of enterprise network construction. To avoid causing the situation of "only taking net, no security; repairing the road, no car running", therefore, in the enterprise network construction, guaranteeing information security must be taken as a key work.
3.1 Security threats faced by enterprise network
In the computer network, security threats come from all sides, and some even result from our own mistakes. The factors that affect the security of computer network are natural and human. Natural factors include temperature, humidity, dust, lightning, static electricity, floods, fires, fires, earthquakes, air pollution and equipment failures, while human factors include unintentional and deliberate ones, such as negligence of deleting data due to misoperation and man-made intentional destruction such as hacking. A lot of highly confidential data and electronic wealth stored and flowing in the network have long been goals of hackers' spy and action.
In terms of the scope of our discussion, there are four factors that affect network security, including hackers, viruses, mistakes of legitimate personnel, and the vulnerability of network system itself. In detail, the current threats of network of mainly include the following aspects.
(1) legitimate personnel themselves
In a fully secure network, security bug caused by human factors is undoubtedly the greatest risk of the entire network security.
Network administrators or network users have corresponding permissions, so using these rights to damage the network security is also possible. If the operating password is leaked, confidential files on the disk might be used and some important information have the risk of being stolen due to that temporary files are not deleted in time, all of which may make the network security mechanism useless and cause serious damage from the inside.
(2) unauthorized access
Without prior consent, the use of the network or computer resources is considered as unauthorized access, such as intentionally avoiding the control mechanism of system access ,abnormal use of network equipment and resources, or expanding authority without authorization, access to information beyond rights. It is mainly in the following forms, fake, identity attacks, illegal users to enter the network system for illegal operations, legitimate users to operate in an unauthorized manner and so on.
(3) information leakage or loss
This means that sensitive data is intentionally or unintentionally leaked or lost. It usually includes the loss or leakage of information in the transmission (e.g. "hackers" use electromagnetism to leak or eavesdrop in order to intercept confidential information, or after analyzing some parameters like the flow direction, traffic, communication frequency and length of information introduce user's password, account and other important information), the loss and leakage of information in the storage medium, through the establishment of hidden tunnels and other means to steal sensitive information.
(4) damage to data integrity
It refers to illegally stealing the right to use, delete, modify, insert some important information to obtain a response beneficial to the attacker, maliciously adding and modifying data to interfere with the normal use of users.
(5) attack of denying service
It will continue to interfere with the network service system, change its normal operating procedures and implement unrelated procedures to slow down or even paralyze the system, causing legitimate users to be excluded and cannot enter the computer network system so that they cannot get corresponding services.
Attack of denying service is a devastating attack and the earliest one is "e-mail bomb". It is manifested that in a very short period of time users receive a large number of junk e-mails, which affects the normal business operation. Sometimes it is so serious that it will make system shut down and network paralyzed. "Information bomb" attack is more deterrent. Once explosion, it will cause network system paralyzed.
(6) virus spreading through the network
Since computer viruses were discovered for more than a decade, their types have increased geometrically and the number of victim computers doubled every year. The proliferation of many viruses have brought disastrous consequences. At the same time, the mechanism and variants of viruses continue to evolve and spread rapidly through the network. For example, virus can intrude into network by e-mail, software download, file servers, firewalls and other ways, with the transmission medium being fiber, cable or telephone line. They often delete and modify files, causing the program to run wrong, halt, and even hard ware destroy. Although people have made great achievements in preventing and controlling viruses in stand-alone environment, the computer network undoubtedly puts forward new challenges for virus prevention and control. The dissemination of net work brings great difficulties to virus detection and elimination, making virus much more destructive than the stand-alone system and users difficult to prevent. Therefore, it has a big public hazard of computer and secure development of its network.
(7) the inherent vulnerability of the network system
From the beginning of internet construction, there is a lack of a general concept of security, so there are full of security risks and inherent security flaws. For example, the TCP / IP protocol itself that Internet depends on is not very safe.
Security flaws of IP layer protocol include:
application layer protocols like Telnet, FTP, SMT and other protocols lack of authentication and confidentiality measures;
rely on software configuration IP address, resulting in address counterfeit and address spoofing;
IP protocol supports source routing, that is, the source node can specify information, including the intermediate route to the destination node, providing conditions for source routing attack.
(8) safety and quality of transmission line
Although it is difficult to eavesdrop on specified information in coaxial cable, microwave, or satellite communications, there is no absolutely secure communication line in terms of security. No matter what kind of transmission lines are taken, the poor quality of communication line will directly affect the networking effect and sometimes even cause network interruption. For example, for a city's telephone lines, the main electrical indicators are DC electrical performance indicators (loop resistance, insulation resistance), AC characteristics (line attenuation, line attenuation AC frequency characteristics), AC characteristics impedance and so on. When communication line breaks down, the computer network will be interrupted, which is more obvious. The problem is not so obvious when the line breaks down from time to time, the line attenuation is serious or the noise is serious, however, which will have negative impacts on the communication network and can seriously endanger the integrity of communication data.
3.2 Security design for the enterprise network
Through the above analysis, we think that the security bugs related to the routing and switching platform in this internal and external network systems' establishment of data center are mainly found in (5) and (6). The following is the network company's solution.
We believe that in order to completely cure problems of (5) and (6), besides strengthening the security of device itself and the ability to fight against virus, we must also isolate the problem on the user PC and must be able to discover problems, also called the new concept of secure access.
According to the current situation of enterprise network, Xiamen Node chooses to configure a multi-business full gigabit firewall device, which can effectively prevent DDOS and other security issues. Please see the function description of unified threat manager on security in detail.
3.2.2 Backbone network against DDOS attacks
We know that to prevent hackers on the external INTERNET from attacking internal users or resources, we can utilize firewall, IDS and other network equipment. However, we can do nothing to prevent internal users from attacking some internal business-related important servers. In spite of that the server is equipped with firewall, DDOS attacks will make the firewall connected to the bandwidth damaged. Especially now the internal LAN network bandwidth is generally wider, and a variety of hacker programs such as DDOS, DOS and other small attack programs of denying services can be gotten from the INTERNET easily.
3.2.3 Anti-virus design of the whole network
The internet has been seriously impacted by shock waves, oscillatory viruses or similar variants and new viruses. Especially, such viruses can lead to three switches in paralyzed state (CPU utilization rate of 100%), greatly affecting the normal business applications of traffic system and resulting in very serious losses.
In order to take preventive measures, we recommend that the access control be adopted within the entire enterprise network and all levels of network exports.
3.2.4 Security access control of the whole network
In order to prevent some people who have ulterior motives access to information within the internal and external network system of enterprise network through these public ways, and thus further attack the internal network, we recommend the use of dynamic routing protocol authentication technology. Only routers with the same authentication password router can enable a normal network dynamic routing learning. Otherwise, even if the illegal router is connected to network, it cannot get the internal network routing information through the dynamic routing protocol .
In order to ensure the stability and reliability of the whole platform, we need not only to work hard in the network equipment itself, such as redundant power supply and management engine on the core switch, but also work on control from MD5 encryption of OSPF protocol, ACL of the whole network, port speed limit and other aspects. However, these are still not enough. We need to use technologies of operators like telecommunication to control users accessing to the network. We can take real-time control of these users, effectively prevent users from using BT to download and consume export resources of Internet and prevent users from using other people's IP / MAC to do harm to the internal and external systems of enterprise network or related resources.
This is DCSM-A system, a solution for enterprise network security access based on the 802.1X, which takes centralized management while deploying distributed security domains to achieve secure communication and refined management of user behavior:
It has notification function for the online user's short message and various reverse check functions for user name / user IP / user MAC .
It has VLAN authorization control for on-line users based on the policy, internal and external network access control, anti-agent, avoiding IP and MAC address embezzlement and illegal DHCP Server.
It has various binding and binding list control function and Internet time control function.
It has the network virus detection alarm / isolation function of online users, real-time detection and alarming of shockwave virus, Sasser virus, abnormal packet speed, imbalance between sending and receiving packet (network scanning) and so on. The administrator can isolate the user and prohibit user with virus from entering the net.
DCSM can almost solve all the current problems of security management and identity authentication faced by enterprise. through by five unifications and ten integrations.
Five unification, ten integration contents are as follows:
● the value of Web and 802.1x integration
Achieving Web and 802.1x integration through the authentication and accounting management platform can easily connect with access switches and export gateway equipment. different regions can be used according to business needs Different certification management means can be adopted for different regions. For example, relatively strong 802.1x authentication mode is suitable for the guest area to to achieve multi-element terminal binding in the access terminal. For the office area, we can use a flexible and convenient Web Portal authentication.
● the value of admittance and exist integration
In achieving admittance and exist integration through the authentication and accounting management platform, business users only need a set of account password and can access to internal and external network after a certification. At the same time, it can also achieve internal network visit without charging but external network visit with charge. Through interaction between the authentication platform and export flow control equipment, you can achieve a very flexible billing, not only in accordance with the internet time, but also traffic or bandwidth.
● the value of wired and wireless integration
Enterprise network possesses both wired network and wireless network access capabilities. Wired and wireless integration can avoid the use of different authentication and billing platforms of wired and wireless networks, thereby enhancing the user's internet experience. Whether users use wired or wireless internet access, they can avail a unified authentication and accounting platform for authentication, billing, management, which reduces the network investment and easy for management.
● the value of IPv4 / IPv6 integration
The newly established enterprise network also carries IPv4 and IPv6 protocols. Authentication and accounting management platform needs to support both IPv4 and IPv6 so that the administrator can easily see the user's IPv4 and IPv6 related information to facilitate management. The unified authentication of IPv4 and IPv6 enhances the IPv6 network security to avoid the situation that IPv6 users can access to network without authentication.
● the value of private and standard integration
The enterprise network construction period is longer, and the equipment often needs to upgrade, which resulted in that the construction of the enterprise network is almost impossible to use equipment from the same factory, which requires that certification and billing management platform connect with switches of different manufacturers to achieve interoperability between the exchange, to achieve 802.1x unified authentication in access port. No matter which mainstream manufactures' access switches are used, it requires that certification and billing management platform can connect with them to achieve 802.x certification in terminal and possess some featured functions, such as multi-elment binding, instant message and forced offline.
● the value of identity authentication and security management integration
Identity certification management platform contains billing certification and security management. It can not only achieve certification based on user name and password, but also achieve security checks host computer through cooperation with the client software to ensure that only a secure terminal can access to network. After access to network, the client's private change of IP and MAC can be prevented and ARP-related network attacks can also be avoided.
● the value of identity management and bandwidth management integration
Through the interaction between certification management platform and export flow control equipment of enterprise network, the integration between identity certification and bandwidth management can be achieved. Flow control equipment can set up policies and allocate bandwidth resources according to specific users. It can also allocate bandwidth resources based on user groups and set up different policies for different user groups.
● the value of integration of network element management and service management
Certification management platform can not only realize the network element management, but also can realize the easy-to-use user self-service management, which is convenient for users to enjoy some services, such as business operation, information modification, information inquiry, bill introduction, problem warranty and so on.
●integration between real-name audit and public opinion monitoring integration
Through the interaction between the certification and accounting management platform and the online behavior audit system, you can realize real-name audit in the online behavior audit system, rather than the traditional IP-based audit, and realize real-time public opinion monitoring and opinion poll function.
3.2.5 802.1X unified certification and accounting program
l. Networking instructions
There is a need to deploy access switch supporting 802.1x, responsible for users' access authentication data. For non-brand access switches, they only need to support the standard 802.1x.The internal network is deployed DCSM as AAA unified management center to open unified accounts, configure the billing strategy, control users' account binding and so on.
DCSM receives the authentication and accounting data of the access switch from 802.1x. The traffic of the user will not pass through DCSM. Two DCSMs can be used to network in the form of main machine to ensure the stable performance of the whole core network.
2. Program features
Unified certification and billing of equipment from multiple manufacturers. Client-side with wired and wireless network integration realizes unified identity of wired and wireless network. At the same time, it solve the users' long-troubled problem, that is, unified certification cannot achieved with equipment from multiple manufacturers. Because the period of university enterprise network construction is longer, different manufacturers' equipment may be used in different stages due to different needs. For the current 802.1x certification, manufacturers are using private certification. The terminal equipment must install unique private client-end to access the switch and have authentication and billing system interaction to achieve private 802.1x certification. This private certification depends highly on the access device, not easy for follow-up application expansion. Wired and wireless integrated client-end, combined with DCSM unified identity authentication platform, regardless of whether the access device is good product, only with supporting standard 802.1x protocol and installing wired and wireless integrated client-end, can interact with the DCSM authentication platform, achieve private 802.1x authentication, real-time message notification, IP address upload, forced offline, keep alive and other functions.
Access control is safe and reliable:
There are powerful security access management functions, not only to achieve the binding of authentication, anti-proxy internet access, but also can achieve ACL forwarding control function based on the secure switch so as to prevent the impact of the network from attack, scanning, ARP virus, shock wave virus in the form of network address counterfeit and so on .
Through the scanning of network, DCSM can dynamically discover the network situation in real time, determine whether there are various problems in the network, and discover network terminals, servers and network equipment in real-time. Even in the case that the terminal is enabled to use personal firewall that can prevent ping, DCSM can still find these terminals by other ways and obtain the configuration information of these terminals. This provides technical means for dynamically understanding the changing situation in the network and discovering problems in the network, IP address management and terminal asset management.
For the terminal, the following interoperability can be achieved:
√ block and forced offline
√ information collection
√ mandatory patch upgrade
√ forced client-end upgrade
√ connect with Rising and other anti-virus to ensure the safety of client machine before surfing the internet.
√ send real-time messages
√ start and stop the software process in the user's main machine
√ flexible authentication and billing
There are prepaid business (powerful, emphasis on the function of real-time forced disconnection after running out of expense), post-paid business (very few people use). There are accurate flow billing and accurate time billing by day and by month. It supports users' internet time control, and can prohibit users from surfing the internet in some time period. It has management policy based on the authorization group. Through the authorization group function it can implement the flexible authorization function for users, user groups, and VLAN .
Easy network management
It supports mandatory offline management for users. Anti-agent, preventing IP address tamper after surfing the internet and the use of illegal DHCP Server can be achieved. It has user management based on user group and supports the account template mode, user web self-registration account function, saving the administrator's workload to input a large amount of user information. It also has user web self-modified billing strategy function so that users can modify billing strategy in accordance with management.
3.2.6 Web access authentication and accounting program
1. Principle mechanism
The access switch redirects the unauthenticated users' HTTP request to the Portal Server. After users get the authentication interface, they submit the user name and password for authentication. Portal Server obtains the user name and password submitted by the user, and sends the DCSM server for check with other user access information (including access switch IP, access switch port, access switch Vlan, user IP address, user MAC)
DCSM informs Portal Server verification result after a series of judgments such as access review strategy and billing strategy. The Portal Server notifies the switch of the direction or block based on the verification result and notifies the user of the verification result. After the user successfully certified, the user goes to the live page and can access to the network.
2. Program features
WEB identity authentication scheme, based on Dot1x security design ideas, launches certification in the closest level to user, that is, user's access port to ensure that only legitimate users can access to the network and illegal users are blocked outside the network.
WEB identity access authentication program completely adopts Dot1x security control method in the user identity binding. It can not only achieve a simple check of the user name and password, but also achieve a six binding check of the access switch IP, access switch port, Vlan of access port, User IP, user MAC to ensure that legitimate users can access to the internet only by using legitimate IP in the legitimate information point by legitimate terminal to achieve a high degree of security management control.
For the huge Windows users, WEB authentication mode can further enhance the terminal security checks through ActiveX controls to prevent the access of terminals that don't install critical operating system patches and specified anti-virus software. It forces users to enhance security awareness and timely implement security reinforcement of terminal .
Through WEB authentication, it can ensure that the user accessing to the network is credible, and that the user's IP is credible through user certification and through IP credibility to ensure non-repudiation of users' behavior. In this way all IP- traced audit can trace back to the end user, having a strong deterrent effect on deliberately illegal network attacks and sabotage.
With the Internet behavior audit system, it can achieve audit and network behavior alarm control linkage based on the user's behavior, and then implement effective monitoring and management for the user's illegal network behavior .
Easy to use
The traditional Dot1x authentication method involves the issuance, deployment, installation and configuration of the authentication client-end, which not only increases the maintenance work, but also greatly reduces the network availability. Moreover, the client's inherent operating system compatibility and other problems lead to that enterprise network's access authentication technology is not effectively implemented, resulting in some college users to give up the enterprise network security access control.
WEB identity authentication technology does not use the client-end. Through the operating system equipped in the browser, access authentication can be achieved, not only to facilitate end-user, but also solve the inherent problems of Dot1x client authentication.
WEB access authentication technology reduces the difficulty of the implementation of access control and the difficulty of promotion and enhance the availability of access control technology, which will further promote the implementation of identity access authentication security measures.
Access switch can support both WEB access authentication and Dot1x access authentication. With DCSM system it can control different users in different regions to use different authentication methods, that is, the same account in different regions can use different authentication methods and different identity accounts in the same area can use different authentication methods so as to achieve flexible management and control.
The access switch can prevent and block illegal network behaviors, such as ARP spoofing, malicious ARP scanning, and private DHCP server while implementing Dot1x or WEB authentication.
While adopting Dot1x or WEB authentication, the access switch allows users without authenticate or failing to authenticate to access the specified public resources, such as the DCSM self-help system, the WSUS server, the anti-virus server, etc. so that resources of the enterprise network can be used reasonably and efficiently.
There are intranet security access and external network flexible billing. WEB access technology solves technological problems of the enterprise network security access, but it should not mix safe access within school with Internet billing operations for beyond-school access. Otherwise, it will become intranet certification, not conducive to the implementation of enterprise network's identity access and the normal operation of the enterprise network's billing business. With the switch WEB identity access certification, a secondary-to-primary authentication technology is provided. Primary certification, in turn through the access switch and external network billing gateway, achieves security access operation and management of secure access of intranet and flexible billing of external internet.
Intranet security access and external network's application control and rate control based on user are achieved. After meeting needs of network access and network operation, wet also need to consider enhancing reasonable and effective application of export bandwidth resources, implementing flexible application control, which is closely related to the network access, because these three are all based on the user identity, and only basing on the user's identity is reasonable and traffic and application control can be effectively deployed. With the traffic shaping and user access management DCFS series gateway, we realize user-based security access control, rate and application management, network operation and management, to promote enterprise network more secure, more controllable, more efficient and make it to better serve teachers and students.
DCSM system can realize unified identity authentication implemented with the AD domain and LDAP. Only the use of a user name and password can achieve access authentication of network level and application system and achieve unified identity management with digital enterprise construction.
3.3 VLAN setting scheme
VLAN are logically equivalent to broadcast domains. More specifically, we can compare VLAN as a set of end users. These users can be on different physical LANs, but they can communicate freely like they are on the same LAN without physical location limitation. Here, the definition and division of the network is not necessarily related to physical location and physical connection. The network administrator can flexibly create and configure the virtual network through the corresponding network software according to the different needs, and allocate the bandwidth it needs for each virtual network.
In the network design, as the core equipment of enterprise and office, multiple VLANs are divided according to the specific needs, of which ADMIN as a device for management VLAN. This can control the communication between these different VLANs, which can save costs and guarantee the security of important network segments, while reducing the broadcast and conflict to improve system availability.
802.1Q is used as a VLAN transport protocol between the access layer switch and the distribution layer switch.
According to the current application demands, network VLAN is configured before the implementation of network, according to the needs.
3.4 Anti-virus security strategy of system
In recent years, network virus is increasingly serious. The safe operation of the network urgently requires an effective solution to prevent and control virus.
By analyzing the current trend of anti-virus software development we are aware that the centralized management of the network anti-virus system has the best effect. If you use a stand-alone anti-virus program in a network environment, users of each workstation will set up their own management software according to their own preferences, so this kind of setting is of no commonality. Some users may remove or turn off anti-virus software that is executed on their computers so that their workstations cannot be protected. In addition, anti-virus software using virus feature comparison technology must rely on the latest virus code file to effectively play its role, and it needs to constantly upgrade and update feature files and software cores to deal with the new various viruses.
For a large network, the deployed anti-virus system will be very complex and huge. In particular, in the case of geographical separation of all networks, management and maintenance of anti-virus services and situation within the entire system through a monitoring center seem to be very important. This can greatly reduce the number of maintenance personnel and maintenance costs, and shorten the response time for system upgrade and maintenance.
An effective anti-virus strategy of enterprise network environment must take into account the following aspects and protect of the main invasion points of the virus in the network environment.
1. Client-end: Each user's PC platform must have the appropriate anti-virus software for installation prevention.
2. Server side: The network also has a large number of PC servers such as file servers, application servers and so on. Users in the daily work will often transfer files with these servers, which also formed another way of virus transmission. These servers also need to install the appropriate anti-virus software.
3. Gateway: Gateway is to isolate equipment of the internal network and external network, such as firewall, proxy server and so on. Virus protection at the gateway level can play a role in isolating viruses from external networks.
4. Mail server: E-mail has now become an important way to spread virus. It is very meaningful to have a centralized mail virus prevention for the mail server. A good mail or group mail virus prevention system can connect with the server's mail transfer mechanism to complete the virus removal of the virus on the server. In addition, because the current mail virus transmission has been expanded from the previous simple attachment to content carrying, a good mail anti-virus system should have the ability to clear up virus in the message.
5. At the SMTP gateway, it is recommended to use mail gateway-level anti-virus devices to filter each e-mail getting in and out of the company's network and each attachment it entails to check whether it conforms to the set policy.
6. In addition, it is suggested to use centrally managed network anti-virus system. Through a monitoring center it can manage and maintain the entire system's anti-virus services and general situation, which greatly reduces the number of maintenance personnel and maintenance costs, and shortens the upgrade and response time of system maintenance.
3.5 Firewall security control strategy
In the data center's network export, the deployment of two firewalls are designed for the center network of medium-sized enterprise network and they are powerful, stable and excellent in performance, high attack ability of denying service. The firewall is especially intended for medium-sized enterprise users with complex network structures. It is equipped with 16 10/100 / 1000M ports that adapt to Ethernet and 8 SFP gigabit ports. It provides a security control scheme among multiple subnets of complex network. In the network, there are servers as gigabit network interface. The multi-port characteristic of firewall not only can directly access a large number of network servers, but also can effectively divide different security areas and eradicate the problem that springboard intrudes among servers and other security risks, protecting network security and reducing the cost. The device uses 64-bit multi-cored and multi-threaded processor chip and high-speed switching technology to achieve the chip-level hardware acceleration performance of VPN, QoS traffic management functions and avoid the poor ability of traditional ASIC and NP security system to have new connection and flow control.
The most cost-effective security gateway
Hardware chip - level solution based on multi-cored and multi - threaded processor with high performance
Support multi-interface link load balance, support port backup and provide link choose priority
64-bit high security operating system with independent intellectual property rights
Chip-level hardware acceleration depth testing, IPSEC VPN, SSL VPN and other functional modules
Support USB KEY to login SSL VPN with two-factor authentication
Support P2P (BT, e-Mule, Thunder, etc.) application control, provide high-speed hardware's support for QOS whose granularity of key applications is 1kbps QOS support and support online games optimization
Support security guarding of application layer and support Java Applet, Active-X, URL filtering and other functions.
Very low power consumption (45W) and save users' energy costs
Support client-end with ARP prevention, comprehensive defense against virus and attack based on ARP
Support SNMPV1 V2 and OSPF protocol package
Flexible deployment, easy maintenance, easy management
3.6 Other security policies
(1) the implementation of the network routing security control and distribution
Using the 'route filtering -Routing Filtering' technology, we can restrict the routing of certain network segments to publish to other network segments so that the routing information is only transmitted to the appropriate network range, providing network access security control.
(1) MD5 certification of the network routing protocol
In order to prevent some people with ulterior motives to connect to network information within the data center, and further attack the internal network, we recommend the use of dynamic routing protocol authentication technology. Using this technology, only routers with the same authentication password is able to do normal network dynamic routing learning, or even if the illegal router access to the network, it cannot get the internal network routing information through the dynamic routing protocol.
Section 4. Network management
Considering the characteristic of network user concentration, we propose the system management program based on LinkManager5.0 NM.
Network management of information network is an important part of network construction and it is the prerequisite to ensure the normal operation of LAN system. Network management not only requires advanced, practical technical support means, but for large networks, it needs a reasonable and effective organizational system and rules and regulations. Network management is the key component of network availability, and the definition and implementation of network management is the main content of network management design.
In the current environment, users require more and more convenient network management, which is summarized as the following:
Chinese interface, simple operation, online help: reduce the difficulty of network management personnel to improve management efficiency;
Really realize the whole network management: eliminate the network blind spots and control the whole network situation.
Fault distinction, accurate positioning and troubleshooting: problems should be found timely and can be quickly responded to reduce user losses;
Centralized or distributed network management is appropriate for different network structures to meet the different management methods;
Intelligent configuration of the whole network QoS (Quality of Service) strategy: to achieve service quality assurance of end-to-end users and applications, a variety of business models in the network to ensure network quality of key users and key business;
Performance management and security management are also basic network management issues of great concern.
The existing network management system platforms are HP Open view, IBM Tivoli, CA TNG, etc. These network management systems are mainly developed for all the global computer networks with more function, but they are not closely related to characteristics of user business of Chinese operators.
Based on the Chinese market, equipment / network element level network management system in line with the characteristics of Chinese operators' broadband MAN is offered.
I. Network Management System - Link Manager
Network management systems of The Link Manager family include:
1.1 Identify all SNMP devices with the potential to manage devices of different manufacturers at the same time;
1.2 Advantages of integrated distributed network management and centralized network management;
1.3 Provide network status information as much as possible;
1.4 Chinese management interface;
1.5 Easy to operate;
1.6 Not rely on expensive network management platform;
1.7 Achieve the perfect unity between network equipment management and user management. So does the network management and network traffic billing system.
4.1 Network management planning features
(1) using Link Manager network management system;
(2) all the state information collected to a network management workstation;
(3) suitable for centralized service mode.
LinkManager broadband network management system is based on the highly integrated Windows NT platform that is perfect in function, practical and easy to use. It is based on users' actual needs in China's broadband network operators, combined with the five functional domain architecture of ISO network management model. It is a set of broadband network management system with independent research and development and intellectual property rights .
In terms of satisfying the needs of broadband network operators, LinkManager especially designs the user management at the system level and equipment level, whose essence is to seamlessly integrate ideals like user isolation, information management with the management of the Layer 2 and Layer 3 switchboards equipment that access to the broadband. By providing functions like one-click isolation, updating user records, abnormal user monitoring, user-initiated statistics, automatic payment checking, automatic MAC address learning, remote configuration, it can simplify operations and strengthen management.
While performing device management, LinkManager has a "vertical + horizontal" management feature that is oriented to the specified device and supports universal network device. It provides a full range of device management and function management for network devices with SNMP function. Besides, it can support other network devices with universal SNMP function and provide topology and common network management information for the entire network.
4.2 Key features of network management system
LinkManager NM is a new generation of integrated network management software based on years of development and service experience. With the development principle of being easy to use, practical and enough to use, LinkManager NM is located to implement in-depth and comprehensive monitoring on the network and business applications. It has integrated function, such as the network topology discovery, resource management, equipment management, terminal management, performance management, fault analysis, monitoring of abnormal flow, server management, database management, WEB monitoring and so on.
LinkManager NM can make the complex network management work simple and user-friendly through the visual, instrumental and intelligent network navigation management model so that network management software can drive users to be familiar with and control their own network, greatly reducing the threshold of user technology entry and helping the majority of network management personnel to easily control the network.
Network topology discovery network anomaly monitoring terminal legitimacy monitoring server management
business application management Network link management statistics report
Out Of The Box: NM is ready for use, easy to install and it does not need additional reference.
One-stop navigation: The NM navigation system can guide the user to establish a whole system of network management in one step.
Intelligence: it can automatically discover the network and its services, automatically configure the monitoring object and performance threshold, automatically analyze the fault and issue an alarm.
Multi-Dimension: It monitors and manages network from the routing, equipment, terminals, traffic, failure and other aspects in multiple perspectives and aspects.
Overview: Showing in the Portal way, it helps network management personnel to control the operation of the network very easily and clearly.
Widescreen: It is the first domestic widescreen design, easy to display more information centrally.
Personality: User can establish their own characteristic network management center according to their needs and equip personalized monitoring interface.
1. Network topology discovery
It can discover various types of topology structure of large-scale network automatically, accurately and timely. Preparation for topology discovery is the advantage of LinkManager NM over other products. It can be automatically updated according to the administrator settings. The topology is intuitive and the interface can be customized.
2. Network operation monitoring
It can achieve continuous monitoring, report the operation of the network and give an alarm if abnormal conditions are found.
(1) device failure and link blocking alarm
(2) equipment and link performance alarm
(3) abnormal traffic alarm, such as ARP virus outbreak, BT download and so on.
3. Terminal legality monitoring
NM has a built-in legitimacy monitoring engine that can automatically monitor the basic attributes (IP address, MAC address, host name, connected switch port, etc.) of the terminal equipment in the network without additional network bandwidth, provide terminal-oriented security, activity and traffic management, and block illegal terminal access through a variety of security policies.
4. Server management
There are various monitoring methods, such as SSH (remote login), Agent, SNMP, etc. Servers being monitored include Windows, Linux, HP-UX, AIX, Solaris, and monitoring results are displayed according to classification and highlighted clearly.
5. Business application management
It has in-dpth monitoring on Oracle database, WEB services, Email services and other business applications to show their operational health.
6. Network link management
From the business point of view of it can monitor and analyze the important network link, evaluate the on-off, load and health of the link and automatically track the on-off of the link and manage SLA of the link.
7. Statistics report
Section 5. Wireless LAN Design
Wireless LAN, is a seamless wireless communication network in a particular area through the wireless local area network (Wireless Local Area Network, WLAN for short) technology so that every corner of the region is in the network and form a full coverage of wireless network.
For the new office building that will often receive foreign personnel, the use of WLAN coverage can facilitate access to the Internet, and through the physical isolation and the effective isolation of enterprise's internal network it can prevent leakage of corporate secrets.
Therefore, in order to ensure the safety of the office network, in this design, all wireless AP in the building are connected through the network (external network) and wireless controller. At the same time, the wireless controllers are directly connected with core switch of external network. Through the use of wireless users independent network segment, export firewall policy isolation and other means it can maximize local area network security. If the wireless user needs to enter the internal network, it will use VPN + authentication to ensure network security.
The biggest feature of the wireless network is the high degree of space freedom and flexibility. It can avoid large-scale laying of network cable and fixed equipment investment, effectively reducing the network construction costs and greatly enhancing the flexibility of the network construction. Wireless LAN bandwidth is very wide, suitable for a large number of two-way and multi-way multimedia information transmission, especially for the lecture hall or venue and other places with higher density of information points and unfixed locations. They can find the basis and approach of solution through the construction of wireless LAN.
In fact, a wireless network has become an important symbol of modern office.
5.1 Wireless LAN design principles
5.1.1 Wireless and wired isolation
The wireless network of the new office building is mainly used for people in the apartment area or foreign personnel to visit the Internet. Through the implementation of secure access strategy in the firewall, supplemented by certification and authorization mechanism of certification management system, as well as internal and external network physical isolation, it can effectively isolate wireless users and enterprise internal network.
5.1.2 Compliance standard
The technology support used in wireless LAN should be international standards or industry standards. Special technologies and protocols of a certain manufacturer should not be used to ensure the intercommunication of network equipment and be conducive to network investment protection.
5.1.3 Centralized management + distributed forwarding of the network structure
The previous generation of wireless LAN architecture adopts wireless switch plus thin AP structure, making the wireless LAN's network performance, network management and security management capabilities greatly improved and making it possible to construct large-scale wireless network. But with the increase in wireless data traffic, wireless switches not only become a bottleneck in data transmission, but also prone to have a single point of failure. Increasing the wireless switch will undoubtedly greatly increase the cost of networking.
A new generation of wireless LAN architecture uses wireless controller plus intelligent AP architecture. The new generation of smart AP that can be fat and thin can centrally managed and configured, and can directly forward the data locally, which successfully avoids problems of the third generation of wireless LAN and becomes the inevitable trend of wireless LAN development.
5.1.4 Safety and reliability
In the network security, the wireless LAN system must have the same security measures required by the wired LAN. The security of the wireless network is mainly considered from the following aspects:
1) access authentication: have a variety of user authentication methods;
2) full encryption of the data link;
3) have radio wave monitoring capabilities and can provide wireless intrusion detection and wireless terminal location tracking function.
Reliability mainly refers to that it can provide intelligent radio wave automatic control and switching capabilities to ensure that a single AP access point to automatically switch to the adjacent AP in the event of failure and have hot backup of dual wireless controller .
5.1.5 Selection of wireless technology
With the arrival of 802.11n, WLAN field is undergoing fundamental changes, which are impressive as the birth of WLAN. The high data rate of 802.11n final standard 300Mbps lays a solid foundation for the realization of the whole wireless enterprise network. Rich multimedia applications will be seamlessly deployed in every node within the network, whose superior performance has far more surpassed the previous 802.11a / b / g technology. With 802.11n backward compatible line, the technology is mature enough to gradually replace 802.11a / b / g, becoming the first choice for enterprises to set up WLAN.
According to the principle of wireless network design, and combined with the specific circumstances, it is suggested to use 802.11n centralized WLAN solution and deploy enterprise-class dual-band 300M wireless AP (R3) in the 5-8 floor apartment area. All AP access to wireless controller through twisted-pair cable and take centralized management, reducing the workload of network administrators.
5.2 Wireless networking design
Compared with wired network, there are much more factors to consider in the deployment of wireless network AP, such as the distribution of building, the thickness of wall and material. Therefore, only after the field survey, it is possible to accurately determine the location and quantity of AP deployment. After repeated communication and testing between our team and your company team members, we have decided that the data center building needs a total of 22 AP to achieve the building's wireless signal coverage.
AP is mostly placed in the ceiling, walls and other places difficult to directly observe the work of equipment, which requires that the wireless network must be centralized managed to achieve real-time monitoring and management of the entire network equipment.
The use of wireless networks can be divided into different types of wireless access services. Therefore, the design can adopts the WLAN multi-SSID technology and set up multi-business differentiation method. For example, a SSID can be used by the internal staff of government, and the other can be dedicated to the guests. The main purpose of multi-SSID is to allow wireless terminals to access to network in different security authentication and encryption ways.
In the standard of 802.11, the encapsulation format of the packet is defined in different encryption cases. Therefore, users can use different encryption methods for wireless access, such as WEP, TKIP (WPA), 802.11i (WPA2), etc., but different encryption ways cannot exist in the same SSID.
ASSID can cover the entire network, or limit to certain areas within the office area. Part of the new office building has access to the whole network, and then put some authorization limits for the SSID, such as, SSID used by guest. However, some SSID can only broadcast in the office area, only for some departments, such as SSID used in the office area of some departments.
5.3 User management design
The role of the user can be set in the network wireless system, and each role can be based on rules such as user rights and accessible resource settings. When an ordinary user accesses a different SSIDs, he or she only has access to the resources corresponding to the SSID or VLAN. Therefore, to access to resources from different VLANs demands users to log in different SSIDs, which is very inconvenient. The rights management based on the user role is bundled with the user authentication. When the wireless user successfully passes the authentication, he or she will obtain a preset user role privilege and access the network resource corresponding to the other SSIDs. In this way, a user with all the privileges can access all the SSID corresponding voice, data and video services through a SSID login, thus simplifying the user's authority settings and user management complexity.
Some VIP accounts are open to some special guests, who is assigned to a higher authority role. There are more relaxed restrictions in bandwidth. All of these are very consistent with the general business network management needs in configuration, use and management .
5.4 Wireless security design
In the network wireless system, security protection of the system can be built in a number of layers. The security design is as follows:
(1) multiple SSIDs: Multiple SSIDs with different security policies can be set up in the network wireless system according to the needs so that different users and applications can be distinguished. In addition, SSID can also choose hiding way, in which users cannot see in order to prevent illegal users from attempting to connect. SSID's ability to limit its occurrence scope is also a way to achieve security and enables enterprises to implement different levels of security protection in different regions.
(2) encryption: The network wireless system supports a variety of encryption methods. Layer 2 of encryption supports various encryption methods, such as static WEP, dynamic WEP, TKIP, WPA and 802.11i. Layer 3 encryption supports IPSec VPN encryption, which not only makes encryption more flexible so that users can choose encryption methods according to their actual needs, but also ensures security of data transmission of enterprise's secret-related departments.
(3) three ways of user authentication
① WPA-PSK + captive portal + VPN.
Encryption uses WPA-PSK, and the use of static WEP is not recommended, due to security risks. Captive portal + VPN authentication mode is used while VPN also has a three-tier encryption with higher security. Authentication server selection is more flexible, such as RADIUS, LDAP, Windows NT, Active Directory, TACACS, or even DCWS-6028 built-in account database.
② WPA + 802.11x
Encryption is better to use WPA, or dynamic WEP if the client-end does not support. Authentication uses 802.11x, and authentication server selects RADIUS.
③ Dynamic PSK
Dynamic PSK ™ is a network-exclusive user authentication and encryption technology. Traditional wireless encryption keys are the same for all users and are quite fragile. They are shorter in length and easily decoded. Dynamic PSK ™ technology provides a 64-byte key for each user, enabling complete and very secure authentication and encryption.
(4) the user's role (role):
Each type of users can establish a related role, each of which has a user status firewall setting and a bandwidth control setting, so that we can set up corresponding security strategy according to the authority of each government staff .
(5) Bandwidth control:
The bandwidth used by each user can be set, which on the one hand, can ensure the possession of network resources by government's important applications, on the other hand, when viruses of client-end break out, all the network bandwidths will not be taken up.
5.5 Features of wireless solutions
1) certification integration. Wireless solutions can be seamlessly integrated with the certification billing system DCSM-A to achieve an unified authentication between wireless network and wired network. It also supports the third-party radius authentication and Windows AD certification. It can protect the government's early investment and facilitate the implementation of a unified user rights management.
2)network management integration. Wireless products can perform network management through a proprietary wireless controller or FlexMaster, but also perform unified management by the LinkManager through the SNMP protocol, which can simplify the enterprise network management.
3) network structure integration. The wireless solution uses a smart AP and a wireless controller to network, and the wireless controller is connected to the core switch or aggregation switch without changing its existing network architecture. Wireless data forwarding is given to local access switch to complete to avoid forwarding bottlenecks like the tandem networking of wireless switch.
4) security and defense integration. Wireless solutions fully support TSA trusted secure access program and use centralized security management approach, fully realizing the secure operation of government's wireless network.
5) green environmental network. Wireless products of wireless solutions all pass a rigorous RoHS test. Its unique antenna technology ensures less use of AP than other manufacturers to achieve greater wireless coverage and better network Qos and can reduce by 90% Of electromagnetic pollution.