Skynet Firewall Enterprise Edition

Skynet is a departmental firewall designed for the internal network of small offices and institutions. It offers comprehensive functions, strong security, high reliability and simple, flexible operation. It can effectively resist various attacks from the Internet and ensure the normal operation of internal network services. Additional functional modules can be selected according to actual needs, so that the system can keep up with evolving requirements.

Firewall model: Skynet firewall departmental FW2010

System functions:

1. The first professional firewall kernel with independent copyright in China.

2. Packet filtering firewall based on stateful detection.

3. Virtual bridge with packet filtering function.

4. TCP flag bit detection function.

5. Bidirectional network address translation.

6. Supports binding multiple IP addresses to one network port and multi-subnet, multi-IP applications.

7. Supports binding of IP address to network card MAC address.

8. Real-time system and network status monitoring.

9. Functional module software is easy to upgrade and expand.

10. Web-based management interface, easy to manage.

Typical network scheme:

Small offices and organizations usually have an independent local area network that is connected to the Internet through a private line (ADSL, DDN, etc.), and they need to protect the internal network from external intrusion. In this typical application the firewall is placed behind the dial-up access equipment, where it protects the small enterprise's intranet users as they access the Internet. Government bodies and large enterprises have independent large-scale local area networks that must be connected to the external network through various broadband links in order to provide application services to the outside. The enterprise-level Skynet firewall for large enterprise networks, in addition to its unique attack defense function and excellent basic functions such as TCP flag detection, also has powerful processing capacity and complete functional modules; it can protect thousands of workstations and important server groups in a nearly transparent way and will never become a network bottleneck. By deploying a Skynet firewall, the intranet zone and the neutral zone (DMZ) are separated within the local area network, so that security for the externally facing servers and for the internal LAN is handled separately.

Recommended models: Tianwang firewall enterprise FW3010 standard type, Tianwang firewall enterprise FW3060 extended type.

Basic firewall system functions include:

1. An excellent, independently developed firewall kernel.

2. Packet filtering function based on stateful detection.

3. Virtual bridge function with packet filtering.

4. TCP flag bit detection function.

5. Bidirectional network address translation.

6. Traffic statistics and traffic restriction functions.

7. Upgrade through the interface, simple operation.

8. Internationally pioneered DoS defense gateway technology, which can effectively prevent various DoS attacks.

9. Supports binding multiple IP addresses to one network port, thus supporting multiple subnets and multiple IP applications.

10. Supports binding of IP and MAC addresses and effectively manages IP address resources.

11. Real-time system monitoring function, for observing the system running status and network connections.

12. Real-time alarm function, with alerts by phone and e-mail.

13. System operation records, which record all operations of the system administrator.

Network black hole module

Used to block attackers' probing of the network structure and return false information to them, which effectively prevents external attacks.

Network data recording module

Used to record network traffic, bill user traffic and provide similar functions. The module requires client software installed on a PC for data collection, analysis and processing, and the analysis results can also be imported into a database for automatic processing.

Transparent proxy function

Can limit users' online time and bandwidth.

Virtual private network

Content filtering and URL interception

Typical network scheme

Network security scheme of XXX enterprise group

The design of this scheme follows these principles:

Balance of risk, cost and efficiency.

Comprehensive consideration.

To ensure system availability, the security system must be transparent to applications, centrally managed and easy to maintain.

The security products used must be legitimate products tested by the public security authorities, and must be domestic products.

Combined with the application systems, it provides a comprehensive security scheme covering both network and application.

Security policy

Purpose:

Divide security areas.

Formulate security policies, including user access control, define access levels and determine service types.

Audit and filtering: only access and response flows that conform to the security policy may pass; all other access requests are rejected.

According to the analysis of user needs, the enterprise internal network can be divided into the following security areas:

Internal network segment

Public network segment

External network segment

Network segments belonging to three security areas are interconnected by Skynet firewall.

Existing applications and service types that need to be audited and filtered include:

Protecting network security from attacks is critically important for network service providers, so firewalls must be selected with care. Skynet Firewall Telecom Class is a high-capacity, high-performance firewall designed specifically for ICP (Internet Content Provider) websites and IDC data centers. It supports very high peak visit rates and concurrent connection counts, and meets the complex business and data exchange needs of ICP websites and IDC data centers. It contains all the excellent functions of the basic firewall system plus powerful functional modules, and can be extended with dual-machine hot backup, so that the system immediately and automatically switches away from a failed firewall and fully protects network service providers from illegal attacks.

Recommended models: Tianwang firewall carrier grade FW5010 ICP type; FW5060 IDC type

For small websites we recommend the FW5010 ICP, and for network operators such as large ICP websites or IDC data centers we recommend the FW5060 IDC, which provides more processing power than the ICP model and adds load balancing and dual-machine hot backup.

It is worth mentioning that DoS and DDoS attacks currently pose a serious threat to the security of ICP websites, and Skynet's unique DoS defense gateway can effectively shut out such attacks. Many successful deployments have shown that the telecom-class Skynet firewall is a reliable guardian of websites and data centers.

Functions

Basic system functions, including:

1. An excellent, independently developed firewall kernel.

2. Packet filtering function based on stateful detection.

3. Virtual bridge function with packet filtering.

4. TCP flag bit detection function.

5. Bidirectional network address translation.

6. Traffic statistics and traffic restriction functions.

7. Can be upgraded through the interface; operation is simple.

8. Internationally pioneered DoS defense gateway technology, which can effectively prevent various DoS attacks.

9. Supports binding multiple IP addresses to one network port, thus supporting multiple subnets and multiple IP applications.

10. Supports binding of IP and MAC addresses and effectively manages IP address resources.

11. Real-time system monitoring function, for observing the system running status and network connections.

12. Real-time alarm function, with alerts by phone and e-mail.

13. System operation records, which record all operations of system administrators.

■ Network black hole

Used to block unauthorized network probing.

■ Network data recording

Used to record the types and volume of data passing through the firewall. The module requires client software installed on a PC for data collection, analysis and processing, and the analysis results can also be imported into a database for automatic processing.

■ Dual-machine hot backup

Instantly and automatically switches operation away from a firewall that has failed.

■ Load balancing

User requests can be intelligently distributed to multiple servers.

Typical network scheme:

A large ICP website plans to provide web services with ten servers, plus four SMTP servers and two POP3 servers. The expected inbound traffic is 2325M and the outbound traffic is 1214M.

Network structure

According to the current network requirements of this large ICP site, we suggest using the carrier-grade FW5060 IDC security solution based on Skynet firewall.

To ensure the stability and fault tolerance of the site, this scheme uses two ICP Skynet firewalls whose hot standby function guarantees uninterrupted operation, and divides the whole network into two physically independent segments:

Public network segment

Private network segment

The public network segment provides the Internet-facing WAN connection and accepts access from Internet users; the private network segment contains the 10 web servers, 4 SMTP servers and 2 POP3 servers that provide the web and e-mail application services.

Security policy

Purpose:

Divide security areas.

Formulate security policies, including user access control, define access levels and determine service types.

Audit and filtering: only access and response flows that conform to the security policy may pass; all other access requests are rejected.

According to the analysis of users' needs, Beijing Railway Station network can be divided into the following security areas:

Internal network segment

External network segment

Network segments belonging to two security areas are interconnected by Skynet firewall.
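The security policy described for both schemes above (divide the network into security areas, permit only flows that match the policy, pass the responses to permitted connections, reject everything else) is what a stateful packet filter with TCP flag checking and IP/MAC binding does at the packet level. The following is an added illustration written for this page, not Skynet's code: it models the three-area enterprise scheme (the ICP scheme is the same with the internal area omitted). The address ranges, the policy entries, the IP/MAC binding and the sample traffic are all constructed for the example.

```python
"""Toy zone-based stateful packet filter (constructed example, not Skynet code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed address plan for the three security areas; anything else is external.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "public": ipaddress.ip_network("192.0.2.0/24"),   # public server segment (DMZ)
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Access policy entries: (source zone, destination zone, destination port or None = any).
# Anything not listed is denied, so external hosts never reach the internal segment.
POLICY = {
    ("internal", "external", None),   # intranet users may reach the Internet
    ("internal", "public", None),     # intranet users may reach the public servers
    ("external", "public", 80),       # Internet clients may reach the web server
    ("external", "public", 25),       # Internet mail servers may deliver to SMTP
}

# Constructed IP/MAC bindings for internal hosts (assumed values).
IP_MAC_BINDINGS = {"10.0.0.5": "aa:bb:cc:00:00:05"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    src_mac: Optional[str] = None


class StatefulFilter:
    def __init__(self) -> None:
        # Connection table keyed by the initiator's (src_ip, src_port, dst_ip, dst_port).
        self.connections: set = set()

    def check(self, p: Packet) -> Tuple[bool, str]:
        # 1. TCP flag sanity: SYN+FIN and null-flag packets never occur in real sessions.
        if p.flags & SYN and p.flags & FIN:
            return False, "invalid flags: SYN+FIN"
        if p.flags == 0:
            return False, "invalid flags: none set"
        src_zone, dst_zone = zone_of(p.src_ip), zone_of(p.dst_ip)
        # 2. IP/MAC binding: an internal address may only be used from its registered card.
        bound = IP_MAC_BINDINGS.get(p.src_ip)
        if src_zone == "internal" and bound and p.src_mac != bound:
            return False, f"IP/MAC binding violated for {p.src_ip}"
        # 3. Established connections: both the forward and the reply direction pass.
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.connections or rev in self.connections:
            if p.flags & (FIN | RST):          # teardown removes the state entry
                self.connections.discard(fwd)
                self.connections.discard(rev)
            return True, "established"
        # 4. A new connection must be a bare SYN and must match the policy.
        if not (p.flags & SYN) or p.flags & ACK:
            return False, "no matching state for non-SYN packet"
        if (src_zone, dst_zone, p.dst_port) in POLICY or (src_zone, dst_zone, None) in POLICY:
            self.connections.add(fwd)
            return True, f"new connection permitted: {src_zone}->{dst_zone}:{p.dst_port}"
        return False, f"denied by policy: {src_zone}->{dst_zone}:{p.dst_port}"


def run_demo() -> list:
    """Run constructed sample traffic through the filter; returns (description, passed, reason)."""
    fw = StatefulFilter()
    mac = "aa:bb:cc:00:00:05"
    traffic = [
        ("internal user opens web session", Packet("10.0.0.5", "203.0.113.9", 40000, 80, SYN, mac)),
        ("reply from Internet server", Packet("203.0.113.9", "10.0.0.5", 80, 40000, SYN | ACK)),
        ("unsolicited ACK to internal host", Packet("203.0.113.9", "10.0.0.7", 80, 40001, ACK)),
        ("Internet client to public web server", Packet("198.51.100.4", "192.0.2.10", 51000, 80, SYN)),
        ("Internet client to internal host", Packet("198.51.100.4", "10.0.0.5", 51001, 445, SYN)),
        ("SYN+FIN probe", Packet("198.51.100.4", "192.0.2.10", 51002, 80, SYN | FIN)),
        ("internal IP used from wrong MAC", Packet("10.0.0.5", "203.0.113.9", 40002, 80, SYN, "de:ad:be:ef:00:01")),
    ]
    return [(desc, *fw.check(pkt)) for desc, pkt in traffic]


if __name__ == "__main__":
    for desc, ok, why in run_demo():
        print(f"{'PASS' if ok else 'DROP':4} {desc}: {why}")
```

Only the first, second and fourth sample packets pass: the reply from the Internet server is accepted because the internal user's SYN created a state entry, while the unsolicited ACK, the connection attempt into the internal segment, the SYN+FIN probe and the packet from an unregistered MAC are all dropped with a reason that a log or alarm module could record.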

Existing applications and service types that need to be audited and filtered include:

With the rapid development of network technology and the expansion of network infrastructure in China, the network backbone has now entered the optical fiber era. Besides the telecommunications backbone, government and large enterprises have also begun to roll out optical fiber, and gigabit firewall products built for optical fiber have become key. Our company began developing the Skynet Gigabit Firewall as early as 1999. Drawing on the experience of foreign counterparts and the skill of top domestic engineers, we launched the first gigabit firewall in China in April 2000, and its performance was immediately recognized by users. In 2002, building on the original Gigabit Skynet firewall, the flagship-class Gigabit FW8060 was developed. With a brand-new hardware system and software kernel, the Skynet firewall reached a new level, and its functions and performance meet the requirements of the most demanding users. The Gigabit Skynet firewall combines excellent network performance with excellent system performance: through its optimized kernel it couples highly efficient hardware data exchange with parallel processing, supports millions of concurrent connections and the network requests of tens of thousands of users, and fully meets the high-volume data requirements of broadband network application services.

Recommended models: Skynet firewall gigabit FW8010 backbone type; Skynet firewall gigabit FW8060 flagship type

Excellent performance based on Gigabit:

■ Gigabit line speed firewall system

■ Gigabit stateful packet filtering

■ Gigabit NAT connection

■ Gigabit virtual private network performance, supporting more than 20,000 IPsec security tunnels.

■ Support millions of concurrent user connections.

■ More than 40,000 access control settings are supported.

Licence

Type          Description

SNFW-FT-BH    Network black hole

              Network data record

SNFW-FT-RH    Dual-machine hot standby

Performance list:

Gigabit wire speed firewall system and NAT connection

Gigabit virtual private network performance based on 3DES encryption

Gigabit stateful packet filtering

Supports more than 500,000 concurrent user connections.

Supports more than 40,000 access control settings.

Supported standards include ARP, TCP/IP, UDP, IPsec, 3DES, etc.

Supports more than 20,000 IPsec security tunnels.

Typical scheme

Security solutions for e-commerce applications

Nowadays, e-commerce websites must support tens of thousands of concurrent connections, so network security devices must support a large number of user connections and respond to tens of thousands of requests at the same time. Software firewalls based on traditional commercial operating systems cannot provide service at this scale, and many sites rely on additional network devices to balance load across multiple firewalls. Multi-firewall systems are hard to manage because administrators must keep the firewalls synchronized. The Gigabit firewall supports up to 500,000 concurrent connections, which meets the needs of high-traffic e-commerce websites. Because many hosts are only nominally in the same place, the Gigabit firewall supports VPN mode, so that data and commands between hosts travel through a secure tunnel (the tunnel actually runs over the public network, but because the firewall encrypts the data it behaves as if it were a dedicated tunnel). The Gigabit firewall also supports highly practical dual-machine hot backup, and its software preserves ongoing concurrent connections, so that even if one system fails the connections are maintained and consumers do not turn to other websites because of lost sessions.

Today most popular e-commerce companies distribute their web hosts to give customers fast responses. They focus on their core business and need network services, including security services, for their web hosting equipment. The Gigabit firewall provides controllable firewall and VPN security services. The virtual host system and its multi-user architecture provide a convenient way to manage multiple users on one system, and each virtual host system can have its own set of policies based on its independent users. By configuring IEEE 802.1Q VLAN tags between the firewall and the switch, the traffic of each virtual host system is carried securely to the client, providing a private and secure connection.

Enterprise security solutions

Enterprise security requires the ability to handle large numbers of concurrent connections. Enterprises usually have multiple servers for remote site access or remote user access. These servers provide e-mail, web, FTP, NFS or other application services and must support large numbers of concurrent connections. In addition, as more and more business applications are delivered over IP networks, server groups connected through Gigabit Ethernet also need internal firewall protection. As more services are provided over the Internet, the number of Internet connections an enterprise itself maintains has also grown greatly; it is not surprising for a site to have multiple T3 or OC3 connections that need protection. For example, enterprises use their own Internet lines to connect with other large networks for video conferencing or large server/host database queries, which also requires high-speed VPN. They also need to support a large number of VPN tunnels to connect their branches and remote offices instead of using expensive frame relay services. And there are employees who work from home and access the company network through the latest broadband technology.