Application of Intrusion Prevention Systems in Enterprise Networks
Abstract
Starting from actual requirements, this design uses virtual router technology and the Open Shortest Path First algorithm, combined with intrusion prevention system technology, to design and implement a network system that safeguards data security. According to the enterprise's actual situation, the network is designed as four layers: the network access layer, the network distribution layer, the network core layer and the intrusion prevention layer. The network access layer mainly connects network servers and other network terminals, the network distribution layer mainly configures routing policy, the network core layer mainly forwards data at high speed, and the intrusion prevention layer mainly detects and filters data. The Open Shortest Path First algorithm realizes network interconnection within the enterprise, and Network Address Translation realizes connectivity between the internal network and the external network.
Intrusion prevention system technology realizes the detection and filtering of data, and can effectively block denial-of-service attacks such as ICMP floods, SYN floods and UDP floods. In this design, the intrusion prevention system is placed at the outermost layer of the enterprise network and acts as the first line of defense against network attacks. The IPS is configured in inline interface-pair mode, so all data flows through it and it can both inspect and filter that data; setting CDP to drop mode hides the border devices' information as far as possible, which improves security; and setting the bypass to automatic mode means that when the analysis engine cannot work, data is passed without inspection, which preserves continuity of data flow to the greatest extent. The most important function, of course, is defending against the three most common attacks on the network. The design approach for all three relies on the inherent defects of the protocols to implement the defense, and all three defenses share the same characteristics: rate limiting, denying the inline attacker's packets, generating alerts, and logging the attacker's information.
Keywords: Network Address Translation; Open Shortest Path First algorithm; Virtual Router Redundancy Protocol; intrusion prevention system
The Application of Intrusion Prevention Systems in Enterprise Networks
ABSTRACT
Starting from actual requirements, this design uses virtual router technology and the Open Shortest Path First algorithm, combined with intrusion prevention system technology, to design and implement a network system that ensures data security. According to the actual situation of the enterprise, the network is designed as four layers, namely the network access layer, network distribution layer, network core layer and intrusion prevention layer. The network access layer is mainly used to connect the network servers and other network terminals, the network distribution layer is mainly used to configure routing policy, the network core layer is mainly used for high-speed data forwarding, and the intrusion prevention layer is mainly used to detect and filter data. The Open Shortest Path First algorithm realizes network interconnection within the enterprise, and Network Address Translation realizes the connection between the internal network and the external network.
Intrusion Prevention System technology realizes the function of detecting and filtering data, which can effectively block denial-of-service attacks such as ICMP flood, SYN flood and UDP flood. In this design, the Intrusion Prevention System is placed at the outermost layer of the enterprise network and acts as the first defensive wall against network attacks. The IPS is set up in inline interface-pair mode, so all data flows through it and it can not only detect but also filter the data; setting CDP to drop mode hides border equipment information to the greatest extent and improves security; and setting the bypass mode to automatic means that when the analysis engine cannot work, data is not inspected, which maximizes the continuity of data flow. The most important thing, of course, is defending against the three most common attacks on the network. The design approach uses the defect characteristics of the protocols to realize the defense, and all three defenses share the same behaviour: rate limiting, denying the inline attacker's packets, generating alerts, and recording the attacker's information.
Key words: Network Address Translation; Open Shortest Path First algorithm; Virtual Router Redundancy Protocol; Intrusion Prevention System
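The flood-defense behaviour described in both abstracts (a shared rate limit per attack class, denying the attacker's packets inline, raising an alert, recording the attacker, and passing traffic uninspected when the engine is down in automatic bypass mode) can be modelled as a small inline policy. The following is an added illustration written for this page, not the thesis's own IPS configuration; the thresholds, packet records and `InlineIPS` class are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds (constructed): more than LIMIT packets of one flood class from one source inside WINDOW seconds is a flood.
WINDOW = 1.0
LIMIT = 5

def classify(pkt):  # map a packet to one of the three flood classes the design defends against
    if pkt["proto"] == "icmp" and pkt.get("type") == 8:   # echo request
        return "icmp_flood"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":  # bare SYN
        return "syn_flood"
    if pkt["proto"] == "udp":
        return "udp_flood"
    return None

class InlineIPS:
    def __init__(self, engine_up=True):
        self.engine_up = engine_up          # False models the analysis engine failing
        self.windows = defaultdict(deque)   # (src, class) -> recent packet timestamps
        self.denied = set()                 # attackers whose packets are now dropped inline
        self.alerts = []                    # alert with attacker info, one per attacker/class

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet crossing the inline interface pair."""
        if not self.engine_up:              # bypass auto mode: pass traffic uninspected
            return "pass"
        cls = classify(pkt)
        if cls is None:
            return "pass"
        key = (pkt["src"], cls)
        if key in self.denied:              # attacker already denied: keep dropping
            return "drop"
        win = self.windows[key]
        win.append(pkt["ts"])
        while pkt["ts"] - win[0] > WINDOW:  # keep only the last WINDOW seconds
            win.popleft()
        if len(win) > LIMIT:                # rate limit exceeded: alert, record, deny
            self.denied.add(key)
            self.alerts.append({"ts": pkt["ts"], "src": pkt["src"], "attack": cls})
            return "drop"
        return "pass"

def run(packets, engine_up=True):
    ips = InlineIPS(engine_up)
    return [ips.process(p) for p in packets], ips.alerts

# Constructed sample: 8 SYNs from one source inside 0.7 s, then a normal ICMP echo from another host.
SAMPLE = [{"ts": i * 0.1, "src": "203.0.113.7", "proto": "tcp", "flags": "S"}
          for i in range(8)]
SAMPLE.append({"ts": 0.85, "src": "198.51.100.2", "proto": "icmp", "type": 8})
```

Running `run(SAMPLE)` passes the first five SYNs, drops the sixth onward with a single alert naming the source, and still passes the unrelated ICMP echo; `run(SAMPLE, engine_up=False)` passes everything, which is the availability trade-off the automatic bypass mode accepts.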
Contents
1.2 Purpose and Significance of the Research
2 Technologies for Building the Network System
2.1.1 Basic Principles of OSPF
2.1.2 OSPF Default Route
2.2 Using VRRP for Gateway Redundancy
2.3 How NAT Works
2.4 Intrusion Prevention System Technology
3 Requirements Analysis for the Intrusion Prevention System
3.1 Availability Requirements Analysis
3.2 Functional Requirements Analysis
3.3 Feasibility Analysis
4.1 Overview of the Enterprise Network Structure
4.2 Design of the Three-Layer Network Structure
4.3 Design of the Intrusion Prevention Layer
5 Implementation of the Intrusion Prevention System
5.1 Configuring Routing Policy
5.1.1 Initial Configuration
5.1.2 Using OSPF to Interconnect the Enterprise Internal Network
5.1.3 Implementing VRRP Gateway Redundancy
5.1.4 Implementing NAT Network Address Translation
5.2 Defense Implementation on the IPS
5.2.1 Configuring the Interface Pair
5.2.2 Configuring CDP Mode
5.2.3 Configuring the IPS Bypass Mode