[Computer three-level network technology] The second overall planning and design of small and medium-sized systems





1. Basic structure of network-based information system

The network-based information system structure should include the network operating environment, network system, and network operating system.

1. Network operating environment

The network operating environment refers to the basic facilities and equipment conditions required to ensure the safe, reliable and normal operation of the network system. It mainly comprises two parts: the computer room and the power supply.
(1) Computer room, equipment room and wiring room.
The computer room is used to place switches, core routers, servers and other core equipment, including equipment rooms, wiring rooms and other places where routers, switches and wiring facilities are placed in various buildings.
(2) Power supply.
An interruption or failure of the power supply stops the key equipment of the system, loses important data and paralyses the network system; the consequences are very serious.

2. Network system

Network transmission infrastructure and network equipment are two necessary parts of the network supporting information systems.
(1) Network transmission infrastructure.
The indoor structured wiring system, the building-complex structured wiring system, the metropolitan area network backbone optical cable system, wide area network transmission lines, and microwave and satellite communication systems, each built according to requirements of distance, bandwidth, electromagnetic environment and geography, form the network transmission infrastructure.
(2) Network equipment.
Gateways, routers, switches, bridges, hubs, repeaters, transceivers, modems, network cards, and telecommunication servers are all common network devices.

3. Network Operating System

The network operating system mainly relies on the data transmission function provided by the communication facility to provide shared resource management and other network service functions for high-level users.

4. Network application operating environment and software development tools

(1) Network database management system.
The network database management system is the basis for developing the network application system; whether it is a small enterprise or a large company covering the whole country, data management needs the support of a database management system.
(2) Network software development tools.
Database development tools, Web application development tools and standard development tools are the main network software development tools.
(3) Network application system.
On the basis of the network operating system and network application software development tools, the general or special system developed according to the needs of users is the network application software system.

5. Management and network security system

A practical network system must have a complete network management system. The purpose of establishing a computer network is to provide a communication environment with good performance and safe communication for networked computer systems.
Network security technology is a solution to achieve the purpose of safe storage, processing and transmission of information in the network environment by solving the existing security problems.

2. Divide the phases of the network system construction project

The division of network system construction project phases is shown in the figure:

3. Network requirements research and system design principles

The basic principles of network demand research and system design are as follows:
(1) Conduct full investigation to deeply understand user business activities and user information needs.
(2) To avoid blindness, the feasibility of system construction and system development must be fully demonstrated on the basis of the investigation and analysis, with full consideration of the requirements and constraints (funding, existing work basis, technology, etc.).
(3) Use the concept of system to complete the planning and design of network engineering technology scheme.
(4) Fully consider the time limit requirements, and arrange the tasks of network system establishment according to the different stages of design, demonstration, implementation, acceptance, user training, and maintenance. The whole process of large-scale network system construction requires professional supervision companies to supervise.
(5) The documentation at each stage must be complete and standardized.

4. Network user survey and network engineering demand analysis

1. Network user survey

Network user survey refers to direct communication with existing or potential network users to understand their application requirements for the future system (such as reliability, availability, security, scalability, response time to user requests for network-based information systems, traffic, etc.). Users build networks in order to develop network-based information systems. Defining the purpose, requirements and applications of the user's network construction is the main task of the network application demand investigation.

2. Geographical distribution of network nodes

Before determining the network scale, layout and topology, it is necessary to have a clear understanding of the geographical distribution of network nodes:

  • The number of users and the specific location of their respective distribution.
  • Investigation of the internal structure of the building.
  • Survey of buildings.

3. Application Profiling

  • Internet/Intranet services.
  • Database services.
  • Network basic service systems.

4. Detailed analysis of network requirements

The detailed analysis of network requirements mainly includes: analysis of overall network requirements, analysis of integrated wiring requirements, analysis of network reliability, analysis of network security requirements, and analysis of network engineering cost estimation.

5. Basic method of overall network design

The tasks to be completed at this stage are as follows: design the overall goal of network construction, determine the design principles of the network system scheme, overall design of the network system, design network topology, select network equipment, and design network system security.

1. Overall objectives and design principles of network engineering construction

The principles of network system design are practicality, openness, high reliability, security, advancement and scalability.

2. Network structure and topology design method

The most effective way to manage the complexity of a network system's scale, structure and technology is to design it in layers, and the design of large and medium-sized network systems must start from this point. The core layer network connects the server cluster, the switching router of each building subnet, and the exit to the metropolitan area network; the aggregation layer network connects subnets distributed in different locations to the core layer network and performs route aggregation; the access layer network connects end-user computers to the network.

In a typical system, fibre connections with redundant links are used between core routers, and between core routers and aggregation routers. Between aggregation routers and access routers, and between access routers and user computers, lower-priced unshielded twisted pair (UTP) can be chosen depending on the situation.

3. Core layer network structure design

The backbone of the whole network system is the core layer network, which is the focus of design and construction. At present, the technical standard applied to the core layer network is mainly GE/10GE, the core equipment is a high-performance switching router, and the core router is connected with an optical fiber with redundant links. 40%-60% of the entire network traffic needs to be carried by the core layer network.

There are server cluster connections serving the entire network in the core layer network. From the perspective of improving the availability of server clusters, there are two connection schemes as shown in the figure.

In Figure a, link redundancy connects the server cluster directly to the two core routers. This uses the core routers' bandwidth directly, but occupies more core router ports, and because high-end router ports are expensive the equipment cost rises. In Figure b, a dedicated server switch is added above the two core routers: the server cluster connects to that switch, and the switch connects to the two core routers with redundant links. Its advantage is that the servers share the bandwidth of the core routers.

4. Structure design of aggregation layer network and access layer network

The aggregation layer network connects subnets located in different places to the core layer network and performs route aggregation. When the network is of moderate scale, or in the first phase of construction, multiple GE/10GE switches can be stacked in parallel to increase port density; one of the switches cascades upward over optical fibre through its optical ports, and the aggregation layer and the access layer are merged into one layer.

As shown in the figure, there are two design schemes of the aggregation layer and the access layer network.
Verified in practice: the ratio of the uplink bandwidth between layers to the bandwidth of the next lower level is generally kept at 1:20 (this is the basis for bandwidth calculation).

5. Real questions on cyber attacks over the years

Knowledge about cyber attacks

1. SYN Flooding attack: the attacker uses an invalid IP address and abuses the three-way handshake of a TCP connection, leaving the victim host waiting on a half-open session request until the connection times out. During this period the victim host keeps accepting such session requests and eventually stops responding because its resources are exhausted.

2. DDoS (distributed denial of service) attack: multiple compromised systems send a large number of requests concentrated on other targets, and the victim device denies service because it cannot handle them.

3. SQL injection attack: It belongs to the exploitation of system vulnerabilities, and it is difficult to be blocked by network-based intrusion prevention systems and host-based intrusion prevention systems. Firewalls (network-based protection systems) cannot block this attack.

4. Land attack: Send a data packet to a certain device, and set the source IP address and destination address of the data packet as the address of the attack target.

5. Protocol spoofing attack: an attack that steals privileges by forging the IP address of a certain host. There are the following types:
(1) IP spoofing attacks.
(2) ARP spoofing attack.
(3) DNS spoofing attack.
(4) Source routing spoofing attack.

6. DNS spoofing attack: The attacker uses some kind of deception to make the user obtain a wrong IP address when querying the server for domain name resolution, so that the user can be directed to the wrong Internet site.

7. IP spoofing attack: It is a technology to defraud privileges by forging the IP address of a certain host, and then carry out attacks.

8. Cookie tampering attack: By tampering with cookies, illegal access to the target site can be achieved, which cannot be blocked by network-based intrusion prevention systems.

9. Smurf attack: The attacker pretends to be the IP address of the victim host, and sends a directional broadcast packet of echo request to a large network. Many hosts in this network respond, and the victim host will receive a large number of echo reply messages. A network-based intrusion prevention system can block Smurf attacks.

10. The network protection system cannot block Cookie tampering, DNS spoofing, and SQL injection.

11. Neither network-based nor host-based intrusion prevention systems can easily block cross-site scripting attacks or SQL injection attacks.
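The three packet-level patterns in the list above (Land, Smurf, SYN Flooding) are exactly the ones the notes say a network-based device can block, because each is visible in the packets themselves. The following is an added example, not code from the original notes: a small classifier in the role of a packet-filtering router or network IPS, run over constructed packet records. The record field names (`src`, `dst`, `proto`, `flags`, `icmp_type`, `dport`), the half-open threshold and the sample traffic are all this example's own assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed threshold for this example: half-open sessions per destination
# (ip, port) before that destination is reported as under SYN flooding.
HALF_OPEN_THRESHOLD = 5


def is_land(pkt):
    """Land attack: source and destination address are both the target."""
    return pkt["src"] == pkt["dst"]


def is_smurf(pkt, local_nets):
    """Smurf attack: ICMP echo request (type 8) addressed to the directed
    broadcast address of one of our own networks."""
    if pkt["proto"] != "icmp" or pkt.get("icmp_type") != 8:
        return False
    dst = ip_address(pkt["dst"])
    return any(dst == net.broadcast_address for net in local_nets)


def half_open_counts(pkts):
    """SYN flooding: per destination (ip, port), SYNs seen minus the ACKs
    that complete a handshake. Spoofed sources never send the final ACK,
    so the difference is the number of sessions left half open."""
    syns, acks = Counter(), Counter()
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        flags = p.get("flags", "")
        if flags == "S":
            syns[key] += 1
        elif flags == "A":
            acks[key] += 1
    return {key: syns[key] - acks[key] for key in syns}


def classify(pkts, local_nets, threshold=HALF_OPEN_THRESHOLD):
    """Return (label, target) findings for the three attack patterns."""
    findings = []
    for p in pkts:
        if is_land(p):
            findings.append(("land", p["src"]))
        if is_smurf(p, local_nets):
            findings.append(("smurf", p["dst"]))
    for (dst, port), n in half_open_counts(pkts).items():
        if n >= threshold:
            findings.append(("syn_flood", f"{dst}:{port}"))
    return findings


# Constructed sample traffic (not a real capture).
LOCAL_NETS = [ip_network("10.0.0.0/24")]
SAMPLE = [
    # Land: source and destination are the same host
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "dport": 139, "flags": "S"},
    # Smurf: echo request to the directed broadcast of 10.0.0.0/24
    {"proto": "icmp", "src": "10.0.0.10", "dst": "10.0.0.255", "icmp_type": 8},
    # A normal, completed handshake to the web server
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.10", "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.10", "dport": 80, "flags": "A"},
] + [
    # Six SYNs from spoofed sources that never complete the handshake
    {"proto": "tcp", "src": f"203.0.113.{i}", "dst": "10.0.0.10", "dport": 80, "flags": "S"}
    for i in range(1, 7)
]

if __name__ == "__main__":
    for label, target in classify(SAMPLE, LOCAL_NETS):
        print(f"{label:9s} -> {target}")
```

The SYN Flooding check counts per destination rather than per source, because the notes point out that the attacker uses invalid (spoofed) source addresses; a per-source counter would see one SYN from each fake address and never trip.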

Relevant real questions over the years

Question 1: The attacker uses multiple compromised systems to send a large number of requests to focus on attacking other targets, and the victim device denies service because it cannot handle it. This attack is called ( ).

A. APT attack

B. DDoS attack

C. SQL injection

D. Brute force attack

Correct answer: B
Reference analysis:
[Analysis] APT attack: an attack that uses advanced methods to carry out long-term, persistent network attacks on specific targets. It actively digs out vulnerabilities in the target's trusted systems and applications, uses those vulnerabilities to build the network the attacker needs, and uses 0-day vulnerabilities to attack. DDoS attack (distributed denial of service attack): the attacker compromises multiple systems and uses them to attack other targets intensively; hundreds of hosts send a large number of requests, and the victim device denies service because it cannot handle them. SQL injection inserts SQL commands into web form submissions, entered domain names or page request query strings, ultimately tricking the server into executing malicious SQL commands; specifically, it uses an existing application to inject (malicious) SQL commands into the back-end database engine for execution, so that by entering (malicious) SQL statements into a web form an attacker can obtain data from the database of a website with security flaws instead of having the SQL executed as the designer intended. Brute force cracking means the attacker systematically tries every possible combination (such as the account name and password used at login) to crack the user's account name, password and other sensitive information; attackers often use automated scripts to find the matching username and password. So choose option B.

Question 2: The attacker uses an invalid IP address and uses the three-way handshake process of the TCP connection to make the victim host in the request for an open session until the connection times out. During this period, the victim host will continue to accept such session requests and eventually stop responding due to resource exhaustion. This attack is called ( ).

A. DDoS attack

B. Land attack

C. Smurf attack

D. SYN Flooding attack

Correct answer: D
Reference analysis:
[Analysis] A DDoS attack means that the attacker compromises multiple systems and uses them to attack other targets intensively; the large number of requests causes the victim device to refuse service because it cannot handle them. The SYN Flooding attack is the situation described in the question. So the answer is D.

Question 3: The attack that the network firewall cannot block is ( ).

A. DoS

B. SQL injection

C. Land attack

D. SYN Flooding

Correct answer: B
Reference analysis:
[Analysis] Network firewalls can inspect incoming and outgoing packets and have anti-attack capabilities, so they can block DoS attacks; options C and D are also common DoS attacks. Common DoS attacks include the Smurf attack, SYN Flooding, distributed denial of service (DDoS), Ping of Death, Teardrop and the Land attack. Option B exploits a system vulnerability, and the firewall cannot prevent that attack.

Question 4: Among the following attack methods, which one cannot be blocked by a network-based intrusion prevention system ( ).

Question 41: Among the following attack methods, which one is difficult to be blocked by network-based and host-based intrusion prevention systems ().

A. SYN Flooding

B. SQL injection

C. DDoS

D. Ping of Death

Correct answer: B
Reference analysis:
[Analysis] So-called SQL injection inserts SQL commands into the query strings submitted by web forms, entered domain names or page requests, ultimately tricking the server into executing malicious SQL commands. For example, many film and television websites previously leaked VIP member passwords, most of which were exposed through query strings submitted via web forms; such forms are particularly vulnerable to SQL injection. SQL injection is a vulnerability intrusion and is handled by an application intrusion prevention system; the other options are handled by network-based intrusion prevention systems.

Correct answer: B
Reference analysis:
[Analysis] Host-based intrusion prevention systems can block buffer overflows, changes to login passwords, changes to dynamic link libraries, and other intrusions that attempt to seize control from the operating system. Network-based intrusion prevention systems mainly perform packet filtering protection, such as discarding offensive packets or blocking connections. An application intrusion prevention system can prevent attacks such as cookie tampering, SQL code embedding, parameter tampering, buffer overflow, forced browsing, malformed packets and data type mismatch. Option B falls under the functions of an application intrusion prevention system, so choose option B.
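The point the two analyses above make, that SQL injection is an application vulnerability rather than something a packet filter can see, is easiest to appreciate in code: the injected request is a perfectly well-formed HTTP request, and the flaw is in how the application builds its query. The following added example (not from the original notes) shows the flawed query construction beside the parameterised form, using Python's standard `sqlite3` module and a constructed in-memory members table; the table, inputs and function names are this example's own.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for a site's member database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT, vip INTEGER)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, name, password):
    """The flawed form: form fields are spliced into the SQL text, so the
    database parses whatever the user typed as part of the command."""
    sql = f"SELECT name FROM members WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """The hardened form: the SQL text is fixed and the fields travel as
    bound parameters, so they can only ever be compared as values."""
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Constructed inputs: a normal login and the classic tautology string that
# turns the WHERE clause into "... OR '1'='1'".
NORMAL_INPUT = ("alice", "s3cret")
TAUTOLOGY_INPUT = ("alice", "x' OR '1'='1")

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal:    ", login_vulnerable(db, *NORMAL_INPUT))
    print("vulnerable, tautology: ", login_vulnerable(db, *TAUTOLOGY_INPUT))
    print("parameterized, normal: ", login_parameterized(db, *NORMAL_INPUT))
    print("parameterized, tautology:", login_parameterized(db, *TAUTOLOGY_INPUT))
```

With the flawed function the tautology input matches every row, which is the "obtain a database on a website with security vulnerabilities" outcome the notes describe; with bound parameters the same input is simply a password that does not match. Nothing on the wire distinguishes the two requests, which is why the notes place the fix with the application (or an application-layer IPS) rather than with the firewall.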

Question 49: Among the following attack means, which one is difficult to be blocked by both the network-based intrusion prevention system and the host-based intrusion prevention system ().

A. SYN Flooding attack

B. Cross-site scripting attack

C. Teardrop

D. Smurf attack

Correct answer: B
Reference analysis:
[Analysis] Host-based intrusion prevention systems can block buffer overflows, changes to login passwords, changes to dynamic link libraries, and other intrusions that attempt to seize control from the operating system. Network-based intrusion prevention systems mainly perform packet filtering protection, such as discarding offensive packets or blocking connections. An application intrusion prevention system can prevent attacks such as cookie tampering, SQL code embedding, parameter tampering, buffer overflow, forced browsing, malformed packets and data type mismatch. Options A and C are denial of service attacks, which can be blocked by host-based intrusion prevention systems, and option D belongs to virus attacks, which can be blocked by network-based intrusion prevention systems. Option B falls under the functions of an application intrusion prevention system, so choose option B.

Question 5: Among the following attack methods, the one that a network-based intrusion prevention system can block is ( ).

A. Cookie tampering attack

B. DNS spoofing attack

C. Smurf attack

D. SQL injection

Correct answer: C
Reference analysis:
[Analysis] A network-based intrusion detection system uses raw network packets as its data source, receiving and analysing the packets flowing through the network in real time to detect intrusion behaviour. In a cookie tampering attack, illegal access to the target site is achieved by tampering with the cookie. DNS spoofing is a deception in which the attacker impersonates a domain name server. SQL injection inserts SQL commands into web form submissions, entered domain names or page request query strings, ultimately tricking the server into executing malicious SQL commands. None of these three methods works by blocking the network or consuming network resources. In a Smurf attack, the attacker impersonates the IP address of the victim host and sends a directed broadcast echo request to a large network; many hosts in that network respond, and the victim host receives a large number of echo reply messages. A network-based intrusion prevention system can block Smurf attacks. Therefore option C is correct.

Question 6: Among the following attack methods, the one that a network-based intrusion prevention system cannot block is ( ).

Question 36: Among the following attack methods, the one that both network-based and host-based intrusion prevention systems find difficult to block is ( ).

A. SYN Flooding attack

B. Cookie tampering attack

C. DDOS attack

D. Smurf attack

Correct answer: B
Reference analysis:
[Analysis] SYN Flooding attacks, DDoS attacks and Smurf attacks are all denial of service attacks, which can be blocked by network-based intrusion prevention systems. Therefore option B is correct.

Question 6: The attacker uses some means to enable the user to obtain the IP address of another website when visiting a certain website, so as to guide the user's visit to other websites. This attack method is called ( ).

A. DNS spoofing attack

B. ARP spoofing attack

C. Brute force attack

D. Replay attack

Correct answer: A
Reference analysis:
[Analysis] In a DNS spoofing attack the attacker uses some deceptive means to make the user obtain a wrong IP address when querying the server for domain name resolution, guiding the user to the wrong Internet site. So option A is correct.

Question 7: Among the following methods, which one uses the vulnerability of the host application system to attack ()

A. Land attack

B. Brute force attack

C. Source routing spoofing attack

D. SQL injection attack

Correct answer: D
Reference analysis:
[Analysis] An application intrusion prevention system can prevent many intrusions, including cookie tampering, SQL code embedding, parameter tampering, buffer overflow, forced browsing, malformed packets, data type mismatch and other known vulnerabilities. It can be seen that the SQL injection attack belongs to the type of attack that exploits a vulnerability in the host application system, so the answer is D.

Question 13: The attack that a packet filtering router can block is ( ).

A. Teardrop

B. Cross-site scripting

C. Cookie tampering

D. SQL injection

Correct answer: A
Reference analysis:
[Analysis] Routers usually have a packet filtering function that can filter packets received on a port that match certain characteristics and refuse to forward them. Teardrop is an attack based on malformed fragmented UDP packets; it works by sending multiple fragmented IP packets to the victim. A packet filtering router can analyse the fragmented packets it receives and calculate whether the fragment offset (Offset) of each packet is wrong, thereby blocking the Teardrop attack. Cross-site scripting (XSS) uses website vulnerabilities to maliciously steal users' information. Cookie poisoning is a process in which an attacker modifies a cookie (personal information stored on a website user's computer) to obtain unauthorised information about the user and then steal their identity. SQL injection inserts SQL commands into web form submissions, entered domain names or page request query strings, ultimately tricking the server into executing malicious SQL commands. Therefore option A is correct.
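The analysis says the router blocks Teardrop by "calculating whether the fragment offset is wrong". The following is an added example, not from the original notes, of what that calculation looks like: a consistency check over a list of fragments of one datagram, where each fragment is a constructed `(offset_bytes, payload_length, more_fragments)` tuple. It rejects overlapping fragments (the Teardrop case), offsets that are not multiples of 8, a reassembled size above the 65535-byte IP maximum (the oversized packet of a Ping of Death from Question 21), and more-fragments flags that disagree with the offsets. The tuple layout and the sample fragment lists are this example's own assumptions.

```python
MAX_DATAGRAM = 65535  # maximum total length of an IPv4 datagram, in bytes


def check_fragments(fragments):
    """Validate the fragments of one datagram as a packet filter would.

    fragments: list of (offset_bytes, payload_length, more_fragments).
    Returns (ok, reason); ok is False for any malformed fragment set.
    """
    if not fragments:
        return False, "no fragments"
    frags = sorted(fragments, key=lambda f: f[0])
    end_of_previous = 0
    for offset, length, _more in frags:
        # IP carries the offset in 8-byte units, so a byte offset must be a multiple of 8.
        if offset % 8 != 0:
            return False, f"offset {offset} is not a multiple of 8"
        # Teardrop: a later fragment starts inside data already delivered.
        if offset < end_of_previous:
            return False, f"fragment at offset {offset} overlaps data ending at {end_of_previous}"
        # Ping of Death: the reassembled datagram would exceed the IP maximum.
        if offset + length > MAX_DATAGRAM:
            return False, f"reassembled length {offset + length} exceeds {MAX_DATAGRAM}"
        end_of_previous = offset + length
    # Only the highest-offset fragment may clear the more-fragments flag.
    if frags[-1][2] or not all(more for _, _, more in frags[:-1]):
        return False, "more-fragments flags inconsistent with offsets"
    return True, "ok"


# Constructed fragment sets (not real captures).
NORMAL_FRAGMENTS = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]
TEARDROP_FRAGMENTS = [(0, 36, True), (24, 4, False)]          # second fragment overlaps the first
OVERSIZED_FRAGMENTS = [(0, 1480, True), (65528, 20, False)]   # reassembles past 65535 bytes

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL_FRAGMENTS),
                        ("teardrop", TEARDROP_FRAGMENTS),
                        ("oversized", OVERSIZED_FRAGMENTS)]:
        print(f"{name:9s}: {check_fragments(frags)}")
```

Sorting by offset first means the check does not depend on the order in which fragments arrive, which matters because a real filter sees them one at a time and out of order.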

Question 15: The attack method of stealing privileges by forging the IP address of a certain host belongs to ().

A. Trojan horse attack

B. Vulnerability intrusion attack

C. Protocol spoofing attack

D. Denial of service attack

Correct answer: C
Reference analysis:
[Analysis] There are several types of protocol spoofing attacks:
(1) IP spoofing attacks.
(2) ARP spoofing attack.
(3) DNS spoofing attack.
(4) Source routing spoofing attack.
Among them, the IP spoofing attack is a technology that cheats privileges by forging the IP address of a certain host, and then attacks. Therefore option C is correct.

Question 21: The attacker sends a data packet to a certain device, and sets both the source IP address and the destination IP address of the data packet to the address of the attack target. This attack is called ( ).

A. SYN Flooding attack

B. DDoS attack

C. Ping of Death attack

D. Land attack

Correct answer: D
Reference analysis:
[Analysis] SYN Flooding attack: exploits the three-way handshake of a TCP connection; the attacking host uses an invalid IP address to begin a TCP three-way handshake with the victim host. DDoS (distributed denial of service) attack: the attacker compromises multiple systems and uses them to attack other targets intensively; thousands of hosts send a large number of requests, and the victim device denies service because it cannot handle them. Ping of Death attack: attacks by constructing an ICMP packet with an abnormally large buffer size. Land attack: sends a packet to a device with both the source IP and the destination IP set to the address of the attack target.

Question 57: Among the following intrusion detection system structures, the single point failure has the most serious impact ( ).

A. Collaborative

B. Hierarchical

C. Centralized

D. Equivalent

Correct answer: C
Reference analysis:
[Analysis] The biggest problem of centralized intrusion detection system is the problem of single point of failure, that is, once it is attacked and stops working, the entire network system will be in danger. The main problem of the hierarchical intrusion detection system is that it cannot adapt well to the change of the network topology and is difficult to deploy, and if the upper layer intrusion detection module is attacked, the effectiveness of its intrusion detection will be greatly reduced. Collaborative intrusion detection systems are still coordinated by a unified central control mechanism, and the risk of single points of failure still exists. The application of the peer-to-peer model makes the distributed intrusion detection system truly avoid the occurrence of a single point of failure. So choose option C.

6. Selection of key network equipment

1. Basic principles of network key equipment selection

(1) Selection of manufacturers and product lines.
Key network devices such as core routers and aggregation routers must be mature and mainstream products, preferably from the same manufacturer.

(2) Consider the scalability of the network.
When selecting backbone network equipment, a certain margin must be left to ensure the scalability of the system.
(3) Considering the advanced nature of network technology.
The update speed of network equipment and technology is fast. People often use "Moore's Law" to describe the value of network equipment. The risk of equipment selection is relatively high. It is necessary to collect opinions, inspect products and services on the spot, and make prudent decisions.

2. Basis for router selection

(1) Classification of routers.
Router performance mainly refers to the backplane switching capability of the router. A router with a backplane switching capability greater than 40Gbit/s is called a high-end router; a router with a backplane switching capability lower than 40Gbit/s is called a low-end router. According to the position of the router in the network, it can be divided into high-end routers used as the backbone equipment of the core layer, enterprise-level routers used for the aggregation layer, and low-end routers used for the access layer.

(2) Key technical indicators of the router.

① Throughput.
The throughput of a router refers to its packet forwarding capability, which involves two aspects: port throughput and machine throughput. The throughput of the router is closely related to the number and rate of the router's ports, packet type, and packet length.

②Backplane capability.
The backplane is the physical channel between the input and output of the router, which determines the throughput of the router. High-performance routers generally use a switch structure, while traditional routers use a shared backplane structure.

③ Delay and delay jitter.
Delay is related to packet length and link transmission rate, and it marks the processing time a router takes to forward a packet. Delay has a great impact on network performance. A high-speed router is generally required to forward IP packets of 1518B with a delay of no more than 1ms.

④ Packet loss rate.
The packet loss rate refers to the probability of packet loss caused by the limitation of packet forwarding capability under continuous and stable load conditions. It is often used as a performance measure for routers when they are overloaded.

⑤ Burst handling capacity.
We often measure the burst processing capability by the maximum sending rate at which data packets are sent at the minimum frame interval without causing loss.

⑥ Service quality.
The quality of service of a router is mainly manifested in its queue management mechanism, port hardware queue management and support for QoS protocols. The queue management mechanism refers to the router's queue scheduling algorithm and congestion management mechanism. Queue scheduling strategies mainly include: fair queuing, weighted fair queuing, congestion control, virtual output queues, priority management and so on. Port hardware queue management is implemented by the port hardware, and the priority of each queue is controlled by the queue scheduling algorithm. The router should support the Differentiated Services (DiffServ) protocol, the Resource Reservation Protocol (RSVP) and Multi-Protocol Label Switching (MPLS).

⑦Routing table capacity.
The routing table is the main basis for the router to determine the packet forwarding path. It is one of the main tasks of a router to establish and maintain a routing table that is compatible with the current network link state and node state.

⑧ Reliability and availability.
The main indicators of router reliability and availability are in terms of equipment redundancy, trouble-free working time, internal clock accuracy, and hot-swappable components.

The reliability and availability indicators of a typical high-end router should reach the following points.

  • The continuous working time without failure (MTBF) is greater than 100,000 hours, and the system failure recovery time is less than 30 minutes.
  • The system has an automatic protection switching function, and the main and backup switching time is less than 50ms.
  • SDH and ATM interfaces have an automatic protection switching function, with a switching time of less than 50ms.
  • There is no single point of failure within the router system.
  • Main components such as main processor, main memory, switching matrix, power supply, bus manager and network management interface need to have hot-swappable redundant backup, line cards require backup, and provide remote test and diagnosis capabilities.

⑨Network management capabilities.
The network management capability of the router is manifested in that network administrators can centrally manage and operate network resources through network management programs and general network management protocols such as SNMPv2. The granularity of network management indicates the granularity of router management. Network management includes five parts: configuration management, accounting management, performance management, fault management and security management. The management of routing ports, network segments, IP addresses or MAC addresses all belong to the category of network management.

3. Types and main technical indicators of switches

(1) Classification of switches.
① According to the type of technology supported, switches can be divided into 10Mbit/s Ethernet switches, Fast Ethernet switches and GE switches with a rate of 1Gbit/s.
②According to the internal structure, switches can be divided into modular switches and fixed port switches. Modular switches are also called rack switches. Inside the chassis are redundant power supplies, built-in power supplies, and a multi-slot host cabinet. The slots can be used to insert extended switching modules and network management modules. The advantage of this kind of modular switch is that it has strong functions and high reliability, and it can flexibly select and configure modules according to the size of the network, the number of access nodes and the bandwidth.

Fixed-port switches can only support one LAN protocol, contain a small number of expansion slots and have a fixed number of ports. This kind of switch looks like a rack-mounted hub and usually has 8 RJ-45 ports; 16/24/48/80-port switches are also commonly used types. It generally has 1-2 fixed 100Mbit/s or 1000Mbit/s uplink ports. The advantage of the fixed-port switch is that it is cheap and easy to install, so it is more suitable as a connection device for a small LAN node or as an access device for a large network.
③ According to the application scale, switches can be divided into: enterprise-level switches, department-level switches and workgroup-level switches.

(2) The main technical indicators of the switch.
The main technical indicators of the switch include: backplane bandwidth, total full-duplex port bandwidth, switching mode, frame forwarding rate, delay, modular or fixed port configuration, support for VLAN capabilities, etc.

① Backplane bandwidth.
The backplane of the switch refers to the physical channel between the input end and the output end of the switch. The wider the backplane bandwidth, the faster the data processing capability of the switch, the smaller the packet forwarding delay, and the better the performance.
② Full-duplex port bandwidth.
The total full-duplex port bandwidth is calculated as: number of ports × port rate × 2. An important index in switch selection is the ratio of backplane bandwidth to total full-duplex port bandwidth. The higher the ratio, the closer the switch is to a high-performance wire-speed non-blocking switch, the better its performance, and the higher the cost.
③ Frame forwarding rate.
Frame forwarding rate refers to the maximum number of frames that a switch can forward per second. Latency refers to the time from when the first byte of a frame enters the switch to when the last byte of the frame leaves the output port of the switch.
④ Support for VLAN capability.
When users choose a switch, they are very concerned about whether it supports VLANs. Most switches support the 802.1Q protocol, apart from some switches that support Cisco's proprietary Cisco Group Management Protocol (CGMP). VLANs can be divided based on port, or based on MAC address or IP address.
⑤ Expansion capability of modular switches (chassis switches).
Scalability is the main feature of modular switches. This type of switch can support different types of protocols and different port bandwidths by selecting different types of control modules, such as FE modules, GE modules and ATM modules, or different numbers of modules.
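The two sizing figures above (total full-duplex port bandwidth and its ratio to the backplane) plus the wire-speed frame forwarding requirement, worked through in code. This is an added example, not part of the original notes; the two switch configurations, their backplane figures and forwarding rates are constructed for illustration.

```python
"""Switch selection check (added example, not part of the original notes).

Implements the selection indicators the notes list:
  * total full-duplex port bandwidth = number of ports x port rate x 2
  * ratio = backplane bandwidth / total full-duplex port bandwidth
and, for the frame forwarding rate indicator, the packet rate a switch must
sustain to forward minimum-size Ethernet frames on every port at once.
"""
from dataclasses import dataclass

# Minimum Ethernet frame on the wire: 64-byte frame + 8-byte preamble/SFD
# + 12-byte inter-frame gap = 84 bytes = 672 bits per frame.
MIN_FRAME_BITS = (64 + 8 + 12) * 8


@dataclass(frozen=True)
class PortGroup:
    count: int        # number of ports of this type
    rate_mbps: int    # per-port rate in Mbit/s (100 = FE, 1000 = GE)


def full_duplex_bandwidth_mbps(ports):
    """Total full-duplex port bandwidth: ports x rate x 2 (both directions)."""
    return sum(g.count * g.rate_mbps * 2 for g in ports)


def wire_speed_pps(ports):
    """Frames per second needed to keep every port busy with 64-byte frames.

    One GE port alone needs 1e9 / 672 ~= 1.488 Mpps; the switch must forward
    the sum over all ports to count as wire-speed.
    """
    return sum(g.count * g.rate_mbps * 1_000_000 / MIN_FRAME_BITS for g in ports)


def evaluate_switch(name, ports, backplane_mbps, forwarding_mpps):
    """Return the selection indicators and whether the switch is non-blocking.

    Non-blocking here means the backplane ratio is >= 1.0 (backplane at least
    as wide as all ports talking full duplex) AND the advertised frame
    forwarding rate covers the wire-speed requirement.
    """
    fd_mbps = full_duplex_bandwidth_mbps(ports)
    ratio = backplane_mbps / fd_mbps
    need_mpps = wire_speed_pps(ports) / 1_000_000
    return {
        "name": name,
        "full_duplex_gbps": fd_mbps / 1000,
        "backplane_ratio": round(ratio, 3),
        "wire_speed_mpps": round(need_mpps, 3),
        "non_blocking": ratio >= 1.0 and forwarding_mpps >= need_mpps,
    }


# Constructed samples: a 24xFE + 2xGE access switch quoted with an 8.8 Gbit/s
# backplane and 6.6 Mpps, and a 48xGE switch whose 96 Gbit/s backplane is
# wide enough but whose forwarding rate falls short of wire speed.
ACCESS_24FE_2GE = evaluate_switch(
    "24FE+2GE", [PortGroup(24, 100), PortGroup(2, 1000)], 8800, 6.6)
CORE_48GE = evaluate_switch("48GE", [PortGroup(48, 1000)], 96_000, 50.0)

if __name__ == "__main__":
    for result in (ACCESS_24FE_2GE, CORE_48GE):
        print(result)
```

The second sample shows why both indicators matter: a backplane ratio of 1.0 alone does not make a switch non-blocking if its forwarding engine cannot reach the wire-speed frame rate.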
(3) The configuration selection of the switch.
Configuration selection is a problem that cannot be ignored when selecting a switch. The configuration of the switch has the following aspects.
① Number of expansion slots: The number of expansion slots refers to the maximum number of modules that can be inserted in the expansion slots of fixed-port switches.
② Number of rack slots: The number of rack slots refers to the maximum number of modules that can be inserted into a modular switch.
③Maximum stackable number: The maximum stackable number refers to the maximum number of switches that can be stacked in a single stacking unit.
④Maximum/minimum number of GE ports: The maximum/minimum number of GE ports refers to the maximum/minimum number of ports with a rate of 1000Mbit/s that a switch can support.
⑤Port density and port type: Port density refers to the maximum/minimum number of ports that a switch can support, and port type refers to full-duplex or simplex.
⑥Buffer size: The role of the buffer is to coordinate the rate matching between different ports.
⑦ Supported network protocol types: Usually, switches without expansion slots or fixed configurations only support one protocol (such as Ethernet protocol), and switches with expansion slots or rack-mounted switches can support multiple protocols (such as GE, FE, FDDI protocols, etc.). At the same time, we should also pay attention to the layer 2 exchange strategy supported by the switch, such as 802.3x congestion control and flow control protocol, 802.1d spanning tree algorithm, 802.1p priority queue control, etc.
⑧MAC address table size: The MAC addresses of hosts or devices connected to different ports are stored in the MAC address table of the switch. The switch determines the port for frame forwarding based on this table, and this table must be updated at all times.
⑨Equipment redundancy: Avoiding the threat of a single point of failure is very important for demanding applications.
⑩ Manageability: Different switches support different network management protocols. Commonly used network management protocols and software include SNMP, HP OpenView, IBM NetView, etc.

Seven. Network server selection

1. Classification of network servers

① Internet/Intranet general server.
② Database server.
③ File server.

The disadvantage of the shared hard disk service system is that the user must connect to the server's hard disk every time, and must use DOS commands to establish and maintain a DOS file directory structure on a dedicated disk volume. It is therefore inconvenient to use, and neither efficiency nor security can be guaranteed.

④ Application server.
The application server is a kind of network server that provides dedicated services, based on the browser/server (Browser/Server, B/S) working mode. The main technical features of the application server are as follows:

  • The application server builds network applications on the basis of Web services, and uses the browser/server model to design the software system between the client and the server.
  • After the organization building the network purchases the equipment, users do not need to perform any special configuration; it is easy to use and cost-effective.
  • The traditional C/S structure database server adopts a two-layer structure of client and server, while the application server forms a three-layer architecture.

(2) Classified by application scale, network servers can be divided into: basic-level servers, workgroup-level servers, department-level servers, and enterprise-level servers.

Comparison of server levels

Server type | Configuration | Performance | Application range
Basic server | Generally a PC server with only 1 CPU and a low configuration | General data processing ability | A small LAN server, generally used for office file and printer sharing
Workgroup server | Generally supports 1-2 CPUs, configured with hot-swappable large-capacity hard disks, backup power supply, etc. | Good data processing ability, ease of use and scalability | Suitable for applications that process large amounts of data and require high processing speed and high reliability; can be used for Internet access, and to replace traditional PC servers in enterprise upgrades
Departmental server | Generally supports 2-4 CPUs, adopts symmetric multiprocessing (SMP) technology, configured with hot-swappable large-capacity hard disks, backup power supply, etc. | Good data processing ability, ease of use and scalability | Suitable as an application server for small and medium-sized networks, a small database server, or an enterprise Web server
Enterprise server | Generally supports 4-8 CPUs, adopts the latest CPU and symmetric multiprocessing (SMP) technology, supports dual PCI throughput and high internal bandwidth; equipped with large-capacity hot-swappable disks and power supplies, with redundancy for key components | Good data processing ability, ease of use and scalability | Currently widely used in finance, securities, inspection, metropolitan and communication industries

(4) Related technologies adopted by the server

In order to improve the performance of network servers, many servers are designed using the following technologies:

  • Hot-swap technology.
  • Cluster (Cluster) technology.
  • High-performance storage and intelligent I/O technology.
  • Symmetric Multi Processing (Symmetric Multi Processing, SMP) technology.
  • Emergency Management Port (EMP) technology.
  • Non Uniform Memory Access (NUMA) technology.
  • Service processor and Intel Server Control (Intel Server Control, ISC) technology.

The hot-swap function enables users to replace faulty hard disks, boards and other components without interrupting power, which greatly improves the system's ability to respond to emergencies. In addition, the high-end application of disk mirroring systems improves the hot-swap capability of disks, greatly reducing the time needed to repair a system failure. Cluster technology greatly improves the system's data processing capability. It connects a group of independent computers with high-speed communication lines so that they form a shared data storage space. If one host fails, the programs running on it are immediately transferred to other hosts. Cluster computing technology can therefore greatly improve the availability, reliability and disaster tolerance of the server, but it does have an impact on system performance.

Storage capacity is one of the important indicators for measuring server performance and selection. The storage system bus must adopt the Small Computer System Interface (SCSI) standard, and at the same time use redundant array of independent disks (Redundant Array of Independent Disks, RAID) technology to form a number of hard disk drives into a whole managed by the array controller. On the basis of increasing disk capacity, improving parallel read and write capability raises the access speed and throughput of the disks. To achieve load balancing and improve system efficiency, an intelligent I/O system can be used to take charge of interrupt handling, buffer storage and data transfer.

2. Network server performance

The performance of the server is mainly manifested in: disk storage capacity, computing processing capacity, high availability, scalability and manageability, etc.
(1) Disk storage capacity.
Disk storage capacity and I/O service speed are the important indicators of disk storage capability, and the hard disk and the disk interface bus are the main factors that determine these two indicators. Hard disk performance parameters include: spindle speed, internal transfer rate, single-disk capacity, average seek time and cache. The disk interface bus is currently mainly the SCSI standard.

(2) Computing and processing capabilities.
A high-speed CPU can greatly improve the server's computing power, but many factors affect the server's processing power. Taking Intel's CPU structure as an example, the components that actually make up the CPU include: the CPU core (Pentium Processor Core), the first-level cache (L1 Cache), the second-level cache (L2 Cache), the front side bus (Front Side Bus, FSB) and the back side bus (Back Side Bus, BSB). Among them, the CPU core is responsible for executing instructions and processing data, and its performance is directly related to the operation processing capability. The first-level cache directly provides the CPU with the instructions and data required for computation; the second-level cache is mainly used to store controller, memory and cache lookup table data. The front side bus connects the CPU and the host chipset. The back side bus connects the CPU core and the L2 cache.

The relationship between CPU speed and server performance is explained below.
If CPUa and CPUb use the same technology, the clock frequency of CPUa is Ma and that of CPUb is Mb, with Mb > Ma and Mb - Ma < 200MHz, then the performance of the server configured with CPUb is improved by (Mb - Ma)/Ma × 50% compared with the one configured with CPUa. This is the 50% law of the CPU.

The relationship between the number of CPUs and server performance is described below.
If a high-end server supports 8-way SMP, and its memory, network speed and hard disk speed are sufficient, that is, adding CPUs creates no bottleneck elsewhere in the system, then increasing from a single CPU to 2 CPUs gives system performance of 170% of a single CPU; increasing to 4 CPUs gives 300%; and increasing to 8 CPUs gives 500%. Studies have also shown that the L1 Cache, L2 Cache, FSB and BSB have a significant impact on the overall performance of the system.

(3) High availability of the system.
System high availability can be described by the following formula:
System high availability = MTBF / (MTBF + MTBR)
where MTBF is the mean time between failures and MTBR is the mean time to repair.

If system high availability reaches 99.9%, the annual downtime is < 8.8 hours; at 99.99%, the annual downtime is < 53 minutes; at 99.999%, the annual downtime is < 5 minutes.
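The availability formula and the downtime tiers above, worked through in code. This is an added example, not part of the original notes; it also goes beyond the text by extending the single-unit formula to the redundant configurations the notes recommend (backup power supplies, no single point of failure). The MTBF/MTBR sample values are constructed.

```python
"""Availability arithmetic for server selection (added example, not part of
the original notes).

Implements A = MTBF / (MTBF + MTBR), converts an availability figure into the
annual downtime budget behind the "three/four/five nines" tiers, and extends
the formula to redundant units: independent units in parallel fail only when
all of them are down, while a chain with a single point of failure is down
when any one unit is down.
"""

HOURS_PER_YEAR = 365 * 24  # 8760 h; leap years ignored, as in the notes


def availability(mtbf_hours, mtbr_hours):
    """Steady-state availability of one unit: MTBF / (MTBF + MTBR)."""
    return mtbf_hours / (mtbf_hours + mtbr_hours)


def annual_downtime_minutes(avail):
    """Downtime per year implied by an availability figure, in minutes."""
    return (1.0 - avail) * HOURS_PER_YEAR * 60


def required_mtbr_hours(mtbf_hours, target):
    """Largest repair time that still meets a target availability.

    Solving A = MTBF / (MTBF + MTBR) for MTBR gives MTBR = MTBF * (1 - A) / A.
    Useful because the vendor's MTBF is fixed, while spare parts and on-site
    response time are what the buyer can actually negotiate.
    """
    return mtbf_hours * (1.0 - target) / target


def parallel_availability(*unit_avails):
    """Redundant units where all must fail for an outage: 1 - prod(1 - A_i).

    Assumes independent failures; shared power or a common firmware bug
    violates that assumption in practice.
    """
    unavail = 1.0
    for a in unit_avails:
        unavail *= (1.0 - a)
    return 1.0 - unavail


def series_availability(*unit_avails):
    """Chain where any single unit down means an outage: prod(A_i)."""
    total = 1.0
    for a in unit_avails:
        total *= a
    return total


def tier_table():
    """Annual downtime in hours for the tiers quoted in the notes."""
    return {nines: round(annual_downtime_minutes(a) / 60, 2)
            for nines, a in ((3, 0.999), (4, 0.9999), (5, 0.99999))}


if __name__ == "__main__":
    # Constructed sample: a server with a 50,000 h MTBF repaired in 24 h.
    single = availability(50_000, 24)
    print(f"single unit: {single:.5f} ({annual_downtime_minutes(single):.0f} min/yr)")
    print(f"two in parallel: {parallel_availability(single, single):.7f}")
    print(f"repair budget for 99.9%: {required_mtbr_hours(50_000, 0.999):.1f} h")
    print(tier_table())
```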

(4) Scalability.
The scalability of the system is mainly manifested in the expansion capabilities of processors and storage devices.

(5) Manageability.
The manageability of the system is manifested in: friendly management software interface, perfect remote monitoring and management capabilities, support for hot-swappable functions of hard disks, memory, processors, power supplies and other equipment, which is convenient for disassembly, maintenance and upgrade.

3. Basic principles of server selection

  • Choose a server according to the different needs of the product.
  • Choose servers according to the characteristics of different industries.
  • Select the server according to different application characteristics.

Eight. Basic methods of network system security design

1. Basic content involved in network security technology

Network security technology exists to solve the problems that arise in network security, so as to achieve the goal of secure information storage, processing and transmission in the network environment. Network system security design should focus on the following aspects.

(1) Information security issues in the network.
Information security in the network mainly includes information storage security, information transmission security and encryption technology. Information storage security refers to ensuring that information stored in computers is not illegally used by unauthorized network users. Information transmission security refers to ensuring that information is not leaked or attacked during network transmission. The security threats in the transmission of information mainly include: intercepting information, eavesdropping on information, tampering with information and forging information. The encryption and decryption of data is the main problem of cryptography research, and it is also the main technology to ensure the information security in the network system. Users can use ciphertext to represent important information that needs to be protected during storage or transmission to ensure the security of plaintext.

Tips: Encryption refers to the process of converting plaintext into ciphertext, and decryption refers to the process of restoring ciphertext to plaintext through inverse transformation.

(2) Network anti-attack technology.
Network attacks on the Internet can be divided into service attacks and non-service attacks. By the means hackers use, they can be roughly divided into the following eight types: system intrusion attacks, buffer overflow attacks, denial of service attacks, spoofing attacks, virus attacks, Trojan horse attacks, backdoor attacks and firewall attacks.

A service attack refers to an attack launched against a server that provides a certain service for the network, causing the server to "deny service" and making the network work abnormally. A denial of service attack leaves legitimate users of certain services unable to access the services they are entitled to; it manifests as consumption of bandwidth and computing resources, the collapse of systems and applications, and so on. Specific network services include E-mail, Telnet, FTP, WWW services, etc.

For example, the Telnet service provides remote connections on the well-known TCP port 23, and the WWW service waits for clients' browsing requests on TCP port 80. Because TCP/IP lacks security measures and authentication, it creates conditions for attackers. An attacker may attack the WWW service of a certain website, trying to paralyze its server or modify its homepage, so that the website's WWW service can no longer work normally.

Non-service attacks are not aimed at a specific application service, but at low-level protocols such as the network layer. It often exploits the loopholes in the protocol or operating system to achieve the purpose of attack. It is more concealed and often ignored by people, so it is a more dangerous attack method. Source routing attacks and address spoofing both fall into this category. The attacker may launch an attack on the network communication equipment, causing its work to be blocked or paralyzed, causing the subnet or local area network to be paralyzed. The insufficiency of TCP/IP (especially IPv4)'s own security mechanism provides convenience for attackers.

Research on network attack defense should mainly address the following issues.
①Who are the attackers?
②What are the possible attack methods and types?
③ Timely detection and reporting of network attacks.
④How to adopt the corresponding network security strategy and network security protection system.

(3) Anti-repudiation issues.
Anti-repudiation refers to how to prevent the sender from denying the information it has sent, or the receiver from denying the information it has received.

(4) Internal security precautions of the network.
Internal network security prevention refers to how to prevent internal users with legal identities from intentionally or unintentionally doing harmful acts to network and information security. It mainly includes: violating network security regulations, bypassing firewalls, and connecting to external networks privately, causing system security vulnerabilities; intentionally or unintentionally leaking network user or network administrator passwords;

The unsafe factors inside the network must be addressed from both the technical and the management side. On the one hand, network management software monitors users' working status and the network's operating status at all times, and records and audits the use of important resources; on the other hand, a system for network use and management is formulated and continuously improved, and user training and management are strengthened.

In addition to the above four points, research on network security loopholes and countermeasures, spam, grayware and rogue software, network anti-virus, network data backup and disaster recovery are also aspects that should be considered in network system security design.

2. Principles of network system security design

From the perspective of network engineering, the basic principles to be followed in network system security design are as follows.
①The principle of overall design;
②The principle of overall consideration;
③The principle of hierarchy;
④The principle of autonomy and controllability;
⑤The principle of effectiveness and practicality;
⑥The principle of safety and value.


Origin blog.csdn.net/guanguan12319/article/details/129223283