Standard solutions for organizing Internet access for small organizations

The school portal supports Internet access management.

Management is carried out through integration with the Squid proxy server.

To change access rights, go to the menu: Service → Internet access....

This action is available only to representatives of the school administration.

To grant Internet access, check the box next to the user name (student, teacher) or next to a whole class; to revoke access, uncheck it. Changes are applied after clicking the "Save" button.

For a machine on the local network to access the Internet according to the permissions configured in the Portal, it must be configured to use the proxy server.

The proxy server address is the address of your school server on the local network (the one on which the School Portal is installed). Proxy port: 3128.

When a user accesses the Internet through the proxy server, they will be asked for their School Portal login and password.

To reliably prevent Internet access that bypasses the proxy server, check that the school server does not route Internet traffic for the machines in question, and that those machines have no other path to the Internet through a switch, modem, router, Wi-Fi or other equipment of the educational institution that staff and students can reach.

Content filtration systems (SCF)

Both working without an SCF and integrating with several SCF providers are supported.

The SCF setting is located in the left column of the Internet access management page.

Some SCFs require registration to manage their lists of prohibited resources (for example social networks, obscene material, collections of essays, etc.). Such settings are changed in the web interface of the SCF itself, not in the Portal. User support on filtering quality is provided by the organization operating the SCF. The Portal only lets you enable or disable sending requests from the school's proxy server to the SCF DNS servers, nothing more.

Like Internet access control, the SCF applies only to machines that are configured to go strictly through the school proxy server.

Important! After enabling an SCF, check that it works as you expect, since the Portal cannot verify this for you automatically. SCF providers may change their terms of service at any time, so it is worth subscribing to news from the service you use.

What to do if the Portal displays the message "Function disabled" or something does not work

The checks and actions in this part of the article are given only for Ubuntu Server 10.04 LTS.

All actions must be performed as the root user.

1. Is Squid installed?

dpkg -s squid3 | grep -i version

If not, install it:

apt-get install squid3

2. Are these parameters present in the Portal configuration file?

auth = basic
htpasswd = /var/www/sp_htpasswd
sp_users_allowed = /var/www/sp_users_allowed

If not, add them and run

pkill speedy

3. Is Squid running and listening on port 3128?

Check:

netstat -ntlp | grep 3128

The response should look like this (1234 is an example; your process number will differ):

tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 1234/(squid)

How to start Squid:

/etc/init.d/squid3 start

* Starting Squid HTTP Proxy 3.0 squid3

4. Set Squid to autostart:

update-rc.d squid3 enable

5. Create the service files through which the Portal manages access (if they do not exist yet) and set their access rights:

touch /var/www/sp_htpasswd /var/www/sp_users_allowed
chown www-data.proxy /var/www/sp_htpasswd /var/www/sp_users_allowed
chmod 660 /var/www/sp_htpasswd /var/www/sp_users_allowed

6. The Squid configuration file shipped out of the box is not ready for integration and needs to be corrected.

First, make sure it DOES NOT already contain the portal integration (applying the patch more than once is not acceptable):

grep "School Portal Internet Control" /etc/squid3/squid.conf

If the command prints that line, skip this step.

However, if the configuration file has been changed so that the line is present but the integration does not work, take the original Squid configuration file and perform this step on it.

So, if the line is NOT there:

6.1. Remove the rules that prevent integration and switch the error pages to their Russian versions:

perl -i-original -p -e 's!^http_access deny all$!#http_access deny all!; s!^# error_directory /usr/share/squid3/errors/templates$!error_directory /usr/share/squid-langpack/ru!;' /etc/squid3/squid.conf

6.2. Add the integration fragment:

cat >> /etc/squid3/squid.conf <<'EOF'
# =============================
# School Portal Internet Control
# To disable replace /etc/squid3/squid.conf with /etc/squid3/squid.conf-original
# =============================
auth_param basic program /usr/lib/squid3/ncsa_auth /var/www/sp_htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl sp_users_allowed proxy_auth "/var/www/sp_users_allowed"
http_access allow sp_users_allowed
http_access deny all
EOF

If this block appears more than once in squid.conf, remove the duplicates even if everything works: with a duplicate, every time the allowed list is updated from the portal, Squid will fill its log with warnings about rules being redefined.

6.3. After making the changes, restart Squid:

/etc/init.d/squid3 restart

7. Now use the School Portal web interface to distribute Internet access. After clicking the "Apply" button in the portal web interface you should see the list of allowed portal user logins change in the /var/www/sp_users_allowed file.

Squid access logs (/var/log/squid3) will contain the portal user logins. Any log analyzer that understands the Squid log format can be used. Integration with the Portal does not alter the default log format; the only difference is that the portal login appears where a dash would stand without user authorization.

8. Check the firewall on the school server and on the client machines. By default, on a clean Ubuntu Server the firewall allows all connections; if you have changed its configuration by any means, make sure that connections from the school's local network to port 3128 of the server and outgoing connections from the server are allowed.
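The eight steps above are normally run by hand. The following script is an added example (not part of the School Portal or of Squid) that performs the file-based checks of steps 5, 6 and 7 in a way that is safe to re-run: it counts integration blocks so that a duplicate is caught, appends the fragment only once while keeping the -original backup, and verifies the owner and 660 mode of the two service files. The environment variables, the function names and the status/integrate modes are this example's own assumptions; the paths default to the ones used in the steps.

```shell
#!/bin/sh
# Added example, not part of the School Portal or of Squid: idempotent checks for
# the integration described in steps 2-7. Paths default to the ones used above;
# the environment variables, function names and the 'status'/'integrate' modes
# are this example's own assumptions.
SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"
HTPASSWD_FILE="${HTPASSWD_FILE:-/var/www/sp_htpasswd}"
ALLOWED_FILE="${ALLOWED_FILE:-/var/www/sp_users_allowed}"
SP_OWNER="${SP_OWNER:-www-data}"
SP_GROUP="${SP_GROUP:-proxy}"
MARKER='School Portal Internet Control'

# Number of integration blocks in a squid.conf: 0 = not integrated yet,
# 1 = correct, 2 or more = duplicated (Squid warns about redefined rules).
integration_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "$MARKER" "$1" || true
}

# Steps 6.1/6.2 applied exactly once: keeps a -original backup, comments out the
# stock "deny all" and appends the block. Returns 1 and changes nothing if the
# marker is already present, so the script can be re-run safely.
add_integration() {
    conf="$1"
    if [ "$(integration_count "$conf")" -ne 0 ]; then
        echo "integration already present in $conf, skipping" >&2
        return 1
    fi
    [ -f "$conf-original" ] || cp "$conf" "$conf-original"
    sed 's/^http_access deny all$/#http_access deny all/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    cat >> "$conf" <<EOF
# =============================
# $MARKER
# To disable replace $conf with $conf-original
# =============================
auth_param basic program /usr/lib/squid3/ncsa_auth $HTPASSWD_FILE
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl sp_users_allowed proxy_auth "$ALLOWED_FILE"
http_access allow sp_users_allowed
http_access deny all
EOF
}

# Step 5 verified: both service files exist, belong to SP_OWNER:SP_GROUP and
# give no access to others (mode 660). Prints one line per problem found.
check_service_files() {
    status=0
    for f in "$HTPASSWD_FILE" "$ALLOWED_FILE"; do
        if [ ! -f "$f" ]; then echo "missing: $f"; status=1; continue; fi
        owner=$(ls -ld "$f" | awk '{print $3 ":" $4}')
        if [ "$owner" != "$SP_OWNER:$SP_GROUP" ]; then
            echo "wrong owner $owner on $f (want $SP_OWNER:$SP_GROUP)"; status=1
        fi
        # find prints the path only when 'others' have read, write or execute
        if [ -n "$(find "$f" -perm -o+r -o -perm -o+w -o -perm -o+x)" ]; then
            echo "world-accessible: $f (want mode 660)"; status=1
        fi
    done
    return $status
}

# Step 7: is a given Portal login currently allowed through the proxy?
user_allowed() {
    grep -qx "$1" "$ALLOWED_FILE"
}

case "${1:-}" in
    status)
        echo "integration blocks in $SQUID_CONF: $(integration_count "$SQUID_CONF")"
        check_service_files && echo "service files OK" ;;
    integrate)
        add_integration "$SQUID_CONF" && /etc/init.d/squid3 restart ;;
esac
```

Run it as root with `status` to see whether the marker count is 0, 1 or more and whether the service files match step 5, and with `integrate` to apply the fragment once and restart Squid. Because the block is appended from a heredoc rather than an `echo`, the inner double quotes around the sp_users_allowed path survive intact.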

The administrator distributes Internet resources to company employees by creating lists of prohibited or allowed domain names, IP addresses, etc. At the same time, he can set limits on time or traffic volume; when a limit is exceeded, Internet access is closed automatically.

Attention: the administrator can always provide management with a report on the network usage of each employee.

  • Flexible system of rules for controlling Internet access:
    • limits on working time, on the amount of sent/received traffic (traffic accounting) per day, week and/or month, and on the amount of time used per day, week and/or month;
    • filters that control user access to unwanted resources (adult and gaming sites);
    • a developed system of traffic and access-speed restrictions for each user; when the traffic limit is exceeded, Internet access is closed automatically;
    • lists of prohibited or allowed domain names, IP addresses and parts of the URL string, access to which is prohibited or allowed by the administrator;
    • the ability to set ranges of allowed and prohibited IP addresses;
    • an hourly schedule of the user's work on the Internet;
    • filters that allow highly efficient "banner cutting" to be configured.
  • Counting and viewing statistics of user activity by various parameters (days, sites) for an arbitrary time interval. Viewing Internet usage statistics for the current month via HTTP is possible only for users on the local network.
  • A built-in billing system automatically calculates the cost of a user's Internet work based on price, time and/or traffic volume. Tariffs can be set for each user individually or for a group of users, and can be switched depending on the time of day, day of the week or site address.

Office information security

  • VPN support. A Virtual Private Network combines individual machines or local networks into one network whose security is ensured by data encryption and user authentication.
  • A built-in firewall prevents unauthorized access to server data and the local network by prohibiting connections on certain ports and protocols. The firewall functionality controls access to the required ports, for example to publish the company's web server on the Internet.
  • Kaspersky Antivirus and Panda, integrated into the UserGate proxy server, act as filters, intercepting data transmitted over HTTP and FTP. Support for the POP3 and SMTP mail protocols is implemented at the upper level, which allows the built-in antivirus to scan mail traffic. If a letter contains an attached file with a virus, the UserGate proxy server deletes the attachment and notifies the user by changing the text of the letter. All infected or suspicious files from letters are placed in a special folder in the UserGate directory.
    The UserGate administrator can choose whether to use one antivirus module or both at once. In the latter case, the order in which each type of traffic is scanned can be specified; for example, HTTP traffic is first scanned by the Kaspersky Lab antivirus and then by the Panda Software module.
  • Mail protocol support
    The POP3 and SMTP proxies in UserGate can work with or without the NAT driver. Without the driver, the account in the mail client on the user's side is configured in a special way. With the driver (the proxy working in transparent mode), mail on the user's side is set up exactly as with direct Internet access. In the future, top-level support for POP3 and SMTP will be used to build an anti-spam module.

Administration using the UserGate proxy server

  • Network rules
    The UserGate proxy server implements NAT (Network Address Translation) and port mapping. NAT is used to create transparent proxies and supports protocols other than HTTP and FTP.
    A transparent proxy allows users to work without special settings and frees administrators from configuring user browsers manually.
  • The additional module UserGate Cache Explorer is designed for viewing the contents of the cache. Working with it is simple: specify the location of the ug_cache.lst file in the cache folder. After reading this file, UserGate Cache Explorer shows the list of cached resources. The Cache Explorer management panel has several buttons for filtering the cache contents by size, extension, etc. The filtered data can be saved to a folder on the hard drive for further careful study.
  • The port mapping function allows you to bind any selected port of one of the local IP interfaces to the required port of a remote host. Port mapping is used to run bank-client applications, games and other programs that require packets to be forwarded to a specific IP address. If access from the Internet to a specific network resource is needed, this can also be achieved with port mapping.
  • Traffic management: control and account for your network traffic
    The "Traffic Management" function creates rules that control local network users' access to the Internet, and creates and changes the tariffs used by UserGate.
    Attention: the NAT driver built into the UserGate proxy server provides the most accurate accounting of Internet traffic.
    The UserGate proxy server can separate different types of traffic, for example local and foreign Internet traffic. The traffic and IP addresses of active users, their logins and the URLs they visit are also monitored in real time.
  • Remote administration allows the system administrator to be mobile, since the UserGate proxy server can now be administered remotely.
  • Automatic and manual mailing of traffic information to users by e-mail, including through servers requiring SMTP authorization.
  • Connection to a cascade (upstream) proxy, with authorization if required.
  • Flexible report generator with the ability to export to MS Excel and HTML.
  • Various ways to authorize users: for all protocols; by IP address, by IP+MAC, by IP+MAC (subscription); by user name and password; using Windows authentication and Active Directory.
  • Importing users from Active Directory: you no longer have to create several hundred users manually; the program does it for you.
  • Task Scheduler allows one of the predefined actions to be performed at a specified time: send statistics, launch a program, establish or terminate a dial-up connection, update antivirus databases.
  • UserGate supports the following protocols:
    • HTTP (caches);
    • FTP (caches);
    • Socks4, Socks5;
    • POP3;
    • SMTP;
    • Any UDP/TCP protocol via NAT (Network Address Translation) and through port assignment.

Saving money on using the Internet

Using its built-in filters, UserGate blocks the loading of advertising from the Internet and prohibits access to unwanted resources.

Attention: the administrator can prohibit downloading files with a given extension, for example jpeg or mp3.

The program can also remember (cache) all visited pages and pictures, freeing the channel for downloading useful information. All this greatly reduces not only traffic but also time spent on line.

Proxy server UserGate: accounting of your network traffic!

Before discussing authentication of network users, rules for controlling access to the network must be developed. Networks are no longer monolithic entities. In most cases there is one external access point, an Internet connection via an ISP (Internet Service Provider). Network access control rules determine what security must be installed at the network's entry points.

Gateways

Gateways are the points at which network traffic passes from the organization's network to another network. For gateway points, the access control rules must take into account the nature of the network on which the gateway is installed.

  • Access control rules for incoming and outgoing telephone connections (dial-in and dial-out). These cover authentication requirements. Hiding a telephone network access point is quite difficult, so it is important to define controls for this access. There are many considerations for such rules, such as configuring modems solely for outgoing calls (out-bound-only) for dial-out access. A rule clause must prescribe the use of the appropriate controls.

    All telephone access to the network must be secured using strong authentication controls. Modems must be configured for either dial-in or dial-out access, but never both. The network administrator must provide procedures for guaranteed access to modem systems. Users should not install modems at other points on the network without appropriate sanctions.

  • Other external connections. Various connections to the network from outside the organization are possible. The rules can stipulate direct access of clients to the network through a virtual private network (VPN) and through extensions of the organization's network known as extranets.
  • Internet connection. This differs from other connections because people want open access to the Internet, while access permission is provided by the organization's services. The rules governing these connections are discussed in Chapter 6, "Internet Security Rules".

As with any rules, expect requests to change the access control rules. Whatever the reasons for adjusting the rules, it should be possible to make exceptions through a rule review mechanism. If a security management committee has been established as required by policy (see Chapter 3, "Information Security Responsibilities"), you can ask the committee to revise the rules.

Any gateway proposed for installation on the company network that may violate the rules, or the procedures prescribed by those rules, should not be installed without the prior approval of the security management committee.

Virtual private networks and extranets

The growing number of networks in an organization forces it to look for new ways of connecting remote offices and clients, and of simplifying access for the counterparties or potential counterparties it serves. This growth gave rise to two types of external connections: virtual private networks (VPN, Virtual Private Network) and extranets. VPNs are an inexpensive way to set up communication between two or more divisions of an organization located in different territories. Organizations create a VPN by connecting all departments to the Internet and installing devices that encrypt and decrypt information in each of the communicating departments. For users, working through a VPN looks as if both departments were in the same place on a single network.

Checking the authority of auxiliary systems

Before continuing, remember that each gateway or auxiliary system is an entry point into the organization's network. At every entry point, the authority of the data flow entering and leaving the network must be verified in some way. One issue to consider is the requirement to authorize external connections to auxiliary network systems. This can be a problem for auxiliary systems that are permanently connected to the network; for them, it must be determined how their presence on the network will be authorized. In fact, even temporary network connections, such as incoming modem connections, can have strict authentication requirements.

This section of the rules need not describe authentication requirements; they are discussed in the next section, "Login Security". Here we only note that they are needed. However, to ensure that authentication is addressed for auxiliary systems, the following can be added to the firewall rules clause.

Applications required for gateways to operate must be authenticated by the network. If the application itself cannot be authenticated, the authentication rules described in this document apply to auxiliary systems connected through gateways.


Remote Internet access control (parental control)

This guide describes how to set up computers running Windows XP, Windows 7 or Linux (Ubuntu) for remote control of access to Internet sites.

The manual does not describe in detail how to work with the Rejector service discussed below; it only shows how to configure your computer so as to take full advantage of its capabilities.

All tools used are free or open source software.

Introduction

The Internet is an excellent tool for studying, relaxing or communicating with friends. But besides useful information, the network also contains things undesirable for your child. In addition, surfing the Internet for hours can distract from other important activities such as homework, sport, sleep or socializing with peers. Therefore the child's online activities need to be monitored.

There are many methods of control, but they are not always effective. Persuasion and educational conversations work only for a very short time, because the Internet can captivate a child so much that all persuasion is forgotten. Outright bans, on the other hand, can hinder the development of useful skills for searching and learning on the Internet.

In such cases, special programs for restricting and controlling access to the network will help you. With their help, you can protect your child from the negative influences of the Internet, but at the same time provide freedom of action. One such tool is the Rejector Internet Access Control System.

Rejector is a centralized project for controlling access to the Internet that helps protect children and teenagers from dangerous information. Essentially, Rejector is a DNS server that can be controlled remotely.

How does it work?

    You register, add your IP address and configure the access parameters. The service can be used without registration, but then not all of its features are available.

    Your computers are configured so that all DNS queries are sent to the Rejector DNS servers 95.154.128.32 and 176.9.118.232.

    Each request is checked against your settings (blocked categories or sites, allowed or blocked sites, bookmark lists, scam sites) and, if it is blocked, is redirected to the blocking page.

    You can customize this page as you wish.

    Allowed requests that pass the check go into the shared request cache for quick delivery to all clients.

A more detailed description of Rejector can be found on the official website rejector.ru.

Instructions for setting up the system

1. Create a user with normal rights

Typically, when an operating system is installed, a user with Administrator rights is created. Such a user can perform every action the operating system allows, up to and including removing the system itself.

So that the user whose computer we take control of cannot undo our further actions, we will create a user with limited rights and protect the Administrator account with a password.

On Windows this is done through the Control Panel; on Linux, creating a user is available through System Settings.

2. Set up a network connection

Rejector is essentially a DNS server. To work with it, first configure the network connection so that DNS queries are sent to the Rejector DNS servers 95.154.128.32 and 176.9.118.232.

This is done differently on Windows and Linux.

Windows XP

Windows Vista

Detailed instructions are located at

Windows 7

Detailed instructions are located at

On most Linux operating systems the Network Manager program is used to configure the network. To change the DNS server, do the following:

    Right-click the connection indicator and select the item Change connection in the context menu.

    If you get your Internet connection from a DHCP server, then in the IPv4 parameters change the Setting method to Automatic (DHCP, address only).

    In the DNS Servers field enter the two addresses separated by a comma: 95.154.128.32, 176.9.118.232

    Make the connection Available to all users and Automatically connected.

3. Register on the Rejector website

In principle, we could have started here, but now that one of the difficulties is behind us, this part is easy. Follow the link and fill out the simple registration form.

4. Add a managed network

Having registered on the service, we can create the required number of networks or, which is essentially the same thing, clients that we will manage. Networks (clients) are identified on the service by their IP address, so to control a computer's Internet access you need to know its IP address. For now, simply create a Network through the Control Panel on the Rejector website.

Fill out the Add Network form. Network name: here you can put your child's name if he has his own computer that you want to control. Status: most likely you have a dynamic IP address (rarely does a provider allocate a static address to its clients free of charge), so select that radio button. Network ID: here you can write the name from the first field in Latin letters.

5. Sending IP address

For the service to work, it must constantly "know" the client's IP address, which can change from connection to connection (dynamic IP address). This is the main problem this guide solves.

The service developers offer the Rejector Agent program, which sends the client's IP address to the server, but this program cannot work unattended. Therefore we use the other option provided: updating via an HTTP request (description at the link).

To update the client information via an HTTP request in the background, we need the curl program, which can send HTTP requests to the Internet from the command line. We will give it its parameters in a script: a .bat file for Windows and an .sh file for Linux.

Curl is freely available and has a Windows version, so we use it in both environments. The latest Windows version can be downloaded from the link. To install, just unpack the archive into the C:\WINDOWS\SYSTEM32 folder (this makes the program easier to launch). On Linux it is most likely already installed.

6. Script for regularly updating the IP address

The site offers the following HTTP request, http://username:password@updates.rejector.ru/ni..., which updates the IP address value. We will pass it as a parameter to the curl program.

The address update request must be sent from the computer we want to control. Because the command interpreter treats some characters specially, the request text had to be changed slightly. The script text for Windows and Linux is given below.

For Windows

:loop
curl "http://login%%40mail-server.com:password@updates.rejector.ru/nic/update?hostname=net-name"
REM Make a delay of 300 seconds (ping sends one packet per second)
ping -n 300 127.0.0.1 > NUL
echo 111
goto loop

Here login%%40mail-server.com is the mailbox used to register on Rejector (the @ sign is replaced by %%40), password is the password and net-name is the network name on the Rejector service. Put the script text into an ordinary text file, change its extension to .bat and you have an executable script.

For Linux

#!/bin/sh
# Resend the client's IP address to Rejector every 300 seconds
while true; do
    curl -u login@mail-server.com:password "http://updates.rejector.ru/nic/update?hostname=net-name"
    sleep 300
done

Everything here is analogous to the Windows script. Save this text to a file with the .sh extension.

Both scripts contain the Rejector account password in clear text, so their contents must be hidden from the regular user. This is done differently on Linux and Windows.

To prohibit viewing and editing of the script we created, change the owner and group of the file to root and deny everyone except the owner access to it. If you can work on the command line, use cd to go to the directory with the script file and run chown root:root script.sh and chmod 700 script.sh. To do the same in a graphical shell, first start the file manager with administrator rights, find the script file and change its Rights (permissions) from the context menu.

Without going into how file permissions can be changed on Windows the way they are on Linux, I applied the following solution: convert our executable file to an EXE file to hide its contents. For this we use the free program Bat To Exe Converter; I suggest downloading its Russified version from the link or from the program's official website. The program needs no explanation: the input is our bat file, the output is an exe file.
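The two scripts above embed the password in the script body, which is why the text then has to be hidden from the regular user. The following script is an added example, not part of Rejector or of the guide, that keeps the Linux update loop from step 6 but reads the login and password from a separate file that only root can read, so the script itself needs no protection; it also checks that the machine's resolver really points only at the two Rejector servers from step 2, since a second, ordinary DNS server would let queries bypass the filter. The credential file path and format, the function names and the "run" mode are this example's own assumptions; curl's -u option passes the @ in the login unchanged, and url_encode_login only shows the %40 form the Windows script needs.

```shell
#!/bin/sh
# Added example, not part of Rejector or of the page's scripts: a hardened version
# of the Linux update loop plus a resolver check. The credential file path and
# format (two lines: login, then password), the function names and the "run"
# mode are this example's own assumptions.
CRED_FILE="${CRED_FILE:-/etc/rejector.cred}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
REJECTOR_DNS1=95.154.128.32
REJECTOR_DNS2=176.9.118.232
UPDATE_URL="http://updates.rejector.ru/nic/update"

# The Windows script writes @ as %%40 inside the URL; this is the same
# percent-encoding for a shell (only @ needs it in a mail-address login).
url_encode_login() {
    printf '%s' "$1" | sed 's/@/%40/g'
}

# Update URL with embedded credentials, in the form the Windows script uses.
# send_update below uses curl -u instead, which needs no encoding at all.
build_update_url() {
    login="$1"; password="$2"; net="$3"
    printf 'http://%s:%s@updates.rejector.ru/nic/update?hostname=%s\n' \
        "$(url_encode_login "$login")" "$password" "$net"
}

# The credential file must exist and give no access to group or others
# (mode 600); the script refuses to run otherwise.
credentials_secure() {
    f="$1"
    [ -f "$f" ] || return 1
    # find prints the path only if group or others have read or write access
    [ -z "$(find "$f" -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w)" ]
}

# True only if every nameserver in a resolv.conf is one of the Rejector servers.
dns_uses_rejector() {
    [ -f "$1" ] || return 1
    servers=$(awk '$1 == "nameserver" {print $2}' "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        case "$s" in
            "$REJECTOR_DNS1"|"$REJECTOR_DNS2") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# One update request; --fail makes curl return non-zero on an HTTP error.
send_update() {
    login="$1"; password="$2"; net="$3"
    curl --silent --show-error --fail -u "$login:$password" \
        "$UPDATE_URL?hostname=$net"
}

# Run mode (as root):  script.sh run net-name
if [ "${1:-}" = "run" ]; then
    credentials_secure "$CRED_FILE" || {
        echo "refusing to start: $CRED_FILE is missing or readable by others" >&2
        exit 1
    }
    dns_uses_rejector "$RESOLV_CONF" \
        || echo "warning: $RESOLV_CONF does not point only at Rejector" >&2
    login=$(sed -n 1p "$CRED_FILE")
    password=$(sed -n 2p "$CRED_FILE")
    while true; do
        send_update "$login" "$password" "$2" || echo "update failed" >&2
        sleep 300
    done
fi
```

With the credentials in a root-only file, the chown/chmod step from the Linux instructions is applied to that file rather than to the script, and the script can be placed in /usr/bin readable by everyone.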

7. Set it to start automatically

The last step remains: make the program start automatically together with the system. This is done differently on Linux and Windows.

Log in as Administrator and move our executable file.exe to the Program Files folder. In the user's home directory find the Start Menu folder, in it Programs, then Startup (Autorun), where we place a shortcut to our program (drag the program itself there while holding the Shift key). Done.

Place the executable file in the /usr/bin folder. Then edit the system's local startup file /etc/rc.local, adding the following line before exit 0:

/usr/bin/script.sh &

Here script.sh is the name of our file. The trailing & starts the script in the background; without it, rc.local would wait forever on the script's endless loop and never reach exit 0.

This completes the system setup. You can go to the Rejector service and configure the network operating mode.

Sergey Pavlov, system engineer at Softmart

This article presents the most popular ways of connecting a small organization's office to the Internet. It does not cover choosing a provider or choosing the terminal equipment for connecting to the network. We assume that the provider gives the organization the following:

1. An Ethernet RJ45 network interface, the standard for local network equipment
2. IP address - one or more, permanent or dynamic
3. Gateway IP address and DNS

Let us also sketch a portrait of the organization for which this article is intended:

1. Number of computers on the network: up to 30;
2. There is one file server or corporate management system server on the network;
3. The organization's web server and mail server are hosted at the provider, not on the enterprise's local network;
4. The Internet channel will be used by employees primarily for e-mail and viewing web pages;
5. The organization's computers and servers must be protected from unauthorized access via the Internet.

Possible but rarely encountered requirements can also be mentioned:

1. Secure remote connection of employees to the organization's network, from home or another office;
2. Secure connection of small, geographically dispersed offices;
3. Placement of a web server, mail server or any internal management system server within the organization's network, with free access to them by employees or clients via the Internet.

With this approach, a personal computer or server is dedicated to organizing Internet access. The server or PC is equipped with an additional network card: one card connects to the provider's network, the other to the organization's network switch.
It is advisable to run the NAT (network address translation) service on the gateway.
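The products priced later in this article are Windows ones (UserGate, Kaspersky AntiHacker). As an added example that is not from the article, here is what the same two-card gateway with NAT looks like on a Linux gateway using iptables: the LAN is masqueraded behind the provider-facing interface, the gateway accepts new connections from the LAN only on the proxy port (3128, as for Squid earlier on this page), and everything else arriving from the Internet is dropped, which is the "only the gateway is visible" property described below. Interface names, the LAN subnet and the proxy port are parameters and the function names are this example's own; any other service the gateway should offer (for example remote administration) needs its own accept rule.

```shell
#!/bin/sh
# Added example, not from the article: NAT and firewall rules for the two-card
# gateway, written for a Linux gateway with iptables instead of the Windows
# products in the cost table. Interface names, LAN subnet and proxy port are
# parameters; IPTABLES=echo shows the commands without applying them.
IPTABLES="${IPTABLES:-iptables}"

# Print the rule set, one iptables argument list per line, for a gateway whose
# Internet side is interface $1, LAN side $2, LAN subnet $3 and proxy port $4.
# Accept rules come first and the DROP policies last, so applying the list to a
# live gateway never cuts an established administrative session.
gateway_rules() {
    wan="$1"; lan="$2"; lan_net="$3"; proxy_port="$4"
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport $proxy_port -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Apply the rules in order (as root). Stops with non-zero status at the first
# rule iptables rejects.
apply_gateway_rules() {
    gateway_rules "$@" | while IFS= read -r rule; do
        # word splitting of $rule is intentional: each line is an argument list
        $IPTABLES $rule || exit 1
    done
}

# IP forwarding must be on, otherwise the FORWARD and NAT rules never see traffic.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Usage (as root): sh gateway.sh eth0 eth1 192.168.1.0/24 3128
if [ $# -eq 4 ]; then
    enable_forwarding && apply_gateway_rules "$@"
fi
```

With the FORWARD policy at DROP, workstations can reach the Internet only through the gateway's own proxy port; if the proxy is not used and plain NAT forwarding is wanted, the FORWARD rule for the LAN interface already covers it.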

Advantages of this solution:

1. The ability to use a wide range of software for a variety of tasks, for example:
   to protect the server and network from attacks from the Internet;
   for antivirus protection of the server, traffic or e-mail;
   to protect against spam;
   for traffic accounting;
   to manage Internet access by the organization's employees.
2. One IP address from the provider is enough.
3. The NAT service provides a sufficient level of protection of the local network from outside influences.
4. Low-cost firewall, since products intended for personal computers are acceptable.
5. Only the gateway computer is visible from the Internet, so attackers can only attack this computer; the local network, including servers and workstations, is in principle not reachable by them. Thus, even if the gateway fails, the organization's local network continues to function.

Disadvantages

1. If the gateway computer is also used as an ordinary workstation by one of the employees, for example to save money, serious security problems are possible: a user working on the gateway can weaken the server's security by his actions. There may also be performance problems, since the user takes up part of the computer's power;
2. Using the gateway as the organization's file server is strongly discouraged because the server is reachable from the Internet. A powerful (not personal) firewall and a highly qualified specialist to configure security on the gateway are required. Nevertheless, this is a very common configuration in small organizations;
3. Additional software must be purchased. The NAT service is not included in Windows operating systems except Microsoft Windows XP (which implements NAT with some limitations). Firewall prices range from tens of dollars to several thousand. At a minimum, a special program is required to provide Internet access to all users of the local network (such a program is called a proxy server).
4. An additional device, a LAN card, is required.

Approximate cost of implementing this solution:

Item                          Product / supplier            Price
Personal computer (gateway)                                 $400
Proxy server                  UserGate 3.0 (10 sessions)    $129
Firewall                      Kaspersky AntiHacker          $39
Additional network card       D-Link DFE-530TX              $10
Configuration services        Softmart                      $70
Total                                                       $648

With this approach, organizing Internet access requires obtaining an additional IP address from the provider for each personal computer on the organization's local network. This solution probably gives the organization's employees the fastest connection to the Internet. However, it is rarely used when a company has more than two computers, for two reasons:
1. The provider is extremely reluctant to allocate IP addresses and will recommend switching to any other scheme for connecting computers to the Internet.
2. This solution is potentially the least secure in terms of protecting your data from unauthorized access and attacks from the network.

Advantages:

1. Easy setup of computers.
2. No need to buy an additional computer (a gateway).
3. No need to buy additional software (a proxy server).

Flaws:

1. A comprehensive security system must be installed on each computer.
2. Dependence on the provider's willingness to provide multiple IP addresses.
3. No statistics on channel usage.

Approximate cost of implementing this solution, for each computer on the network:

Item             Product / supplier       Price
Firewall         Kaspersky AntiHacker     $39
Configuration    Softmart                 $10
Total                                     $49

Organizing access using D-LINK devices

D-Link offers a wide range of devices for securely connecting small organizations to the Internet. All solutions can be divided into two large classes:
1. DI series routers
2. DFL series firewalls

The DI family devices have been designed specifically for the needs of small offices. They have all the necessary functionality at a more than reasonable price. Depending on the model, the devices may be equipped with:
a firewall,
a Wi-Fi access point,
a built-in proxy server,
a port for connecting a network printer,
a built-in ADSL modem,
a VPN module.

All devices support:
1. DHCP (dynamic assignment of IP addresses to computers on the network)
2. NAT (dynamic translation of internal network IP addresses to Internet IP addresses)
3. The virtual server function, needed to give Internet users access to a local server
4. The Secure Zone function, needed to give Internet users access to several local resources

Advantages



3. Low price for its class.
4. Protection against attacks by means of NAT, plus the ability to enter rules blocking domains, addresses, etc.


7. The ability to create secure connections over the Internet (VPN) for communication with other offices.
8. The ability to provide access to internal resources of the local network.
9. The ability to support mobile users (Wi-Fi).
10. The ability to connect a network printer.

Flaws:


2. There are hardware limits on the number of employees working simultaneously: a DI device can handle up to 2000 simultaneous connections without noticeable performance degradation.
3. The equipment is sensitive to attacks from within, for example network viruses; under such attacks the load on the device rises sharply.
4. The device itself is poorly protected against standard network attacks, although in such cases the organization's computers behind it, as a rule, do not suffer.
5. Statistics on channel usage by employees are not detailed enough.

Approximate cost of the solution

Item                    Supplier    Price
D-Link DI-604 router    D-Link
Configuration           Softmart
Total

Devices of the DFL family are already high-performance firewalls, equipped with every conceivable and fashionable means of protecting the local network and the organization's resources from intrusion. Depending on the specific model, a device can be equipped with, for example:
an intrusion detection system (IDS),
systems for detecting and repelling typical attacks,
a bandwidth management system,
a load balancing system,
VPN.

You need to select a model based on the number of computers on the network and security requirements. It is best to contact a D-Link Solutions Consultant for assistance.

Advantages:

1. Hardware solutions are very reliable, compact and undemanding.
2. The devices themselves are well protected against attacks from the Internet and protect the perimeter of the organization's local network well.
3. Protection against network attacks, including SYN, ICMP and UDP flooding, WinNuke, port scanning, spoofing, address spoofing, denial of service, etc.
4. Once the system is configured, it requires no further tuning.
5. No dedicated gateway computer is needed.
6. Easy installation and configuration.
7. Low price for its class.
8. The ability to create secure connections over the Internet (VPN) for communication with other offices.
9. The ability to provide access to internal resources of the local network.

Flaws:

1. Setup must be performed by a qualified technician.
2. Statistics on the use of the channel by employees are not detailed enough.

Approximate cost of the solution

Item                       Supplier    Price
D-Link DFL-100 firewall    D-Link      $200
Configuration              Softmart
Total                                  $230

Conclusion

With all the wealth of choice, it seems to us that the best solution for a small organization is still one based on a D-Link device from the DI family. The devices are simple, compact, affordable and quite functional. The only thing DI solutions can be reproached for is the lack of some proxy server capabilities, for example statistics on the volume of data downloaded by each employee. After all, it is this data that providers usually use to bill for channel use. If this function is vital for your organization, you should additionally consider purchasing a proxy server, for example UserGate from eSafeLine. Just do not forget that the proxy server will require the purchase of an additional computer.
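The per-employee download statistics mentioned above come from the proxy's own log. As an added example, not from the original article and not tied to UserGate, the following POSIX shell/awk function sums bytes per authenticated user from a Squid access.log in Squid's native log format; the log lines, user names and addresses are constructed samples, and requests without a login are reported separately so that anything reaching the Internet unauthenticated stands out.

```shell
#!/bin/sh
# Added example (not from the original article): per-user traffic volume
# from a Squid access.log in Squid's native log format, where field 5 is
# the number of bytes sent to the client and field 8 is the login name
# of the authenticated user ("-" when the request was not authenticated).
squid_user_bytes() {
    # reads log lines from stdin, prints "user bytes", largest first
    awk '
        $8 == "-" { unauth += $5; next }   # e.g. 407 challenges
        { bytes[$8] += $5 }
        END {
            for (u in bytes) printf "%s %d\n", u, bytes[u]
            if (unauth > 0) printf "(unauthenticated) %d\n", unauth
        }' | sort -k2,2nr
}

# Constructed sample log lines (not real traffic); the IP addresses,
# user names and URLs are placeholders.
SAMPLE_LOG='1700000000.123    245 192.168.1.20 TCP_MISS/200 15230 GET http://example.com/page.html ivanov HIER_DIRECT/203.0.113.10 text/html
1700000001.456   1021 192.168.1.21 TCP_MISS/200 480000 GET http://example.com/report.pdf petrov HIER_DIRECT/203.0.113.10 application/pdf
1700000002.789     50 192.168.1.20 TCP_HIT/200 2048 GET http://example.com/logo.png ivanov NONE/- image/png
1700000003.012     10 192.168.1.22 TCP_DENIED/407 3900 GET http://example.com/ - HIER_NONE/- text/html'

# bytes reported for one user (or "(unauthenticated)") from the sample
bytes_for_user() {
    printf '%s\n' "$SAMPLE_LOG" | squid_user_bytes | awk -v u="$1" '$1 == u { print $2 }'
}

# run stand-alone: print the full per-user summary of the sample
printf '%s\n' "$SAMPLE_LOG" | squid_user_bytes
```

On a real server, replace the sample with `squid_user_bytes < /var/log/squid/access.log` (path is Squid's usual default).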