Since the 1990s the Internet has become popular in the country. With the development of many websites and applications, the number of Internet users has grown substantially in a short time, and the Internet has gradually begun to affect people's lives, bringing many changes in education, entertainment, the knowledge-based economy and so forth. Through the Internet one can exchange information with friends around the world, take distance-learning courses, or retrieve information through a library's website; business can also be conducted over the Internet. More importantly, the Internet has created a virtual world with no physical form, beyond all the forms of regulation that govern real life. Among the many applications of the Internet, commercial activity can be said to be one of the most important: financial transactions and marketing carried out over the Internet are no longer limited by capital, personnel, equipment, region or the physical limits of points of sale, which makes SMEs more competitive, and many unprecedented e-business models have appeared, such as Business to Business (B to B), Business to Client (B to C), Client to Business (C to B) and Client to Client (C to C). Many investors have joined the ranks of the Internet in what has been called the second industrial revolution. In many of these applications network security is a core issue, because whether it is business data or data transferred by users, money or personal private information is often involved, so data security is the primary concern.
In the past, when a company exchanged messages with another company or between departments within the company, it might have had to lease a dedicated line. This is uneconomical and subject to many regional and equipment constraints. A business would rather set up a network connection dynamically when communication is needed and release it when it is not, so as to save costs. With the popularity of the Internet and the simplicity of its technology, many people want to transfer important and confidential files over the Internet, but fear that the information will be stolen, causing irreparable damage. They therefore hope to establish an absolutely safe data transmission channel (tunnel) over the Internet; this is the basic concept of a VPN.
1. Cost
The simplest and most obvious advantage of an Internet VPN is cost savings. Traditional VPNs built on T1 or ISDN lines or Frame Relay circuits are frightfully expensive, with installation fees, a fixed monthly charge and distance-based charges, and they cost far more than an Internet VPN.
2. Flexibility
An ISP can provide integrated business services. With traditional point-to-point connections, each site requires a different bandwidth and therefore wants circuits of different capacity, which results in cumbersome and wasteful equipment and complex maintenance. Because an Internet VPN service is provided by the ISP, each site can select the bandwidth it needs from the range the ISP offers; this is not only flexible but also saves costs, and bandwidth can be planned according to each site's different needs.
3. Scalability
Geographic expansion: ISP vendors generally have many points of presence within a country or region, so when an office changes scale or relocates, moving the network line is simple; only the connection at one point of the ISP needs to be changed. Mobile notebook users can also dial up to the ISP to join the VPN system, so mobile users are no longer restricted by lines. Bandwidth scalability: when a branch's bandwidth is insufficient, the local ISP can easily upgrade the service provided, without drastic changes to the line.
Tunnels
1. Virtual
The biggest difference between a VPN connection and a traditional leased line is that the connection is generated dynamically when the organization needs it; a VPN usually does not maintain a permanent connection, so when the transmission ends the bandwidth is released for others to use. When a tunnel is opened between two endpoints, the sending end usually processes the IP packet before sending it to the Internet; this processing often includes encrypting the data or adding authentication information, and then recomputing the IP header. When the receiver receives the packet, it removes the outer IP header, reassembles the data, and then decrypts and authenticates it. A tunnel can exist between two different types of endpoints: a general workstation or a security gateway (Security Gateway), where a security gateway may be a router or a firewall. Any combination of the two endpoint types is possible, giving the LAN-to-LAN, LAN-to-Client and Client-to-Client forms.
2. Private
One of the conditions for setting up a VPN is that communication between the two endpoints must be private. Privacy here means that a channel established over a shared transmission medium gives a result equivalent to transmitting over a leased line; it must meet the following four conditions:
Authentication: verifying that the source of the information is the identity it claims to be
Access Control: preventing those without the right to use the system from accessing the data
Confidentiality: preventing unauthorized users from reading or copying the content of the information
Data Integrity: determining that the data has not been changed during transmission
To achieve these conditions, many additional procedures must be added, such as encryption, electronic signatures, hashing and authentication procedures. Because both sides must share a common piece of confidential information called the key, there must also be a key management mechanism.
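The encapsulation described under "Virtual" and the authentication, confidentiality and integrity conditions listed above, as an added example that is not part of the original article: a sending gateway encrypts the inner packet, appends a keyed tag and prepends a new outer IP header; the receiving gateway strips the header, verifies the tag and decrypts. The shared key, gateway addresses and the HMAC-based toy keystream are constructed for the demo and stand in for a real VPN cipher.

```python
import hmac, hashlib, os, struct
from ipaddress import IPv4Address

KEY = b"constructed-shared-key-both-gateways-hold"  # constructed demo key
TUNNEL_PROTO = 253  # IP protocol number reserved for experimentation (RFC 3692)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left zero in this demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def keystream(key, nonce, n):
    """Toy keystream from HMAC-SHA256 in counter mode (not a real VPN cipher)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encapsulate(inner_packet, gw_src, gw_dst, key=KEY):
    """Sending gateway: encrypt the inner packet, append an authentication tag,
    then prepend a new outer IP header addressed gateway-to-gateway."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner_packet, keystream(key, nonce, len(inner_packet))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    body = nonce + ct + tag
    return ipv4_header(gw_src, gw_dst, TUNNEL_PROTO, len(body)) + body

def decapsulate(outer_packet, key=KEY):
    """Receiving gateway: strip the outer header, verify the tag (authentication
    and integrity), then decrypt. Returns None if the packet was tampered with."""
    body = outer_packet[20:]
    nonce, ct, tag = body[:12], body[12:-32], body[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def outer_addresses(outer_packet):
    """Only the gateway addresses are visible on the Internet, not the inner ones."""
    return str(IPv4Address(outer_packet[12:16])), str(IPv4Address(outer_packet[16:20]))
```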
Weaknesses of current firewalls against DDoS attacks
A firewall (Firewall) is a very important part of network security. Most organizations and companies think that simply installing a firewall device will solve their security problems. A firewall mainly protects the internal network from attack by restricting access. However, a firewall can only function as a security mechanism if its environment is configured correctly. Whether a firewall is strong therefore depends mainly on the quality of its configuration; when the firewall rules combine Packet Filters and Proxies for many different services, the administrator can easily make configuration errors that leave loopholes in system security and give an intruder an opportunity. A Packet Filter firewall usually filters on the fields of the IP packet header according to the rules set by the administrator; these fields are mainly:
Packet type (Packet Type), such as IP, UDP, ICMP or TCP
Source host IP address
Target host IP address
Source TCP/UDP port number
Target TCP/UDP port number
Current firewall products find it difficult to withstand DDoS attacks, for the following reasons:
1. A firewall is configured manually by a human (Static Configure) and is therefore not suited to dynamic configuration (Dynamic Configure). Because each attack uses a different mode, the attacker's source address and the protocol used for the attack cannot be known in advance; unless the configuration is made very complete, it is difficult to defend effectively against DDoS attacks.
2. Moreover, current firewall configurations often take the approach of "better to wrongly block a hundred than let one through", that is, they do not distinguish between normal packets and attack packets. For example, to withstand ICMP Ping attacks, most network administrators configure the firewall to block all incoming ICMP Ping packets while not blocking ICMP Ping Response packets. This means users outside the firewall cannot ping internal IP addresses; although it achieves the goal of prevention, it is not a good approach. Now the attack mode has changed to sending large numbers of forged ICMP Ping Response packets, so the firewall has no choice but to block ICMP Ping Response packets as well in order to stop this type of attack packet, which inconveniences users inside the firewall. Therefore, we urgently need a rapid and effective tool for detecting DDoS attacks, so that we can act on an attack as soon as it begins.
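The ICMP Ping Response problem in point 2, as an added example that is not from the original article: a stateless rule over the header fields listed above must block every inbound ICMP packet and so breaks pings from inside users, while a filter that remembers outbound echo requests accepts only the replies that match them, drops forged reply floods, and counts unsolicited replies as a detection signal. The packet summaries, the internal address prefix and the filter classes are constructed for the demo.

```python
from collections import namedtuple

# Constructed packet summary carrying the header fields a packet filter inspects.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type")
ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values for ping request / ping reply
INSIDE = "192.0.2."                # constructed internal prefix (documentation range)

def is_inbound(pkt):
    return not pkt.src.startswith(INSIDE)

def static_filter(pkt):
    """Stateless rule in the style the text describes: drop every inbound ICMP,
    including replies to pings that inside users sent themselves."""
    if is_inbound(pkt) and pkt.proto == "ICMP":
        return "DROP"
    return "ACCEPT"

class StatefulFilter:
    """Accepts an inbound echo reply only if a matching outbound request was seen,
    so forged reply floods are dropped while inside users can still ping out.
    Unsolicited replies are counted as a detection signal for a reply flood."""
    def __init__(self):
        self.pending = set()          # (inside_host, outside_host) of outstanding pings
        self.unsolicited_replies = 0

    def decide(self, pkt):
        if pkt.proto != "ICMP":
            return "ACCEPT"           # only the ICMP handling is shown here
        if not is_inbound(pkt) and pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst))
            return "ACCEPT"
        if is_inbound(pkt) and pkt.icmp_type == ECHO_REPLY:
            if (pkt.dst, pkt.src) in self.pending:
                self.pending.discard((pkt.dst, pkt.src))
                return "ACCEPT"
            self.unsolicited_replies += 1
        return "DROP"                 # inbound requests and unsolicited replies

def ping(inside, outside):
    """Constructed request/reply pair for an inside host pinging an outside host."""
    req = Packet("ICMP", inside, outside, None, None, ECHO_REQUEST)
    rep = Packet("ICMP", outside, inside, None, None, ECHO_REPLY)
    return req, rep
```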