Remote access
Specific Applications
Users running Windows computers with network connections can dial in to remotely access their network and use services such as file and printer sharing, email, scheduling, and SQL database access.
User Classification
Two kinds of people need remote access: system administrators and ordinary users.
System administrators typically need to remotely access the enterprise's network devices or servers to perform remote configuration and management operations. Judging by current product development, most enterprise-class network devices and servers provide remote configuration and management interfaces, so administrators can use Telnet, SSH, a web GUI, or even a remote management software terminal to enter the intranet from the WAN side of the enterprise network for management and maintenance.
The remote access needs of ordinary users usually come from remote office workers, traveling staff and, frequently, business executives, who need to operate ERP, CRM, HR and other information systems for viewing, approval, order submission and similar operations. As business keeps developing, this kind of remote access has gradually become a focus for corporate IT administrators.
Requirement Classification
The remote access requirements of ordinary users can be met in three ways.
The first is to open the port of the internal application system so that external IP addresses can access it directly, relying on the application system's own authentication to keep out unauthorized users.
The second is the Terminal Services feature provided by Windows Server 2003 and later versions: Windows Remote Desktop running on the external PC first connects to the Terminal Server on the intranet, and through that server accesses the internal application system.
The third is to use VPN technology to establish a remote connection into the enterprise intranet and then access intranet applications through the VPN.
First Category: Opening Ports
The port of the internal application system is opened directly on the firewall. For example, if a company's ERP system uses application ports 7001 to 7006, the firewall forwards ports 7001 to 7006 to the intranet IP address of the ERP server. Traveling or remote office staff can then reach the ERP system directly through ports 7001 to 7006 of the enterprise's public IP address, and after passing the ERP system's own authentication they can enter the ERP system.
This approach is very simple to implement and is a common solution for companies with limited technical capability, especially those with a limited budget. But its threat is equally obvious: exposing the ERP server's ports directly to the public network invites network attacks and intrusions. In today's environment of viruses and attacks, this is undoubtedly a serious threat to the security of internal application systems and their servers.
Second Category: Remote Desktop Technology
Windows XP and all versions of Vista integrate a Remote Desktop terminal. Just turn on the Terminal Services function on the application system server and open port 3389 (the dedicated port for Remote Desktop) on the firewall; traveling or remote office staff can then connect to the application server from the Remote Desktop terminal on their own PC and run the relevant application programs.
This scheme has become common because of the spread of Windows. Its main points are:
1. Accessing the application through Remote Desktop is equivalent to running the client program on the application server itself, or on an intranet PC used as the Terminal Server, so generated files are saved on the server by default. To save them on the remote PC, or to print on a printer attached to the remote PC, the Terminal Services disk-mapping function must be configured, along with more complex settings such as installing the remote printer driver on the server.
2. Remote Desktop requires its own authentication, a stricter validation mechanism than the first scheme, so its security is inevitably above that of the first scheme.
3. For an external PC to connect to the intranet server through Remote Desktop, port 3389 must still be opened to the public network, so the risk of the server being attacked and intruded through the open port remains.
4. Remote Desktop technology itself does not encrypt the transmitted data; if someone deliberately runs a capture tool on the network, the transmitted data can be recovered, leaking internal information belonging to the enterprise and even commercial secrets.
Some products on the market use Remote Desktop technology as their core and develop remote access platform software that is easier to manage and maintain. Some brands have enabled disk mapping and remote printing and provide simple encryption. Safety and usability are improved compared with plain Windows, but the installation steps are more cumbersome, the encryption level is low and there is a risk of cracking, and the risk of exposing the server's port 3389 is still hard to avoid.
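The risk in point 3 above, a server reachable on port 3389 from the public network, shows up in the server's own logon audit trail as runs of failed Remote Desktop logons from one address. The following detector is an added example written for this article, not code from the article or from any product it mentions. It scans constructed log records whose fields are modelled on the Windows Security log events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. Remote Desktop); the whitespace-separated record layout and the sample addresses are assumptions made for this illustration, and a real collector would map the fields from the actual event XML.

```python
"""Flag password guessing against an exposed Remote Desktop (3389) listener.

Added example, not from the original article. Record layout (assumed for
this illustration): "<ISO timestamp> <event id> <logon type> <user> <src ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: one guessing run from 203.0.113.7 that ends in a
# successful logon, one ordinary typo from 198.51.100.4, a console logon, a
# slow trickle from 192.0.2.9 below the threshold, and one malformed line.
SAMPLE_LOG = """\
2024-03-01T08:00:01 4625 10 administrator 203.0.113.7
2024-03-01T08:00:02 4625 10 admin 203.0.113.7
2024-03-01T08:00:03 4625 10 root 203.0.113.7
2024-03-01T08:00:04 4625 10 guest 203.0.113.7
2024-03-01T08:00:05 4625 10 jsmith 203.0.113.7
2024-03-01T08:00:06 4625 10 jsmith 203.0.113.7
2024-03-01T08:00:10 4624 10 jsmith 203.0.113.7
2024-03-01T08:00:30 4625 10 bob 198.51.100.4
2024-03-01T08:00:45 4624 10 bob 198.51.100.4
2024-03-01T08:01:00 4624 2 alice -
2024-03-01T08:02:00 4625 10 admin 192.0.2.9
2024-03-01T08:02:30 4625 10 admin 192.0.2.9
2024-03-01T08:03:00 4625 10 admin 192.0.2.9
2024-03-01T08:03:05 this line is malformed
"""


def parse_line(line):
    """Parse one record; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "event_id": int(parts[1]),
            "logon_type": int(parts[2]),
            "user": parts[3],
            "src_ip": parts[4],
        }
    except ValueError:
        return None


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources with >= threshold Remote Desktop
    logon failures inside a sliding window; an alert also records whether a
    successful Remote Desktop logon from that source followed the failures."""
    recent = defaultdict(deque)       # src_ip -> failure timestamps inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["logon_type"] != 10:   # only Remote Desktop logons
            continue
        ip = rec["src_ip"]
        if rec["event_id"] == 4625:
            q = recent[ip]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            total_failures[ip] += 1
            users_tried[ip].add(rec["user"])
            if len(q) >= threshold:
                alerts.setdefault(ip, {"success_after": False, "compromised_user": None})
            if ip in alerts:
                alerts[ip]["failures"] = total_failures[ip]
                alerts[ip]["users"] = users_tried[ip]
        elif rec["event_id"] == 4624 and ip in alerts:
            # a successful logon after a flagged run is the case to act on first
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_user"] = rec["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The sliding window rather than a plain per-source counter is what keeps the slow trickle from 192.0.2.9 below the threshold while still catching a burst; the threshold and window are the two knobs to tune against the normal rate of mistyped passwords on the server being monitored.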
Third Category: VPN Technology
VPN technology is applied in the same way; its biggest advantage is that the data travels in an encrypted VPN channel, with the corresponding security. There are three mainstream VPN technologies: PPTP VPN, IPsec VPN and SSL VPN.
PPTP VPN
PPTP is a remote dial-up technology, and the PPTP VPN dialer is the dial-up program that comes with Windows. Using a previously configured account, users remotely dial in to the enterprise's PPTP VPN gateway with that built-in dial-up program, and once connected they access internal applications by their intranet IP addresses.
The advantage of PPTP VPN is that the technology is widespread and Windows comes with the dial-up program, so end users do not need to buy additional software, reducing cost and maintenance. A disadvantage is that the PPTP protocol itself provides a lower level of encryption: it gives data on the public network some protection, but the security level of PPTP is not highly regarded and there is a risk of cracking. In addition, after a user has dialed into the intranet there is no corresponding permission management: any intranet resource can be accessed, which is not conducive to internal network information security management.
IPsec VPN
IPsec VPN, with its 168-bit encryption security and the falling cost of its core technology, has become a preferred scheme for enterprises building cross-regional VPN networks. Once an IPsec VPN is established between any two networks, applications and access on either side can be used as if they were on the same local area network.
Gateway routers on the market usually support the IPsec VPN feature, which is commonly used to build cross-regional VPNs between enterprise headquarters and branches, connecting multiple local area networks. If IPsec VPN is used for remote access, an IPsec VPN client program must be installed on the remote PC. Such a client is usually not free, with prices ranging from hundreds to thousands of yuan, and client configuration is usually rather complicated and presents some technical difficulty for ordinary employees, especially executives. Similarly, IPsec VPN is hard to manage: once the VPN is connected, any system can be accessed without restriction, which is not conducive to internal information security management.
SSL VPN
The 128-bit encryption used by SSL VPN also provides high-grade data transmission security, and SSL technology is built into all mainstream browsers. Ordinary users only need to access the portal over HTTPS and their data is transmitted in an SSL-encrypted channel, avoiding cumbersome installation and commissioning and requiring no additional investment. Because of its high security, ease of use and low cost, SSL encryption has been widely adopted by online banking, online shopping, online payment and other industries with security and mobility requirements.
Traveling or remote office staff simply open a browser, enter the URL or IP address of the enterprise SSL VPN portal and log in with their personal VPN account to enter the enterprise intranet and access all kinds of intranet resources. SSL VPN products on the market usually have user permission management functions; some can set permissions per user group (a finance group, an administrative group and so on), allowing or denying all members of the group access to particular intranet resources or application systems. A few products can even set permissions for each individual user, greatly improving the manageability of enterprise intranet information security.
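The group and per-user permission model just described is the property that separates SSL VPN from the PPTP and IPsec schemes above, where a connected user can reach any intranet resource. The policy evaluator below is an added example written for this article, not the code of any SSL VPN product; it shows the decision order such a portal needs (an individual user's rule overrides the group rules, an explicit deny beats an allow, and anything not matched is denied). The host names, group names, users and port ranges are constructed for the illustration, and the ERP port range 7001-7006 is taken from the first category above.

```python
"""Group and per-user access control for an SSL VPN portal.

Added example, not from the original article or any vendor product.
Resources are written "host:port", "host:lo-hi" or "host:*"; a host of "*"
matches every host. Decision order: user rule > group rules > default deny,
and within each level an explicit deny wins over an allow.
"""


def parse_resource(spec):
    """Split a resource spec into (host, low port, high port)."""
    host, sep, ports = spec.rpartition(":")
    if not sep or not host or not ports:
        raise ValueError(f"bad resource spec: {spec!r}")
    if ports == "*":
        lo, hi = 0, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return host, lo, hi


def resource_matches(rule_spec, host, port):
    """True if a rule's resource spec covers the requested host and port."""
    rule_host, lo, hi = parse_resource(rule_spec)
    return (rule_host == "*" or rule_host == host) and lo <= port <= hi


class VpnAccessPolicy:
    def __init__(self):
        self.group_members = {}   # group -> set of user names
        self.group_rules = {}     # group -> list of (resource spec, "allow" | "deny")
        self.user_rules = {}      # user  -> list of (resource spec, "allow" | "deny")

    def add_group(self, group, members, rules):
        self.group_members[group] = set(members)
        self.group_rules[group] = list(rules)

    def add_user_rule(self, user, resource, action):
        self.user_rules.setdefault(user, []).append((resource, action))

    @staticmethod
    def _decide(rules, host, port):
        """Explicit deny beats allow; None when no rule matched at this level."""
        matched = {action for spec, action in rules if resource_matches(spec, host, port)}
        if "deny" in matched:
            return False
        if "allow" in matched:
            return True
        return None

    def is_allowed(self, user, target):
        host, lo, hi = parse_resource(target)
        if lo != hi:
            raise ValueError("an access request must name a single port")
        # 1. per-user rules take precedence over everything the groups say
        verdict = self._decide(self.user_rules.get(user, []), host, lo)
        if verdict is not None:
            return verdict
        # 2. union of the rules of every group the user belongs to
        group_rules = [rule for group, members in self.group_members.items()
                       if user in members for rule in self.group_rules[group]]
        verdict = self._decide(group_rules, host, lo)
        # 3. default deny: nothing matched, so the resource stays invisible
        return bool(verdict)


def build_sample_policy():
    """Constructed policy: a finance group, an admin group, and one user override."""
    policy = VpnAccessPolicy()
    policy.add_group("finance", ["alice", "bob"], [
        ("erp.corp.example:7001-7006", "allow"),
        ("fileserver.corp.example:445", "allow"),
    ])
    policy.add_group("admin", ["carol"], [("*:*", "allow")])
    # bob is a contractor: his group may use the file server, he may not
    policy.add_user_rule("bob", "fileserver.corp.example:445", "deny")
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, target in [("alice", "erp.corp.example:7003"), ("bob", "fileserver.corp.example:445"),
                         ("dave", "erp.corp.example:7001"), ("carol", "db.corp.example:1433")]:
        print(user, target, "allow" if policy.is_allowed(user, target) else "deny")
```

Keeping the default at deny is the point of the exercise: a user who is in no group, or a port just outside a group's range, gets nothing, which is exactly the restriction the PPTP and IPsec schemes lack.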
Scheme Selection
On comprehensive analysis, VPN technology wins on information transmission security and has gradually drawn the attention of many domestic enterprises. However, VPN technology also has shortcomings: operating systems such as ERP remotely through a VPN usually places higher demands on bandwidth, and insufficient bandwidth means long waits. The best way to solve this problem is to combine VPN with Remote Desktop technology, especially SSL VPN plus Remote Desktop.
Remote Desktop
SSL VPN guarantees transmission security, avoids opening server ports and provides permission management. Remote Desktop transmits only the changes to the screen, so in theory each connection needs only 28.8K of bandwidth, greatly reducing the bandwidth required to operate application systems remotely. Remote Desktop can then be used inside the SSL VPN channel.
Breaking Through Limits
Remote Server Power Supply
A server can only be remotely managed when its power is actually on, so it must first be ensured that the remote site's power supply and backup power supply are working properly. An uninterruptible power supply (UPS) system is standard equipment and temporarily keeps power on when the local public supply is interrupted. UPS batteries generally provide only a few minutes of emergency power, just enough to complete the server shutdown process.
Some servers cannot be turned off at all (or are not allowed to be). For applications whose availability level requires zero downtime, consider an alternative power source that takes over before the UPS battery is exhausted: diesel generators, local cogeneration facilities, or solar, wind or methane-powered fuel cell installations. A fully redundant public power provider and line can also be chosen, although this is unrealistic for most companies.
When power fails, remote server management tools cannot help you, especially when the cause of the failure is a fault in the switch panel or a tripped circuit breaker. A technician must be arranged to check and fix the problem on site.
Remote Network
A remote server must be managed over the network, which requires a reliable Internet connection: network traffic crosses the local service provider, the regional backbone and the remote service provider. Any interruption at any of these points will hinder management of the remote server.
Redundant Internet connections at a remote data center are very common and useful. Real redundancy must use different operators over different physical lines. Any redundant Internet provider must include line redundancy; many organizations simply sign with different Internet providers whose services share the same physical lines, and that redundancy is not enough.
A dial-up Internet connection can be deployed for emergency use, but managing a remote server over a dial-up line is a challenge even for the most experienced administrator.
Consider employing technicians to maintain the internal network locally at the remote site. A technician can find a failed router causing a connection problem, or an internal network adapter or switch port issue, on site. These physical issues cannot be repaired by remote management tools.