There are many ways to isolate internal and external networks; today we will talk about the five mainstream types:
DMZ (demilitarized zone) is a buffer zone between an untrusted network and a secured one, introduced to solve the problem that, once a firewall is installed, users on the external network can no longer reach servers on the internal network. Generally speaking, an enterprise sets up two firewalls between the internal and external networks, and the area between the two firewalls is the DMZ. The internal network can actively access the DMZ, and the DMZ can actively access the external network, which creates an intermediate buffer that allows a higher security standard. For a particular service to cross the network boundary it has to pass through the DMZ, which generally requires deploying ** (transit) equipment for that service in the DMZ.
A dual-NIC host installs two NICs on one physical host, one connected to the internal network and one to the external network. This isolation method amounts to building a special device that is connected to both networks at the same time, which generally needs to be managed by a designated person. When a cross-network file exchange is required, the sender transmits the data to the host, the designated person reviews and registers the file content, and only then is the data sent from the host on to the other network.
A firewall is a protective barrier built on the boundary between the internal and external networks, or between a private and a public network. It is erected between the two networks and blocks all cross-network communication by default. To allow a specific service to cross the boundary, rules for that service are configured on the firewall so that its traffic is permitted to pass. The benefits of using a firewall include protecting vulnerable services, controlling access to systems, centralizing security management, enhancing confidentiality, and recording and producing statistics on network usage and illegal use.
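The DMZ and firewall descriptions above both come down to one rule: every cross-zone flow is denied unless a rule explicitly allows it, and the DMZ sits between the two firewalls so that internal hosts reach the DMZ, the DMZ reaches the outside, and nothing initiates inward. The following is an added example, not code from the article, that models that zone policy as a small first-match evaluator with default deny and produces the kind of usage log the article credits firewalls with. The address plan, the published DMZ services (TCP 443 and 25) and the sample packets are constructed for illustration.

```python
"""Zone-based default-deny policy evaluator (added example, not from the article).

Three zones (internal, dmz, external); all cross-zone traffic is denied unless an
explicit rule allows it. The address plan, rule set and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption, not from the article).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("172.16.0.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the named networks is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" / "udp" / "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" / "deny"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# Constructed policy mirroring the article's DMZ design:
# internal may initiate to the DMZ, the DMZ may initiate to the external network,
# the external network may only reach published services in the DMZ, and
# nothing may initiate into the internal network from outside.
POLICY: List[Rule] = [
    Rule("internal", "dmz", "any", None, "allow"),
    Rule("dmz", "external", "any", None, "allow"),
    Rule("external", "dmz", "tcp", 443, "allow"),   # published HTTPS relay in the DMZ
    Rule("external", "dmz", "tcp", 25, "allow"),    # published mail relay in the DMZ
    # Everything else falls through to the default deny in evaluate().
]

def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation; default deny when no rule matches."""
    sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
    if sz == dz:
        return "allow"   # intra-zone traffic never crosses the firewall
    for r in policy:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"

def audit(packets: List[Packet]) -> List[str]:
    """One log line per packet: the 'recording of network usage' the article mentions."""
    return [
        f"{evaluate(p).upper():5} {zone_of(p.src)}->{zone_of(p.dst)} "
        f"{p.proto}/{p.dport} {p.src}->{p.dst}"
        for p in packets
    ]

if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("10.1.2.3", "172.16.0.10", "tcp", 8080),    # internal -> dmz
        Packet("172.16.0.10", "203.0.113.5", "tcp", 443),  # dmz -> external
        Packet("203.0.113.5", "172.16.0.10", "tcp", 443),  # external -> published dmz service
        Packet("203.0.113.5", "172.16.0.10", "tcp", 22),   # external -> unpublished dmz port
        Packet("203.0.113.5", "10.1.2.3", "tcp", 443),     # external -> internal (never allowed)
        Packet("172.16.0.10", "10.1.2.3", "tcp", 445),     # dmz -> internal (never allowed)
    ]
    for line in audit(samples):
        print(line)
```

The order of the rules does not matter for this policy because no allow and deny rule overlap, but a real ruleset is first-match, so a broad allow placed above a narrow deny silently wins; keeping the default deny as the only fallback, as here, is what makes the "special rule per service" model safe.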
If an enterprise has deployed a cloud desktop virtualization platform, it can construct two virtual subnets on that platform (for example, an office virtual subnet and an R&D virtual subnet) that are not connected to each other. The enterprise then isolates virtual desktops by assigning two of them to each employee who needs them, one connected to each of the two subnets. VM isolation is a good strategy for preventing viruses from spreading throughout the cloud environment.
The isolation gatekeeper (gap device) works on the principle of blocking the network communication protocol: it uses a private protocol internally, is connected to only one network at any given moment, and attaches to the two networks in turn to ferry data across.
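The gatekeeper principle above is easiest to see as a state machine: a device that refuses to be attached to both networks at once, that never forwards a session, and that moves only a reviewed private record from one side to the other. The following is an added example, not code from the article or from any gatekeeper vendor, that models one ferry cycle in those terms. The two sides, the record format, the content-type allow-list and the size limit are all constructed assumptions.

```python
"""Protocol-break ferry model (added example, not from the article).

The device attaches to at most one network at a time, speaks no network protocol
across the gap, and moves data as a checked private record rather than as a
forwarded session. Sides, record format and allow-list are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib

ALLOWED_TYPES = {"text/plain", "application/pdf"}   # constructed content allow-list
MAX_SIZE = 1_000_000                                  # constructed size limit in bytes

@dataclass
class Record:
    """Private internal representation: no headers, no session state, just reviewed fields."""
    name: str
    content_type: str
    payload: bytes
    sha256: str

@dataclass
class Side:
    """Stand-in for one network: an outbox the ferry reads and an inbox it delivers into."""
    name: str
    outbox: List[Dict] = field(default_factory=list)
    inbox: List[Record] = field(default_factory=list)

class Gatekeeper:
    def __init__(self, a: Side, b: Side):
        self.sides = {a.name: a, b.name: b}
        self.connected: Optional[str] = None
        self.log: List[str] = []

    def connect(self, side: str) -> None:
        # Invariant: only one network is attached at any moment.
        if self.connected is not None and self.connected != side:
            raise RuntimeError(f"refusing to connect {side} while {self.connected} is attached")
        self.connected = side
        self.log.append(f"connect {side}")

    def disconnect(self) -> None:
        self.log.append(f"disconnect {self.connected}")
        self.connected = None

    def _ingest(self, item: Dict) -> Optional[Record]:
        """Content check that replaces protocol forwarding; rejected items never cross."""
        ctype = item.get("content_type")
        if ctype not in ALLOWED_TYPES:
            self.log.append(f"reject {item.get('name')}: type {ctype}")
            return None
        payload = item.get("payload", b"")
        if len(payload) > MAX_SIZE:
            self.log.append(f"reject {item.get('name')}: size {len(payload)}")
            return None
        return Record(item["name"], ctype, payload, hashlib.sha256(payload).hexdigest())

    def ferry(self, src: str, dst: str) -> List[Record]:
        """One cycle: attach src, pull and check, detach, attach dst, deliver, detach."""
        self.connect(src)
        staged = [r for r in (self._ingest(i) for i in self.sides[src].outbox) if r is not None]
        self.sides[src].outbox.clear()
        self.disconnect()

        self.connect(dst)
        self.sides[dst].inbox.extend(staged)
        self.disconnect()
        self.log.append(f"ferried {len(staged)} record(s) {src}->{dst}")
        return staged

def exclusivity_holds() -> bool:
    """True if the device refuses a second attachment while one network is connected."""
    gk = Gatekeeper(Side("a"), Side("b"))
    gk.connect("a")
    try:
        gk.connect("b")
    except RuntimeError:
        return True
    return False

def demo() -> Gatekeeper:
    # Constructed sample: one acceptable document and one executable that must be rejected.
    ext, inner = Side("external"), Side("internal")
    ext.outbox += [
        {"name": "report.txt", "content_type": "text/plain", "payload": b"quarterly figures"},
        {"name": "tool.exe", "content_type": "application/x-msdownload", "payload": b"MZ..."},
    ]
    gk = Gatekeeper(ext, inner)
    gk.ferry("external", "internal")
    return gk

if __name__ == "__main__":
    g = demo()
    print("\n".join(g.log))
    print([r.name for r in g.sides["internal"].inbox])
```

The point of `_ingest` is that the receiving side only ever sees a `Record` the device itself built; nothing from the sender's transport (headers, options, connection state) survives the crossing, which is what "blocking the network communication protocol" means in practice. The hash in the record gives the operator an audit trail of exactly what was ferried.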
Based on the enterprise user's isolation scheme, the cloud box can achieve safe and orderly exchange and management of data between the internal and external networks without changing the internal network architecture.