How should the security of the Ethernet Switches system be set up?
Ethernet Switches as the core of the entire network, should be able to access and access to network information users to distinguish and authority control. More importantly, the Ethernet Switches should also cooperate with other network security devices, unauthorized access and network attacks to monitor and prevent.
Ethernet Switches in the enterprise network occupies an important position, usually the core of the entire network. In this hacker invasion surging, the virus raging network era, as the core of the Ethernet Switches is also a matter of course to take part of the responsibility of network security. Therefore, the Ethernet Switches to have the performance of professional security products, security has become a network construction must be considered among the most important. Security Ethernet Switches come into being, in the Ethernet Switches integrated security authentication, ACL (Access Control List, access control list), firewall, intrusion detection and even anti-virus function, the network security really need to "armed to the teeth"
Security Ethernet Switches three meanings
The most important role of the Ethernet Switches is to forward data, in the hacker attacks and virus intrusion, the Ethernet Switches to be able to continue to maintain its efficient data forwarding rate, not subject to attack interference, which is the Ethernet Switches the most basic security features. At the same time, the Ethernet Switches as the core of the entire network, should be able to access and access to network information users to distinguish and authority control. More importantly, the Ethernet Switches should also cooperate with other network security devices, unauthorized access and network attacks to monitor and prevent.
802.1x enhances security authentication
In the traditional LAN environment, as long as there is a physical connection port, unauthorized network equipment can access the LAN, or unauthorized users can connect to the LAN through the device into the network. This creates a potential security threat for some businesses. In addition, in the network of schools and intelligent communities, it is very important to verify the legitimacy of user access due to the billing of the network. IEEE 802.1x is the medicine to solve this problem, has been integrated into the two-tier intelligent Ethernet Switches to complete the user access security audit.
The 802.1x protocol is a LAN access control protocol that conforms to the IEEE 802 protocol set, which is called a port-based access control protocol. It can use the advantages of IEEE 802 LAN based on the provision of a link to the LAN user authentication and authorization means to achieve the legitimate user access to protect the purpose of network security.
The 802.1x protocol is seamlessly integrated with the LAN. 802.1x leverages the physical characteristics of the Ethernet Switchesed LAN architecture and implements device authentication on the LAN port. During the authentication process, the LAN port either acts as a certifier or as a requestor. In the case of a certifier, the LAN port first authenticates before the user needs to access the corresponding service through the port. If the authentication fails, the LAN port is not allowed to be accessed. When the request is made, the LAN port is responsible for submitting the access to the authentication server Service application. Port-based MAC locking only allows trusted MAC addresses to send data to the network. Data streams from any "untrusted" device are automatically discarded to ensure maximum security.
In the 802.1x protocol, only the following three elements to be able to complete the port-based access control user authentication and authorization.
1. client. Generally installed on the user's workstation, when the user needs to access the Internet, activate the client program, enter the necessary user name and password, the client program will send out the connection request.
2. Certification system. In the Ethernet system refers to the authentication Ethernet Switches, its main role is to complete the user authentication information upload, release work, and according to the results of certification to open or close the port.
3. Authentication server. (User name and password) to determine whether the user has the right to use the network system to provide network services, and according to the certification results to the Ethernet Switches to open or keep the port closed state.
The traffic control technology of the security Ethernet Switches limits the abnormal traffic flowing through the port to a certain extent and avoids the unrestricted abuse of the bandwidth of the Ethernet Switches. The traffic control function of the security Ethernet Switches can realize the control of abnormal traffic and avoid the network congestion.
Once the enterprise network has been a large-scale distributed denial of service attacks, will affect the use of a large number of users of the normal network, and even cause serious network paralysis, service providers become the most troublesome attack. The security Ethernet Switches uses specialized technology to guard against DDoS attacks, which can intelligently detect and block malicious traffic without affecting the normal business, thus preventing the network from being threatened by DDoS attacks.
Virtual LAN VLAN
Virtual LAN is an essential feature for secure Ethernet Switches. VLANs can implement a limited broadcast domain on a Layer 2 or Layer 3 Ethernet Switches that divides the network into a separate area that can control whether these areas can communicate. VLANs can span one or more Ethernet Switches, regardless of their physical location, as if they were communicating between the same network. VLANs can be formed in various forms, such as ports, MAC addresses, IP addresses, and so on. VLANs restrict unauthorized access between different VLANs and can set the IP / MAC address binding feature to restrict unauthorized user access to the user.
Firewall function based on access control list
The security Ethernet Switches adopts the access control list ACL to implement the security function of the packet filtering firewall and enhance the security guard capability. The access control list was previously used only at the core router. In a secure Ethernet Switches, access control filtering can be based on the source / destination Ethernet Switches slot, port, source / destination VLAN, source / destination IP, TCP / UDP port, ICMP type, or MAC address.
ACL not only allows network managers to use the network strategy, for individual users or specific data flow to allow or deny the control can also be used to strengthen the network security shielding, so that hackers can not find a specific host in the network to detect , And thus can not attack.
Intrusion Detection IDS
The IDS function of the security Ethernet Switches can be detected according to the contents of the report information and the data stream. When the network security event is discovered, the operation of the security event is sent to the Ethernet Switches, and the Ethernet Switches The port is disconnected. To achieve this linkage, the need for Ethernet Switches to support authentication, port mirroring, forced traffic classification, process control, port anti-check function
Device redundancy is also important
The physical security is the guarantee of the safe operation of the network. Any manufacturer can not guarantee that its products do not fail, and failure can quickly Ethernet Switches to a good device, is a matter of concern. Backup power supply, backup management module, redundant ports and other redundant equipment will be able to ensure that even in the case of equipment failure, immediately given the backup module, security network operation.