How to make Ethernet switches and routers more secure?
Traditional network security technology focuses on intrusion detection, anti-virus software and firewalls. What about internal security? Ethernet switches and routers occupy a central place in the network security architecture, and in the seven-layer network model every layer must be secured.
Many Ethernet switches and routers ship with a rich set of security features; understanding what they are, how they work and how to deploy them ensures that a problem at one layer does not affect the entire network. Switches and routers should be secure by default and delivered in a secure configuration. Settings needed for special operations are enabled only when the user asks for them; every other option is disabled to reduce risk, so the network administrator does not have to work out which options should be turned off.
On initial login the user is forced to change the password; there are password options and a limit on the number of login attempts, and passwords are stored in encrypted form. Undocumented accounts (maintenance accounts or back doors) should not exist.
Ethernet switches and routers must remain secure through a power failure, warm start, cold start, IOS upgrade, hardware change or module failure: security must not be compromised, and normal operation should resume once the event is over. For the sake of logging, the network device should keep secure and accurate time via the Network Time Protocol. The default names used for SNMP management connections should also be changed.
Resist DoS attacks
In terms of availability, Ethernet switches and routers need to withstand denial-of-service (DoS) attacks and remain available while under attack. Ideally they should respond when attacked by shielding the affected IP addresses and ports. Every event should trigger an immediate reaction and be recorded in the log, and the devices should be able to identify and respond to a worm attack.
Ethernet switches and routers that use FTP, HTTP, Telnet or SSH may contain code vulnerabilities; once a vulnerability is found and reported, the manufacturer can develop, build, test and release an upgrade package or patch.
Role-based administration gives each administrator the minimum permissions needed to complete a task, allows duties to be assigned, provides checks and balances, and permits only trusted connections to manage the device. Administrative privileges can be assigned per device or per host; for example, administrative rights can be granted to a specific IP address and a specific TCP/UDP port.
The best way to manage administrative privileges is to grant access through pre-established permissions, via authentication and accounting servers such as remote access services, terminal services or LDAP services.
Encryption of remote connections
In many cases administrators need to manage Ethernet switches and routers remotely, often reachable only over the public network. To secure management traffic, encrypted protocols are needed: SSH is the standard for all remote command-line administration and file transfer, web-based management uses SSL or TLS, and LDAP, the usual protocol for directory communication, is protected with SSL/TLS encryption.
SNMP, used to discover, monitor and configure network equipment, must ensure that only authorized communication is accepted.
Establishing login controls reduces the chance of a successful attack: set a limit on the number of login attempts, and respond when a scan is encountered. Detailed logging is very effective for detecting password-cracking attempts and port scans.
The security of switch and router configuration files cannot be ignored. Configuration files are usually saved in a safe location; when things go wrong, the backup file can be retrieved, installed and activated to restore the device to a known state. Some Ethernet switches include intrusion detection capabilities, and some support port mirroring, allowing administrators to select a monitoring port.
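The detection side of the paragraph above, as an added example that is not from the article or any vendor: it parses constructed syslog-style lines from a switch and flags sources that exceed a failed-login threshold inside a sliding window (password guessing) and sources that are denied on many distinct destination ports in a short time (port scanning). The log format, field names, thresholds and addresses are assumptions made for this illustration; real device logs differ by vendor, so the regular expression would need adjusting.

```python
"""Added example (not from the article): flagging password-guessing and port
scans in switch/router logs. Log format, field names and thresholds are
assumptions for this illustration; real syslog formats vary by vendor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, loosely modelled on syslog output from a switch.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2024-01-10T09:00:01 sw1 LOGIN_FAILED user=admin src=203.0.113.5 proto=ssh
2024-01-10T09:00:03 sw1 LOGIN_FAILED user=admin src=203.0.113.5 proto=ssh
2024-01-10T09:00:04 sw1 LOGIN_FAILED user=root src=203.0.113.5 proto=ssh
2024-01-10T09:00:06 sw1 LOGIN_FAILED user=admin src=203.0.113.5 proto=ssh
2024-01-10T09:00:07 sw1 LOGIN_OK user=netops src=192.0.2.10 proto=ssh
2024-01-10T09:01:00 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=22 proto=tcp
2024-01-10T09:01:00 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=23 proto=tcp
2024-01-10T09:01:01 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=80 proto=tcp
2024-01-10T09:01:01 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=443 proto=tcp
2024-01-10T09:01:02 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=161 proto=udp
2024-01-10T09:01:02 sw1 ACL_DENY src=198.51.100.7 dst=192.0.2.1 dport=8080 proto=tcp
2024-01-10T09:05:00 sw1 LOGIN_FAILED user=netops src=192.0.2.10 proto=ssh
this line is not in the expected format
"""

# "<iso timestamp> <host> <EVENT_NAME> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse_line(line):
    """Return (timestamp, host, event, fields) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return ts, m.group("host"), m.group("event"), fields


def _prune(history, now, window):
    """Drop entries older than the sliding window (history is ordered by time)."""
    while history and now - history[0][0] > window:
        history.pop(0)


def detect_brute_force(lines, max_attempts=3, window=timedelta(seconds=60)):
    """Map of source address -> failed-login count for sources that exceeded
    max_attempts failures inside the window."""
    attempts = defaultdict(list)          # src -> [(timestamp, user), ...]
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "LOGIN_FAILED":
            continue
        ts, _, _, f = parsed
        hist = attempts[f["src"]]
        hist.append((ts, f.get("user")))
        _prune(hist, ts, window)
        if len(hist) > max_attempts:
            flagged[f["src"]] = len(hist)
    return flagged


def detect_port_scan(lines, min_ports=5, window=timedelta(seconds=60)):
    """Map of source address -> number of distinct (dst, port) targets for sources
    that were denied on at least min_ports distinct targets inside the window."""
    touches = defaultdict(list)           # src -> [(timestamp, (dst, dport)), ...]
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "ACL_DENY":
            continue
        ts, _, _, f = parsed
        hist = touches[f["src"]]
        hist.append((ts, (f.get("dst"), f.get("dport"))))
        _prune(hist, ts, window)
        distinct = {target for _, target in hist}
        if len(distinct) >= min_ports:
            flagged[f["src"]] = len(distinct)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("password guessing:", detect_brute_force(lines))
    print("port scanning:", detect_port_scan(lines))
```

The single failed login from 192.0.2.10 is not reported, which is the point of a window-based threshold: the logs stay detailed, but only the pattern that looks like cracking or scanning raises an alert. Feeding the device's logs to a central collector and running checks like these there keeps the switch itself from having to carry the analysis.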
The role of virtual networks
A virtual LAN (VLAN) is a limited broadcast domain at layer two, consisting of a set of computing devices that are usually on several LANs and may span one or more Ethernet switches, regardless of their physical location; the devices communicate as if they were on the same network. VLANs allow administrators to divide the network into smaller, well-behaved blocks that are easier to manage, and to move and change devices, users and permissions.
VLANs can be formed in various ways: by switch port, MAC address, IP address, protocol type, DHCP, 802.1Q tag, or user-defined criteria. These can be deployed individually or in combination.
VLAN authentication authorizes a user to enter one or more VLANs after the user passes the authentication process; the authorization is granted to the user, not to the device.
Firewalls control access between networks. The most widely used form is embedded in traditional routers and multi-layer Ethernet switches, also known as ACLs. Firewalls differ mainly in how deeply they inspect packets, whether the endpoints communicate directly or through a proxy, and whether session state is tracked.
For access control between networks, filtering can be based on the source/destination switch slot or port, source/destination VLAN, source/destination IP address, TCP/UDP port, ICMP type or MAC address. On some Ethernet switches and routers, dynamic ACL entries can be created for a user after the authentication process, like an authenticated VLAN but at layer three. This is useful when an unknown source address needs to connect to a known internal target.
Networks are now expected to be designed secure at every level. By deploying the security settings of Ethernet switches and routers, organizations can build on traditional security technologies to create a network that is robust and secure at all levels.
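The port-, MAC- and 802.1Q-based membership just listed, as an added example that is not from the article or any switch vendor: it parses the 802.1Q tag out of a raw Ethernet frame and then decides which VLAN the frame belongs to given the port it arrived on. The port names, MAC addresses, VLAN numbers and the policy choices (access ports drop tagged frames, trunks carry only an explicit VLAN list, a MAC-based entry overrides the port's VLAN) are assumptions made for this illustration.

```python
"""Added example (not from the article): classifying a frame into a VLAN by
802.1Q tag, ingress port or source MAC. Port names, MAC addresses and VLAN
numbers are constructed for this illustration."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, ethertype, payload=b"", vlan=None, pcp=0):
    """Build a raw Ethernet frame, with an 802.1Q tag if vlan is given (test data only)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)          # 3-bit PCP, 1-bit DEI (0), 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), pcp, ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


class VlanClassifier:
    def __init__(self, access_ports, trunk_ports, mac_vlans=None):
        self.access_ports = access_ports      # port -> VLAN for untagged frames
        self.trunk_ports = trunk_ports        # port -> set of permitted VLAN IDs
        self.mac_vlans = mac_vlans or {}      # source MAC -> VLAN (MAC-based membership)

    def classify(self, port, frame):
        """VLAN the frame belongs to, or None if the frame should be dropped."""
        info = parse_frame(frame)
        vid = info["vlan"]
        if vid == 4095:
            return None                       # reserved VID, never valid
        if vid == 0:
            vid = None                        # priority-tagged only: treat as untagged
        if port in self.trunk_ports:
            if vid is None:
                return None                   # this policy has no native VLAN on trunks
            return vid if vid in self.trunk_ports[port] else None
        if port in self.access_ports:
            if vid is not None:
                return None                   # tags from hosts on access ports are ignored
            return self.mac_vlans.get(info["src"], self.access_ports[port])
        return None                           # unconfigured port: drop everything


if __name__ == "__main__":
    clf = VlanClassifier({"Gi1/0/1": 10}, {"Gi1/0/24": {10, 20}}, {"00:11:22:33:44:55": 30})
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee", 0x0800, b"x", vlan=20)
    print(parse_frame(f))
    print("access port, tagged:", clf.classify("Gi1/0/1", f))
    print("trunk port, tagged:", clf.classify("Gi1/0/24", f))
```

The two drop rules are the ones that matter for security: an access port never trusts a tag supplied by the attached host, and a trunk forwards only the VLANs it has been explicitly configured to carry. The MAC-based lookup shows how the listed forms can be combined, with the port VLAN as the fallback.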
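The filtering described here and the per-IP, per-port management access from the role-based administration paragraph above, as one added example that is not from the article or any vendor: a first-match access list with an implicit deny at the end, matching on source/destination network, protocol, TCP/UDP port, VLAN and ICMP type, plus a dynamic entry that permits a single previously unknown host to one known internal target once that host has authenticated. All addresses, VLAN numbers and ports are constructed for this illustration, and the rule set is an assumed policy, not a recommendation for any particular device.

```python
"""Added example (not from the article): a first-match access list with an
implicit deny, used both to restrict management access to a device and to
filter traffic between networks. Addresses, VLANs and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    vlan: Optional[int] = None          # source VLAN the packet arrived on
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"              # CIDR; a host is written as /32
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None         # None means "any port"
    vlan: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        for mine, theirs in ((self.dport, pkt.dport), (self.vlan, pkt.vlan),
                             (self.icmp_type, pkt.icmp_type)):
            if mine is not None and mine != theirs:
                return False
        return True


class AccessList:
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt):
        """First matching rule wins; anything unmatched is denied (implicit deny)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx
        return "deny", None

    def add_authenticated_host(self, host, dst, proto, dport):
        """Dynamic entry created after a user authenticates from an unknown address:
        permit only that host, to only the target it was authorized for. It goes at
        the top so it is evaluated before the broader deny that would otherwise win."""
        rule = Rule("permit", src=f"{host}/32", dst=dst, proto=proto, dport=dport)
        self.rules.insert(0, rule)
        return rule


MGMT = "192.0.2.1/32"                   # the device's own management address (constructed)


def management_acl():
    """Assumed policy: SSH from the admin LAN, SNMP from one NMS, nothing else to the
    management address; between VLAN 10 and the 10.0.20.0/24 network only echo requests."""
    return AccessList([
        Rule("permit", src="192.0.2.0/24", dst=MGMT, proto="tcp", dport=22),
        Rule("permit", src="192.0.2.50/32", dst=MGMT, proto="udp", dport=161),
        Rule("deny", dst=MGMT),
        Rule("permit", src="10.0.10.0/24", dst="10.0.20.0/24", proto="icmp", icmp_type=8, vlan=10),
        Rule("deny", src="10.0.10.0/24", dst="10.0.20.0/24", vlan=10),
        Rule("permit", src="10.0.10.0/24"),
    ])


if __name__ == "__main__":
    acl = management_acl()
    unknown = Packet("203.0.113.5", "192.0.2.1", "tcp", dport=22)
    print("before authentication:", acl.evaluate(unknown))
    acl.add_authenticated_host("203.0.113.5", MGMT, "tcp", 22)
    print("after authentication: ", acl.evaluate(unknown))
```

Rule order carries the policy: the Telnet attempt from the admin LAN falls through the SSH permit and hits the deny for the management address, and the final permit for the 10.0.10.0/24 network applies only to destinations the earlier VLAN rules did not already decide. The dynamic entry is deliberately a single /32 to a single port, so authenticating from an unknown address opens exactly one path rather than the whole management plane.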