At present, most LANs are built on Ethernet, which is a broadcast technology. A data packet exchanged between any two nodes is received not only by the NICs of those two nodes but also by the NIC of every other node on the same Ethernet segment. Therefore, as long as an attacker gains access to any node on the Ethernet and listens, they can capture every packet that crosses the segment and analyze it to steal sensitive information. This is the inherent security risk of Ethernet.
In fact, many free hacking tools on the Internet, such as SATAN, ISS, and NETCAT, use Ethernet sniffing as their most basic means.
Currently, there are several solutions to LAN security:
1. Network segmentation
Network segmentation is generally regarded as a basic means of controlling network broadcast storms, but it is also an important measure for ensuring network security. Its purpose is to isolate illegal users from sensitive network resources and so prevent possible illegal sniffing. Network segmentation can be divided into physical segmentation and logical segmentation.
At present, most of the local area networks of the Customs are switch-centered and router-bounded. We should make full use of the access control and layer-3 switching functions of the central switch, implementing security control over the LAN by combining two methods: physical segmentation and logical segmentation. For example, in the customs system, the intrusion detection function of the DEC MultiSwitch 900 is in fact MAC address-based access control, that is, the physical segmentation at the data link layer described above.
2. Replace the shared hub with a switched hub
Even after the central switch of the LAN has been segmented, the danger of sniffing over Ethernet still exists. This is because end users usually reach the network through a branch hub rather than the central switch, and the most widely used branch hub is a shared hub. As a result, when a user communicates with a host, the data packets between the two machines (unicast packets) can still be heard by every other user on the same hub. A particularly dangerous case is a user who uses TELNET to reach a host: because the TELNET protocol has no encryption, every character the user types, including the user name and password, is sent in plaintext, which gives an attacker an easy opportunity.
Therefore, the shared hub should be replaced with a switched hub, so that unicast packets travel only between the two nodes concerned and illegal sniffing is prevented. Of course, a switched hub only controls unicast packets; it cannot control broadcast packets or multicast packets. Fortunately, broadcast and multicast packets carry far less sensitive information than unicast packets.
3. VLAN division
To overcome the Ethernet broadcast problem, in addition to the methods above, VLAN (Virtual LAN) technology can be used to turn Ethernet communication into point-to-point communication and so prevent most network sniffing intrusions.
Currently, there are three main VLAN technologies: VLANs based on switch ports, VLANs based on node MAC addresses, and VLANs based on application protocols. Port-based VLANs are not very flexible, but the technology is relatively mature, works well in practice and is widely used. MAC address-based VLANs make mobile computing possible, but they also carry the risk of MAC address spoofing attacks. Protocol-based VLANs are theoretically ideal, but their practical application is not yet mature.
In a centralized network environment, all host systems at the center are usually placed in a single VLAN, and no user nodes are allowed in it, so that sensitive host resources are better protected. In a distributed network environment, VLANs can be divided according to the organizational or departmental structure, with all servers and user nodes of each department in that department's own VLAN.
Connections within a VLAN are switched, while connections between VLANs are routed. Currently, most switches, including the DEC MultiSwitch 900 widely used in the customs, support the international standard routing protocols RIP and OSPF. If there are special requirements, other routing protocols must be used, such as Cisco's VPN or IS-IS, which supports DECnet. An external router with multiple Ethernet ports can also be used instead of the switch to implement routing between VLANs; of course, in that case the routing forwarding efficiency decreases.
Both switched hubs and VLAN switches are built around switching technology. They are effective at controlling broadcasts and preventing sniffing, but they also cause trouble for intrusion monitoring and protocol analysis technologies that rely on the broadcast principle. Therefore, if such an intrusion monitoring device or protocol analyzer exists in the LAN, a switch with the SPAN (Switch Port Analyzer) function must be selected. This type of switch allows the system administrator to mirror the traffic of all or some switch ports to a designated port, to which the intrusion monitoring device or protocol analyzer is connected. In the external network design of Xiamen customs, the author selected Cisco Catalyst series switches with the SPAN function, which not only gains the benefits of switching technology but also gives the existing Sniffer protocol analyzer a place where it can still be put to use.
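To make the difference between a shared hub, a switched hub and port-based VLANs concrete, here is an added example (not code from the original article) that models which other NICs receive a frame in each case. It also shows one case the text does not mention: a switch floods a unicast frame whose destination MAC it has not yet learned, so sniffing protection only applies once the address table is populated. Port names, VLAN ids and MAC addresses are constructed for the illustration.

```python
# Added example, not code from the original article: a toy model of a shared
# hub, a learning switch and port-based VLANs, showing which other stations'
# NICs receive a frame. MAC addresses, port names and VLAN ids are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac: str) -> bool:
    """Broadcast and multicast MACs have the group bit (LSB of octet 0) set."""
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str

class Hub:
    """Shared hub: every frame is repeated out of every other port."""
    def __init__(self, ports):
        self.ports = list(ports)
    def deliver(self, in_port, frame):
        return {p for p in self.ports if p != in_port}

class Switch:
    """Learning switch with port-based VLANs: a frame never leaves its VLAN."""
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port -> VLAN id
        self.mac_table = {}                # (vlan, mac) -> port
    def deliver(self, in_port, frame):
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port      # learn the sender's port
        flood = {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        if is_group(frame.dst):
            return flood                 # broadcast/multicast: flooded within the VLAN
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            return flood                 # unknown unicast is flooded as well
        return {out} - {in_port}         # known unicast: only the destination port

def observers(device, in_port, frame):
    """Sorted list of ports (other than the sender's) that receive the frame."""
    return sorted(device.deliver(in_port, frame))

def demo():
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # IANA documentation-range MACs
    hub = Hub(["p1", "p2", "p3", "p4"])
    sw = Switch({"p1": 10, "p2": 10, "p3": 10, "p4": 20})
    hub_seen = observers(hub, "p1", Frame(a, b))      # every other NIC can sniff it
    unknown = observers(sw, "p1", Frame(a, b))        # b not yet learned: flooded in VLAN 10
    sw.deliver("p2", Frame(b, a))                     # b replies, so b is learned on p2
    known = observers(sw, "p1", Frame(a, b))          # now only p2 receives the frame
    bcast = observers(sw, "p1", Frame(a, BROADCAST))  # floods VLAN 10 but never reaches p4
    return hub_seen, unknown, known, bcast
```

Port p4, in VLAN 20, never receives any of the frames, which is the point-to-point isolation the VLAN section describes; traffic to it would have to be routed.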