Details about layer-3 Switch physical security policies

Source: Internet
Author: User

There is a great deal worth learning about layer-3 switches. Here we focus on their anti-virus capabilities, which are considerable: when network attacks are rampant, security is the most important property of a network device. Computer networks currently face two kinds of threat: threats to the information carried on the network, and threats to the devices on the network. Many factors affect a computer network, chiefly vulnerabilities and "backdoors" in network software. These vulnerabilities and defects are exactly what attackers target first.

Most such attacks succeed because security measures are incomplete. Software "backdoors" are left in by the vendor's own programmers for their convenience; once a backdoor is opened, the consequences can be severe. The security policy of a layer-3 switch can also help prevent viruses, and below we describe in detail how to use it for that purpose. Computer network security policies fall into two categories: physical security policies and access control policies.

1. Physical Security Policy

A physical security policy protects hardware entities and communication links, such as computer systems, network servers and printers, from natural disasters, human damage and attacks on the communication lines themselves; it verifies the identity and permissions of users to prevent unauthorized operation; and it ensures that the computer system operates in a sound electromagnetic environment.

2. Access Control Policy

Access control is the main policy for network security prevention and protection. Its task is to ensure that network resources are not used or accessed illegally, and it is an important means of maintaining system security and protecting network resources. Access control policies include inbound access control, network permission control, directory-level security control, attribute security control, network server security control, network monitoring and lockout control, and network port and node security control. All of these policies must work together to protect the network, but access control is among the most important core policies for ensuring network security.

The main path of virus intrusion is the software "backdoor". When packet filtering is configured at the network layer, a set of information filtering tables is created first. These tables are built from the information in the headers of received packets: the source IP address, destination IP address, transport protocol type (TCP, UDP, ICMP and so on), source port number, destination port number, direction of the connection request, and ICMP packet type. A packet that matches a rule in the filter table is allowed to pass; otherwise it is dropped. A firewall of this type can be used to prevent external and illegal users from reaching internal services. However, packet filtering cannot recognize a dangerous packet by its content: it does not understand application-level protocols, nor UDP, RPC or dynamically negotiated protocols. Based on the anti-virus requirements of each LAN, establish a LAN anti-virus control system and set targeted anti-virus policies.

VLAN Division

1. A VLAN based on a layer-3 switch can resolve the collision domain, broadcast domain and bandwidth problems of a LAN. VLANs can be divided at the network layer in two ways: by protocol (when several protocols run on the network), or by network-layer address (most commonly the subnet address in TCP/IP).

A VLAN can also be created with the same kind of policy used to manage routes: VLANs are divided by IP subnet, IPX network number or other protocol, and workstations running the same protocol are placed in one VLAN. The layer-3 switch examines the header field of each broadcast frame to determine its protocol type. If a VLAN for that protocol already exists, the source port is added to it; otherwise a new VLAN is created. This method greatly reduces the work of configuring VLANs by hand and lets users add, move and modify VLAN membership freely. Stations on different physical network segments can belong to the same VLAN, and stations in different VLANs can share the same physical segment.

Defining VLANs at the network layer also has disadvantages. Compared with MAC-address-based VLANs, a network-layer VLAN requires the switch to parse the address formats of each protocol and convert them accordingly, so a layer-3 switch that defines VLANs from network-layer information is slower than one that uses data-link-layer information.
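To make the network-layer VLAN assignment concrete, here is an added Python sketch (not code from the original article) of the learning step described above: the switch reads the protocol type and, for IP, the source subnet of each frame, adds the source port to a matching VLAN if one exists, and creates a new VLAN otherwise. The frames, port numbers, VLAN IDs and the /24 subnet assumption are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed frames: EtherType plus (for IP) the source address, standing in for
# what the switch reads from the frame header and the network-layer header.
FRAMES = [
    {"src_port": 1, "ethertype": 0x0800, "src_ip": "10.1.1.5"},
    {"src_port": 2, "ethertype": 0x0800, "src_ip": "10.1.1.9"},
    {"src_port": 3, "ethertype": 0x0800, "src_ip": "10.2.0.7"},
    {"src_port": 4, "ethertype": 0x8137, "src_ip": None},   # IPX frame, no IP subnet
    {"src_port": 5, "ethertype": 0x0800, "src_ip": "10.1.1.20"},
]

@dataclass
class Vlan:
    vid: int
    key: str                 # "ip:<subnet>" or "proto:<ethertype>"
    ports: set = field(default_factory=set)

class ProtocolVlanSwitch:
    """Assigns ports to VLANs by protocol type and IP subnet, creating VLANs on demand."""

    def __init__(self, subnet_prefix=24):
        self.prefix = subnet_prefix    # assumed subnet size for IP classification
        self.vlans = {}                # classification key -> Vlan
        self.next_vid = 100            # constructed starting VLAN ID

    def classify(self, frame):
        # IP frames are grouped by source subnet; other protocols by EtherType alone.
        if frame["ethertype"] == 0x0800 and frame["src_ip"]:
            net = ip_network(f'{frame["src_ip"]}/{self.prefix}', strict=False)
            return f"ip:{net}"
        return f"proto:0x{frame['ethertype']:04x}"

    def learn(self, frame):
        key = self.classify(frame)
        vlan = self.vlans.get(key)
        if vlan is None:                       # no VLAN for this protocol/subnet yet
            vlan = Vlan(self.next_vid, key)
            self.vlans[key] = vlan
            self.next_vid += 1
        vlan.ports.add(frame["src_port"])      # add the source port to the VLAN
        return vlan.vid

def build_vlans(frames):
    """Returns (port -> VLAN ID, VLAN ID -> sorted member ports)."""
    sw = ProtocolVlanSwitch()
    assignments = {f["src_port"]: sw.learn(f) for f in frames}
    return assignments, {v.vid: sorted(v.ports) for v in sw.vlans.values()}
```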

2. Enhanced Network Security

Broadcasts on a shared-bandwidth LAN inevitably create security problems, because every user on the network can monitor the traffic flowing through it: anyone who plugs into an active port can read the broadcast packets on that segment. The security mechanism provided by VLANs can restrict access by specific users, control the size and location of broadcast groups, and even lock the MAC addresses of network members, which limits use of the network by users and members without security permission.

Setting the Access Control List

First, develop different policies according to the needs of each organization, for example for file transfer or gaming. Before writing a policy, understand which port on a computer carries which kind of traffic. Ports fall into roughly three classes:

Well-known ports (0-1023): these are tightly bound to particular services, so communication on one of them usually identifies the service protocol unambiguously. For example, port 80 is always HTTP, and port 110 is POP3.

Registered ports (1024-49151): these are loosely bound to services. Many services are registered on these ports, but they are also used for many other purposes; for example, many systems allocate dynamic ports starting from around 1024.

Dynamic and/or private ports (49152-65535): in theory these ports should not be allocated to any service. In practice, machines usually allocate dynamic ports from 1024 upward, with exceptions: Sun's RPC ports start from 32768.
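As an added example (not code from the original article), the following Python models the information filtering table described in the packet-filtering section together with the port classes just listed: each rule matches on the header fields the text names, the first matching rule decides, and anything unmatched is dropped. The internal address range 192.0.2.0/24, the server address and the rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def port_class(port):
    """The three port ranges named in the text."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

@dataclass(frozen=True)
class Rule:
    """One entry of the information filtering table; None means 'any'."""
    action: str                  # "permit" or "deny"
    direction: str               # "in" (from outside) or "out"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # source network
    dst: str = "0.0.0.0/0"       # destination network
    dst_ports: tuple = None      # (low, high) destination port range
    icmp_type: int = None

    def matches(self, pkt):
        dport = pkt.get("dport", -1)     # ICMP packets carry no port
        return (self.direction == pkt["dir"]
                and self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dst_ports is None or self.dst_ports[0] <= dport <= self.dst_ports[1])
                and (self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type))

# Constructed table for an internal network 192.0.2.0/24 with one server 192.0.2.10:
# outside users may reach HTTP and POP3 on the server, replies may come back to
# dynamic client ports, echo replies are allowed in, and everything else from
# outside is refused. A stateless filter cannot tell a reply from a fresh
# connection, so the dynamic-port rule admits any TCP packet to those ports.
FILTER_TABLE = [
    Rule("permit", "in", "tcp", dst="192.0.2.10/32", dst_ports=(80, 80)),
    Rule("permit", "in", "tcp", dst="192.0.2.10/32", dst_ports=(110, 110)),
    Rule("permit", "in", "tcp", dst="192.0.2.0/24", dst_ports=(49152, 65535)),
    Rule("permit", "in", "icmp", icmp_type=0),
    Rule("permit", "out", "any", src="192.0.2.0/24"),
]

def filter_packet(pkt, table=FILTER_TABLE):
    """First matching rule decides; a packet matching no rule is dropped."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

Note that the filter only ever sees the header fields above; a packet to port 80 is admitted whatever its payload contains, which is the limitation the text describes.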
