Resolving security risks by configuring the switch

Source: Internet
Author: User
Tags: cisco switch

Access-layer switches in broadband networks are generally connected directly to user terminals. Once a user terminal is infected with a worm, the worm seriously consumes bandwidth and the resources of the access switch, and can even paralyse the network; this scenario was already played out in the Slammer and Blaster ("shock wave") incidents.

What security risks does a broadband access switch actually face, and how can they be resolved? We go through them one by one below.

Risks faced by the switch

Using packet-capture tools, one often captures large volumes of abnormal packets on the network. On the one hand they consume network bandwidth, and on the other they consume the resources of network devices, affecting the normal operation of the network.

Abnormal unicast packets: most unicast traffic is sent to the gateway, and the gateway device forwards or discards these packets according to its routing table.

If the address is a private IP address, the layer-3 switch or router on the public network simply drops the unicast traffic. If the user has obtained a public IP address, the unicast traffic is forwarded and spreads, so the network is affected over a much wider scope.

Take the Blaster worm as an example: as soon as the infected host detects that the network is available, it starts an attack-propagation thread that keeps generating random target addresses and attacking them.

At the height of the Blaster outbreak the network slowed down noticeably, some access-layer switches and small routers even collapsed, and CPU utilization on the core layer-3 switches reached 100%; operators had to restrict ICMP packets to cope with the problem.

Abnormal broadcast packets: broadcast is a necessary mechanism for some protocols. A broadcast packet is delivered to every host in a given network segment, and each host must process the packet it receives and decide whether to respond or discard it; the result is that both network bandwidth and host performance are affected.

Using port-isolation technology, broadcast packets can be restricted to the uplink port only. This reduces the impact on the links and hosts of the segment, but does nothing about the impact on the aggregation-layer and core-layer devices.

If several sub-networks (cells) share one VLAN at the aggregation or core device, broadcast traffic is sent back to the other cells through the upper-layer device; the link bandwidth of those cells is then continuously occupied and their hosts' performance suffers. This deployment approach was widely used in broadband networks at the time.

Abnormal multicast packets: multicast traffic is meant to serve only the local users on the network, and its destination is the set of hosts that have asked to join the multicast group. Hosts that have not requested membership should not be sent these multicast packets, yet in practice they still receive multicast traffic. Why are multicast packets forwarded to hosts that never asked to join?

To implement multicast, a layer-2 switch uses GMRP multicast registration or IGMP snooping to maintain a dynamic multicast table, and then forwards multicast packets only to the ports associated with the group's members, completing layer-2 multicast within the VLAN. If IGMP snooping is not running, multicast packets are simply flooded at layer 2 like broadcasts, and this is where the large volume of multicast traffic comes from.

As broadband networks spread further and video applications are gradually added, multicast technology will be used more widely. Abnormal multicast traffic will then appear not only at layer 2 of the network but will also be routed along the whole multicast tree. With heavy video traffic it is hard to tell normal traffic from abnormal traffic, so multicast becomes ever harder to control.

In short, the LAN is very likely to be exploited by viruses. If abnormal traffic is not limited, network bandwidth and device resources will be consumed. It is therefore particularly important to add intelligence to the user-facing layer-2 switches and to contain problems within the smallest possible scope.

Countermeasures for resolving the risks

With the traffic-control functions of a switch we can limit the abnormal traffic passing through a port to a certain extent. For example, Cisco switches offer port-based traffic-control functions: storm control, protected ports and port security.

Storm control reduces the network slowdown caused by unicast, broadcast or multicast packets. A threshold is set for each traffic type, and when the traffic on a port reaches the set value, the switch activates traffic control or even disables the port. Port protection is similar to port isolation: ports configured as protected do not exchange any traffic with each other.

Port security is a port-level access restriction against unauthorized addresses. Similarly, Huawei switches provide flow control, broadcast-storm suppression as a ratio of port bandwidth, and other port-control functions. The flow-control function temporarily stops packets being sent between switches when congestion occurs, to prevent packet loss.
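The following toy layer-2 switch model is an added illustration (not Cisco or Huawei code) of three of the mechanisms discussed above: multicast forwarding with and without IGMP snooping, per-port storm control with a drop or shutdown action, protected ports, and a MAC-count limit in the style of port security. The port numbers, MAC addresses and thresholds are constructed for the example.

```python
"""Toy layer-2 switch: IGMP snooping, storm control, protected ports and a
port-security MAC limit. Added illustration, not vendor code; ports, MACs
and thresholds are constructed samples."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame_class(dst_mac: str) -> str:
    """Classify a frame by destination MAC. The I/G bit (lowest bit of the
    first octet) marks a group address; all-ones is broadcast."""
    if dst_mac.lower() == BROADCAST:
        return "broadcast"
    first_octet = int(dst_mac.split(":")[0], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


class Switch:
    def __init__(self, ports, igmp_snooping=True, thresholds=None,
                 action="drop", protected=(), max_macs=None):
        self.ports = set(ports)
        self.igmp_snooping = igmp_snooping
        self.thresholds = thresholds or {}      # class -> max frames per window
        self.action = action                    # storm-control action: drop|shutdown
        self.protected = set(protected)         # protected ports never talk to each other
        self.max_macs = max_macs or {}          # port -> allowed source MACs
        self.mac_table = {}                     # learned unicast MAC -> port
        self.mcast_groups = defaultdict(set)    # group MAC -> member ports
        self.counters = defaultdict(lambda: defaultdict(int))  # port -> class -> n
        self.disabled = set()                   # ports shut down by storm control
        self.violations = defaultdict(int)      # port -> port-security violations

    def igmp_join(self, port, group_mac):
        """Record an IGMP membership report heard on a port (snooping)."""
        self.mcast_groups[group_mac].add(port)

    def new_window(self):
        """Storm control counts frames per measurement window."""
        self.counters.clear()

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports for one frame (empty set when dropped)."""
        if in_port in self.disabled:
            return set()
        cls = frame_class(dst_mac)
        # Storm control: count frames of this class on the ingress port.
        self.counters[in_port][cls] += 1
        limit = self.thresholds.get(cls)
        if limit is not None and self.counters[in_port][cls] > limit:
            if self.action == "shutdown":
                self.disabled.add(in_port)
            return set()
        # Port security: refuse to learn more source MACs than allowed.
        mac_limit = self.max_macs.get(in_port)
        if mac_limit is not None and self.mac_table.get(src_mac) != in_port:
            learned = sum(1 for p in self.mac_table.values() if p == in_port)
            if learned >= mac_limit:
                self.violations[in_port] += 1
                return set()
        self.mac_table[src_mac] = in_port
        flood = self.ports - {in_port}
        if cls == "unicast":
            out = self.mac_table.get(dst_mac)
            egress = flood if out is None else {out} - {in_port}
        elif cls == "multicast" and self.igmp_snooping:
            egress = self.mcast_groups.get(dst_mac, set()) - {in_port}
        else:
            egress = flood   # broadcast, or multicast with snooping disabled
        if in_port in self.protected:
            egress -= self.protected
        return egress


if __name__ == "__main__":
    group = "01:00:5e:01:01:01"
    sw = Switch(ports=[1, 2, 3, 4], igmp_snooping=False)
    print("no snooping, multicast floods to:", sw.forward(1, "00:aa:00:00:00:01", group))
    sw = Switch(ports=[1, 2, 3, 4], igmp_snooping=True)
    sw.igmp_join(3, group)
    print("snooping, multicast goes to members:", sw.forward(1, "00:aa:00:00:00:01", group))
    sw = Switch(ports=[1, 2, 3], thresholds={"broadcast": 2}, action="shutdown")
    for _ in range(3):
        print("broadcast egress:", sw.forward(1, "00:aa:00:00:00:01", BROADCAST))
    print("ports shut down by storm control:", sw.disabled)
```

Running the script shows the multicast frame reaching every other port without snooping and only the joined port with it, and the third broadcast in a window tripping the shutdown action on port 1. The model deliberately counts frames rather than bits per second; the point is where each check sits in the forwarding path, not the exact rate arithmetic.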

Broadcast-storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the set value.

However, a switch's traffic-control function can only rate-limit all traffic of a given type through a port, which restricts abnormal broadcast and multicast traffic to a certain degree; it cannot distinguish normal traffic from abnormal traffic. Moreover, it is hard to choose a suitable threshold.

To restrict packets further, you can use ACLs (access control lists). An ACL uses IP addresses, TCP/UDP ports and so on to filter the packets entering and leaving the switch; based on the preset conditions, packets are either forwarded or blocked.

Both Cisco and Huawei switches support IP ACLs and MAC ACLs, and each type comes in a standard and an extended form. A standard ACL filters on the source address and the upper-layer protocol type; an extended ACL filters on the source address, destination address and upper-layer protocol type.

Once the different kinds of network traffic have been separated in this way, abnormal traffic can be identified and controlled: abnormal unicast traffic is controlled by the fields of the IP packet, abnormal broadcast packets by the Ethernet frame, and multicast packets by the destination IP address range.

Beyond these restrictive measures, network administrators must also keep watching for abnormal network traffic, locate the source host of the abnormal traffic in real time, and eliminate the problem.
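As an added example for the ACL discussion and for the task of locating the source host of abnormal traffic, the following script (not the switch vendors' ACL syntax, and not part of the original article) models a standard ACL that matches on source address and protocol, an extended ACL that also matches destination address and port, and a tally of denied packets per source. The user segment 10.1.0.0/16, the packet sample and the addresses are constructed; the worm ports in the extended ACL (UDP 1434 for Slammer, TCP 135 for Blaster) are well-known facts rather than values from the article.

```python
"""Standard and extended ACL matching over a constructed packet sample, plus
a per-source tally of denied packets to locate the noisy host. Added
illustration, not Cisco or Huawei syntax; all addresses and rules are
constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source prefix (standard and extended ACLs)
    proto: Optional[str] = None  # upper-layer protocol (standard and extended)
    dst: Optional[str] = None   # destination prefix (extended ACLs only)
    dport: Optional[int] = None  # destination port (extended ACLs only)

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Standard ACL on a user-facing port: permit the assigned user segment and let
# the implicit deny drop anything else, such as spoofed source addresses.
STANDARD_ACL = [Rule("permit", src="10.1.0.0/16")]

# Extended ACL: additionally drop multicast leaving a user port (the whole
# 224.0.0.0/4 destination range) and the known worm ports, then permit the rest.
EXTENDED_ACL = [
    Rule("deny", src="10.1.0.0/16", dst="224.0.0.0/4"),
    Rule("deny", src="10.1.0.0/16", proto="udp", dport=1434),   # Slammer
    Rule("deny", src="10.1.0.0/16", proto="tcp", dport=135),    # Blaster
    Rule("permit", src="10.1.0.0/16"),
]

# Constructed sample of packets seen on an access port.
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80),
    Packet("10.1.2.3", "239.255.1.1", "udp", 5004),
    Packet("10.1.9.9", "203.0.113.55", "udp", 1434),
    Packet("10.1.9.9", "203.0.113.56", "udp", 1434),
    Packet("10.1.9.9", "203.0.113.57", "tcp", 135),
    Packet("192.0.2.8", "203.0.113.10", "tcp", 80),   # spoofed source
]


def denied_by_source(acl: List[Rule], packets: List[Packet]) -> Counter:
    """Count denied packets per source address; the host at the top of the
    list is where to look first when traffic looks abnormal."""
    return Counter(p.src for p in packets if evaluate(acl, p) == "deny")


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: "
              f"standard={evaluate(STANDARD_ACL, p)} extended={evaluate(EXTENDED_ACL, p)}")
    print("denied packets per source:", denied_by_source(EXTENDED_ACL, SAMPLE).most_common())
```

In this sample the standard ACL only catches the spoofed source, while the extended ACL also stops the multicast leak and the worm-port scans, and the tally points straight at 10.1.9.9 as the host to inspect. On a real switch the same information comes from per-entry ACL hit counters or from a mirror port feeding a capture tool.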
