Security Assurance comprehensive analysis of the meaning of layer-3 Security Switch

The security switch mainly uses the access control list to implement the security function of the packet filtering firewall. It enhances the security protection capability and is the first choice for small and medium-sized enterprises. Vswitches play an important role in the enterprise network, usually the core of the entire network. In the network era where hackers are intruding into the cloud and the virus is raging, the core security switch also takes responsibility for network security.

Therefore, Security switches must have the performance of professional security products, and security has become a must for network construction. As a result, the security switch came into being. It integrates security authentication, ACL (AccessControlList, access control list), firewall, intrusion detection, and even anti-virus functions. network security really needs to "arm your teeth"

Meaning of layer-3 Security Switch

The most important role of a vswitch is to forward data. In the case of hacker attacks and virus intrusion, The vswitch must be able to maintain its efficient data forwarding rate without being disturbed by attacks, this is the most basic security function required by the vswitch. At the same time, as the core of the entire network, vswitches should be able to differentiate and control permissions for users who access and access network information. More importantly, vswitches should also work with other network security devices to monitor and block unauthorized access and network attacks.

802.1x Enhanced Security Authentication

In traditional LAN environments, as long as there are physical connection ports, unauthorized network devices can access the LAN, or unauthorized users can access the network through devices connected to the LAN. This poses potential security threats to some enterprises. In addition, in schools and smart community networks, network billing is involved, so it is also important to verify the legality of user access. IEEE802.1x is a good medicine to solve this problem. It has been integrated into a layer-2 smart switch to complete access security review for users. 802.1x is a newly standardized LAN access control protocol that complies with the IEEE802 protocol set. It is called Port-based access control protocol. Based on the advantages of IEEE802 LAN, it provides a method to authenticate and authorize users connected to the LAN, so as to accept access from legitimate users and protect network security.

802.1x protocol and LAN are seamlessly integrated. 802.1x uses the physical features of the switched LAN architecture to implement device authentication on the lanport. During the authentication process, the lanport either acts as the authenticator or the requester. When the lanport is used as the authenticator, you must first authenticate the lanport before the user needs to access the corresponding service through the port. If the authentication fails, access is not allowed. When the lanport is used as the requester, the lanport is responsible for submitting an access service application to the authentication server. Port-based MAC locking only allows trusted MAC addresses to send data to the network. Data streams from any untrusted device are automatically discarded to ensure maximum security. In 802.1x protocol, only the following three elements can be used to complete port-based access control user authentication and authorization.

1. Client. Generally, it is installed on your workstation. When you need to access the Internet, activate the client program and enter the necessary username and password. The client sends a connection request.

2. Authentication System. In the Ethernet system, the authentication switch is used to upload and release user authentication information, and to open or close the port based on the authentication result.

3. Authentication Server. Check the identity (user name and password) sent by the client to determine whether the user has the right to use the network service provided by the network system, the switch is enabled or the port is closed according to the authentication result.

Traffic Control

The traffic control technology of the Security Switch limits abnormal traffic flowing through the port to a certain range, so as to prevent the bandwidth of the switch from being abused without limit. The traffic control function of the security switch can control abnormal traffic to avoid network congestion.

Anti-DDoS

Once a company suffers a large-scale distributed denial-of-service attack, it will affect the normal network usage of a large number of users, seriously or even cause network paralysis, and become the biggest headache for service providers. A Security Switch uses special technologies to prevent DDoS attacks. It can intelligently detect and block malicious traffic without affecting normal services, so as to prevent the network from being threatened by DDoS attacks.

A virtual LAN is an essential function of a security switch. A VLAN can implement a limited broadcast domain on a layer-2 or layer-3 switch. It can divide the network into independent areas and control whether these areas can communicate. VLANs may span one or more switches and are independent of their physical locations. Devices communicate with each other as if they were in the same network. VLANs can be formed in various forms, such as ports, MAC addresses, and IP addresses. VLANs Restrict unauthorized access between different VLANs, And you can set the IP/MAC Address binding function to restrict unauthorized network access.

Firewall function based on access control list

The Security Switch uses the access control list ACL to implement the security function of the packet filtering firewall, enhancing the security defense capability. The access control list was previously used only on the core router. In a security switch, the access control filtering measures can be implemented based on the source/Target switch slot, port, source/Target VLAN, source/Target IP address, TCP/UDP port, ICMP type or MAC address. ACL not only allows network administrators to set network policies, but also allows or denies control over individual users or specific data streams. It can also be used to enhance network security shielding, hackers cannot find a specific host on the network to detect the attack.

Intrusion detection IDS

The IDS function of the security switch can detect the reported information and data stream content, and perform targeted operations when detecting network security events, these actions that respond to security events are sent to the vswitch for precise port disconnection. To achieve this linkage, the security switch must support authentication, Port Mirroring, forced stream classification, process count control, port lookup, and other functions.

Equipment redundancy is also important

Physical security, that is, redundancy, is the guarantee for safe network operation. No manufacturer can ensure that its products do not fail, but whether the product can be quickly switched to a good device in case of a fault is a matter of concern. Redundant devices, such as the backup power supply, backup management module, and redundant port, can ensure that the backup modules and network operations are immediately assigned even if the device fails.

Deployment of Security Switches

The emergence of Security switches greatly enhances the security of the network at the vswitch level. A security switch can be configured at the core of the network, just like the Cisco ipvst6500 modular core switch, which places security functions at the core. In this way, security policies can be configured on core switches to achieve centralized control and facilitate monitoring and adjustment by network administrators. In addition, the core switches have powerful capabilities, and security performance is a very expensive task. The core switch can do its best to do this.

Placing a security switch on the network access layer or aggregation layer is another option. In this way, the core of the security switch is to put power down to the edge, and then implement the performance of the security switch on each edge, blocking intrusion and attacks and suspicious traffic out of the edge, ensure the security of the entire network. In this way, security switches need to be deployed on the edge. Many manufacturers have launched security switches for edge or aggregation layers. They build a solid security line around the core just like a bastion host. Security switches sometimes cannot be alone. For example, the PPPoE authentication function requires support from the Radius server. In addition, some other switches can interact with intrusion detection devices, you need support from other network devices or servers.