Three methods to double vswitch and vro Security

Vswitches and vrouters are important devices in the network and are widely used. Here we mainly explain three methods to make our vswitches and vrouters more secure. Traditional network security technology focuses on system intrusion detection, anti-virus software or firewall. How is internal security? In the network security structure, switches and routers are very important, and each layer in the layer-7 network must be secure.

Many vswitches and vrouters have rich security functions. You need to know what to do, how to work, how to deploy them, and the entire network is not affected when a layer of problems occurs. The vswitch and vro are designed to be safe by default and are in the security setting status at the factory. The special operation settings are activated only when the user requires them. All other options are disabled, to reduce risks, the Network Administrator does not need to know which options should be disabled. During initial logon, the password is required to be changed, the password's term option and the number of logon attempts are limited, and stored in encrypted mode. Accounts (Maintenance Accounts or backdoors) within a time limit do not exist.

Switches and routers must be safe when power is down, hot start, cold start, and IOS, hardware, or a module fails to be upgraded, in addition, after these events, the security should not be compromised and the operation should be resumed. Due to logs, network devices should maintain a safe and accurate time through the Network Time Protocol. The names of connections managed through the SNMP protocol should also be changed.

Defend against DoS Attacks

Starting from availability, vswitches and vrouters must be able to withstand Denial-of-Service Dos attacks and maintain availability during the attack. Ideally, they should be able to respond to attacks and block attack IP addresses and ports. Each event is immediately reflected and recorded in the log, and they can also identify and respond to worms. The use of FTP, HTTP, TELNET, or SSH in vswitches and vrouters has code vulnerabilities. After the vulnerability is discovered, the vendor can develop, create, test, and release upgrade packages or patches.

Role-based management gives administrators the minimum program permission to complete tasks, allows assignment of tasks, and provides checks and balances. Only trusted connections can be managed. Management permissions can be granted to devices or other hosts. For example, management permissions can be granted to certain IP addresses and specific TCP/UDP ports. The best way to control management permissions is to assign sub-permissions before authorization, which can pass authentication and account servers, such as remote access services, Terminal Services, or LDAP services.

Remote Connection Encryption

In many cases, administrators need to remotely manage vswitches and routers, which can only be accessed from public networks. To ensure the security of Management transmission, encryption protocol is required. SSH is the standard protocol for all remote command line settings and file transmission. for WEB-based systems, SSL or TLS protocols are used, LDAP is usually a communication protocol, while SSL/TLS encrypts the communication. SNMP is used to discover, monitor, and configure network devices. SNMP3 is a secure version that ensures authorized communication. Setting up logon control can reduce the possibility of attacks, set the number of logon attempts, and respond to such scans. Detailed logs are very effective when detecting attempts to crack passwords and port scans.

The security of the configuration files of vswitches and vrouters cannot be ignored. Generally, the configuration files are stored in a safe location. In the case of chaos, you can take out the backup files, install and activate the system, restore to the known status. Some vswitches are integrated with the intrusion detection function. Some support port ing allows administrators to select monitoring ports.

Virtual Network role

A Virtual Local Network VLAN is a finite broadcast domain on the second layer. It is composed of a group of computer devices. Generally, it has more than one LAN and may span one or more LAN switches, it is independent of their physical locations. Devices communicate with each other as if they were in the same network. This allows administrators to divide networks into several small pieces that can be managed and run well, simplify the tasks of logging, moving, changing devices, users, and permissions. VLANs can be formed in various forms, such as the switch port, MAC address, IP address, protocol type, DHCP, 802.1Q flag, or user-defined. These can be deployed independently or in combination. After a user passes the authentication process, the VLAN authentication technology authorizes the user to enter one or more VLANs. Firewalls can control access between networks. They are most widely used in traditional routers and multi-layer switches, also known as ACLs. Firewalls differ mainly in the depth of packet scanning, is there end-to-end direct communication or proxy?

In the access control between networks, the routing filtering measures can be based on the source/Target swap slot or port, source/Target VLAN, source/Target IP address, or TCP/UDP port, ICMP type, or MAC address. For some vswitches and vrouters, the dynamic ACL standard can be created after the user passes the authentication process, just like the Authenticated VLAN, but on the third layer. It is useful when an unknown source address needs to be connected to a known internal target. The current network needs to be designed to be secure at all levels. by deploying the Security Settings of vswitches and routers, enterprises can use traditional security technologies to create strong and secure systems at all layers.