How to make the network indestructible switch security six
Source: Internet
Author: User
KeywordsSecurity
How to filter the user communication, secure and effective data forwarding? How to prevent illegal users and ensure the application of network security? How to carry out safety network management, find out the security of illegal users, illegal acts and remote management information in time? Here we summarize 6 recent switch market in some popular security features, I hope to help. L2-L4 Layer Filter Now most of the new switches can be established by the rules of the way to achieve a variety of filtering requirements. There are two modes of rule setting, one is Mac mode, according to the user needs based on the source Mac or the purpose of the MAC effective data isolation, the other is the IP mode, you can through the source IP, destination IP, protocol, source application port and destination application port filtering data packets ; The established rule must be attached to the appropriate receive or transfer port, then when the switch receives or forwards data, the packet is filtered according to the filtering rules, and the decision is forwarded or discarded. In addition, the switch makes logical operation of the filtering rules through hardware "logic and non-gate", realizes the filtering rules, and does not affect the data forwarding rate at all. 802.1X Port based access control in order to prevent illegal users from accessing the LAN and ensuring the security of the network, the port-based access Control protocol 802.1X is widely used in both wired LAN and WLAN. For example, the new generation of switches, such as ASUS ' newest gigax2024/2048, supports not only 802.1X local, RADIUS authentication, but also 802.1X dynamic VLAN access, which is based on VLANs and 802.1X, Users who hold a user account, regardless of where they are connected to the network, will exceed the original 802.1Q based on the Port VLAN restrictions, always connected with this account designated VLAN group, this function not only for the network of mobile users of the application of resources to provide a flexible and convenient, but also to ensure the security of network resources application In addition, the gigax2024/2048 switch also supports the 802.1X guest VLAN function, in the 802.1X application, if the port specifies the Guest VLAN entry, the access user under this port if authentication fails or no user account, will become guest The members of the VLAN group can enjoy the corresponding network resources in this group, which can also open a minimum of resources for some groups of network applications and provide a maximum peripheral access security for the entire network. The flow control of the flow control (traffic) switch can prevent the abnormal load of switch bandwidth caused by broadcast packets, multicast packets and unicast packets with incorrect destination address, and can improve the overall efficiency of the system and keep the network safe and stable operation. SNMP v3 and SSH Security Network management SNMP V3 presents a new architecture that centralizes the various versions of SNMP standardsTogether, and then strengthen the network management security. The security model recommended by SNMP V3 is a user-based security model, the USM. USM for network management message encryption and authentication is based on the user, specifically what protocol and key encryption and authentication by the user name (Usernmae) authoritative engine identifier (Engineid) to determine (recommended encryption protocol Cbcdes, authentication protocol hmac-md5-96 and hmac-sha-96), providing data integrity, data source authentication, data confidentiality, and message time limits through authentication, encryption and time limits, effectively preventing unauthorized users from modifying, disguising, and eavesdropping on management information. As for remote network management via Telnet, the Telnet service has a fatal weakness-it transmits usernames and passwords in clear text, so it is easy for someone with ulterior motives to steal passwords and be attacked, but when communicating with SSH, the username and password are encrypted. It effectively prevents the eavesdropping on the password, and facilitates the remote security Network management of the administrators. The Syslog logging function of the syslog and watchdog switches can transmit the expected information of the system error, System configuration, state change, status periodic report, System exit and so on to the log server, which is based on the information to master the operation condition of the equipment, and find the problem early. Timely configuration settings and troubleshooting, to ensure the safe and stable operation of the network. Watchdog by setting a timer, if the timer does not reboot within the interval set, an internal CPU reboot instruction is generated to enable the device to reboot, which will enable the switch to automatically reboot in case of emergency or unexpected circumstances, and ensure the operation of the network. Dual-image files Some of the latest switches, like a S U sgigax2024/2048 also have dual-image files. This feature protects the device in exceptional circumstances (firmware upgrade failure, etc.) to still start running normally. The file system is Majoy and mirror two parts to save, if a file system damage or interrupt, another file system will rewrite it, if two file systems are damaged, the device will clear two file systems and rewrite the factory defaults to ensure the system is safe to start running. In fact, the recent emergence of some of the switch products in the security design of most of the kung fu-layers of fortification, filtering, to do everything possible to the maximum extent of unsafe factors excluded. The vast number of enterprise users can take full advantage of these network security settings, a reasonable combination of matching, you can maximize the protection of the network on the increasing proliferation of various attacks and violations, I hope your corporate network from this can also be more stable security. "Related article" the core of the network is a full understanding of the Switch Vulnerabilities "editor: Zhao TEL: (010) 68476636-8001" to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) Title Party(0 Votes) passing (0 Votes) Original: How to make the network indestructible switch safety six return to network security home page
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.