From the application point of view: the basic security functions of the core routing switch

Source: Internet
Author: User

We know that the core routing switch is an important forwarding device in the network environment, and that its original security features no longer meet users' needs. In recent years China's information infrastructure has developed rapidly: bandwidth keeps growing, network speeds are several times faster than before, e-mail traffic between networks is increasing exponentially, and IP telephony, video and other technologies greatly enrich network applications.

However, while the Internet is shortening the distance between people, viruses and hackers also arrive uninvited. Increasingly intelligent viruses that mutate and spread rapidly, point-and-click hacking tools, and the sheer flood of both leave enterprise information systems vulnerable, at risk of paralysis or even permanent damage at any time. In this situation enterprises have to strengthen the security protection of their own information systems and hope for a thorough and lasting protection system. However, security is always relative and security measures are always reactive; no enterprise's security system can be guaranteed 100%.

Research into how viruses work and the development of intrusion defence technology show that a single anti-virus product often leaves network security inadequate: network security cannot be achieved by any single device or technology. Under the recently promoted security policies of "integrating software and hardware" and "coordinating internal and external defences", core routing switches, as the backbone network equipment, naturally shoulder the heavy responsibility of building the network's security defence line.

The switch itself must be more secure

A core routing switch is essentially a computer optimised for forwarding packets, and like any computer it can be attacked: an attacker may illegally gain control of the switch, paralyse the network, or mount a DoS attack, as the worms mentioned above do. In addition, switches run functions such as privilege management, routing-protocol maintenance, ARP, routing-table maintenance, ICMP packet processing and switch monitoring, and any of these may be used by hackers as a path to attack the switch.

The core routing switch is mainly used for fast packet forwarding and emphasises forwarding performance. With the wide interconnection of LANs and the openness of the TCP/IP protocol suite, network security has become a prominent problem: sensitive data and confidential information on the network are leaked and important data devices are attacked. As an important forwarding device in the network environment, the core routing switch's original security features cannot meet current security requirements, so traditional switches need added security.

In the view of network equipment manufacturers, security-enhanced switches are upgraded and improved versions of ordinary switches. In addition to the general functions, such a core routing switch provides security policy functions that ordinary switches lack. Based on network security requirements and the user's business applications, this type of switch can implement specific security policies, restrict unauthorised access and support post-event analysis, effectively ensuring the normal operation of the user's network services. One way to achieve this is to embed security modules in the existing switch; more and more users want firewall, VPN, data encryption and identity authentication functions added to the switch.

Switches make network security control easier

A security-enhanced switch is more intelligent and more secure than an ordinary switch. For system security, the core routing switch implements a security mechanism across the whole architecture from the core to the edge of the network, encrypting and controlling network management information with specific technologies; for access security, it adopts a secure access mechanism that includes 802.1X access authentication, RADIUS/TACACS+, MAC address authentication and various virtual network technologies. Many switches also add hardware-based security modules, and some with intranet security functions better curb the internal security risks that come with WLAN deployments. The security technologies commonly used in switches today are as follows.

Traffic Control Technology

Traffic control limits abnormal traffic through a port to a certain range. Many switches have port-based traffic control functions that implement storm control, port protection and port security. The flow control function notifies the peer to temporarily stop sending packets when the link between two switches is congested, avoiding packet loss. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured threshold. However, the switch's traffic control can only limit the rate of traffic of a given type through the port, keeping abnormal broadcast and multicast traffic within a certain range; it cannot distinguish normal traffic from abnormal traffic, and choosing an appropriate threshold is difficult.
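The following added example (not code from the original article or from any switch vendor) models per-port broadcast storm suppression as a sliding-window rate limit and feeds it two constructed samples: a genuine broadcast storm from one infected host and a legitimate burst of one-off broadcasts from many PCs booting at once. Both exceed the same threshold, which is the caveat the paragraph makes: the switch sees only volume, not intent. The port name, MAC addresses and threshold are assumed values.

```python
from collections import deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str

    def is_broadcast(self):
        return self.dst_mac.lower() == BROADCAST

class StormControl:
    """Per-port broadcast storm suppression: forward at most `threshold`
    broadcast frames per `window` seconds on a port and drop the excess.
    Unicast frames are never touched."""
    def __init__(self, threshold, window=1.0):
        self.threshold = threshold
        self.window = window
        self._recent = {}  # port -> timestamps of broadcasts forwarded in the window

    def process(self, port, frame, now):
        if not frame.is_broadcast():
            return "forward"
        q = self._recent.setdefault(port, deque())
        while q and now - q[0] >= self.window:
            q.popleft()            # slide the window forward
        if len(q) >= self.threshold:
            return "drop"          # over threshold: the frame is discarded
        q.append(now)
        return "forward"

def run(frames, threshold=50, window=1.0, port="gi0/1"):
    """Feed (timestamp, frame) pairs through a fresh StormControl instance
    and return (forwarded, dropped) counts for the port."""
    sc = StormControl(threshold, window)
    counts = {"forward": 0, "drop": 0}
    for t, f in frames:
        counts[sc.process(port, f, t)] += 1
    return counts["forward"], counts["drop"]

# Constructed sample 1: one infected host floods 500 broadcasts in half a second.
STORM = [(i * 0.001, Frame("00:11:22:33:44:55", BROADCAST)) for i in range(500)]
# Constructed sample 2: 80 lab PCs power on together and each sends one
# legitimate ARP/DHCP-style broadcast within the same second.
BOOT_BURST = [(i * 0.01, Frame(f"00:aa:bb:cc:dd:{i:02x}", BROADCAST))
              for i in range(80)]

if __name__ == "__main__":
    print("storm      forwarded/dropped:", run(STORM))       # (50, 450)
    print("boot burst forwarded/dropped:", run(BOOT_BURST))  # (50, 30)
```

With a 50 frames/second threshold the storm is correctly clamped, but 30 of the 80 legitimate boot-time broadcasts are also lost, which is why the threshold has to be tuned to the real baseline of each port.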

Access Control List (ACL) Technology

An ACL controls access to network resources on input and output, preventing unauthorised access to network devices or their use as an attack springboard. An ACL is a table of rules. The switch evaluates these rules in sequence against each packet that enters the port; each rule either permits or denies packets based on their attributes (such as source address, destination address and protocol). Because the rules are processed in order, the relative position of each rule is crucial in determining which packets are and are not allowed through the network.
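As an added example (not code from the original article or any particular switch's ACL syntax), the block below implements first-match ACL evaluation with an implicit final deny and shows the ordering point concretely: the same two rules either block a compromised host or let it through, depending only on which comes first. It also goes one step beyond the paragraph with a small audit that finds rules fully shadowed by an earlier one. Addresses, VLANs and the policy itself are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None = any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other):
        """True if every packet `other` could match also matches self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(acl, pkt):
    """First match decides; a packet matching no rule hits the implicit final deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]

# Constructed policy: block one compromised server, let the rest of the server
# VLAN reach the management network on SSH; everything else is implicitly denied.
BLOCK_HOST = Rule("deny", src="10.1.1.25/32")
PERMIT_SSH = Rule("permit", src="10.1.1.0/24", dst="10.9.0.0/24", proto="tcp", dport=22)
GOOD_ORDER = [BLOCK_HOST, PERMIT_SSH]   # specific deny first: the host is blocked
BAD_ORDER = [PERMIT_SSH, BLOCK_HOST]    # permit first: the blocked host gets SSH through
```

`shadowed_rules(BAD_ORDER)` returns nothing because the deny still catches the host's non-SSH traffic; partial shadowing like this is exactly why ordering must be checked against the packets you care about, not just by eyeballing the list.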

The industry now generally holds that security should be distributed throughout the entire network: security between the intranet and the Internet must be addressed by dedicated security devices such as firewalls, but switches must also play a part in protecting users. Currently the vast majority of users are actively solving security problems through switches, and nearly 75% of users intend to take security measures on switches in future, hoping to harden the switches distributed across the network to achieve their security goals.

"Security" requires an outstanding architecture

A good product must first have a good architectural design. Many current core routing switch products adopt a fully distributed architecture, using powerful ASICs for high-speed route lookup with longest-prefix matching and packet-by-packet forwarding, which greatly improves the forwarding performance and scalability of the core routing switch.

The DCRS-7600 series IPv6 10G core routing switch, in addition to its distributed architecture, also has a well-designed set of security functions that can effectively prevent attacks and viruses, making it well suited to large-scale, multi-service access networks with complex traffic and to Metro Ethernet. Its S-ARP (Security ARP) function can effectively prevent ARP DoS attacks. The Anti-Sweep (anti-scanning) function automatically monitors a variety of malicious scanning behaviours and raises an alarm or takes other security measures, such as prohibiting network access; this can contain many unknown new viruses before a large outbreak. The S-ICMP (Security ICMP) function can effectively prevent ping DoS attacks and flexibly prevent attackers from using ICMP Unreachable messages to attack third parties. The intelligent S-Buffer function and the software IP traffic shock-absorbing function can withstand distributed DoS (DDoS) attacks by intelligently monitoring and adjusting the packet data buffer and the IP packet queue directed to the CPU, so that the core routing switch remains safe and sound under DDoS attack.
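To make the anti-scanning idea concrete, here is an added example (not the DCRS-7600's own implementation, whose internals the article does not describe) of the kind of detection logic behind an anti-sweep alarm: a source that contacts more than a set number of distinct destination/port pairs within a short window is flagged, while hosts with a handful of ordinary sessions are not. The flow records, hosts and thresholds are constructed.

```python
from collections import defaultdict

def detect_sweeps(flows, max_targets=20, window=5.0):
    """Flag any source that contacts more than `max_targets` distinct
    (destination, port) pairs within any `window`-second span.
    `flows` is an iterable of (timestamp, src, dst, dport) records.
    Returns {src: peak_distinct_targets} for the offenders only."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_src[src].append((ts, (dst, dport)))
    offenders = {}
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            # distinct targets in the window that starts at this event
            targets = {tgt for ts, tgt in events[i:] if ts - t0 <= window}
            if len(targets) > max_targets:
                offenders[src] = max(offenders.get(src, 0), len(targets))
    return offenders

# Constructed flow records: one host walks a /24 on TCP 445 (a worm-style
# sweep), while another host has a few ordinary SSH and HTTPS sessions.
SAMPLE_FLOWS = [(i * 0.02, "10.1.1.25", f"10.1.2.{i + 1}", 445) for i in range(60)]
SAMPLE_FLOWS += [
    (0.5, "10.1.1.7", "10.9.0.10", 22),
    (1.2, "10.1.1.7", "10.9.0.11", 443),
    (2.0, "10.1.1.7", "10.9.0.10", 22),
]

if __name__ == "__main__":
    # A switch would raise the alarm here and, per the article, could cut the
    # offending port's network access; expected: {'10.1.1.25': 60}
    print(detect_sweeps(SAMPLE_FLOWS))
```

The threshold matters as much as for storm control: set `max_targets` too low and a monitoring server or a backup job that legitimately touches many hosts trips the same alarm.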

Core protection of the switch engine CPU can effectively prevent various illegal protocol attacks from paralysing the switching engine of core devices. The key-protocol "green channel" function ensures that key control packets (STP, MSTP, RIP, OSPF, BGP, multicast protocols, dual-engine board heartbeats and so on) are still processed at a normal, legitimate and reasonable rate under heavy business traffic, so that they are neither overwhelmed nor interrupted. Advanced LPM technology can resist the "Shock Wave" virus, "zero-day" viruses and the "SQL Slammer" worm; the port trust mode can detect illegal DHCP servers, illegal RADIUS servers and the like, and only trusted ports may reach these devices, ensuring network security.
