Security switches repay careful study. This article surveys the basic functions of a security switch. In recent years China's informatization has grown rapidly: bandwidth keeps widening and network speeds have multiplied. E-mail traffic between networks has grown exponentially, and IP voice, video and other technologies have greatly enriched network applications.
But while the Internet shortens the distance between people, viruses and hackers arrive uninvited. Increasingly intelligent viruses that mutate and spread quickly, point-and-click hacking tools, and the sheer volume of attacks leave enterprise information systems fragile, at risk of paralysis or even permanent damage at any moment. Enterprises therefore have to strengthen the protection of their information systems, and they would like a thorough and permanent security system. Security, however, is always relative and security measures are always reactive; no enterprise's security can be guaranteed 100%.
Analysis of how viruses work, together with the development of intrusion-defence technology, shows that antivirus software alone leaves a network poorly protected: network security cannot be delivered by a single device or technology. Under the widely promoted policies of "combining software and hardware" and "matching internal and external defences", security switches, as backbone network equipment, naturally shoulder much of the responsibility for building the network's security defence line.
The switch itself must be more secure
A security switch is essentially a computer optimized for forwarding packets, and like any computer it can be attacked. Unauthorized access to a switch's management plane can paralyze the network, and the switch itself can be the target of denial-of-service (DoS) attacks, for example from worm traffic. Beyond forwarding, a switch's control plane handles privilege management, routing-protocol maintenance, ARP, routing-table updates, ICMP processing and device monitoring, and each of these functions is a surface an attacker can use against the switch. Traditional switches were built for fast packet forwarding and emphasized forwarding performance. With LANs widely interconnected and TCP/IP an open protocol suite, network security has become a prominent problem: sensitive and confidential data leaks out of the network and important devices are attacked. As the key forwarding device in the network, a switch that only forwards cannot meet current security requirements, so traditional switches need added security.
In the view of network-equipment manufacturers, a security-enhanced switch is an upgraded and improved version of an ordinary switch. Besides the usual functions it carries security-policy functions that ordinary switches lack. Working from the network's security needs and the user's business applications, such a switch can enforce specific security policies, restrict unauthorized access and support after-the-fact analysis, so that the user's network services keep running normally. One way to achieve this is to embed security modules into the existing switch; more and more users want functions such as firewalling, VPN, data encryption and identity authentication added to the switch.
Switches enable easy network security control
Security-enhanced switches are more intelligent and more secure than ordinary switches. For system security, they implement security mechanisms in the overall architecture from the core to the edge of the network, for instance by encrypting and controlling access to network-management traffic. For access security, they use secure access mechanisms including 802.1X port authentication, RADIUS/TACACS+ authentication, MAC-address verification and various virtual network (VLAN) technologies. Many switches also add hardware-based security modules, and switches with intranet-security functions are better at containing the internal risks that have multiplied with WLAN deployments. The security technologies commonly found in switches today are the following.
Traffic Control Technology
Traffic control confines abnormal traffic through a port to a set range. Many switches offer port-based traffic control in the form of storm control, port protection and port security. Flow control in the narrow sense (802.3x PAUSE frames) lets a congested switch tell its link partner to stop sending temporarily so that packets are not lost. Broadcast storm suppression limits the amount of broadcast traffic and discards broadcasts beyond the configured value. The limitation is that a switch's traffic control can only rate-limit whatever passes through the port, holding broadcast and multicast bursts to a certain range; it cannot tell normal traffic from abnormal traffic, and choosing an appropriate threshold is difficult.
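The caveat above is easiest to see by modelling storm control. The following Python model is an added example for this article, not code from any switch vendor: it treats per-port broadcast storm control as a token bucket (the rate and burst values, port names and frame timestamps are constructed assumptions) and feeds it two kinds of broadcast burst, a legitimate one from forty hosts booting at once and an abnormal flood from a single host. Both exceed the threshold, and the limiter drops frames from both, because it sees only rate, not intent.

```python
"""Port-based broadcast storm control modelled as a per-port token bucket.
Constructed example, not a vendor implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Frame:
    t: float        # arrival time in seconds (constructed timestamps)
    port: str       # ingress port (hypothetical names)
    dst: str        # destination MAC
    kind: str       # "broadcast", "multicast" or "unicast"
    note: str = ""  # label describing what the frame represents


@dataclass
class StormLimiter:
    """Admit at most `pps` broadcast frames per second per port, sustained,
    with a burst allowance of `burst` frames. Other frame kinds pass untouched."""
    pps: float
    burst: int
    tokens: Dict[str, float] = field(default_factory=dict)
    last: Dict[str, float] = field(default_factory=dict)

    def admit(self, f: Frame) -> bool:
        if f.kind != "broadcast":
            return True  # this limiter only watches broadcast traffic
        tok = self.tokens.get(f.port, float(self.burst))
        elapsed = f.t - self.last.get(f.port, f.t)
        tok = min(float(self.burst), tok + elapsed * self.pps)  # refill since last frame
        self.last[f.port] = f.t
        if tok >= 1.0:
            self.tokens[f.port] = tok - 1.0
            return True
        self.tokens[f.port] = tok
        return False


def simulate_storm_control(frames: List[Frame], pps: float, burst: int) -> Dict[str, Tuple[int, int]]:
    """Return {note: (forwarded, dropped)} so the bursts can be compared side by side."""
    lim = StormLimiter(pps=pps, burst=burst)
    stats: Dict[str, Tuple[int, int]] = {}
    for f in sorted(frames, key=lambda x: x.t):
        fwd, drp = stats.get(f.note, (0, 0))
        if lim.admit(f):
            stats[f.note] = (fwd + 1, drp)
        else:
            stats[f.note] = (fwd, drp + 1)
    return stats


def build_frames() -> List[Frame]:
    """Constructed traffic: a legitimate boot burst, a broadcast storm, and unicast."""
    bcast = "ff:ff:ff:ff:ff:ff"
    frames: List[Frame] = []
    # Legitimate: 40 hosts on Gi0/1 boot together; each sends an ARP and a DHCP
    # broadcast within a 40 ms window (80 broadcasts total).
    for i in range(40):
        frames.append(Frame(i * 0.001, "Gi0/1", bcast, "broadcast", "boot burst"))
        frames.append(Frame(i * 0.001 + 0.0005, "Gi0/1", bcast, "broadcast", "boot burst"))
    # Abnormal: one host on Gi0/2 floods 2000 broadcasts in one second.
    for i in range(2000):
        frames.append(Frame(10.0 + i * 0.0005, "Gi0/2", bcast, "broadcast", "storm"))
    # Unicast on the same port is never touched by broadcast storm control.
    for i in range(100):
        frames.append(Frame(10.0 + i * 0.01, "Gi0/2", "00:11:22:33:44:55", "unicast", "unicast"))
    return frames


if __name__ == "__main__":
    for note, (fwd, drp) in simulate_storm_control(build_frames(), pps=100.0, burst=50).items():
        print(f"{note:<11} forwarded={fwd:5d} dropped={drp:5d}")
```

With a limit of 100 broadcasts per second and a burst of 50, the storm is cut from 2000 frames to roughly 150, which is the protection the article describes; but about a third of the boot burst is dropped too, so some hosts' ARP or DHCP requests are lost and must be retried. Raising the threshold until the boot burst passes would also let proportionally more of a storm through, which is exactly the threshold-setting dilemma the paragraph points out.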
Access Control List (ACL) Technology
An ACL controls which traffic may enter and leave network resources, preventing unauthorized access to network devices and their use as a stepping stone for attacks. An ACL is an ordered table of rules. The security switch evaluates the rules in sequence for every packet that enters the port; each rule permits or denies packets according to their attributes (such as source address, destination address, protocol and port), and the first matching rule decides the packet's fate, with an implicit deny typically applied to packets that no rule matches. Because the rules are processed in order, the relative position of each rule is crucial in determining which packets are allowed through the network and which are not.
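To make the ordering point concrete, here is an added example (Python, written for this article and not any vendor's ACL syntax) that evaluates an ordered rule table with first-match semantics and an implicit deny. The addresses, ports and the "guest VLAN / server VLAN" policy are constructed assumptions. The same three rules are listed in two orders: in one the narrow "permit HTTPS to the servers" rule comes first and works; in the other a broad deny placed before it shadows it so it can never fire. A small `find_shadowed` check flags such dead rules, which is the kind of review a practitioner does before loading an ACL.

```python
"""Ordered ACL evaluation: first matching rule wins, implicit deny otherwise.
Constructed example; not a particular switch vendor's ACL implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Walk the rules top to bottom; the first match decides. Packets that match
    nothing hit the implicit deny that switch ACLs typically end with."""
    for idx, rule in enumerate(acl):
        if rule.matches(p):
            return f"{rule.action} (rule {idx + 1})"
    return "deny (implicit)"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a, so b placed after a never fires."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def find_shadowed(acl: List[Rule]) -> List[int]:
    """1-based positions of rules that can never match because an earlier rule covers them."""
    return [j + 1 for j, r in enumerate(acl) if any(covers(acl[i], r) for i in range(j))]


# Intended policy (constructed): the guest VLAN 10.10.0.0/16 may reach the server
# VLAN 10.20.0.0/24 only on TCP/443, and may reach anything outside the server VLAN.
PERMIT_GUEST_WEB = Rule("permit", "tcp", "10.10.0.0/16", "10.20.0.0/24", 443)
DENY_GUEST_TO_SERVERS = Rule("deny", "any", "10.10.0.0/16", "10.20.0.0/24")
PERMIT_GUEST_OUT = Rule("permit", "any", "10.10.0.0/16", "0.0.0.0/0")

ACL_CORRECT = [PERMIT_GUEST_WEB, DENY_GUEST_TO_SERVERS, PERMIT_GUEST_OUT]
# Same rules, but the broad deny is listed before the narrow permit it should follow:
ACL_SHADOWED = [DENY_GUEST_TO_SERVERS, PERMIT_GUEST_WEB, PERMIT_GUEST_OUT]


def demo() -> Dict[str, List[str]]:
    web = Packet("tcp", "10.10.5.7", "10.20.0.10", 443)
    ssh = Packet("tcp", "10.10.5.7", "10.20.0.10", 22)
    dns_out = Packet("udp", "10.10.5.7", "8.8.8.8", 53)
    stray = Packet("tcp", "192.168.1.9", "10.20.0.10", 443)  # no rule covers this source
    pkts = (web, ssh, dns_out, stray)
    return {
        "correct": [evaluate(ACL_CORRECT, p) for p in pkts],
        "shadowed": [evaluate(ACL_SHADOWED, p) for p in pkts],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
    print("shadowed rules in ACL_SHADOWED:", find_shadowed(ACL_SHADOWED))
```

In the correctly ordered list the HTTPS packet is permitted by rule 1, SSH to the servers is denied by rule 2, outbound DNS is permitted by rule 3 and the stray packet falls to the implicit deny. With the deny moved to the top, the HTTPS packet is denied by rule 1 and the permit that was meant to allow it is reported as shadowed: the rule set still "contains" the right permission, but it is unreachable.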
The industry now generally holds that security should be distributed throughout the network: security between the intranet and the Internet must be addressed with dedicated security devices such as firewalls, but switches must also play a part in protecting users. At present the great majority of users are actively using security switches to solve security problems, and nearly 75% intend to adopt security measures on their switches in the future, hoping to reinforce the switches deployed throughout the network to reach their security goals.
"Security" requires an outstanding architecture
A good product must first have an outstanding architectural design. Many current security switch products use a fully distributed architecture: powerful ASICs perform high-speed route lookups, and data is forwarded with longest-prefix matching and packet-by-packet forwarding, which greatly improves the forwarding performance and scalability of the routing switch.
Beyond this distributed architecture, the DCRS-7600 series IPv6 10-Gigabit routing switch also has security functions designed to block attacks and viruses effectively, which makes it suitable for large-scale, multi-service access networks with complex traffic and for metro Ethernet. Its S-ARP (Security ARP) function guards against ARP-based DoS attacks. Its Anti-Sweep (anti-scanning) function automatically detects many kinds of malicious scanning, raises an alarm and can take further measures such as blocking the offending host's network access; because worm propagation typically begins with scanning, this can catch many new, unknown viruses before they break out on a large scale. Its S-ICMP (Security ICMP) function prevents ping-flood DoS attacks and flexibly stops hackers from using ICMP Unreachable messages to attack third parties. Its S-Buffer and software IP-traffic-impact protection defend against distributed DoS (DDoS) by intelligently monitoring and adjusting the packet buffers and the queue of IP packets directed to the CPU, so that the core switch stays stable under DDoS attack.
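The anti-sweep behaviour described above (detect scanning, alarm, then prohibit the host's network access) is generic enough to illustrate. The following Python detector is an added example written for this article; it is not the DCRS-7600's implementation and the thresholds, window length, addresses and flow records are constructed assumptions. It watches per-source flow records in a sliding time window and flags a host that contacts many distinct destinations (a horizontal sweep, the pattern a propagating worm produces) or many distinct ports on one destination (a vertical port scan), then quarantines it so its later traffic is dropped, while an ordinary client that keeps talking to the same few servers is left alone.

```python
"""Sweep and port-scan detection over flow records, with quarantine of the
offending source. Constructed example modelled on the behaviour described in
the article; not the DCRS-7600 code and not tuned for any real network."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Flow = Tuple[float, str, str, int]  # (time_s, src_ip, dst_ip, dst_port)


class SweepDetector:
    def __init__(self, window_s: float = 10.0, host_threshold: int = 20, port_threshold: int = 15):
        # Assumed thresholds: 20 distinct hosts, or 15 distinct ports on one host, within 10 s
        self.window = window_s
        self.host_th = host_threshold
        self.port_th = port_threshold
        self.events: Dict[str, Deque[Tuple[float, str, int]]] = defaultdict(deque)
        self.quarantined: Set[str] = set()
        self.alerts: List[Tuple[float, str, str]] = []

    def observe(self, t: float, src: str, dst: str, dport: int) -> str:
        """Return the verdict for one flow: forwarded, quarantined (this flow
        triggered the alarm) or dropped (source already blocked)."""
        if src in self.quarantined:
            return "dropped"  # "prohibit network access" once the host is flagged
        q = self.events[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > self.window:  # slide the window forward
            q.popleft()
        hosts = {d for _, d, _ in q}
        if len(hosts) >= self.host_th:
            return self._flag(t, src, f"horizontal sweep: {len(hosts)} hosts in {self.window:.0f}s")
        ports_per_host: Dict[str, Set[int]] = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
        for d, ports in ports_per_host.items():
            if len(ports) >= self.port_th:
                return self._flag(t, src, f"vertical scan of {d}: {len(ports)} ports")
        return "forwarded"

    def _flag(self, t: float, src: str, reason: str) -> str:
        self.alerts.append((t, src, reason))  # the alarm
        self.quarantined.add(src)             # the enforcement action
        return "quarantined"


def build_flows() -> List[Flow]:
    """Constructed flow records: one normal client, one worm-like host, one port scanner."""
    flows: List[Flow] = []
    servers = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"]
    for i in range(60):  # normal client: HTTPS to five servers, one flow per second
        flows.append((float(i), "10.0.5.20", servers[i % 5], 443))
    for i in range(60):  # worm-like host: 60 distinct hosts on TCP/445 in 3 s
        flows.append((30.0 + i * 0.05, "10.0.5.66", f"10.0.2.{i + 1}", 445))
    for p in range(1, 31):  # scanner: 30 ports on a single server in 1.5 s
        flows.append((40.0 + p * 0.05, "10.0.5.77", "10.0.1.10", p))
    return sorted(flows)


def run_detector(flows: List[Flow]) -> Tuple[Dict[str, Dict[str, int]], List[Tuple[float, str, str]]]:
    """Feed flows through the detector; return per-source verdict counts and the alerts."""
    det = SweepDetector()
    verdicts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for t, src, dst, dport in flows:
        verdicts[src][det.observe(t, src, dst, dport)] += 1
    return {src: dict(v) for src, v in verdicts.items()}, det.alerts


if __name__ == "__main__":
    counts, alerts = run_detector(build_flows())
    for src, c in counts.items():
        print(src, c)
    for t, src, reason in alerts:
        print(f"t={t:.2f} ALERT {src}: {reason}")
```

The normal client's 60 flows are all forwarded. The worm-like host is forwarded for its first 19 destinations, flagged on the 20th, and has its remaining 40 flows dropped; the scanner is flagged on its 15th port. The thresholds are where the trade-off lives: set them too low and a monitoring server that legitimately polls many hosts is quarantined, too high and a slow scan spread over more than the window goes unnoticed.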