Although numerous network security experts around the world have been developing solutions to DoS attacks for many years, no complete solution has been achieved so far, because DoS attacks exploit weaknesses in the TCP protocol. DoS attacks use relatively simple methods to completely paralyze the target system and can even damage the entire network. Therefore, Extreme Networks believes that countermeasures must be taken from a global perspective of the network, at every level of the inter-network infrastructure: special measures at the LAN level, the necessary security settings at the network transmission layer, and specialized DoS identification and prevention tools, all to minimize the loss caused by DoS attacks.
To establish such a comprehensive and systematic network security system, the network infrastructure must be an intelligent network with layer-3 switching and routing at its core. On this basis, it must provide comprehensive security policy management tools at no fewer than three levels and support professional security management software. Extreme Networks has always been a leader in layer-3 and multi-layer switching technologies. It provides users with high bandwidth and speed together with a complete set of network management tools; in particular, ExtremeWare provides effective identification mechanisms and strong control measures against the most difficult class of DoS attacks, those based on traffic flooding.
Combining the most advanced layer-3 switching technology with a multi-layer security defense system is the best choice for users who are serious about resisting DoS attacks. In addition, the LAN and network transmission layers should be laid out carefully during the network design stage.
At the LAN level, the system administrator can take a large number of preventive measures to keep DoS attacks from affecting services. These measures include maintaining solid overall management and security procedures and implementing specific defenses against the various kinds of DoS attack. Other methods tied to a specific DoS attack type may include disabling or limiting particular services that could be damaged or covertly subverted. Unfortunately, these restrictions must be weighed against the impact they may have on legitimate applications (such as RealAudio, which uses UDP as its transport mechanism). If attackers can intimidate victims into abandoning a vulnerable IP service or a legitimate application, then to some extent the attackers have already achieved their goal.
Network Transmission Layer Problems
Although the measures taken by LAN administrators play a key role in the basic work of preventing and fighting DoS attacks, comprehensive measures must also be implemented at the network transmission layer to effectively supplement that basic work.
Protect network data traffic
Effective protection of network data traffic involves a number of complementary strategies, including multi-layer switching to achieve layer-independent access control, custom filtering and "trusted neighbor" criteria, and control of network login access by unauthorized users.
Layer-independent line-rate quality of service (QoS) and access control options
The emergence of line-rate multi-layer switching systems with configurable intelligent software, layer-independent QoS, and access control functions greatly improves the ability of network transmission facilities to protect the integrity of data traffic.
In network facilities based on traditional routers, if the authentication mechanism is to filter out forged packets carrying internal source addresses, the traffic must reach the router edge and be matched against the rules in a specific access control list. Maintaining these access control lists is not only time-consuming but also imposes significant overhead on the overall performance of the router.
In contrast, a wire-speed multi-layer switching system allows flexible implementation of various policy-based access control criteria. It uses many of the same mechanisms that are crucial for the effective implementation of QoS policies throughout complex network facilities.
Although these multi-layer switching systems perform line-rate switching at layer 2, they can seamlessly apply QoS and access control criteria drawn from layer 1 through layer 4 and from other sources.
This layer-independent access control capability provides built-in flexibility and completely separates security decisions from network structure decisions, allowing network administrators to deploy DoS prevention measures effectively instead of settling for a sub-optimal routing or switching topology. As a result, network administrators and service providers can now seamlessly integrate policy-based control criteria across the entire MAN, data center, or enterprise network environment, whether it is a complex router-based core service or a relatively simple layer-2 switched local loop. In addition, because lookup tables and traffic validation decisions are processed at line rate, DoS countermeasures can run in the background with little or no added latency.
Customizable filtering and "trusted neighbor" mechanisms
Another advantage of intelligent multi-layer access control is that it can easily implement custom filtering operations, such as customizing the system's response control based on specific criteria. This approach can protect the network from DoS attacks while reducing the risk of inadvertently discarding legitimate traffic. A further advantage of layer-independent access control is that it can customize routing access policies and support "trusted neighbor" relationships between systems to manage and optimize the data traffic between them. In addition, multi-layer switching technology provides multiple options to prevent unauthorized use of internal routing policies and to prevent potentially destructive activities.
The ExtremeWare package from Extreme Networks allows 802.1p and DiffServ tags to be rewritten and overwritten, implementing a DiffServ function that is invisible to the outside. By using these policies, the system administrator can adjust the internal routing control policies applied to traffic from a specific adjacent system, rather than being forced to broadcast the actual internal policies.
ExtremeWare provides an effective tool against a new round of DoS attacks (known as QoS attacks) thanks to its ability to flexibly distinguish internal from external DiffServ and 802.1p markings.
ExtremeWare maintains an invisible internal DiffServ processing policy, so that every Extreme switch can easily ignore, observe, or process any DiffServ marking received from a possible "untrusted neighbor".
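The two edge decisions described above, dropping forged packets that carry internal source addresses and deciding per neighbor whether received DiffServ markings are observed, ignored or overwritten, are modelled below as an added example; this is illustrative code, not ExtremeWare's own implementation, and the prefixes, port names and packets are constructed sample data.

```python
# Added example (not from the Extreme Networks paper): a minimal model of the
# per-port ingress policy the text describes, namely anti-spoofing of packets
# that arrive from outside with internal source addresses, plus per-neighbor
# DiffServ (DSCP) trust handling (observe / ignore / remark).
# Prefixes, port names and packet records below are constructed sample data.
import ipaddress
from dataclasses import dataclass

INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_DEFAULT_DSCP = 0  # best effort for markings we do not trust

@dataclass
class PortPolicy:
    internal: bool       # True for ports facing our own network
    dscp_trust: str      # "observe" (keep), "ignore" (reset), or "remark"
    remark_to: int = 0   # DSCP applied when dscp_trust == "remark"

@dataclass
class Packet:
    in_port: str
    src: str
    dscp: int

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)

def ingress(pkt: Packet, policies: dict) -> tuple:
    """Return ("drop", reason) or ("forward", effective_dscp)."""
    pol = policies[pkt.in_port]
    # Anti-spoofing: an internal source address cannot legitimately enter
    # through an external-facing port, so the forged packet is dropped here,
    # before it reaches the router edge or any downstream ACL.
    if not pol.internal and is_internal(pkt.src):
        return ("drop", "spoofed-internal-source")
    # DiffServ trust: the marking seen inside the network is decided by our
    # policy for this neighbor, not by whatever the neighbor sent.
    if pol.dscp_trust == "observe":
        dscp = pkt.dscp
    elif pol.dscp_trust == "ignore":
        dscp = INTERNAL_DEFAULT_DSCP
    else:
        dscp = pol.remark_to
    return ("forward", dscp)

POLICIES = {  # constructed sample policy table
    "uplink1": PortPolicy(internal=False, dscp_trust="ignore"),
    "peer1": PortPolicy(internal=False, dscp_trust="remark", remark_to=10),
    "access1": PortPolicy(internal=True, dscp_trust="observe"),
}
```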
Customize network login configuration
Adopting a network login mechanism plays a key role in reducing exposure to DoS attacks. Network login authenticates a user's identity with a unique user name and password before the user is authorized to enter the network or send packet traffic, thereby stopping DoS attacks before authentication.
By using DHCP to emulate PPP-style dial-up authentication, network login can stop illegal access at the network edge, reducing any negative impact on network facilities.
Technical team members of Extreme Networks participated in the compilation of the draft. By taking advantage of the existing standards included in the specification, these network login mechanisms can control users' access to switches and minimize the risk of direct DoS attacks. At the same time, network login provides a robust mechanism for managing and tracking user connections and transactions within the enterprise or service provider network.
Protect network infrastructure
In addition to protecting network data traffic, it is equally important to protect the network infrastructure itself from DoS attacks and to ensure reliability and fault tolerance. The keys to protecting the infrastructure are maintaining an independent access list, closely managing the forwarding control and load balancing functions, and performing rigorous design tests to ensure system fault tolerance.