Ethernet switch Security Settings principles

At present, Ethernet switches play an important role in networking devices. Here we analyze the security settings of Ethernet switches, most of the new Ethernet switches can implement various filtering requirements by establishing rules. Rule settings can be set in two modes: MAC mode, which can effectively isolate data based on the source MAC or destination MAC, and IP Mode, data packets can be filtered by source IP address, destination IP address, protocol, source application port, and destination application port.

The established rules must be appended to the corresponding receiving or transmitting port. When the Ethernet switch receives or forwards data, it filters packets based on the filtering rules to determine whether to forward or discard the data. In addition, the Ethernet switch performs logical operations on the filtering rules through the hardware "logical and non-Gate" to determine the filtering rules, without affecting the data forwarding rate.

Port-Based Access Control for 802.1X

To prevent unauthorized users from accessing the LAN and ensure network security, Port-based access control protocol 802.1X is widely used in both wired LAN and WLAN. For example, Asus's latest GigaX2024/2048 and other new generation Ethernet switches not only support 802.1X Local and RADIUS verification methods, but also support 802.1X Dynamic VLAN access, that is, on the basis of VLAN and 802.1X, A user with a user account can access the specified VLAN group no matter where the user is connected in the network, this function not only provides flexible and convenient resources for mobile users in the network, but also ensures the security of network resource applications. In addition, the GigaX2024/2048 switch also supports the 802.1X Guest VLAN function, that is, in 802.1X applications, if the port specifies the Guest VLAN, if the access user under this port fails to authenticate or has no user account at all, it will become a member of the Guest VLAN group and can enjoy the corresponding network resources in this group, this function can also provide the minimum resources for some network application groups and provide the entire network. A peripheral access security.

Traffic control)

The traffic control of the switch can prevent abnormal bandwidth load of the Ethernet switch due to excessive traffic of broadcast data packets, multicast data packets, and unicast data packets with incorrect destination addresses, it also improves the overall efficiency of the system and ensures the safe and stable operation of the network.

SNMP v3 and SSH

The Network Management SNMP v3 introduces a new architecture that integrates the SNMP standards of different versions to enhance network management security. The security model recommended by SNMP v3 is based on the user's security model, that is, USM. USM encrypts and authenticates network management messages based on users. Specifically, what protocols and keys are used for encryption and authentication are all performed by the user name userNmae) the authoritative engine identifier EngineID) to determine the recommended encryption protocol CBCDES, authentication protocol HMAC-MD5-96 and HMAC-SHA-96), through authentication, encryption and time limit to provide data integrity, data source authentication, data confidentiality and message time limit services, this effectively prevents unauthorized users from modifying, disguising, and eavesdropping management information.

For remote network management via Telnet, the Telnet service has a fatal weakness-It transfers user names and passwords in plain text, so it is easy for others to steal passwords with ulterior motives, the user name and password are encrypted when SSH is used for communication. This effectively prevents password eavesdropping and facilitates remote security network management by network administrators.

Syslog and Watchdog

The Syslog function of the vswitch can send user-defined information such as system errors, system configurations, status changes, periodic status reports, and system exits to the log server, based on this information, network administrators can learn about the operation status of the device, detect problems early, and configure and set up and troubleshoot problems in a timely manner to ensure the safe and stable operation of the network.

Watchdog sets a timer. If the timer does not restart during the specified interval, an internal CPU restart command is generated to restart the device, this function enables the Ethernet switch to automatically restart in case of an emergency or unexpected situation to ensure network operation.

Dual-image files

Some of the latest Ethernet switches, such as a s u SGigaX2024/2048, also have dual-image files. This feature protects devices from firmware update failures in case of exceptions. The file system is saved in two parts: majoy and mirror. If one file system is damaged or interrupted, the other file system will overwrite it. If both file systems are damaged, the device clears the two file systems and overwrites them to the default settings when leaving the factory to ensure that the system runs safely.