Expert opinion: security becomes a basic function of the switch

Source: Internet
Author: User
Tags: switches, firewall

In recent years China's information infrastructure has developed rapidly: bandwidth keeps growing, network speeds have multiplied several times over, e-mail traffic on the network is growing exponentially, and technologies such as IP voice and video have greatly enriched network applications. But while the Internet shortens the distance between people, viruses and hackers arrive uninvited. Viruses are increasingly intelligent, varied and fast to propagate, and hacking tools have become "point-and-click" and spread like a flood, leaving enterprise information systems fragile and facing paralysis or even permanent damage at any time. In this situation enterprises have to strengthen the security of their own information systems, and they hope for a thorough protection system that settles the problem once and for all. Security, however, is always relative and security measures are always reactive; no enterprise security system can give a genuine 100% guarantee.
  
Research into how viruses work and into intrusion and defence technology shows that stand-alone anti-virus software by itself leaves network security incomplete; it has become the industry consensus that network security cannot be achieved by a single device or a single technology. Under the "combine software with hardware" and "defend inside and outside" strategies the industry has recently been promoting, the switch, as the backbone device of the network, naturally also shoulders the task of building the network's security defences.
  
The switch itself needs to be more secure
  
A switch is in fact a computer optimised for forwarding packets, and like any computer it can be attacked: an attacker who illegally gains control of the switch can paralyse the network, and a switch can also be the target of a DoS attack, for example from the worm viruses mentioned earlier. In addition, the switch's own control-plane work, such as spanning-tree maintenance, routing-protocol maintenance, ARP and routing-table maintenance, ICMP packet processing and the monitoring and management of the switch, can all become the avenues through which hackers attack it.
  
Traditional switches were designed mainly for fast forwarding of packets, with the emphasis on forwarding performance. With LANs now widely interconnected, and given the openness of the TCP/IP protocol suite itself, network security has become a prominent problem: sensitive data and confidential information on the network are leaked, and important data equipment is attacked. As the key forwarding device of the network environment, the switch's original security features can no longer meet today's security needs, so traditional switches need stronger security.
  
In the view of network equipment manufacturers, a security-enhanced switch is an upgrade and refinement of the ordinary switch: in addition to the general functions, it has security-policy functions that an ordinary switch lacks. From the perspective of network security and user service applications, such a switch can implement specific security policies, restrict illegal access, support analysis after the fact, and effectively guarantee the normal operation of the user's network services. One way to achieve this is to embed a variety of security modules in existing switches. More and more users now express the hope that switches will add firewall, VPN, data encryption, identity authentication and other functions.
  
Switches make network security control easy to implement
  
Security-enhanced switches are proactive by nature and have more intelligence and stronger protection than ordinary switches. On the system-security side, the switch implements the security mechanism across the whole network structure from the core to the edge, namely by encrypting and controlling network management information with specific techniques; on the access-security side, it uses secure access mechanisms including 802.1X access authentication, RADIUS/TACACS+, MAC address checking and various kinds of virtual network (VLAN) technology. Beyond that, many switches also add security modules in hardware form, and some switch security features are designed to better curb intranet security vulnerabilities that spill over through WLAN access.
  
At present, the security technologies commonly used in switches mainly include the following.

Flow control technology
  
Limiting abnormal traffic through a port to a certain range. Many switches have port-based flow control capabilities that implement storm control, port protection and port security. The flow control function notifies the peer switch when congestion occurs between two switches so that it temporarily stops sending packets and packet loss is avoided. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured value. However, the flow control function of a switch can only apply a simple rate limit to all types of traffic passing through the port, confining broadcast and multicast abnormal traffic to a certain extent; it cannot distinguish which traffic is normal and which is abnormal. At the same time, choosing a suitable threshold is also difficult.
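The following added example (written for this page, not taken from the original article or any switch vendor's code) models the port-level broadcast storm suppression just described as a token bucket. The rate of 100 broadcast packets per second, the burst of 20 packets and the packet stream are assumptions constructed for the demonstration. It shows the caveat the text raises: the limiter only counts broadcast frames, so a genuine ARP request arriving in the middle of a storm is discarded together with the flood, while unicast frames pass untouched.

```python
"""Token-bucket model of per-port broadcast storm suppression.

Constructed illustration: the rate (100 broadcast pps), the burst (20
packets) and the packet stream below are made up for this demo.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    t_ms: int        # arrival time in milliseconds (integers avoid float drift)
    dst_mac: str
    note: str        # constructed label: "storm", "legit-arp" or "unicast"


class StormControl:
    """Per-port broadcast limiter: `rate_pps` sustained, at most `burst` at once.

    Tokens are kept in thousandths of a packet so all arithmetic is integer.
    """

    def __init__(self, rate_pps: int, burst: int):
        self.rate_pps = rate_pps      # equals milli-tokens added per millisecond
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = 0
        self.forwarded = []
        self.dropped = []

    def admit(self, pkt: Packet) -> bool:
        # The limiter only looks at the destination MAC: unicast is untouched.
        if pkt.dst_mac != BROADCAST:
            self.forwarded.append(pkt)
            return True
        # Refill for the time elapsed since the previous broadcast, then spend.
        elapsed = pkt.t_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate_pps)
        self.last_ms = pkt.t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            self.forwarded.append(pkt)
            return True
        self.dropped.append(pkt)      # over the threshold: discarded, whatever it was
        return False


def build_stream():
    """Constructed traffic: a 500 pps broadcast storm lasting 400 ms, one
    genuine ARP request in the middle of it, and a few unicast frames."""
    storm = [Packet(1000 + 2 * n, BROADCAST, "storm") for n in range(200)]
    legit = [Packet(1151, BROADCAST, "legit-arp")]
    unicast = [Packet(t, "00:11:22:33:44:55", "unicast") for t in (1001, 1051, 1101)]
    return sorted(storm + legit + unicast, key=lambda p: p.t_ms)


def run_demo(rate_pps: int = 100, burst: int = 20) -> dict:
    port = StormControl(rate_pps, burst)
    for pkt in build_stream():
        port.admit(pkt)
    return {
        "forwarded_broadcast": sum(p.dst_mac == BROADCAST for p in port.forwarded),
        "forwarded_unicast": sum(p.dst_mac != BROADCAST for p in port.forwarded),
        "dropped": len(port.dropped),
        # The caveat from the text: the limiter cannot tell the real ARP
        # request from the storm, so it is discarded along with it.
        "legit_dropped": any(p.note == "legit-arp" for p in port.dropped),
    }


if __name__ == "__main__":
    print(run_demo())
```

With these settings the storm is cut from 500 pps to roughly the configured 100 pps (the first 20 packets pass as the burst allowance, then one in five), which protects the CPU and the other ports, but the one legitimate ARP request is lost too. Raising the threshold lets more of the storm through; lowering it loses more legitimate broadcasts. That is the threshold-selection problem the text refers to, and why storm control is a containment measure rather than a detection one.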
  
Access Control List (ACL) technology
  
ACLs ensure that network devices are not accessed illegally or used as a springboard for attacks by controlling what enters and leaves network resources. An ACL is an ordered list of rules; the switch evaluates the rules against each packet entering the port. Each rule either permits or denies the packet based on its properties (such as source address, destination address and protocol). Because the rules are processed in order and the first matching rule decides, the relative position of each rule is critical in determining which packets are allowed through the network and which are not.
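As an added example (written for this page, not taken from the original article or any switch vendor's implementation), the following evaluator applies an ACL with first-match semantics and an implicit deny at the end, and includes a check for rules that are shadowed by an earlier, broader rule, which is how an ordering mistake usually shows itself. The subnets, rules and packets are constructed for the demonstration.

```python
"""First-match ACL evaluator plus a check for shadowed (unreachable) rules.

Constructed illustration: the subnets, rules and packets are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that `other` could match, this rule matches too."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl, pkt):
    """Walk the list top-down; the first matching rule decides.
    Returns (action, rule index); index -1 is the implicit deny at the end."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1


def shadowed_rules(acl):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


GUEST, MGMT = "192.168.50.0/24", "10.0.0.0/24"   # constructed subnets

# Intended policy: no telnet from the guest subnet to management hosts,
# everything else from guests is allowed, and any other source falls
# through to the implicit deny.
INTENDED = [
    Rule("deny", src=GUEST, dst=MGMT, proto="tcp", dport=23),
    Rule("permit", src=GUEST),
]
MISORDERED = list(reversed(INTENDED))   # same rules, broad permit placed first

PACKETS = {   # constructed test packets
    "guest-telnet": {"src": "192.168.50.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},
    "guest-https": {"src": "192.168.50.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 443},
    "other-telnet": {"src": "172.16.0.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},
}


def run_demo() -> dict:
    return {
        "intended": {name: evaluate(INTENDED, p) for name, p in PACKETS.items()},
        "misordered": {name: evaluate(MISORDERED, p) for name, p in PACKETS.items()},
        "shadowed_in_intended": shadowed_rules(INTENDED),
        "shadowed_in_misordered": shadowed_rules(MISORDERED),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two lists contain exactly the same rules, yet the misordered one permits guest telnet to the management subnet because the broad permit is evaluated first and the deny below it is never reached. `shadowed_rules` reports that dead rule (index 1 of the misordered list), which is the kind of check worth running before an ACL is pushed to a switch; the source not covered by any rule is denied in both cases by the implicit deny.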
  
The industry now generally believes that security should be spread throughout the network: security between the intranet and the extranet needs to be handled by professional security equipment such as firewalls, but the switch also needs to play a role in protecting users. At present the overwhelming majority of users take a positive attitude to solving security problems through the switch, and nearly 75% of users intend to implement security measures on their switches in future, hoping to achieve their security objectives by hardening the network's switches.
  
"Security" requires an excellent architecture
  
A perfect product must first of all have an excellent architecture design. Many switch products now adopt a fully distributed architecture, using powerful ASIC chips for high-speed route lookup with longest-prefix matching and for packet forwarding, which greatly improves the forwarding performance and scalability of the routing switch.
  
The DCRS-7600 series IPv6 gigabit routing switch, in addition to the fully distributed architecture described above, also has a very good security function design that can effectively prevent attacks and viruses, making it more suitable for large-scale, multi-service access networks with complex traffic and for the development of metropolitan Ethernet. Its S-ARP (secure ARP) function can effectively prevent ARP DoS attacks. Its anti-scan function can automatically monitor various kinds of malicious scanning behaviour and respond with an alarm or other security measures such as prohibiting network access, a feature that can contain many unknown new viruses before they break out on a large scale. Its S-ICMP (secure ICMP) feature can effectively prevent ping DoS attacks and flexibly stop hackers from exploiting ICMP unreachable messages to attack third parties. Its intelligent S-buffer function and software IP-flow impact-resistance function can withstand distributed DoS (DDoS) attacks by intelligently monitoring and adjusting the packet data buffers and the traffic of the IP packet queue heading to the CPU, keeping the core switch safe and sound under DDoS attack.
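The following is an added example of the anti-scan idea described above, written for this page rather than taken from the DCRS-7600 or any vendor's code; the threshold, the time window and the flow records are constructed assumptions. A source that contacts many distinct destination/port targets within the window raises an alarm and is then blocked, the "prohibit network access" response the text mentions, while a busy client opening many connections to a single service is left alone.

```python
"""Sliding-window scan detector of the anti-scan kind described above.

A source is flagged when it contacts `threshold` or more distinct
(destination, port) targets within `window` seconds; once flagged, its
traffic is dropped. The flow records below are constructed for the demo.
"""
from collections import Counter, defaultdict, deque


class AntiScan:
    def __init__(self, threshold: int = 15, window: float = 10.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # src -> deque of (t, (dst, dport))
        self.blocked = set()
        self.alerts = []                   # (t, src, distinct targets seen)

    def observe(self, flow: dict) -> str:
        """Return the verdict for one flow record: forward, alert or drop."""
        src = flow["src"]
        if src in self.blocked:
            return "drop"                  # the "prohibit network access" response
        q = self.recent[src]
        q.append((flow["t"], (flow["dst"], flow["dport"])))
        while q and flow["t"] - q[0][0] > self.window:
            q.popleft()                    # expire entries outside the window
        distinct = {target for _, target in q}
        if len(distinct) >= self.threshold:
            self.blocked.add(src)
            self.alerts.append((flow["t"], src, len(distinct)))
            return "alert"
        return "forward"


def build_flows():
    """Constructed flow records (time in seconds, one record per new connection)."""
    fast_scan = [{"t": i / 10, "src": "10.1.1.66", "dst": "10.0.0.1", "dport": 1 + i}
                 for i in range(40)]                       # 40 ports in 4 s
    busy_client = [{"t": i * 0.3, "src": "10.1.1.20", "dst": "10.0.0.5", "dport": 443}
                   for i in range(30)]                     # many flows, one target
    slow_scan = [{"t": 2.0 * i, "src": "10.1.1.99", "dst": "10.0.0.1", "dport": 1 + i}
                 for i in range(20)]                       # one port every 2 s
    return sorted(fast_scan + busy_client + slow_scan, key=lambda f: f["t"])


def run_demo(threshold: int = 15, window: float = 10.0) -> dict:
    det = AntiScan(threshold, window)
    verdicts = defaultdict(Counter)
    for flow in build_flows():
        verdicts[flow["src"]][det.observe(flow)] += 1
    return {
        "verdicts": {src: dict(c) for src, c in verdicts.items()},
        "blocked": sorted(det.blocked),
        "alerts": det.alerts,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The fast scanner is flagged on its fifteenth distinct target and every later flow from it is dropped; the busy HTTPS client is never flagged because all its flows go to one target. The slow scanner, probing one port every two seconds, never accumulates fifteen targets inside a ten-second window and is missed entirely. That evasion is the trade-off behind any such feature: a smaller threshold or longer window catches slower scans but flags more legitimate hosts, the same threshold problem noted for storm control.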
