Explains how Cisco Catalyst switches defend against worms

The following describes a unique solution on the Cisco Catalyst Switch to prevent the harm of the worm in a very economical, effective, and scalable way, this greatly saves a lot of company losses.

What makes the administrators of many service operators and Enterprise Networks A headache is not only the constant development and variants, but also the increasing damage caused by attacks. Although worms do not usually destroy any data, the direct and indirect damages caused by worms cause network and system congestion.

The computing resources of infected end systems are seriously affected, while virus transmission consumes a lot of link bandwidth, what's even more terrible is the network instability or even paralysis caused by the impact of basic network devices. Taking SQL Slammer as an example, the average packet loss rate is 20% in case of infection or transmission peaks.

The unstable network caused the bank's ATM machine to be unable to work, and the airline's ticketing system was paralyzed. In just two days, 0.3 million hosts were infected with SQL Slammer, the loss caused amounted to billions of dollars. Today, more and more enterprises are integrating key business applications, voice, video and other new applications into the IP network. A secure and reliable network is the key to the success of enterprise business.

The boundaries between the internal and external networks of enterprises are becoming increasingly vague, and the mobility of users is getting stronger and stronger. In the past, we thought that the secure internal lan has already posed a latent threat. It is hard to ensure that the virus will not be brought into our enterprise network, while the wide distribution of LAN and high-speed connection.

It is also likely to become a breeding ground for the rapid spread of worms. How should we deal with the new network security environment? How to Prevent Worms on our LAN and detect, track, and prevent them from flooding in time is a problem that every network manager is thinking about.

Maybe this is a very big proposition. In fact, it does need a systematic and collaborative security policy. From the network to the host, from the core layer to the distribution layer and the access layer, we need to adopt a comprehensive enterprise security policy to protect the entire network and the connected system.

In addition, even when a worm occurs, we need to take measures to minimize its impact and protect our network infrastructure to ensure stable network operation. This article describes a unique solution on a Cisco Catalyst Switch to prevent the harm of worms in a very economical, effective, and scalable way.

First, we need to understand the abnormal behavior of the worm and have the means to detect its abnormal behavior as soon as possible. When suspicious behavior is detected, you must be able to quickly locate the source, that is, track its source IP address, MAC address, login user name, connected access layer switch, and port number. To collect evidence and make a judgment, if it is a worm, it is necessary to respond in a timely manner, such as closing the port and processing the infected machine.

However, we know that the access layer Cisco Catalyst switches are deployed in each wiring room and provide edge access for Enterprise Desktop systems. Due to cost and management, we cannot place an IDS Device next to each access layer switch. Deploy IDS at the distribution layer or core layer.

For the distribution layer or core layer that collects hundreds of thousands of 7th Mbit/s/Ethernet traffic, the IDS that work on Layer 1 cannot process massive data, therefore, it is impractical to monitor all traffic without any choice. How can we find a targeted, effective, and economically scalable solution? You can use the security features and Netflow integrated by the Catalyst access layer switch!

Suspicious Traffic is detected. Using the network traffic statistics collected and output by Cisco Netflow, we can find that a single host sends a connection request that exceeds the normal number, this abnormal large amount of traffic is often a sign of a worm outbreak or network abuse.

Because the worm feature is that a large number of random IP addresses are scanned during the attack to find possible targets, resulting in a large number of TCP or ICMP streams. There is actually no payload information in the stream record. This is an important difference between Netflow and traditional IDS. A stream record does not contain high-level information. The advantage is that it can be processed by hardware at high speed and is suitable for busy high-speed LAN environments.

Generally, the Catalyst 4500 and the access layer Cisco Catalyst switches deployed on the core and distribution layers support hardware-based Netflow. Therefore, Netflow cannot perform in-depth analysis on data packets, but it has enough information to detect suspicious traffic and is not limited by the "0 day.

If properly analyzed and utilized, Netflow records are very suitable for early detection of worms or other network abuse behaviors. It is important to know the baseline of the traffic mode. For example, it is normal for a user to have 50-1000 connections at the same time, but if a user initiates a large number of (for example,) activity streams, It is abnormal.

Trace suspicious sources. Once suspicious traffic is identified, it is equally important to track the source (including the physical location and user ID ). In today's mobile environment, users can freely roam across the campus network. It is difficult to quickly locate users simply by knowing the source IP address. We also need to prevent counterfeit IP addresses. Otherwise, the detected source IP addresses will not help us trace the suspicious source. In addition, we need to not only locate the connection port, but also the login user name.

1. What are the advantages of all-optical switches and general switches?
2. Summarize the market status of high-end Switches
3. Study on the target Switch
4. PythonAndroid introduces the "Hidden Rules" of vswitch Security"
5. Ethernet switch configuration