Over the history of network development, networks have progressed from manageable to intelligent, from high performance to multiple applications, and from single data transmission to voice, image and multimedia applications. The speed and direction of today's network technology development far exceed people's expectations.
Network equipment manufacturers and integrators design networks that meet the different needs of their users. Whatever the characteristics of a network, however, network security is always crucial, an eternal theme, because network security is an important guarantee for information applications.
Who will ensure network security?
With the development of network technology, major network equipment manufacturers at home and abroad have produced a variety of network security solutions: from firewalls and intrusion detection systems (IDS) that guard against external attacks to the deployment of security switches that prevent internal attacks, from local network protection to global network defense, and from passive prevention to active defense, all of which aim to better ensure network security.
According to an authoritative survey, 80% of attacks and unauthorized access in the current network environment come from inside the network, because the network carries a large number of applications related to the enterprise's business, such as office automation, ERP, multimedia teaching, and Email and Web servers. To fundamentally prevent internal attacks and illegal unauthorized access, the security prevention and security management of the internal networks of enterprises and institutions must first be strengthened; that is, security switches must be used within the LAN.
From the access layer through the convergence layer to the core, the switches at each layer must have security mechanisms and defense policies, so that traffic is checked and controlled layer by layer. This prevents unauthorized users from accessing the network (where an attacker could steal important network information, damage the Email server, or attack the layer-3 gateway, paralyzing the network so that its users can no longer send and receive email). It also ensures that legitimate users use network resources reasonably, and prevents legitimate users from attacking the network unintentionally, intentionally, or maliciously (for example through malicious BT downloads) in ways that consume and occupy a large share of network bandwidth, block the network outlet, and make normal office work and teaching impossible.
From the above analysis we can see that among all these policy mechanisms and solutions, the deployment of security switches always comes first and is crucial. It can be said that security switches are the lifeblood of security solutions. The switches of Ruijie Network are designed with different embedded security mechanisms and policies for the different positions they occupy in the network. The STAR-S2100 series access switches are mainly deployed at the network access layer, while the STAR-S3550 series and RG-S3750 series switches are mainly deployed at the convergence layer of the network, where they can fully play the role of the layer-3 gateway.
Establish a security portal and strictly control access
The STAR-S2100 series secure access switches act as the security portal, so they must be able to prevent illegal users from accessing the network. STAR-S2100 series switches provide different security access control policies according to network scale and network application. For example, 802.1x access control combined with Ruijie Network's powerful RG-SAM system strictly controls user access, and also ensures that a user's identity stays consistent before, during, and after Internet authentication, so that information such as MAC addresses and IP addresses cannot be tampered with after authentication in order to launch attacks.
In addition, the STAR-S2100 series binds the port in hardware to the user's IP address and MAC address and offers a variety of ACL control policies, so user access can be controlled flexibly according to the needs of the user's network environment.
The STAR-S2100 series has expert-level ACLs with "deep application recognition and control" capability; time-based bandwidth rate limiting of data streams and IGMP multicast source port checking are all handled by the FFP processing module integrated in the switch's advanced internal switching chip, so the following security policy functions are applied at wire speed while data is forwarded:
control of legitimate users' access to network resources; control of users' occupation of network bandwidth through malicious BT downloads; priority transmission of important traffic such as voice and multimedia applications so that it occupies a reasonable share of bandwidth resources; and control of illegal multicast sources that play back information and occupy network bandwidth, to effectively ensure the rational operation and use of the network.
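As an added illustration of the port/MAC/IP binding and post-authentication consistency check described above (example code written for this page, not Ruijie's firmware or configuration; the class name, port names and addresses are assumed), this model binds a port on authentication and drops any later frame whose source addresses no longer match:

```python
from ipaddress import ip_address

class AccessPortGuard:
    """Hypothetical model of the access-switch behaviour described above:
    on successful 802.1x authentication a port is bound to the user's MAC
    and IP address, and afterwards only frames matching that binding are
    forwarded, so the addresses cannot be changed after authentication."""

    def __init__(self):
        self.bindings = {}   # port name -> (mac, ip) learned at authentication
        self.log = []        # audit trail of refused actions and dropped frames

    def authenticate(self, port, mac, ip):
        """Bind the port; a second authentication on a bound port is refused."""
        if port in self.bindings:
            self.log.append(f"{port}: authentication refused, port already bound")
            return False
        self.bindings[port] = (mac.lower(), str(ip_address(ip)))
        return True

    def logoff(self, port):
        """Release the binding when the user logs off the port."""
        self.bindings.pop(port, None)

    def forward(self, port, src_mac, src_ip):
        """Return True if the frame may be forwarded, False if it is dropped."""
        binding = self.bindings.get(port)
        if binding is None:
            self.log.append(f"{port}: drop, port not authenticated")
            return False
        if (src_mac.lower(), str(ip_address(src_ip))) != binding:
            self.log.append(f"{port}: drop, {src_mac}/{src_ip} does not match "
                            f"bound {binding[0]}/{binding[1]}")
            return False
        return True

def demo():
    """Constructed scenario: a user authenticates on Gi0/1 and frames then
    arrive with the bound addresses, a changed IP, a changed MAC, and on an
    unauthenticated port. Returns (forwarded, dropped)."""
    guard = AccessPortGuard()
    guard.authenticate("Gi0/1", "00:11:22:33:44:55", "10.0.0.5")
    frames = [
        ("Gi0/1", "00:11:22:33:44:55", "10.0.0.5"),   # matches the binding
        ("Gi0/1", "00:11:22:33:44:55", "10.0.0.1"),   # IP changed after auth
        ("Gi0/1", "AA:BB:CC:DD:EE:FF", "10.0.0.5"),   # MAC changed after auth
        ("Gi0/2", "00:11:22:33:44:66", "10.0.0.6"),   # port never authenticated
    ]
    results = [guard.forward(*frame) for frame in frames]
    return results.count(True), results.count(False)
```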
Use layer-3 forwarding to effectively prevent attacks
In the network, the roles of the aggregation layer switch and the core layer switch differ from those of the access switch: unlike access switches, they take on the burden of the gateway and of layer-3 route forwarding. IP scanning and DoS attacks seriously affect and harm layer-3 switches: the switch's CPU often runs at full capacity, its processing capability declines or it is even paralyzed, and users cannot access the Internet normally.
In this regard, the Ruijie Network convergence switches STAR-S3550 series and RG-S3750, as well as the core routing switches RG-S6500 series and RG-S6800E series, use the industry's leading switching chips together with an advanced hardware layer-3 forwarding mechanism (longest-match forwarding mode) to effectively combat malicious IP address scanning.
At the same time, the switches embed security policies such as internal anti-DoS and anti-IP-scanning mechanisms, so that the packet forwarding function is not affected by IP scanning and attacks. The IGMP source port and source IP address check function prevents and controls illegal multicast sources, and various hardware ACLs, such as expert-level ACLs and time-based ACLs, control access permissions and guarantee the robust operation of the network.
Enhance level control to achieve global interaction
While providing security mechanisms, Ruijie Network switches also consider the security of the switches themselves.
Switches are the checkpoints of the network. If the checkpoints themselves are attacked or even paralyzed, how can they still perform their control function?
Ruijie Network switches, from the access STAR-S2100 through the aggregation STAR-S3550 and RG-S3750 to the core backbone routing switches RG-S6500 series and RG-S6800E series, support encrypted transmission of management information over SSH and SNMPv3, and support source IP address control for Telnet/Web access to the switch. This not only enhances the security of device network management, but also effectively prevents malicious attacks from taking control of the devices.
In addition, it is particularly worth noting that, to make switch security policy configuration easier, the Ruijie Network STAR-S2100 series access security switches also support automatic synchronous security policy issuing. Working with Ruijie Network's "GSN global security network solution", global linkage is achieved within the same network environment, so that every device in the network plays a role in security protection.
To sum up, switch security policy will develop towards automation, linkage and integration in the future. Access security switches must be deployed at the edge of the network; they act as the network portal, controlling and limiting the behavior of network users starting from each user's point of access.