Viewpoint: Quick Start vswitch basic knowledge

Source: Internet
Author: User

There is still a great deal worth learning about vswitches, in particular some basic knowledge of how they work. I therefore looked into the points to watch when using vswitches and share them here in the hope that they are useful. In recent years China's informatization has developed rapidly: bandwidth keeps growing, network speeds have multiplied, e-mail traffic between networks has increased exponentially, and IP voice, video and other technologies have greatly enriched network applications.

However, while the Internet narrows the distance between people, viruses and hackers arrive uninvited as well. Increasingly intelligent viruses that mutate and spread quickly, point-and-click hacking tools, and the sheer volume of attacks leave enterprise information systems vulnerable and at risk of paralysis or even permanent damage at any time. Enterprises therefore have to strengthen the protection of their own information systems and want a thorough, lasting security system. Security, however, is always relative and security measures are always reactive: no enterprise security system can truly be guaranteed to be 100% effective.

Research into how viruses work and the development of intrusion-defense technology show that a single anti-virus product is often not enough: network security cannot be achieved by a single device or a single technology. Under the widely promoted security policies of "software and hardware integration" and "internal and external coordination", vswitches, as the backbone network equipment, naturally shoulder much of the responsibility for building a network's line of defense.

Basic vswitch knowledge: making the vswitch itself more secure

A vswitch is essentially a computer optimized for forwarding packets, and like any computer it can be attacked: an attacker who illegally gains control of the vswitch can paralyse the network, and DoS attacks and worm outbreaks can do the same. In addition, the functions the vswitch itself performs, such as privilege management, routing-protocol maintenance, ARP and routing-table maintenance, ICMP packet processing, and switch monitoring, can all be targeted by attackers.

Traditional switches were designed mainly for fast packet forwarding, with the emphasis on forwarding performance. With the widespread interconnection of LANs and the openness of the TCP/IP protocol suite, network security has become a prominent problem: sensitive data and confidential information leak out of the network and important data devices are attacked. As a key forwarding device in the network environment, the vswitch cannot meet current security requirements as it stands, so traditional vswitches need stronger security.

In the view of network equipment manufacturers, security-enhanced switches are upgraded and improved versions of general-purpose switches. In addition to the usual functions, they offer security-policy functions that general switches lack. Based on network security requirements and the user's business applications, this type of switch can enforce specific security policies, restrict unauthorized access, and support post-event analysis, effectively ensuring that the user's network services keep running normally. One way to achieve this is to embed security modules in the existing vswitch; more and more users want functions such as firewalling, VPN, data encryption, and identity authentication added to the vswitch.

Basic vswitch knowledge: Easy Network Security Control for vswitches

A security-enhanced vswitch is more intelligent and more secure than a common vswitch. In terms of system security, such vswitches implement security mechanisms in the overall architecture from the core to the edge of the network, that is, they encrypt and control network-management information through specific technologies. In terms of access security, secure access mechanisms are used, including 802.1x access authentication, RADIUS/TACACS+, MAC address verification, and various kinds of virtual network technologies. In addition, many vswitches add hardware-based security modules. Some vswitches with intranet security functions are better at curbing the internal security risks that come with the spread of WLAN applications. The security technologies commonly used in vswitches today are described below.

Basic vswitch knowledge: Traffic Control Technology

Traffic control limits abnormal traffic passing through a port to a certain range. Many vswitches provide port-based traffic control functions that implement storm control, port protection, and port security. The flow control function notifies the link partner to temporarily stop sending packets when the switch is congested, so that packets are not lost. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured value. However, the switch's traffic control function can only rate-limit all traffic of a given type passing through the port, confining abnormal broadcast and multicast traffic to a certain range; it cannot distinguish normal traffic from abnormal traffic, and an appropriate threshold is also difficult to set.
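The following is an added illustration, not code from the original article or from any switch vendor: a small model of per-port broadcast storm suppression as the section describes it. Each port counts broadcast frames within a measurement window and discards those beyond a configured threshold. The ports, MAC addresses, arrival times and the `legit` labels are constructed sample data; the labels exist only so the evaluation at the end can show the caveat from the text, namely that a threshold cannot tell legitimate broadcasts from a storm and drops both once the limit is reached.

```python
"""Port-level broadcast storm suppression (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    port: int      # ingress port number (constructed)
    t: float       # arrival time in seconds
    dst: str       # destination MAC address
    legit: bool    # ground-truth label, used only for the evaluation below


@dataclass
class StormControl:
    threshold: int                 # max broadcast frames per port per interval
    interval: float = 1.0          # measurement window in seconds
    _window_start: dict = field(default_factory=dict)
    _count: dict = field(default_factory=lambda: defaultdict(int))

    def admit(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if suppressed."""
        if f.dst != BROADCAST_MAC:
            return True                        # unicast is not rate-limited here
        start = self._window_start.get(f.port)
        if start is None or f.t - start >= self.interval:
            self._window_start[f.port] = f.t   # open a new measurement window
            self._count[f.port] = 0
        self._count[f.port] += 1
        # The counter is blind to who sent the frame: once the window's budget is
        # used up, every further broadcast on this port is dropped.
        return self._count[f.port] <= self.threshold


def run(frames, threshold):
    """Apply storm control in arrival order; return (forwarded, dropped_legit, dropped_bad)."""
    sc = StormControl(threshold)
    forwarded = dropped_legit = dropped_bad = 0
    for f in sorted(frames, key=lambda x: x.t):
        if sc.admit(f):
            forwarded += 1
        elif f.legit:
            dropped_legit += 1
        else:
            dropped_bad += 1
    return forwarded, dropped_legit, dropped_bad


def sample_frames():
    """Constructed traffic: on port 1, five legitimate broadcasts (e.g. ARP requests)
    spread over one second, plus a burst of 50 bogus broadcasts from a misbehaving
    host starting at t=0.5s; one unicast frame on port 2 for contrast."""
    frames = [Frame(1, 0.2 * i, BROADCAST_MAC, True) for i in range(5)]
    frames += [Frame(1, 0.5 + 0.001 * i, BROADCAST_MAC, False) for i in range(50)]
    frames += [Frame(2, 0.3, "00:11:22:33:44:55", True)]
    return frames


if __name__ == "__main__":
    for thr in (20, 100):
        fwd, lost_ok, lost_bad = run(sample_frames(), thr)
        print(f"threshold={thr}: forwarded={fwd} dropped_legit={lost_ok} dropped_bad={lost_bad}")
```

With a threshold of 20 frames per second the burst is cut off after 17 of its frames, but the two legitimate broadcasts that arrive after the budget is exhausted are dropped as well; with a threshold of 100 nothing is dropped and the storm passes untouched. Picking the value between those extremes is exactly the difficulty the text points out.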

Basic vswitch knowledge: Access Control List (ACL) Technology

An ACL controls access to network resources on input and output, preventing unauthorized access to network devices and preventing them from being used as a springboard for attacks. An ACL is a table of rules. The switch evaluates these rules in sequence against each packet that enters the port, and each rule either permits or denies the packet based on its attributes (such as source address, destination address, and protocol). Because the rules are processed in order, the relative position of each rule is crucial in determining which packets are and are not allowed through the network.
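As an added example (not code from the article or from any switch vendor), the following models the sequential first-match evaluation the paragraph describes and shows why rule order matters. The addresses, the management network, and the rules are constructed sample values; real switch ACL syntax differs by vendor, and the implicit "deny everything not matched" at the end of the list is the common default this model assumes. The `shadowed` check goes one step beyond the text: it flags rules that can never fire because an earlier, broader rule already covers them, which is the usual symptom of a mis-ordered list.

```python
"""Sequential (first-match) ACL evaluation with an ordering check (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"     # source prefix; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"     # destination prefix
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl, p):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, index); index -1 means the implicit final deny applied."""
    for i, r in enumerate(acl):
        if r.matches(p):
            return r.action, i
    return "deny", -1


def shadowed(acl):
    """Indices of rules that can never match because an earlier rule covers a
    superset of their match space (source, destination, protocol and port)."""
    out = []
    for i, r in enumerate(acl):
        for e in acl[:i]:
            if (ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(e.dst))
                    and (e.proto is None or e.proto == r.proto)
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i)
                break
    return out


# Constructed sample policy: one admin host may reach the management network,
# nobody else may telnet into it, and everyone may reach the web server on port 80.
MGMT_NET = "10.0.1.0/24"
ADMIN_HOST = "10.0.0.10/32"
WEB_HOST = "10.0.2.5/32"

ACL_INTENDED = [
    Rule("permit", src=ADMIN_HOST, dst=MGMT_NET),
    Rule("deny", dst=MGMT_NET, proto="tcp", dport=23),
    Rule("permit", dst=WEB_HOST, proto="tcp", dport=80),
]
# Same rules, first two swapped: the admin host is now locked out of telnet too.
ACL_MISORDERED = [ACL_INTENDED[1], ACL_INTENDED[0], ACL_INTENDED[2]]
# A list whose second rule is unreachable because the first already covers it.
ACL_SHADOWED = [
    Rule("permit", dst=MGMT_NET, proto="tcp", dport=22),
    Rule("deny", src="10.0.0.77/32", dst=MGMT_NET, proto="tcp", dport=22),
]

if __name__ == "__main__":
    admin_telnet = Packet("10.0.0.10", "10.0.1.1", "tcp", 23)
    print("intended  :", evaluate(ACL_INTENDED, admin_telnet))
    print("misordered:", evaluate(ACL_MISORDERED, admin_telnet))
    print("shadowed rules:", shadowed(ACL_SHADOWED))
```

The same packet from the admin host is permitted by the first list and denied by the second, purely because the deny rule moved above the permit rule. Running `shadowed` over a candidate list before deploying it catches the opposite mistake, a specific deny placed below a broad permit, which otherwise fails silently.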

The industry now generally agrees that security should be distributed throughout the network: security between the intranet and the Internet must be handled by dedicated security devices such as firewalls, but switches must also play their part in protecting users. Most users are already actively addressing security through their vswitches, and nearly 75% intend to apply security measures to vswitches in practice, hoping to harden the vswitches distributed across the network in order to meet their security goals.

Basic vswitch knowledge: "Security" requires excellent architecture

A good product must start with an outstanding architecture. Many current vswitch products adopt a fully distributed architecture: they use powerful ASICs for high-speed route lookup and forward packets one by one using longest-prefix matching, which greatly improves the forwarding performance and scalability of the route switch.

In addition to the distributed architecture described above, the DCRS-7600 series IPv6 10-Gigabit route switch also has a well-designed set of security functions that can effectively prevent attacks and viruses, making it better suited to large-scale, multi-service access networks with complex traffic and to Ethernet metro deployments. Its S-ARP (Security ARP) function effectively prevents ARP-DOS attacks. The Anti-Sweep (anti-scanning) function automatically detects many kinds of malicious scanning behaviour and raises an alarm or takes other security measures, such as blocking network access; this can catch many unknown new viruses before a large-scale outbreak. The S-ICMP (Security ICMP) function effectively prevents PING-DOS attacks and flexibly stops hackers from using ICMP Unreachable messages to attack third parties. The S-Buffer and software IP traffic impact prevention function guards against distributed DOS attacks by intelligently monitoring and adjusting the packet data buffer and the traffic in the IP packet queue directed to the CPU, so that the core switch remains safe and sound under DDOS attack.
