How do you filter user traffic so that data is forwarded securely and efficiently? How do you block unauthorized users and protect the applications running on the network? How do you manage the network securely, so that unauthorized users and illegitimate behaviour are discovered promptly and the management traffic itself is protected? Below we summarize six security features that are common on switches currently on the market, in the hope that they are useful to you.
Layer 2 to Layer 4 filtering
Most newer switches can meet a range of filtering requirements by defining rules. Rules can be configured in two modes: MAC mode, which isolates traffic based on the source or destination MAC address, and IP mode, which filters packets by source IP address, destination IP address, protocol, source application port and destination application port. A defined rule must be bound to the relevant receiving or transmitting port; when that port of the switch receives or forwards data, it checks the packet against the filter rules and decides whether to forward or discard it. Because the switch evaluates the rules in hardware logic (NAND gates), filtering does not affect the forwarding rate.
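As an added illustration (not code from the article or from any switch vendor), the following Python model implements the rule scheme just described: MAC-mode and IP-mode rules, bound to a port and a direction, evaluated in order with first match deciding. The field names, the "permit"/"deny" actions and the default-forward behaviour for a port with no matching rule are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

MAC_FIELDS = {"src_mac", "dst_mac"}                                  # MAC mode
IP_FIELDS = {"src_ip", "dst_ip", "proto", "src_port", "dst_port"}   # IP mode

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None      # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    mode: str      # "mac" or "ip"
    action: str    # "permit" or "deny"
    match: dict    # field -> required value; fields not listed are wildcards

    def __post_init__(self):
        # A MAC-mode rule may only look at MAC fields, an IP-mode rule only at the 5-tuple
        allowed = MAC_FIELDS if self.mode == "mac" else IP_FIELDS
        if set(self.match) - allowed:
            raise ValueError(f"{self.mode}-mode rule cannot match on {set(self.match) - allowed}")

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class PortFilter:
    def __init__(self):
        self.bindings: dict = {}   # (port, "in"|"out") -> ordered list of rules

    def bind(self, port: int, direction: str, rule: Rule) -> None:
        self.bindings.setdefault((port, direction), []).append(rule)

    def decide(self, port: int, direction: str, pkt: Packet) -> str:
        # First matching rule wins; a port with no matching rule forwards (assumed default)
        for rule in self.bindings.get((port, direction), []):
            if rule.matches(pkt):
                return "forward" if rule.action == "permit" else "discard"
        return "forward"

def demo_filter() -> PortFilter:
    f = PortFilter()
    # MAC mode: isolate one known station by source MAC on the receiving side of port 1
    f.bind(1, "in", Rule("mac", "deny", {"src_mac": "00:11:22:33:44:55"}))   # constructed MAC
    # IP mode: drop Telnet (tcp/23) arriving on port 1, explicitly permit SSH (tcp/22)
    f.bind(1, "in", Rule("ip", "deny", {"proto": "tcp", "dst_port": 23}))
    f.bind(1, "in", Rule("ip", "permit", {"proto": "tcp", "dst_port": 22}))
    return f
```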
802.1X port-based access control
To keep unauthorized users off the LAN and protect the network, the port-based access control protocol 802.1X is widely used on both wired LANs and WLANs. For example, Asus's latest GigaX2024/2048 and other new-generation switches support not only 802.1X with local and RADIUS authentication but also 802.1X Dynamic VLAN assignment: combining VLANs with 802.1X, a user with an account is placed in the VLAN assigned to that account regardless of where in the network the user plugs in. This gives mobile users flexible, convenient access to resources while keeping those resources protected. The GigaX2024/2048 also supports an 802.1X Guest VLAN: if a Guest VLAN is configured on a port, a user on that port who fails authentication, or has no account at all, becomes a member of the Guest VLAN and can use only the resources available in that group. This gives such users a minimal set of resources and forms an outermost layer of security for the whole network.
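The port decision described above, as an added example (not from the article or from Asus): the authenticator consults a verifier, which is either a local account table or a pluggable RADIUS-style callback, places an authenticated user in the VLAN tied to its account, and otherwise falls back to the port's Guest VLAN if one is configured, or blocks the port. The account table, VLAN numbers and verifier signature are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Account:
    password: str
    vlan: int          # VLAN this account is placed in (Dynamic VLAN)

@dataclass
class PortConfig:
    guest_vlan: Optional[int] = None   # None = no Guest VLAN on this port

@dataclass(frozen=True)
class PortState:
    authorized: bool
    vlan: Optional[int]   # VLAN the port ends up in; None = port stays blocked
    reason: str

# Constructed local account table (the "802.1X Local" verification method)
LOCAL_ACCOUNTS = {"alice": Account("alice-pw", 10), "bob": Account("bob-pw", 20)}

def local_verify(user: str, password: str) -> Optional[int]:
    # Returns the account's VLAN on success, None on failure or unknown user
    acct = LOCAL_ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return None
    return acct.vlan

Verifier = Callable[[str, str], Optional[int]]   # a RADIUS lookup fits the same shape

def authorize(port: PortConfig, user: Optional[str], password: Optional[str],
              verify: Verifier = local_verify) -> PortState:
    if user is not None:
        vlan = verify(user, password or "")
        if vlan is not None:
            return PortState(True, vlan, "authenticated; Dynamic VLAN from account")
        reason = "authentication failed"
    else:
        reason = "no account presented"
    # Failed or account-less user: Guest VLAN if configured, otherwise the port is blocked
    if port.guest_vlan is not None:
        return PortState(False, port.guest_vlan, reason + "; placed in Guest VLAN")
    return PortState(False, None, reason + "; port blocked")
```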
Traffic control
Traffic control on a switch prevents the abnormal bandwidth load caused by floods of broadcast packets, multicast packets and unicast packets with unknown destination addresses. This improves the overall efficiency of the system and keeps the network running securely and stably.
SNMP v3 and SSH
SNMP v3 introduces a new architecture that unifies the SNMP standards of the earlier versions and strengthens the security of network management. The security model recommended by SNMP v3 is the User-based Security Model (USM). USM encrypts and authenticates management messages on a per-user basis: the protocols and keys used for encryption and authentication are determined by the user name (userName) together with the identifier of the authoritative engine (EngineID). The recommended encryption protocol is CBC-DES, and the recommended authentication protocols are HMAC-MD5-96 and HMAC-SHA-96. Through authentication, encryption and timeliness checks, USM provides data integrity, data origin authentication, data confidentiality and message timeliness, which effectively prevents unauthorized parties from modifying, spoofing or eavesdropping on management information.
For remote management via Telnet, the Telnet service has a fatal weakness: it transmits user names and passwords in plain text, so anyone with bad intentions can easily capture the password. When SSH is used instead, the user name and password are encrypted in transit. This effectively prevents password eavesdropping and lets administrators manage the network remotely and securely.
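The USM key handling mentioned above, as an added example (not code from the article): per RFC 3414 a user's password is first stretched into a key Ku by hashing the password repeated to 1 MiB, then localized to one engine as Kul = H(Ku || EngineID || Ku), so the same password yields a different key on every engine; HMAC-MD5-96 and HMAC-SHA-96 are HMAC over the whole message with Kul, truncated to 12 bytes. The message bytes are constructed; the password and EngineID are the RFC 3414 appendix test vector.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    # Ku: hash of the password repeated (and cut) to exactly 1,048,576 bytes
    total = 1048576
    reps, rem = divmod(total, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    # Kul = H(Ku || engineID || Ku): ties the key to one authoritative engine
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_auth_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)

def auth_params(kul: bytes, message: bytes, algo: str) -> bytes:
    # HMAC-MD5-96 / HMAC-SHA-96: full HMAC, keep the first 96 bits (12 bytes)
    return hmac.new(kul, message, algo).digest()[:12]

def verify_message(kul: bytes, message: bytes, received: bytes, algo: str) -> bool:
    # Constant-time comparison so a forged tag cannot be probed byte by byte
    return hmac.compare_digest(auth_params(kul, message, algo), received)

def demo() -> bool:
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    kul = usm_auth_key(b"maplesyrup", engine_id, "sha1")
    msg = b"constructed SNMPv3 message bytes"                 # constructed sample
    tag = auth_params(kul, msg, "sha1")
    # A message altered in transit no longer verifies under the same key
    return verify_message(kul, msg, tag, "sha1") and not verify_message(kul, msg + b"x", tag, "sha1")
```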
Syslog and Watchdog
The Syslog function of the switch sends user-selected information, such as system errors, configuration changes, status changes, periodic status reports and system shutdowns, to a log server. From this information administrators can follow the operating state of the device, detect problems early, and adjust the configuration or troubleshoot in good time, keeping the network running safely and stably.
The Watchdog is a timer: if the running software does not reset the timer within the configured interval, the switch issues an internal CPU reset and restarts itself. This lets the switch recover automatically from a hang or other unexpected condition and keeps the network in operation.
Dual-image files
Some of the latest switches, such as the Asus GigaX2024/2048, also keep dual image files. This feature ensures the device can still start normally after an exception, such as a failed firmware upgrade. The file system is stored in two copies, a major copy and a mirror. If one copy is damaged or a write to it is interrupted, the other copy is used to overwrite it. If both copies are damaged, the device wipes both and restores them to the factory default settings so that the system can still run.
In fact, the switch products now in common use have put considerable effort into layered, defensive security design and filtering, and go to great lengths to remove potential sources of insecurity. If enterprise users make full use of these security settings in a sensible combination, they can block the great majority of attacks and abuse on the network. We hope this helps make your enterprise network more secure and stable.