Introduction to L2 Switch Security

Source: Internet
Author: User

Many L2 switches can now process packet streams from L2 up to L4, which greatly improves the service quality and the security policies a switch can enforce. As a result, the security of the LAN and of the enterprise's internal network has become a focus of attention.

As the most widely used device in the network, how can the switch's security features be developed to effectively protect network access? Some organizations and vendors have proposed their own security policies. For example, multi-layer switch features are widely used to improve network security and control bandwidth.

L2 Ethernet is the most important network for LAN access in most businesses and other organizations. Therefore, L2 switch vendors constantly improve the intelligence of their switches. This type of smart switch can inspect packets by IP address, that is, by information that belongs to layer 3 or layer 4.

Such switches process packet streams from L2 to L4, which greatly improves service quality and the security policies the switch can apply. These enhanced security features are included in the BMC PowerTrix series switches.

In the view of network equipment manufacturers, security-enhanced switches are upgraded and improved versions of general switches. In addition to the general functions, such switches have security policy functions that general switches lack. Based on network security requirements and the user's business applications, this type of switch can enforce specific security policies, restrict unauthorized access, and support post-event analysis, so that users' network services keep operating normally.

One way to achieve security is to embed various security modules in the existing switch. More and more users want to add firewall, VPN, data encryption, identity authentication and other functions to the L2 switch. The following describes the security policies of several BMC L2 switches.

I. 802.1x Standard

As a security feature of the LAN, 802.1x may still be unknown to many users, and network designers and managers generally do not make wide use of this authorization standard. The reason is simple: 802.1x depends on the Windows XP client, which is the only Windows desktop operating system that supports this technology.

The IEEE 802.1x protocol is a standard for authenticating a client to the network before it is granted access. It replaces reliance on LAN directories such as Microsoft's Active Directory. Some security experts consider it a more effective measure for protecting LAN security, because a client that cannot log on to a directory server can usually still discover and use network resources such as printers, unsecured shared storage, and Internet access.

II. Traffic Control Technology

Traffic control limits abnormal traffic through a port to a set range. Many L2 switches have port-based traffic control functions that implement storm control, port protection, and port security. The flow control function notifies the peer to temporarily stop sending packets when the switch is congested, to avoid packet loss. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured threshold.
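The following is an added illustration of the broadcast storm suppression just described, not code from the page or from BMC. It models the per-port threshold as a token bucket (an assumption about the mechanism; real switches may count per interval instead) and shows that only broadcast frames beyond the configured rate are dropped, while unicast on the same port and broadcast on a quiet port are untouched:

```python
from typing import Dict, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class StormControl:
    """Per-port broadcast suppression modelled as a token bucket: each port may
    forward at most `limit_pps` broadcast frames per second, with a burst of
    `burst` frames; anything beyond that is dropped. Unicast is never limited."""

    def __init__(self, limit_pps: float, burst: Optional[int] = None):
        self.rate = float(limit_pps)
        self.burst = float(burst if burst is not None else limit_pps)
        self.tokens: Dict[int, float] = {}   # port -> tokens currently available
        self.last: Dict[int, float] = {}     # port -> timestamp of last broadcast seen
        self.stats: Dict[int, Dict[str, int]] = {}

    def ingress(self, port: int, ts: float, dst_mac: str) -> bool:
        """Return True if the frame is forwarded, False if suppressed."""
        stats = self.stats.setdefault(port, {"forwarded": 0, "dropped": 0})
        if dst_mac != BROADCAST:
            stats["forwarded"] += 1
            return True
        tokens = self.tokens.get(port, self.burst)
        elapsed = ts - self.last.get(port, ts)
        tokens = min(self.burst, tokens + elapsed * self.rate)  # refill since last frame
        self.last[port] = ts
        if tokens >= 1.0:
            self.tokens[port] = tokens - 1.0
            stats["forwarded"] += 1
            return True
        self.tokens[port] = tokens
        stats["dropped"] += 1
        return False


def simulate() -> Dict[int, Dict[str, int]]:
    """Constructed traffic: a 250-frame broadcast burst on port 1, then normal traffic."""
    sc = StormControl(limit_pps=100)
    for _ in range(250):                       # storm: 250 broadcasts in one instant
        sc.ingress(1, 0.0, BROADCAST)
    for _ in range(50):                        # one second later the bucket has refilled
        sc.ingress(1, 1.0, BROADCAST)
    for _ in range(10):                        # unicast on the same port is unaffected
        sc.ingress(1, 1.0, "02:00:00:00:00:0a")
    for i in range(5):                         # a quiet port loses nothing
        sc.ingress(2, 0.1 * i, BROADCAST)
    return sc.stats


if __name__ == "__main__":
    for port, counters in simulate().items():
        print(f"port {port}: {counters}")
```

With a 100 pps limit, the first 100 frames of the burst pass and the remaining 150 are suppressed; after a second of refill the next 50 pass again.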

III. Access Control List (ACL) Technology

The ACL controls access to and from network resources, preventing unauthorized access to network devices and their use as a springboard for attacks. An ACL is a rule table: an L2 switch evaluates these rules in sequence against each packet that enters the port.

Each rule either permits or denies a packet based on its attributes (such as source address, destination address, and protocol). Because the rules are processed in order, the relative position of each rule is crucial in determining which packets are allowed and which are not allowed to pass through the network.
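As an added example (not code from the page or from any switch vendor), the small evaluator below implements the first-match semantics described above, with the implicit deny that closes every ACL. The same two rules are installed in both orders to show why position matters: with the host-specific deny first, the blocked host is rejected; with the general permit first, the deny is never reached. Rule and packet values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One ACL entry. None in proto/dport means 'match any'."""
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # "tcp", "udp", "icmp"
    dport: Optional[int] = None      # destination port

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the rule table top to bottom; the first match decides.
    A packet that matches nothing hits the implicit deny at the end (index None)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


net = ipaddress.ip_network
DENY_ONE_HOST = Rule("deny", net("10.0.1.5/32"), net("10.0.2.0/24"))
PERMIT_WEB = Rule("permit", net("10.0.1.0/24"), net("10.0.2.0/24"), "tcp", 80)

# The same two rules in opposite order.
SPECIFIC_FIRST = [DENY_ONE_HOST, PERMIT_WEB]
GENERAL_FIRST = [PERMIT_WEB, DENY_ONE_HOST]

# Constructed sample packets.
PKT_BAD_HOST = {"src": "10.0.1.5", "dst": "10.0.2.10", "proto": "tcp", "dport": 80}
PKT_OK_HOST = {"src": "10.0.1.7", "dst": "10.0.2.10", "proto": "tcp", "dport": 80}
PKT_DNS = {"src": "10.0.1.7", "dst": "10.0.2.10", "proto": "udp", "dport": 53}


def demo() -> dict:
    return {
        "bad_host_specific_first": evaluate(SPECIFIC_FIRST, PKT_BAD_HOST),
        "bad_host_general_first": evaluate(GENERAL_FIRST, PKT_BAD_HOST),
        "ok_host": evaluate(SPECIFIC_FIRST, PKT_OK_HOST),
        "dns_implicit_deny": evaluate(SPECIFIC_FIRST, PKT_DNS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical check this encodes: when auditing an ACL, place specific denies above the broad permits they are meant to carve out, and remember that any traffic not explicitly permitted (the DNS packet here) is dropped by the implicit deny.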

IV. ARP Attack Protection Technology

ARP spoofing and ARP flood attacks abuse the trust placed in the ARP address resolution process to impersonate hosts and poison address mappings. As a result, some or all hosts in the network lose connectivity. ARP attack protection is designed around the principles of these attack methods.

L2 switches provide a variety of anti-spoofing and anti-scanning technologies. For example, the BMC L2 switch uses ARPGuard, Anti-arpscan, FreeARP (gratuitous ARP) transmission, and AM access management to defend against the various ARP attacks.
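The page names the vendor features but not how they decide; as an added example (not the page's or BMC's code), the passive monitor below shows the two checks that anti-spoofing and anti-scan functions are built on. It learns IP-to-MAC bindings from ARP replies and alerts when a later reply claims a bound IP with a different MAC, and it counts how many distinct targets a single sender probes within a window, which is the signature of ARP-based host discovery. The trace, the MAC addresses and the thresholds are constructed for the example:

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpMonitor:
    """Passive ARP watcher for one segment. Raises a 'spoof' alert when a reply
    contradicts an already-learned binding, and a 'scan' alert when one sender
    requests many distinct IPs inside `window_s` seconds."""

    def __init__(self, scan_threshold: int = 20, window_s: float = 5.0):
        self.bindings: Dict[str, str] = {}          # ip -> mac learned from replies
        self.scan_threshold = scan_threshold
        self.window_s = window_s
        self.requests: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.alerts: List[tuple] = []

    def observe(self, ts: float, opcode: int, sender_mac: str,
                sender_ip: str, target_ip: str) -> None:
        if opcode == ARP_REPLY:
            known = self.bindings.get(sender_ip)
            if known is None:
                self.bindings[sender_ip] = sender_mac
            elif known != sender_mac:
                self.alerts.append(("spoof", sender_ip, known, sender_mac))
        elif opcode == ARP_REQUEST:
            q = self.requests[sender_mac]
            q.append((ts, target_ip))
            while q and ts - q[0][0] > self.window_s:   # expire old requests
                q.popleft()
            distinct = {t for _, t in q}
            if len(distinct) >= self.scan_threshold:
                self.alerts.append(("scan", sender_mac, len(distinct)))
                q.clear()                               # one alert per sweep


GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "02:00:00:00:00:01"
HOST_MAC = "02:00:00:00:00:22"
ROGUE_MAC = "02:00:00:00:00:99"


def constructed_trace() -> List[tuple]:
    """(timestamp, opcode, sender_mac, sender_ip, target_ip) records, constructed."""
    trace = [
        (0.0, ARP_REQUEST, HOST_MAC, "10.0.0.34", GATEWAY_IP),       # normal lookup
        (0.1, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "10.0.0.34"),      # genuine gateway
        (3.0, ARP_REPLY, ROGUE_MAC, GATEWAY_IP, "10.0.0.34"),        # conflicting claim
    ]
    for i in range(1, 31):   # one sender sweeps 10.0.0.1-30 within a third of a second
        trace.append((10.0 + i * 0.01, ARP_REQUEST, ROGUE_MAC, "10.0.0.99", f"10.0.0.{i}"))
    return trace


def run_demo() -> List[tuple]:
    mon = ArpMonitor()
    for record in constructed_trace():
        mon.observe(*record)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real switch the "bindings" table would be seeded from DHCP snooping or static entries rather than from the first reply seen, which is the weakness of a purely learned table; the monitor above is deliberately the simplest form so the two decisions are visible.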

V. VLAN Technology

The virtual LAN is the layer-2 switch feature with which people are most familiar, and it is also a widely used security policy. A virtual local area network is an end-to-end logical network built with network management software on top of LAN switching. A VLAN is a logical subnet, that is, a logical broadcast domain. It can span multiple network devices and allow users in different geographic locations to join the same logical subnet.

From a technical point of view, VLANs can be divided on different principles. There are generally three methods: 1. port-based VLAN division, 2. MAC address-based VLAN division, 3. route-based VLAN division. At present, VLAN division mainly uses the first and third methods.

By using VLAN division principles such as route access lists and MAC address assignment, you can control user access permissions and the size of logical network segments, and place different user groups into different VLANs, which improves the overall performance and security of the switched network. Creating VLANs also isolates broadcast traffic.

Broadcast isolation reduces the broadcast scope and limits the spread of broadcast storms. In a network using VLAN technology, VLANs can be divided into logical segments by department function, object group, or application, which also makes network management simple and intuitive.
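To make the broadcast-domain point concrete, here is an added example (not from the page or from BMC) of a minimal port-based VLAN switch. It parses the 802.1Q tag (TPID 0x8100 followed by the TCI whose low 12 bits are the VLAN ID), keeps a MAC table keyed by VLAN, and floods broadcasts and unknown unicasts only to ports of the same VLAN. Treating a tagged frame whose VLAN differs from the access port's VLAN as a drop is a simplifying assumption; the frames, MACs and port layout are constructed:

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int] = None,
                payload: bytes = b"") -> bytes:
    """Constructed Ethernet frame, optionally carrying an 802.1Q tag (TPID + TCI)."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF   # PCP and DEI bits left at zero
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_VLAN:
        return dst, src, None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


class VlanSwitch:
    """Simplified switch with access ports only: untagged frames join the port's
    VLAN, tagged frames must match it, and floods never leave the VLAN."""

    def __init__(self, access_vlan: Dict[int, int]):
        self.access_vlan = access_vlan                      # port -> VLAN id
        self.mac_table: Dict[Tuple[int, bytes], int] = {}   # (vlan, mac) -> port

    def receive(self, in_port: int, frame: bytes) -> List[int]:
        """Return the egress ports for the frame (empty list means dropped)."""
        dst, src, tag, _, _ = parse_frame(frame)
        vlan = self.access_vlan[in_port]
        if tag is not None and tag != vlan:
            return []                                       # foreign tag on access port
        self.mac_table[(vlan, src)] = in_port               # learn source within VLAN
        out = self.mac_table.get((vlan, dst))
        if out is not None and out != in_port:
            return [out]
        # broadcast or unknown unicast: flood only the other ports of this VLAN
        return sorted(p for p, v in self.access_vlan.items() if v == vlan and p != in_port)


A, B, C = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))   # constructed host MACs


def demo() -> dict:
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})   # ports 1-2 in VLAN 10, 3-4 in VLAN 20
    results = {}
    results["broadcast_from_vlan10"] = sw.receive(1, build_frame(BROADCAST, A))
    results["b_to_a"] = sw.receive(2, build_frame(A, B))       # A was learned on port 1
    results["a_to_b_known"] = sw.receive(1, build_frame(B, A))
    results["foreign_tag_dropped"] = sw.receive(1, build_frame(BROADCAST, C, vlan_id=20))
    results["broadcast_from_vlan20"] = sw.receive(3, build_frame(BROADCAST, C))
    results["parsed_tag"] = parse_frame(build_frame(B, A, vlan_id=20))[2]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The broadcast from port 1 reaches only port 2, never ports 3 and 4, which is the broadcast isolation the text describes; the learned-MAC lookup is keyed by VLAN so a host in VLAN 20 cannot be reached by unicast from VLAN 10 without a router.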
