Protects the network from DoS remote connections

Source: Internet
Author: User
Tags ldap
Article Title: Defending Against DoS remote connection makes the network more secure. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Traditional network security technology focuses on system intrusion detection, anti-virus software or firewall. How is internal security? In the network security structure, switches and routers are very important, and each layer in the layer-7 network must be secure. Many vswitches and vrouters have rich security functions. You need to know what to do, how to work, how to deploy them, and the entire network is not affected when a layer of problems occurs. The vswitch and vro are designed to be safe by default and are in the security setting status at the factory. The special operation settings are activated only when the user requires them. All other options are disabled, to reduce risks, the Network Administrator does not need to know which options should be disabled.
  
During initial logon, the password is required to be changed, the password's term option and the number of logon attempts are limited, and stored in encrypted mode. Accounts (Maintenance Accounts or backdoors) within a time limit do not exist. Switches and routers must be safe when power is down, hot start, cold start, and IOS, hardware, or a module fails to be upgraded, in addition, after these events, the security should not be compromised and the operation should be resumed. Due to logs, network devices should maintain a safe and accurate time through the Network Time Protocol. The names of connections managed through the SNMP protocol should also be changed.
  
   Defend against DoS Attacks
Starting from availability, vswitches and vrouters must be able to withstand Denial-of-Service Dos attacks and maintain availability during the attack. Ideally, they should be able to respond to attacks and block attack IP addresses and ports. Each event is immediately reflected and recorded in the log, and they can also identify and respond to worms.
  
The use of FTP, HTTP, TELNET, or SSH in vswitches and vrouters has code vulnerabilities. After the vulnerability is discovered, the vendor can develop, create, test, and release upgrade packages or patches.
  
Role-based management gives administrators the minimum program permission to complete tasks, allows assignment of tasks, and provides checks and balances. Only trusted connections can be managed. Management permissions can be granted to devices or other hosts. For example, management permissions can be granted to certain IP addresses and specific TCP/UDP ports.
  
The best way to control management permissions is to assign sub-permissions before authorization, which can pass authentication and account servers, such as remote access services, Terminal Services, or LDAP services.
  
   Remote Connection Encryption
In many cases, administrators need to remotely manage vswitches and routers, which can only be accessed from public networks. To ensure the security of Management transmission, encryption protocol is required. SSH is the standard protocol for all remote command line settings and file transmission. for WEB-based systems, SSL or TLS protocols are used, LDAP is usually a communication protocol, while SSL/TLS encrypts the communication.
  
SNMP is used to discover, monitor, and configure network devices. SNMP 3 is a secure version that ensures authorized communication.
  
Setting up logon control can reduce the possibility of attacks, set the number of logon attempts, and respond to such scans. Detailed logs are very effective when detecting attempts to crack passwords and port scans.
  
The security of the vswitch and vro configuration files cannot be ignored. Generally, the configuration files are stored in a safe location. In the case of chaos, you can take out the backup files, install and activate the system, restore to the known status. Some vswitches are integrated with the intrusion detection function. Some support port ing allows administrators to select monitoring ports. The role of a virtual network the Virtual Local Network VLAN is a finite broadcast domain on the second layer. It is composed of a group of computer devices and usually has more than one LAN, it may span one or more LAN switches regardless of their physical locations. Devices communicate with each other as if they were in the same network, allows administrators to divide networks into several small pieces that can be managed and run well, and simplify the tasks of renewing, moving, changing devices, users, and permissions.
  
VLANs can be formed in various forms, such as the switch port, MAC address, IP address, protocol type, DHCP, 802.1Q flag, or user-defined. These can be deployed independently or in combination.
  
After a user passes the authentication process, the VLAN authentication technology authorizes the user to enter one or more VLANs.
  
Firewalls can control access between networks. They are most widely used in traditional routers and multi-layer switches, also known as ACLS. Firewalls differ mainly in the depth of packet scanning, whether there is a Session through end-to-end direct communication or proxy.
  
In the access control between networks, the routing filtering measures can be based on the source/Target swap slot or port, source/Target VLAN, source/Target IP address, or TCP/UDP port, ICMP type, or MAC address. For some vswitches and vrouters, the dynamic ACL standard can be created after the user passes the authentication process, just like the Authenticated VLAN, but on the third layer. It is useful when an unknown source address needs to be connected to a known internal target.
  
The current network needs to be designed to be secure at all levels. by deploying the Security Settings of vswitches and routers, enterprises can use traditional security technologies to create strong and secure systems at all layers.
  
  
  
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.