Traditional network security technology focuses on intrusion detection systems, anti-virus software and firewalls. What about security inside the network? In a network security architecture, switches and routers are key components, and every layer of the seven-layer model must be secured. Many switches and routers offer a wealth of security features; understanding what they are, how they work and how to deploy them means that a problem at one layer need not affect the whole network. Switches and routers should be designed to be secure by default and leave the factory in a secure state: special functions are enabled only when the user requires them, and all other options are off to reduce risk, so the network administrator does not have to know which options should be turned off.
It should be mandatory to change the password at first login, to set a password age limit and a limit on the number of login attempts, and to store passwords in encrypted form. Expired accounts, such as maintenance accounts or back doors, must not exist. When a switch or router loses power, warm-starts, cold-starts, upgrades its IOS, or suffers a hardware or module failure, it must remain safe: it should not compromise security during these events and should restore normal operation afterwards. Because accurate logs depend on it, network devices should keep safe and accurate time via the Network Time Protocol. The default names (community strings) used for SNMP management connections should also be changed.
Withstanding DoS attacks
From an availability standpoint, switches and routers need to withstand denial-of-service (DoS) attacks and remain available while under attack. Ideally they should be able to react when attacked by blocking the attacking IP address and port. Every event should be responded to immediately and recorded in the log, and the devices should also recognize and respond to worm attacks.
Switches and routers that use FTP, HTTP, Telnet or SSH can have code vulnerabilities, and vendors should develop, test and release upgrades or patches once a vulnerability is discovered.
Role-based management gives administrators the minimum permissions needed to complete their tasks, allows permissions to be delegated, provides checks and balances, and allows only trusted connections to be used for management. Administrative permissions can be bound to a device or to another host; for example, administrative access can be granted only from a specific IP address and a specific TCP/UDP port.
The best way to control administrative permissions is to grant access according to pre-divided permission sets, through an authentication and accounting server such as a remote access service, a terminal service, or an LDAP service.
Encryption for remote connections
In many cases administrators need to manage switches and routers remotely, often across the public network. To secure management traffic, encryption protocols are required: SSH is the standard for all remote command-line access and file transfers; web-based management should use SSL or TLS; and where LDAP is the communication protocol, SSL/TLS should encrypt that communication.
SNMP is used to discover, monitor and configure network devices; SNMPv3 is the version secure enough to guarantee that only authorized communication takes place.
Setting up login controls reduces the likelihood of a successful attack: limit the number of login attempts and respond to scans. Detailed logs are useful for discovering password-cracking attempts and port scans.
The security of switch and router configuration files must not be neglected. Configuration files should be kept in a secure location so that, when something goes wrong, the backup can be retrieved, installed and activated to restore the device to a known state. Some switches also incorporate intrusion-detection capabilities, and some support port mapping, which lets administrators designate a monitoring port.
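The hardening points above (encrypted passwords, NTP, non-default SNMP, SSH-only management, login throttling and remote logging) can be checked mechanically against a saved configuration backup. The following is an added example, not code from the original article: an audit of a Cisco IOS-style running configuration. The audit logic and both sample configurations are constructed for this example; the command syntax used in the samples is standard IOS.

```python
"""Audit a Cisco IOS-style running configuration for the hardening points
discussed above: encrypted passwords, NTP, non-default SNMP, SSH-only
management, login throttling and remote logging.  Added example; the audit
logic and both sample configurations are constructed here, while the
command syntax is standard IOS."""
import re
from typing import Callable, List, Tuple

# Constructed sample: a weak configuration as a device might ship.
WEAK_CONFIG = """\
hostname edge-sw1
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same device after hardening (hash is a placeholder).
HARDENED_CONFIG = """\
hostname edge-sw1
service password-encryption
enable secret 5 $1$PLACEHOLDER$placeholderhash
aaa new-model
ip ssh version 2
login block-for 120 attempts 3 within 60
ntp server 192.0.2.10
logging host 192.0.2.20
no ip http server
ip http secure-server
snmp-server group MGMT v3 priv
line vty 0 4
 transport input ssh
"""


def _has(lines: List[str], pattern: str) -> bool:
    """True if any top-level config line matches the anchored regex."""
    return any(re.match(pattern, line) for line in lines)


def _vty_blocks(lines: List[str]) -> List[List[str]]:
    """Collect the indented bodies of every 'line vty ...' section."""
    blocks: List[List[str]] = []
    current = None
    for line in lines:
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks


def _vty_ssh_only(lines: List[str]) -> bool:
    """Every VTY section must restrict inbound transport to SSH only."""
    blocks = _vty_blocks(lines)
    return bool(blocks) and all("transport input ssh" in b for b in blocks)


# (finding reported when the check fails, predicate that is True when it passes)
CHECKS: List[Tuple[str, Callable[[List[str]], bool]]] = [
    ("enable secret not set (plaintext 'enable password' or none)",
     lambda l: _has(l, r"enable secret ")),
    ("service password-encryption not enabled",
     lambda l: _has(l, r"service password-encryption$")),
    ("default SNMP community string (public/private) present",
     lambda l: not _has(l, r"snmp-server community (public|private)\b")),
    ("no SNMPv3 group with authentication/privacy defined",
     lambda l: _has(l, r"snmp-server group \S+ v3 (auth|priv)\b")),
    ("NTP server not configured",
     lambda l: _has(l, r"ntp server ")),
    ("remote syslog host not configured",
     lambda l: _has(l, r"logging (host )?\d")),
    ("plaintext HTTP management server enabled",
     lambda l: "ip http server" not in l),
    ("SSH version 2 not enforced",
     lambda l: _has(l, r"ip ssh version 2$")),
    ("login attempt throttling (login block-for) not configured",
     lambda l: _has(l, r"login block-for ")),
    ("VTY lines not restricted to SSH (telnet or unrestricted transport)",
     _vty_ssh_only),
]


def audit_config(config_text: str) -> List[str]:
    """Return the list of failed hardening checks for a configuration text."""
    lines = [ln.rstrip() for ln in config_text.splitlines()
             if ln.strip() and not ln.startswith("!")]
    return [finding for finding, passes in CHECKS if not passes(lines)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the weak sample it reports all ten checks as failed; the hardened sample reports none. Because the checks operate on the saved text, the same script can be run over the configuration backups kept in the secure location mentioned above, so a drift from the known-good state is noticed before the backup is needed.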
Role of virtual networks
A virtual LAN (VLAN) is a restricted broadcast domain at Layer 2, consisting of a set of devices, usually on one or more LANs and possibly spanning one or more LAN switches, that communicate as if they were on the same network regardless of their physical location. VLANs allow administrators to divide the network into manageable segments, simplifying the task of adding, moving and changing devices, users and permissions.
VLANs can be formed in various ways: by switch port, MAC address, IP address, protocol type, DHCP, 802.1Q tags, or user-defined criteria. These can be deployed individually or in combination.
VLAN authentication technology authorizes a user to enter one or more VLANs after the user passes the authentication process; the authorization is given to the user, not to the device.
Firewalls control access between networks. The most widely used kind is embedded in traditional routers and multilayer switches and is known as an ACL. Firewalls differ mainly in how deeply they inspect packets, whether communication is end-to-end or passes through a proxy, and whether they keep track of sessions.
For access control between networks, routing filters can be based on source/destination switch slot or port, source/destination VLAN, source/destination IP address, TCP/UDP port, ICMP type, or MAC address. On some switches and routers, dynamic ACLs can be created for a user after the authentication process, like an authenticated VLAN but at Layer 3. This is useful when an unknown source address needs to connect to a known internal destination.
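The following added example (not code from the original article) shows how such a filter evaluates an ordered ACL using the match fields just listed: source and destination IP network, protocol, TCP/UDP destination port, ICMP type and source VLAN, with first-match semantics and an implicit deny at the end. It also models the dynamic ACL case, where a host-specific permit is added for an authenticated user so that an otherwise unknown source can reach one known internal target. The evaluator, the rule set and the sample packets are constructed for this example.

```python
"""Evaluate an ordered ACL against packets using the match fields listed
above (source/destination IP, protocol, TCP/UDP port, ICMP type, source
VLAN), with first-match semantics and an implicit deny at the end, plus a
dynamic per-host entry added after authentication.  Added example: the
evaluator, the rule set and the sample packets are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1
    src_vlan: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"             # CIDR network
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None
    src_vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field set on the rule must match; unset fields are wildcards."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.src_vlan is not None and pkt.src_vlan != self.src_vlan:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def authorize_host(acl: List[Rule], src_ip: str, dst: str) -> List[Rule]:
    """Model a dynamic ACL: after a user authenticates, prepend a host-specific
    permit so an otherwise unknown source can reach one known internal target."""
    return [Rule("permit", "any", src=f"{src_ip}/32", dst=dst)] + acl


# Constructed rule set for a router between an internal network (10.0.0.0/8)
# and a DMZ (192.0.2.0/24); comments give the intent of each entry.
SAMPLE_ACL = [
    Rule("permit", "tcp", src="10.0.0.0/8", dst="192.0.2.80/32", dst_port=443),  # HTTPS to web server
    Rule("deny", "icmp", dst="10.0.0.0/8", icmp_type=8, src_vlan=30),           # no echo requests from guest VLAN 30
    Rule("permit", "icmp", src="10.0.0.0/8", dst="10.0.0.0/8"),                  # other internal ICMP
    Rule("permit", "udp", src="10.0.0.0/8", dst="192.0.2.53/32", dst_port=53),   # DNS
]


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "192.0.2.80", "tcp", 51000, 443),
        Packet("10.1.2.3", "192.0.2.80", "tcp", 51000, 22),
        Packet("10.30.0.5", "10.0.0.1", "icmp", icmp_type=8, src_vlan=30),
        Packet("198.51.100.7", "10.0.0.50", "tcp", 40000, 3389),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    # After authentication the unknown host gets a dynamic entry for one target.
    dynamic = authorize_host(SAMPLE_ACL, "198.51.100.7", "10.0.0.50/32")
    print("after authorization ->", evaluate(dynamic, samples[-1]))
```

Two points the evaluator makes visible: rule order matters (the guest-VLAN echo deny must precede the broader internal ICMP permit to take effect), and the dynamic entry is deliberately narrow, a single source host to a single destination, so the authenticated user gains only the access the authentication was meant to grant.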
Today's networks must be designed to be secure at every level. By deploying security settings on switches and routers, organizations can build strong, layered defences alongside traditional security technologies.