Security is the basic function of the core switch.

Source: Internet
Author: User

There are many things worth learning about core switches; here we mainly introduce their basic functions. In recent years, China's informatization has developed rapidly: bandwidth has grown wider and wider and network speeds have increased several times over. E-mail traffic between networks has grown exponentially, and IP voice, video and other technologies have greatly enriched network applications.

However, while the Internet narrows the distance between people, viruses and hackers arrive uninvited. Increasingly intelligent viruses that mutate and reproduce rapidly, hacking tools that anyone can use, and the sheer flood of attacks leave enterprise information systems vulnerable and at risk of paralysis or even permanent damage at any time. In this situation, enterprises have to strengthen the security protection of their own information systems and hope for a thorough and permanent security protection system. Security, however, is always relative, and security measures are always reactive: no enterprise's security system can be 100% guaranteed.

Research into how viruses work and the development of intrusion defense technology show that relying on a single anti-virus product often leaves network security inadequate: network security cannot be achieved by a single device or technology. Under the recently promoted security policies of "software and hardware integration" and "coordination of internal and external defenses", core switches, as the backbone network equipment, naturally shoulder the heavy responsibility of building the network security defense line.

The switch itself must be more secure

The core switch is in fact a computer optimized for forwarding packets, and like any computer it can be attacked: an attacker who illegally obtains control of the core switch can paralyze the network, and the switch can be the target of DoS attacks, for example by worms. In addition, the core switch performs control-plane tasks such as permission maintenance, routing protocol maintenance, ARP processing, routing table creation, ICMP packet processing and switch monitoring, and each of these may be used by hackers to attack the switch.

Traditional switches were designed mainly for fast packet forwarding, with the emphasis on forwarding performance. With the wide interconnection of LANs and the openness of the TCP/IP protocol suite, network security has become a prominent problem: sensitive data and confidential information leak out of the network and important data devices are attacked. As an important forwarding device in the network environment, the core switch's original security features can no longer meet current security requirements, so traditional switches need to be strengthened for security.

In the view of network equipment manufacturers, security-enhanced switches are upgraded and improved versions of general-purpose switches. In addition to the general functions, such switches also offer security policy functions that general switches lack. Based on network security requirements and the user's business applications, this type of switch can enforce specific security policies, restrict unauthorized access and support post-event analysis, effectively ensuring the normal operation of the user's network services. One way to achieve this is to embed various security modules in the existing switch, and more and more users want functions such as firewall, VPN, data encryption and identity authentication added to the switch.

Switches enable easy network security control

A security-enhanced switch is more intelligent and more secure than a common switch. In terms of system security, such switches implement security mechanisms across the overall architecture, from the core to the edge of the network, by encrypting and controlling network management information with specific technologies. In terms of access security, secure access mechanisms are used, including 802.1X access authentication, RADIUS/TACACS+, MAC address verification and various kinds of virtual network technologies. In addition, many switches add hardware-based security modules, and some switches with intranet security functions are better at curbing the internal security risks that come with the spread of WLAN applications. The following security technologies are currently common in switches.

Traffic Control Technology

Traffic control limits the abnormal traffic passing through a port to a certain range. Many switches have port-based traffic control functions that implement storm control, port protection and port security. The flow control function notifies the peer to temporarily stop sending packets when a link between two switches is congested, in order to avoid packet loss. Broadcast storm suppression limits the amount of broadcast traffic and discards broadcast traffic that exceeds the configured threshold. However, the switch's traffic control function can only limit the rate of all traffic of a given type passing through the port, confining abnormal broadcast and multicast traffic to a certain range; it cannot distinguish normal traffic from abnormal traffic, and it is also difficult to set an appropriate threshold.
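To make the caveat concrete, here is an added simulation (not code from the original article or from any switch vendor) of per-port broadcast storm suppression. It assumes a simplified model in which the port counts broadcast frames per fixed one-second interval and discards every broadcast above the threshold until the interval ends; the traffic is constructed, and it shows that a legitimate host's broadcasts are dropped alongside the storm, while a threshold set too high lets the whole storm through.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    t: float   # arrival time in seconds (constructed timestamps)
    src: str   # source host label
    dst: str   # destination MAC address


class StormControl:
    """Simplified per-port broadcast storm suppression (assumption: a fixed
    1-second counting interval, reset at each interval boundary)."""

    def __init__(self, threshold_pps: int):
        self.threshold = threshold_pps
        self.interval = None
        self.count = 0
        self.dropped_by_src: Dict[str, int] = {}

    def admit(self, frame: Frame) -> bool:
        if frame.dst != BROADCAST:
            return True                      # unicast is not rate-limited here
        interval = int(frame.t)
        if interval != self.interval:        # new interval: reset the counter
            self.interval, self.count = interval, 0
        if self.count >= self.threshold:     # over the threshold: discard
            self.dropped_by_src[frame.src] = self.dropped_by_src.get(frame.src, 0) + 1
            return False
        self.count += 1
        return True


def constructed_traffic() -> List[Frame]:
    # Host A: 5 legitimate ARP-style broadcasts per second for 4 seconds.
    legit = [Frame(s + 0.05 + 0.1 * k, "A", BROADCAST) for s in range(4) for k in range(5)]
    # Host B: a broadcast storm of 100 frames within second 2.
    storm = [Frame(2.001 + 0.005 * k, "B", BROADCAST) for k in range(100)]
    return sorted(legit + storm, key=lambda f: f.t)


def run(frames: List[Frame], threshold_pps: int) -> Tuple[int, Dict[str, int]]:
    """Return (frames forwarded, frames dropped per source) for one port."""
    control = StormControl(threshold_pps)
    forwarded = sum(1 for f in frames if control.admit(f))
    return forwarded, control.dropped_by_src


if __name__ == "__main__":
    for threshold in (20, 1000):
        print(threshold, run(constructed_traffic(), threshold))
```

With a threshold of 20 pps the storm is cut off after 19 frames, but four of host A's legitimate broadcasts in the same second are discarded with it; with 1000 pps nothing is dropped and the storm reaches the network.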

Access Control List (ACL) Technology

An ACL controls access to network resources on input and output, preventing unauthorized access to network devices and their use as a springboard for attacks. An ACL is a table of rules: the switch evaluates these rules in sequence for each packet that enters the port, and each rule either permits or denies a packet based on its attributes (such as source address, destination address and protocol). Because the rules are processed in order, the relative position of each rule is crucial in determining which packets are allowed through the network and which are not.
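An added example (not code from the original article or from any vendor's switch) of how sequential ACL evaluation works, assuming first-match semantics with an implicit deny at the end of the table. The policy, addresses and packets are constructed: a management ACL for a switch at 10.0.0.1 is shown in a correct order and with its first two rules swapped, which lets the broad deny shadow the admin permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source prefix in CIDR notation
    dst: str                      # destination prefix in CIDR notation
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every attribute it specifies matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the table top to bottom; the first matching rule decides.
    Assumption: a packet that matches nothing hits the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed policy: admins in 10.0.1.0/24 may reach SSH on the switch's
# management address, nobody else may reach it, transit traffic still flows.
MGMT_ACL = [
    Rule("permit", "tcp", "10.0.1.0/24", "10.0.0.1/32", 22),
    Rule("deny", "any", "0.0.0.0/0", "10.0.0.1/32"),
    Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0"),
]
# Same rules with the first two swapped: the deny now shadows the permit.
MISORDERED_ACL = [MGMT_ACL[1], MGMT_ACL[0], MGMT_ACL[2]]

ADMIN_SSH = Packet("tcp", "10.0.1.7", "10.0.0.1", 22)
USER_SSH = Packet("tcp", "10.0.2.9", "10.0.0.1", 22)
TRANSIT = Packet("udp", "10.0.2.9", "192.0.2.10", 53)
```

`evaluate(MGMT_ACL, ADMIN_SSH)` returns `("permit", 0)`, whereas the same packet against `MISORDERED_ACL` returns `("deny", 0)`: the rule content is identical and only its position changed.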

The industry now generally believes that security should be distributed throughout the entire network. Security between the intranet and the Internet must be handled by dedicated security devices such as firewalls, but core switches also need to play a part in protecting users. Currently the vast majority of users are actively solving security issues through their core switches, and nearly 75% of users intend to adopt security measures on their switches in the future, hoping to harden the switches distributed across their networks in order to meet their security goals.

"Security" requires an outstanding architecture

A good product must first have an outstanding architecture design. Many current core switch products adopt a fully distributed architecture: they use powerful ASIC chips for high-speed route lookup and use longest-prefix matching and packet-by-packet forwarding for data forwarding, which greatly improves the forwarding performance and scalability of the routing switch.

In addition to the distributed architecture described above, the DCRS-7600 series IPv6 10-Gigabit routing switch also has a strong security function design that can effectively prevent attacks and viruses, making it more suitable for large-scale, multi-service access networks with complex traffic and for metro Ethernet deployments. Its S-ARP (Security ARP) function can effectively prevent ARP DoS attacks; its Anti-Sweep (anti-scanning) function automatically monitors a variety of malicious scanning behaviors and raises an alarm or takes other security measures, such as prohibiting network access, which can catch many unknown new viruses before a large outbreak; its S-ICMP (Security ICMP) function can effectively prevent ping DoS attacks and flexibly prevents hackers from using ICMP Unreachable messages to attack third parties. The S-Buffer and software IP traffic impact prevention functions can prevent distributed DoS (DDoS) attacks by intelligently monitoring and adjusting the packet data buffer and the IP packet queue directed to the CPU, so that the core switch remains safe and sound under DDoS attack.
