Security issues for Ethernet Switches

Source: Internet
Author: User

Development trends in Ethernet switch technology: in recent years, with the rapid growth of enterprise data communication services and the converged services built on them, Ethernet switches, as indispensable key equipment, have not only grown greatly in number but have also improved steadily in quality and performance.

Enterprise information applications are moving towards broadband and convergence. In this context, the traditional Ethernet switch that provides only simple connectivity and data transmission has become a thing of the past. Looking at current trends, Ethernet switches are moving toward higher speed and greater intelligence.

First, speed. Speed is an important yardstick for network performance and has become a major direction in the development of Ethernet switches and other devices. From its earliest Mbit/s rates to the Mbit/s rates of today, Ethernet has kept pace with people's growing needs and delivered an extraordinary experience.

At present, demand for bandwidth is growing rapidly: the massive data transmission channels required by fast-growing storage networks; large numbers of high-bandwidth metropolitan networks; bandwidth for a wide range of broadband applications; data centralization at large financial institutions; and the expansion of complex applications such as enterprise core business systems, ERP and CRM. Today, Gigabit is the backbone and 10-Gigabit is the mainstream access structure, and this will gradually transition to a 10-Gigabit backbone with a 1-Gigabit access structure.

The second is intelligence. Intelligence here means not only intelligent management of the switch itself, but also support for more and more intelligent services. With the urgent need to deploy new applications and to integrate multiple services on one network, a single switch needs a rich set of functions to support them. At the same time, complex network environments make network management harder; centralized management through intelligent switching devices not only simplifies management steps but also reduces deployment and maintenance costs.

With the rapid spread of Ethernet switches, their security issues have received more and more attention. At present, the following aspects need to be addressed:

(1) Broadcast storm attacks

Suppose a malicious user sends a large volume of broadcast data, multicast data, or unicast data whose destination MAC address is random. When the switch receives such data it forwards it in broadcast fashion (flooding). If the switch does not support traffic control of flooded data, the network's bandwidth may be filled with this junk data, so that other users on the network cannot access the Internet normally.

Therefore, a switch must support rate limits on the flooded data received on each port.

(2) Data attacks on the network

A malicious user can send high-traffic data to the router. The data passes through the switch to the router and occupies most of the bandwidth of the uplink interface, so the Internet access speed of other users becomes very slow.

Therefore, the switch must limit the inbound rate of each port. Otherwise a malicious user can attack the network to which the port belongs and affect all other users on it.
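As an added illustration of items (1) and (2), not code from the original article: a Python simulation of two token-bucket policers per port, a loose one charged for all inbound traffic and a tight one charged only for frames the switch would flood (broadcast, multicast and unknown unicast). Port numbers, rates, frame sizes and the router MAC are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Frame:                      # constructed sample frame: ingress port, dst MAC, size in bytes
    port: int
    dst_mac: str
    length: int

def is_flood(dst_mac: str, mac_table: set) -> bool:
    """Broadcast/multicast (I/G bit of the first octet set) or unknown unicast is flooded."""
    group_bit = int(dst_mac.split(":")[0], 16) & 0x01
    return group_bit == 1 or dst_mac not in mac_table

class TokenBucket:
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8000           # bytes refilled per millisecond (exact for these rates)
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0
    def allow(self, now_ms: int, nbytes: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False

class PortPolicer:
    """Per-port inbound policer (item 2) plus a stricter flood policer (item 1)."""
    def __init__(self, ports, inbound_bps, flood_bps, burst_bytes):
        self.inbound = {p: TokenBucket(inbound_bps, burst_bytes) for p in ports}
        self.flood = {p: TokenBucket(flood_bps, burst_bytes) for p in ports}
    def admit(self, frame: Frame, now_ms: int, mac_table: set) -> str:
        # The inbound bucket is charged first; a flooded frame must also pass the flood bucket.
        if not self.inbound[frame.port].allow(now_ms, frame.length):
            return "drop:inbound-rate"
        if is_flood(frame.dst_mac, mac_table) and not self.flood[frame.port].allow(now_ms, frame.length):
            return "drop:flood-rate"
        return "forward"

ROUTER_MAC = "00:11:22:33:44:55"              # constructed router MAC, already in the MAC table

def simulate():
    """Attacker on port 1: one 1500-byte broadcast per ms (12 Mbit/s) for a second; then a user on port 2."""
    pol = PortPolicer([1, 2], inbound_bps=100_000_000, flood_bps=1_000_000, burst_bytes=15_000)
    counts = {"forward": 0, "drop:flood-rate": 0, "drop:inbound-rate": 0}
    for ms in range(1000):
        counts[pol.admit(Frame(1, "ff:ff:ff:ff:ff:ff", 1500), ms, {ROUTER_MAC})] += 1
    user = pol.admit(Frame(2, ROUTER_MAC, 1500), 1000, {ROUTER_MAC})   # known unicast, not flood
    return counts, user
```

With a 1 Mbit/s flood limit the storm is cut to its burst plus one frame every 12 ms, while the user's unicast frame on another port is unaffected.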

(3) Massive MAC address attacks (MAC flooding)

Because a switch uses the MAC address as the index when forwarding data, a frame whose destination MAC address is unknown is flooded to the whole network. A malicious user can therefore send large amounts of junk data whose source MAC address keeps changing. The switch must keep learning these addresses, and its MAC table has limited capacity; once the table is full, existing entries are overwritten by newly learned ones. When the switch then receives data from the router for a normal customer, it cannot find that customer's MAC entry and floods the data across the network, which greatly reduces the network's forwarding performance.

Therefore, a switch must be able to limit the number of MAC addresses each port can learn. Otherwise the entire network degrades into something resembling a hub.

(4) MAC spoofing attacks

A malicious user who wants to paralyze the network can also change their MAC address to that of the router (call it MAC-X) and keep sending frames to the switch (no large volume is needed; one frame per second is enough). The switch then updates its record so that MAC-X appears to be on the port connected to the malicious user. When other users now send data to the router, the switch delivers it to the malicious user instead, so that users sending normal data cannot access the Internet normally (in fact, no user on the network can).

Therefore, the switch should support MAC-to-port binding (that is, the router's MAC address should be configured statically on the switch); otherwise a malicious user can easily bring the network down. Alternatively, the switch can bind each port to the source MAC addresses that are allowed to enter the network through it, so that malicious users cannot attack the network by MAC spoofing.
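To show items (3) and (4) together, here is an added Python model of a switch MAC table that is not taken from the article: it enforces a per-port learning limit, evicts the oldest entry when the table is full, and refuses to relearn a statically bound MAC (the router's) on any other port. The MACs, port numbers and table capacity are constructed sample values.

```python
from collections import OrderedDict

class MacTable:
    """Simulated forwarding table: per-port learning cap plus static MAC-to-port bindings."""
    def __init__(self, capacity: int, per_port_limit: int):
        self.capacity = capacity
        self.per_port_limit = per_port_limit
        self.entries = OrderedDict()          # mac -> port, oldest entry first
        self.static = {}                      # mac -> port, e.g. the router on the uplink
        self.learned_per_port = {}

    def bind_static(self, mac: str, port: int):
        self.entries.pop(mac, None)
        self.static[mac] = port

    def _forget(self, mac: str):
        port = self.entries.pop(mac)
        self.learned_per_port[port] -= 1

    def learn(self, src_mac: str, port: int) -> bool:
        if src_mac in self.static:                      # statically bound: never relearned
            return self.static[src_mac] == port         # False means a MAC spoof attempt
        if src_mac in self.entries:
            if self.entries[src_mac] == port:
                self.entries.move_to_end(src_mac)       # refresh the aging position
                return True
            self._forget(src_mac)                       # station moved to another port
        if self.learned_per_port.get(port, 0) >= self.per_port_limit:
            return False                                # port reached its learning limit
        if len(self.entries) >= self.capacity:          # table full: evict the oldest entry
            self._forget(next(iter(self.entries)))
        self.entries[src_mac] = port
        self.learned_per_port[port] = self.learned_per_port.get(port, 0) + 1
        return True

    def lookup(self, dst_mac: str):                     # None means the frame must be flooded
        return self.static.get(dst_mac, self.entries.get(dst_mac))

ROUTER_MAC, USER_MAC = "00:11:22:33:44:55", "aa:aa:aa:00:00:01"   # constructed

def demo(per_port_limit: int):
    """User on port 1, router bound to uplink port 24, attacker on port 2 cycling source MACs."""
    table = MacTable(capacity=4, per_port_limit=per_port_limit)
    table.bind_static(ROUTER_MAC, 24)
    table.learn(USER_MAC, 1)
    accepted = sum(table.learn(f"02:bb:bb:00:00:{i:02x}", 2) for i in range(100))
    spoof = table.learn(ROUTER_MAC, 2)                  # attacker claims the router's MAC
    return accepted, spoof, table.lookup(USER_MAC), table.lookup(ROUTER_MAC)
```

Calling `demo(2)` keeps the user's entry and accepts only two attacker MACs; calling `demo` with an effectively unlimited per-port limit lets the attacker evict the user's entry, after which the router's traffic to that user is flooded, which is the hub-like degradation the text describes.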

(5) ARP spoofing attacks

A malicious user can also carry out ARP spoofing: whenever they see an ARP request, no matter which IP address it asks for, they immediately send an ARP reply for it. Data that other users send is then delivered to the malicious user's MAC address, and those users naturally cannot access the Internet normally.

Therefore, the switch should bind each port to an IP address: ARP requests, ARP replies and data received on a port whose IP address differs from the bound address are discarded. Otherwise the network can be paralyzed.
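An added example, not from the article, of the port-to-IP binding check applied to raw ARP packets: it parses the RFC 826 Ethernet/IPv4 ARP layout and drops any request or reply whose sender IP and MAC do not match the binding of the port it arrived on. The addresses, ports and the spoofed reply are constructed sample input.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"     # RFC 826: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP payload used as sample input (Ethernet header omitted)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def parse_arp(payload: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op, "sha": fmt_mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": fmt_mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

class ArpInspector:
    """Port-to-(IP, MAC) binding table: ARP whose sender fields disagree with the
    binding of the ingress port is dropped instead of being forwarded."""
    def __init__(self, bindings: dict):
        self.bindings = bindings                     # port -> (ip, mac)

    def check(self, port: int, payload: bytes) -> str:
        arp = parse_arp(payload)
        if arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return "drop:unknown-opcode"
        bound = self.bindings.get(port)
        if bound is None or (arp["spa"], arp["sha"]) != bound:
            return "drop:sender-mismatch"
        return "forward"

def demo():
    """Constructed scenario: user on port 1, attacker on port 2, router at 192.0.2.1."""
    insp = ArpInspector({1: ("192.0.2.10", "aa:aa:aa:00:00:01"),
                         2: ("192.0.2.11", "bb:bb:bb:00:00:02")})
    legit = build_arp(ARP_REQUEST, "aa:aa:aa:00:00:01", "192.0.2.10",
                      "00:00:00:00:00:00", "192.0.2.1")
    # attacker answers the user's request for the router, claiming 192.0.2.1 is at its own MAC
    spoof = build_arp(ARP_REPLY, "bb:bb:bb:00:00:02", "192.0.2.1",
                      "aa:aa:aa:00:00:01", "192.0.2.10")
    return insp.check(1, legit), insp.check(2, spoof)
```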

(6) Loop attacks

A user may also install a switch at home, deliberately connect both ends of one cable to that switch to form a loop, and then connect that switch to the network switch with another cable. Because the whole network now contains a loop, MAC address learning becomes chaotic, the switch makes errors when forwarding data, and the entire network crashes.

Therefore, the switch must have a loop detection function; when a loop is detected on a port, that port must be disabled.

Although so many security problems still have to be faced when deploying Ethernet switches, now and in the future, as China's information network coverage keeps expanding, their use will become ever more widespread. It is foreseeable that the Ethernet switch market will continue to gain strong momentum along with continuing technological advances and growing demand.
