Security of Ethernet access network in broadband IP network

Source: Internet
Author: User
Tags: switches

As society becomes more information-driven, demand has moved from simple data to interactive multimedia, and from single-purpose services to a unified, integrated network that carries data, voice and image services together. The traditional IP network can no longer meet these new services; it has become a bottleneck for their development, and the broadband IP network has emerged in response. A broadband IP network is an IP network that operates in real time and guarantees quality of service, so that a variety of broadband multimedia services can run directly over it. It is a true integrated-services network that transports data, voice and video together. In recent years broadband IP technology has made major breakthroughs: IP over DWDM has entered commercial operation, the bandwidth of wide-area broadband IP backbones has grown from tens of Gbps to hundreds of Gbps and will soon reach the Tbps level, and cable to the community and to the building with 10-100 Mbps Ethernet access to the door has become a new trend in broadband access networks.
The access network of today's broadband IP networks is mostly broadcast-based Ethernet, whose Media Access Control (MAC) protocol is Carrier Sense Multiple Access with Collision Detection (CSMA/CD). The basic principle of CSMA/CD is that all nodes on the network share the same transmission medium, but only one of them may transmit at any given moment. Every node receives every transmitted frame, decodes it, and compares the destination address in the frame with its own MAC address; it accepts the frame if the address matches its own and discards it otherwise. A workstation that wants to send must first listen to the cable to determine whether another workstation is already transmitting, and may begin only when the medium is idle. While sending, it monitors the signal appearing on the cable and compares it with the data it is transmitting. This is necessary because two or more workstations may happen to start transmitting at the same time, in which case the signals on the cable are garbled and unusable; this is a collision. The transmitting workstations, monitoring their own data, notice the collision and stop transmitting, and each waits a random time before sending again. This collision-detection mechanism limits the length of the network: the two nodes farthest apart must be close enough that they can still detect a collision, so the maximum network length is determined by the network clock rate, the propagation speed of the signal on the medium, and the minimum frame size. For traditional Ethernet, Fast Ethernet and Gigabit Ethernet this calculation gives 5120 m, 512 m and 51.2 m respectively.
These are theoretical figures; in a real network, in addition to the propagation delay on the cable, network adapters, repeaters, hubs and other network devices add delays of their own.
Under CSMA/CD, a frame sent between two nodes in an Ethernet collision domain reaches not only the network cards of those two nodes but the network card of every node in the same collision domain. Consequently, anyone listening at any node of an access Ethernet collision domain can capture all the frames on that segment, unpack and analyze them, and steal sensitive information. This is the inherent security weakness of Ethernet.
At present, the security of an Ethernet access network must be addressed mainly at its MAC-layer protocol. The available solutions are as follows:
(1) Network segmentation
The common network pattern today has switches at the center and routers at the boundary, so each switch port is a separate Ethernet collision domain, and traffic between two switch ports is not visible to a third port. This effectively segments the network by switch port.
Network segmentation is usually regarded as a basic method for controlling broadcast storms, but it is also an important security measure. Its aim is to isolate unauthorized users from sensitive network resources, thereby preventing possible illegal interception.
(2) Switching hubs in place of shared hubs
The risk of Ethernet interception persists even after the network has been segmented by the central Ethernet switch. This is because end users usually connect through a branch hub rather than directly to the central switch, and the most widely used branch hubs are shared hubs, so when a user communicates with a host, the packets between the two machines can be listened to by every other user on the same hub. Besides weak security, which lets users monitor other users' traffic, shared hubs have the further drawbacks of low transmission speed and no way to prevent unauthorized users from accessing the Internet.
Therefore a switched hub should be used in place of the shared hub, so that packets are delivered only between the two nodes involved and illegal listening is prevented. Of course, a switched hub cannot control the propagation of broadcast packets and multicast packets, which still reach all ports of the switched hub.
(3) VLAN division
To overcome the Ethernet broadcasting problem, VLAN (Virtual Local Area Network) technology can be used to turn Ethernet communication into point-to-point communication and so prevent network interception. Each switch port is configured as a separate VLAN with its own VID. With each user port in its own VLAN, a VLAN-capable LAN switch isolates the users' traffic, and the user's IP address is bound to the port's VLAN number to ensure correct routing.
There are three main VLAN technologies: VLANs based on switch port, VLANs based on node MAC address, and VLANs based on application protocol. Port-based VLANs are not flexible, but they are the most mature, their effect is clear, and they are the most widely used in practice. MAC-address-based VLANs make mobile computing possible, but they also carry the hidden danger of MAC spoofing attacks. Protocol-based VLANs are ideal in theory, but their practical application is still immature.
In a centralized network environment, all host systems are typically placed in a single VLAN in which no user nodes are allowed, which protects sensitive host resources better. In a distributed network environment, VLANs can be divided according to the structure of the organization or its departments, with all the servers and user nodes of each department in their own VLAN.
Connections within a VLAN are handled by switching, and connections between VLANs by routing. Most switches today support the international standard routing protocols RIP and OSPF. If other routing protocols are required, an external router with multiple Ethernet ports must be used in place of the switch to route between VLANs; in that case, of course, routing and forwarding efficiency decreases.
In VLAN mode, VLANs isolate ARP, DHCP and other broadcast messages that carry user information, so the security of user data is further improved. The VLAN method solves the security of user data but lacks a means of managing users: it cannot authenticate or authorize them.
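The difference between a shared hub, a switched hub and port-based VLANs described in sections (2) and (3) can be made concrete with a small forwarding model. This is an added example, not code from the original article: a learning switch in which every port belongs to one VLAN, so known unicast goes to a single port, while broadcast, multicast and unknown unicast are flooded only within the ingress port's VLAN. Port numbers, VLAN ids and MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """True for broadcast or multicast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def hub_forward(ports, in_port):
    """A shared hub repeats every frame to every other port, whatever the address."""
    return set(ports) - {in_port}


class VlanSwitch:
    """Learning switch where each port belongs to exactly one port-based VLAN.
    Frames are only ever delivered to ports in the ingress port's VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id (constructed)
        self.mac_table = {}                # (vlan, mac) -> port it was learned on

    def _flood(self, in_port, vlan):
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for one frame arriving on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port   # learn the source address
        if is_group_address(dst_mac):                # broadcast/multicast: flood the VLAN
            return self._flood(in_port, vlan)
        out = self.mac_table.get((vlan, dst_mac))
        if out is None:                              # unknown unicast: also flooded
            return self._flood(in_port, vlan)
        return set() if out == in_port else {out}   # known unicast: one port only


def demo():
    """Constructed scenario: ports 1-2 in VLAN 10 (servers), ports 3-4 in VLAN 20 (users)."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    return {
        "hub_broadcast": hub_forward([1, 2, 3, 4], 1),
        "vlan_broadcast": sw.forward(1, "02:00:00:00:00:01", BROADCAST),
        "learned_unicast": sw.forward(2, "02:00:00:00:00:02", "02:00:00:00:00:01"),
        "cross_vlan_unknown": sw.forward(3, "02:00:00:00:00:03", "02:00:00:00:00:01"),
    }
```

Note that the broadcast from port 1 never reaches ports 3 and 4, and the frame from port 3 addressed to the server on port 1 is flooded only inside VLAN 20; reaching VLAN 10 requires routing.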
(4) IP+MAC binding to secure the network
VLANs isolate all users from one another, which maximizes the security of the network and of user information, but a user's IP address or MAC address may still be stolen or imitated, and experienced hackers can do so. Binding VLAN + IP + MAC together provides authentication and secures the network: only the properly assigned IP address, the correct network interface card, and the unique user connected to a particular port can obtain service.
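The point of anchoring the binding to the port can be shown with a small validation routine. This is an added example, not code from the original article: a per-port VLAN+IP+MAC table and a check that reports why a frame does not match, contrasted with a port-less IP+MAC check that a cloned address pair would pass. The binding table and the sample frames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str


# Constructed sample table: what each access port was provisioned with.
BINDINGS = {
    1: Binding(vlan=101, ip="10.0.1.11", mac="00:11:22:33:44:01"),
    2: Binding(vlan=102, ip="10.0.1.12", mac="00:11:22:33:44:02"),
}


def check_ip_mac_only(src_mac, src_ip, bindings=BINDINGS):
    """Weaker check that ignores the port: any provisioned (MAC, IP) pair is
    accepted wherever it shows up, so a copied pair passes from another port."""
    return any(b.mac == src_mac.lower() and b.ip == src_ip for b in bindings.values())


def check_port_binding(port, vlan, src_mac, src_ip, bindings=BINDINGS):
    """Port-anchored VLAN+IP+MAC check. Returns None when the frame matches the
    binding of the port it arrived on, otherwise a reason usable in a log line."""
    b = bindings.get(port)
    if b is None:
        return "unprovisioned port"
    if vlan != b.vlan:
        return "vlan mismatch"
    if src_mac.lower() != b.mac:
        return "mac mismatch"
    if src_ip != b.ip:
        return "ip mismatch"
    return None


def audit(frames, bindings=BINDINGS):
    """Apply the port-anchored check to (port, vlan, mac, ip) records and
    return only the offending ones, each tagged with its reason."""
    violations = []
    for port, vlan, mac, ip in frames:
        reason = check_port_binding(port, vlan, mac, ip, bindings)
        if reason:
            violations.append((port, mac, ip, reason))
    return violations


# Constructed frames: the second one is port 2 presenting port 1's addresses.
SAMPLE_FRAMES = [
    (1, 101, "00:11:22:33:44:01", "10.0.1.11"),
    (2, 102, "00:11:22:33:44:01", "10.0.1.11"),
    (2, 102, "00:11:22:33:44:02", "10.0.1.99"),
    (3, 103, "00:11:22:33:44:03", "10.0.1.13"),
]
```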
(5) User identity authentication
To support user roaming and provide user-level services, identity authentication and corresponding billing are required. PPPoE combined with the RADIUS protocol can authenticate user identity, but adopting it makes the whole system not only expensive but also seriously degrades network performance. If DHCP is adopted, the DHCP protocol brings more broadcast overhead, and for large switched Ethernet networks with many users DHCP makes configuration management difficult; in addition, it does not solve the problem of users configuring their own IP addresses. For optimal performance, other, better protocols are needed, such as an improved DHCP protocol or DHCP + RADIUS.
A broadband access network based on Ethernet technology is very different from the traditional Ethernet used in computer LANs. It borrows only the Ethernet frame structure and interface; its network structure and working principle are completely different. It must offer high information security, telecom-grade network reliability and strong management functions, and must be able to guarantee each user's access bandwidth; these are the things an Ethernet access network has to consider. A broadband access network based on Ethernet technology gives users a standard network interface, is compatible with every terminal that has a standard Ethernet interface, and requires no new network card or protocol software, so it is a very inexpensive broadband access technology. The development of broadband metropolitan area networks takes many forms because of the complexity of their applications. The broadband IP metropolitan area network (10GbE) built directly on the cable network is becoming the mainstream, and an optical multi-service platform composed of DWDM optical switches (wavelength routers) will be adopted for broadband metropolitan core networks above the Tbps level. Operators building a broadband metropolitan area network should analyze their situation comprehensively and choose accordingly, and in particular must consider security when Ethernet is used as the main access network.
