Six safety tips for two-tier switches

Source: Internet
Author: User
Tags file system hmac snmp switches syslog ssh

With the popularization and deepening of the network application, the requirement of the two-layer switch is not only limited to the data forwarding performance, service quality (QoS) and so on, the network security idea is becoming the important reference content of the group network product selection.

How to filter the user's communication and ensure the safe and effective data forwarding? How to prevent illegal users, protect the network security application? How to carry out security management, discover the security of illegal users, illegal acts and remote network management information in time? Here we summarize some of the popular security features in the 6 recent switch markets, Hope to help you.

One of the secrets of security: L2-L4 Layer Filtration

Most of the new switches can be used to establish rules to achieve a variety of filtering requirements. There are two modes of rule setting, one is Mac mode, according to the user needs based on the source Mac or the purpose of the MAC effective data isolation, the other is the IP mode, you can through the source IP, destination IP, protocol, source application port and destination application port filtering data packets; The established rule must be attached to the appropriate receive or transfer port, and when the switch is receiving or forwarding data, the packet is filtered according to the filtering rules to decide whether to forward or discard. In addition, the switch makes logical operation of the filtering rules through hardware "logic and non-gate", realizes the filtering rules, and does not affect the data forwarding rate at all.

Security Tip Two: 802.1X access control based on ports

In order to prevent illegal users from accessing the LAN and ensuring the security of the network, the port-based access Control protocol 802.1X is widely used in both wired LAN and WLAN. For example, the new generation of switches, such as ASUS ' newest gigax2024/2048, supports not only 802.1X local, RADIUS authentication, but also 802.1X dynamic VLAN access, which is based on VLAN and 802.1X, Users who hold a user account, regardless of where they are connected to the network, will exceed the original 802.1Q based on the Port VLAN restrictions, always connected with this account designated VLAN group, this function not only for the network of mobile users of the application of resources to provide a flexible and convenient, but also to ensure the security of network resources application In addition, the gigax2024/2048 switch also supports the 802.1X guest VLAN function, in the 802.1X application, if the port specifies the Guest VLAN entry, the access user under this port if authentication fails or no user account, will become guest The members of the VLAN group can enjoy the corresponding network resources in this group, which can also open a minimum of resources for some groups of network applications and provide a maximum peripheral access security for the entire network.

Security Secret Three: Flow control (traffic controls)

The traffic control of the switch can prevent the abnormal load of the switch bandwidth caused by broadcast packets, multicast packets and unicast packets with incorrect destination address, and it can improve the overall efficiency of the system and keep the network safe and stable operation.

Security Secret Four: SNMP v3 and SSH Security Network management

SNMP V3 proposes a new architecture, which brings together all versions of SNMP standards and strengthens the security of network management. The security model recommended by SNMP V3 is a user-based security model, the USM. USM for network management message encryption and authentication is based on the user, specifically what protocol and key encryption and authentication by the user name (Usernmae) authoritative engine identifier (Engineid) to determine (recommended encryption protocol Cbcdes, authentication protocol hmac-md5-96 and hmac-sha-96), providing data integrity, data source authentication, data confidentiality, and message time limits through authentication, encryption, and time limits, thereby effectively preventing unauthorized users from modifying, disguising, and eavesdropping on management information.

As for remote network management via Telnet, the Telnet service has a fatal weakness-it transmits usernames and passwords in clear text, so it is easy for someone with ulterior motives to steal passwords and be attacked, but when communicating with SSH, the username and password are encrypted. It effectively prevents the eavesdropping on the password, and facilitates the remote security Network management of the administrators.

The Secret of security five: Syslog and watchdog

The Syslog logging function of the switch can transmit the expected information of the system error, System configuration, state change, status periodic report, System exit and so on to the log server, which is based on the information of the manager to master the operation condition of the equipment, detect the problem early, and configure and set up the obstacle in time Ensure the safe and stable operation of the network.

Watchdog by setting a timer, if the timer does not reboot within the interval set, an internal CPU reboot instruction is generated to enable the device to reboot, which will enable the switch to automatically reboot in case of emergency or unexpected circumstances, and ensure the operation of the network.

Security Tip Six: dual-image files

Some of the newest switches, like a S U sgigax2024/2048, also have dual-image files. This feature protects the device in exceptional circumstances (firmware upgrade failure, etc.) to still start running normally. The file system is Majoy and mirror two parts to save, if a file system damage or interrupt, another file system will rewrite it, if two file systems are damaged, the device will clear two file systems and rewrite the factory defaults to ensure the system is safe to start running.

In fact, the recent emergence of some of the switch products in the security design of most of the kung fu-layers of fortification, filtering, to do everything possible to the maximum extent of unsafe factors excluded. The vast number of enterprise users can take full advantage of these network security settings, a reasonable combination of matching, you can maximize the protection of the network on the increasing proliferation of various attacks and violations, I hope your corporate network from this can also be more stable security.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.