Securing enterprise multi-layer network switches starts with the details

Source: Internet
Author: User
Tags: strong password

I have been invited to evaluate the network security of several enterprises and noticed a strange phenomenon. Many network administrators prefer high-end devices and technologies when designing security, but ignore the details and the basics. For example, an enterprise-grade firewall is deployed, yet the security of the switches is not taken seriously. Through this platform, I want to suggest that enterprise network security should begin with the details.

1. Restrict user access with access control lists

Using access control lists (ACLs) to restrict management and remote access effectively prevents unauthorized access to management interfaces and denial-of-service (DoS) attacks against them. This configuration is very basic. For example, you can apply an ACL on the enterprise's edge router (the router connected to the Internet) that rejects ping requests arriving on the Internet-facing interface.

In addition, if an enterprise uses virtual LANs, access control lists can be combined with them to further improve VLAN security. For example, you can specify that only the network administrator may reach a particular VLAN. Another example is restricting users' access during work hours to entertainment websites, online stock trading, online games and other activities that may endanger enterprise network security. The author believes the access control list is a good security tool. Unfortunately, many network administrators consider it too simple and overlook it, yet the simplest measures are often the most practical. I therefore suggest you study access control lists carefully. Before buying a security device, consider whether an access control list can meet the requirement; not buying third-party security products you do not need also keeps the network less complex.
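The three ACL uses described above, written out for Cisco IOS as an added example (not configuration from the original article); the subnets, VLAN number and interface names are assumed placeholders:

```cisco
! Added example (not from the original article). Subnets, interface and
! VLAN names are assumed placeholders; adapt them to your own addressing.

! (a) Management access: only the admin subnet may open sessions to the
!     switch, and only over SSH
ip access-list standard MGMT-HOSTS
 permit 10.1.99.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! (b) Edge router: drop ICMP echo (ping) arriving on the Internet interface.
!     Only the ping rule from the article is shown; a real edge ACL carries
!     the rest of the perimeter policy where "permit ip any any" is now.
ip access-list extended FROM-INTERNET
 deny   icmp any any echo
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
!
! (c) VLAN restriction on a multi-layer switch: only admin hosts may reach
!     the management VLAN (VLAN 100, 10.1.100.0/24); traffic to other
!     destinations routed through the switch is unaffected
ip access-list extended TO-MGMT-VLAN
 permit ip 10.1.99.0 0.0.0.255 10.1.100.0 0.0.0.255
 deny   ip any 10.1.100.0 0.0.0.255 log
 permit ip any any
!
interface Vlan100
 description management VLAN SVI
 ip access-group TO-MGMT-VLAN out
!
! Verify the hit counters after a test connection from a non-admin host:
! show access-lists
```

The `log` keyword on the deny entries makes blocked attempts visible in the switch log, which is the cheapest detection you get from an ACL.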

2. Configure a system warning banner

When we go to a supermarket or bookstore, we often see a sign such as "Surveillance cameras are installed in this store; please mind your conduct." A sign like this gives a would-be thief a psychological warning. In the security plan for an enterprise network switch, you can likewise design a warning banner that tells attackers they should leave.

The author believes that, for both security and management purposes, configuring a system warning banner on the line through which users log in is a convenient and effective way to enforce security and general policies. That is, a warning message is shown to the user before the user connects to the switch and enters a user name and password. It can state the purpose of the device, or it can warn users against unauthorized access. Like the "cameras installed" notices in supermarkets, it serves as a warning to anyone attempting illegal access. Before a user formally logs on to the switch, the network administrator can explicitly state the switch's ownership, its intended use, the security measures in place (which can be exaggerated as appropriate), the access permissions, and the protection policies (which can also be exaggerated), for example that the legality of the user's IP address will be verified. All of this serves as a warning.

3. Configure a secure password for the switch

Currently, switches on the market usually protect passwords with MD5 hashing. Taking a Cisco multi-layer switch as an example, you use the enable secret command to set the password for the system's privileged mode. However, although the password is stored in protected form, the mechanism is not very complex, and user-defined passwords can generally be recovered with a dictionary attack. Does this mean there is no point in setting a password on the switch? That is a misunderstanding.

When setting the switch password, we can increase the password's complexity to make cracking harder. It is like a bank card PIN: in theory it too could be found by a dictionary attack, but making it more complex (for example, not using repeated digits, a birthday, or a phone number) and applying a password policy (for example, locking the card after three consecutive wrong attempts) improves its security.

The same is true for switches. Although they use only the MD5 mechanism and it can be attacked with a dictionary, we can still raise password complexity to keep dictionary attacks from succeeding. You probably already know this; it is basic content in any school network security course. In actual work, however, many people neglect it. I recommend mixing special characters such as punctuation marks, uppercase and lowercase letters, and digits in the switch password to form a strong password.
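An added example (not from the original article) covering both the warning banner from section 2 and the password hardening from section 3 on Cisco IOS; the banner text, user names, passphrases and the admin subnet are assumed placeholders:

```cisco
! Added example (not from the original article). Banner text, usernames,
! passphrases and the admin subnet are assumed placeholders.

! Shown on console and vty sessions before the username/password prompt
banner login ^
*** AUTHORISED ACCESS ONLY ***
This device is the property of EXAMPLE-CORP. Use is logged and monitored,
and the source IP address of every session is verified. Disconnect now
if you are not an authorised administrator.
^
!
! Privileged-mode password stored as a hash. "enable secret" on its own
! gives the MD5 (type 5) hash the article mentions; platforms that support
! algorithm-type can use scrypt instead
enable algorithm-type scrypt secret Sw!tch-Pr1v#7Qz
!
! Local admin account: "secret" (hashed), never "password" (reversible type 7)
username netadmin privilege 15 algorithm-type scrypt secret N3t@dm1n-L0ng$Phrase
!
! Password policy: minimum length, plus the "lock after three wrong attempts"
! idea from the article: block logins for 120 s after 3 failures within 60 s,
! except from the admin subnet so operators are not locked out themselves
ip access-list standard MGMT-HOSTS
 permit 10.1.99.0 0.0.0.255
!
security passwords min-length 12
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
!
line con 0
 login local
!
line vty 0 15
 login local
 transport input ssh
!
! Verify the lockout settings and confirm no plaintext "password" lines remain
! show login
! show running-config | include password|secret
```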

4. Use CDP as little as possible

CDP (Cisco Discovery Protocol) is an important protocol on Cisco network devices: it distributes detailed information about the devices. In a multi-layer switched network, for example, secondary VLANs and other special-purpose solutions depend on CDP, which is why the protocol is enabled by default. Security staff should be aware, however, that this protocol carries a considerable security risk, so we need to strike a balance between security and practicality. In general there is no need to enable the protocol on every switch and other network device, and it should be used as little as possible on edge ports.

For example, CDP is usually used only by administrators, so security staff can disable CDP on each interface of the switch and run it only where it is needed for management. In general, CDP has to remain enabled on the switch interfaces that connect IP phones.

Another approach is to run CDP only between specified devices within the controlled scope. CDP is a link-level protocol, so it does not normally propagate end to end across a WAN unless a layer-2 tunnelling mechanism is used. This means that on a WAN connection, the CDP table may contain information about the next-hop router or switch belonging to the service provider rather than the remote router under the enterprise's control. In short, do not run CDP on untrusted connections (Internet connections are generally considered untrusted).

In short, CDP is indeed useful in some respects, but from a security perspective it must not be used indiscriminately. Enable CDP only on the interfaces that need it.
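The CDP policy described in this section as an added Cisco IOS example (not from the original article); the interface roles and numbers are assumed:

```cisco
! Added example (not from the original article). Interface numbers and
! roles are assumed; adjust them to the real port layout.

! CDP stays enabled globally so that IP phones and management tooling
! can still use it on the ports selected below
cdp run
!
! WAN / Internet-facing uplink: never advertise device details to the
! provider side of the link
interface GigabitEthernet1/0/48
 description WAN uplink to provider
 no cdp enable
!
! Ordinary user access ports: users have no need to learn switch details
interface range GigabitEthernet1/0/1 - 40
 description user access
 no cdp enable
!
! Ports with IP phones: CDP carries the voice VLAN assignment, so keep it
interface range GigabitEthernet1/0/41 - 46
 description IP phone access
 switchport voice vlan 200
 cdp enable
!
! Alternative for a switch with no phones and no CDP-dependent features:
! turn it off everywhere with a single global command
! no cdp run
!
! Verify: only the phone ports should list CDP as enabled, and only the
! expected neighbours should appear
! show cdp interface
! show cdp neighbors detail
```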

5. Note that SNMP is a double-edged sword

Like CDP, SNMP has always been controversial. I believe SNMP is a double-edged sword. From a management perspective, many network administrators cannot do without it; from a security perspective, it does carry considerable risk. This is mainly because SNMP is usually transmitted in plain text on the network. Even SNMPv2c, which adds authentication, uses an authentication credential made up of simple text characters that are themselves transmitted in plain text, which poses a hidden danger to enterprise network security.

Security management staff should therefore take appropriate measures to secure SNMP. The method the author uses most often is to upgrade to SNMPv3, in which all transmitted data can be encrypted to protect the communication traffic.

Secondly, you can combine SNMP with the access control lists mentioned above. For example, configure the access control list so that the switch accepts SNMP traffic only from trusted subnets or workstations (that is, define the permitted subnets or workstation addresses in the access control list and apply it to SNMP on the switch). In general, SNMP is reasonably secure once these two points are in place.
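The two SNMP measures above (SNMPv3 with authentication and encryption, plus an ACL limiting which station may query the switch) as an added Cisco IOS example, not from the original article; the management station address, group and user names, and passphrases are assumed:

```cisco
! Added example (not from the original article). The NMS address, view,
! group, user and passphrases are assumed placeholders.

! Remove legacy plaintext community strings if any are still configured
no snmp-server community public
no snmp-server community private
!
! Only the management station may send SNMP queries to the switch
ip access-list standard SNMP-NMS
 permit host 10.1.99.10
 deny   any log
!
! Read-only view limited to the MIB-2 subtree (1.3.6.1.2.1)
snmp-server view RO-VIEW 1.3.6.1.2.1 included
!
! v3 group: "priv" requires both authentication and encryption, read-only
! through RO-VIEW, and only from sources permitted by SNMP-NMS
snmp-server group NETMGMT v3 priv read RO-VIEW access SNMP-NMS
!
! v3 user: SHA for authentication, AES-128 for privacy (encryption)
snmp-server user nmsuser NETMGMT v3 auth sha Auth-Phrase-7Qz! priv aes 128 Priv-Phrase-3Kx!
!
! Send traps to the same station over v3 with encryption
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.1.99.10 version 3 priv nmsuser
!
! Verify
! show snmp group
! show snmp user
! show access-lists SNMP-NMS
```

Note that IOS does not display `snmp-server user ... v3` lines in `show running-config`; `show snmp user` is the place to confirm the user exists with the expected auth and priv protocols.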

In addition, limiting link aggregation connections, disabling unnecessary services, and avoiding the HTTP management interface are all details of enterprise network security management. In my experience, most enterprises can meet their security requirements by attending to these details, without purchasing additional security equipment. Of course, financial institutions such as banks have extremely high security requirements, so they need to purchase professional security equipment on top of these details.

Contact Us

The content of this page is sourced from the Internet and does not represent Alibaba Cloud's opinion; products and services mentioned on the page have no relationship with Alibaba Cloud. If the content of the page is confusing, please write us an email and we will handle the problem within 5 days of receiving it.
