Six switch security settings that are easy to apply

A switch filters traffic in one of two modes, MAC mode and IP mode, each with its own features and uses. How do you filter user traffic so that data is forwarded securely and efficiently? How do you block unauthorized users and protect the applications on the network? How do you manage the network securely, so that unauthorized users and behaviour are discovered promptly and the remote management channel itself is protected? Below are six switch security settings that are common on current products, in the hope that they help you.

Layer 2 to layer 4 filtering

Most current switches meet a wide range of filtering requirements by means of rules. Filtering rules work in two modes. In MAC mode, traffic is isolated by source MAC address, destination MAC address or both, as required. In IP mode, packets are filtered by source IP address, destination IP address, protocol, source port and destination port. A rule is bound to the port and direction (receive or transmit) it applies to; when the port receives or forwards a frame, the frame is checked against the rules to decide whether it is forwarded or discarded. The match is evaluated by the switch's forwarding hardware rather than by its CPU, so filtering does not reduce the forwarding rate. Keep in mind that a MAC address is set by the sender and is trivially changed, so MAC-mode rules are good for isolating unmanaged or misconfigured devices but do not by themselves stop a deliberate attacker; for that, combine them with 802.1X (below).
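
The following is an added example, not code from the original article or from any switch vendor: a small model of the port filter just described. Rules are written in either MAC mode or IP mode, bound to a port's receive (ingress) or transmit (egress) side, evaluated in order with first match winning, and a per-port default applies when nothing matches. The rule fields, port numbers, MAC and IP addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    """The fields a layer 2-4 filter looks at (a constructed record, not a real frame parser)."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None      # None for non-IP frames such as ARP
    dst_ip: Optional[str] = None
    proto: Optional[str] = None       # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Rule:
    """One filter rule. Unset fields are wildcards; set fields are ANDed together."""
    action: str                       # "permit" or "deny"
    mode: str                         # "mac" or "ip"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None      # CIDR prefix, e.g. "10.0.99.0/24"
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.mode == "mac":
            checks = [
                (self.src_mac, lambda: pkt.src_mac.lower() == self.src_mac.lower()),
                (self.dst_mac, lambda: pkt.dst_mac.lower() == self.dst_mac.lower()),
            ]
        elif self.mode == "ip":
            if pkt.src_ip is None or pkt.dst_ip is None:
                return False          # a non-IP frame can never match an IP-mode rule
            checks = [
                (self.src_ip, lambda: ip_address(pkt.src_ip) in ip_network(self.src_ip)),
                (self.dst_ip, lambda: ip_address(pkt.dst_ip) in ip_network(self.dst_ip)),
                (self.proto, lambda: pkt.proto == self.proto),
                (self.src_port, lambda: pkt.src_port == self.src_port),
                (self.dst_port, lambda: pkt.dst_port == self.dst_port),
            ]
        else:
            raise ValueError(f"unknown rule mode {self.mode!r}")
        # A rule with no fields set matches everything: that is how a catch-all is written.
        return all(check() for value, check in checks if value is not None)


@dataclass
class PortFilter:
    """Rules bound to one switch port: one list for ingress (receive), one for egress (transmit)."""
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)
    default_action: str = "permit"    # applied when no rule matches

    def decide(self, direction: str, pkt: Packet) -> str:
        rules = self.ingress if direction == "ingress" else self.egress
        for rule in rules:            # first match wins
            if rule.matches(pkt):
                return rule.action
        return self.default_action


# Constructed policy. Port 5 is an access port pinned to one device (MAC mode on ingress).
# Port 24 is the uplink towards the management subnet: on egress only SSH may go there (IP mode).
PORTS: Dict[int, PortFilter] = {
    5: PortFilter(ingress=[
        Rule("permit", "mac", src_mac="00:11:22:33:44:55"),
        Rule("deny", "mac"),                                        # catch-all deny
    ]),
    24: PortFilter(egress=[
        Rule("permit", "ip", dst_ip="10.0.99.0/24", proto="tcp", dst_port=22),
        Rule("deny", "ip", dst_ip="10.0.99.0/24"),
    ]),
}


def decide(port: int, direction: str, pkt: Packet) -> str:
    return PORTS[port].decide(direction, pkt)


if __name__ == "__main__":
    rogue = Packet("de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff")
    telnet_to_mgmt = Packet("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee",
                            "10.0.5.7", "10.0.99.10", "tcp", 51000, 23)
    print(decide(5, "ingress", rogue), decide(24, "egress", telnet_to_mgmt))
```

The two catch-all forms are worth noting: a MAC-mode `deny` with no fields drops every frame from an unlisted source, while the IP-mode `deny` on the uplink only covers the management prefix, so ordinary traffic still falls through to the port default.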

Port-based access control with 802.1X

To keep unauthorized users off the LAN, the port-based access control protocol 802.1X is widely used on both wired LANs and WLANs. For example, ASUS's GigaX2024/2048 and other switches of the same generation support 802.1X with both local and RADIUS authentication, and also 802.1X dynamic VLAN assignment: building on VLANs and 802.1X, a user with an account is placed into the VLAN assigned to that account no matter which port of the network they plug into. This gives mobile users flexible access to their resources while keeping access to those resources controlled. The GigaX2024/2048 also supports an 802.1X Guest VLAN: if a Guest VLAN is configured on a port, a client on that port that fails authentication or has no account at all becomes a member of the Guest VLAN and can use only the resources available in it. This gives groups that need only minimal network access a way in, while keeping that access at the outermost edge of the network.
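
The following is an added example and not the switch's own code: it shows how an 802.1X authenticator derives a port's VLAN from the outcome of authentication, covering both the dynamic-VLAN and Guest-VLAN behaviour described above. The RADIUS attribute encoding follows RFC 2868 and RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID carrying the VLAN, each optionally prefixed with a tag octet in the range 0x00 to 0x1f); the port configuration structure, the result strings and the sample Access-Accept attributes are this example's own constructions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(raw: bytes) -> Tuple[int, int]:
    """Tunnel-Type / Tunnel-Medium-Type: 4 octets, the first is the tag (0x00-0x1f), the rest the value."""
    if len(raw) != 4:
        raise ValueError("tunnel integer attribute must be exactly 4 octets")
    return raw[0], int.from_bytes(raw[1:], "big")


def _tagged_str(raw: bytes) -> Tuple[int, str]:
    """Tunnel-Private-Group-ID: an optional leading tag octet (0x00-0x1f), then the VLAN id or name."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("ascii")
    return 0, raw.decode("ascii")


def vlan_from_radius(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the VLAN id carried in an Access-Accept, or None if no complete, valid VLAN triple is present.

    RFC 2868 groups tunnel attributes by tag, so a Tunnel-Type with tag 1 says nothing about
    a Tunnel-Private-Group-ID with tag 2; only a group whose three attributes agree counts.
    """
    groups: Dict[int, Dict[int, object]] = {}
    for code, raw in attrs:
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = _tagged_int(raw)
            groups.setdefault(tag, {})[code] = value
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            tag, value = _tagged_str(raw)
            groups.setdefault(tag, {})[code] = value
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            gid = str(g[TUNNEL_PRIVATE_GROUP_ID])
            if gid.isdigit() and 1 <= int(gid) <= 4094:   # a VLAN *name* would need a local name->id table
                return int(gid)
    return None


@dataclass
class PortConfig:
    """Hypothetical per-port 802.1X settings (this example's own structure, not a vendor CLI)."""
    default_vlan: int                 # used when Access-Accept carries no usable VLAN
    guest_vlan: Optional[int] = None  # None: unauthenticated clients get no access at all


def assign_port_vlan(port: PortConfig, result: str,
                     attrs: Optional[List[Tuple[int, bytes]]] = None) -> Tuple[str, Optional[int]]:
    """Decide a port's state and VLAN from the authentication outcome.

    result is 'accept' (RADIUS Access-Accept), 'reject' (Access-Reject) or
    'no-supplicant' (the client never answered EAPOL, i.e. it has no 802.1X account or software).
    """
    if result == "accept":
        vlan = vlan_from_radius(attrs or [])
        return "authorized", vlan if vlan is not None else port.default_vlan
    if port.guest_vlan is not None:
        return "guest", port.guest_vlan      # limited, outermost access only
    return "unauthorized", None              # port stays blocked


# Constructed Access-Accept attributes, tag 1, VLAN 30 (not a captured RADIUS packet).
ACCEPT_VLAN_30 = [
    (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"30"),
]

if __name__ == "__main__":
    port = PortConfig(default_vlan=10, guest_vlan=900)
    print(assign_port_vlan(port, "accept", ACCEPT_VLAN_30))   # ('authorized', 30)
    print(assign_port_vlan(port, "reject"))                    # ('guest', 900)
```

The tag-group check matters in practice: a RADIUS server can return several tunnel groups in one Access-Accept, and an authenticator that simply takes the first Tunnel-Private-Group-ID it sees may put the port in a VLAN the server never meant for it.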

Traffic control

Traffic control (storm control) on a switch limits the rate of broadcast frames, multicast frames and unknown-unicast frames (unicast frames whose destination MAC is not in the forwarding table, which the switch must flood to every port just like a broadcast). A flood of any of these, whether from a loop, a faulty adapter or a deliberate attack, can saturate the whole segment; capping each class at a configured rate keeps the excess from consuming the bandwidth and CPU that normal traffic needs, improves overall efficiency and keeps the network running securely and stably.
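
As an added example (not the original article's or any vendor's implementation), the following models storm control as a per-class token bucket: frames are classified as broadcast, multicast (I/G bit of the destination MAC set) or unknown unicast (destination not in the forwarding table), each class gets a packets-per-second budget, and frames over budget are dropped and counted. Known unicast is never limited. The thresholds, the forwarding-table contents and the replayed traffic are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class TokenBucket:
    """Classic token bucket: `rate_pps` tokens refill per second, up to `burst`; one token per frame."""
    rate_pps: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # start full so a normal short burst is not penalised

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify(dst_mac: str, known_macs: Set[str]) -> Optional[str]:
    """Storm-control class of a frame, or None for known unicast (never rate-limited)."""
    mac = dst_mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:      # I/G bit set: group (multicast) address
        return "multicast"
    if mac not in known_macs:
        return "unknown-unicast"               # would be flooded to every port, like a broadcast
    return None


class StormControl:
    def __init__(self, limits_pps: Dict[str, float], burst: int, known_macs: Set[str]) -> None:
        self.buckets = {cls: TokenBucket(rate, burst) for cls, rate in limits_pps.items()}
        self.known = {m.lower() for m in known_macs}
        self.dropped = {cls: 0 for cls in limits_pps}
        self.forwarded = 0

    def ingress(self, dst_mac: str, now: float) -> bool:
        """Return True if the frame is forwarded, False if storm control dropped it."""
        cls = classify(dst_mac, self.known)
        if cls is None or cls not in self.buckets or self.buckets[cls].allow(now):
            self.forwarded += 1
            return True
        self.dropped[cls] += 1
        return False


def simulate(frames: int, duration_s: float, dst_mac: str, limit_pps: float, burst: int) -> Dict[str, int]:
    """Replay `frames` frames to `dst_mac`, evenly spread over `duration_s` seconds (constructed traffic)."""
    sc = StormControl({"broadcast": limit_pps, "multicast": limit_pps, "unknown-unicast": limit_pps},
                      burst, known_macs={"00:11:22:33:44:55"})
    step = duration_s / frames
    for i in range(frames):
        sc.ingress(dst_mac, i * step)
    return {"forwarded": sc.forwarded, "dropped": sum(sc.dropped.values())}


if __name__ == "__main__":
    # 10,000 broadcasts in one second against a 100 pps limit: roughly 200 get through
    # (the initial burst allowance plus one second of refill), the rest are dropped.
    print(simulate(10_000, 1.0, "ff:ff:ff:ff:ff:ff", limit_pps=100, burst=100))
```

On real hardware the threshold is usually expressed as a percentage of port bandwidth or in pps per class, and some switches can shut the port down or raise a trap when the limit is hit instead of silently dropping; whichever form the device offers, the class split shown here is what makes the setting safe to enable without touching normal unicast traffic.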

SNMP v3 and SSH

SNMPv3 introduces a new architecture that brings the different SNMP versions under one framework and adds security to network management. The security model recommended for SNMPv3 is the User-based Security Model (USM). USM authenticates and encrypts management messages per user: which protocols and keys are used is determined by the user name (userName) together with the identifier of the authoritative engine (snmpEngineID), so the same password yields a different key on every agent. The protocols recommended in the original specification are CBC-DES for encryption and HMAC-MD5-96 or HMAC-SHA-96 for authentication. Through authentication, encryption and a timeliness check (the engine's boot counter and engine time), USM provides data integrity, data origin authentication, data confidentiality and replay protection, which stops unauthorized parties from modifying, forging or eavesdropping on management traffic. DES and MD5 are obsolete by today's standards; where the switch supports it, choose AES (RFC 3826) for privacy and SHA-based authentication, and do not fall back to SNMPv1/v2c, whose community strings travel in clear text.
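
The following is an added example in plain Python, not code from the article or from any SNMP implementation. It carries out the two USM steps named above: deriving the user's key from a password and localizing it to one authoritative snmpEngineID (RFC 3414 appendix A.2), and then computing and checking the 96-bit HMAC-MD5-96 / HMAC-SHA-96 tag over a message whose msgAuthenticationParameters field has been zeroed. The engine IDs and the message bytes are constructed; the BER framing of a real SNMPv3 PDU is left out so that only the authentication rule is shown.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576
AUTH_PARAMS_LEN = 12          # both HMAC-MD5-96 and HMAC-SHA-96 send 96 bits = 12 octets


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated, then truncated, to exactly 1,048,576 octets)."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives a different key on every engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def user_auth_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_tag(kul: bytes, zeroed_msg: bytes, algo: str) -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters set to 12 zero octets, truncated to 96 bits."""
    return hmac.new(kul, zeroed_msg, algo).digest()[:AUTH_PARAMS_LEN]


def sign_message(kul: bytes, header: bytes, payload: bytes, algo: str) -> bytes:
    """Sender side: header || 12 zero octets || payload is authenticated, then the tag replaces the zeros."""
    zeroed = header + bytes(AUTH_PARAMS_LEN) + payload
    return header + auth_tag(kul, zeroed, algo) + payload


def check_message(kul: bytes, msg: bytes, header_len: int, algo: str) -> bool:
    """Receiver side: take the tag out, zero the field again, recompute and compare in constant time."""
    start, end = header_len, header_len + AUTH_PARAMS_LEN
    received = msg[start:end]
    zeroed = msg[:start] + bytes(AUTH_PARAMS_LEN) + msg[end:]
    return hmac.compare_digest(auth_tag(kul, zeroed, algo), received)


# Constructed engine IDs and message for the demonstration (not a real SNMPv3 encoding).
AGENT_A = bytes.fromhex("80001f888059dc486145a26322")
AGENT_B = bytes.fromhex("80001f888059dc486145a26323")
HEADER = b"SNMPv3-hdr:engine=A,user=ops,flags=authNoPriv:"
PAYLOAD = b"GetRequest sysName.0"

if __name__ == "__main__":
    kul = user_auth_key(b"maplesyrup", AGENT_A, "sha1")
    msg = sign_message(kul, HEADER, PAYLOAD, "sha1")
    print(check_message(kul, msg, len(HEADER), "sha1"))                                    # True
    print(check_message(user_auth_key(b"maplesyrup", AGENT_B, "sha1"), msg, len(HEADER), "sha1"))  # False
```

The password "maplesyrup" with the 12-octet engine ID 00…02 is the test vector from RFC 3414 appendix A.3, so `user_auth_key` can be checked against the published localized keys. The second print shows why localization matters: a key captured from (or shared with) agent B is useless against agent A, even though both were derived from the same password.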

For remote management over Telnet, the Telnet service has a fatal weakness: it carries the user name and password, and everything else in the session, in clear text, so anyone who can see the traffic can capture the credentials. With SSH the whole session, credentials included, is encrypted, which defeats password eavesdropping and makes remote management by administrators safe. Once SSH is enabled, disable the Telnet service so that it cannot be used as a fallback.

Syslog and Watchdog

The syslog function of the switch sends administrator-selected information, such as system errors, configuration changes, status changes, periodic status reports and system shutdowns, to a log server. From these messages administrators can follow the device's operating state, spot problems early, and correct configuration and faults in time, keeping the network safe and stable. Note that plain syslog travels over UDP without authentication or acknowledgement, so the log server should accept messages only from the switches' management addresses and, where the network allows, over the management VLAN.
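
The following is an added example, not part of the original article: a parser for the kind of syslog lines a switch sends to a log server, with a simple triage filter that picks out the events an administrator would want to see first. The line layout follows RFC 3164 (`<PRI>` followed by timestamp, host and message, with PRI = facility * 8 + severity). The sample lines, the message formats in them and the keyword list are constructed for this example and do not come from any particular switch.

```python
import re
from typing import Dict, List, Optional

# RFC 3164 numeric codes
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
            "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss HOST MSG
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one RFC 3164 line into its fields; return None for anything that is not syslog."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": FACILITY[pri // 8],
        "severity": SEVERITY[pri % 8],
        "severity_num": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "msg": m.group(4),
    }


# Constructed keyword list: phrases that matter even when the switch logs them at info/notice.
SECURITY_KEYWORDS = ("authentication failed", "802.1x", "configuration changed", "link down", "login")


def needs_attention(event: Dict[str, object], max_severity: int = 4) -> bool:
    """Flag anything at warning (4) or worse, or any message mentioning a security keyword."""
    if int(event["severity_num"]) <= max_severity:
        return True
    msg = str(event["msg"]).lower()
    return any(k in msg for k in SECURITY_KEYWORDS)


# Constructed sample feed, in the order a log server might receive it.
SAMPLE_LINES = [
    "<134>Mar 12 09:15:02 sw-core-1 %SYS: periodic status report: CPU 12%, temp 41C",
    "<132>Mar 12 09:15:44 sw-core-1 %PORT: link down on port 17",
    "<38>Mar 12 09:16:10 sw-core-1 %AUTH: 802.1X authentication failed for 00:11:22:33:44:55 on port 9, moved to guest VLAN",
    "<133>Mar 12 09:17:01 sw-core-1 %CONF: configuration changed by admin via ssh from 10.0.99.10",
    "this line is not syslog at all",
]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line, drop the unparsable ones, keep the events worth a look."""
    return [e for e in map(parse_syslog, lines) if e is not None and needs_attention(e)]


if __name__ == "__main__":
    for event in triage(SAMPLE_LINES):
        print(f'{event["timestamp"]} {event["host"]} {event["facility"]}.{event["severity"]}: {event["msg"]}')
```

Of the five constructed lines, the periodic status report (local0.info) is the only parsable one that is not flagged; the link-down event is caught by its severity, while the 802.1X failure and the configuration change are caught by keyword even though the switch logged them at info and notice.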

A watchdog is a hardware timer that the switch's software must reset at regular intervals. If the timer is not reset within the configured interval, which means the software has hung, the watchdog issues an internal CPU reset and the device reboots. This lets the switch recover automatically from a crash or other unexpected fault and keeps the network running.

Dual firmware images

Some current switches, such as the ASUS GigaX2024/2048, also keep dual firmware images. This protects the device when a firmware update fails or is interrupted. The file system is stored in two copies, a major copy and a mirror. If one copy is damaged or an update to it is interrupted, the other copy is used to overwrite it. If both copies are damaged, the device clears them and rewrites the factory-default switch settings, so that the system can still start in a known-good state.

In practice, current switch products have put considerable effort into layered security design and filtering, trying to remove as many sources of insecurity as possible. Enterprises that make full use of these switch security settings, and combine them sensibly, can prevent a large share of the attacks and policy violations on their networks. We hope this helps make your enterprise network more secure and stable.
