TIPS: improve the security of switch ports

Source: Internet
Author: User

Enterprise network security has many aspects. For a switch, the first priority is the security of its ports. In many enterprises, employees use a hub or similar device to turn one network jack into several, or plug their own laptops into the corporate network. Situations like these harm the enterprise's network security. In this article I discuss the common security threats to switch ports and the countermeasures against them.

I. Common Security Threats

In enterprises, many everyday behaviours threaten switch ports. The most common are summarized below.

First, unauthorized hosts are connected to the enterprise network at will. An employee who brings a computer from home can, without the administrator's consent, unplug the network cable from a company host, plug it into the computer he or she brought, and connect to the enterprise network. This is a serious security risk: a computer brought from outside may be infected with viruses, which then spread across the enterprise's internal network, or it may be used to copy internal enterprise data without authorization.

Second, hubs and similar devices are used without approval. To get more network terminals, some employees plug hubs or small switches into the office network jacks without authorization. The traffic on the switch port behind that jack then increases, and network performance drops. In the daily management of an enterprise network this is also a dangerous behaviour.

In my daily work I have found that many network administrators pay little attention to switch port security; it is a blind spot in their security management. They wrongly assume that because the switch is locked in the data center, nothing serious can happen. In other words, their network security effort goes into the firewall and other software, while the security of hardware such as switch ports is ignored. This is a fatal mistake.

II. Main Countermeasures

The analysis above shows that switch ports are a weak point in the security environment. So how can we strengthen port security? How do we prevent unauthorized hosts from connecting to a switch port? How do we prevent unauthorized users from plugging hubs, switches and other devices into the office network jacks? I have the following suggestions.

First, address the problem at the level of awareness. In my view, network administrators must first take port security seriously and drop the mistaken attitude of caring about software while neglecting hardware. In practice this means drawing up a sound security plan: for example, a security policy for each switch port that states whether the port restricts the MAC address and the number of hosts allowed to connect, and then configuring that policy strictly. With that, the first step of switch port security is done. By the way a switch works, it keeps a forwarding (filtering) database in which MAC addresses and related information are stored; the port security policy of a switch uses it to ensure that only authorized users can access a specific port. So as long as the network administrator has this knowledge, he or she is fully capable of securing the switch's ports.

Second, improve port security from the technical side. A common method is to allow a specific switch port to connect only to a specific host. For example, a user brings a laptop from home and plugs the company's network cable into it, but finds that the laptop cannot reach the company network. The reason is that the two computers have different MAC addresses, and the switch port carries a condition that only a specific MAC address may connect to the network through it. If the host is replaced and the new host must be allowed on this port, the MAC address setting on the switch has to be changed. The advantage of this method is control: only the authorized host can connect to a given switch port, and unauthorized users cannot. The drawback is the configuration workload. At the start, every port of every switch must be configured, and whenever a host or a network card is replaced later (damaged network cards are common), the port must be reconfigured, which adds to the ongoing workload. To bind the MAC address, use the switchport port-security mac-address command; it assigns a single MAC address to a switch port. As noted, the workload of applying this restriction everywhere is relatively large.

Third, restrict the number of devices that can connect. For the sake of client performance, we often need to limit the maximum number of hosts a switch port accepts. If we set this parameter to 1, only one host may connect to the port, which prevents users from multiplying ports with a hub or switch. This policy differs from the MAC address policy above: under the MAC address policy only one host may connect and its MAC address must match; under the count limit no MAC address matching is required, so after a host is replaced the new host can still connect to the port. The restriction is clearly looser than the previous one, but the workload is also much smaller. To implement it, use the switchport port-security maximum command; set to 1, it allows only one host on the port and so indirectly blocks switches, hubs and similar devices. Note, however, that when a user violates the limit the switch port is shut down, and from then on no host can connect to it. In practice this can hurt innocent users, so pay special attention to it.
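The following Cisco IOS configuration is an added example, not part of the original article, showing the two restrictions just described on one access port: a single bound MAC address (method two) and a maximum of one address (method three), together with the shutdown behaviour the paragraph warns about and the commands an administrator uses to see and recover from it. The interface name, VLAN number and MAC address are constructed placeholders.

```cisco
! Added example (not from the original article): Cisco IOS port security on one
! access port. Interface, VLAN and MAC address are constructed placeholders.
interface GigabitEthernet0/5
 description Office jack 3F-12, one authorized PC (constructed example)
 ! Port security only works on a static access port, never on a dynamic/trunk port
 switchport mode access
 switchport access vlan 10
 ! Enable port security, then allow exactly one address on the port
 switchport port-security
 switchport port-security maximum 1
 ! Method two from the text: bind the port to one specific host MAC address.
 ! Omit this line and you get method three: any single host, but only one.
 switchport port-security mac-address 0011.2233.4455
 ! Default action: on a violation the port goes err-disabled (the "innocent
 ! harm" case in the text). "restrict" instead keeps the port up, drops the
 ! offending frames and raises a syslog message / SNMP trap.
 switchport port-security violation shutdown
!
! Optional: let an err-disabled port recover by itself after 5 minutes instead
! of waiting for an administrator to issue "shutdown" / "no shutdown" on it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands, run from privileged EXEC mode:
!   show port-security interface GigabitEthernet0/5   (status, violation count, last MAC)
!   show port-security address                         (table of secure MAC addresses)
!   show interfaces status err-disabled               (ports shut down by a violation)
```

The `violation restrict` alternative is worth considering where a shut-down port would generate helpdesk calls: it still blocks the unauthorized device but leaves the authorized host working and records the event for the administrator.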

Fourth, use the sticky parameter to simplify management. In practice, sticky is a very useful option that greatly simplifies MAC address configuration. For example, once the enterprise network has been deployed, run the switchport port-security mac-address sticky command: the switch ports then automatically remember the MAC address of the host currently connected to each of them. If a host is changed later, the switch rejects the new host's connection as long as its MAC address does not match the original one. This gives the same security as static MAC addresses, but the administrator no longer has to type in the MAC address for every port on the network, which simplifies port configuration. Manual configuration is still needed when a host is moved or added, but at that point the configuration is usually small and the workload is acceptable.

Finally, if both a PC and an IP phone are connected on the same switch port, you must set the maximum parameter to 2, because to the switch port the phone and the PC are the same kind of device: each is one MAC address. If the parameter is set to 1, a problem occurs. Pay special attention to this when setting port security policies in a deployment that integrates telephones and other devices; in practice many network administrators run into trouble here.
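The following Cisco IOS configuration is an added example, not part of the original article, combining the last two points: sticky learning on a port that carries an IP phone with a PC daisy-chained behind it, so the maximum is raised to 2. The interface name, VLAN numbers and the MAC addresses shown as learned are constructed placeholders; the per-VLAN maximum lines are an optional refinement beyond what the article describes.

```cisco
! Added example (not from the original article): sticky learning on a port that
! carries both an IP phone and the PC behind it. Interface, VLAN numbers and the
! learned MAC addresses are constructed placeholders.
interface GigabitEthernet0/7
 description Office jack 3F-14, IP phone + PC (constructed example)
 switchport mode access
 switchport access vlan 10
 ! The phone sits in the voice VLAN; the PC behind it sits in the data VLAN
 switchport voice vlan 20
 switchport port-security
 ! Two devices, two MAC addresses: a maximum of 1 would err-disable the port
 ! as soon as the second device sends a frame
 switchport port-security maximum 2
 ! Optional refinement: one address per VLAN, so a second PC cannot use the
 ! phone's slot to get onto the data VLAN
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! Learn the first MAC addresses seen and write them into running-config
 switchport port-security mac-address sticky
 ! Keep the phone working even if someone plugs in an extra device
 switchport port-security violation restrict
 spanning-tree portfast
!
! Sticky addresses live only in running-config; save them or they are lost on
! the next reload and must be learned again:
!   copy running-config startup-config
!
! After learning, running-config shows lines such as (constructed values):
!   switchport port-security mac-address sticky 0011.2233.4455
!   switchport port-security mac-address sticky 0011.2233.aabb vlan voice
```

Saving the configuration after the learning phase is the step most often forgotten: until it is saved, a power cycle turns the port back into an unbound one that will accept whichever host is plugged in first.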

As this shows, implementing switch port security is not very difficult; what the network administrator needs is the intention to do it. The port security feature of the switch can then be used to protect its ports. The methods described above each have their own character, differing in ease of operation and in strength of security, and the network administrator must choose a solution according to factors such as the size of the company's network and its security requirements. In short, as network security has become a major concern for administrators, switch port security deserves everyone's attention.
