Use vswitch security measures: Build a strict Architecture

Source: Internet
Author: User

This article covers vswitch security measures, starting with a strict architecture. It takes only a few minutes to read, and it touches on many security issues along the way.

A perfect product must first have an outstanding architecture design. Currently, many vswitch products adopt a fully distributed architecture. They use powerful ASIC chips for high-speed route lookups and forward data using longest matching and packet-by-packet forwarding, which greatly improves the forwarding performance and scalability of the route switch.

In addition to the distributed architecture described above, the DCRS-7600 series IPv6 10-GE route switch also has an outstanding set of switch security measures that can effectively prevent attacks and viruses. This makes it better suited to large-scale, multi-service access networks with complex traffic, and to metro Ethernet development.

Its S-ARP (Security ARP) function can effectively prevent ARP DoS attacks. The Anti-Sweep (anti-scanning) function automatically monitors a variety of malicious scanning behavior and raises an alarm or takes other security measures, for example prohibiting network access; this feature can stop many unknown new viruses before they break out on a large scale. The S-ICMP (Security ICMP) function can effectively prevent ping DoS attacks and prevents hackers from using ICMP Unreachable messages to attack a third party.

The Security Intelligence S-Buffer function and the software IP traffic impact function can prevent distributed DoS (DDoS) attacks. By intelligently monitoring and adjusting the packet data buffer and the queue of IP packets sent to the CPU, they keep the core switch safe and sound under DDoS attacks.

The core protection of the switch engine CPU can effectively prevent various illegal protocol attacks from paralyzing the switch engine of core devices. The key protocol green channel function ensures that normal, legal, reasonable-rate key control packets (STP, MSTP, RIP, OSPF, BGP, multicast protocols, dual-engine board heartbeat, among others) are still processed quickly and without interruption under high business traffic.

The advanced LPM technology can defend against the "Shock Wave" virus, "zero-day" viruses, and the "SQL Slammer" worm. The port trust mode can detect illegal DHCP servers and illegal RADIUS servers: these devices can be connected only on a trusted port, which helps ensure network security.
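The port trust idea above, sketched as an added example (it is not DCRS-7600 code and not from the original article). It assumes the check behaves like DHCP snooping, dropping DHCP server replies that arrive on ports not marked trusted; the port names and sample payloads are constructed.

```python
# Assumption: modelled on DHCP snooping; not the DCRS-7600's actual logic.
# DHCP option 53 values that only a server sends (RFC 2131/2132).
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def dhcp_message_type(payload: bytes):
    """Return the option 53 value from a BOOTP/DHCP UDP payload, or None."""
    # The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None          # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            return None          # truncated option value
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def check_frame(ingress_port: str, payload: bytes, trusted_ports: set):
    """Decide whether a DHCP payload seen on ingress_port may be forwarded."""
    mtype = dhcp_message_type(payload)
    if mtype in SERVER_TYPES and ingress_port not in trusted_ports:
        reason = f"DHCP {SERVER_TYPES[mtype]} from untrusted port {ingress_port}"
        return ("drop", reason)
    return ("forward", "ok")

def build_dhcp(op: int, mtype: int) -> bytes:
    """Constructed sample: zeroed BOOTP header, option 53, end option."""
    header = bytes([op, 1, 6, 0]) + bytes(232)
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    trusted = {"eth1/1"}         # hypothetical uplink to the real DHCP server
    for port, mtype in [("eth1/1", 2), ("eth1/5", 2), ("eth1/5", 1)]:
        print(port, mtype, check_frame(port, build_dhcp(2, mtype), trusted))
```

Client messages such as DISCOVER pass on any port; only server-originated types are restricted to trusted ports, so a rogue server on an access port never gets a reply through to clients.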

The DCRS-7600 series can set switch security policy by time period: the security settings change with time, automatically switching to different policies in different time periods. For intelligent traffic control, traffic is classified based on ACL. Compared with the traditional classification methods based on switch port, ToS, DSCP, CoS, and 802.1p, ACL-X is more precise and closer to business classification, and security policy distribution is more flexible: a policy can be configured on any port, VLAN, or VLAN interface.

The application-based business security management function, SecAPP, provides line-rate business awareness, instantly perceiving the occurrence of various high-level application services. This process does not affect the forwarding performance of the switch, which is why it is line-rate. The smart business policy function classifies the various high-level application businesses according to preset policies to distinguish between legal, illegal, and restricted businesses.

The in-depth business control function (based on ACL-X) can apply different switch security measures to each classified business; together with the powerful ACL-X and QoS, it implements flexible access control or traffic limiting. BT is an application that people both love and hate.

When files are being downloaded, the user's bandwidth is excessively occupied, seriously affecting other network applications. SecAPP has the most direct effect on restricting BT: without affecting the forwarding performance of a vswitch, SecAPP can implement access control and traffic management for P2P applications such as BT and eDonkey, and control user bandwidth in a manageable manner.
