Using layer-3 switch security policies to defend against network viruses

Source: Internet
Author: User

Computer networks currently face two types of threats: threats to the information carried on the network, and threats to the devices that make up the network. Many factors affect network security, chiefly vulnerabilities and "backdoors" in network software. These vulnerabilities and defects are exactly the first choice of attackers.

Most of these attacks succeed because of imperfect security measures. Software "backdoors" are left in by the vendor's own programmers for their convenience; once a backdoor is found and opened, the consequences can be severe. The security policy of a layer-3 switch can also be used to contain viruses. The following describes in detail how to do so.

Computer network security policies are classified into physical security policies and access control policies.

1. Physical Security Policy

Physical security policies aim to protect hardware entities and communication links, such as computer systems, network servers, and printers, from natural disasters, man-made damage, and line-tapping attacks; to verify the user's identity and permissions so as to prevent unauthorized operations; and to ensure that the computer system has a sound electromagnetic-compatibility environment.

2. Access Control Policy

Access control is the main policy for network security prevention and protection. Its main task is to ensure that network resources are not illegally used or accessed, and it is also an important means of maintaining network system security and protecting network resources. Access control policies include inbound access control, network permission control, directory-level security control, attribute security control, network server security control, network monitoring and lock control, and network port and node security control. All security policies must work together to protect the network, but access control is one of the most important core policies for ensuring network security.

The main source of virus intrusion is software "backdoors". When packet filtering is set up at the network layer, a certain number of information filtering tables must be created first. These tables are built from the information in the packet headers the switch receives. A packet header contains the source IP address, destination IP address, transport protocol type (TCP, UDP, ICMP, and so on), protocol source port number, protocol destination port number, connection request direction, and ICMP packet type. When a packet matches the rules in the filter table, it is allowed to pass; otherwise it is not. This type of firewall can be used to prohibit external and illegal users from accessing internal services. However, packet filtering cannot identify dangerous packets by their content, and it cannot handle application-level protocols or UDP, RPC, or other dynamic protocols.

Based on the anti-virus requirements of each LAN, establish a LAN anti-virus control system and set targeted anti-virus policies.

VLAN Division

1. Switch-based VLANs can resolve collision domain, broadcast domain, and bandwidth issues for the LAN.

VLANs can be divided based on the network layer. There are two solutions: one is based on the protocol, if there are multiple protocols in the network; the other is based on the network layer address, most commonly the subnet address in TCP/IP.

You can also create VLANs using the same policy used for managing routes: VLANs are divided by IP subnet, IPX network number, or other protocol, and the workstations using the same protocol are placed in one VLAN. The switch checks the header field of each broadcast frame to find its protocol type. If a VLAN for that protocol already exists, the source port is added to it; otherwise a new VLAN is created. This method not only greatly reduces the work of configuring VLANs manually, but also lets users freely add, move, and modify VLAN membership. Sites on different physical network segments can belong to the same VLAN, and sites on different VLANs can share the same physical network segment.

Defining VLANs at the network layer also has disadvantages. Compared with the MAC-address approach, a network-layer VLAN requires the switch to analyze the address formats of the various protocols and convert them accordingly. A switch that uses network-layer information to define VLANs is therefore less efficient than one that uses data-link-layer information.

2. Enhanced Network Security

Broadcasts on a shared-bandwidth LAN inevitably cause security issues, because every user on the network can monitor the traffic flowing through it: anyone who plugs into any active port can read the broadcast packets on that segment. The security mechanism provided by VLANs can restrict access by specific users, control the size and location of broadcast groups, and even lock the MAC addresses of network members, so that users and devices without security permission are restricted in their use of the network.

Set the access control list

First, develop different policies based on the needs of each organization (for example, whether file transfer or gaming traffic is allowed). Before developing a policy, you should first understand which kind of traffic is carried on which port of the computer. Ports fall into roughly three types:

Well-known ports (0-1023): These are closely bound to specific services. Usually the communication on one of these ports clearly indicates one service protocol. For example, port 80 is always HTTP communication, and port 110 is POP3 communication.

Registered ports (1024-49151): These are loosely bound to services. That is to say, many services are bound to these ports, but the ports are also used for many other purposes. For example, many systems allocate dynamic ports starting from around 1024.

Dynamic and/or private ports (49152-65535): In theory these ports should not be allocated to services. In practice, machines usually allocate dynamic ports starting from 1024, but there are exceptions: SUN's RPC ports start from 32768. For example:

# These ACLs are to block virus attack
# You need to make sure all your expected network services are not blocked by these ACLs
# These ACLs' precedence are within 1001 ~ 1500
# SQL Slammer / MS-SQL Server worm
create access-list udp1434-d-de udp destination any ip-port 1434 source any ip-port any deny ports any precedence 1001
# W32/Blaster worm
create access-list udp69-d-de udp destination any ip-port 69 source any ip-port any deny ports any precedence 1011
create access-list udp135-d-de udp destination any ip-port 135 source any ip-port any deny ports any precedence 1013

The first command creates an access list named udp1434-d-de that denies every UDP packet whose destination port is 1434, from any source and any source port, at precedence 1001. The next two do the same for UDP destination ports 69 and 135 at precedences 1011 and 1013. The comments are a reminder that these lists occupy the 1001-1500 precedence range and that you must check they do not block a service you actually need.
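An added example, written for this page and not taken from any switch vendor, that models the packet-filtering table described earlier and the three deny rules above: it parses the `create access-list` lines, orders them by precedence, and evaluates constructed packets against them. It assumes first-match semantics in precedence order and, because the page's lists contain only deny rules, a default action of permit.

```python
import re
from collections import namedtuple

# Constructed copy of the deny rules shown on the page (vendor CLI syntax, one comment line).
ACL_CONFIG = """
# These ACLs are to block virus attack
create access-list udp1434-d-de udp destination any ip-port 1434 source any ip-port any deny ports any precedence 1001
create access-list udp69-d-de udp destination any ip-port 69 source any ip-port any deny ports any precedence 1011
create access-list udp135-d-de udp destination any ip-port 135 source any ip-port any deny ports any precedence 1013
"""

# Grammar inferred from the page's lines; a real switch accepts more forms than this.
ACL_RE = re.compile(
    r"create access-list (?P<name>\S+) (?P<proto>\w+) "
    r"destination (?P<dst>\S+) ip-port (?P<dport>\S+) "
    r"source (?P<src>\S+) ip-port (?P<sport>\S+) "
    r"(?P<action>deny|permit) ports any precedence (?P<prec>\d+)", re.IGNORECASE)

Rule = namedtuple("Rule", "name proto dst dport src sport action precedence")

def parse_acls(text):
    """Parse 'create access-list' lines, skip comments, order by precedence (lowest first)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised ACL line: {line}")
        g = m.groupdict()
        rules.append(Rule(g["name"], g["proto"].lower(), g["dst"], g["dport"],
                          g["src"], g["sport"], g["action"].lower(), int(g["prec"])))
    return sorted(rules, key=lambda r: r.precedence)

def _field_matches(rule_value, packet_value):
    # 'any' is the wildcard used by the page's rules; anything else must match exactly.
    return rule_value == "any" or rule_value == str(packet_value)

def evaluate(rules, proto, src, sport, dst, dport, default="permit"):
    """Return (action, rule_name) for the first rule that matches the packet header fields.
    Assumed default is permit, since the page's lists only deny specific worm ports."""
    for r in rules:
        if (r.proto == proto and _field_matches(r.dst, dst) and _field_matches(r.dport, dport)
                and _field_matches(r.src, src) and _field_matches(r.sport, sport)):
            return r.action, r.name
    return default, None
```

Note that all three rules match UDP only: under first-match evaluation, a TCP packet to port 135 or 1434 falls through to the default and is not covered by these lists.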

Port isolation: use the switch's system-guard detection function. Set the maximum number of infected hosts to detect at one time, set the parameters related to address learning, and then enable system-guard detection. Before using this function, make sure the port priority configuration is in its default state, that is, the port priority is 0 and the switch does not trust the CoS priority carried in packets.

system-guard detect-maxnum 5 (sets the maximum number of infected hosts that can be detected at one time)

system-guard detect-threshold ip-record-threshold record-times-threshold isolate-time

This command sets the upper limit on the number of addresses a source may learn, the upper limit on the number of repeated detections, and the isolation time.

For example, with the maximum address-learning count set to 50, the maximum number of repeated detections set to 3, and the isolation time set to 5: if the switch detects the same source IP address learning more than 50 IP addresses three times in a row, it considers that source to be attacking and, for 5 aging periods, stops learning the destination IP addresses in packets from that source.
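An added model of the detection logic those three parameters describe, written in Python for this page and not the switch's own firmware. It uses the page's values (50, 3, 5, and detect-maxnum 5) and assumes that a source is checked once per aging period, that the over-limit counter must be reached in consecutive periods, and that an isolated source is released after the isolation time has elapsed.

```python
from collections import defaultdict

class SystemGuard:
    """Toy model of system-guard: count sources that learn too many IPs per aging period."""

    def __init__(self, ip_record_threshold=50, record_times_threshold=3,
                 isolate_time=5, detect_maxnum=5):
        self.ip_record_threshold = ip_record_threshold        # max IPs learned per source per period
        self.record_times_threshold = record_times_threshold  # consecutive over-limit periods needed
        self.isolate_time = isolate_time                      # isolation length, in aging periods
        self.detect_maxnum = detect_maxnum                    # max hosts isolated at the same time
        self.period = 0                                       # index of the current aging period
        self.learned = defaultdict(set)                       # source -> IPs learned this period
        self.hits = defaultdict(int)                          # source -> consecutive over-limit periods
        self.isolated_until = {}                              # source -> period index when isolation ends

    def is_isolated(self, src):
        return self.period < self.isolated_until.get(src, -1)

    def learn(self, src, dst):
        """Called per packet. Returns False when dst is not learned because src is isolated."""
        if self.is_isolated(src):
            return False
        self.learned[src].add(dst)
        return True

    def end_period(self):
        """The aging period expires: compare every active source against the thresholds."""
        for src, dsts in self.learned.items():
            self.hits[src] = self.hits[src] + 1 if len(dsts) > self.ip_record_threshold else 0
            active = sum(1 for s in self.isolated_until if self.is_isolated(s))
            if self.hits[src] >= self.record_times_threshold and active < self.detect_maxnum:
                self.isolated_until[src] = self.period + 1 + self.isolate_time
                self.hits[src] = 0
        self.learned.clear()
        self.period += 1

def simulate(periods=9):
    """Constructed traffic: 10.0.0.5 touches 60 hosts every period (worm-like scanning),
    10.0.0.9 touches 3 (normal). Returns whether 10.0.0.5 is isolated after each period."""
    guard = SystemGuard()
    timeline = []
    for _ in range(periods):
        for i in range(60):
            guard.learn("10.0.0.5", f"10.0.1.{i}")
        for i in range(3):
            guard.learn("10.0.0.9", f"10.0.1.{i}")
        guard.end_period()
        timeline.append(guard.is_isolated("10.0.0.5"))
    return timeline
```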

Conclusion

With the development of computer technology and communication technology, computer networks will increasingly become an important means of information exchange in industry, agriculture, and national defense, and penetrate into all fields of social life. Therefore, recognizing Network Vulnerabilities and potential threats and adopting strong security policies will become very important for ensuring network security.
