How layer-3 switches help defend against viruses

Source: Internet
Author: User

Layer-3 switches are now very common, so I looked into how a layer-3 switch can be used to defend against viruses, and I am sharing the result here in the hope that it is useful. A computer network currently faces two kinds of threat: threats to the information carried on the network, and threats to the devices on the network. Many factors affect network security, chiefly vulnerabilities and "backdoors" in network software; these flaws are the first thing an attacker looks for.

Most such attacks succeed because security measures are incomplete. A software "backdoor" is typically left in by the vendor's own developers for their convenience; once an outsider finds and opens it, the consequences can be severe. The security policy of a layer-3 switch also provides virus-prevention functions, and the rest of this article explains in detail how to use it for that purpose. Computer network security policies fall into two groups: physical security policies and access control policies.

1. Physical Security Policy

A physical security policy protects hardware entities and communication links, such as computer systems, network servers and printers, from natural disasters, deliberate damage and wiretapping (line-tapping) attacks; verifies user identity and permissions to prevent unauthorized operations; and ensures the computer system has a sound electromagnetic compatibility environment.

2. Access Control Policy

Access control is the main policy for network security protection. Its task is to ensure that network resources are not used or accessed without authorization, and it is an important means of maintaining system security and protecting network resources. Access control covers login access control, network permission control, directory-level security control, attribute security control, network server security control, network monitoring and lock control, and network port and node security control. All of these controls must work together to protect the network, but access control as a whole is one of the core policies for ensuring network security.

The main entry point for a virus is a software "backdoor". When packet filtering is configured at the network layer, a set of filtering tables must first be created. A filtering table is built from the information in the packet headers the device receives: source IP address, destination IP address, transport protocol (TCP, UDP, ICMP and so on), source port, destination port, connection request direction, and ICMP message type. A packet that matches a permit rule in the table is forwarded; any other packet is dropped. A firewall of this kind can stop external and unauthorized users from reaching internal services. However, packet filtering on its own cannot recognise a dangerous packet by its content: it does not understand application-layer protocols, and it handles UDP, RPC and protocols that negotiate ports dynamically poorly, because nothing in a single header tells it whether the packet belongs to a session an inside host actually started. Each LAN should therefore establish its own anti-virus control system and set targeted anti-virus policies according to its own requirements.
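To make the filtering-table behaviour concrete, here is an added example in Python; it is not code from the original article. The rule and packet layouts, the sample table (a LAN whose only externally reachable service is a web server) and the sample traffic are all constructed for illustration. The last two packets show the limitation just described: a stateless filter cannot tell a forged "reply" from a genuine one, and it has no row that can safely permit a legitimate UDP answer.

```python
"""Stateless packet filter modelled on the filtering-table description above.
Added example, not code from the original article: the rule/packet layouts,
the sample filter table and the sample traffic are all constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see, and nothing more."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: str = "in"           # "in": outside -> LAN, "out": LAN -> outside
    syn_only: bool = False          # TCP connection request (SYN without ACK)
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One row of the filtering table; None means 'any'."""
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[tuple] = None   # inclusive (low, high)
    dport: Optional[tuple] = None
    direction: Optional[str] = None
    new_conn: Optional[bool] = None # True: only connection requests, False: only non-requests
    icmp_type: Optional[int] = None


def _port_ok(value, rng):
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule that is set must agree with the packet header."""
    return (
        ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.proto is None or rule.proto == pkt.proto)
        and _port_ok(pkt.sport, rule.sport)
        and _port_ok(pkt.dport, rule.dport)
        and (rule.direction is None or rule.direction == pkt.direction)
        and (rule.new_conn is None or rule.new_conn == pkt.syn_only)
        and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
    )


def filter_packet(table, pkt: Packet) -> str:
    """First matching row decides; a packet matching no row is dropped (default deny)."""
    for rule in table:
        if matches(rule, pkt):
            return rule.action
    return "deny"


LAN = "192.168.10.0/24"
WEB = "192.168.10.5/32"

# Constructed table for a LAN whose only externally reachable service is a web server.
TABLE = [
    Rule("permit", dst=WEB, proto="tcp", dport=(80, 80), direction="in"),
    Rule("deny", dst=LAN, proto="tcp", direction="in", new_conn=True),    # no other inbound connections
    Rule("permit", dst=LAN, proto="tcp", direction="in", new_conn=False), # replies to LAN-initiated sessions
    Rule("permit", src=LAN, direction="out"),
    Rule("permit", dst=LAN, proto="icmp", icmp_type=0, direction="in"),   # echo reply
    Rule("deny", dst=LAN, proto="icmp", icmp_type=8, direction="in"),     # echo request
]

# Constructed sample traffic arriving from outside hosts.
SAMPLE = {
    "web_request":  Packet("203.0.113.7", "192.168.10.5", "tcp", 51000, 80, "in", syn_only=True),
    "smb_probe":    Packet("203.0.113.7", "192.168.10.20", "tcp", 51001, 445, "in", syn_only=True),
    "ping_request": Packet("203.0.113.7", "192.168.10.20", "icmp", direction="in", icmp_type=8),
    "ping_reply":   Packet("203.0.113.7", "192.168.10.20", "icmp", direction="in", icmp_type=0),
    # Looks like a reply (no SYN) but the LAN never opened this session: a
    # stateless filter cannot tell, so it is let through.
    "forged_reply": Packet("203.0.113.7", "192.168.10.20", "tcp", 80, 51002, "in"),
    # A genuine DNS answer over UDP matches no row, because the table has no
    # way of knowing the LAN host asked for it.
    "udp_reply":    Packet("203.0.113.53", "192.168.10.20", "udp", 53, 50000, "in"),
}


def evaluate_all():
    """Verdict for every sample packet, keyed by its name."""
    return {name: filter_packet(TABLE, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:13s} {verdict}")
```

Running the block prints a verdict per packet. The web request and the echo reply are permitted and the SMB probe and echo request are dropped, as intended; the forged reply is also permitted and the real UDP answer is dropped, which is exactly the gap a stateful or application-aware firewall closes.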

VLAN Division

1. A VLAN built on a layer-3 switch resolves the collision domain, broadcast domain and bandwidth problems of a LAN. VLANs can be divided at the network layer in two ways: by protocol (when several protocols run on the network), or by network-layer address (most commonly the subnet address in TCP/IP).

A VLAN can also be created using the same policy that is used to manage routes: the VLAN is divided by IP subnet, IPX network number or other protocol, and workstations speaking the same protocol are placed in one VLAN. The layer-3 switch examines the header fields of each broadcast frame it receives and reads the protocol type; if a VLAN for that protocol already exists, the source port is added to it, otherwise a new VLAN is created. This greatly reduces the work of configuring VLANs by hand and lets users add, move and change stations freely. Stations on different physical network segments can belong to the same VLAN, and stations on the same physical segment can belong to different VLANs.

Defining VLANs at the network layer also has drawbacks. Compared with MAC-address-based VLANs, a network-layer VLAN requires the switch to parse the address formats of the various protocols and convert them accordingly, so a layer-3 switch that defines VLANs from network-layer information is slower at this than one that uses only data-link-layer information.

2. Enhanced Network Security

Broadcasts on a shared-bandwidth LAN inevitably create security problems, because every user on the segment can monitor the traffic flowing through it: anyone who plugs into any active port can receive the broadcast packets on that segment. The security mechanism provided by VLANs can restrict access for specific users, control the size and location of broadcast groups, and even lock the MAC addresses of network members, which keeps users and devices without security permission from using the network.
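The dynamic VLAN assignment described under VLAN Division (protocol type read from the frame header, subnet read from the IP header, a new VLAN created when none exists) and the MAC-address lock just mentioned can be shown together in one small model. The following is an added Python example, not the article's code and not any vendor's implementation: the EtherType table, the list of known subnets, the VLAN numbering, the port tables and every frame are constructed here for illustration.

```python
"""Dynamic VLAN assignment from the protocol type and IP subnet seen in a
broadcast frame, plus a per-port MAC-address lock. Added example, not the
article's code: the EtherType table, the subnet list, VLAN numbering and every
frame below are constructed for illustration."""
import struct
from ipaddress import ip_address, ip_network

ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x8137: "ipx", 0x86DD: "ipv6"}
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed: IP subnets the administrator wants kept in separate VLANs.
KNOWN_SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]


class L3Switch:
    def __init__(self, first_vlan=100):
        self.vlans = {}          # policy key -> VLAN id
        self.next_vlan = first_vlan
        self.port_vlans = {}     # port -> set of VLAN ids seen on that port
        self.locked_macs = {}    # port -> set of permitted source MACs

    def lock_port(self, port, macs):
        """Lock a port to the given station MACs (the article's 'MAC lock')."""
        self.locked_macs[port] = {m.lower() for m in macs}

    @staticmethod
    def classify(frame: bytes):
        """Derive the VLAN policy key from the frame header: the protocol, and
        for IPv4 also the sender's subnet. This address parsing is the extra
        work that makes network-layer VLANs slower than MAC-based ones."""
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
        proto = ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")
        if proto == "ipv4" and len(frame) >= 34:
            src_ip = ip_address(frame[26:30])       # IPv4 source address field
            for net in KNOWN_SUBNETS:
                if src_ip in net:
                    return ("ipv4", str(net))
            return ("ipv4", "other")
        return (proto,)

    def learn(self, port, frame: bytes):
        """Place the sending station in a VLAN and return the VLAN id, or None
        when the port is MAC-locked and this station is not on its list."""
        src_mac = frame[6:12].hex(":")
        allowed = self.locked_macs.get(port)
        if allowed is not None and src_mac not in allowed:
            return None
        key = self.classify(frame)
        if key not in self.vlans:                   # no VLAN for this protocol/subnet yet
            self.vlans[key] = self.next_vlan
            self.next_vlan += 1
        vid = self.vlans[key]
        self.port_vlans.setdefault(port, set()).add(vid)
        return vid


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload=b""):
    """Ethernet II frame: 6-byte destination, 6-byte source, 2-byte EtherType."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_payload(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header; only the addresses matter to the switch."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ip_address(src_ip).packed, ip_address(dst_ip).packed)


def demo():
    """Constructed scenario: three ports, port 3 locked to one station."""
    sw = L3Switch()
    sw.lock_port(3, ["00:11:22:33:44:55"])

    def ip(mac, src, dst):
        return build_frame(BCAST, mac, 0x0800, ipv4_payload(src, dst))

    r = {}
    r["a_sub1"] = sw.learn(1, ip("00:aa:00:00:00:01", "10.1.0.5", "10.1.0.255"))
    r["b_sub1"] = sw.learn(2, ip("00:aa:00:00:00:02", "10.1.0.6", "10.1.0.255"))  # same VLAN, other port
    r["c_sub2"] = sw.learn(2, ip("00:aa:00:00:00:03", "10.2.0.9", "10.2.0.255"))  # second VLAN on port 2
    r["ipx"] = sw.learn(1, build_frame(BCAST, "00:aa:00:00:00:04", 0x8137, bytes(30)))
    r["locked_ok"] = sw.learn(3, ip("00:11:22:33:44:55", "10.1.0.7", "10.1.0.255"))
    r["locked_bad"] = sw.learn(3, ip("00:de:ad:be:ef:00", "10.1.0.8", "10.1.0.255"))
    return sw, r


if __name__ == "__main__":
    sw, r = demo()
    print(r)
    print(sw.vlans, sw.port_vlans)
```

In the scenario the two 10.1.0.0/24 stations land in the same VLAN although they sit on different ports, the 10.2.0.0/24 station puts a second VLAN on port 2, the IPX station gets a VLAN of its own, and the unknown MAC on the locked port is refused before any VLAN lookup happens.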
