How to set up secure switch system in switch security technology

The switch occupies an important position in the enterprise network, which is usually the core of the whole network. In this era of hacker intrusion and virus-ridden network, as the core of the switch is also taken for granted a part of the responsibility of network security. Therefore, the switch must have the professional security product performance, the security has become the network construction must consider the heavy middle. As a result of this, security switches are integrated with security authentication, ACLs (Access control list), firewall, intrusion detection and even antivirus functions, and the security of the network really needs to be "armed to the teeth." Security Switch three layer meaning switch the most important role is to forward data , in the hacker attack and virus intrusion, the switch to be able to continue to maintain its efficient data forwarding rate, without attack interference, this is the most basic security features required by the switch. At the same time, as the core of the whole network, the switch should be able to distinguish and control the users accessing and accessing the network information. More importantly, the switch should also be coordinated with other network security devices to monitor and block unauthorized access and network attacks. New features of security switches 802.1X Enhanced security certification in traditional LAN environment, as long as there is a physical connection port, unauthorized network equipment can be connected to the LAN, or unauthorized users can connect to the LAN through the network of devices. This poses a potential security threat to some businesses. In addition, in the school and the network of intelligent community, because it involves the network billing, so verifying the legality of user access is also very important. IEEE 802.1x is the remedy for this problem, has been integrated into the two-layer intelligent switch, complete the user's access security audit. The 802.1X protocol is a newly standardized LAN access control protocol that conforms to the IEEE 802 protocol set, which is called a port based access control protocol. Based on the advantages of IEEE 802 LAN, it can provide a means to authenticate and authorize the users connected to the local area network, and achieve the goal of receiving legitimate user's access and protecting network security. The 802.1X protocol is seamlessly integrated with the LAN. 802.1X utilizes the physical characteristics of the switched LAN architecture to achieve device authentication on the LAN port. During the authentication process, LAN ports either act as authenticator or act as requesters. In the case of authentication, LAN port should be authenticated before it needs the user to access the corresponding service through the port, and if authentication fails, it is not allowed to access; The LAN port is responsible for submitting the Access service request to the authentication server as the requester. A port based Mac lock allows only trusted MAC addresses to send data to the network. Data streams from any untrusted device are automatically discarded, ensuring maximum security. In the 802.1X protocol, only the following three elements are available to complete the user authentication and authorization of port based access control。 1. Client. Generally installed on the user's workstation, when users have access to the Internet needs, activate the client program, enter the necessary username and password, the client program will send a connection request. 2. Certification System. In the Ethernet system to authenticate the switch, its main role is to complete the user authentication information upload, release work, and according to the results of the certification to open or close the port. 3. Authentication server. Verify that the user has the right to use the network services provided by the network system by verifying the identity (username and password) sent by the client, and issuing a status of opening or maintaining the port shutdown according to the authentication results. The flow control technology of the flow control security switch restricts the abnormal traffic flowing through the port to a certain range, avoiding the unlimited misuse of the bandwidth of the switch. The flow control function of the security switch can control the abnormal traffic and avoid the network jam. Anti-DDoS Enterprise network in the event of large-scale distributed denial of service attacks, will affect the normal network use of a large number of users, serious and even caused the network paralysis, the service provider is the most headache attack. Security switches use specialized technology to protect against DDoS attacks, which can intelligently detect and block malicious traffic without impacting the normal business, thereby preventing the network from being threatened by DDoS attacks. VLAN virtual LAN is an essential function of secure switch. A VLAN can implement a limited broadcast domain on a two-tier or three-tier switch, dividing the network into a separate zone that can control whether these areas can be communicated. VLANs may span one or more switches, regardless of their physical location, and devices seem to communicate between the same network. VLANs can be formed in various forms, such as ports, MAC addresses, IP addresses, and so on. VLANs restrict unauthorized access between different VLANs, and you can set the Ip/mac address binding feature to restrict unauthorized network access for users. Firewall function security switch based on access control list the access control list ACL is used to realize the security function of packet filtering firewall and to enhance the ability of security prevention. Access control lists have previously been used only at the core router. In a secure switch, access control filtering can be implemented based on the source/target swap slot, port, source/destination VLAN, source/Destination IP, UDP port, ICMP type, or MAC address. ACLs can not only allow network managers to develop network policies, for individual users or specific data flow to allow or deny control, can also be used to enhance the network security shielding, so that hackers could not find a specific host on the network to detect, thus unable to launch attacks. Intrusion detection IDs Security switch IDs can be detected according to the report information and data flow content, in the discovery of network security incidents, the targeted operation, and the response to the security incident to the switch, the switch to achieve accurate port disconnect operation. achieve thisLinkage, the need for the switch to support authentication, port mirroring, forced flow classification, process control, port retrieval, and other functional equipment redundancy is also important physical security, that is, redundancy is the guarantee of network security operation. It is a matter of concern that no manufacturer can guarantee that its product will not fail and whether it can switch quickly to a good device in case of failure. Backup power supply, backup management module, redundant ports and other redundant devices can ensure that even in the case of equipment failure, immediately give back-up modules, security network operation. The presence of a security switch's security switch makes the network's security at the switch level much stronger. Security switches can be equipped at the core of the network, like Cisco Catalyst 6500, the modular core switch, the security features at the core to achieve. The advantage of this is that you can centrally configure security policies on core switches to centralize control and facilitate monitoring and tuning of network managers. And the core switches are powerful, security can be a very affordable work, the core switch to do this thing to do their best. Placing a security switch on the network's access layer or aggregation layer is another option. The way to have a secure switch is to decentralize the core to the edge, start implementing the performance of the security switch on each edge, and plug the intrusion and attack and suspicious traffic out of the perimeter to ensure the security of the entire network. This requires a security switch at the edge, and many manufacturers have introduced security switches for use at various edges or converging layers. Like a fortress, they build a strong security perimeter around the core. Security switches are sometimes not alone, such as the PPPoE authentication function requires the support of the RADIUS server, and other switches can be linked to intrusion detection equipment, you need other network equipment or server support. Upgrade of security switches there are a lot of new security switches on the market, they are born with some security features. So how can some old switches get a safe guarantee? In general, this problem is well solved for modular switches. The common solution is to insert a new security module on the old modular switch, such as Cisco Catalyst 6500 with Firewall module, intrusion detection IDs module and so on security modules; The digital 6610 switch is equipped with a PPPoE authentication module, which allows these "revolutionary "Solve the new problem. If the previously purchased switch is a fixed switch, some capable models need to be upgraded with firmware modularity to embed new security features. The prospect of a secure switch as the user's demand for a network environment grows, so does the need for security-enabled switches. Many users believe that a certain amount of investment in the security of the switch, the overall robustness and security of the network is worth the improvement. SpecialDon't be some industry users, their demand for the network is not connected. such as banks, securities and large enterprises, the network virus outbreak once or the invasion of the loss, enough to exceed the security switch on the additional investment. Security switches have become a new bright spot in the switch market. "Related articles" how to make the network indestructible switch security six teaches you how to set up a secure switching system. "Responsible Editor: Yutie TEL: (010) 68476606" Original: Switch security technology How to erect a secure switch system return to network security home