The strategy of preventing DOS attack on intranet

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Using three-layer exchange to establish a comprehensive network security system, the foundation must be a three-tier exchange and routing as the core of the intelligent network, with a sound three-layer security policy management tools.

LAN Layer

On the LAN layer, a lot of precautions can be taken. For example, although it is almost impossible to completely eliminate IP packet spoofing, network management can build filters, if the data with the source address of the intranet, then by restricting data input traffic, effectively reduce the internal counterfeit IP attacks. Filters can also restrict the flow of external IP packets, preventing fake IP Dos attacks as intermediate systems.

Other methods include shutting down or restricting specific services, such as restricting the UDP service to be used only for network diagnostics purposes within the intranet.

However, these restrictions may have a negative impact on legitimate applications, such as RealAudio that use UDP as a transport mechanism.

Network Transport Layer

The following control over the network transport layer can complement these deficiencies.

Line-Speed Quality of Service (QoS) and access control at the layer comes with the emergence of a wire-speed multi-layer switch with configurable intelligent software, layer QoS and access control, which improves the ability of network transmission devices to protect data flow integrity.

In traditional routers, authentication mechanisms, such as filtering fake groupings with internal addresses, require traffic to reach the edge of the router and match the criteria in a specific access control list. But maintaining access control lists is not only time-consuming, but also greatly increases the cost of routers.

In contrast, linear-speed multilayer switches are flexible to implement various policy-based access controls.

This level of access control capability makes the security decision completely separate from the network structure decision, so that the network administrator can effectively deploy DOS precautions without using suboptimal routing or switching topology. As a result, network administrators and service providers can seamlessly integrate policy-based control standards across a metropolitan, data center, or enterprise network environment, regardless of whether it is a complex router based core service or a relatively simple second-tier exchange. In addition, the wire-speed processing data authentication can be performed in the background, basically no performance delay.

Customizable filtering and "trusting neighbors → system"

Another advantage of Intelligent multilayer access control is that it can easily implement custom filtering, such as customizing the control granularity of the response to the system according to specific criteria. Multi-tier switching pushes packets onto specific QoS profiles for the specified maximum bandwidth limit, rather than making simple "discard" decisions for groups that might be Dos attacks. This way, you can prevent Dos attacks and reduce the risk of discarding legitimate packets.

Another advantage is the ability to customize the routing access policy, and to support "trusted neighbor" relationships between specific systems to prevent unauthorized use of internal routes.

Customizing the Network logon configuration

The network logon uses the unique username and the password, authenticates the identity before the user is allowed. The network login is submitted by the user's browser to the Dynamic Host Configuration Protocol (DHCP) to the switch, the switch captures the user identity, sends a request to the RADIUS server, authenticates, only after authentication, the switch allows the user to emit packet traffic flowing through the network.
You are looking at the article from Gm82 Official forum http://www.gm82.com