Switch security analysis

It has become an industry consensus that network security can no longer be achieved by a single device or a single technology. As the backbone equipment of the network, the switch naturally shoulders the important task of building a network security defense line.


From March 12 to March 29, we conducted a user survey on switch security issues on the "Network World" website. Statistics and analysis of the large number of reader responses show that 70% of users have been attacked by worms such as Slammer and Blaster (the "Shockwave" worm). The direct targets of these worms are usually PCs and servers, but the attacks travel over the network, so when these worms break out on a large scale, switches and routers are the first to be implicated. Sampling analysis shows that nearly 50% of users report that worms such as Slammer and Blaster have impacted their switches, and 36% report that their routers have been impacted. Only by restarting the switching and routing devices and reconfiguring access control lists could users eliminate the impact of the worm on their network devices.

Worms attack network equipment

A worm outbreak reduces network throughput and slows the network down. If there is a bottleneck in the network, the network stalls or even breaks down. The bottleneck may be line bandwidth, the processing power of routers and switches, or memory resources. It should be pointed out that the routers and switches in the network have reached or are close to line speed, and internal network bandwidth is usually not oversubscribed. In this case, the traffic generated by a worm attack does not fatally block the internal bandwidth of the LAN, but the router at the network exit and the Layer 3 switch at the core of the network must handle most of the traffic, so they are the first to suffer from the worm. The access layer switch is usually directly connected to user terminals. Once a user terminal is infected with a worm, the attack traffic severely consumes bandwidth and switch resources and paralyzes the network. This has become commonplace.

Worms impact network devices in two main forms: one blocks bandwidth and makes services unavailable; the other consumes CPU resources and brings the device down. Worms such as Code Red, Slammer and Blaster scan IP addresses constantly, consuming a great deal of bandwidth in a short time and congesting the network exit. Downtime arises in several ways. First, ordinary Layer 3 switches use flow-based forwarding: the first packet of a flow is sent to the CPU, which establishes a flow entry according to the packet's destination address. Frequent flow setup consumes CPU resources drastically. The main attack method of worms is to send data streams non-stop, which is fatal to network devices that use flow-based forwarding. Second, if there are problems in the network planning, Slammer triggers a large number of ARP requests, which also exhaust CPU resources. As another example, the Slammer virus congested the link bandwidth between Layer 3 switches, causing routing protocol packets (such as Hello packets) to be lost and routes to flap across the whole network. A similar situation is a DoS attack on the switch CPU and other resources that exploits switch security vulnerabilities. In issue 5 of 2003 we focused on router security; in this issue we focus on switch security.
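The flow-setup problem described above can be made concrete with a small simulation. The following is an added example, not code from the original article or any vendor: a switch model in which the first packet of each flow (keyed here by destination address, an assumption) is punted to the CPU to install a flow entry, while later packets matching an entry take the fast path. The flow table size, LRU eviction, the CPU cost per setup and the traffic traces are all constructed assumptions; the point is to compare how much CPU work ordinary client traffic and a worm-style scan generate for the same packet count, and to show a simple defender-side ratio check built on that difference.

```python
"""Flow-based forwarding under worm-style scanning: a constructed simulation.

Added example, not code from the original article or any vendor. It models
the mechanism described in the text: the first packet of each flow (keyed
here by destination address, an assumption) goes to the CPU, which installs
a flow entry; later packets matching an entry take the fast path. Table
size, LRU eviction and the traffic traces are assumptions built inline.
"""
from collections import OrderedDict
import ipaddress
import random


class FlowSwitch:
    def __init__(self, capacity=1024):
        self.capacity = capacity            # assumed number of flow entries
        self.table = OrderedDict()          # dst address -> entry, LRU order
        self.cpu_setups = 0                 # packets punted to the CPU
        self.fast_path = 0                  # packets forwarded by an existing entry

    def forward(self, dst):
        if dst in self.table:
            self.table.move_to_end(dst)     # refresh LRU position
            self.fast_path += 1
            return "fast"
        self.cpu_setups += 1                # first packet of a flow: CPU work
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # evict the least recently used entry
        self.table[dst] = True
        return "cpu"


def normal_traffic(n, servers, seed=1):
    """Constructed client traffic: every packet goes to one of a few known servers."""
    rng = random.Random(seed)
    return [rng.choice(servers) for _ in range(n)]


def scanning_traffic(n, seed=2):
    """Constructed worm-style scan: each packet picks a pseudo-random IPv4 destination.
    This only builds a list of address strings; nothing is sent anywhere."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]


def run(trace, capacity=1024):
    """Replay a trace through the switch model and report where the work landed."""
    sw = FlowSwitch(capacity)
    for dst in trace:
        sw.forward(dst)
    n = len(trace)
    return {"packets": n, "cpu_setups": sw.cpu_setups,
            "fast_path": sw.fast_path, "cpu_ratio": sw.cpu_setups / n}


def looks_like_scan(stats, cpu_ratio_threshold=0.5):
    """Defender-side check: a source whose packets mostly create new flows is
    scan-like. The threshold value is an assumption for this example."""
    return stats["cpu_ratio"] >= cpu_ratio_threshold


if __name__ == "__main__":
    servers = [f"192.0.2.{i}" for i in range(1, 11)]   # constructed server pool
    for name, trace in (("normal", normal_traffic(10_000, servers)),
                        ("scan", scanning_traffic(10_000))):
        stats = run(trace)
        print(name, stats, "scan-like" if looks_like_scan(stats) else "ordinary")
```

With ten servers, ordinary traffic costs the CPU ten flow setups and then rides the fast path; the scan punts essentially every packet, which is the behaviour the text describes as fatal to flow-based forwarding.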

Switches need to be more secure

An Ethernet switch is actually a computer optimized for forwarding data packets. Like any computer, it can be attacked: an attacker may illegally obtain control of the switch and paralyze the network, or the switch may suffer DoS attacks such as those from the worms described above.

Both kinds of attack take advantage of weaknesses in the switch. A typical switch must maintain privilege levels, maintain routing protocols and build routing tables, handle ARP, process ICMP messages and run switch management; each of these may become a means for hackers to attack the switch.

Worm attacks have caused network equipment manufacturers and users to pay attention to switch security. As for what switch security means, nearly 48% of users believe it means that the switch itself is attack-resistant and secure, 31% think it means that the switch carries a security module, and 21% think both. The vast majority of network equipment manufacturers believe that a secure switch must be specially designed to improve its anti-attack ability and provide certain security functions.

Traditional switches are mainly used for fast forwarding of data packets and emphasize forwarding performance. With the extensive interconnection of local area networks and the openness of the TCP/IP protocol itself, network security has become a prominent problem: sensitive data and confidential information leak from the network, and important data devices are attacked. The original security features of the switch, the key forwarding device in the network environment, cannot meet current security requirements, so traditional switches need enhanced security.

From the perspective of network equipment manufacturers, a security-enhanced switch is an upgrade and refinement of a common switch. In addition to general functions, such a switch has security policy functions that ordinary switches lack. Starting from network security and users' business applications, such switches can implement specific security strategies, prevent viruses and network attacks, limit illegal access, support post-incident analysis, and effectively ensure the normal operation of user network services. One way to achieve security is to embed various security modules in existing switches. Different users have different needs: 25% of users want to add firewall, VPN, data encryption, identity authentication and other functions to the switch, 37% said they need to use dedicated security equipment directly, and 48% said they need both approaches.

At this stage, having experienced attacks, the vast majority of users have expressed strong interest in security-enhanced switches. 18% of users indicated that they would purchase within three months, 29% within half a year, 19% within a year, and only 34% said they would not consider it in the near future. At the same time, users show a rational attitude towards the price of such a security-enhanced switch: 8% expect a price comparable to traditional switches, 4% accept a premium of more than 20% over traditional switches, and 88% accept a price increase of 10% to 20%.

A security-enhanced switch is itself resistant to attack and has more intelligence and security protection functions than an ordinary switch. In terms of system security, the switch implements a security mechanism across the overall network architecture from core to edge, encrypting and controlling network management information through specific technologies. In terms of access security, it uses secure access mechanisms including 802.1x access authentication, RADIUS/TACACS+, MAC address verification and various virtual network technologies. In addition, many switches add a security module in hardware form, and some switches with internal network security functions better contain the hidden security risks that intranets face with the spread of WLAN applications. The security technologies commonly used in switches include the following.

Flow control technology limits abnormal traffic through a port to a certain range. Many switches have port-based flow control functions that provide storm control, port protection and port security. The flow control function notifies the other party to temporarily stop sending packets when congestion occurs between switches, avoiding packet loss. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured value. However, the flow control function of a switch can only perform simple rate limiting on all types of traffic passing through the port: it confines abnormal broadcast and multicast traffic to a certain range but cannot distinguish normal traffic from abnormal traffic, and it is difficult to set an appropriate threshold.
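The threshold problem mentioned above is easy to see in a simulation. The following is an added example, not code from the original article or any vendor: a per-port broadcast storm suppressor that forwards at most a configured number of broadcast frames per second and drops the rest, run over a constructed trace that mixes a one-second legitimate ARP burst with a sustained worm-like flood. The trace labels ("legit"/"flood") are used only to score the outcome; the suppressor itself sees nothing but broadcast frames, which is exactly why no single threshold keeps the burst and drops the flood.

```python
"""Broadcast storm suppression and the threshold problem: a constructed simulation.

Added example, not code from the original article or any vendor. It models
the per-port behaviour described in the text: broadcast frames beyond a
configured per-second threshold are discarded. The trace is constructed and
carries a label that the suppressor never sees; the labels only score the
result, to show that one rate threshold cannot separate a legitimate
broadcast burst from a sustained flood.
"""
from collections import Counter
import random


def storm_control(trace, threshold_pps):
    """Forward at most threshold_pps broadcast frames per second; drop the rest.
    trace: list of (second, label). Returns a Counter keyed by (decision, label)."""
    forwarded_in_second = Counter()
    outcome = Counter()
    for second, label in trace:
        if forwarded_in_second[second] < threshold_pps:
            forwarded_in_second[second] += 1
            outcome[("forwarded", label)] += 1
        else:
            outcome[("dropped", label)] += 1
    return outcome


def build_trace(seed=0):
    """Constructed 10-second trace on one port:
    - 20 ordinary ARP broadcasts every second,
    - a one-second legitimate burst of 400 ARP requests in second 3
      (e.g. many hosts re-resolving after a link flap),
    - a worm-like flood of 300 broadcasts/s in seconds 6-9."""
    trace = [(s, "legit") for s in range(10) for _ in range(20)]
    trace += [(3, "legit")] * 400
    trace += [(s, "flood") for s in range(6, 10) for _ in range(300)]
    random.Random(seed).shuffle(trace)   # interleave frames within each second
    trace.sort(key=lambda t: t[0])       # stable sort keeps that interleaving
    return trace


def evaluate_threshold(trace, threshold_pps):
    """Return (legitimate frames dropped, flood frames forwarded) for one threshold."""
    outcome = storm_control(trace, threshold_pps)
    return outcome[("dropped", "legit")], outcome[("forwarded", "flood")]


def sweep(trace, thresholds):
    """Score several thresholds; a usable one would have both numbers near zero."""
    return {t: evaluate_threshold(trace, t) for t in thresholds}


if __name__ == "__main__":
    trace = build_trace()
    for t, (legit_dropped, flood_forwarded) in sweep(trace, (25, 50, 100, 200, 500)).items():
        print(f"threshold {t:>3} pps: legit dropped={legit_dropped:>4}"
              f"  flood forwarded={flood_forwarded:>5}")
```

Every threshold below 420 pps discards part of the legitimate burst in second 3, and every threshold above zero forwards part of the flood, so the sweep never finds a value with both counts at zero; a rate limiter bounds the damage but cannot classify the traffic.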

Access Control List (ACL) technology controls inbound and outbound access to network resources, ensuring that network devices are not illegally accessed or used as an attack springboard. An ACL is a table of rules. The switch evaluates these rules in order against each packet entering the port; each rule either permits or denies the packet based on its attributes (such as source address, destination address and protocol). Because the rules are evaluated in a fixed order, the relative position of each rule is crucial in determining which packets are and are not allowed to pass through the network.
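The ordering point above is worth seeing in code. The following is an added example, not code from the original article or any vendor: a first-match ACL evaluator with rules on source/destination prefix, protocol and destination port, plus a shadowed-rule check that reports entries an earlier rule has made unreachable. The final default of deny, the rule sets and the packets are constructed assumptions; the deny entry for UDP/1434 mirrors the Slammer blocking advice given in the editorial later on this page.

```python
"""Ordered ACL evaluation with first-match semantics: a constructed example.

Added example, not code from the original article or any vendor. Rules are
checked in order; the first rule whose source/destination prefix, protocol
and destination port match decides the packet, and the final default is
deny (an assumption; devices differ). All addresses, rule sets and packets
are constructed. shadowed_rules() finds entries an earlier rule makes
unreachable, which is how an out-of-place deny silently stops working.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl: List[Rule], pkt: dict, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule); (default, None) if none matched."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that could match `later` already matches `earlier`."""
    return ((earlier.proto == "any" or earlier.proto == later.proto)
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed rule sets: the same rules in two different orders.
GOOD_ACL = [
    Rule("deny", "udp", dport=1434),                          # block Slammer traffic first
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", 80),  # clients to web servers
    Rule("permit", "icmp"),
]
BAD_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", 80),
    Rule("permit"),                                           # catch-all placed too early
    Rule("deny", "udp", dport=1434),                          # never reached
]

# Constructed packets (documentation address ranges).
SLAMMER_PKT = {"proto": "udp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 1434}
WEB_PKT = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 80}
TELNET_PKT = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 23}

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, evaluate(acl, SLAMMER_PKT), "shadowed:", shadowed_rules(acl))
```

Running the shadowed-rule check before deploying an ACL catches the second ordering: the deny for UDP/1434 sits behind a permit-any and can never fire, so the worm traffic it was written for is permitted by rule 1.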

Secure Socket Layer (SSL) encrypts all HTTP management traffic and allows secure access to the switch's browser-based management GUI.

802.1x and RADIUS network login control port-based access, providing authentication and accountability.

Source port filtering allows only specified ports to communicate with each other.

Secure Shell (SSHv1/SSHv2) encrypts all transmitted data, providing secure remote CLI access over the IP network.

Secure FTP enables secure file transfer to and from the switch, preventing unwanted file downloads and unauthorized copying of switch configuration files.

However, not all security functions are equal. Some switches have ACLs, but if the ASIC supports only a few ACL entries the feature is of little use. In general, switches cannot handle illegal ARP (where the source and destination MAC addresses are broadcast addresses). Route spoofing, spanning tree spoofing attacks, 802.1x DoS attacks and DoS attacks on switch network management systems are all potential threats that switches face.

Linkage between switch and IDS

Traditional IDS systems have always been controversial, for four reasons: first, the false positive and false negative rates are too high; second, they have no active defense capability, only passive detection; third, they lack precise positioning and handling mechanisms, identifying only an IP address without being able to locate it; fourth, their performance is generally insufficient and cannot keep up with switched, high-bandwidth environments, so heavy traffic and large numbers of IP fragments may stall the IDS or cause packet loss, leaving it vulnerable to DoS attacks.

During interviews with network equipment manufacturers, Cisco, Huawei 3Com and Harbour Networks all mentioned switch-IDS linkage, believing that it can overcome the deficiencies of IDS and achieve a win-win effect. As everyone knows, hackers and viruses rely on the network platform for their attacks; using IDS as the monitoring system and linking it with switches can cut off their spread on the network platform and achieve unexpectedly strong security effects. Specifically, linkage between IDS and switching equipment means that during operation the switch reports information about the various data flows to the security device; the IDS inspects the reported information and the content of the data flows, and when it discovers a network security event it carries out targeted operations and sends the responding actions to the switch, which then precisely disconnects the relevant port. To achieve this linkage, the switch needs to support authentication, port mirroring, forced flow classification, process-number control, port reverse lookup and other functions, and must also switch at wire speed. A new generation of smart switches can now link with IDS. The Harbour FlexHammer 5010 is such a product: it binds multiple network identifiers and supports port reverse lookup to prevent network spoofing, helping the IDS system locate the attack point precisely.
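The exchange described above (switch reports flows, IDS inspects and answers, switch disconnects the port) is shown below as an added example, not code from the original article or from any of the vendors named. The switch side keeps a (MAC, IP, VLAN, port) binding table so that a verdict naming an IP address can be traced to a physical port, and also reports whether each flow's source MAC/IP pair matches that table; the IDS side flags binding mismatches and hosts reaching many distinct destinations on UDP/1434. The message formats, the scan threshold, the bindings and the sample flows are all constructed assumptions.

```python
"""Switch-IDS linkage: a constructed simulation of the report/detect/respond cycle.

Added example, not code from the original article or any vendor. The switch
exports flow records enriched with the port learned from its binding table
and later applies the IDS verdict to that port; the IDS inspects the records
and answers with actions. Message formats, the scan threshold and the sample
data are assumptions built inline.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class Switch:
    def __init__(self, bindings: Dict[str, Tuple[str, int, str]]):
        self.bindings = bindings      # ip -> (mac, vlan, port), assumed learned at login
        self.disabled_ports = set()

    def export_flows(self, flows: List[dict]) -> List[dict]:
        """Switch -> IDS message: each flow record plus the port it entered on and
        whether the source MAC/IP pair matches the binding table."""
        records = []
        for f in flows:
            b = self.bindings.get(f["src_ip"])
            records.append({**f,
                            "port": b[2] if b else None,
                            "binding_ok": b is not None and b[0] == f["src_mac"]})
        return records

    def apply(self, action: dict) -> Optional[str]:
        """IDS -> switch message handler: shut the port bound to the offending IP.
        Returns the port disabled, or None when the IP cannot be located."""
        if action["action"] != "shutdown":
            return None
        b = self.bindings.get(action["ip"])
        if b is None:
            return None
        self.disabled_ports.add(b[2])
        return b[2]


def ids_inspect(records: List[dict], scan_threshold: int = 20) -> List[dict]:
    """IDS logic over the reported records: flag sources whose MAC/IP binding does
    not match (address spoofing) and sources reaching many distinct hosts on
    UDP/1434 (Slammer-style scanning). The threshold is an assumption."""
    fanout = defaultdict(set)
    reasons: Dict[str, str] = {}
    for r in records:
        if not r["binding_ok"]:
            reasons.setdefault(r["src_ip"], "source MAC/IP does not match binding")
        if r["proto"] == "udp" and r["dport"] == 1434:
            fanout[r["src_ip"]].add(r["dst_ip"])
    for ip, dsts in fanout.items():
        if len(dsts) >= scan_threshold:
            reasons.setdefault(ip, f"{len(dsts)} distinct UDP/1434 destinations")
    return [{"action": "shutdown", "ip": ip, "reason": why} for ip, why in reasons.items()]


def linkage_cycle(switch: Switch, flows: List[dict]) -> Dict[str, str]:
    """One report/detect/respond round. Returns {port: reason} for ports shut down."""
    results = {}
    for action in ids_inspect(switch.export_flows(flows)):
        port = switch.apply(action)
        if port is not None:
            results[port] = action["reason"]
    return results


# Constructed bindings: ip -> (mac, vlan, port).
BINDINGS = {
    "10.0.1.10": ("00:11:22:33:44:10", 10, "Gi1/1"),
    "10.0.1.20": ("00:11:22:33:44:20", 10, "Gi1/2"),
    "10.0.1.30": ("00:11:22:33:44:30", 10, "Gi1/3"),
}


def sample_flows() -> List[dict]:
    """Constructed flows: a normal web client, a host fanning out on UDP/1434,
    and a host whose source MAC does not match its binding."""
    flows = [{"src_ip": "10.0.1.10", "src_mac": "00:11:22:33:44:10",
              "dst_ip": "192.0.2.10", "proto": "tcp", "dport": 80} for _ in range(3)]
    flows += [{"src_ip": "10.0.1.20", "src_mac": "00:11:22:33:44:20",
               "dst_ip": f"192.0.2.{i}", "proto": "udp", "dport": 1434} for i in range(1, 31)]
    flows.append({"src_ip": "10.0.1.30", "src_mac": "00:11:22:33:44:99",  # forged MAC
                  "dst_ip": "192.0.2.10", "proto": "tcp", "dport": 22})
    return flows


if __name__ == "__main__":
    print(linkage_cycle(Switch(BINDINGS), sample_flows()))
```

The binding table is what turns an IDS verdict ("this IP address is scanning") into the precise port disconnection the text describes; without it the switch can only locate an IP address, which is the third IDS weakness listed above.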

Experts believe that linkage between smart switches and IDS is currently a practical and ideal solution that requires no additional investment from users. However, in contrast to the optimism of network equipment manufacturers, although the vast majority of users express approval of the technology, very few actually link switches and IDS in practice. There are still obvious gaps in training and educating users in the combined use of switches and IDS.

The trade-off between security and efficiency

In our survey, users' attention to switch security issues was as high as 97%. However, about 48% of users worry that enhancing the switch's security functions will reduce network throughput, while 34% said it does not matter. The users concerned about both security and efficiency are mainly large and medium-sized enterprises.

Security and efficiency are indeed in tension. From a technical point of view, most traditional switches implement security defense functions in software and rely on CPU processing power. As everyone knows, virus attacks have a large impact on such switches: when network traffic reaches a certain level, the switch is paralyzed and the network is interrupted. A switch that implements security functions in hardware, however, has fully redundant processing capacity within its load range, so performance is unaffected. At the same time, data filtering, intelligent identification of attack sources and policy lookup are also implemented in hardware, ensuring that virus-generated traffic does not affect the switch's normal operation. When virus packet traffic grows large enough and the virus is of an unknown type, it may still affect the switch's normal services; switching devices with self-protection functions can then handle offending packets according to configured priorities, ensuring that high-priority services are not interrupted and the system runs stably. From the above analysis, switching equipment with an advanced architecture can ensure both security and performance. Users who emphasize efficiency should choose switches that implement security functions in hardware.


Product reviews

Cisco Catalyst 6500: Modular security design

Cisco integrates security modules into the switch, so companies can adopt different security measures and prevention technologies according to their needs. Catalyst 6500 series switches integrate IPSec VPN, firewall, intrusion detection and multi-layer LAN, WAN and MAN switching functions. For the Catalyst 6500 series, Cisco also designed the Secure Socket Layer (SSL) module to improve the performance and security of web applications and provide secure networking. Integrating the SSL module with the Cisco Content Switching Module (CSM) accelerates traffic while offloading the web servers, providing a secure server load-balancing solution.

HP ProCurve Switch 5300xl: secure login

The HP ProCurve Switch 5300xl is a core product for small and medium-sized enterprises. It has a compact 4-slot or 8-slot modular form factor and provides 76.8 Gbps of switching capacity and 48 Mpps of Layer 2 and Layer 3 forwarding performance. Security technologies such as source port filtering, 802.1x and RADIUS network login give the switch a high level of security.

Huawei 3Com Quidway S3500: stop worms

Huawei 3Com's Quidway S3500 series of secure, intelligent Layer 3 switches provides comprehensive routing protocols, VLAN control, traffic switching and QoS guarantee mechanisms, and is suitable as an aggregation-layer Layer 3 switch focused on service management control and network security assurance. The series has a complete security control strategy, using longest-match routing and packet-by-packet forwarding to protect against worm attacks. The device also supports 802.1x and Web Portal authentication, binds any combination of MAC, IP, VLAN and port to prevent users from illegally accessing the network, supports multiple ACL access control strategies, and can set users' access to network resources.

Nortel Alteon Application Switch: Defend against DoS attacks

The Nortel Alteon Application Switch has intelligent traffic management functions and rich security features. It adopts a virtual matrix switching architecture and an intelligent traffic management system and has excellent application-layer processing performance. Its basic application-layer functions include server load balancing (SLB), intelligent content (Layer 7) switching, cache redirection (WCR), and firewall and VPN gateway load balancing. In addition, its advanced DoS defense can ensure the security of the server cluster and network behind the application switch. More importantly, these security functions can work simultaneously with other traffic management applications.

Ruijie STAR-S2100: safe and intelligent

The STAR-S2100 series is an intelligent Gigabit switch independently developed by Ruijie Networks and designed for network aggregation and access at all scales. It provides intelligent flow classification, complete quality of service (QoS) and multicast management features, implements flexible and diverse ACL access control, and offers rich management through SNMP, Telnet, Web and Console ports. The STAR-S2126G/S2150G provides end-to-end service quality, flexible and rich security settings and policy-based network management for all types of networks at excellent cost performance, meeting the needs of high-speed, secure and intelligent applications.

Editorial

The switch also needs to be armed

By Song Lina

A phenomenon is attracting the attention of network equipment manufacturers and users: whether a hacker launches a DoS or DDoS attack or a malicious worm breaks out, the switch is often impacted and eventually paralyzed, causing network interruption. A survey of switch users conducted by "Network World" showed that nearly 50% of users reported that switches had been impacted by worms such as Slammer and Blaster (the "Shockwave" worm).

Many enterprise network systems have no security protection at all. The core switch of the network naturally shoulders the task of building a network security defense line, and its security and robustness directly affect the availability of the network. Applying the necessary security technology on the switch not only effectively relieves the security pressure on other devices but also allows problems to be found and solved in time. For example, antivirus software is powerless against worms, a firewall's ability to resist probing is very weak, and intrusion detection software cannot detect internal intrusions. The switch can easily make up for these deficiencies. For security issues at the network layer and above, users can control the traffic on switch ports to solve the problem. To deal with the Slammer worm, users can block it by prohibiting UDP port 1434 on the switch.

A common view in the industry is that security should be distributed throughout the entire network. Security between the internal and external networks needs to be handled by professional security equipment such as firewalls, but the switch also needs to play its part in protecting users.

At present, the vast majority of users take a positive attitude towards solving security problems through switches. Nearly 75% of users plan to take security measures on their switches in the future, hoping to achieve their security goals by hardening switches throughout the network.
