In recent years, China's information infrastructure has developed rapidly: bandwidth keeps growing, network speeds have multiplied several times over, e-mail traffic through gateways has grown exponentially, and voice over IP, video and other technologies have greatly enriched network applications. But while the Internet shortens the distance between people, viruses and hackers arrive uninvited along with it.
Intelligent viruses and their variants, point-and-click hacking tools that spread rapidly, and the rising tide of flood attacks make enterprise information systems fragile, at constant risk of paralysis or even permanent damage. In this situation companies have to strengthen the protection of their own information systems, and many expect a single, once-and-for-all security system. Security, however, is always relative, and purely passive measures are always a step behind: no enterprise security system can truly guarantee 100 percent security.
Analysis of how viruses work and of how intrusion-defense technology has developed shows that a single anti-virus product rarely makes a network secure; it has become the industry consensus that network security can no longer rely on one device or one technology. Against this background, with vendors at home and abroad all promoting security policies, the switch, as the backbone equipment of the network, naturally shoulders the important task of network security defense.
The switch itself must also be secured
A security switch is essentially a computer optimized for packet forwarding, and like any computer it can be attacked. On the one hand, an attacker who illegally gains control of the switch can bring down the network; on the other hand, the switch is itself a target for DoS attacks, such as the floods generated by worms.
In addition, the switch's control plane does real work: it maintains routing protocols, processes ARP, builds routing tables, handles ICMP packets and runs monitoring functions, and each of these is a potential avenue for attacking the switch. Traditional switches were designed mainly for fast packet forwarding, with the emphasis on forwarding performance.
With LANs widely interconnected and the TCP/IP protocol suite open by design, network security has become a prominent issue: sensitive data and confidential information leak from the network, and important data on devices is attacked. As the key forwarding device in the network, the switch with only its original security features can no longer meet current security needs, so traditional switches need added security.
In the view of network equipment vendors, a security switch strengthens the general-purpose switch by upgrading and improving it: besides the general features, it includes security-policy features that ordinary switches lack. Starting from the needs of network security and of the user's services, the switch implements specific security policies to restrict unauthorized access and analyzes traffic, thereby effectively safeguarding the normal operation of the user's network services.
One way to achieve this is to embed various security modules in the existing switch. More and more users now say they hope the security switch will add firewall, VPN, data encryption, authentication and other functions.
Switches make network security easier to control
Security switches harden themselves against attack and are more intelligent, with more security features, than ordinary switches. For system security, they implement security mechanisms throughout the network architecture from the core to the edge, for example by encrypting and controlling network management traffic with specific technologies. For access security, they use secure access mechanisms including 802.1X authentication, RADIUS/TACACS+, MAC address checking and the various kinds of virtual network (VLAN) technology. Many switches also add hardware security modules, and some switches with built-in security features are better at containing the security risks that accompany the spread of WLAN applications inside the network.
Currently, the security technologies commonly used on switches include the following:
1. Flow control. Flow control limits the traffic through a port, including abnormal traffic, to a certain range. Many switches have port-based traffic control that implements storm control, port protection and port security. Flow control proper is used between switches: when congestion occurs, one switch notifies the other to temporarily stop sending packets, avoiding packet loss. Broadcast storm suppression limits the volume of broadcast traffic, discarding broadcast frames once the traffic exceeds a set value.
However, a switch's flow control can only apply simple rate limiting to the various kinds of traffic passing through a port. It can keep abnormal broadcast and multicast traffic within a certain range, but it cannot distinguish which traffic is normal and which is abnormal.
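The limitation just described is easiest to see by running a storm-control threshold over a mixed stream. The following is an added illustration, not code from the article or from any switch vendor: the per-second threshold, the frame stream and the "legit"/"attack" labels are constructed for the example, and a real switch meters frames in hardware and never knows which sender is malicious.

```python
"""Broadcast storm suppression modelled as a per-port, per-second threshold.

Added illustration, not code from the article or from any switch vendor.
The 10-frames-per-second threshold, the frame stream and the "legit"/"attack"
labels are constructed; the switch itself only sees frames, not labels.
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    t_ms: int      # arrival time in milliseconds
    dst: str       # destination MAC
    origin: str    # constructed ground-truth label, invisible to the switch


class StormControl:
    """Drop broadcast frames once a port has already forwarded `limit`
    broadcasts in the current one-second interval."""

    def __init__(self, limit: int):
        self.limit = limit
        self.window = -1
        self.count = 0

    def admit(self, frame: Frame) -> bool:
        if frame.dst != BROADCAST:
            return True                    # unicast is not metered here
        window = frame.t_ms // 1000
        if window != self.window:          # a new second: reset the counter
            self.window, self.count = window, 0
        if self.count >= self.limit:
            return False                   # over threshold: discard
        self.count += 1
        return True


def run(frames, limit: int) -> dict:
    """Return {origin: {"forwarded": n, "dropped": n}} for a frame stream."""
    ctl = StormControl(limit)
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    # sorted() is stable, so frames with equal timestamps keep list order
    for f in sorted(frames, key=lambda fr: fr.t_ms):
        stats[f.origin]["forwarded" if ctl.admit(f) else "dropped"] += 1
    return dict(stats)


def constructed_stream() -> list:
    # A host doing normal ARP: two broadcasts per second for 10 s.
    legit = [Frame(1000 * k + off, BROADCAST, "legit")
             for k in range(10) for off in (0, 500)]
    # A worm-infected host flooding 200 broadcasts per second in seconds 3 to 5.
    attack = [Frame(3000 + 5 * i, BROADCAST, "attack") for i in range(600)]
    return legit + attack


if __name__ == "__main__":
    print(run(constructed_stream(), limit=10))
```

With the threshold set at 10 broadcasts per second, the flood is cut from 600 frames to 27, but the innocent host loses its broadcasts in every second the flood is active: the limiter counts frames, it does not judge them. Tuning the threshold only moves the trade-off; separating the two senders needs a mechanism that looks at who is sending, such as port security or an ACL.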
Security is dynamic: we must keep following and learning new security technology, and keep raising and refreshing our information security awareness.
2. Access control lists (ACLs). ACL technology controls access to network resources by filtering input and output, ensuring that network equipment is neither accessed illegally nor used as a springboard for attacks. An ACL is a table of rules; the security switch enforces these rules in order on every packet entering a port. Each rule either permits or denies a packet based on attributes such as source address, destination address and protocol. Because the rules are processed in a fixed order, the relative position of each rule and whether it permits or denies are essential in determining which packets pass through the network.
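To make the ordering point concrete, here is an ACL evaluator together with a check for rules that an earlier rule has made dead. This is an added example, not code from the article or from any vendor's ACL engine; the subnets, the simplified `permit/deny proto src dst [port]` rule form and the sample packets are constructed, and the implicit deny at the end of the table is the behaviour of most switch ACL implementations.

```python
"""Ordered ACL evaluation: the first matching rule wins, and a packet that
matches nothing is dropped by the implicit deny at the end of the table.

Added example, not code from the article or from any vendor's ACL engine.
The subnets, the rule syntax and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: str                     # source CIDR; "0.0.0.0/0" means any
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None means any

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl: list, pkt: dict) -> str:
    """Walk the table top to bottom; the first match decides the packet."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"                # implicit deny: nothing matched


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a, so a placed above b
    makes b unreachable."""
    return (a.proto in ("ip", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed(acl: list) -> list:
    """Indices of rules that can never fire because an earlier rule covers
    them; a non-empty result almost always means the ACL is misordered."""
    return [i for i, rule in enumerate(acl)
            if any(covers(prev, rule) for prev in acl[:i])]


GUEST, MGMT, ANY = "10.20.0.0/16", "10.0.0.0/24", "0.0.0.0/0"

# Intended policy on the guest VLAN's inbound port: guests may use web and
# DNS anywhere but must not reach the management subnet at all.
CORRECT = [
    Rule("deny",   "ip",  GUEST, MGMT),       # the specific deny comes first
    Rule("permit", "tcp", GUEST, ANY, 80),
    Rule("permit", "tcp", GUEST, ANY, 443),
    Rule("permit", "udp", GUEST, ANY, 53),
]

# The same rules with a broad permit put on top "to get guests working":
# the deny below it can never match and the management subnet is exposed.
MISORDERED = [
    Rule("permit", "ip",  GUEST, ANY),
    Rule("deny",   "ip",  GUEST, MGMT),
    Rule("permit", "tcp", GUEST, ANY, 80),
    Rule("permit", "tcp", GUEST, ANY, 443),
    Rule("permit", "udp", GUEST, ANY, 53),
]

PACKETS = {  # constructed sample packets from one guest host
    "web":        {"proto": "tcp",  "src": "10.20.5.7", "dst": "203.0.113.10", "dport": 443},
    "mgmt_ssh":   {"proto": "tcp",  "src": "10.20.5.7", "dst": "10.0.0.10",    "dport": 22},
    "mgmt_https": {"proto": "tcp",  "src": "10.20.5.7", "dst": "10.0.0.10",    "dport": 443},
    "ping_mgmt":  {"proto": "icmp", "src": "10.20.5.7", "dst": "10.0.0.10"},
    "smtp":       {"proto": "tcp",  "src": "10.20.5.7", "dst": "203.0.113.25", "dport": 25},
}


def decisions(acl: list) -> dict:
    """Decision per sample packet for a given rule table."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name, decisions(acl), "dead rules:", shadowed(acl))
```

The `shadowed` check is the review step worth automating before an ACL is pushed to a port: in `MISORDERED` every rule after the broad permit is dead, which the decisions for the management-subnet packets then confirm.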
Today the industry generally believes that security should be distributed throughout the network: securing the internal network against the external one requires professional security devices such as firewalls, but it also requires the switch to play its part in protecting users. At present the vast majority of users take a positive attitude toward resolving security issues with security switches: nearly 75% of users plan to take security measures on the switch in the future, hoping to strengthen the network and reach their security objectives through the security switch.
3. Security needs a good architecture. A good product starts with a good architectural design. Many security switches now use a fully distributed architecture: powerful ASIC chips perform high-speed longest-match routing lookups and forward packets in hardware, which greatly improves the forwarding performance and scalability of routing switches.
Beyond the fully distributed architecture, the security switch also has well-designed security features that effectively prevent attacks and viruses, making it better suited to large-scale, multi-service access networks with complex traffic, and to the development of metro Ethernet.
S-ARP (secure ARP) effectively prevents ARP DoS attacks;
Anti-Sweep (anti-scan) automatically detects malicious scanning behavior and raises an alarm or takes other security measures, such as prohibiting network access; this feature can curb many unknown new viruses before they break out;
S-ICMP (secure ICMP) effectively prevents ping DoS attacks and flexibly blocks hackers from using ICMP Unreachable messages to attack a third party;
The intelligent security functions S-Buffer and software IP traffic impact protection prevent distributed DoS (DDoS) attacks by intelligently monitoring and adjusting the packet buffer toward the CPU and the queued IP packet flow, so that the core security switch remains unharmed under DDoS attack.
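The first two features in the list above rest on two simple checks: an ARP reply must agree with a trusted IP-to-MAC binding, and a source that touches many distinct targets in a short time is scanning. The following is an added illustration of both checks run over a constructed packet trace; it is not any vendor's implementation, and the binding table (as a switch would learn it from DHCP snooping), the thresholds and the packet records are assumptions made for this example.

```python
"""The checks behind features such as S-ARP and Anti-Sweep, written out in
plain Python and run over a constructed packet trace.

Added illustration, not any vendor's implementation. The trusted binding
table, the thresholds and the packet records are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Trusted IP -> MAC bindings on the access switch (constructed).
BINDINGS = {
    "192.168.1.1":  "00:11:22:33:44:01",   # the gateway
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.11": "00:11:22:33:44:11",
}


@dataclass(frozen=True)
class Pkt:
    t: float               # seconds
    kind: str              # "arp_reply" or "tcp_syn"
    src_ip: str
    src_mac: str = ""      # ARP sender hardware address (arp_reply only)
    dst_ip: str = ""       # tcp_syn only
    dport: int = 0         # tcp_syn only


def check_arp(pkt: Pkt) -> Optional[str]:
    """Secure-ARP style check: an ARP reply whose sender MAC contradicts the
    trusted binding for that IP is spoofing (gateway takeover, ARP DoS)."""
    expected = BINDINGS.get(pkt.src_ip)
    if expected is None:
        return f"ARP reply for unbound IP {pkt.src_ip} from {pkt.src_mac}"
    if expected != pkt.src_mac:
        return f"ARP spoof: {pkt.src_ip} is bound to {expected}, reply claims {pkt.src_mac}"
    return None


class ScanDetector:
    """Anti-sweep style check: a source that touches more than `max_targets`
    distinct (host, port) pairs within `window` seconds is scanning."""

    def __init__(self, max_targets: int = 10, window: float = 5.0):
        self.max_targets, self.window = max_targets, window
        self.hits = defaultdict(list)     # src_ip -> [(t, (dst_ip, dport)), ...]
        self.flagged = set()

    def observe(self, pkt: Pkt) -> Optional[str]:
        hits = self.hits[pkt.src_ip]
        hits.append((pkt.t, (pkt.dst_ip, pkt.dport)))
        hits[:] = [h for h in hits if pkt.t - h[0] <= self.window]  # forget old probes
        targets = {tgt for _, tgt in hits}
        if len(targets) > self.max_targets and pkt.src_ip not in self.flagged:
            self.flagged.add(pkt.src_ip)   # alert once; a switch would then e.g. shut the port
            return f"scan: {pkt.src_ip} probed {len(targets)} targets within {self.window}s"
        return None


def analyse(packets) -> list:
    """Run both checks over a trace in time order; return the alerts raised."""
    det = ScanDetector()
    alerts = []
    for p in sorted(packets, key=lambda pk: pk.t):
        alert = check_arp(p) if p.kind == "arp_reply" else det.observe(p)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_trace() -> list:
    gw = "192.168.1.1"
    trace = [
        Pkt(0.0, "arp_reply", "192.168.1.10", src_mac="00:11:22:33:44:10"),  # genuine
        Pkt(0.5, "arp_reply", gw, src_mac="00:11:22:33:44:99"),              # attacker claims the gateway
        Pkt(1.0, "tcp_syn", "192.168.1.11", dst_ip=gw, dport=80),            # normal browsing
        Pkt(1.2, "tcp_syn", "192.168.1.11", dst_ip=gw, dport=443),
    ]
    # A fast sweep: 15 ports on the gateway within 1.5 s.
    trace += [Pkt(2.0 + 0.1 * i, "tcp_syn", "192.168.1.66", dst_ip=gw, dport=1 + i)
              for i in range(15)]
    return trace


def slow_scan() -> list:
    # One probe every 10 s stays under any 5-second window, so the detector
    # above never fires: window-based anti-scan does not catch slow scans.
    return [Pkt(10.0 * i, "tcp_syn", "192.168.1.77", dst_ip="192.168.1.1", dport=1 + i)
            for i in range(30)]


if __name__ == "__main__":
    for a in analyse(constructed_trace()):
        print(a)
    print("slow scan alerts:", analyse(slow_scan()))
```

The `slow_scan` trace is the caveat a practitioner should keep in mind when reading "automatically detects malicious scanning": a threshold over a short window is cheap enough to run on a switch, but a patient attacker who spreads probes over minutes stays below it, so anti-scan on the switch complements rather than replaces monitoring with longer memory.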
Applications of security switches in industry
With the deep integration of industrialization and information technology, enterprise-wide, Internet-based networking in industry is expanding as well. Connecting industrial control systems to the network creates the possibility of attacks on them through malicious software and viruses and through unauthorized access, a serious threat to industrial network security. According to surveys, factories, refineries, ports and other industrial organizations that deploy industrial Ethernet switches are more vulnerable to hacker attacks. In the industrial field, therefore, the security of the switch has more extensive and more critical applications.