Focusing on network switches for tighter security

How can user traffic be filtered so that transmitted data is protected safely and effectively? How can illegal users be kept out and the network protected? How can the network be managed securely, unauthorized users and illegal behaviour be detected, and information security be maintained during remote network management? Here we summarise six security features that have become popular on switches recently released to the market, in the hope that they help.

L2-L4 filtering

Most new switches can now meet a wide range of filtering needs by establishing rules. Rules are set in one of two modes. The first is MAC mode: data is isolated according to the source or destination MAC address, as the user requires. The second is IP mode: packets are filtered by source IP, destination IP, protocol, source port and destination port. Once a rule is established it must be bound to the corresponding receive or transmit port; when the switch receives or transmits data on that port, it filters each packet according to the rules and decides whether to forward or discard it. Because the switch hardware performs the filtering logic with "AND/NOT" gates, the rules that are established do not affect the data forwarding rate.
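As an added illustration of the two rule modes just described (this is example code written for this page, not a vendor's implementation), the following model binds MAC-mode and IP-mode rules to one port in one direction and lets the first matching rule decide whether a packet is forwarded or discarded. The class names, the sample addresses and the Telnet-blocking policy are assumptions made for the example.

```python
"""Added example (not from the article): a small model of the L2-L4 filtering
rules the article describes. A rule is MAC-based (source/destination MAC) or
IP-based (source/destination network, protocol, source/destination port), is
bound to one port in one direction, and the first matching rule decides permit
or deny. Class and function names here are assumptions, not a vendor API."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None       # None for non-IP frames
    dst_ip: Optional[str] = None
    proto: Optional[str] = None        # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Rule:
    """One filtering rule; any field left as None is a wildcard."""
    kind: str                          # "mac" or "ip"
    action: str                        # "permit" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_net: Optional[str] = None      # CIDR text, e.g. "10.0.0.0/24"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.kind == "mac":
            return ((self.src_mac is None or pkt.src_mac.lower() == self.src_mac.lower())
                    and (self.dst_mac is None or pkt.dst_mac.lower() == self.dst_mac.lower()))
        if pkt.src_ip is None or pkt.dst_ip is None:   # an IP rule never matches a non-IP frame
            return False
        return all([
            self.src_net is None or ip_address(pkt.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(pkt.dst_ip) in ip_network(self.dst_net),
            self.proto is None or pkt.proto == self.proto,
            self.src_port is None or pkt.src_port == self.src_port,
            self.dst_port is None or pkt.dst_port == self.dst_port,
        ])


@dataclass
class PortFilter:
    """Rules bound to one switch port, kept separately for ingress and egress."""
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)

    def decide(self, direction: str, pkt: Packet, default: str = "permit") -> str:
        """First matching rule wins; with no match the port's default applies."""
        rules = self.ingress if direction == "in" else self.egress
        for rule in rules:
            if rule.matches(pkt):
                return rule.action
        return default


def build_example_port() -> PortFilter:
    """Constructed sample policy for one access port (the addresses are made up):
    a MAC rule that isolates one station, and an IP rule that stops Telnet
    (tcp/23) from the user segment reaching the management segment."""
    port = PortFilter()
    port.ingress.append(Rule(kind="mac", action="deny", src_mac="00:11:22:33:44:55"))
    port.ingress.append(Rule(kind="ip", action="deny", src_net="10.0.0.0/24",
                             dst_net="10.0.100.0/24", proto="tcp", dst_port=23))
    return port


if __name__ == "__main__":
    port = build_example_port()
    telnet = Packet("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                    "10.0.0.5", "10.0.100.1", "tcp", 40000, 23)
    print(port.decide("in", telnet))   # deny
```

The ingress and egress lists are separate because, as the article says, a rule only takes effect on the port and direction it is attached to; a packet that matches no rule falls through to the port's default, so a deny-by-default port needs `default="deny"`.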

802.1X port-based access control

To prevent unauthorized users from accessing the LAN and to protect network security, the port-based access control protocol 802.1X has been widely adopted in both wired LANs and WLANs. For example, Asus's latest-generation switching products, the GigaX2024/2048, support both local and RADIUS authentication for 802.1X, and also support dynamic VLAN access based on 802.1X: the VLAN is tied to the user account on top of 802.1X, so wherever on the network a user with that account connects, access is no longer limited by the port-based VLAN of the original 802.1Q configuration, and the user is always placed in the VLAN group assigned to the account. This not only gives mobile users within the network convenient and flexible access to resources, but also safeguards the security of those resources. In addition, the GigaX2024/2048 switches support the 802.1X Guest VLAN function: in an 802.1X deployment, if a Guest VLAN is designated on a port and a user connecting through that port fails authentication or simply has no account, the user becomes a member of the Guest VLAN group and can use only the network resources available to that group. This lets the network open a minimal set of resources to certain groups while giving the whole network a layer of protection against external access.
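The three outcomes described above (dynamic VLAN on success, Guest VLAN on failure or with no account, otherwise a blocked port) can be written down as a small decision function. The following is an added example for this page, not Asus's code or the 802.1X protocol itself; the local account store, the password hashing, the VLAN numbers and the function names are assumptions.

```python
"""Added example (not from the article and not Asus code): a model of the port
outcomes the article describes for 802.1X with dynamic VLAN assignment and a
Guest VLAN. The account store, password hashing, VLAN numbers and function
names are all assumptions made for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    vlan: Optional[int]      # VLAN this account is placed in wherever it logs on;
                             # None means "use the port's static VLAN"


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Local account store for the example; the article notes the switch can
    # alternatively hand authentication to a RADIUS server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_account(name: str, password: str, vlan: Optional[int]) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash_pw(password, salt), vlan)


@dataclass
class PortState:
    authorized: bool
    vlan: Optional[int]      # None: the port stays blocked
    reason: str


def authenticate_port(accounts: Dict[str, Account], username: Optional[str],
                      password: Optional[str], static_vlan: int,
                      guest_vlan: Optional[int] = None) -> PortState:
    """Decide a port's state after the 802.1X exchange on it.

    - valid credentials: authorized; the VLAN comes from the account (dynamic
      VLAN) and overrides the port's static 802.1Q VLAN;
    - failed authentication or no supplicant: Guest VLAN if one is configured
      on this port, otherwise the port stays blocked."""
    if username is not None and username in accounts and password is not None:
        acct = accounts[username]
        if hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
            vlan = acct.vlan if acct.vlan is not None else static_vlan
            return PortState(True, vlan, f"authenticated as {username}")
    if guest_vlan is not None:
        return PortState(False, guest_vlan, "guest VLAN: authentication failed or no account")
    return PortState(False, None, "blocked: authentication failed and no guest VLAN")


if __name__ == "__main__":
    # Constructed accounts: alice carries her own VLAN, bob uses the port's static VLAN.
    accounts = {"alice": make_account("alice", "correct horse", 20),
                "bob": make_account("bob", "battery staple", None)}
    print(authenticate_port(accounts, "alice", "correct horse", static_vlan=10))
    print(authenticate_port(accounts, None, None, static_vlan=10, guest_vlan=99))
```

Note that the Guest VLAN outcome is returned with `authorized=False`: the port forwards, but only into the guest group, which is the "minimum resources" behaviour the article describes. A port with no Guest VLAN configured stays blocked on any failure.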

Traffic control

A switch's flow control function prevents the abnormal load that occurs when broadcast packets, multicast packets and unicast packets with incorrect destination addresses flood the switch and consume excessive bandwidth. This improves overall system performance and keeps the network running securely and stably.
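One common way to implement this kind of control is a per-port token bucket for each class of flooded traffic. The following added example (written for this page, not taken from any switch firmware) classifies frames as broadcast, multicast or unknown-unicast (unicast whose destination the switch has not learned and therefore floods, which is how this example interprets the article's "incorrect destination address") and drops frames of a class once its configured rate is exceeded. The rates, burst sizes and names are assumptions.

```python
"""Added example (not from the article): a per-port storm-control model. Each
class of flooded traffic (broadcast, multicast, unknown-unicast) has its own
token bucket; frames beyond the configured rate are dropped so that a flood on
one port cannot consume the switch's bandwidth. Names and rates are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class TokenBucket:
    rate_pps: float          # sustained frames per second allowed
    burst: int               # bucket capacity (largest permitted burst)
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed since the last frame, then spend one token."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_pps)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


CLASSES = ("broadcast", "multicast", "unknown_unicast")


def classify(dst_mac: str, known_macs: Set[str]) -> Optional[str]:
    """Storm-control class of a frame, or None for ordinary known-unicast."""
    mac = dst_mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:   # I/G bit set: group (multicast) address
        return "multicast"
    if mac not in known_macs:               # not learned yet, so the switch would flood it
        return "unknown_unicast"
    return None


class StormControl:
    """Storm control for one port: one bucket per flooded-traffic class."""

    def __init__(self, rate_pps: float, burst: int) -> None:
        self.buckets: Dict[str, TokenBucket] = {c: TokenBucket(rate_pps, burst) for c in CLASSES}
        self.dropped: Dict[str, int] = {c: 0 for c in CLASSES}

    def admit(self, dst_mac: str, known_macs: Set[str], now: float) -> bool:
        cls = classify(dst_mac, known_macs)
        if cls is None:                         # known unicast is never rate-limited here
            return True
        if self.buckets[cls].allow(now):
            return True
        self.dropped[cls] += 1
        return False


def simulate_flood(n_frames: int = 1000, rate_pps: float = 100, burst: int = 50,
                   duration: float = 1.0) -> Tuple[int, int]:
    """Constructed scenario: n_frames broadcast frames spread evenly over `duration`
    seconds on one port. Returns (admitted, dropped)."""
    sc = StormControl(rate_pps, burst)
    admitted = 0
    for i in range(n_frames):
        now = duration * i / n_frames
        if sc.admit("ff:ff:ff:ff:ff:ff", set(), now):
            admitted += 1
    return admitted, sc.dropped["broadcast"]


if __name__ == "__main__":
    print(simulate_flood())            # roughly burst + rate*duration admitted, the rest dropped
    print(simulate_flood(n_frames=50)) # 50 frames/s is under the limit: nothing dropped
```

With a 100 pps limit and a burst of 50, a flood of 1000 broadcast frames in one second lets through about 150 frames (the initial burst plus the sustained rate) and drops the rest, while 50 frames per second passes untouched. Multicast is recognised by the I/G bit of the first address octet, so an unknown-unicast flood and a multicast flood draw on separate buckets.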

SNMP v3 and SSH

SNMP v3 is a new architecture for secure network management that consolidates the various versions of the SNMP standard and thereby strengthens the security of network management. The security model proposed by SNMP v3 is the User-based Security Model (USM). Under USM, management messages are encrypted and authenticated on a per-user basis; which protocols and keys are used for encryption and authentication is determined by the user name (userName) and the authoritative engine identifier (EngineID). The recommended encryption protocol is CBC-DES, and the recommended authentication protocols are HMAC-MD5-96 and HMAC-SHA-96. Through authentication, encryption and time windows, USM provides data integrity, data origin authentication, data confidentiality and timeliness for the message service, and so effectively prevents unauthorized users from modifying, masquerading as, or eavesdropping on management information.
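The sentence above about keys being decided by the user name and the EngineID is worth seeing in code. In USM (RFC 3414) a user's password is first hashed into a key and that key is then localized with the authoritative engine's EngineID, so the same password yields a different key on every agent; the HMAC-MD5-96 and HMAC-SHA-96 tags are the full HMAC truncated to 96 bits. The following is an added example written for this page, not code from the article or from any SNMP library; it uses the sample password and EngineID from RFC 3414 Appendix A.3 and a constructed message.

```python
"""Added example (not from the article): the USM password-to-key and key
localization steps of RFC 3414, followed by the HMAC-MD5-96 / HMAC-SHA-96
truncated authentication tag. Stand-alone, no SNMP library is used; the sample
password and EngineID are the ones given in RFC 3414 Appendix A.3."""
import hashlib
import hmac
from typing import Tuple


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes (Ku)."""
    total = 1_048_576
    pw = password.encode()
    buf = (pw * (total // len(pw) + 1))[:total]
    return hashlib.new(algo, buf).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one authoritative engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the HMAC over the message, truncated to 12 bytes."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)


def usm_keys(password: str, engine_id_hex: str, algo: str) -> Tuple[str, str]:
    """Return (Ku, Kul) as hex for the given password, EngineID and hash algorithm."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password, algo)
    kul = localize_key(ku, engine_id, algo)
    return ku.hex(), kul.hex()


def tamper_demo(algo: str = "sha1") -> Tuple[bool, bool]:
    """Constructed message: tag verifies on the original, fails after one byte changes."""
    _, kul_hex = usm_keys("maplesyrup", "000000000000000000000002", algo)
    kul = bytes.fromhex(kul_hex)
    msg = b"constructed SNMPv3 PDU bytes: get sysUpTime.0"   # not a real BER encoding
    tag = auth_tag(kul, msg, algo)
    forged = msg[:-1] + bytes([msg[-1] ^ 0x01])
    return verify(kul, msg, tag, algo), verify(kul, forged, tag, algo)


if __name__ == "__main__":
    # RFC 3414 A.3.1 / A.3.2 test vectors for password "maplesyrup", EngineID 00..02
    print(usm_keys("maplesyrup", "000000000000000000000002", "md5"))
    print(usm_keys("maplesyrup", "000000000000000000000002", "sha1"))
    print(tamper_demo())   # (True, False)
```

Two points follow from the code: an agent never stores the raw password, only the localized key, and a key captured from one engine is useless against another because the EngineID is baked into it. The 96-bit truncation is what the "-96" in HMAC-MD5-96 and HMAC-SHA-96 refers to.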

As for remote network management through Telnet: the Telnet service has a fatal weakness, namely that it transfers the user name and password in clear text, so they are very easily stolen by people with ulterior motives and the device is then attacked. With SSH communication, both the user name and the password are encrypted, which effectively prevents password eavesdropping and gives network managers secure remote management.

Syslog and Watchdog

A switch's Syslog function transmits system errors, system configuration, status changes, periodic status reports and other information the user has asked for to a log server. From this information, network management staff can grasp the operating state of the equipment, detect problems early, adjust the configuration in time and clear faults, protecting the security and stability of the network.
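Log lines are only useful if someone reads them, so here is an added example (written for this page, not from the article or any vendor) of the small amount of code a log server needs to pull severity out of RFC 3164-style syslog lines and flag the event kinds the article lists: errors, configuration changes, state changes. The sample lines, the host name, the message wording and the patterns matched against them are constructed for the example; real switches word their messages differently, so the patterns would need adjusting.

```python
"""Added example (not from the article): a reader for RFC 3164-style syslog
lines as a switch might send them to a log server. It extracts facility and
severity from the <PRI> field and tags the event kinds the article mentions
(errors, configuration changes, state changes). Sample lines, host names and
message formats are constructed for the example."""
import re
from typing import Dict, List

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # RFC 3164 PRI = facility*8 + severity
    r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Event kinds worth a second look (assumed message wording).
WATCH = [
    ("config_change", re.compile(r"config(uration)? (changed|saved)", re.I)),
    ("link_change", re.compile(r"port \S+ link (up|down)", re.I)),
    ("auth_failure", re.compile(r"(login|authentication) fail", re.I)),
    ("restart", re.compile(r"(watchdog|restart|reload)", re.I)),
]

# Constructed sample: what a switch named sw-core1 might log over a few minutes.
SAMPLE = [
    "<189>Jan  5 10:15:02 sw-core1 SYS: Port gi1/0/24 link down",
    "<190>Jan  5 10:15:40 sw-core1 SYS: Temperature sensor 1 reading 41C",
    "<189>Jan  5 10:16:10 sw-core1 CONFIG: Configuration changed by user admin via SSH from 10.0.100.7",
    "<188>Jan  5 10:16:55 sw-core1 AAA: Authentication failed for user admin from 10.0.0.77",
    "<187>Jan  5 10:17:03 sw-core1 SYS: Watchdog timer expired, system restart",
    "this line has no priority field and should be reported as unparsed",
]


def parse_line(line: str) -> Dict:
    """Split one line into its fields; unparsable lines are kept, not dropped."""
    m = LINE_RE.match(line)
    if not m:
        return {"raw": line, "error": "unparsed"}
    facility, severity = divmod(int(m["pri"]), 8)
    msg = m["msg"]
    return {
        "ts": m["ts"], "host": m["host"], "facility": facility,
        "severity_num": severity, "severity": SEVERITY[severity], "msg": msg,
        "tags": [name for name, rx in WATCH if rx.search(msg)],
    }


def triage(lines: List[str], max_severity: int = 4) -> List[Dict]:
    """Entries an operator should see: anything at `max_severity` (warning) or
    more severe, anything carrying a watch tag, and anything that failed to parse."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if "error" in entry or entry["severity_num"] <= max_severity or entry["tags"]:
            out.append(entry)
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e.get("severity", "?"), e.get("tags", []), e.get("msg", e.get("raw")))
```

Of the six constructed lines, five are surfaced: the routine temperature reading at `info` is the only one filtered out. Keeping unparsed lines in the output matters because a device that changes its message format, or an attacker-controlled host that sends junk to the log server, should show up rather than vanish silently.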

The Watchdog sets a timer; if the timer is not reset within the configured interval, an internal CPU instruction is generated to restart the equipment. With this function the switch can restart itself automatically when a failure or emergency occurs, protecting the operation of the network.

Dual image files

Some of the latest switches, such as the Asus GigaX2024/2048, also have dual image files. This feature ensures that the equipment can still boot and operate normally under exceptional circumstances (such as a failed firmware upgrade). The file system and the image are stored in two separate parts; if one file system is damaged or corrupted, the switch rewrites that file system, and if both file systems are damaged, the equipment clears the file system and rewrites the factory default settings, so that the system starts up securely.

In fact, most of the switching products that have appeared recently have put a great deal of work into their security design: layer upon layer of protection and step-by-step filtering, doing everything possible to exclude insecurity to the greatest extent. If business users make full use of these network security functions and combine them sensibly, they can do the most the network allows to prevent the spread of the ever-growing variety of attacks and abuse. We hope your corporate network will be more solid and secure from now on.
