【 Weak current College 】 smart communities how to set up switch system

Switch in occupies an important corporate network, is often at the core of the entire network. In the area of the hackers, virus raging network era, as a core switch is also granted to assume part of the network security. Therefore, a switch to a professional security product performance, security has become the network construction must consider the focus. Safety switch which came into being, in the switch integrated safety certification, the ACL (access control list AccessControlList), firewall, intrusion detection and anti-virus features, network security really need "armed to the teeth"

Safety switch three meanings

Switch is the most important role is the forwarding of data, hacker attacks and viruses, switch to be able to continue to maintain its highly efficient data forwarding rate and are not affected by the attacks, this is the switch needs the most basic security features. At the same time, the switch as the core of the entire network, you should be able to access and access network information to distinguish between users and permissions control. More importantly, the switch should also be combined with other network security devices, non-authorized access and network attacks by monitoring and blocking.

The new features of safety switches

802.1x strengthening security certification

In a traditional local area network environment, as long as there are physical connection port, unauthorized network devices can access a local area network, or an unauthorized user can connect to a local area network equipment into the network. This has caused to some potential security threats. In addition, the school as well as the intelligent community network, due to network billing, so verify the legitimacy of user access is also very important. IEEE802.1x is the solution to the problem of the sensibilities, has now been integrated into the second layer intelligent switch, complete the user access the security audit.

802.1x Protocol is just completed standardized set of protocols for a meet the IEEE802 local access control protocol, known as port-based access control protocol. It can use IEEE802 LAN advantage basis provide a way to connect to a local area network user authentication and authorization of means to achieve a legitimate user access, accepted to protect network security.

802.1x Protocol and LAN is seamless integration. 802.1x leverage Exchange physical characteristics of LAN infrastructure for LAN port on the equipment certification. In the certification process, the LAN ports or act as a certification, or play the requester. As an authenticator, a LAN port and in port by the need for users to access the corresponding service before the first certification, if authentication fails in access is not allowed; as the requester, the LAN port is responsible for submitting to the authentication server access services applications. Port-based MAC locking only allow trusted MAC address in the send data to the network. From any "no confidence" in the device data stream will be automatically discarded, thereby ensuring maximum security.

Agreement in 802.1x, only have the following three elements to complete port-based access control for user authentication and authorization.

1. the client. General installation on the user's workstation, when the user has the Internet needs to activate the client program, type the necessary username and password, the client will be sent the connection request.

2. the certification system. In the Ethernet system refers to authentication switch, its main role is to complete the user authentication information uploaded, release, and on the basis of the certification results open or close the port.

3. the certification server. Through the test client sent to the identity (your username and password) to identify whether the user has the right to use the network system provides network services, and on the basis of the certification issued to the switch to open or maintain the status of the port is closed.

Flow control

Safety switch for flow control technology to flow through the port of anomaly traffic restrictions within a certain scope, avoid switching bandwidth is unlimited abuse. Safety switch for the flow control feature to implement flow control to the exception, avoid network congestion.

Anti-DDoS

Enterprise network once subjected to large-scale distributed denial of service attacks that affect a large number of users of normal network use, serious or even paralysis, a network service providers the most headache attacks. Safety switch with specialized technology to protect against DDoS attacks, it could not affect the normal operations of the circumstances, intelligently detects and blocks malicious traffic, thereby preventing network from DDoS attacks.

Virtual LAN, VLAN

Virtual local area network is an essential function of the safety switch. VLAN can second-tier or three-layer switches on limited broadcast domains, it can put the network into an independent area, you can control whether to address these areas. VLAN may span one or more switches, and regardless of their physical location, the device seems to be on the same network communications. VLAN can be formed in various forms, such as port, MAC address, IP address, etc. VLAN restricts different VLAN between non-authorized access, and you can set the IP/MAC address binding limit user unauthorized network access.

Based on the access control list of the firewall features

Safety switch with ACL access control list to implement packet filtering firewall security features, enhanced security and protection capability. Access control list previously only in the core router to be used. In the security switch, and access control filtering measures can be based on source/destination Exchange slot, port, source/target VLAN, source/destination IP, TCP/UDP ports, and ICMP types or MAC address.

ACL not only allows network managers to develop network policies for individual users or specific data stream to allow or deny control can also be used to strengthen network security shield so that hackers can't find a specific host on the network for detection, to launch an attack.

Intrusion detection IDS

Safety switch IDS functionality can be reported to the information and data flow the content detection, see network security events, targeted action, and adds them to the security incident response action is sent to the switch, the switch to achieve accurate port disconnect operation. To implement this joint action, the need to switch to support authentication, port mirroring, forced flow classification, process control, port features such as anti-Cha

Equipment redundancy is important

Physical security is the redundancy is guaranteed safe operation of the network. Any vendor can guarantee that their products do not fail, but fails can quickly switch to a good device, is a concern. Backup power, backup management modules, redundant redundant equipment, such as the port is guaranteed even in the event of device failure, immediately give the backup module, run of network security.

The deployment of the safety switch

Safety switch, makes network switch this level of security capabilities. Safety switches can be equipped with a core network, as Cisco Catalyst6500 this modular core switch, the security features in the core. The advantage is you can in the core switch unified security policy configuration, do the centralized control and easy network management personnel monitoring and adjustment. And core switches are equipped with powerful capabilities, security performance is a lot of processing power, the core switch up the thing to do of it.

The safety switch is placed in the network access layer or convergence layer, is another option. It is equipped with a safety switch is the core of authority to the edge, at each edge began implementation of the safety switch performance, intrusion and attack and suspicious traffic jam on the edge, ensure the safety of the whole network. So you need an edge is equipped with safety switches, many manufacturers have introduced various edge or convergence layer using security switches. They are like one of the fortresses, built around the core stalwart defense of safety.

Safety switch sometimes cannot be supported, such as PPPoE authentication functionality requires a RADIUS server support, and other switches to and intrusion detection devices do linkage requires other network device or server support.

Safety switch upgrades

The current market has many new security switch, they are a factory was born with a number of security features. Then some old switch how can there be security protection. In General, for modular switch, the problem solved. Universal solution is in the old modular switch insert new security module, such as Cisco Catalyst6500 to firewall module, intrusion detection and security module IDS module; digital of 6610 switch equipped with PPPoE authentication module, directly into the old switch can let these "old revolution" to solve new problems.

If you previously purchased switch is fixed switches, some have the ability to model requires firmware by upgrading the firmware to implant new security features.

Safety switch foreground

As a user on the network environment of increasingly high demand, to have the security features of the switch. Many users think that spend a certain amount of investment in the safety switch, on the whole network robustness, and security improvements are worth it. In particular, some industry users, their network needs is not connected. Such as Bank, securities, and large enterprises, network a virus outbreak or intrusion losses, sufficient to exceed the safety switch of the extra investment. Safety switch has become the switch market to a new bright spot.