SoFunction
Updated on 2025-04-11

Basic skills of secure switches

In recent years, China's informatization drive has developed rapidly: bandwidth has grown wider and network speeds have increased several times over. E-mail traffic between networks has grown exponentially, and technologies such as IP voice and video have greatly enriched network applications. However, while the Internet brings people closer together, viruses and hackers also arrive uninvited. Increasingly intelligent viruses that mutate and reproduce rapidly, "idiot-proof" hacker tools, and flood-like attack trends have made enterprise information systems fragile and exposed them at any moment to the risk of paralysis or even permanent damage. Under these conditions, enterprises have no choice but to strengthen the security of their own information systems, hoping to obtain a thorough, once-and-for-all security protection system. Security, however, is always relative, and security measures are always reactive: no enterprise's security system can achieve a truly 100% security guarantee.

Research and analysis of how virus principles and intrusion-defense technology have developed show that a single antivirus product often leaves network security protection incomplete; network security can no longer be achieved through a single device or a single technology. Under the security strategies recently promoted across the industry, such as "combining software and hardware" and "coordinating internal and external defenses", switches, as backbone network equipment, naturally shoulder the important task of building a network security defense line.

The switch itself must be more secure

A switch is in fact a computer optimized for forwarding packets, and like any computer it can be attacked: on the one hand, an attacker may illegally obtain control of the switch and paralyze the network; on the other hand, it may be subjected to DoS attacks, for example by worms. In addition, the switch performs spanning-tree maintenance, routing protocol maintenance, ARP, routing table construction, ICMP message processing, and switch monitoring, and each of these may become a means for hackers to attack the switch.

Traditional switches are designed mainly for fast packet forwarding and emphasize forwarding performance. With the extensive interconnection of local area networks and the inherent openness of the TCP/IP protocol suite, network security has become a prominent problem: sensitive data and confidential information are leaked, and important data devices are attacked. As the key forwarding device in the network, a switch with only its original security characteristics can no longer meet current security needs, so traditional switches need to be made more secure.

From the perspective of network equipment manufacturers, a security-enhanced switch is an upgrade of an ordinary switch: in addition to the general functions, it has security policy functions that ordinary switches lack. Starting from network security and the user's service applications, such a switch can enforce specific security policies, restrict illegal access, support after-the-fact analysis, and effectively ensure that the user's network services run normally. One way to achieve this is to embed various security modules in existing switches, and more and more users are now asking for firewall, VPN, data encryption, identity authentication and other functions to be added to the switch.

Switches can easily implement network security control

A security-enhanced switch is itself resistant to attack and has more intelligence and more protective functions than an ordinary switch. In terms of system security, the switch implements a security mechanism across the whole network architecture from the core to the edge, that is, it encrypts and controls network management information through specific technologies. In terms of access security, it adopts a secure access mechanism that includes 802.1X access authentication, RADIUS/TACACS+, MAC address verification, and various virtual network technologies. Moreover, many switches add hardware security modules, and switches with intranet security functions have done a better job of curbing the intranet security risks that have spread with WLAN applications.

Currently, the commonly used security technologies in switches mainly include the following types.

Flow control technology

Flow control limits abnormal traffic through a port to a certain range. Many switches offer port-based flow control that can provide storm control, port protection, and port security. The flow control function notifies the other end to pause sending packets temporarily when congestion occurs between switches, so as to avoid packet loss. Broadcast storm suppression can cap the volume of broadcast traffic and discard broadcast traffic that exceeds the configured value. However, the switch's flow control function can only crudely limit the various types of traffic passing through a port: it confines abnormal broadcast and multicast traffic to a certain range but cannot distinguish normal traffic from abnormal traffic, and it is also difficult to choose an appropriate threshold.
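The threshold mechanism just described, and its blind spot, as an added Python model that is not part of the original article or any vendor's code: a per-port counter drops broadcast frames beyond a packets-per-second threshold within each one-second window. The port name, MAC addresses and traffic mix are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    ts: float      # arrival time in seconds
    dst_mac: str
    label: str     # constructed tag for the demo: "storm", "legit" or "unicast"

@dataclass
class StormControl:
    """Drop broadcast frames on a port once they exceed threshold_pps within
    the current one-second window. Unicast is never rate-limited."""
    threshold_pps: int
    _window: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def admit(self, port: str, frame: Frame) -> bool:
        if frame.dst_mac != BROADCAST_MAC:
            return True
        second = int(frame.ts)
        win_sec, count = self._window.get(port, (second, 0))
        if win_sec != second:  # a new one-second window starts: reset the counter
            win_sec, count = second, 0
        count += 1
        self._window[port] = (win_sec, count)
        return count <= self.threshold_pps

def run(ctrl: StormControl, port: str, frames: List[Frame]) -> Dict[str, Dict[str, int]]:
    """Replay frames in arrival order; return forwarded/dropped counts per label."""
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for f in sorted(frames, key=lambda x: x.ts):
        stats[f.label]["forwarded" if ctrl.admit(port, f) else "dropped"] += 1
    return dict(stats)

def build_traffic() -> List[Frame]:
    """Constructed traffic: a 200-frame broadcast storm in second 0, one unicast
    frame, then a 150-frame legitimate ARP burst (e.g. after a link flap) in second 1."""
    storm = [Frame(i / 200, BROADCAST_MAC, "storm") for i in range(200)]
    unicast = [Frame(0.5, "00:11:22:33:44:55", "unicast")]
    legit = [Frame(1.0 + i / 150, BROADCAST_MAC, "legit") for i in range(150)]
    return storm + unicast + legit

if __name__ == "__main__":
    # The same threshold clips the storm and the legitimate burst alike.
    print(run(StormControl(threshold_pps=100), "gi1/0/1", build_traffic()))
```

The legitimate ARP burst loses frames just as the storm does, which is the limitation the text points out: the threshold sees only volume, not intent.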

Access Control List (ACL) technology

ACLs ensure that network devices are not accessed illegally or used as a springboard for attacks by controlling access to network resources. An ACL is a table of rules that the switch applies in sequence to each packet entering a port. Each rule either permits or denies a packet according to its attributes (such as source address, destination address, and protocol). Because the rules are processed in order, the relative position of each rule is decisive for which packets are and are not allowed through the network.
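The first-match evaluation described above, as an added Python model (not code from the original article or any switch vendor): an ordered rule table with an implicit final deny, and a constructed policy whose effect flips when two rules swap places. The addresses and ports are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix such as "10.0.1.0/24", or "any"
    dst: str                     # destination prefix, or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the table top to bottom; the first matching rule decides. An
    unmatched packet falls through to the implicit deny most switch ACLs end with."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed policy: one host in 10.0.1.0/24 is barred from the management
# segment 10.0.100.0/24, while the rest of the subnet may reach SSH there.
HOST_BLOCK = Rule("deny", "10.0.1.50/32", "10.0.100.0/24", "any")
SUBNET_SSH = Rule("permit", "10.0.1.0/24", "10.0.100.0/24", "tcp", 22)
CORRECT_ORDER = [HOST_BLOCK, SUBNET_SSH]
WRONG_ORDER = [SUBNET_SSH, HOST_BLOCK]   # the broad permit shadows the specific deny

SSH_FROM_BLOCKED_HOST = Packet("10.0.1.50", "10.0.100.10", "tcp", 22)
SSH_FROM_OTHER_HOST = Packet("10.0.1.7", "10.0.100.10", "tcp", 22)
TELNET_FROM_OTHER_HOST = Packet("10.0.1.7", "10.0.100.10", "tcp", 23)

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, evaluate(acl, SSH_FROM_BLOCKED_HOST))
```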

The industry now generally holds that security should be distributed throughout the entire network: security between the intranet and the outside network must be handled by professional security equipment such as firewalls, but switches must also play a role in protecting users. At present, the vast majority of users take a positive attitude towards solving security problems through switches. Nearly 75% of users plan to take security measures on their switches in the future, hoping to achieve their security goals by hardening the switches spread across the network.

"Security" requires excellent architecture

A good product must first have an excellent architectural design. Nowadays many switch products adopt a fully distributed architecture, use powerful ASIC chips to perform high-speed route lookups, and forward data using longest-prefix matching and packet-by-packet forwarding, which greatly improves the forwarding performance and scalability of routing switches.

In addition to the fully distributed architecture described above, the DCRS-7600 series IPv6 10 Gigabit routing switch also has a well-designed set of security functions that can effectively prevent attacks and viruses, making it better suited to large-scale, multi-service access networks with complex traffic and to metropolitan-area Ethernet. Its S-ARP (Secure ARP) function can effectively prevent ARP-DoS attacks. The Anti-Sweep function automatically monitors for malicious scanning behaviour and raises alarms or takes other security measures, such as prohibiting network access; this feature can contain many unknown new viruses before a large-scale outbreak. The S-ICMP (Secure ICMP) function can effectively prevent ping-DoS attacks and flexibly prevent hackers from using ICMP Unreachable messages to attack third parties. The secure and intelligent S-Buffer function, together with software IP traffic anti-impact protection, can prevent distributed DoS (DDoS) attacks by intelligently monitoring and adjusting the packet buffers and the IP message queue traffic heading to the CPU, keeping the core switch safe and sound under DDoS attack.

CPU core protection of the switching engine can effectively prevent various illegal protocol attacks from paralyzing the core device's switching engine. The green-channel function for key protocols ensures that normal, legitimate control messages arriving at a reasonable rate (STP, MSTP, RIP, OSPF, BGP, multicast protocols, dual-engine board heartbeats, etc.) are not swamped by heavy service traffic and are processed promptly and without interruption. Advanced LPM technology can resist the "Shockwave" virus, "zero-day" viruses, the "SQL Slammer" worm, and so on. The port trust mode can detect illegal DHCP servers, illegal RADIUS servers, etc., and allows such servers only on trusted ports, thereby ensuring network security.

The DCRS-7600 series can apply security policies based on time periods: the security settings follow the clock and automatically switch to different policies in different time periods. Intelligent traffic control can classify traffic based on ACLs. Compared with traditional classification based on switch port, ToS, DSCP, CoS, and 802.1p, ACL-X classification is finer-grained and closer to the service itself. Security policy distribution is also more flexible: a policy can be configured on any port, VLAN, or VLAN interface.

Application-based service security management (SecAPP) enables linear service perception, which instantly detects the occurrence of various high-level application services without affecting the forwarding performance of the switch at all (hence "linear"). The intelligent service policy function classifies high-level application services according to preset policies into legal, illegal, and restricted services, and the deep service control function (based on ACL-X) applies different security controls to each class. Here the powerful ACL-X and QoS features are used to achieve flexible access control or traffic limiting. BT is an application that people both love and hate: while it speeds up file downloads, it over-consumes the user's bandwidth and seriously affects other network applications. SecAPP's most direct use is limiting BT. It can implement access control and traffic management for P2P application services such as BT and eDonkey without affecting the forwarding performance of the switch, and can manage the user's bandwidth.

IPv6 makes switches more secure

In recent years IT technology has developed rapidly. Growing user demand and the ever-larger number of terminal devices needing network access have driven the existing IPv4 address space towards exhaustion. Data from survey agencies show that there are about 4 billion IPv4 addresses available worldwide, and it is estimated that they will be fully allocated within the next five years. The situation in China is even more serious: Chinese netizens exceeded 80 million last year, yet as of the end of last year the total IPv4 address space applied for in China was only about 60 million. Some industry experts have pointed out clearly that if the IP address problem is not solved, it will become a bottleneck for the development of the IT industry and related industries in China and even worldwide. IPv6 has therefore become the panacea for the shortage of IPv4 addresses.

The IPv4 protocol used by the existing Internet was originally designed for educational research networks and enterprise networks, so little attention was paid to network security in the protocol's design, and the Internet's own security protection capabilities are limited as a result. Many application systems are unprotected or barely protected and carry too many security risks, and the situation grows ever more serious and complex. Today's virus is no longer a traditional virus but a cyber attack that combines the characteristics of hacking and viruses. In 2003, system vulnerabilities became the focus of public attention for the first time. At present, in addition to vulnerabilities in Microsoft's systems, there are large numbers of vulnerabilities in certain types of routers, databases, the Linux operating system, mobile communication systems and many specific application systems, especially key application systems such as finance, telecommunications, civil aviation, and power. Once such vulnerabilities are exploited by hackers, the consequences are unimaginable.

With the continuing development of user needs and business, Internet security has become a prerequisite for innovative services and profitable business models. Because IPv4 addresses are in short supply, end-to-end security cannot be achieved; the workaround has been network address translation (NAT), port multiplexing, or private IP addresses to stretch the public IP address space. NAT worked well for the original client/server applications, but new applications increasingly rely on peer-to-peer communication, and end-to-end addressing has also become very important for the rapidly growing population of online terminal devices. Since NAT cannot guarantee end-to-end communication, it restricts the development of many new services and seriously hinders the development of the Internet industry. End-to-end security is therefore a basic feature of future services, and only the rich address space of IPv6 can deliver true end-to-end communication and so underpin a variety of new services and mature business models for the next-generation Internet.

IPv6 provides sufficient security guarantees at two levels: address management and allocation, and the technology itself.

Address management and allocation method

IPv6's ample address space can by itself provide a unique IP address for every user and for every device and terminal. The lessons of Internet address allocation in the IPv4 era taught us that even with a 128-bit address space, a sound address management and allocation plan is still critical.

Technology

When designing the next-generation Internet protocol (IPv6), the IETF added mandatory requirements for network-layer security, designed the IPSec protocol specifically for it, and stipulated that all IPv6 implementations must support IPSec. IPSec can also be used with IPv4, but there it is optional.

IPv6 not only solves today's shortage of IP addresses; because it introduces authentication and encryption mechanisms, it also achieves identity authentication at the network layer and ensures the integrity and confidentiality of packets. In that sense, IPv6 can be said to deliver network-layer security.