Introduction to six security settings used in switches
L2 - L4 layer filtering
Most new switches can now meet a wide range of filtering needs by defining rules. Rules can be built in two modes. The first is MAC mode, which isolates data according to the source or destination MAC address as the user requires; the second is TCP/IP mode, which filters packets by source IP, destination IP, protocol, source port and destination port. Once defined, a rule must be bound to the corresponding receiving or transmitting port; when the switch receives or transmits data on that port, it checks each packet against the filtering rules and decides whether to forward or discard it. In addition, the switch evaluates the filtering rules with hardware logic AND gates, so rule matching does not affect the data transfer rate at all.
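A small model of the rule matching described above, written as an added example in Python (it is not code from this page or from any switch vendor): MAC-mode and TCP/IP-mode rules are bound to a port and a direction, omitted fields are wildcards, all given fields are ANDed, and the result is forward or discard. The rule set, packets and field names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed model: MAC-mode rules match MAC fields, TCP/IP-mode rules match the
# 5-tuple. Omitted fields are wildcards; every given field must match (logical AND).
MAC_FIELDS = {"src_mac", "dst_mac"}
TCPIP_FIELDS = {"src_ip", "dst_ip", "proto", "src_port", "dst_port"}

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Rule:
    mode: str        # "mac" or "tcpip"
    port: int        # switch port the rule is attached to
    direction: str   # "rx" (receiving) or "tx" (transmitting)
    action: str      # "forward" or "discard"
    match: dict = field(default_factory=dict)
    def __post_init__(self):   # reject fields that do not belong to the rule's mode
        allowed = {"mac": MAC_FIELDS, "tcpip": TCPIP_FIELDS}.get(self.mode, set())
        if not allowed or set(self.match) - allowed:
            raise ValueError(f"invalid fields {self.match} for mode {self.mode!r}")

def decide(rules, port: int, direction: str, pkt: Packet, default: str = "forward") -> str:
    """Consult only rules bound to this port and direction; first matching rule decides."""
    for r in rules:
        if r.port == port and r.direction == direction and all(getattr(pkt, f) == v for f, v in r.match.items()):
            return r.action
    return default

# Constructed rule set: isolate one source MAC entering port 1; stop port 3 from transmitting TCP port 23 (plaintext Telnet).
RULES = [
    Rule("mac", 1, "rx", "discard", {"src_mac": "00:11:22:33:44:55"}),
    Rule("tcpip", 3, "tx", "discard", {"proto": "tcp", "dst_port": 23}),
]
def demo() -> dict:
    rogue = Packet("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")
    tn = Packet("00:aa:bb:cc:dd:ee", "00:11:22:33:44:66", "10.0.0.5", "10.0.0.9", "tcp", 40000, 23)
    ssh = Packet("00:aa:bb:cc:dd:ee", "00:11:22:33:44:66", "10.0.0.5", "10.0.0.9", "tcp", 40001, 22)
    return {"rogue_p1_rx": decide(RULES, 1, "rx", rogue),
            "rogue_p2_rx": decide(RULES, 2, "rx", rogue),   # rule is not bound to port 2
            "telnet_p3_tx": decide(RULES, 3, "tx", tn),
            "ssh_p3_tx": decide(RULES, 3, "tx", ssh)}
```

The port binding matters: the same rogue MAC is dropped on port 1 but passes on port 2 because the rule is attached only to port 1.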
802.1X port-based access control
To prevent unauthorized users from accessing the LAN and to guarantee network security, the port-based access control protocol 802.1X has been widely adopted on both wired LANs and WLANs. For example, ASUS's latest generation of switch products, the GigaX2024/2048, not only supports 802.1X with Local and RADIUS authentication but also supports 802.1X Dynamic VLAN access. Built on VLAN and 802.1X, this means that wherever in the network a user account connects, it is always placed in the VLAN group specified for that account, going beyond the limitation of the original port-based 802.1Q VLAN. This feature gives mobile users flexible and convenient access to network resources while still guaranteeing the security of those resources. In addition, the GigaX2024/2048 switches support the 802.1X Guest VLAN function: in an 802.1X deployment, if a port is assigned a Guest VLAN, a user connecting through that port who fails authentication or has no user account becomes a member of the Guest VLAN group and can use the network resources available to that group. This function opens a minimum set of resources to certain groups of users while providing an outermost layer of access security for the entire network.
Flow control (traffic control)
Flow control on a switch prevents abnormally high traffic loads on the switch's bandwidth caused by broadcast packets, multicast packets and unicast packets with incorrect destination addresses. It also increases the efficiency of the whole system and keeps the network running safely and stably.
SNMP v3 and SSH
For secure network management, SNMP v3 proposes a new architecture that brings the individual versions of the SNMP standard together to enhance network security. The security model recommended by SNMP v3 is the User-based Security Model (USM). USM encrypts and authenticates network messages on a per-user basis: the user name (userName) and the authoritative engine identifier (EngineID) determine which protocols and keys are used for encryption and authentication (the recommended encryption protocol is CBC-DES, and the recommended authentication protocols are HMAC-MD5-96 and HMAC-SHA-96). Through authentication, encryption and timeliness checks, USM provides data integrity, data origin authentication, data confidentiality and message timeliness, effectively preventing unauthorized users from modifying, spoofing or stealing management information.
As for remote network management over Telnet, the Telnet service has a fatal weakness: it transmits the user name and password in plaintext, so anyone with ill intent can easily steal passwords and attack the device. When SSH is used for communication instead, the user name and password are encrypted, which effectively prevents password theft and lets network administrators manage the network remotely in a secure way.
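How the USM authentication protocols named above work, as an added example in Python (not code from the page or from any SNMP implementation): a password is localized to the authoritative EngineID, the HMAC over the message is truncated to 96 bits, and the receiver verifies it in constant time. The password-to-key and key-localization steps follow RFC 3414, which the page does not spell out; the message body and the second engine ID are constructed values.

```python
import hashlib
import hmac

# Constructed example of USM message authentication. The password-to-key and
# key-localization steps follow RFC 3414 (assumed here; the page only names
# the protocols). HMAC-MD5-96 / HMAC-SHA-96 means HMAC truncated to 96 bits.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
TAG_LEN = 12   # 96 bits

def password_to_key(password: bytes, engine_id: bytes, proto: str) -> bytes:
    """Ku = H(password repeated to 1 MiB); Kul = H(Ku || engineID || Ku)."""
    h = HASHES[proto]
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    ku = h(stream).digest()
    return h(ku + engine_id + ku).digest()

def auth_tag(key: bytes, message: bytes, proto: str) -> bytes:
    """HMAC over the whole message, keeping only the first 12 bytes."""
    return hmac.new(key, message, HASHES[proto]).digest()[:TAG_LEN]

def verify_tag(key: bytes, message: bytes, tag: bytes, proto: str) -> bool:
    """Constant-time comparison so the receiver leaks nothing about the expected tag."""
    return len(tag) == TAG_LEN and hmac.compare_digest(auth_tag(key, message, proto), tag)

# Password and engine ID taken from the RFC 3414 Appendix A test vectors.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

def demo(proto: str = "sha") -> dict:
    key = password_to_key(PASSWORD, ENGINE_ID, proto)
    msg = b"constructed SNMPv3 message body with userName=admin"   # constructed, not real BER
    tag = auth_tag(key, msg, proto)
    # The same password localized to a different engine ID yields a different key,
    # so a tag computed with it will not verify against this engine.
    other_key = password_to_key(PASSWORD, bytes.fromhex("000000000000000000000003"), proto)
    return {
        "tag_len": len(tag),
        "valid": verify_tag(key, msg, tag, proto),
        "tampered": verify_tag(key, msg.replace(b"admin", b"guest"), tag, proto),
        "wrong_engine": verify_tag(other_key, msg, tag, proto),
    }
```

In a real SNMPv3 message the 12-byte msgAuthenticationParameters field is set to zeros before the HMAC is computed over the whole message and is then replaced with the tag.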
Syslog and Watchdog
Switch Syslog logging transmits system errors, system configuration, status changes, periodic status reports at intervals set by the user, and system exit information to a log server. From this information, network administrators can follow the operating state of the equipment, find problems as early as possible, and perform configuration and debugging in a timely manner, guaranteeing safe and stable operation.
Watchdog sets a timer; if the timer is not reset within the configured interval, the CPU generates an internal restart command and the device restarts. This function lets the switch restart automatically and intelligently in the event of an emergency fault or accident, keeping the network operating safely.
Dual image file
Some of the latest industrial switches, such as the ASUS GigaX2024/2048, also have a dual image file. This function keeps the equipment up and running normally under exceptional conditions (a failed firmware upgrade, etc.). The file system is divided into two parts, a primary copy and a mirror. If one file system is damaged or corrupted, the other file system rewrites it; if both file systems are damaged, the equipment can erase both and rewrite them with the factory default settings, ensuring that the system is up and running securely.