Shulou(Shulou.com)06/01 Report--
Securing campus network devices is as important as designing the network for high availability. A security vulnerability can seriously threaten the normal operation of the company's business.
Most industries and enterprises focus on threats that come from outside the enterprise and on the upper layers of the OSI model. Network security work usually concentrates on edge routing devices and implements packet filtering based on layer 3 and layer 4 headers, ports, stateful packet inspection, and so on. The security of campus access layer devices and of layer 2 communication is often ignored.
According to statistics, 80% of security attacks come from inside the network. The security of access devices in the campus network therefore has to be considered carefully.
The common layer 2 security attacks are MAC layer attacks, VLAN attacks, spoofing attacks and attacks on switch devices. The detailed attack classification and attack methods are shown in the table below.
| Attack classification | Attack method | Attack description | Defense measures |
| --- | --- | --- | --- |
| MAC layer attack | MAC address flooding | Frames with unique, invalid source MAC addresses are flooded to the switch and consume its CAM table space, so legitimate hosts cannot create new MAC address entries; traffic destined for hosts without a CAM entry is flooded to all ports. | Port security; MAC address VLAN access control lists |
| VLAN attack | VLAN hopping | By changing the VLAN ID of packets encapsulated on trunk links, the attacking device can send or receive packets in different VLANs, bypassing layer 3 security. | Harden the trunk configuration and the negotiation state of unused ports; put unused ports into a common VLAN |
| VLAN attack | Attacks between devices on a common VLAN | Even devices in a common VLAN need to be protected from one another, especially on service provider segments that serve devices of multiple customers. | Implement private VLANs (PVLAN) |
| Spoofing attack | DHCP starvation and DHCP spoofing | The attacking device can use up the available address space on the DHCP server for a period of time, or disguise itself as a DHCP server in a man-in-the-middle attack. | DHCP snooping |
| Spoofing attack | Spanning tree spoofing | The attacking device disguises itself as the root bridge in the STP topology. If it succeeds, the attacker can see all kinds of data frames. | Proactively configure the primary and backup root devices; enable root guard |
| Spoofing attack | MAC spoofing | The attacking device disguises itself with the MAC address of a legitimate device currently in the CAM table, so that the switch sends frames destined for the legitimate device to the attacking device. | DHCP snooping; port security |
| Spoofing attack | ARP spoofing | The attacking device deliberately forges ARP replies for legitimate hosts. Its MAC address then becomes the layer 2 destination address of the frames sent by the legitimate network device. | Dynamic ARP inspection; DHCP snooping; port security |
| Switch device security | CDP modification | Information sent through CDP is in clear text and is not encrypted. If an attacker intercepts CDP messages, the whole network topology can be obtained. | Disable CDP on all ports where it is not intended to be used |
| Switch device security | SSH and Telnet attacks | Telnet packets can be viewed in clear text. SSH can protect packets, but version 1 still has security issues. | Use SSH version 2; use Telnet with a VTY ACL |
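As an added example (not from the original article), the following Python audit checks a switch configuration for several of the defenses listed in the table. The Cisco IOS command syntax, the sample configuration, and the policy of requiring port security, root guard and disabled CDP on every access port are assumptions made for illustration.

```python
import re
# Constructed sample running-config (Cisco IOS syntax assumed; not from the article).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip ssh version 2
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree guard root
 no cdp enable
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
line vty 0 4
 transport input telnet ssh
"""

# Defenses from the table mapped to IOS commands; requiring them on every access port is an assumption.
GLOBAL_CHECKS = {"DHCP snooping": r"ip dhcp snooping",
                 "dynamic ARP inspection": r"ip arp inspection vlan .+",
                 "SSH version 2": r"ip ssh version 2"}
PORT_CHECKS = {"port security": "switchport port-security",
               "root guard": "spanning-tree guard root",
               "CDP disabled": "no cdp enable"}

def parse_sections(config):
    """Map each unindented line to the indented sub-commands that follow it."""
    sections, current = {}, None
    for line in config.splitlines():
        if line[:1] == " " and current:
            sections[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            sections[current] = []
    return sections

def audit(config):
    """Return (scope, finding) pairs for defenses the configuration lacks."""
    sections, findings = parse_sections(config), []
    for name, pattern in GLOBAL_CHECKS.items():
        if not any(re.fullmatch(pattern, header) for header in sections):
            findings.append(("global", name))
    for header, lines in sections.items():
        if header.startswith("interface ") and "switchport mode access" in lines:
            findings += [(header.split()[1], n) for n, c in PORT_CHECKS.items() if c not in lines]
        if header.startswith("line vty"):
            telnet = any(re.match(r"transport input\b.*\b(telnet|all)\b", l) for l in lines)
            if telnet and not any(l.startswith("access-class ") for l in lines):
                findings.append((header, "Telnet allowed without a VTY ACL"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the missing dynamic ARP inspection, the two defenses absent on GigabitEthernet0/2, and the VTY line that accepts Telnet without an ACL.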