A senior network administrator explains how to secure a local area network

Most local area networks today run on Ethernet, which was designed as a broadcast medium. On a shared segment, a frame exchanged between any two nodes is not only received by the network cards of those two nodes but can also be captured by the network card of any other node on the same segment. An attacker therefore only needs to attach to any node on the Ethernet, put its interface into promiscuous mode and listen: every frame on the segment can be captured, decoded and analyzed to extract sensitive information. This is an inherent weakness of Ethernet, and many freely available hacking tools rely on Ethernet sniffing as their most basic technique.

LAN security

At present, there are the following solutions to ensure the safety of the local area network:

1. Network segmentation

Network segmentation is usually regarded as a basic means of controlling broadcast storms, but it is also an important security measure. Its purpose is to isolate untrusted users from sensitive network resources so that they cannot intercept each other's traffic. Segmentation can be physical or logical.

At present most LANs are built around a central switch, with routers at the border. Security control should therefore focus on the access-control and layer-3 switching functions of the central switch, applying physical and logical segmentation together. For example, the so-called intrusion detection function of the commonly used DEC MultiSwitch 900 is actually MAC-address-based access control, that is, physical segmentation at the data link layer as described above.

2. Replace shared hubs with switches (switching hubs)

Even after the central switch has been segmented, the danger of Ethernet sniffing remains. End users usually connect to a branch hub rather than directly to the central switch, and the most widely deployed branch hubs are shared hubs. A unicast packet exchanged between a user and a host is therefore still visible to every other user on the same hub. A particularly dangerous case: a user connects to a host with TELNET, and since TELNET has no encryption, every character typed (including the user name, password and other important information) crosses the wire in clear text, handing a listener everything needed to log in.

Therefore shared hubs should be replaced by switches, so that a unicast packet is forwarded only to the port of its destination node rather than to every port, which defeats passive interception. A switch can only do this for unicast traffic; broadcast and multicast packets are still delivered to every node. Fortunately, broadcast and multicast traffic carries far less sensitive information than unicast traffic. Note also that a switch is not a complete answer to sniffing: an attacker on the same segment can still pull unicast traffic through their own machine by ARP spoofing, or flood the switch's MAC address table until it forwards frames to every port like a hub. Port security on the switch and static ARP entries on critical hosts limit both.

3. VLAN division

To address Ethernet's broadcast problem, besides the methods above, VLAN (Virtual Local Area Network) technology can be used to confine Ethernet communication to something close to point-to-point exchange, defeating most sniffing-based intrusions.

Three main VLAN technologies are in use: VLANs based on switch ports, VLANs based on node MAC addresses, and VLANs based on application protocols. Port-based VLANs are somewhat less flexible, but they are mature, effective in practice and widely deployed. MAC-address-based VLANs make mobile computing possible, but because membership is decided by an address the attacker controls they are exposed to MAC address spoofing. Protocol-based VLANs are ideal in theory, but practical implementations are not yet mature.

In a centralized environment, all host systems at the center are usually placed in one VLAN with no user nodes in it, so that sensitive host resources are better protected. In a distributed environment, VLANs can be divided by organizational unit or department, with each department's servers and user nodes in their own VLAN, isolated from the others.

Connections within a VLAN are switched; connections between VLANs are routed. Most switches (including the widely adopted DEC MultiSwitch 900) support the two standard routing protocols RIP and OSPF. If other routing protocols are required (for example Cisco's EIGRP, or IS-IS for DECnet), an external multi-port Ethernet router can be used in place of the switch to route between VLANs, at the cost of lower forwarding efficiency.

Both plain switches and VLAN switches are based on switching technology. They are effective at controlling broadcasts and defeating sniffing, but for the same reason they blind intrusion monitoring and protocol analysis tools that rely on seeing all traffic on a shared segment. If such an intrusion detection device or protocol analyzer is deployed on the LAN, a switch with a SPAN (Switched Port Analyzer) function must be chosen. Such a switch lets the administrator mirror all or some of the traffic of selected switch ports to a designated port, to which the intrusion monitoring device or protocol analyzer is connected. In the external network design described below I chose Cisco's Catalyst series switches with SPAN, which gave us the benefits of switching while keeping the existing Sniffer protocol analyzer useful.
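The following is an added example, not code from the original article: a minimal frame decoder of the kind a sniffer on a shared hub, or a protocol analyzer fed by a SPAN port, runs over raw Ethernet frames. It decodes the Ethernet header (including an 802.1Q VLAN tag, as a SPAN or trunk port would deliver it), IPv4 and TCP, and then collects everything the client sent to TCP port 23, which for a Telnet login is the user name and password in clear text. The session it decodes is constructed inline (addresses, VLAN 10 and the typed credentials are invented for the example); nothing is captured from a real network and checksums are not computed.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_TCP = 6
TELNET_PORT = 23

# Constructed addresses for the sample session (not a real capture).
CLIENT_MAC = bytes.fromhex("02000000aa05")
SERVER_MAC = bytes.fromhex("02000000bb01")
CLIENT_IP = socket.inet_aton("10.0.0.5")
SERVER_IP = socket.inet_aton("10.0.0.1")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, vlan=None):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample.
    Checksums are left zero; the parser below does not verify them."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     src_ip, dst_ip) + tcp
    if vlan is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip
    # 802.1Q tag: TPID 0x8100, then a TCI whose low 12 bits are the VLAN ID
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF,
                                           ETHERTYPE_IPV4) + ip


def parse_frame(frame):
    """Decode Ethernet (optionally 802.1Q-tagged), IPv4 and TCP headers.
    Returns a dict describing the segment, or None for frames that are not TCP/IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
    if frame[offset + 9] != IPPROTO_TCP:
        return None
    src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst_ip = socket.inet_ntoa(frame[offset + 16:offset + 20])
    tcp = frame[offset + ihl:offset + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"vlan": vlan, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def recover_telnet_keystrokes(frames):
    """What a sniffer on a shared hub, or an analyzer on a SPAN port, gets from a
    Telnet session: every byte the client sent to TCP/23, in order. With no
    encryption this is the typed user name and password."""
    keystrokes = bytearray()
    for frame in frames:
        seg = parse_frame(frame)
        if seg and seg["dport"] == TELNET_PORT:
            keystrokes += seg["payload"]
    return keystrokes.decode("ascii", errors="replace")


def constructed_session(vlan=10):
    """A constructed login: one server prompt, then the client's keystrokes one
    character per segment, which is how an interactive Telnet client sends them."""
    frames = [build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP,
                          TELNET_PORT, 1025, b"login: ", vlan)]
    for ch in b"admin\r\ns3cret!\r\n":
        frames.append(build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP,
                                  1025, TELNET_PORT, bytes([ch]), vlan))
    return frames


if __name__ == "__main__":
    frames = constructed_session()
    print("VLAN:", parse_frame(frames[0])["vlan"])
    print("Recovered keystrokes:", repr(recover_telnet_keystrokes(frames)))
```

On a real system the same `parse_frame` would be fed from a raw socket or a pcap file; the point of the example is that nothing in the Telnet exchange itself stops the third party from reading it, which is why the remedy has to be at the switching or encryption layer, not in the protocol.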

WAN security

Since most WANs carry data over public networks, the chance of information being intercepted and exploited in transit is far greater than on a LAN. Without special software to protect the data, anyone with a freely downloadable packet inspection tool can intercept and decode the communication.

Therefore, measures must be taken to ensure that when information is sent and received over the wide area network:

① Nobody other than the sender and the receiver can read it (privacy, i.e. confidentiality);

② It is not tampered with in transit (integrity);

③ The sender can confirm that the receiver is not an impostor (authentication);

④ The sender cannot later deny having sent it (non-repudiation).

In order to achieve the above security purposes, WAN usually adopts the following security solutions:

1. Encryption Technology

The basic idea of encryption-based network security is not to rely on the security of the network's data channels but to protect the data itself by encrypting it. Data encryption technology is commonly divided into three categories: symmetric encryption, asymmetric encryption, and what is often loosely called irreversible encryption, that is, one-way hash functions.

One-way hash functions have no key storage or distribution problem and are well suited to distributed systems, but because the original data cannot be recovered from the hash they are only useful where it never needs to be, above all for stored passwords: a computer system keeps the hash of each password, not the password itself. Commonly used algorithms are MD5, designed by Ron Rivest of RSA Data Security, and the Secure Hash Standard (SHS) published by NIST (formerly the National Bureau of Standards). Cisco routers, which are widely deployed, offer two ways of protecting the privileged password: enable secret and enable password. enable secret stores a salted MD5-based hash (a "type 5" secret), which cannot be reversed; the only attack is guessing, by dictionary or brute force, so the strength of the passphrase is what matters. enable password, even with service password-encryption turned on, uses the very weak "type 7" scheme: the password is simply XORed with a fixed, publicly known key string, and several freely available tools reverse it instantly. Therefore enable password should not be used.
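The difference between the two Cisco password forms is easiest to see in code. The block below is an added example, not code from the article: it implements the type 7 scheme in both directions (the fixed key string it uses is the publicly known one, and the seed prefix and XOR rule are as IOS produces them, so "070C285F4D06" decodes to "cisco"), and beside it a salted, iterated one-way hash with a dictionary attack against it. That hash is an illustrative stand-in and is not the exact md5-crypt construction IOS uses for enable secret; the salt and wordlist are constructed for the example. The point it makes is the one the text makes: the type 7 value has a decode function, the hash has none, so the only route is guessing.

```python
import hashlib
from typing import Iterable, Optional

# The fixed key string behind Cisco's "type 7" (service password-encryption)
# obfuscation. It is public knowledge, which is exactly why type 7 is weak.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string. The first two characters are a decimal seed;
    every following hex pair is plaintext[i] XOR TYPE7_KEY[(seed + i) % 53]."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 7) -> str:
    """Produce the type 7 form of a password: the same XOR run the other way.
    IOS chooses the seed itself; here it is a parameter so results are reproducible."""
    data = plaintext.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# --- the one-way alternative ---------------------------------------------
# Illustrative salted, iterated one-way hash. This is NOT the md5-crypt ("$1$")
# construction IOS uses for enable secret; it stands in for it to show the
# property that matters: there is no decode function, only guessing.
def salted_hash(password: str, salt: bytes, rounds: int = 1000) -> str:
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + salt + pw).digest()
    return digest.hex()


def dictionary_attack(stored: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """The only way back from a one-way hash: hash each candidate with the stored
    salt and compare. Cost scales with the wordlist and the round count."""
    for guess in wordlist:
        if salted_hash(guess, salt) == stored:
            return guess
    return None


if __name__ == "__main__":
    # "070C285F4D06" is the well-known type 7 encoding of the password "cisco"
    print("type 7 070C285F4D06 ->", type7_decode("070C285F4D06"))
    print("type 7 of 'cisco' with seed 7 ->", type7_encode("cisco"))
    salt = b"ab12"  # constructed salt
    stored = salted_hash("cisco", salt)
    print("one-way hash:", stored)
    print("dictionary attack ->", dictionary_attack(stored, salt, ["admin", "cisco"]))
```

Because the type 7 key is fixed and public, `type7_decode` needs no secret at all: anyone who can read the configuration (a backup, a TFTP transfer, a `show running-config` over the Telnet session discussed earlier) has the password. The hash side only yields to a guess that is in the wordlist, which is why the strength of the enable secret passphrase is the controlling factor.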

2. VPN technology

The core of VPN (Virtual Private Network) technology is tunneling: the enterprise's private network data is encrypted, encapsulated and carried through a virtual tunnel across the public network, so that sensitive data cannot be read in transit. A VPN can be built over the Internet, a service provider's IP network, frame relay or ATM. An enterprise that builds a VPN over a public network gets much of what it would get from a private network of its own (security, priority, reliability and manageability) with a far shorter build time and much lower investment and maintenance costs, and it also makes mobile computing possible. For these reasons VPN technology spread worldwide as soon as it appeared.

However, it should be noted that at the time of writing the core VPN protocols such as L2TP and IPsec had not yet settled into a common standard (both have since been standardized by the IETF), so interoperability between different VPN service providers and VPN devices was a real problem. Enterprises must therefore choose VPN service providers and equipment carefully when selecting a VPN construction model.

3. Identity authentication technology

For users who dial in to the headquarters intranet from outside, the risks of carrying data over the public telephone network call for stricter control. The usual practice is to authenticate the identity of each dial-up user and to keep complete logs. The commonly used authentication protocols are TACACS+, proposed by Cisco, and the industry standard RADIUS. In the external network design mentioned above I chose Cisco Secure ACS V2.3 for RADIUS authentication.
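What RADIUS actually puts on the wire between the access server and the authentication server is worth seeing, since that link is itself a network path. The block below is an added example, not code from the article or from Cisco Secure ACS: it builds an Access-Request with the User-Password attribute hidden as RFC 2865 section 5.2 specifies (padded to 16-octet blocks, each XORed with MD5 of the shared secret and the previous block, the first with the Request Authenticator), a constructed server that unhides and checks it, and the client-side check of the Response Authenticator that lets the access server reject a forged Accept. The shared secret, user database and password are constructed for the example; only the two parties' messages are exchanged, in memory, so no network is needed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2. The password is padded with NULs to a multiple of 16;
    block 1 is XORed with MD5(secret + Request Authenticator), each later block
    with MD5(secret + previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of the same scheme; the trailing NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, b))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Client (access server) side: 16 random octets become the Request Authenticator."""
    request_authenticator = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed RADIUS server: unhide the password, check it, and sign the reply
    with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_authenticator = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_authenticator)
    reply_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes
    response_authenticator = hashlib.md5(header + request_authenticator + secret).digest()
    return header + response_authenticator


def client_verify(request: bytes, reply: bytes, secret: bytes):
    """Access server side: accept a reply only if its ID matches our request and its
    Response Authenticator verifies. Returns the reply code, or None if forged."""
    header, response_authenticator, attrs = reply[:4], reply[4:20], reply[20:]
    if header[1] != request[1]:
        return None
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_authenticator):
        return None
    return header[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    users = {b"alice": b"correct horse battery staple"}  # constructed; >16 octets = 2 blocks
    req = build_access_request(1, b"alice", users[b"alice"], secret)
    print("reply code:", client_verify(req, server_handle(req, secret, users), secret))
```

Two caveats follow directly from the code. The password hiding is keyed only by the shared secret and MD5, so a weak or reused secret exposes every dial-up user's password to anyone sniffing the access-server-to-RADIUS path; and in this base form the Access-Request itself carries no authenticator the server can check (that came later with the Message-Authenticator attribute of RFC 2869). The RADIUS exchange therefore belongs on a protected management network, not on the same segment as user traffic.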

Extranet security

What the author calls the extranet usually means interconnection with the Internet and with external enterprise users. Whatever form it takes, the extranet runs on the TCP/IP protocol family. The openness of the Internet protocol suite greatly facilitated the interconnection of all kinds of computers and directly drove the rapid development of networking. However, because security was neglected in the design of the early protocols and the Internet is used and managed with little central control, its security is constantly threatened and hacker incidents are frequent.

Threats to extranet security mainly take the form of unauthorized access, impersonation of legitimate users, destruction of data integrity, interference with normal system operation, use of the network to spread viruses, and eavesdropping.

Extranet security solutions mainly rely on firewall technology, intrusion detection technology and network anti-virus technology, and practical extranet designs usually combine all three. One example is the latest version of NAI's Gauntlet Active Firewall, a three-host adaptive dynamic firewall that bundles Gauntlet Firewall, CyberCop Scanner, CyberCop Monitor, WebShield for Firewall and other suites, integrating firewall, intrusion detection and network anti-virus technology so that they complement one another at a reasonable cost.
