How to secure Switches and Routers

Traditional network security technologies focus on systems intrusion detection, anti-virus or firewall software. What about internal security? Network security configuration, the switches and routers is very important, in the ISO networks model, in each layer must be safe, many switches and routers have security features rich, to understand what, how they work, how to deploy, a Layer will not affect the entire network. Switches and routers are designed to be secure by default, and are factory-set to a security setting. Special operational settings are activated when requested by the user, and all other options are turned off to reduce the risk, and network administrators do not need to know Which options should be turned off.

In the initial login will be mandatory to change the password, password aging options and limits the number of login attempts, and to encrypt stored. Deadline for the account (maintenance account or back door) is not there. Switches and routers in power-down, hot start, cold start, upgrading IOS , the case of a module or hardware failure must be safe, and after these events should not jeopardize the security and recovery operations because of the log, The network device should remain secure and accurate over the network time protocol. The name of the connection management via SNMP protocol should also be changed.

From the standpoint of availability, switches and routers need to be able to withstand Denial of Service (DoS) attacks and remain available during an attack. Ideally, they should be able to react when attacked, shielding attack IP and port. Each event is immediately reflected and recorded in the log, and they can also identify and respond to worm attacks.

Switches and routers used in FTP, HTTP, TELNET or SSH can have the code has loopholes , loopholes were found in the report, vendors can develop, create, test, release upgrades or patches.

Role-based administration gives the administrator the minimum program permissions to perform tasks, allows tasks to be assigned, provides checks and balances, and only trusted connections can manage stubs. Administrative rights can be granted to devices or other hosts, such as administrative rights that grant certain IP addresses and specific TCP / UDP ports.

The best way to control administrative privileges is to authorize access before entering permissions, through authentication and account servers, such as remote access services, terminal services, or LDAP services.
In many cases, administrators need remote management switches and routers, it is usually only available on the public network. SSH is the standard protocol for all remote command-line settings and file transfers. Web-based protocols use SSL or TLS. LDAP is usually the protocol for communication, while SSL / TLS encrypts this communication. .
SNMP is used to discover, monitor, and configure network devices. SNMP 3 is a sufficiently secure version to guarantee authorized traffic.
Establishing a login control can mitigate the possibility of an attack, setting the number of attempts to log in, and responding to such a scan. Detailed logs that the attempt to crack the password when port scans and is very effective.
Switch and router configuration file security can not be ignored, usually the configuration file is stored in a safe location, in the case of confusion, you can remove the backup file, install and activate the system to restore to a known state. Some switches incorporate intrusion detection capabilities, some supported through port mapping, allowing administrators to select monitoring ports. The role of the virtual network The virtual local network VLAN is a limited broadcast domain on the second layer, consisting of a group of computer devices, usually located on more than one LAN, possibly across one or more LAN switches irrespective of their physical location , The devices appear to communicate across the same network, allowing the administrator to divide the network into manageable small chunks that simplify the task of stinging, moving, changing devices, users, and permissions.
VLAN can be formed in various forms, such as switch port, MAC address, IP address, protocol type, DHCP, 802.1Q logo or user-defined. These can be deployed individually or in combination.
After the user passes the authentication process, the user is authorized to enter one or more VLANs. The authorization is not granted to the device.
Firewalls can control access between networks, the most widely used is embedded in traditional routers and multilayer switches, also known as ACLs, the main difference is that they scan the firewall packet depth, end to end direct communication or through the agent , Whether there is session.
In network-to-network access control, the route filtering action can be based on source / destination switch slot or port, source / destination VLAN, source / destination IP, or TCP / UDP port, ICMP type, or MAC address. For some switches and routers, the dynamic ACL standard can be created after the user passes the authentication process, just like an authenticated VLAN, but on the third layer. It is useful when an unknown source address is required to join a known internal destination.
Now the network requirements are designed to be safe at all levels. By deploying switch and router security settings, enterprises can create robust, secure systems at all levels with traditional security technologies.