Network equipment isolation technology

  Isolation technology classifies application systems according to their different security needs and separates the higher-risk application systems from the others, so that each can be protected appropriately. Specifically:

  • Isolation is usually achieved with an isolation device.
  • The isolation device can be an ordinary network device or a dedicated isolation device.

Network devices
  Network devices include hubs, switches, routers and layer-3 switches; each is described briefly below.

  • Hub
      A hub only synchronizes, amplifies and reshapes the signal; it does not change the data transmission process. It has no effective processing for short frames or fragments, so it cannot guarantee the integrity or correctness of transmitted data.
  • Switch
      A switch identifies the MAC addresses of the nodes connected to it and stores them in a MAC address table. The switch uses this table to decide which port a frame is sent out of.
  • Routers
      Routers, also called gateways, are network-layer devices that connect multiple logically separate networks. A router has its own operating system and runs a variety of network-layer protocols (such as IP, IPX and AppleTalk) to implement network-layer functions. It also plays an isolating role between the networks it connects.
  • Layer-3 switches
      A layer-3 switch combines a conventional switch with a conventional router: it performs port switching like a switch and also performs part of a router's routing function.

Isolation Technology

  • Hub isolation technology
      A hub works at the physical layer and simply amplifies the physical signal. Isolating a network with only a hub achieves very little, because the hub transmits every frame onto the network as a broadcast, so the information can be eavesdropped on by an attacker.

  • Switch isolation
      A switch works at the data link layer. In addition to amplifying the signal, it forwards data through specific ports, so it can provide flow control, frame sequencing, error checking, network topology and physical addressing functions.
      Because a switch has many ports and forwards data only through the specific port where the destination is attached, an attacker cannot obtain the data by simple eavesdropping, so a switch provides a much better isolation effect than a hub. A switch can also be divided into VLANs: some of its ports are assigned to a particular subnet, and different subnets cannot communicate with each other at the switch.
      VLANs can be divided in four ways:
     (1) port-based VLANs
     (2) MAC-address-based VLANs
     (3) network-layer-based VLANs
     (4) IP-multicast-based VLANs
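As an added example (not code from the original post), the following constructed model contrasts a hub with a switch that learns MAC addresses and enforces port-based VLANs, method (1) above. The port numbers, MAC strings and frame format are assumptions made for the illustration.

```python
from typing import Dict, Set, Tuple

# Added example, not code from the original post: a constructed model of a hub
# and of a switch with port-based VLANs (method (1) above). Frames are dicts
# with "src" and "dst" MAC strings; port numbers and MACs are made-up values.
Frame = Dict[str, str]
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Physical-layer repeater: every frame reaches every other port."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def deliver(self, ingress: int, frame: Frame) -> Set[int]:
        return {p for p in range(self.ports) if p != ingress}


class Switch:
    """Data-link-layer switch: learns MACs per VLAN, forwards only inside the VLAN."""

    def __init__(self, port_vlan: Dict[int, int]) -> None:
        self.port_vlan = port_vlan                       # port -> VLAN id
        self.mac_table: Dict[Tuple[int, str], int] = {}  # (VLAN, MAC) -> port

    def deliver(self, ingress: int, frame: Frame) -> Set[int]:
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, frame["src"])] = ingress   # learn where the sender lives
        out = self.mac_table.get((vlan, frame["dst"]))
        if out == ingress:
            return set()                                 # destination is on the ingress port
        if out is not None:
            return {out}                                 # known unicast: exactly one port
        # unknown destination or broadcast: flood, but only within the ingress VLAN
        return {p for p, v in self.port_vlan.items() if v == vlan and p != ingress}


def demo() -> Dict[str, Set[int]]:
    hub, sw = Hub(4), Switch({0: 10, 1: 10, 2: 20, 3: 20})
    results = {"hub": hub.deliver(0, {"src": "aa", "dst": "bb"})}
    results["learn_a"] = sw.deliver(0, {"src": "aa", "dst": BROADCAST})  # floods VLAN 10 only
    results["b_to_a"] = sw.deliver(1, {"src": "bb", "dst": "aa"})        # known: port 0 only
    results["c_to_a"] = sw.deliver(2, {"src": "cc", "dst": "aa"})        # other VLAN: never port 0
    return results
```

The hub hands every frame to all ports, while the switch delivers a known unicast to one port and a frame from VLAN 20 never reaches a VLAN 10 port, even when the destination MAC is known elsewhere.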

  • Router isolation technology
      A router is a device with routing functions that connects multiple networks or network segments.
    The main functions of a router are:
    (1) Network interconnection: a router supports various LAN and WAN interfaces and is primarily used to interconnect LANs and WANs, so that different networks can communicate with each other.
    (2) Data processing: a router provides packet filtering, packet forwarding, prioritization, multiplexing, encryption, compression and firewall functions.
    (3) Network management: a router provides configuration management, performance management, fault management and traffic control functions.
      Routers work at the network layer, so the isolation effect of a router is much greater than that of the two devices introduced above.
      Router isolation technology consists of:
     (1) network interconnection
     (2) network management
     (3) data processing

  Different network regions belong to different management domains, and the different ports of a router can be isolated from one another, because we can control the router's routing table to decide whether a message from one region is allowed to propagate into another.
[Figure: a router with three ports, each port connected to a different region]
  The router in the figure has three ports, and each port serves a different region. If the routing table is controlled accordingly, the regions cannot reach each other through the router, and the router plays the role of an isolator.
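The following is an added example (not code from the original post) modelling the three-port router in the figure: a routing table decides whether traffic may cross between regions, and a simple packet filter, the screening role a router plays beside a firewall, is checked first. The class, port names and addresses are constructed assumptions for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not code from the original post: a hypothetical model of the
# three-port router in the figure. Each port connects one region, the routing
# table decides whether traffic may cross between regions, and a simple packet
# filter (the router's "screening" role) is checked first. All addresses are
# constructed sample values.
Net = ipaddress.IPv4Network


class Router:
    def __init__(self) -> None:
        self.routes: List[Tuple[Net, str]] = []     # (destination prefix, egress port)
        self.deny: List[Tuple[Net, Net, int]] = []  # (src prefix, dst prefix, dst port)

    def add_route(self, prefix: str, port: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), port))

    def remove_route(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def add_deny(self, src: str, dst: str, dport: int) -> None:
        self.deny.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), dport))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means the destination region is unreachable."""
        addr = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, p) for n, p in self.routes if addr in n]
        return max(matches)[1] if matches else None

    def forward(self, src: str, dst: str, dport: int) -> str:
        """Packet filter first, then routing table; a miss in either drops the packet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in sn and d in dn and p == dport for sn, dn, p in self.deny):
            return "drop: filtered"
        egress = self.lookup(dst)
        return f"forward via {egress}" if egress else "drop: no route"


def demo() -> Dict[str, str]:
    r = Router()
    for prefix, port in (("10.1.0.0/16", "port0"), ("10.2.0.0/16", "port1"), ("10.3.0.0/16", "port2")):
        r.add_route(prefix, port)
    r.add_deny("10.1.0.0/16", "10.2.0.0/16", 23)  # region A may not telnet into region B
    web, telnet = r.forward("10.1.0.5", "10.2.0.9", 80), r.forward("10.1.0.5", "10.2.0.9", 23)
    r.remove_route("10.3.0.0/16")                 # withdraw the route: region C is cut off
    return {"web": web, "telnet": telnet, "to_c": r.forward("10.1.0.5", "10.3.0.7", 80)}
```

Withdrawing a region's route isolates it completely, while the deny list lets the router screen individual services between regions that are otherwise allowed to talk.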

Two forms of router-based network isolation

  • Router as the only security component
      Here the isolation of the whole network is implemented by a router alone. Compared with switches and hubs, this provides a higher level of security, but using a router as the only security component for network isolation has drawbacks:
      (1) The router's default configuration does not take security into account sufficiently. Generally speaking, the router needs advanced configuration to prevent certain attacks. In addition, many router security policies are configured on the command line, so the probability of configuration errors is higher.
      (2) The router's audit functions are inconvenient to use. Compared with a dedicated audit system or a firewall, many routers have weak audit analysis, and their logs and descriptions of abnormal events are not standardized.
  • Router as part of the security components
       In a comprehensive security architecture the router works together with other security components, such as firewalls, as follows:
      (1) In the overall security system, the router typically acts as a screening device and performs simple packet filtering.
      (2) At the same time, the router works with the firewall, and the firewall performs the more complex deep packet inspection.

  When the router works together with the other security components, the router is the first line of defense protecting the internal network, and the other security components (e.g., a firewall) are placed behind it.


Origin blog.csdn.net/fu_yunjian/article/details/104975513