Analysis of Customs LAN Security


Today's LANs are built on Ethernet, which is fundamentally a broadcast medium. On a classic shared Ethernet segment a packet exchanged between any two nodes is not seen only by those two nodes: it is put on the wire, and every other node on the same segment can read it as well. A hacker who gains access to any node on the segment and puts its interface into listening (promiscuous) mode can therefore capture every packet carried on that segment, decode it and extract sensitive information. This is an inherent security weakness of Ethernet.

Hackers have many free tools on the Internet for this; the original cites SATAN, ISS and NETCAT as the most basic means of Ethernet listening. Strictly speaking, SATAN and ISS are vulnerability scanners and NETCAT a raw TCP/UDP connection tool: the listening itself is done by a packet sniffer (protocol analyser) running on any node of the segment.

The LAN security measures currently available are the following:

1. Network segmentation

Network segmentation is usually regarded as a basic means of controlling broadcast storms, but it is also an important security measure. Its aim is to isolate unauthorized users from sensitive network resources, so that illegal interception is not possible in the first place. Segmentation can be done in two ways, physically or logically.

Currently most Customs LANs are built around a central switch with a border router. Security work should therefore concentrate on the access-control and Layer 3 (routing) switching functions of the central switch, applying physical and logical segmentation together. For example, the DEC MultiSwitch 900 commonly used in the Customs system offers intrusion detection and access control based on MAC addresses, which is physical segmentation at the data link layer.

2. Replacing shared hubs with switching hubs

Even after the LAN has been segmented at the central switch, the danger of Ethernet listening remains, because end users usually connect through branch hubs rather than directly to the central switch, and the most widely deployed branch hubs are shared hubs. When a user communicates with a host, the packets between the two machines (unicast packets) are still visible to every other user on the same hub. A particularly dangerous case is a user who TELNETs to a host: TELNET has no encryption, so every character the user types (including the user name and password) is sent in the clear, which is exactly what a hacker is waiting for.

For this reason shared hubs should be replaced by switching hubs, so that a unicast packet is delivered only to the port of its destination node and illegal interception is prevented. Note that a switching hub controls only unicast packets: broadcast packets and multicast packets are still flooded to every port. Fortunately, broadcast and multicast packets carry far less sensitive information than unicast packets. A switch's forwarding table can also be attacked, for example by flooding it with forged source addresses until it falls back to flooding unicast frames, so switching reduces the listening risk but does not eliminate it.
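The following model shows concretely what the two sections above describe: what a listener on a shared hub captures from a cleartext TELNET session, and how a switching hub stops the unicast frames from reaching the listener while broadcast and multicast frames are still flooded to it. This is an added example, not code from the original article; every frame, MAC address, IP address and keystroke in it is constructed for illustration.

```python
"""What a listener on a shared hub captures, versus a switching hub.

Added example, not code from the original article. Every frame below is
constructed by hand; the MAC addresses, IP addresses and the Telnet
session are illustrative.
"""
import struct

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
TELNET_PORT = 23


def eth_header(dst_mac, src_mac, ethertype):
    return dst_mac + src_mac + struct.pack("!H", ethertype)


def ipv4_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame. Checksums are left at zero: the
    point is the cleartext payload, not a frame a real stack would accept."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return eth_header(dst_mac, src_mac, ETH_IPV4) + ip + tcp


def frame_kind(frame):
    """Classify by destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    dst = frame[:6]
    if dst == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"


def visible_to(frame, station_mac, switched):
    """Would a promiscuous NIC at station_mac receive this frame?

    Shared hub: every station sees every frame. Switching hub: a unicast
    frame goes only to the port that learned its destination MAC (assumed
    already learned), while broadcast and multicast are still flooded."""
    dst, src = frame[:6], frame[6:12]
    if src == station_mac:
        return False  # a station does not sniff its own transmissions
    if not switched:
        return True
    return frame_kind(frame) != "unicast" or dst == station_mac


def telnet_payload(frame):
    """TCP payload of an IPv4 frame addressed to TCP port 23, else None.
    Telnet has no encryption, so each keystroke is a cleartext payload."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return tcp[data_offset:] if dport == TELNET_PORT else None


def sniff(frames, station_mac, switched):
    """Return (kind, telnet_payload) for every frame a sniffer at station_mac sees."""
    return [(frame_kind(f), telnet_payload(f)) for f in frames
            if visible_to(f, station_mac, switched)]


def recovered_keystrokes(frames, station_mac, switched):
    """Join the Telnet bytes the sniffer captured (user name and password included)."""
    return b"".join(p for _, p in sniff(frames, station_mac, switched) if p)


# Constructed addresses: a user workstation, the central host and an attacker
# that sits on the same branch hub as the user.
USER_MAC = bytes.fromhex("00005e001001")
HOST_MAC = bytes.fromhex("00005e001002")
EVIL_MAC = bytes.fromhex("00005e001003")
USER_IP, HOST_IP = bytes([10, 1, 1, 10]), bytes([10, 1, 1, 1])


def sample_session():
    """A user telnets to the host and types a user name and password, one
    character per packet; an ARP broadcast and a multicast frame follow."""
    frames = [ipv4_tcp_frame(HOST_MAC, USER_MAC, USER_IP, HOST_IP, 1025, TELNET_PORT, ch.encode())
              for ch in "admin\rs3cret\r"]
    frames.append(eth_header(BROADCAST_MAC, USER_MAC, ETH_ARP) + b"\x00" * 28)
    frames.append(eth_header(bytes.fromhex("01005e000001"), HOST_MAC, ETH_IPV4) + b"\x00" * 46)
    return frames


if __name__ == "__main__":
    frames = sample_session()
    print("shared hub, attacker sees:", recovered_keystrokes(frames, EVIL_MAC, switched=False))
    print("switching hub, attacker sees:", recovered_keystrokes(frames, EVIL_MAC, switched=True))
    print("switching hub, frame kinds still flooded:",
          [k for k, _ in sniff(frames, EVIL_MAC, switched=True)])
```

On the shared hub the attacker reassembles the whole user name and password from the one-character Telnet packets; on the switching hub it sees none of them, only the ARP broadcast and the multicast frame, which is the residual exposure the text mentions. The `visible_to` model assumes the switch has already learned the destination MAC; before that (or after a forwarding-table flooding attack) a real switch floods unknown unicast frames too.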

3. VLAN division

To overcome Ethernet's broadcast problem, VLAN (virtual LAN) technology can also be used in addition to the methods above. It turns Ethernet communication into point-to-point communication within a VLAN and blocks the most basic network listening attacks.

Three kinds of VLAN technology are currently in use: VLANs based on switch ports, VLANs based on MAC addresses, and VLANs based on the node's application protocol. Port-based VLANs are the least flexible but the most mature; in practice they are effective and widely used. MAC-address-based VLANs make mobile computing possible, but they are exposed to MAC-address spoofing: a station that forges a privileged MAC address is placed in that address's VLAN. Protocol-based VLANs look very good in theory but are not yet mature in practice.

In a centralized network environment the usual approach is to put all central host systems into one VLAN and to allow no user nodes in that VLAN, so that sensitive host resources are better protected. In a distributed network environment VLANs can be divided by organization or department, with each department's servers and user nodes in their own VLAN, isolated from the others.

Connections within a VLAN are made by switching; connections between VLANs are made by routing. Most current switches (including the DEC MultiSwitch 900 commonly used within Customs) support the international-standard routing protocols RIP and OSPF. If a special requirement calls for another routing protocol (such as Cisco's EIGRP, or IS-IS to support DECnet), an external router with several Ethernet interfaces can be used instead of the switch to route between the VLANs, although routing throughput then drops.

Both switching hubs and VLAN switches are built on switching technology and confine broadcasts. This is quite effective against hackers, but it also gets in the way of intrusion monitoring and protocol analysis tools, which rely on seeing all the traffic of a broadcast segment. To keep an intrusion monitor or protocol analyser on such a LAN, a switch with a SPAN (Switched Port Analyzer) function is needed. SPAN lets the administrator mirror the traffic of all or selected switch ports to a designated port, to which the intrusion monitoring device or protocol analyser is connected. In the design of the Xiamen Customs extranet, the author chose Cisco Catalyst series switches for their SPAN feature, gaining the benefits of switching while still letting the existing Sniffer protocol analyser be put to good use.
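The forwarding model below ties the VLAN discussion together: port-based VLAN membership confines broadcasts and unknown-unicast floods to one VLAN, traffic between VLANs must pass through the router port, a MAC-address-based VLAN rule can be hopped by forging the source MAC (the spoofing risk noted above), and a SPAN port receives a copy of everything so that a monitor still sees switched traffic. This is an added example, not code from the original article and not DEC or Cisco software; the port numbers, VLAN ids and MAC addresses are constructed.

```python
"""Forwarding model of a VLAN-capable switch: port-based VLANs, a
MAC-address-based VLAN policy, a router trunk for inter-VLAN traffic and a
SPAN (mirror) port for an intrusion monitor.

Added example, not code from the original article and not DEC or Cisco
software. Port numbers, VLAN ids and MAC addresses are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_vlan, mac_vlan=None, router_port=None, span_port=None):
        self.port_vlan = dict(port_vlan)       # access port -> VLAN id (port-based VLAN)
        self.mac_vlan = dict(mac_vlan or {})   # source MAC -> VLAN id (MAC-based VLAN)
        self.router_port = router_port         # trunk port of the inter-VLAN router
        self.span_port = span_port             # every forwarded frame is also copied here
        self.mac_table = {}                    # (vlan, mac) -> port it was learned on

    def ingress_vlan(self, port, src_mac, tag=None):
        """VLAN a frame belongs to when it enters the switch."""
        if port == self.router_port:
            if tag is None:
                raise ValueError("frames on the router trunk must carry an 802.1Q tag")
            return tag
        # A MAC-based rule overrides the port's VLAN, which is exactly what
        # lets a forged source MAC hop into a privileged VLAN.
        return self.mac_vlan.get(src_mac, self.port_vlan[port])

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return the set of ports that receive a copy of the frame."""
        vlan = self.ingress_vlan(in_port, src_mac, tag)
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac != BROADCAST and (vlan, dst_mac) in self.mac_table:
            out = {self.mac_table[(vlan, dst_mac)]}
        else:
            # Broadcast or unknown unicast: flood, but only inside this VLAN
            # (plus the router trunk, which is a member of every VLAN).
            out = {p for p, v in self.port_vlan.items() if v == vlan}
            if self.router_port is not None:
                out.add(self.router_port)
        out.discard(in_port)
        if self.span_port is not None and self.span_port != in_port:
            out.add(self.span_port)
        return out


# Constructed topology: ports 1-2 hold the central hosts (VLAN 10), ports 3-4
# hold user workstations (VLAN 20), port 24 is the router trunk and port 23
# the SPAN destination with the intrusion monitor attached.
SERVER = "00:00:5e:00:10:01"
USER = "00:00:5e:00:20:01"
ATTACKER = "00:00:5e:00:20:02"
MOBILE = "00:00:5e:00:10:09"   # laptop that a MAC-based rule always places in VLAN 10
ROUTER = "00:00:5e:00:00:fe"


def build_switch():
    return VlanSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20},
                      mac_vlan={MOBILE: 10}, router_port=24, span_port=23)


def scenario():
    """Run the exchanges described in the text and record who received what."""
    sw = build_switch()
    sw.forward(1, SERVER, BROADCAST)            # switch learns SERVER on port 1, VLAN 10
    sw.forward(24, ROUTER, BROADCAST, tag=20)   # router is known in VLAN 20 via the trunk
    r = {}
    r["user_broadcast"] = sw.forward(3, USER, BROADCAST)            # stays in VLAN 20
    r["user_to_server_direct"] = sw.forward(3, USER, SERVER)        # never reaches port 1
    r["user_to_router"] = sw.forward(3, USER, ROUTER)               # inter-VLAN path, hop 1
    r["router_to_server"] = sw.forward(24, ROUTER, SERVER, tag=10)  # hop 2, now in VLAN 10
    r["attacker_to_server"] = sw.forward(4, ATTACKER, SERVER)       # isolated like any user
    r["spoofed_mobile_to_server"] = sw.forward(4, MOBILE, SERVER)   # forged MAC -> VLAN 10
    return r


if __name__ == "__main__":
    for name, ports in scenario().items():
        print(f"{name:28s} -> ports {sorted(ports)}")
```

Two things to read off the results: a workstation in VLAN 20 cannot reach a host in VLAN 10 at all without going through the router, so an access list on the router (or the Layer 3 switch) is where inter-VLAN policy belongs; and the one rule that bypasses this isolation is the MAC-based rule, because the switch trusts a field the sender controls. Port 23 appears in every result, which is the SPAN behaviour the monitoring device depends on; on Catalyst switches this mirroring is configured with the `monitor session` commands.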

Besides these defences against outside hackers, the security of internal enterprise data is also very important. LAN monitoring is an effective measure for keeping internal corporate data secure: it can record computer activity, log keystrokes and control machines remotely; see the Ping32 LAN Manager software modules for details.


Source: blog.csdn.net/qq_44892098/article/details/91417929