At present, local area networks are mostly built on broadcast-based Ethernet. A packet exchanged between two nodes is received not only by the network cards of those two nodes but also by the network card of every other node on the same Ethernet segment. Therefore, as long as an attacker can listen on any one node on the Ethernet, they can capture every packet on that Ethernet, unpack it and steal critical information. This is a security weakness inherent in Ethernet.
In fact, many free hacking tools on the Internet, such as Satan, ISS and Netcat, all use Ethernet listening as their most basic technique.
Currently there are several approaches to securing a local area network:
1. Network segmentation
Network segmentation is usually regarded as a basic means of controlling broadcast storms, but it is also an important measure for network security. Its purpose is to isolate illegal users from sensitive network resources and so prevent possible illegal listening. Segmentation can be physical or logical.
At present, most customs local area networks use a switch-centred, router-bounded network pattern, so the access control and layer-3 switching functions of the central switch become the focus of LAN security control. For example, the intrusion detection function of the DEC MultiSwitch 900 commonly used in the customs system is in fact access control based on MAC addresses, that is, the physical segmentation at the data link layer described above.
2. Replacing shared hubs with switched hubs
The danger of Ethernet listening remains even after the central switch has segmented the LAN. This is because end users are usually connected through a branch hub rather than the central switch, and the most widely used branch hubs are shared hubs. When a user communicates with a host, the packets between the two machines (unicast packets) can still be listened to by every other user on the same hub. A very dangerous case is a user who Telnets to a host: because the Telnet program has no encryption of its own, every character the user types (including important information such as the username and password) travels in clear text, which gives an attacker the opening they need.
Therefore, shared hubs should be replaced by switched hubs, which deliver a unicast packet only between the two nodes concerned and so prevent illegal listening. Of course, a switched hub can only control unicast packets; it cannot control broadcast and multicast packets. Fortunately, the critical information carried in broadcast and multicast packets is far less than in unicast packets.
3. VLAN division
In order to overcome the broadcast problem of Ethernet, in addition to the methods above, VLAN (virtual local area network) technology can be used to turn Ethernet communication into point-to-point communication and so prevent most network-listening intrusions.
There are three main kinds of VLAN technology: VLANs based on switch ports, VLANs based on node MAC addresses and VLANs based on application protocols. Although port-based VLANs are somewhat less flexible, the technology is mature, its effect is significant and it is popular in practical deployments. MAC-address-based VLANs make mobile computing possible, but they also carry the hidden danger of MAC address spoofing. Protocol-based VLANs are ideal in theory, but practical implementations are not yet mature.
In a centralised network environment, we usually place all host systems in the centre in one VLAN and allow no user nodes in that VLAN, which better protects sensitive host resources. In a distributed network environment, we can divide VLANs by organisation or department: all servers and user nodes of each department are in their own VLAN, without interfering with one another. Connections inside a VLAN are implemented by the switch, while connections between VLANs are implemented by routing. Currently most switches (including the DEC MultiSwitch 900 used in the customs) support the two international standards RIP and OSPF. If there is a special need to use other routing protocols (such as Cisco's EIGRP or IS-IS), an external router with multiple Ethernet ports can be used instead of the switch to route between VLANs, although the efficiency of routing and forwarding will then decline.
Whether it is a switched hub or a VLAN switch, the core is switching technology. They are quite effective at controlling broadcasts and stopping attackers, but they also create trouble for intrusion monitoring and protocol analysis techniques that rely on the broadcast principle. Therefore, if the LAN has such an intrusion monitoring or protocol analysis device, a switch with SPAN (Switch Port Analyzer) must be chosen. Such a switch lets the system administrator mirror all or some of the switched ports to a specified port, and the intrusion monitoring or protocol analysis device is connected to that port. In the design of the Xiamen Customs network, the author selected Cisco's SPAN-capable Catalyst series switches, which provide the benefits of switching technology while keeping the existing Sniffer protocol analyzer useful.
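The following toy model, added here and not taken from the original article, shows the two points made above about switching: a shared hub repeats a Telnet user's unicast frames to every station, a switched hub delivers learned unicast only to the destination port while still flooding broadcast, multicast and not-yet-learned unicast, and a SPAN port restores full visibility for an analyzer. The port numbers, MAC addresses and Telnet scenario are constructed sample values.

```python
"""Toy model of frame delivery on a shared hub vs a switched hub with a SPAN port.
Added example, not code from the original article; ports, MAC addresses and the
Telnet scenario are constructed sample values."""

PORTS = {1, 2, 3}  # constructed: user on 1, Telnet host on 2, third station on 3


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def hub_deliver(in_port, frame, ports=PORTS):
    """Shared hub: every frame is repeated to every other port, so any
    station can listen to the unicast Telnet traffic of the others."""
    return {p for p in ports if p != in_port}


class LearningSwitch:
    """Switched hub: learns which port each source MAC is on and sends a known
    unicast frame only to that port. Broadcast, multicast and not-yet-learned
    unicast are still flooded. An optional SPAN port gets a copy of every frame,
    which is how an analyzer keeps seeing traffic once switching hides it."""

    def __init__(self, ports=PORTS, span_port=None):
        self.ports = set(ports)
        self.mac_table = {}         # source MAC -> port it was last seen on
        self.span_port = span_port  # mirror port, outside normal flooding

    def deliver(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        if is_group_address(dst) or dst not in self.mac_table:
            out = {p for p in self.ports if p != in_port}
        else:
            out = {self.mac_table[dst]} - {in_port}
        if self.span_port is not None:
            out.add(self.span_port)  # analyzer on the SPAN port sees everything
        return out


def telnet_exposure(deliver):
    """Which ports receive the frame carrying the user's Telnet password.
    The password frame is sent after the host has replied once, so a switch
    has already learned where both stations are."""
    user, host = "00:00:0c:aa:aa:01", "00:00:0c:bb:bb:02"  # constructed MACs
    frames = [(1, {"src": user, "dst": host}),  # first frame, host not yet learned
              (2, {"src": host, "dst": user}),  # reply: switch learns both ports
              (1, {"src": user, "dst": host})]  # password, sent in clear text
    return [deliver(p, f) for p, f in frames][-1]
```

Running `telnet_exposure(hub_deliver)` gives ports 2 and 3, so the third station sees the password; `telnet_exposure(LearningSwitch().deliver)` gives only port 2, and adding `span_port=4` gives ports 2 and 4, the mirror port where the analyzer sits.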