LAN security

zhaozj  2021-02-11  259


A local area network (LAN) is a network whose resources are shared among its hosts, and more and more LANs are deployed in office buildings and office areas as small internal networks. However, because a LAN uses broadcast transmission, anyone who can listen to all the packets in a broadcast domain can analyze them, and then all the information transferred in that broadcast domain is exposed to the attacker. LANs therefore adopt some basic protective measures. Let's introduce them one by one:

Preparatory knowledge: broadcast technology

When learning network technology we often encounter the concept of a "broadcast", for example IP address broadcast, ARP (Address Resolution Protocol) broadcast, broadcast channel, and so on.

"Broadcast" has a different specific meaning in each context, although its surface meaning is always the same: a message is sent on a channel that supports broadcast so that all recipients can receive it (more exactly, so that all recipients process it). The concepts above therefore only arise on a broadcast channel, such as Ethernet.

Every message a host sends on a broadcast channel is transmitted by broadcast, and every host on the same network segment can process it. This is the lowest form of broadcast, and it lives in the data link layer of TCP/IP. It is the way messages are handled on Ethernet (and on most LANs); a broadcast of this kind can cross a repeater, but cannot cross a bridge or a router. What we usually call the broadcast domain (or collision domain) refers to broadcast of this form. ARP/RARP broadcast is the mechanism for obtaining the MAC address that belongs to a target IP address; it belongs to broadcast at the TCP/IP network layer, and it can cross a bridge but cannot cross a router. IP address broadcast (for example to the broadcast address 202.120.127.255) can cross a router, and it is also the main form in which a broadcast storm occurs.

The meaning of "broadcast" changes with the layer of the network architecture, so we must strictly distinguish the context.

Basic measures for LAN security:

1. Network segmentation

Network segmentation is an important measure for ensuring security. Its guiding idea is to isolate illegal users from network resources, thereby limiting the illegal access those users can attempt. Network segmentation can be divided into two approaches, physical segmentation and logical segmentation:

Physical segmentation generally means dividing the network into several network segments at the physical layer and the data link layer (layers one and two of the ISO/OSI model) so that the segments cannot communicate with each other. Many switches today have a certain access control capability that can physically segment the network. Logical segmentation means segmenting the whole system at the network layer (layer three of the ISO/OSI model). For example, a TCP/IP network can be divided into several IP subnets; the subnets must be connected through routers, routing switches, gateways or firewalls, and the security mechanisms (software and hardware) of these intermediate devices control access between the subnets. In practice, physical segmentation is usually combined with logical segmentation to achieve security control of the network system.
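The following Python example (added here; it is not code from the original post) models the logical segmentation just described together with the IP broadcast addresses from the preparatory section. The three subnets, the host addresses and the inter-subnet policy table are constructed for illustration; the policy stands in for the access control that the router or firewall between the subnets would enforce. Two hosts in the same subnet reach each other (and each other's broadcasts) directly; hosts in different subnets only reach each other if the intermediate device allows that pair of segments.

```python
import ipaddress

# Constructed example: three IP subnets of one site, each one a logical segment.
SUBNETS = {
    "servers": ipaddress.ip_network("10.0.10.0/24"),
    "staff":   ipaddress.ip_network("10.0.20.0/24"),
    "guests":  ipaddress.ip_network("10.0.30.0/24"),
}

# Hypothetical policy of the router/firewall that joins the segments:
# (source segment, destination segment) -> allowed? Pairs not listed are denied.
INTER_SEGMENT_POLICY = {
    ("staff", "servers"):   True,
    ("servers", "staff"):   True,
    ("guests", "servers"):  False,
    ("guests", "staff"):    False,
    ("staff", "guests"):    False,
}


def broadcast_address(cidr):
    """Directed broadcast address of a subnet, e.g. 202.120.127.0/24 -> 202.120.127.255.
    strict=False also accepts a host address with its prefix length."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def segment_of(ip):
    """Name of the segment an address belongs to, or None if it is outside the site."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def hosts_in_broadcast_domain(ip, hosts):
    """Hosts (from the given list) that would receive an IP broadcast sent by `ip`:
    exactly the hosts sharing its subnet."""
    seg = segment_of(ip)
    return [h for h in hosts if seg is not None and segment_of(h) == seg]


def path(src, dst):
    """How traffic from src to dst travels:
    'direct'  - same segment, switched without any layer-3 device in between
    'allowed' - different segments, permitted by the inter-segment policy
    'denied'  - different segments, blocked by the inter-segment policy
    'unknown' - one address is not in any configured segment"""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "unknown"
    if s == d:
        return "direct"
    return "allowed" if INTER_SEGMENT_POLICY.get((s, d), False) else "denied"


if __name__ == "__main__":
    print(broadcast_address("202.120.127.0/24"))
    for pair in [("10.0.20.5", "10.0.20.9"), ("10.0.20.5", "10.0.10.5"),
                 ("10.0.30.5", "10.0.10.5")]:
        print(pair, "->", path(*pair))
```

The policy table is deliberately deny-by-default: a pair of segments that nobody thought to list cannot talk, which is the behaviour you want from the device that separates subnets.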

2. Implementation of a virtual network (VLAN)

Virtual network technology is mainly based on the LAN switching technology (ATM and Ethernet switching) developed in recent years. Switching technology turns the traditional broadcast-based LAN into a connection-oriented technology, so the network management system can limit the scope of the LAN without needing a large router. Ethernet is essentially based on a broadcast mechanism, but once switches and VLAN technology are applied it is in effect converted to point-to-point communication; unless a monitoring port is configured, there is no longer a problem of monitoring and modification. The security benefit of this operating mechanism is obvious: information only goes where it should arrive, so most intrusion methods based on network sniffing are prevented. Through the access control in the virtual network settings, a node outside a virtual network cannot directly access the nodes inside it. However, virtual network technology also brings new security problems: the devices that perform virtual network switching are more complex and therefore become attackable objects; intrusion monitoring technology based on the broadcast principle requires special settings inside a high-speed switched network; and a MAC-based VLAN cannot prevent MAC spoofing, so using MAC-based VLANs means facing attacks with forged MAC addresses. Therefore it is best to divide VLANs by switch port. But this requires either that every desktop in the network is on a switched port, or that all machines on the network segment behind each switch port belong to the same VLAN. Division between virtual networks:

The purpose of the virtual network is to ensure the security of the system, so it can be divided according to the security levels of the system: the server systems at headquarters, such as database servers and email servers, can be placed in a separate VLAN. The virtual networks can also be divided according to the organizational structure. For example, the network where the leadership is located can be set up as a separate Leader Virtual Network (LVLAN) and the other departments (or subordinate organizations) each as a virtual network, with a one-way information flow controlled between the LVLAN and the other VLANs: the LVLAN is allowed to view information in the other VLANs, while the other VLANs cannot access LVLAN information. Connections within a virtual network are handled by the switch, and connections between virtual networks are handled by routing. Since the capability of routing is limited, the one-way information flow between the LVLAN and the other VLANs cannot be implemented by routing alone, and a firewall can be placed between the LVLAN and the other VLANs as a security isolation device to control the information exchange between the virtual networks.
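The following Python example (added here; it is not code from the original post) demonstrates two points from this section: why port-based VLAN assignment is preferred over MAC-based assignment, and how a stateful firewall between the LVLAN and the other VLANs enforces the one-way information flow that plain routing cannot. The switch port table, the MAC table, the VLAN names and the packet sequence are all constructed; the firewall class is a simplified model, not any vendor's product. Traffic between two non-privileged VLANs is denied here by assumption, since the text leaves that case open.

```python
from dataclasses import dataclass

# Constructed switch: physical port -> VLAN (port-based assignment).
PORT_VLAN = {1: "LVLAN", 2: "LVLAN", 3: "STAFF", 4: "STAFF", 5: "SERVERS"}

# Constructed table for a MAC-based VLAN: whichever station presents this source
# MAC is placed in the mapped VLAN. This is the scheme the text warns is spoofable.
MAC_VLAN = {"00:11:22:33:44:01": "LVLAN", "00:11:22:33:44:03": "STAFF"}
DEFAULT_VLAN = "STAFF"


def vlan_port_based(ingress_port, src_mac):
    """Membership follows the physical port; the claimed source MAC is irrelevant."""
    return PORT_VLAN[ingress_port]


def vlan_mac_based(ingress_port, src_mac):
    """Membership follows the claimed source MAC, so a forged leader MAC on a staff
    port lands in the LVLAN. Unknown MACs fall into the default VLAN."""
    return MAC_VLAN.get(src_mac, DEFAULT_VLAN)


@dataclass(frozen=True)
class Packet:
    src_vlan: str
    dst_vlan: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    syn: bool = False   # True for the packet that opens a TCP connection


class OneWayFirewall:
    """Isolation device between the privileged VLAN (LVLAN) and all others:
    the LVLAN may open connections anywhere and receive their replies;
    no other VLAN may open a connection towards the LVLAN."""

    def __init__(self, privileged="LVLAN"):
        self.privileged = privileged
        self.sessions = set()   # (src_ip, sport, dst_ip, dport) opened from the LVLAN

    def filter(self, p):
        if p.src_vlan == p.dst_vlan:
            return "switched"   # intra-VLAN traffic never reaches the firewall
        key = (p.src_ip, p.sport, p.dst_ip, p.dport)
        reverse = (p.dst_ip, p.dport, p.src_ip, p.sport)
        if p.src_vlan == self.privileged:
            if p.syn:
                self.sessions.add(key)   # remember the session the LVLAN opened
            return "allow"
        if p.dst_vlan == self.privileged:
            # Only replies belonging to a session the LVLAN opened may come back in.
            return "allow" if reverse in self.sessions else "deny"
        return "deny"   # between non-privileged VLANs: denied by assumption


def run_demo():
    """Constructed packet sequence across the LVLAN/STAFF boundary; returns the decisions."""
    fw = OneWayFirewall()
    packets = [
        # 1. a leader's workstation opens a connection to a staff web server
        Packet("LVLAN", "STAFF", "10.0.1.10", "10.0.2.20", 40000, 80, syn=True),
        # 2. the server's reply to that connection
        Packet("STAFF", "LVLAN", "10.0.2.20", "10.0.1.10", 80, 40000),
        # 3. a staff host tries to open an SSH connection into the LVLAN
        Packet("STAFF", "LVLAN", "10.0.2.21", "10.0.1.10", 50000, 22, syn=True),
        # 4. two leader workstations talking inside the LVLAN
        Packet("LVLAN", "LVLAN", "10.0.1.10", "10.0.1.11", 40001, 445, syn=True),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("port-based:", vlan_port_based(4, "00:11:22:33:44:01"))
    print("mac-based: ", vlan_mac_based(4, "00:11:22:33:44:01"))
    print(run_demo())
```

Packet 2 is allowed only because packet 1 created a session entry; had the staff server sent the same packet unsolicited, it would have been dropped. That session state is exactly what a stateless router ACL lacks, which is why the text places a firewall rather than a router between the LVLAN and the other VLANs.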

In summary, whether through network segmentation or through virtual networks, the security of the LAN is protected to a certain extent.

Please indicate the original address when reprinting: https://www.9cbs.com/read-3531.html
