Today's internal networks (LANs) are essentially all built on Ethernet. On an Ethernet, a data packet exchanged between two nodes is not received only by the network cards of those two nodes: the network card of any other node on the same Ethernet segment can also pick it up. Consequently, as long as an attacker can listen on any one node of the Ethernet, he can capture every packet that travels on that segment, unpack it and extract critical information from it. This is a security weakness inherent in Ethernet.

A. LAN security

In fact, many freely available hacking tools, such as Satan, ISS and Netcat, use this weakness as one of their most basic techniques. At present there are several solutions for LAN security:

1. Network segmentation

Segmenting a network is usually regarded as a basic means of controlling broadcast storms, but it is also an important measure for network security. Its purpose is to isolate illegal users from sensitive network resources and so prevent possible illegal listening. Segmentation can be physical or logical. At present most customs LANs use a switch-centred, router-based network pattern, and the access control and layer-3 switching functions of the central switch carry the main burden of LAN security control. For example, the intrusion detection function of the DEC MultiSwitch 900 commonly used in the customs system is in fact MAC-address-based access control, i.e. the physical segmentation at the data link layer described above.

2. Replacing shared hubs with switched hubs

Even after a switching hub has been adopted as the central switch of the LAN, the danger of Ethernet eavesdropping remains. This is because end users usually connect through branch hubs rather than directly to the central switch, and the most widely used branch hubs are shared hubs.
Thus, when a user communicates with a host, the packets exchanged between the two machines (unicast packets) can still be listened to by other users on the same hub. A very dangerous case is a user who Telnets to a host: because the Telnet program itself has no encryption, every character the user types (including important information such as the username and password) is sent in the clear, which gives hackers their opportunity. Therefore the shared hubs should be replaced with switched hubs, which forward a unicast packet only between the two nodes concerned and so prevent illegal listening. Of course, a switched hub can only control unicast packets; it cannot control broadcast packets and multicast packets. Fortunately, broadcast and multicast packets carry far less critical information than unicast packets.

3. VLANs

To overcome Ethernet's broadcast problem, in addition to the method above, VLAN (Virtual LAN) technology can be used to turn Ethernet communication into point-to-point communication and so prevent most network eavesdropping intrusions. There are three main kinds of VLAN technology: VLANs based on switch ports, VLANs based on node MAC addresses, and VLANs based on application protocols. Port-based VLANs are slightly less flexible, but they are mature, their effect is significant, and they are the most popular in practical applications. MAC-address-based VLANs make mobile computing possible, but they also carry the hidden danger of MAC spoofing. Protocol-based VLANs are ideal in theory, but their practical application is not yet mature. In a centralized network environment we usually place all central host systems in one VLAN and allow no user nodes in that VLAN, which better protects sensitive host resources.

In a distributed network environment we can divide VLANs by organization or department: all servers and user nodes of each department are in their own VLAN and cannot intrude on one another. Connections inside a VLAN are implemented by the switch, while connections between VLANs are implemented by routing. Currently most switches (including the DEC MultiSwitch 900 used in the customs) support the two international standards RIP and OSPF. If there is a special need to use other routing protocols (such as Cisco's EIGRP or IS-IS), an external router with multiple Ethernet ports can be used instead of the switch to implement routing between VLANs; of course, in that case the efficiency of routing and forwarding declines.

Whether a switching hub or a VLAN switch, the core is switching technology. Both are quite effective at controlling broadcasts and blocking hackers, but they also cause trouble for intrusion monitoring techniques and protocol analysis techniques that rely on the broadcast principle. Therefore, if such an intrusion monitoring device or protocol analysis device is present in the LAN, a special switch with the SPAN (Switch Port Analyzer) function must be selected. Such a switch allows the system administrator to mirror all or some of the switched ports to a designated port, to which the intrusion monitoring device or protocol analyser is connected. In the network design for Xiamen Customs, the author chose Cisco's SPAN-capable Catalyst series switches, which keep the advantages of switching technology and also let the existing Sniffer protocol analyser continue to play its part.

B. WAN security

Because a WAN uses public networks for data transmission, the possibility that data is intercepted and exploited while in transit over the WAN is much greater than on a LAN.
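The forwarding behaviour compared in points 2 and 3 above, as an added Python model (not code from the article or from any vendor): a shared hub repeats every frame to every port, a learning switch delivers a known unicast only to its destination port but still floods broadcasts, and a port-based VLAN map confines the flood to one department. It also shows the caveat that a switch floods a unicast frame to the whole VLAN until it has learned the destination's MAC. The stations, MAC addresses, port numbers and VLAN map are constructed sample data.

```python
"""Forwarding model: shared hub vs. switching hub vs. port-based VLAN switch."""
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(dst_mac):
    """Broadcast and multicast frames have the group bit (LSB of first octet) set."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1

class SharedHub:
    """Repeats every frame out of every other port: any station can eavesdrop."""
    def __init__(self, ports):
        self.ports = set(ports)
    def deliver(self, in_port, src, dst):
        return self.ports - {in_port}

class Switch:
    """Learning switch; an optional port->VLAN map (default: every port in VLAN 1)
    confines both unicast delivery and flooding to the ingress port's VLAN."""
    def __init__(self, ports, vlan_of=None):
        self.ports = set(ports)
        self.vlan_of = vlan_of or {p: 1 for p in ports}
        self.cam = {}  # learned source MAC -> port
    def deliver(self, in_port, src, dst):
        self.cam[src] = in_port  # learn where src is attached
        vlan = self.vlan_of[in_port]
        out = self.cam.get(dst)
        if not is_group(dst) and out is not None and self.vlan_of[out] == vlan:
            return {out}  # known unicast goes only to the destination port
        # Broadcast, multicast, or unicast to a not-yet-learned MAC: flood the VLAN.
        return {p for p in self.ports if p != in_port and self.vlan_of[p] == vlan}

# Constructed topology: user A (port 1), telnet host H (port 2), an eavesdropping
# station E (port 3) and station D (port 4), which the VLAN variant puts in VLAN 20.
MAC = {"A": "00:00:00:00:00:0a", "H": "00:00:00:00:00:0b",
       "E": "00:00:00:00:00:0e", "D": "00:00:00:00:00:0d"}
STATION = {1: "A", 2: "H", 3: "E", 4: "D"}
DEPT_VLANS = {1: 1, 2: 1, 3: 1, 4: 20}

def names(ports):
    return {STATION[p] for p in ports}

def telnet_password_audience(device):
    """H first sends its login prompt to A; A then types the cleartext password.
    Returns (who saw the prompt, who saw the password)."""
    prompt = names(device.deliver(2, MAC["H"], MAC["A"]))
    password = names(device.deliver(1, MAC["A"], MAC["H"]))
    return prompt, password

def broadcast_audience(device):
    """Who receives a broadcast (for example an ARP request) sent by A."""
    return names(device.deliver(1, MAC["A"], BROADCAST))
```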
Without dedicated software to protect the data, communication data can easily be intercepted and deciphered with "packet sniffing" tool software downloaded from the Internet. Measures must therefore be taken to guarantee that, when information is sent and received over the WAN: (1) nobody other than the sender and the receiver can know its contents (confidentiality); (2) it is not tampered with in transit (integrity); (3) the sender can verify that the receiver is not an impostor (authentication); (4) the sender cannot deny having sent it (non-repudiation). To achieve these security goals, WANs usually adopt the following security solutions:

1. Encryption technology

The basic idea of encryption-based network security is not to rely on the security of the data channels in the network, but to ensure the security and reliability of the network by encrypting the network data itself. Data encryption technology can be divided into three types: symmetric encryption, asymmetric encryption and irreversible encryption. Irreversible encryption has no key storage or distribution problem, which makes it suitable for distributed network systems, but its encryption computation is considerable, so it is usually used only where the amount of data is limited. Passwords in computer systems are encrypted with irreversible algorithms. In recent years, as computer system performance has kept improving, the use of irreversible encryption algorithms has gradually increased; examples are RSA's MD5 and the US National Bureau of Standards' SHS. The Cisco routers widely used in the customs system offer two password encryption methods: enable secret and enable password. Enable secret uses the irreversible MD5 algorithm, for which no cracking method has been found (other than a dictionary attack). Enable password uses a very fragile encryption algorithm (it simply XORs the password), and at least two cracking programs exist for it.
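A configuration audit for the enable secret / enable password distinction just described, as an added Python example (not code from the article or from Cisco): it scans an IOS-style configuration and flags every password that is not stored as the MD5-based enable secret (storage type 5), i.e. the type 7 XOR obfuscation that enable password and line passwords receive, or cleartext. The configuration fragment and the hash and type 7 strings in it are constructed sample data.

```python
import re

# Constructed Cisco IOS configuration fragment (sample data, not a real device).
SAMPLE_CONFIG = """\
hostname rtr-example
enable secret 5 $1$EXAM$PLEhashPlaceholder000000
enable password 7 07CONSTRUCTEDSAMPLE
line con 0
 password ConsoleInClear
line vty 0 4
 password 7 05CONSTRUCTEDSAMPLE
"""

# IOS storage types: 5 is the MD5 one-way hash used by "enable secret"; 7 is the
# reversible XOR obfuscation applied to "enable password" and line passwords;
# 0 (or no type at all) means the password is stored in cleartext.
RISK = {"5": "ok: MD5 one-way hash (enable secret)",
        "7": "weak: reversible XOR obfuscation, recoverable from the config",
        "0": "critical: cleartext"}

PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|password)"
    r"(?:\s+(?P<type>[057]))?\s+(?P<value>\S+)\s*$")

def classify(line):
    """Return (command, storage type, verdict) for a password line, else None."""
    m = PASSWORD_LINE.match(line)
    if not m:
        return None
    ptype = m.group("type") or "0"
    return (m.group("cmd"), ptype, RISK[ptype])

def audit(config_text):
    """List (line number, command, type, verdict) for every password that is not
    a one-way hash. Also flags an 'enable password' kept next to 'enable secret':
    IOS uses the secret, but the weak value stays readable in the configuration."""
    findings, cmds = [], set()
    for no, line in enumerate(config_text.splitlines(), 1):
        c = classify(line)
        if c is None:
            continue
        cmd, ptype, verdict = c
        cmds.add(cmd)
        if ptype != "5":
            findings.append((no, cmd, ptype, verdict))
    if {"enable password", "enable secret"} <= cmds:
        findings.append((0, "enable password", "-",
                         "redundant: remove it, 'enable secret' takes precedence"))
    return findings

if __name__ == "__main__":
    for no, cmd, ptype, verdict in audit(SAMPLE_CONFIG):
        print(f"line {no}: {cmd} (type {ptype}) -> {verdict}")
```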