Security Holistic View

Created: Mar 31, 2017 15:18:17 | Latest reply: Apr 7, 2018 23:12:40


The network has become the most important tool for people's communication, and with its widespread use, cyber security issues need to be resolved urgently. Because switches play an important role on the network, they are a frequent target of hacker attacks. The primary job of a switch is switching, so cyber security protection measures applied to switches cannot compromise data forwarding: data must not be intercepted or modified during transmission. Cyber security has the following characteristics:

Ø   Confidentiality: When a switch stores, handles, and transmits data, the data is not leaked to unauthorized users, entities, or processes. That is, data is used only by authorized users.

Ø   Integrity: Data cannot be modified without permission. That is, network information is not accidentally or intentionally deleted, modified, forged, reordered, or inserted during storage and transmission.

Ø   Availability: The specified functions of a switch can be executed under the specified conditions and at the specified time or within the specified period, provided that the required external resources are available. Services remain continuously available and meet the service quality of their class.

Security deployment of S series switches involves three planes:

Figure 1-1 Security deployment planes



1. Management plane

The key is to ensure that devices can be managed only by users with permission. The management plane specifies which users can log in to a switch and what operations each user can perform.

As shown in Figure 1-1, the security of the management plane is reflected in administrator login.

Administrator login: The switch uses the user name, password, and ACLs to restrict user login rights. STelnet login ensures that administrators log in securely. The user level is configurable to control user operation rights.

2. Control plane

The control plane controls forwarding based on the CPU. The CPU is the commander that controls the operations of all components, so it is the prerequisite for the device and its protocols to run. Like a computer, a switch that runs many applications may respond slowly. If many protocol packets are sent to the CPU, the CPU becomes busy and switch performance degrades, which can cause a service interruption. As the core component of a switch, the CPU is an attack target for unauthorized users.

Network attacks may cause high CPU usage, but high CPU usage is not necessarily caused by network attacks; it may also be caused by a hardware failure, network flapping, or a network loop. This article describes only high CPU usage caused by network attacks. For other causes, see the S Series Campus Switch Maintenance Guide.

To ensure that the CPU runs normally, the switch uses the default CPCAR values to limit the rate of protocol packets sent to the CPU.

Figure 1-2 CPU defense



If the CPU usage is still high after CPCAR rate limiting is applied, perform the following steps:

Ø  Adjust the CPCAR value: Decrease the CPCAR value to reduce the number of protocol packets sent to the CPU.

Ø  Attack source tracing: Analyze the packets sent to the CPU, configure a threshold, and take punishment measures against the sources whose packets exceed the threshold, for example, dropping the packets, shutting down the interface, or configuring a blacklist.
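The two steps above, as an added illustration that is not part of the original post or of any switch software: a constructed sample of protocol packets punted to the CPU is first rate-limited per protocol in the CPCAR style, then counted per source for attack source tracing, and offenders are mapped to the three punishment measures named above. The limits, threshold, and escalation policy are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample of protocol packets punted to the CPU in one sampling interval,
# as (source MAC, ingress interface, protocol). Not output from a real switch.
PUNTED = (
    [("00e0-fc12-0001", "GE0/0/1", "arp")] * 5
    + [("00e0-fc12-0002", "GE0/0/2", "arp")] * 3
    + [("00e0-fc12-00ff", "GE0/0/7", "arp")] * 400
    + [("00e0-fc12-00ff", "GE0/0/7", "dhcp")] * 50
)

# Assumed CPCAR-style limits: packets per protocol admitted to the CPU per interval.
CPCAR = {"arp": 128, "dhcp": 64, "default": 32}
# Assumed attack-source-tracing threshold: packets per source per interval.
TRACE_THRESHOLD = 100

def apply_cpcar(punted, limits):
    """Admit at most limits[proto] packets per protocol; return (admitted, dropped) Counters.
    CPCAR is blind to the sender, so a flood also starves legitimate hosts' packets."""
    seen, admitted, dropped = Counter(), Counter(), Counter()
    for _, _, proto in punted:
        seen[proto] += 1
        if seen[proto] <= limits.get(proto, limits["default"]):
            admitted[proto] += 1
        else:
            dropped[proto] += 1
    return admitted, dropped

def trace_sources(punted, threshold):
    """Attack source tracing: count punted packets per source MAC and return
    {source: (count, interface)} for the sources above the threshold."""
    per_src, iface = Counter(), {}
    for src, port, _ in punted:
        per_src[src] += 1
        iface[src] = port
    return {s: (n, iface[s]) for s, n in per_src.items() if n > threshold}

def punish(offenders, threshold):
    """Assumed escalation policy over the page's three punishment measures:
    drop the source's packets, blacklist the source, or shut down its interface."""
    actions = {}
    for src, (count, port) in offenders.items():
        if count > 4 * threshold:
            actions[src] = f"shutdown {port}"
        elif count > 2 * threshold:
            actions[src] = f"blacklist {src}"
        else:
            actions[src] = f"drop packets from {src}"
    return actions

if __name__ == "__main__":
    admitted, dropped = apply_cpcar(PUNTED, CPCAR)
    print("admitted:", dict(admitted), "dropped:", dict(dropped))
    print("punishment:", punish(trace_sources(PUNTED, TRACE_THRESHOLD), TRACE_THRESHOLD))
```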

3. Forwarding plane

The forwarding plane looks up forwarding entries to direct data forwarding, so there are two types of attacks targeting the forwarding plane:

Ø  Exhausting forwarding entries, so that authorized users' entries cannot be learned and their traffic cannot be forwarded.

Ø  Tampering with forwarding entries, so that authorized users' traffic is forwarded to an incorrect destination.

How does a switch defend against these attacks? The following describes how to defend against Layer 2 and Layer 3 network attacks.

Ø  Layer 2 network

The core of the Layer 2 forwarding table is the MAC address table. Forwarding data traffic requires a MAC address table lookup, so the MAC address table is prone to attacks. Unauthorized users send a large number of packets to consume MAC address entries. When no MAC entry is found for a packet, the packet is broadcast, which consumes bandwidth and may cause a broadcast storm. The switch protects the MAC address table using methods such as MAC address learning control, DHCP snooping, and storm suppression.

Ø  Layer 3 network

Layer 3 data forwarding depends on the ARP table and the routing table. The entries in the routing table are generated by protocol negotiation, so they are difficult to attack. ARP entries are generated by protocol packet exchange, and attackers can send a large number of protocol packets or forged protocol packets to attack the ARP table. Therefore, the ARP table must be properly protected in Layer 3 forwarding. The switch supports measures such as ARP security, DAI/EAI, and IPSG to prevent such attacks.
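The two forwarding-plane attack types and the Layer 2 and Layer 3 defenses described above, as an added model that is not part of the original post or of any switch software: a MAC table with a per-interface learning limit (the exhaustion defense) and a DAI/IPSG-style ARP check against a DHCP snooping binding table (the tampering defense). The per-port limit and the binding table are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class MacTable:
    """MAC address table with per-interface learning control (assumed limit per port)."""
    limit: int
    entries: dict = field(default_factory=dict)  # mac -> interface

    def learn(self, mac, port):
        """Learn or refresh a MAC; refuse new MACs once the port already holds `limit` entries.
        Returns True if the entry is present afterwards, False if learning was refused."""
        if mac in self.entries:
            self.entries[mac] = port
            return True
        if sum(1 for p in self.entries.values() if p == port) >= self.limit:
            return False
        self.entries[mac] = port
        return True

def simulate_flood(table, port, count):
    """Constructed MAC flood on one port with fabricated source MACs;
    returns how many of them the table actually learned."""
    return sum(table.learn(f"0200-0000-{i:04x}", port) for i in range(count))

# Constructed DHCP snooping binding table (IP, MAC, interface); not real device data.
BINDINGS = {
    ("10.1.1.10", "00e0-fc00-0010", "GE0/0/1"),
    ("10.1.1.11", "00e0-fc00-0011", "GE0/0/2"),
}

def arp_allowed(sender_ip, sender_mac, in_port, bindings=BINDINGS):
    """DAI/IPSG-style check: forward an ARP packet only if its sender IP, sender MAC and
    ingress interface match a snooping binding; anything else could poison ARP entries."""
    return (sender_ip, sender_mac, in_port) in bindings

if __name__ == "__main__":
    table = MacTable(limit=3)
    print("bogus MACs learned on GE0/0/5:", simulate_flood(table, "GE0/0/5", 1000))
    print("legitimate host still learnable:", table.learn("00e0-fc00-0010", "GE0/0/1"))
    print("legitimate ARP forwarded:", arp_allowed("10.1.1.10", "00e0-fc00-0010", "GE0/0/1"))
    print("forged ARP forwarded:", arp_allowed("10.1.1.10", "00e0-fc00-00ff", "GE0/0/3"))
```

Without the per-port limit, the same flood would fill the whole table and legitimate hosts' frames would be broadcast out of every port, which is the broadcast storm described above.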

The following sections describe the security features involving the management, control, and forwarding planes.

Security Issues - Issue 1 Security Holistic View
Security Issues - Issue 2 Management Plane Security
Security Issues - Issue 3 Control Plane Security
Security Issues - Issue 4 Forwarding Plane Security – Layer 2 Security
Security Issues - Issue 5 Forwarding Plane Security – Layer 3 Security



This post was last edited by 交换机在江湖 on 2017-08-11 10:41.

user_2790689     Created Mar 31, 2017 15:25:35 Helpful(0)

thank you

wissal  Visitor   Created Apr 7, 2018 23:12:40 Helpful(0)

useful document, thanks