Security Isolation and Defense Mechanism Principles in S5700 Switches

Latest reply: Jun 17, 2021 15:55:54

Hi,


Today, I'll be sharing some guidelines on how we can ensure security isolation on S5700 switches. It is generally a neglected area, but it needs focus as it secures the overall network and ensures security compliance.


Switches comply with the three-layer three-plane security isolation mechanism of X.805. Data flows at different importance levels face different security threats which have different impacts on users. To avoid mutual impacts between data flows, three security planes are planned on switches.

  • Management plane: This plane focuses on the security of application and service data for management users; that is, security of operation, maintenance, and management information.

  • Control plane: Switches have to run various protocols to implement services. The services must be protected against attacks or spoofing.

  • Forwarding plane: Switches use the destination MAC addresses and destination IP addresses of packets to search for routes for forwarding the packets. Security measures must be taken in the forwarding paths to prevent attacks on switches and spreading of attack traffic over the IP network.

By isolating the control, management, and forwarding planes, switches can ensure that attacks on any of the planes do not affect other planes.


[Figure: X.805]



Security Hardening Principles


Security must be hardened continuously and can never be achieved once and forever. Any attempt to achieve permanent security using a single policy or through one-off security hardening configuration will fail.

Before carrying out security hardening, perform the following operations:

  • Fully understand service requirements: Security is always service-oriented. An appropriate security hardening policy can be developed only after the security protection requirements of the service system are clearly understood.

  • Evaluate risks comprehensively: Analyze security threats to the service system, identify weak points of the service system, balance the service system value against security hardening costs, and comprehensively evaluate security risks. Provide defense measures against unacceptable security risks. Treat acceptable risks as remaining risks, and periodically review them throughout the service system lifecycle to determine whether to reevaluate their risk levels.

  • Design a security hardening solution: Based on the comprehensive risk evaluation, design a solution that meets service requirements. Security is ensured by design, not by configuration. Every security hardening engineer should adequately understand this principle.

  • Implement security hardening policies: Before the implementation, evaluate the policy impact on services to prevent service loss.

After security hardening is complete, continuous monitoring and maintenance on the service system are required, which can help locate faults promptly, adjust security hardening policies, and ensure that the policies have taken effect as expected. To sum up, security hardening is a process requiring continuous improvement.


I hope you know the importance and basic principles to take care of in increasing security.

In case of any queries, please comment below.


Source: Hedex


great
umaryaqub Created Feb 9, 2021 05:57:05 (0) (0)
Thanks  
Faridrami Reply umaryaqub  Created Feb 9, 2021 16:14:51 (0) (0)
 
Thanks for sharing
umaryaqub Created Feb 9, 2021 05:57:19 (0) (0)
Thanks for your support  
Thanks for the information!
umaryaqub Created Feb 9, 2021 05:57:35 (0) (0)
Welcome and thanks for your support  
Thanks for sharing
umaryaqub Created Feb 10, 2021 06:28:06 (0) (0)
Thanks for your support  
Very useful guideline
umaryaqub Created Feb 9, 2021 05:57:43 (0) (0)
Thanks  
lan2019 Created Feb 14, 2021 01:10:42 (0) (0)
Great  
Thank you for the information
umaryaqub Created Feb 11, 2021 06:10:45 (0) (0)
Thanks for your support  
Thanks for sharing
umaryaqub Created Feb 11, 2021 06:11:04 (0) (0)
Thanks for your support  