An industrial switch is a key building block of the local area networks that underpin modern industrial automation systems: whether sensor data is being transmitted or production equipment is being controlled, Ethernet forms the basic control network. This is one of the main reasons industrial switches are used more and more widely in automated production.


Several trends are driving demand for bandwidth: increasingly rich broadband applications, data centralization at large financial institutions, and the expansion of complex enterprise applications such as ERP and CRM. Today's mainstream structure, with gigabit at the backbone, will gradually transition to one in which gigabit moves down to the access layer and the backbone is upgraded above it.


As industrial switches spread rapidly, their security issues are receiving increasing attention. At present, the following aspects need to be dealt with:


1. Six security problems of industrial switches


  (1) Broadcast storm attack


A user can transmit high-volume broadcast or multicast traffic, or unicast traffic whose destination MAC addresses are randomly constructed. When the switch receives such frames, it forwards them by flooding. If the switch does not support rate-limiting of flooded traffic (storm control), this invalid traffic can fill the network's bandwidth, and other users on the network cannot access the Internet properly.


(2) Traffic flooding attack on the network


A malicious user can send heavy traffic through the industrial switch toward the router, consuming most of the bandwidth of the uplink interface. As a result, other users' Internet access becomes slow.


The switch therefore needs to limit the inbound rate on each port. Otherwise, a malicious user can attack the network and affect every other user on it.
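The two defences named in problems (1) and (2), storm control for flooded traffic and a per-port inbound rate limit, can both be modelled as token buckets. The following simulation is an added example written for this article, not code from any switch vendor; the port numbers, MAC addresses (documentation range 00:00:5e:00:53:xx), rates and traffic pattern are all constructed. It runs three ports through the policer: a well-behaved host, a broadcast storm, and a unicast flood aimed at the router.

```python
"""Simulated per-port ingress policing for an Ethernet switch.

Each port gets two token buckets:
  * a storm-control bucket charged only for flood traffic, i.e. broadcast,
    multicast and unknown-unicast frames that the switch would have to flood;
  * a port rate-limit bucket charged for every admitted frame.
Times are integer milliseconds and rates are bytes per millisecond, so all
arithmetic is exact. The traffic below is constructed, not captured.
"""
from collections import Counter
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "00:00:5e:00:53:01"   # documentation-range MAC, assumed to be the router


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    t_ms: int    # arrival time in milliseconds
    port: int    # ingress port
    src: str
    dst: str
    size: int    # bytes on the wire


class TokenBucket:
    def __init__(self, rate_bpms: int, burst: int):
        self.rate, self.burst = rate_bpms, burst
        self.tokens, self.last_ms = burst, 0

    def refill(self, now_ms: int) -> None:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms


class IngressPolicer:
    def __init__(self, ports, known_macs, port_rate, port_burst, storm_rate, storm_burst):
        self.known = set(known_macs)   # destinations the switch has already learned
        self.limit = {p: TokenBucket(port_rate, port_burst) for p in ports}
        self.storm = {p: TokenBucket(storm_rate, storm_burst) for p in ports}

    def is_flood(self, frame: Frame) -> bool:
        return is_group_address(frame.dst) or frame.dst not in self.known

    def admit(self, frame: Frame) -> str:
        limit, storm = self.limit[frame.port], self.storm[frame.port]
        limit.refill(frame.t_ms)
        storm.refill(frame.t_ms)
        flood = self.is_flood(frame)
        if flood and storm.tokens < frame.size:
            return "drop:storm-control"
        if limit.tokens < frame.size:
            return "drop:port-limit"
        limit.tokens -= frame.size       # charge both buckets only for admitted frames
        if flood:
            storm.tokens -= frame.size
        return "forward"


def run(policer: IngressPolicer, frames) -> dict:
    """Apply the policer in arrival order; return {(port, verdict): count}."""
    counts = Counter()
    for f in sorted(frames, key=lambda f: f.t_ms):
        counts[(f.port, policer.admit(f))] += 1
    return dict(counts)


def sample_traffic():
    frames = []
    # Port 1: well-behaved host, 10 frames of 1000 B to the router over one second.
    frames += [Frame(i * 100, 1, "00:00:5e:00:53:11", ROUTER_MAC, 1000) for i in range(10)]
    # Port 2: broadcast storm, 100 frames of 1000 B in one second (problem 1).
    frames += [Frame(i * 10, 2, "00:00:5e:00:53:22", BROADCAST, 1000) for i in range(100)]
    # Port 3: unicast flood toward the router, 100 frames of 1500 B in half a second (problem 2).
    frames += [Frame(i * 5, 3, "00:00:5e:00:53:33", ROUTER_MAC, 1500) for i in range(100)]
    return frames


def demo() -> dict:
    # 20 bytes per millisecond per port; flood traffic is capped at a quarter of that.
    policer = IngressPolicer(ports=[1, 2, 3], known_macs={ROUTER_MAC},
                             port_rate=20, port_burst=20000, storm_rate=5, storm_burst=5000)
    return run(policer, sample_traffic())


if __name__ == "__main__":
    for key, n in sorted(demo().items()):
        print(key, n)
```

The well-behaved host on port 1 is never touched, the broadcast storm on port 2 is cut to the storm-control rate while the port's own bucket stays unaffected, and the unicast flood on port 3 is clamped by the port limit so that the uplink keeps bandwidth for everyone else. Storm control is checked before the port limit so that a dropped flood frame never consumes the port's tokens.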


(3) Massive MAC address (MAC flooding) attack


Industrial switches use the MAC address table as the index when forwarding data. If the destination MAC address of a frame is unknown, the frame is flooded across the network. Switches must learn MAC addresses continuously, and the capacity of the MAC address table is limited. When the table is full, the original entries are overwritten by newly learned addresses. As a result, when the switch receives traffic from the router destined for legitimate users, it can no longer find their MAC address entries, floods the traffic across the entire network, and forwarding performance degrades.


  (4) MAC spoofing attacks


To bring down the network, a malicious user can change his MAC address to that of the router (call it Mac-X) and send frames to the switch continuously (this does not require much traffic; one frame per second is enough). The switch then updates its entry for Mac-X, believing the router is on the port connected to the malicious client. When other users send data to the router, the switch delivers it to the malicious user instead, so the user who sent the legitimate data cannot access the Internet properly (and likewise, every user on the network loses Internet access). The switch must therefore support MAC binding, that is, the router's MAC address must be statically configured on the switch; otherwise a malicious user can bring down the network with ease. Alternatively, the switch can bind, on each port, the source MAC addresses that are allowed to send data into the network, so that malicious users cannot attack the network by MAC spoofing.
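Problems (3) and (4) are both attacks on the same data structure, the switch's MAC address table, and the two defences described for them (a per-port limit on learned addresses, and a static binding for the router's MAC that dynamic learning cannot overwrite) fit naturally into one model. The simulation below is an added example written for this article, not a vendor's implementation; the table capacity, port numbers and MAC addresses (documentation range 00:00:5e:00:53:xx plus locally administered 02:xx addresses for the flood) are constructed. Running the same scenario with and without the per-port limit shows the legitimate host's entry being evicted in one case and preserved in the other, while the static router entry rejects the spoofed frame in both.

```python
"""Simulated switch MAC address table with the two defences described above:
a per-port learning limit (port security) against MAC flooding, and static
bindings that dynamic learning cannot overwrite, against MAC spoofing.
The table behaves as an LRU: when full, the oldest dynamic entry is evicted,
which is exactly the eviction a MAC flooding attacker is trying to trigger."""
from collections import OrderedDict

FLOOD = "FLOOD"                    # lookup result when no entry exists
ROUTER_MAC = "00:00:5e:00:53:01"   # assumed router MAC (Mac-X in the text)
HOST_MAC = "00:00:5e:00:53:aa"     # constructed legitimate host


class MacTable:
    def __init__(self, capacity, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit     # None disables port security
        self.static = {}                         # mac -> port, never relearned
        self.dynamic = OrderedDict()             # mac -> port, oldest first
        self.violations = []                     # what a real switch would log

    def bind_static(self, mac, port):
        self.static[mac] = port
        self.dynamic.pop(mac, None)

    def _learned_on(self, port):
        return sum(1 for p in self.dynamic.values() if p == port)

    def learn(self, src_mac, port):
        """Process a frame's source address; return False if the frame must be dropped."""
        if src_mac in self.static:
            if self.static[src_mac] != port:
                # A port other than the router's is claiming the router's MAC.
                self.violations.append(("static-mismatch", src_mac, port))
                return False
            return True
        if src_mac in self.dynamic:
            self.dynamic.move_to_end(src_mac)    # refresh age; the host may have moved
            self.dynamic[src_mac] = port
            return True
        if self.per_port_limit is not None and self._learned_on(port) >= self.per_port_limit:
            self.violations.append(("port-limit", src_mac, port))
            return False
        if len(self.dynamic) >= self.capacity:
            self.dynamic.popitem(last=False)      # table full: evict the oldest entry
        self.dynamic[src_mac] = port
        return True

    def lookup(self, dst_mac):
        if dst_mac in self.static:
            return self.static[dst_mac]
        return self.dynamic.get(dst_mac, FLOOD)


def scenario(per_port_limit):
    """Router on port 1, legitimate host on port 2, attacker on port 3."""
    table = MacTable(capacity=8, per_port_limit=per_port_limit)
    table.bind_static(ROUTER_MAC, 1)
    table.learn(HOST_MAC, 2)
    # Problem 3: frames arrive from 50 different source MACs on the attacker's port.
    for i in range(50):
        table.learn(f"02:00:00:00:00:{i:02x}", 3)   # constructed, locally administered
    # Problem 4: a frame then arrives on port 3 carrying the router's MAC as source.
    table.learn(ROUTER_MAC, 3)
    return {
        "host_port": table.lookup(HOST_MAC),
        "router_port": table.lookup(ROUTER_MAC),
        "dynamic_entries": len(table.dynamic),
        "violations": len(table.violations),
    }


if __name__ == "__main__":
    print("no port security:", scenario(None))
    print("2 MACs per port:  ", scenario(2))
```

Without a per-port limit the host's entry is pushed out of the 8-entry table and traffic for it degrades to flooding; with a limit of two addresses per port only two attacker addresses are learned and the rest are logged as violations. In both runs the static binding keeps the router on port 1, so the spoofed frame is dropped rather than relearned.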


  (5) ARP spoofing attack


A malicious host can answer every ARP request it sees, regardless of which IP address is being asked about, by immediately sending an ARP reply. The switch should therefore check received ARP requests and ARP replies, together with the port's other traffic, against the IP address bound to that port, and discard anything that does not match. Otherwise, the network crashes.
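The check recommended above, validating each ARP packet from an untrusted port against the addresses bound to that port, is what switches call dynamic ARP inspection. The code below is an added example written for this article, not a vendor's implementation: it parses raw Ethernet/ARP frames, compares the ARP sender fields with the Ethernet header and with a constructed per-port binding table, and permits or denies each frame with a reason. All MAC addresses (documentation range 00:00:5e:00:53:xx), IP addresses (192.0.2.0/24) and port numbers are constructed, and the uplink to the router is assumed to be port 1.

```python
"""Dynamic ARP inspection over raw Ethernet/ARP frames: every ARP packet from an
untrusted port is parsed and checked against the (MAC, IP) bindings configured
for that port. All frames below are constructed with build_arp, not captured."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return ipaddress.IPv4Address(ip).packed
def ip_str(b): return str(ipaddress.IPv4Address(b))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header followed by a 28-byte IPv4-over-Ethernet ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("truncated frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def inspect(port, frame, bindings, trusted_ports=frozenset()) -> str:
    """bindings: {port: {(mac, ip), ...}}. Returns 'permit' or 'deny:<reason>'."""
    if port in trusted_ports:              # e.g. the uplink to the router
        return "permit"
    try:
        a = parse_arp(frame)
    except ValueError:
        return "deny:malformed"
    if a["sha"] != a["eth_src"]:            # ARP body disagrees with the Ethernet header
        return "deny:src-mac-mismatch"
    if (a["sha"], a["spa"]) not in bindings.get(port, set()):
        return "deny:no-binding"            # claims a MAC/IP pair not bound to this port
    if a["oper"] == ARP_REPLY and a["tha"] != a["eth_dst"]:
        return "deny:dst-mac-mismatch"
    return "permit"


# Constructed topology: router on trusted port 1, host A on port 2, host B on port 3.
HOST_A, IP_A = "00:00:5e:00:53:aa", "192.0.2.10"
HOST_B, IP_B = "00:00:5e:00:53:bb", "192.0.2.11"
ROUTER, IP_R = "00:00:5e:00:53:01", "192.0.2.1"
BINDINGS = {2: {(HOST_A, IP_A)}, 3: {(HOST_B, IP_B)}}
TRUSTED = frozenset({1})


def scenario() -> dict:
    return {
        # Host A legitimately asks for the router's MAC.
        "legit_request": inspect(2, build_arp(BROADCAST, HOST_A, ARP_REQUEST,
                                              HOST_A, IP_A, ZERO_MAC, IP_R), BINDINGS, TRUSTED),
        # Host A answers a request from host B.
        "legit_reply": inspect(2, build_arp(HOST_B, HOST_A, ARP_REPLY,
                                            HOST_A, IP_A, HOST_B, IP_B), BINDINGS, TRUSTED),
        # A reply from port 3 claiming the router's IP (problem 5): no such binding on port 3.
        "spoofed_reply": inspect(3, build_arp(HOST_A, HOST_B, ARP_REPLY,
                                              HOST_B, IP_R, HOST_A, IP_A), BINDINGS, TRUSTED),
        # A reply whose Ethernet source does not match its ARP sender address.
        "header_mismatch": inspect(3, build_arp(HOST_A, ROUTER, ARP_REPLY,
                                                HOST_B, IP_R, HOST_A, IP_A), BINDINGS, TRUSTED),
        # The real router replies on the trusted uplink and is not inspected.
        "router_reply": inspect(1, build_arp(HOST_A, ROUTER, ARP_REPLY,
                                             ROUTER, IP_R, HOST_A, IP_A), BINDINGS, TRUSTED),
        "truncated": inspect(3, b"\x00" * 20, BINDINGS, TRUSTED),
    }
```

The order of the checks matters: a frame whose ARP sender address disagrees with its Ethernet source is rejected before the binding lookup, so the binding table is only ever consulted with self-consistent frames, and malformed or truncated packets are dropped without being interpreted at all.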


(6) Loop attack


A user can also install a switch at home, deliberately plug both ends of one network cable into that switch to form a loop, and then connect the home switch by another cable to a switch in the network. Once a loop exists, MAC address learning throughout the network is disrupted, the switches forward data incorrectly, and the entire network is paralyzed.
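A managed switch can catch the loop described above before MAC learning is disrupted by sending a probe frame that carries its own identity out of every port and error-disabling any port on which that probe comes back. The simulation below is an added example written for this article, not a vendor's loop-detection implementation; the device names, port numbers and cabling are constructed. The unmanaged home switch floods whatever it receives, so once one cable joins two of its ports, the core switch's probe returns on the port the home switch is plugged into.

```python
"""Probe-based loop detection, simulated. A managed switch sends a probe frame
carrying its own identity out of every port; an unmanaged switch floods
whatever it receives. If the probe ever comes back to the managed switch, the
port it returned on is put into error-disabled state. Topology is constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    switch_id: str
    origin_port: int


class ManagedSwitch:
    def __init__(self, switch_id, ports):
        self.id, self.ports = switch_id, list(ports)
        self.errdisabled = set()

    def probes(self):
        return [(p, Probe(self.id, p)) for p in self.ports]

    def receive(self, port, probe):
        if probe.switch_id == self.id:           # our own probe came back: a loop
            self.errdisabled.add(port)
        return []                                 # probes are never forwarded on


class UnmanagedSwitch:
    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, port, probe):
        return [(p, probe) for p in self.ports if p != port]   # plain flooding


def link_map(links):
    """Bidirectional (device, port) -> (device, port) lookup built from cables."""
    far = {}
    for a, b in links:
        far[a], far[b] = b, a
    return far


def detect_loops(core, devices, links, max_events=500):
    """Returns (error-disabled ports, events processed). A looping topology
    never drains the queue, so the run is bounded by max_events."""
    far = link_map(links)
    queue = deque()
    for port, probe in core.probes():
        if (core.id, port) in far:
            queue.append((far[(core.id, port)], probe))
    events = 0
    while queue and events < max_events:
        (dev, port), probe = queue.popleft()
        events += 1
        for out_port, p in devices[dev].receive(port, probe):
            if (dev, out_port) in far:            # unconnected ports just drop
                queue.append((far[(dev, out_port)], p))
    return core.errdisabled, events


def scenario(looped):
    core = ManagedSwitch("core", [1, 2, 3, 4])
    devices = {"core": core,
               "home": UnmanagedSwitch([1, 2, 3, 4]),     # the user's home switch
               "office": UnmanagedSwitch([1, 2, 3, 4])}   # a normal access switch
    links = [(("core", 1), ("home", 1)), (("core", 2), ("office", 1))]
    if looped:
        links.append((("home", 2), ("home", 3)))   # one cable, both ends in the home switch
    return detect_loops(core, devices, links)


if __name__ == "__main__":
    print("healthy:", scenario(False))
    print("looped: ", scenario(True))
```

In the healthy topology the probes are absorbed after a couple of forwarding events; with the looped cable the home switch keeps re-flooding the probe indefinitely, the core switch sees its own probe return on port 1 and shuts that port, and the event cap is what ends the simulation. Real switches pair this with spanning tree, but a user's unmanaged switch does not participate in spanning tree, which is why the probe is useful on access ports.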


That is all the content on the six security issues of industrial switches. Thank you for reading, and I hope it helps.