Six safety issues about industrial Ethernet switches

2017-02-23

Industrial Ethernet is a high-efficiency LAN technology and an important part of modern industrial automation: whether it is transmitting sensor data or controlling production equipment, the control network runs over Ethernet. This is why industrial Ethernet switches are used more and more in industrial automation networks.

Modern industry usually relies on professional industrial Ethernet switches to assign different priorities to Ethernet frames, so that the most important messages are delivered as fast as possible.

Looking at recent trends in Ethernet switch technology, as enterprise data communication has developed, Ethernet switches have come to play an important role in most fields, and their quality and performance keep improving.

As the technology keeps improving, industrial Ethernet becomes more capable and automated production runs more smoothly, which pushes production efficiency forward by a big step.

Currently, power and rail transit are the key application fields in the industrial Ethernet switch market, taking a 70% market share. In China there are around 50 active manufacturers in the Ethernet switch market, and the market is growing fast. We can expect more and more companies to enter this field, and the competition will be fierce.

First of all, speed is an important measure of network performance, and it is also an important direction for Ethernet switches. Speeds have moved from 100M/1000M to 10 Gigabit, which meets current requirements and gives users an excellent experience.

Nowadays the demand for bandwidth keeps growing, for example for huge data transmission channels and for high-bandwidth convergence in metropolitan area networks (MANs).

Secondly, intelligence. The intelligence meant here is not only intelligent management of the switch itself, but also support for more and more intelligent business models. As new network applications and mixed-service requirements become urgent, a single switch needs more functions to support more requirements. At the same time, intelligent switches manage the network together, which lowers the cost of maintenance and installation.

Along with the development of Ethernet switches, security is an important part. Currently we have to face the following situations:

Broadcast storm attack

If a malicious user is allowed to send broadcast or multicast traffic in large volumes, or unicast frames whose destination MAC address is wrong (unknown to the switch), the switch will flood and forward that traffic. If the switch does not support rate control of flooded traffic, the network bandwidth will be filled with this junk traffic and normal users will be unable to reach the Internet.

Therefore, the switch needs to support a per-port transmission rate limit for flooded traffic.

Traffic flood attack

A malicious user is able to send a large volume of traffic towards the router. This traffic passes from the switch to the router and takes up most of the bandwidth of the uplink port, so other users get very slow Internet speeds.

Therefore, the switch needs to limit the rate of each port. Otherwise a malicious user is able to attack the network and affect the other users on it.

MAC address flooding attack

When a switch forwards a frame it uses the MAC address as the index; if the destination MAC address of the frame is unknown, the switch floods the frame to the whole network. A malicious user can exploit this by sending lots of junk frames whose source MAC address keeps changing. Because the switch has to keep learning MAC addresses and the capacity of its MAC table is limited, once the table is full the old MAC entries are overwritten by new ones. After that, when the switch receives normal traffic from the router it cannot find an entry in the MAC table and has to flood the traffic to the whole network, which makes forwarding very inefficient.

Therefore, the switch needs to limit the number of MAC addresses each port can learn. Otherwise the whole network will behave like a hub network.

MAC spoofing attack

To attack the network and bring it down, a malicious user can change his MAC address to the router's MAC address (MAC-X) and then send frames to the switch continuously (no large volume is needed; one frame per second is enough). The switch will update its MAC-X entry and believe that MAC-X is located on the port connected to the malicious user. From this moment, when other users send traffic to the router, the switch delivers it to the malicious user instead, so the users sending normal traffic cannot use the Internet properly (in fact, all users on this network lose Internet access).

Therefore, the switch should support binding between MAC addresses and ports; otherwise a malicious user can easily bring the network down. Alternatively, the switch should bind each port that is allowed to access the network to its source MAC address. With this, the malicious user cannot use MAC spoofing to attack the network.
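The following is an added example, not code from the article or from any switch vendor: a toy model of a switch's MAC table showing both the MAC flooding and the MAC spoofing cases above, first with unlimited learning and then with the per-port learning limit and static MAC-to-port binding the text recommends. Table size, port numbers and MAC addresses are constructed.

```python
from collections import OrderedDict

# Constructed addresses from the documentation range; no real device is referenced.
ROUTER_MAC, HOST_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"

class Switch:
    def __init__(self, table_size, max_per_port=None, static=None):
        self.table_size = table_size      # total MAC table capacity
        self.max_per_port = max_per_port  # per-port learning limit; None = unlimited (vulnerable)
        self.static = static or {}        # MAC -> port bindings that learning can never overwrite
        self.table = OrderedDict()        # learned MAC -> port, oldest entry first

    def learn(self, src_mac, port):
        """Update the table from a frame's source MAC; False means port security drops it."""
        if src_mac in self.static:
            return self.static[src_mac] == port   # a bound MAC seen on another port is a spoof
        if src_mac in self.table:
            self.table.move_to_end(src_mac)
            self.table[src_mac] = port
            return True
        if self.max_per_port is not None and \
                sum(p == port for p in self.table.values()) >= self.max_per_port:
            return False                          # this port already learned its quota
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)        # table full: oldest entry is overwritten
        self.table[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port, "flood" for an unknown destination, or "drop"."""
        if not self.learn(src_mac, in_port):
            return "drop"
        out = self.static.get(dst_mac, self.table.get(dst_mac))
        return "flood" if out is None else out

def mac_flood_outcome(max_per_port=None):
    """Egress of a host frame to the router after port 3 sends 1000 frames with fake source MACs."""
    sw = Switch(table_size=256, max_per_port=max_per_port)
    sw.forward(ROUTER_MAC, HOST_MAC, in_port=1)           # router is learned on port 1
    for i in range(1000):                                  # constructed junk traffic
        sw.forward("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), HOST_MAC, in_port=3)
    return sw.forward(HOST_MAC, ROUTER_MAC, in_port=2)

def mac_spoof_outcome(bind_router=False):
    """Egress of a host frame to the router after port 3 sends one frame with the router's MAC."""
    sw = Switch(table_size=256, static={ROUTER_MAC: 1} if bind_router else None)
    sw.forward(ROUTER_MAC, HOST_MAC, in_port=1)
    sw.forward(ROUTER_MAC, HOST_MAC, in_port=3)           # source MAC spoofed as the router
    return sw.forward(HOST_MAC, ROUTER_MAC, in_port=2)
```

Without the limit the router's entry is evicted and traffic to it is flooded (hub behaviour); without the binding the router's entry is moved to port 3 and the host's traffic is delivered to the attacker's port.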

ARP spoofing attack

A malicious user is able to launch an ARP spoofing attack, meaning that no matter which IP address an ARP request asks for, he sends an ARP reply. As a result, the traffic of other users is sent to the malicious user's MAC address, and those users cannot use the Internet normally.

Therefore, the switch should support binding between ports and IP addresses. When it receives an ARP request or ARP reply and the address in the packet differs from the IP bound to that port, the switch discards the packet. Otherwise the network will crash.
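An added example of the port-to-IP binding check described above (not code from the article or any vendor): each access port is bound to one IP/MAC pair, ARP messages whose sender fields do not match the binding are dropped, and drops are counted per port so a port that answers every request stands out. The binding table and the ARP messages are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    port: int          # ingress switch port
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str

# Constructed binding table: the one (IP, MAC) pair allowed to speak ARP on each access port.
BINDINGS = {
    1: ("192.0.2.1", "00:00:5e:00:53:01"),    # router
    2: ("192.0.2.10", "00:00:5e:00:53:02"),   # host A
    3: ("192.0.2.11", "00:00:5e:00:53:03"),   # host B
}

def inspect_arp(msg, bindings=BINDINGS):
    """Return "forward" if the sender fields match the port's binding, else "drop"."""
    bound = bindings.get(msg.port)
    if bound is None:
        return "drop"                            # no binding: trust nothing from this port
    return "forward" if (msg.sender_ip, msg.sender_mac) == bound else "drop"

def filter_arp(messages, bindings=BINDINGS):
    """Apply inspect_arp to a batch; returns (forwarded messages, drops per port)."""
    forwarded, drops = [], Counter()
    for m in messages:
        if inspect_arp(m, bindings) == "forward":
            forwarded.append(m)
        else:
            drops[m.port] += 1                   # many drops on one port: it is answering for others
    return forwarded, dict(drops)

SAMPLE = [  # constructed traffic
    Arp(2, "request", "00:00:5e:00:53:02", "192.0.2.10", "192.0.2.1"),  # host A asks for the router
    Arp(1, "reply", "00:00:5e:00:53:01", "192.0.2.1", "192.0.2.10"),    # router's genuine reply
    Arp(3, "reply", "00:00:5e:00:53:03", "192.0.2.1", "192.0.2.10"),    # port 3 claims the router's IP
    Arp(3, "reply", "00:00:5e:00:53:03", "192.0.2.10", "192.0.2.1"),    # port 3 claims host A's IP too
]
```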

Network loop attack

A user installs a switch and deliberately connects both ends of a cable to that switch, creating a loop. He then connects this switch with a cable to other switches in the network, so the loop now spans the whole network; MAC address learning in the network becomes a mess, the switches make mistakes when forwarding frames, and the network crashes.

Therefore, the switch should provide a loop detection function. When a loop is detected on any port, that port should be shut down.