AT-8500 L2+ Switches and Network Security
DESCRIPTION
AT-8500 L2+ Switches and Network Security. Managed Fast Ethernet Switches with Denial of Service (DoS) Attack Protection. Agenda: The Security Issue; AT-8500 Overview; Market Applications; Security in further detail (DoS attack prevention, Security Tools); QoS.
TRANSCRIPT
AT-8500 L2+ Switches and Network Security
Managed Fast Ethernet Switches with Denial of Service (DoS) Attack Protection
Agenda
– The Security Issue
– AT-8500 Overview
– Market Applications
– Security in further detail
  – DoS attack prevention
  – Security Tools
– QoS
– 802.1s (MSTP)
– Q & A
Network Security: What are the Issues?
Viruses and network attacks are growing at an alarming rate:
– Volume of viruses increasing at 40% pa
– New methods of spreading viruses
– Companies experience approx. 38 attacks per week on average
– Growing numbers of peer-to-peer and instant messaging programs and remote workstations open up new ways of spreading malicious code
– Staff misuse accounts for 7% of the total (DTI)
– DoS attacks (accidental and deliberate): a 25% increase over the past 12 months (Silicon.com)
– The MS Blast worm was blamed for 33% of all infections in small firms and 50% in larger companies
AT-8500 Overview
AT-8500 Layer 2 Managed Switch (Aggregation/Edge/Wiring Closet)
– 1 RU form factor, 19” rack mountable
– 10/100 modular, with 2 modular bays
– Medium to high port densities: 16, 24 and 48 port configurations
– 16 port AT-8516F SC/LC version for longer distance deployments or added security
– Content aware switch provides more intelligence at the edge for important applications (QoS and DoS prevention, ACLs)
– Fully managed switch: SNMP, Secure Web (SSL) and Secure Telnet (SSH)
AT-8500 L2+ switches – One further layer of protection
– Pre-programmed to detect six well known DoS attacks
– Complements WAN firewall and PC anti-virus measures
– Data is encrypted for maximum security
Additional security features
• SSL and SSH
• 802.1x
• L2-L4 Access Control List
• Radius and TACACS+
– Provides the ability to deploy ‘Tiered Security’ to unsecured areas
– Only authorised individuals can access the network
– Intelligent chip-set recognises a DoS attack and restricts traffic to neutralise the threat
8500 Educational Application
Educational Concerns
Security – by their nature, educational networks are very susceptible to machine compromises and intrusion
– DoS attack prevention
– Implementing effective security policies
Multicast – distance learning applications and machine imaging
– IGMP Snooping v1 and v2
Ease of management for mobile students
– Dynamic VLANs
– Enhanced Stacking for large switch deployments
[Diagram: a wiring closet serving Classroom, Computer Lab, Library & Multimedia and Administration, uplinked to the MDF]
8500 Enterprise Application
Enterprise Concerns
Security – must protect the integrity of the network and data, and ensure network uptime for productivity
– DoS attack prevention
– Implementing effective security policies
Redundancy – network uptime is critical
– STP, RSTP, MSTP
QoS – VoIP and other time sensitive services
– 802.1p and QoS
VLAN network segmentation
– 802.1q: bridge network segments across switch boundaries securely
Multicast – video conferencing and shared whiteboard applications
– IGMP Snooping v1 and v2
Management in the wiring closet
– Enhanced Stacking
[Diagram: wiring closet desktops carrying VoIP and data (QoS) plus video and multicast, uplinked to the MDF]
8500 Financial Institution Application
Financial Institution Concerns
Security – preserve the integrity of the network to ensure maximum availability
– DoS attack prevention
– Implementing effective security policies
– STP, RSTP, MSTP
– “Fiber to the Desktop” with the AT-8516F SC/LC
– VLAN 802.1q
[Diagram: wiring closet desktops, account data and file servers, uplinked to the MDF]
8500 Security – DoS attack prevention
Importance of a modern day secure network
– 2003 was a record year for worms, hacker attacks and viruses
– Experts already estimate that 2004 will surpass 2003 (Mydoom has already made big headlines this year)
– Worms are predicated on the idea of self-propagating code specifically built with various intentions, mostly to cause harm and detriment to computers and networks. A popular use of worms is the propagation of DoS and DDoS attacks
– DoS attacks cost millions of dollars each year in terms of lost revenue, damaged reputation and lost productivity
– Every network is prone to being affected by DoS attacks, some more than others because of their inherent structure and users
– There are many ways of securing networks and mitigating the impact of DoS attacks and the spread of worms
– Effective means of preventing worms and stopping DoS attacks are the creation of good security policies, and these policies start at the edge of the network
DoS Attacks
DoS attacks come in various forms and modes of operation:
– Overwhelming consumption of finite system resources so that legitimate users cannot use them
– Capitalizing on a system bug or flaw that will interrupt service or bring the system down
Detect and perform action
– Implement algorithms to detect violations; once a violation is detected, log the event, rate limit, or drop the traffic
AT-8500 protects networks against the 6 most popular DoS style attacks
6 Most Common DoS Attacks
SYN-Flood
– Target machine: will suffer reduced performance and may not be able to service real connections, resulting in perceived downtime
– Sending machine: the network will forward thousands of packets per second, impacting network performance
LAND – target machine will crash or hang
IP Options – this attack will cause the target machine to crash
Teardrop – target machine crashes
SMURF
– Receiver: the attack will degrade network performance
– Sender: may create bottlenecks in small bandwidth pipes like T1s on the sender's network
Ping of Death – will cause the device under attack to crash when attempting to reassemble the oversized payload
Sample DoS Attack
[Diagram: an infected host on 192.168.0.0/24 sends "ping 255.255.255.255" with source IP 63.25.21.5 (spoofed); attack types shown are SYN-Flood, SMURF and UDP flood, in four numbered steps. A source IP filter will prevent the spoofed ping packet; otherwise echo replies will congest the uplinks due to amplification.]
How to implement a Security Policy
Security Policy
– Determine a level of security that is acceptable to protect the network while still providing an acceptable level of service to users
– Documentation and communication of written policies and procedures to direct and inform users of acceptable usage and security practices
– Technology that enforces that level of security
Tools that help administrators implement effective security policies for management and access:
– SSH & SSL: secure remote management of the switch; encrypts the management session so that important information cannot be snooped
– Radius & TACACS+: authentication; provides user level authentication and accounting functions
– 802.1x: limits who can and cannot enter the network
– Port Security: restrictions on the MAC addresses learned per port
– L2-4 ACLs: enables network administrators to implement access lists to limit access to the switch, usage, or any definable L2-4 criteria
– Logging: logs events and traps to systems locally or remotely via syslog
– Management Access Control: controls and limits management access to the switch by IP address
AT-8500 QoS
End-to-End QoS Domain: QoS enables you to prioritize traffic, reducing latency and jitter. Two important functions exist in a QoS system:
– Classify traffic
– Perform action
AT-8500 QoS
– Classify traffic according to: flows (SA/DA and port numbers), addresses (SRC/DEST IP address, subnets), protocols (TCP, UDP, HTTP, FTP, etc.), VLANs
– Ingress: perform the following actions: tag packet, drop traffic, rate limit
– Egress: AT-8500 supports 4 priority queues and 2 scheduling mechanisms for queuing traffic, WRR and Strict
AT-8500 QoS
AT-8500 QoS capabilities mark 802.1p priorities
– Based on broadly classified traffic filters, 802.1p priorities can be set for all 8 levels (but only 4 queues)
– Finer classification and definition of prioritized traffic can mark the IP TOS field
– Important to provide end-to-end QoS over a layer 3 network
– Can perform actions based on either field and translate from 802.1p to IP TOS and vice versa
Strict and WRR policies allow more flexibility in scheduling
– Strict scheduling could be used for critical traffic such as network control traffic, and to de-prioritize ICMP and other non-critical network traffic
– WRR allows the network administrator to weight each of the 4 queues
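The 8-priorities-into-4-queues folding, the 802.1p/IP TOS translation and the two egress schedulers described above, as an added example (not Allied Telesyn code): the 2-to-1 priority-to-queue mapping, the WRR weights and the sample frames are assumptions.

```python
from collections import deque

def queue_for_priority(pcp):
    """Fold an 802.1p priority (0-7) onto queues 0 (lowest) .. 3 (highest), two priorities
    per queue. This 2-to-1 mapping is an assumption, not the AT-8500's documented table."""
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0..7")
    return pcp // 2

def tos_from_pcp(pcp):
    """802.1p -> IP TOS: the 3-bit priority becomes the IP precedence field (TOS bits 7-5)."""
    queue_for_priority(pcp)            # reuse the range check
    return pcp << 5

def pcp_from_tos(tos):
    """IP TOS -> 802.1p: read the precedence bits back out of the TOS byte."""
    return (tos >> 5) & 0x7

def enqueue(frames):
    """frames: list of (name, pcp). Returns the four egress FIFOs keyed by queue number."""
    queues = {q: deque() for q in range(4)}
    for name, pcp in frames:
        queues[queue_for_priority(pcp)].append(name)
    return queues

def strict_schedule(frames):
    """Strict priority: always transmit from the highest non-empty queue, so lower queues
    wait until every higher queue has drained (ICMP starves behind control traffic)."""
    queues, out = enqueue(frames), []
    while any(queues.values()):
        q = max(i for i, d in queues.items() if d)
        out.append(queues[q].popleft())
    return out

def wrr_schedule(frames, weights=(1, 1, 2, 4)):
    """Weighted round robin: each pass sends up to weights[q] frames from each queue, highest
    first, so even queue 0 gets a turn every pass. The weights are assumed values."""
    queues, out = enqueue(frames), []
    while any(queues.values()):
        for q in (3, 2, 1, 0):
            for _ in range(weights[q]):
                if queues[q]:
                    out.append(queues[q].popleft())
    return out

# Constructed sample: five network-control frames (802.1p 7), one voice frame (5), two ICMP (0).
SAMPLE_FRAMES = [("icmp1", 0), ("ctl1", 7), ("ctl2", 7), ("ctl3", 7),
                 ("ctl4", 7), ("ctl5", 7), ("icmp2", 0), ("voice1", 5)]

if __name__ == "__main__":
    print("strict:", strict_schedule(SAMPLE_FRAMES))
    print("wrr:   ", wrr_schedule(SAMPLE_FRAMES))
```

With the sample, strict sends all five control frames before the first ICMP frame, whereas WRR lets icmp1 out after four control frames.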
MSTP
Multiple Spanning Tree Protocol
– Effective feature for large switch environments utilizing complex or numerous VLAN configurations
– Much easier to manage such an environment using MSTP than STP or RSTP
– Utilizes 802.1q tagged ports efficiently throughout your network backbone
– Supports multiple instances of Spanning Tree in a bridged domain
– Features rapid convergence like RSTP
– Provides flexibility to deploy VLANs where needed, and at the same time provides L2 redundancy via backup links
  – Configure 802.1q ports with the pertinent VLANs, not all VLANs
  – Isolate VLANs to certain areas of the network rather than spanning all switches
MSTP Example Configuration
[Diagram: with STP/RSTP, VLANs 1, 2 and 3 share one spanning tree; with MSTP, VLAN 1 maps to MSTI 1, VLAN 2 to MSTI 2 and VLAN 3 to MSTI 3, each with its own forwarding and blocked links]
IEEE 802.1s (Multiple Spanning Tree)
– Old Spanning Tree 802.1D – STP: allows all or blocks all VLANs coming from a port; slow convergence
– 802.1w – RSTP: allows all or blocks all VLANs coming from a port
– Non standards-based PVST: consumes too much CPU time and network bandwidth (with control traffic)
– 802.1s advantages: eliminates all the limitations mentioned above
Summary
Main Points
Security, Security, Security
– Help make your clients understand the importance of security policies, and how the AT-8500 can help enforce effective security policies at the edge
– Check the appendix for links to informative sites
AT-8500 Layer 2+ with Layer 2-4 awareness
– Allows more effective security policies at the edge
– End-to-End QoS
DoS attack prevention
– Protects against 6 common DoS style attacks
– Useful features to implement effective security policies
MSTP – more flexibility for large enterprises or layer 2 networks
8500 Competitive Overview
• HP ProCurve 2626, 2626PWR and 2650
• Cisco Catalyst 2950 24/48 ports
• 3Com SuperStack 4400 24/48 ports and PWR
• D-Link DES3526, 3550
Selling Against HP ProCurve 2600
Models:
– 2626: 24p 10/100 + 2 SFP or 2 GIG
– 2626-PWR: 24p 10/100 POE + 2 SFP or 2 GIG
– 2650: 48p 10/100 + 2 SFP or 2 GIG
Their Deficiencies Compared to Allied Telesyn
HP overview: not an “End-to-End” networking company
HP ProCurve: L2 switch with IP “static routing”
– No advanced L2+ features
– No DoS attack protection and no ACL
– No revenue generating service feature (ingress rate limiting)
Limited model selection:
– No model with Base FX port
– No model with modular uplink slot
– No DC model
– RPS for PWR models only
Selling Against Cisco Catalyst 2950
Models:
– 2950-24-SI: 24p 10/100
– 2950SX-24-SI: 24p 10/100 + 2 fixed 1000BaseSX
– 2950SX-48-SI: 48p 10/100 + 2 fixed 1000BaseSX
Their Deficiencies Compared to Allied Telesyn
Cisco overview: premium pricing for both the Standard and Enhanced Image
Cisco Catalyst 2950: the most expensive switch in its class
– No DoS attack protection and no ACL
– Only 64 VLANs supported
– No WRR
– No 802.1s, no 802.1w
Limited model selection:
– No model with Base FX port
– No model with modular uplink slot
– DC model is offered on only one model, with 24 Base-TX ports
– No POE version
Blocking architecture: the Cat 2950 is based on the Broadcom 5615 – each chip supports 24 TX ports + 1 GIG uplink channel. The 8500 is based on the Broadcom 5645 – a non-blocking architecture; each chip supports 24 TX ports + a 2.5 GIG uplink channel
Selling Against 3Com
Models:
– 4400SE-24: entry level, L2 only, 24p 10/100 with 2 modules
– 4400-24: L2/L4 24p 10/100 with 2 modules
– 4400FX-24: L2/L4 24p 100FX with 2 modules
– 4400-PWR: L2/L4 24p POE 10/100 with 2 modules
– 4400-48: L2/L4 48p 10/100 with 2 modules
Their Deficiencies Compared to Allied Telesyn
3Com overview: focused on business consolidation and not on product creation; revenue dropping
3Com SuperStack: expensive stacking support
– Requires an optional stacking module and cable for each switch (list price: $450)
– Limited to 192 ports per stack
No DoS attack protection and no ACL
Limited feature sets
– No 802.1s (Multiple Spanning Tree)
No revenue-generating service features
– No ingress rate limiting
Limited model selection:
– No DC model
– No pluggable optic support (GBIC or SFP)
Selling Against D-Link
Models:
– 3526: 24p 10/100 with 2 combo GIG copper/SFP
– 3526DC: 24p 10/100 DC with 2 combo GIG copper/SFP
– 3550: 50p 10/100 with 2 combo GIG copper/SFP
Their Deficiencies Compared to Allied Telesyn
D-Link overview: traditionally more of a SOHO/SMB manufacturer
D-Link 3500:
– No DoS attack protection
– No revenue generating service features: no ingress rate limiting
Limited model selection:
– No POE version
– No model with Base FX port
Summary – competitive comparison (one record per vendor; the original slide is a five-column table)

ATI AT-8500
– Category: L2-4 aware with DoS-attack protection
– Comparable models: 8524M and 8550GB/SP – 24 or 48TX + 2 expansion slots – standard s/w
– S/W comments: only 1 s/w option available; expansion modules are needed

Cisco Catalyst 2950
– Category: L2-4 aware
– Comparable models: 2950SX-24-SI and 2950SX-48-SI – 24 or 48TX + 2 SX slots – standard image
– S/W comments: 2 s/w options available (SI & EI); SI (standard image) is comparable to S62; expansion modules not needed

3Com III 4400
– Category: L2-4 aware
– Comparable models: 4400 with 24 or 48 ports – 24 or 48TX + 2 expansion slots – standard s/w
– S/W comments: 2 s/w options available (standard & SE); standard s/w is comparable to S62; 4400SE has fewer features than S62; expansion modules needed

D-Link 3500
– Category: L2-4 aware
– Comparable models: 3500 with 24 or 48 ports – 24 or 48TX + 2 SX slots or 2 1000T – standard s/w
– S/W comments: only 1 s/w option available; expansion modules are not needed

HP ProCurve 2600
– Category: L2+ but no DoS attack protection, no ACL, no rate limiting; static routing
– Comparable models: 2626 and 2650 – 24TX or 48TX + 2 SX slots or 2 1000T – standard s/w
– S/W comments: only 1 s/w option available; expansion modules are not needed
Q & A
Appendix A1 – ACL Parameters
– <protocol>: layer 3 protocol in the frame header or layer 4 protocol in the IP header
– <ip> <wildcard>: specifies a network address; any can replace any <ip> <wildcard>
– <precedence>: precedence field in the IP header
– <tos>: Type of Service field in the IP header
– <icmp-type>: for an ICMP message
– <icmp-code>: for an ICMP code
– <icmp-message>: for a combined ICMP message and code
– <igmp-type>: for an IGMP message
– eq <port>: destination port number in the TCP/UDP header
– eq <protocol>: ACL applicable to an application protocol allowed
– no-<protocol>: no application protocol allowed
– <time-range-id>: ACL is only effective in the specified time range
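A small matcher for the ACL parameter syntax listed above, added here as an example rather than the switch's own implementation; the inverse-mask wildcard semantics, the first-match-wins order with implicit deny, and the sample entries are assumptions.

```python
import ipaddress

def ip_matches(addr, spec):
    """spec is 'any' or '<ip> <wildcard>'. Assumed semantics: a 1 bit in the wildcard
    means 'don't care', so '192.168.0.0 0.0.0.255' matches the whole /24."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def entry_matches(entry, pkt):
    """Every parameter present in the entry must match the packet; absent parameters are wildcards."""
    if entry.get("protocol", "ip") not in ("ip", pkt["protocol"]):
        return False
    if not (ip_matches(pkt["src"], entry.get("src", "any"))
            and ip_matches(pkt["dst"], entry.get("dst", "any"))):
        return False
    for key in ("eq_port", "precedence", "tos", "icmp_type"):   # exact-match parameters from A1
        if key in entry and pkt.get(key) != entry[key]:
            return False
    if "time_range" in entry:                                    # assumed form: (start_hour, end_hour)
        start, end = entry["time_range"]
        if not start <= pkt.get("hour", 0) < end:
            return False
    return True

def evaluate(acl, pkt):
    """Walk the list in order; the first matching entry decides. Implicit deny is assumed."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"

# Constructed sample ACL: no plain Telnet into the management subnet (SSH is still allowed),
# FTP only from the lab /16 during working hours, everything else permitted.
SAMPLE_ACL = [
    {"action": "deny", "protocol": "tcp", "src": "any", "dst": "192.168.0.0 0.0.0.255", "eq_port": 23},
    {"action": "permit", "protocol": "tcp", "src": "10.1.0.0 0.0.255.255", "dst": "any",
     "eq_port": 21, "time_range": (8, 18)},
    {"action": "deny", "protocol": "tcp", "src": "any", "dst": "any", "eq_port": 21},
    {"action": "permit", "protocol": "ip", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "10.1.5.7", "dst": "192.168.0.10", "eq_port": 23, "hour": 10}
    print(evaluate(SAMPLE_ACL, pkt))
```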
Appendix B1 – DoS Attacks
SYN-Flood Attack
Definition:
– A DoS attack which attempts to overwhelm a system's resources by tying up memory through initiating half-open connections, therefore denying connections to legitimate traffic.
Impact:
– Two ways: the target machine will suffer reduced performance and may not be able to service real connections, resulting in perceived downtime. The sending machine will forward thousands of packets per second, impacting machine performance and possibly network performance.
Solutions:
– These attacks use spoofed addresses; restrict the use of spoofed addresses originating from switch ports. Set a threshold for the number of SYN packets received in a specified amount of time. A violation will cause a trap and port connections to be throttled.
Appendix B2 – DoS Attacks
SMURF Attack
Description:
– Sending spoofed packets to an IP broadcast address in an attempt to overwhelm the device whose address is being spoofed
Impact:
– Receiver: the attack will degrade network performance. Sender: may create bottlenecks in small bandwidth pipes like T1s on the sender's network.
Solution:
– Disable ICMP directed broadcasts on the network.
– Sender networks should not allow packets with a spoofed address in the SA to leave the network.
Appendix B3 – DoS Attacks
Ping of Death
Description:
– Attempts to destabilize a network device by sending an ICMP Echo request with an oversized payload that has to be fragmented
Impact:
– Will cause the device under attack to crash when attempting to reassemble the oversized payload
Solution:
– Sampling technique to sample streams of fragmented packets and make sure they do not violate IP payload sizes.
Appendix B4 – DoS Attacks
Teardrop
Description:
– Attack that capitalizes on vulnerable TCP/IP stack implementations that cannot handle overlapping IP fragments
Impact:
– Target machine crashes
Solution:
– Sampling algorithm that checks IP fragmented packets for overlaps
Appendix B5 – DoS Attacks
LAND Attack
Description:
– Targets implementations of TCP/IP that are vulnerable to packets using the same IP SA/DA addresses
Impact:
– Target machine will crash or hang.
Solution:
– Filter all outgoing packets that have a source address from a different network, and all incoming packets that have a local source address
Appendix B6 – DoS Attacks
IP Options Attack
Description:
– This attack attempts to overwhelm the CPU with exceptions by sending packets with bad IP options.
Impact:
– This attack will cause the target machine to crash
Solution:
– Set a threshold for the number of packets with IP options, and once the rate of such packets crosses that threshold, alert the administrator.
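The six signatures from the "6 Most Common DoS Attacks" list and the solutions in Appendices B1 to B6, as an added defender-side classifier over constructed packet records (example code, not the AT-8500's own detection logic); the thresholds, the packet field names and the sample traffic are assumptions.

```python
from collections import defaultdict
import ipaddress

MAX_IP_PAYLOAD = 65535 - 20   # largest legal reassembled IPv4 payload (64 KiB minus the header)

def _in_window(times, now, window):
    """Drop timestamps older than `window` seconds and return how many remain."""
    times[:] = [t for t in times if now - t <= window]
    return len(times)

def find_dos(packets, local_net="192.168.0.0/24", syn_limit=3, opt_limit=3, window=1.0):
    """Return the set of attack names seen in `packets` (constructed dicts, one per packet).
    Thresholds and dict keys are assumptions, not AT-8500 parameters."""
    bcast = {"255.255.255.255", str(ipaddress.ip_network(local_net).broadcast_address)}
    hits, syn_times, opt_times, frags = set(), defaultdict(list), [], defaultdict(list)
    for p in sorted(packets, key=lambda x: x["ts"]):
        src, dst, now = p["src"], p["dst"], p["ts"]
        if src == dst:                                   # LAND: identical source and destination
            hits.add("LAND")
        if p.get("icmp_type") == 8 and dst in bcast:     # SMURF: echo request to a broadcast address
            hits.add("SMURF")
        if p.get("tcp_flags") == "S":                    # SYN-Flood: SYN rate per target over a window
            syn_times[dst].append(now)
            if _in_window(syn_times[dst], now, window) > syn_limit:
                hits.add("SYN-Flood")
        if p.get("ip_options"):                          # IP Options: rate of option-bearing packets
            opt_times.append(now)
            if _in_window(opt_times, now, window) > opt_limit:
                hits.add("IP Options")
        if "frag_off" in p:                              # fragment offset is in 8-byte units
            start, end = p["frag_off"] * 8, p["frag_off"] * 8 + p["len"]
            if end > MAX_IP_PAYLOAD:                     # Ping of Death: reassembly would exceed 64 KiB
                hits.add("Ping of Death")
            if any(start < e and end > s for s, e in frags[p["frag_id"]]):
                hits.add("Teardrop")                     # Teardrop: fragment overlaps an earlier one
            frags[p["frag_id"]].append((start, end))
    return hits

# Constructed sample traffic (not a capture): one instance of each of the six attacks.
SAMPLE = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.5", "tcp_flags": "S"},
    {"ts": 0.1, "src": "63.25.21.5", "dst": "192.168.0.255", "icmp_type": 8},
    *[{"ts": 0.2 + i / 100, "src": "10.0.0.9", "dst": "192.168.0.10", "tcp_flags": "S"} for i in range(5)],
    *[{"ts": 0.5 + i / 100, "src": "10.0.0.3", "dst": "192.168.0.20", "ip_options": True} for i in range(4)],
    {"ts": 1.0, "src": "10.0.0.9", "dst": "192.168.0.10", "frag_id": 7, "frag_off": 0, "len": 1480},
    {"ts": 1.1, "src": "10.0.0.9", "dst": "192.168.0.10", "frag_id": 7, "frag_off": 100, "len": 1480},
    {"ts": 1.2, "src": "10.0.0.9", "dst": "192.168.0.10", "frag_id": 8, "frag_off": 8180, "len": 100},
]
if __name__ == "__main__":
    print(sorted(find_dos(SAMPLE)))
```

In a switch the per-attack action would be the log, rate limit or drop named on the "Detect and perform action" slide; here the function only reports which signatures fired.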