

Network Security - Ensuring Information Availability

Introduction

The advent of the Internet and the huge array of connected devices has led to an insatiable demand for access to information when and where we need it. This has also changed the way we do business, with an ever increasing reliance on Information Technology resources and applications.

The security of these resources has become a principal concern for network administrators to ensure maximum availability of the corporate network and Internet access. The deployment of switched networks in the Enterprise provides high-speed access to applications and the sharing of information. Security on these switches is as important as that of servers and end user computer equipment. The switches are as integral to maintaining network security as they are to forwarding data.

There are a number of ways that the switching infrastructure maintains security in the modern network. Allied Telesis industry leading switching technology provides a comprehensive security suite and supports a multi-layered approach to safeguarding the network, users, and business critical information.

First, we will consider four areas where Allied Telesis switches can help ensure a reliable and secure network infrastructure, and then look at some common network attacks and how they are mitigated.

Multi-layered security

Providing a secure environment for the sharing of corporate information and broader online access requires a considered approach. When security is cohesively implemented in each of the following areas:

1) Network Infrastructure
2) Switch Management
3) Network Security Features
4) Network Access

the outcome is a resilient and reliable environment for access to online resources.

1) Network Infrastructure

The underlying network design is the starting point, providing a solid platform on which further switch features can secure network access and specific applications.

Dividing the LAN up into Virtual LANs (VLANs) reduces broadcast traffic on the network and simplifies management. VLANs group subsets of ports into virtual broadcast domains which are isolated from each other. This provides a scalable solution as the network grows, while limiting unnecessary traffic from using precious network bandwidth. It also allows management of network access, and application use, to be controlled for different groups of users who do not need to be located together physically. As frames are tagged (IEEE 802.1Q) as belonging to a specific VLAN, we can separate traffic into independent domains and the switch can manage it appropriately. As IP networking has found its way into an increasingly wide array of scenarios, the Allied Telesis VLAN implementation has kept pace with advanced features to meet the security needs of different market segments.

Private VLANs

Private VLANs block traffic between hosts in that VLAN. This is perfect, for example, in a Hotel environment where guests in each room can be provided with Internet access, while traffic between rooms is disallowed for security. In conjunction with other advanced security features, private VLANs can be used to tightly manage Layer 2 security in a switched environment.

Nested VLANs

Nested VLANs are used to overlay a private Layer 2 network over a public Layer 2 network. This allows a customer's LAN to spread to multiple locations in a city, as a second (outer) VLAN identifier is used to isolate customer traffic as it is tunnelled through the network Service Provider's infrastructure; the customer's own VLAN tags are carried unchanged inside it.


Figure 1: Virtual customer networks over shared Ethernet infrastructure

[Diagram: four tenants, each with their own Management, Sales and Service VLANs (VLAN A, B, C), connected through x600-24Ts and x900-24XT switches to a SwitchBlade x908 in the data center and to the Internet via an AR750S router. Each tenant's VLANs are carried as a separate QinQ VLAN (VLAN 2, 3, 4 ...) across the shared infrastructure.]

The tenant's VLAN structure is encapsulated in a single QinQ VLAN for secure high speed access across their own 'virtual' network to other office space, the data center and Internet.


2) Secure Switch Management

On top of a securely designed environment is the need to manage the various devices that constitute the overall network. Allied Telesis switches have a number of secure management options.

An out-of-band Ethernet management port is provided to separate management access from network traffic. When remotely logging in to monitor or manage a switch, Secure Shell (SSH) access provides confidentiality and integrity of the session, which Telnet and plain HTTP do not: both carry credentials and commands in cleartext. Switches can be further secured by disabling unused access services, for example the HTTP server and Telnet server, so that only the encrypted management paths remain reachable.

Network management systems use Simple Network Management Protocol (SNMP) to communicate with network switches and other devices. Allied Telesis support of SNMPv3 provides secure access with authentication and encryption of management data, unlike SNMPv1/v2c, whose community strings travel in the clear. Additionally, the Allied Telesis Graphical User Interface (GUI) utilises SNMPv3 for protected access when using this visual tool for monitoring and management.

To provide a detailed audit trail in the event of a suspected security breach, or other problem, a Syslog server can be configured so switch log messages are stored in a central network repository. Logs held off the switch remain available even if the switch itself is compromised, reset, or loses power.

3) Network Security Features

Allied Telesis switches provide numerous security features to enable a safe environment for sharing information. Let’s have a look at a few of these:

Port Security

The ability to limit the number of workstations (source MAC addresses) that are able to connect to specific ports on the switch is managed with Port Security. If these limits are breached, or access from unknown workstations is attempted, the port can do any or all of the following: drop the untrusted data, notify the network administrator, or disable the port. Further to this, specific ports can be set to only allow network access at specific times of day. For example, as shown in figure 2, a school can keep tight control over network access and application availability for students.

Figure 2: Port Security

[Diagram: a school network with servers on an x600 core switch, 8000S edge switches in the computer labs and classrooms, and an AR415 router to the Internet; links are shown as link aggregation, 1 Gigabit and 10/100. Network access is allowed between 8am and 4pm.]

Advanced port security options allow this school to control the times of day that access to online resources and the Internet is available.



Spanning tree protection

1) STP Root Guard allows the network administrator to securely enforce the topology of the spanning tree. A port with Root Guard enabled will not accept a superior BPDU that would make the device behind it the root bridge; instead the port is held in a root-inconsistent (blocked) state until the superior BPDUs stop. This prevents a malicious user from inserting a switch that claims to be the root and pulling traffic through it in order to access inappropriate data on the network.

2) BPDU Guard similarly increases the security of STP by allowing the network administrator to enforce the borders of the spanning tree. An edge port with BPDU Guard enabled is disabled as soon as any BPDU is received on it, keeping the active topology predictable.

Storm Protection

Use storm protection to reduce the adverse effects of any network loop that would otherwise swamp the network. There are three facets that together protect the network from storms.

1) Loop detection monitors traffic for the return of a loop detection probe packet and in the event of a problem can take a variety of actions including logging a fault, disabling a link, or disabling a port or VLAN.

2) Thrash limiting detects a loop if certain device hardware addresses are being rapidly relearned on different ports. In the event of a problem similar actions to loop detection can be taken.

3) Storm control limits the rate at which a port will forward broadcast, multicast or unknown unicast packets. This controls the level of traffic that a loop will cause to be flooded in the network.
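The three facets above, modelled in Python as an added example (this is not Allied Telesis code; the `LOOP-PROBE:` payload marker, the thresholds and the frame timings are constructed for illustration and are not the switch's real probe format or defaults):

```python
from collections import defaultdict, deque

# Added illustration, not Allied Telesis code. The probe marker, thresholds and
# traffic below are constructed; a real switch implements these in hardware.
PROBE_MARKER = b"LOOP-PROBE:"   # hypothetical payload marker for loop detection probes


class LoopDetector:
    """Sends a probe frame out a port and recognises it if it comes back on any port."""

    def __init__(self):
        self.outstanding = {}   # probe id -> port the probe was sent on

    def send_probe(self, port, probe_id):
        self.outstanding[probe_id] = port
        return PROBE_MARKER + probe_id.to_bytes(4, "big")

    def check(self, in_port, payload):
        """Return the originating port if `payload` is one of our own probes (a loop), else None."""
        if not payload.startswith(PROBE_MARKER):
            return None
        pid = int.from_bytes(payload[len(PROBE_MARKER):len(PROBE_MARKER) + 4], "big")
        return self.outstanding.get(pid)


class ThrashLimiter:
    """Flags a port when MAC addresses move onto it `moves` or more times within `window` seconds."""

    def __init__(self, moves, window):
        self.moves, self.window = moves, window
        self.location = {}                      # mac -> port it was last learned on
        self.move_times = defaultdict(deque)    # port -> timestamps of MAC moves onto that port

    def learn(self, mac, port, now):
        prev = self.location.get(mac)
        self.location[mac] = port
        if prev is None or prev == port:
            return False                        # first sighting or no move: nothing to flag
        q = self.move_times[port]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) >= self.moves             # True: port is thrashing, caller disables it


class StormControl:
    """Per-port token bucket limiting broadcast/multicast/unknown-unicast to `limit_pps`."""

    def __init__(self, limit_pps):
        self.limit = float(limit_pps)
        self.tokens = {}
        self.last_seen = {}

    def admit(self, port, now):
        elapsed = now - self.last_seen.get(port, now)
        self.last_seen[port] = now
        self.tokens[port] = min(self.limit, self.tokens.get(port, self.limit) + elapsed * self.limit)
        if self.tokens[port] >= 1.0:
            self.tokens[port] -= 1.0
            return True                         # forward
        return False                            # rate exceeded: drop


def simulate():
    """Run all three mechanisms against constructed events and return what each one caught."""
    loop = LoopDetector()
    thrash = ThrashLimiter(moves=3, window=1.0)
    storm = StormControl(limit_pps=5)
    results = {"loop_origin_port": None, "thrashing_ports": set(), "broadcast_dropped": 0}

    # 1) Loop detection: a probe sent out port 1 comes back in on port 2 (a cable loops 1 to 2).
    probe = loop.send_probe(port=1, probe_id=0x2A)
    results["loop_origin_port"] = loop.check(in_port=2, payload=probe)

    # 2) Thrash limiting: one host MAC is relearned alternately on ports 1 and 2, 100 ms apart.
    for i in range(6):
        port = 1 if i % 2 == 0 else 2
        if thrash.learn("aa:aa:aa:aa:aa:01", port, now=0.1 * i):
            results["thrashing_ports"].add(port)

    # 3) Storm control: 20 broadcasts arrive on port 3 within 100 ms against a 5 pps limit.
    for i in range(20):
        if not storm.admit(port=3, now=0.005 * i):
            results["broadcast_dropped"] += 1
    return results


if __name__ == "__main__":
    print(simulate())
```

Loop detection catches the loop with a single returned probe, thrash limiting needs the same MAC to flap several times, and storm control never detects the loop at all: it only bounds the damage by dropping the excess broadcasts (15 of the 20 here).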

Denial of Service (DoS) attack prevention

A DoS attack is an attempt to make online resources unavailable to users. There are a number of known DoS attacks that can be monitored, with detection options being to notify network administration and/or shut down the affected switch port.

DHCP Snooping

DHCP servers allocate IP addresses to clients, and the switch keeps a record (the DHCP snooping binding table) of the IP address, MAC address and port of each lease it sees issued. IP Source Guard checks traffic on untrusted ports against this DHCP snooping database, so only packets whose source IP (and optionally MAC) address matches a binding learned on that port are forwarded. DHCP snooping can be combined with other features, like Dynamic ARP Inspection, to increase security in layer 2 switched environments, and also provides a traceable history of which host held which address on which port, which meets the growing legal requirements placed on Service Providers.

Access Control Lists (ACLs) and Filters

Managing traffic volume and the types of traffic allowed on the network is essential to ensure high performance, guard against unwanted traffic, and provide continuous access to important data. Allied Telesis' powerful ACLs and filtering capability provide a mechanism for network traffic control, all handled in the switches' hardware so wire-speed performance is maintained.
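How an ordered ACL is evaluated, and the ordering mistake that most often undoes one, as an added Python example (not Allied Telesis code or configuration syntax; the rules, prefixes and packets are constructed):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration of ordered, first-match ACL evaluation; not Allied Telesis
# code or syntax. Rules and packets are constructed.


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                    # source prefix, e.g. "10.0.0.0/8"
    dst: str                    # destination prefix
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

    def covers(self, other):
        """True if every packet `other` could match is already matched by this rule."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        src_ok = ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
        dst_ok = ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(rules, pkt):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed policy: the sales VLAN may reach the web front end on 443 only;
# everything else from it to the server subnet is denied. The SSH rule at the
# end was added later and is dead: the deny above it already covers it.
ACL = [
    Rule("permit", "tcp", "10.20.0.0/16", "10.1.1.5/32", 443),
    Rule("deny", "ip", "10.20.0.0/16", "10.1.1.0/24"),
    Rule("permit", "tcp", "10.20.5.0/24", "10.1.1.0/24", 22),
]

if __name__ == "__main__":
    print(evaluate(ACL, {"proto": "tcp", "src": "10.20.5.9", "dst": "10.1.1.5", "dport": 443}))
    print(shadowed_rules(ACL))
```

Running `shadowed_rules` over a policy before it is pushed to hardware is a cheap check: a rule that is shadowed is either redundant or, as here, a sign that someone expected an exception to apply that never will.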

Figure 3: Tri-authentication

[Diagram: 802.1x authenticated, MAC authenticated and web authenticated devices (the access requestors) connect to an x600-24Ts tri-authentication capable switch (the policy enforcement point), which consults a Policy and RADIUS Server (the policy decision point).]

4) Controlling Network Access

The security issues facing enterprise networks have evolved over the years, with the focus moving from mitigating external attacks to reducing internal breaches and the infiltration of malicious software. This internal defence requires significant involvement with individual devices on a network, which creates greater overhead for network administrators. Allied Telesis lowers this overhead and provides an effective solution to internal network security by integrating advanced switching technology as a part of Network Access Control (NAC). In conjunction with NAC, Tri-authentication provides options for managing network access for all devices.

Network Access Control (NAC)

NAC allows for unprecedented control over user access to the network, in order to mitigate threats to network infrastructure. Allied Telesis switches use 802.1x port-based authentication in partnership with standards-compliant dynamic VLAN assignment (the RADIUS server returns the VLAN in its Access-Accept) to assess a user's adherence to network security policies and either grant access or place the device in a remediation VLAN. Furthermore, if multiple users share a port then multi-authentication can be used. Different users on the same port can be assigned into different VLANs, and so given different levels of network access. Additionally, a Guest VLAN can be configured to provide a catch-all for users who aren't authenticated.

Tri-authentication

Authentication options include alternatives to 802.1x port based authentication, such as web authentication to enable guest access, and MAC authentication for end points that do not have an 802.1x supplicant, as shown in figure 3. All three authentication methods - 802.1x, MAC-based and Web-based, can be enabled simultaneously on the same port (tri-authentication).
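The NAC and tri-authentication behaviour described in this section, as an added Python model (not Allied Telesis code): the RADIUS attribute numbers and values are the real ones from RFC 2868 and RFC 3580, while the user database, MAC addresses, VLAN numbers and the order in which the port tries the three methods are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added illustration of tri-authentication with RADIUS dynamic VLAN assignment.
# Not Allied Telesis code. Attribute numbers/values are from RFC 2868 / RFC 3580;
# the user, MAC and VLAN data are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


class PolicyServer:
    """Policy decision point: answers an Access-Request with Accept (plus VLAN) or Reject."""

    def __init__(self):
        self.dot1x_users = {"alice": ("s3cret", 10)}       # username -> (password, VLAN)
        self.mac_devices = {"00:11:22:33:44:55": 30}        # MAC bypass for printers etc.
        self.web_users = {"visitor": ("welcome", 40)}       # web portal accounts

    def access_request(self, method, identity, credential):
        if method == "mac":
            vlan = self.mac_devices.get(identity)
            ok = vlan is not None
        else:
            table = {"802.1x": self.dot1x_users, "web": self.web_users}[method]
            entry = table.get(identity)
            ok = entry is not None and entry[0] == credential
            vlan = entry[1] if ok else None
        if not ok:
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "attrs": {
            TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
            TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
            TUNNEL_PRIVATE_GROUP_ID: str(vlan),
        }}


@dataclass
class Device:
    mac: str
    supplicant: Optional[Tuple[str, str]] = None   # (user, password) if it speaks 802.1X
    web_login: Optional[Tuple[str, str]] = None    # what the user types into the web portal


def vlan_from_attrs(attrs):
    """Honour the VLAN only if the tunnel attributes say it really is an 802 VLAN id."""
    if attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802:
        return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None


class TriAuthPort:
    """Policy enforcement point: one port, several devices (multi-auth), three methods."""

    def __init__(self, server, guest_vlan):
        self.server, self.guest_vlan = server, guest_vlan
        self.sessions = {}   # mac -> (method, vlan): each device gets its own VLAN on the port

    def authenticate(self, device):
        attempts = []
        if device.supplicant:
            attempts.append(("802.1x",) + device.supplicant)
        attempts.append(("mac", device.mac, device.mac))
        if device.web_login:
            attempts.append(("web",) + device.web_login)
        for method, identity, credential in attempts:
            reply = self.server.access_request(method, identity, credential)
            vlan = vlan_from_attrs(reply.get("attrs", {})) if reply["code"] == "Access-Accept" else None
            if vlan is not None:
                self.sessions[device.mac] = (method, vlan)
                return method, vlan
        self.sessions[device.mac] = ("guest", self.guest_vlan)   # catch-all Guest VLAN
        return "guest", self.guest_vlan


def demo():
    port = TriAuthPort(PolicyServer(), guest_vlan=99)
    devices = [
        Device("aa:aa:aa:aa:aa:01", supplicant=("alice", "s3cret")),           # corporate laptop
        Device("00:11:22:33:44:55"),                                           # printer, MAC auth only
        Device("bb:bb:bb:bb:bb:02", web_login=("visitor", "welcome")),         # guest via web portal
        Device("cc:cc:cc:cc:cc:03", supplicant=("alice", "wrong-password")),   # failed 802.1X, no fallback
    ]
    return {d.mac: port.authenticate(d) for d in devices}
```

Four devices on the same port end up in four different VLANs (10, 30, 40 and the guest VLAN 99), which is the multi-authentication behaviour the text describes. Note that `vlan_from_attrs` refuses a Tunnel-Private-Group-ID that is not accompanied by the VLAN tunnel type and 802 medium type; a switch that honoured the group id alone could be steered into the wrong VLAN by a misconfigured RADIUS profile.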

Strong Access Shield

By providing Tri-authentication, and integrating with NAC, Allied Telesis switches constitute a secure wall around the edge of your LAN, so that devices that cannot authenticate or do not meet policy are kept off the production network.

Common network attacks

increased mobility and the wide availability of various hacking tools, attacks can still occur from within the LAN itself. Let's consider some of the more common information stealing and denial of service attacks and how the Allied Telesis switch security suite protects your LAN, preserving the safety of both your mission-critical applications and your productivity.

MAC flooding attack

Information stealing can be facilitated using a MAC flooding attack, which provides a source of accessible data. A malicious host sends frames from thousands of different bogus source MAC addresses, which fills the switch's forwarding database. Once the table is full the switch cannot learn the addresses of legitimate hosts, so frames to those hosts are treated as unknown unicast and flooded to every port in the VLAN, where the attacker can capture them.

Allied Telesis switches defeat MAC flooding with port security: a MAC learn limit is configured on the switch's edge ports, as shown in the diagrams below. Configurable options when limits are breached are to drop the un-trusted data, notify the network administrator, or disable the port.

Address Resolution Protocol (ARP) spoofing attacks

Another form of information stealing attack is ARP spoofing. A malicious host sends a bogus ARP reply to a network server (or to the default gateway), claiming that the IP address of a genuine host belongs to the attacker's MAC address. Once the server's ARP cache holds the incorrect entry, the malicious host starts to receive data intended for the genuine recipient; the switch, which forwards on MAC addresses, cannot tell the difference on its own.

Allied Telesis switches use DHCP Snooping with ARP Security to protect your network from ARP spoofing attacks. All ARP replies from un-trusted ports are checked against the DHCP snooping binding table to ensure they contain legitimate network addressing information; a reply whose sender IP and MAC addresses do not match the binding learned on that port is dropped, safeguarding your network and ensuring online information reaches its intended destination.

MAC flooding attack and defence

[Diagram: MAC flooding attack. Hosts A and B and attacker C are on ports of the same switch. 1: C generates traffic with bogus source MAC addresses. 2: The switch's MAC table is full of bogus MAC addresses; with no room to learn any more, all packets are treated as unknown destination MAC and flooded. 3: Traffic destined for B is also visible to C.]

[Diagram: MAC flooding defence. 1: Configure a MAC learn limit on the switch's edge ports. 2: When the MAC limit is reached, packets from any further MACs are dropped. 3: Traffic destined for B is no longer flooded.]


VLAN hopping attacks

VLANs aim to provide a degree of network security via user segmentation. A malicious host wishing to gain access to an unauthorised VLAN sends a tagged packet into the network with the VLAN identifier of the target VLAN; a switch port that accepts tagged frames from a workstation will forward it into that VLAN. A variation on the VLAN attack is to send a double-tagged packet with an outer tag of the originating VLAN and an inner tag of the target VLAN. Where the originating VLAN is the native (untagged) VLAN of the trunk, the first switch strips off the outer tag as it forwards the frame over the trunk, and the next switch passes the packet on to the target VLAN identified by the inner tag that remains. The double-tag attack is one-way, since replies from the target VLAN do not find their way back to the attacker, but one-way delivery is enough to inject traffic. Allied Telesis switches eliminate basic and double-tagged VLAN hopping attacks by using Ingress Filtering to drop all tagged packets on edge ports, since workstations attached to edge ports should not send tagged packets into the network, as shown in the diagrams below.
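The tag handling behind both the nested VLAN (QinQ) feature in section 1 and the double-tag hopping attack above, as an added Python example (not Allied Telesis code): the 802.1Q and 802.1ad tag formats are the real ones, while the MAC addresses, VLAN ids, the trunk's native VLAN and the port behaviour are constructed.

```python
import struct

# Added illustration, not Allied Telesis code. Frames, VLAN ids and MAC addresses
# are constructed; the tag formats are the real IEEE 802.1Q / 802.1ad ones.
TPID_C = 0x8100   # 802.1Q customer tag (C-tag)
TPID_S = 0x88A8   # 802.1ad service tag (S-tag), the outer tag of a nested (QinQ) VLAN
ETHERTYPE_IP = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more (tpid, vid) tags, outermost first."""
    frame = mac(dst) + mac(src)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IP) + payload


def parse_tags(frame):
    """Return the list of (tpid, vid) on the frame, outermost first."""
    tags, off = [], 12
    while True:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (TPID_C, TPID_S):
            return tags
        tags.append((tpid, struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF))
        off += 4


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, tpid, vid):
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def edge_port_ingress(frame, port_vlan, untagged_only):
    """Edge (access) port: returns ('forward', vlan) or ('drop', None)."""
    tags = parse_tags(frame)
    if not tags:
        return "forward", port_vlan
    if untagged_only:
        return "drop", None            # ingress filtering: a workstation must not send tags
    return "forward", tags[0][1]       # permissive port honours the attacker's outer tag


def trunk_egress(frame, vlan, native_vlan):
    """A trunk carries the native VLAN untagged, so an outer tag for that VLAN is removed."""
    tags = parse_tags(frame)
    if vlan == native_vlan and tags and tags[0][1] == native_vlan:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress(frame, native_vlan):
    """The receiving switch classifies the frame by its (now outermost) tag."""
    tags = parse_tags(frame)
    return tags[0][1] if tags else native_vlan


def double_tag_hop(untagged_only):
    """Attacker on VLAN 10 (the trunk's native VLAN) tries to reach a victim in VLAN 20."""
    frame = build_frame("00:00:00:00:00:20", "00:00:00:00:00:66", [(TPID_C, 10), (TPID_C, 20)])
    action, vlan = edge_port_ingress(frame, port_vlan=10, untagged_only=untagged_only)
    if action == "drop":
        return "dropped at edge"
    on_wire = trunk_egress(frame, vlan, native_vlan=10)
    return trunk_ingress(on_wire, native_vlan=10)   # 20: the frame has hopped VLANs


def nested_vlan_roundtrip():
    """Two tenants both use C-tag VLAN 3; the provider isolates them with different S-tags."""
    tenant1 = build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", [(TPID_C, 3)])
    tenant2 = build_frame("00:00:00:00:00:03", "00:00:00:00:00:04", [(TPID_C, 3)])
    in_core1, in_core2 = push_tag(tenant1, TPID_S, 100), push_tag(tenant2, TPID_S, 200)
    isolated = parse_tags(in_core1)[0] != parse_tags(in_core2)[0]   # distinct S-tags in the core
    restored = strip_outer_tag(in_core1) == tenant1                 # C-tag untouched at egress
    return isolated, restored
```

The same strip-the-outer-tag operation is what makes nested VLANs work and what the double-tag attack abuses: the provider edge (or a trunk with a native VLAN) removes one tag and trusts whatever is underneath. The defence in `edge_port_ingress` is to refuse tags from ports where hosts, not switches, are attached; removing the native VLAN from trunks (so every VLAN on the trunk is tagged) closes the same hole from the other side.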

Spanning Tree Protocol (STP) Attack

STP prevents loops in Layer 2 networks, while allowing path redundancy. Switch ports are designated as being either in a forwarding state or a blocking state. If a path becomes unavailable, the network responds by unblocking a previously blocked path to allow traffic to flow. In an STP attack, a malicious user sends STP messages (BPDUs), for example claiming to be the root bridge, which force the network to reconfigure its topology; traffic can then be pulled through the attacker's device, or the network can be kept in a constant state of recalculation.

Allied Telesis switches prevent spanning tree attacks by using BPDU guard on all edge ports, preventing bogus STP messages originating from a workstation, and Root Guard on ports that should never lead towards the root bridge.
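Root Guard and BPDU Guard as decisions on a parsed 802.1D configuration BPDU, as an added Python example (not Allied Telesis code; the BPDU layout is the standard one, while the bridge ids, port numbers and the three-way comparison in `demo` are constructed):

```python
import struct

# Added illustration of Root Guard and BPDU Guard decisions on a parsed 802.1D
# configuration BPDU. Not Allied Telesis code; bridge ids and ports are constructed.
BPDU_FMT = "!HBBB8sI8sHHHHH"   # proto id, version, type, flags, root id, root path cost,
                               # bridge id, port id, message age, max age, hello, forward delay


def bridge_id(priority, mac_text):
    """A bridge id is a 2-byte priority followed by the bridge MAC; numerically lower wins."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_text.replace(":", ""))


def build_config_bpdu(root, bridge, root_path_cost=0, port_id=0x8001):
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root, root_path_cost, bridge, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)   # timers are in 1/256 s units


def parse_config_bpdu(data):
    fields = struct.unpack(BPDU_FMT, data[:struct.calcsize(BPDU_FMT)])
    return {"type": fields[2], "root_id": fields[4], "root_path_cost": fields[5], "bridge_id": fields[6]}


class StpGuards:
    def __init__(self, current_root, edge_ports, root_guard_ports):
        self.current_root = current_root
        self.edge_ports = set(edge_ports)               # BPDU Guard: no BPDU is ever legitimate here
        self.root_guard_ports = set(root_guard_ports)   # Root Guard: the root must never be behind these
        self.disabled, self.root_inconsistent = set(), set()

    def receive(self, port, data):
        if port in self.edge_ports:
            self.disabled.add(port)                     # shut the port; an admin has to re-enable it
            return "bpdu-guard: port disabled"
        bpdu = parse_config_bpdu(data)
        superior = bpdu["root_id"] < self.current_root  # bytes compare like the unsigned bridge id
        if port in self.root_guard_ports and superior:
            self.root_inconsistent.add(port)
            return "root-guard: superior BPDU ignored, port blocked"
        if superior:
            self.current_root = bpdu["root_id"]         # unguarded port: the rogue becomes root
            return "accepted: new root elected"
        return "accepted"


def demo():
    legit_root = bridge_id(4096, "00:00:00:00:00:01")
    rogue = bridge_id(0, "00:00:00:00:06:66")           # priority 0 beats every legitimate bridge
    attack = build_config_bpdu(root=rogue, bridge=rogue)
    guards = StpGuards(current_root=legit_root, edge_ports={5}, root_guard_ports={24})
    return {
        "edge_port": guards.receive(5, attack),
        "root_guard_port": guards.receive(24, attack),
        "unguarded_port": guards.receive(7, attack),
        "root_still_legit": guards.current_root == legit_root,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The third call in `demo` is the point of the section: on a port with neither guard, a single BPDU with priority 0 re-elects the root and the attacker's device starts carrying traffic that previously never left the core.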

Double-tag VLAN hopping attack and defence

[Diagram: Double-tag VLAN hopping attack. 1: The attacker sends double-tagged (802.1q, 802.1q) packets with an outer tag of the local VLAN and an inner tag of the target VLAN. 2: The switch strips off the first tag and sends the frame out over the trunk. 3: The frame arrives in the target VLAN and reaches the victim.]

[Diagram: Double-tag VLAN defence. 1: Configure the switch's edge ports with ingress filtering to accept ONLY untagged packets. 2: The tagged packets are dropped at the edge port and never reach the trunk or the target VLAN.]

DHCP attacks

1) DHCP Starvation Attack

A malicious user inundates the DHCP server with countless requests from different bogus MAC addresses, so that the server's address pool is exhausted. Genuine users are unable to obtain a network address and therefore network access.

Allied Telesis switches use port security MAC learn limits to stop malicious users sending requests from multiple MAC addresses to the DHCP server, as shown in the diagrams below. Options are available for corrective action including notifying the network administrator and/or disabling the switch port of the offender.
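The forwarding database behaviour that both the MAC flooding attack and the DHCP starvation attack depend on, and the port security MAC learn limit that stops both, as an added Python model (not Allied Telesis code). The table size, port numbers and MAC addresses are constructed; the limit is applied to every port in this model, whereas on a real switch it is configured on the edge ports only.

```python
from collections import defaultdict

# Added illustration of a switch forwarding database with and without a port
# security MAC learn limit. Not Allied Telesis code; the tiny table size, ports
# and MAC addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, fdb_capacity, learn_limit=None, violation="drop"):
        self.ports = list(ports)
        self.capacity = fdb_capacity        # total forwarding database size
        self.learn_limit = learn_limit      # port security: MACs allowed per port (None = unlimited)
        self.violation = violation          # "drop" the frame or "shutdown" the port
        self.fdb = {}                       # mac -> port
        self.learned_on = defaultdict(set)  # port -> MACs learned on it
        self.disabled = set()
        self.violations = defaultdict(int)

    def _learn(self, src, in_port):
        """Return False if port security says the frame must be dropped."""
        if src in self.fdb:
            return True
        if self.learn_limit is not None and len(self.learned_on[in_port]) >= self.learn_limit:
            self.violations[in_port] += 1
            if self.violation == "shutdown":
                self.disabled.add(in_port)
            return False
        if len(self.fdb) < self.capacity:   # a full table just stops learning; forwarding goes on
            self.fdb[src] = in_port
            self.learned_on[in_port].add(src)
        return True

    def receive(self, in_port, src, dst):
        """Return the ports the frame is sent out of ([] if dropped)."""
        if in_port in self.disabled or not self._learn(src, in_port):
            return []
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port and p not in self.disabled]   # flood


A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"


def mac_flooding_demo(learn_limit):
    """Attacker C on port 3 fills the table; returns True if C then receives A's unicast to B."""
    sw = Switch(ports=[1, 2, 3], fdb_capacity=8, learn_limit=learn_limit)
    for i in range(50):
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)   # 50 bogus source MACs
    sw.receive(2, B, A)              # B talks to A: B should now be learned on port 2
    return 3 in sw.receive(1, A, B)  # does A's traffic to B get flooded to the attacker?


def dhcp_starvation_demo(learn_limit, violation="drop"):
    """Attacker on port 3 sends DHCP DISCOVERs from 50 MACs; the DHCP server is on port 4.
    Returns (distinct MACs that reached the server, whether port 3 was shut down)."""
    sw = Switch(ports=[1, 2, 3, 4], fdb_capacity=1024, learn_limit=learn_limit, violation=violation)
    reached = set()
    for i in range(50):
        src = f"02:00:00:00:01:{i:02x}"
        if 4 in sw.receive(3, src, BROADCAST):   # DISCOVER is a broadcast
            reached.add(src)
    return len(reached), 3 in sw.disabled


if __name__ == "__main__":
    print("flooding works without limit:", mac_flooding_demo(None))
    print("flooding works with limit 2:", mac_flooding_demo(2))
    print("starvation, no limit:", dhcp_starvation_demo(None))
    print("starvation, limit 2, shutdown:", dhcp_starvation_demo(2, violation="shutdown"))
```

Two things the model makes visible: a full table does not stop forwarding, it only stops learning, which is exactly why flooding silently turns a switch into a hub; and the learn limit has to be small enough that 50 bogus addresses cannot fit, but large enough for the legitimate hosts (and any IP phone daisy-chained in front of them) on that port.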

2) DHCP Rogue Server Attack

A malicious user disguises himself as a DHCP server and responds to client requests, handing out addressing of his own choosing. DHCP snooping classifies switch ports as 'trusted' or 'untrusted' and only forwards DHCP server response packets received on trusted ports. If a rogue server is attached to an 'untrusted' port, its response packets will be dropped, rendering it useless.
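The DHCP snooping binding table and the three checks that rely on it (trusted ports against rogue servers, IP Source Guard, and the ARP security described under "ARP spoofing attacks" above), as an added Python model (not Allied Telesis code; the port numbers, MAC and IP addresses and the simplified DHCP messages are constructed):

```python
from dataclasses import dataclass

# Added illustration of the DHCP snooping binding table and the checks that
# hang off it (trusted ports, IP Source Guard, ARP inspection). Not Allied
# Telesis code; ports, addresses and messages are constructed.


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: int


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports where a DHCP server may legitimately answer
        self.pending = {}                    # client MAC -> port its DISCOVER/REQUEST arrived on
        self.bindings = {}                   # client IP -> Binding

    def dhcp(self, in_port, msg):
        """msg: {'op': 'request'|'reply', 'chaddr': client MAC, 'yiaddr': offered IP (reply only)}."""
        if msg["op"] == "request":
            self.pending[msg["chaddr"]] = in_port
            return "forward"
        if in_port not in self.trusted:
            return "drop"                    # rogue DHCP server on an untrusted port
        client_port = self.pending.get(msg["chaddr"])
        if client_port is not None:
            self.bindings[msg["yiaddr"]] = Binding(msg["chaddr"], msg["yiaddr"], client_port)
        return "forward"

    def _bound(self, in_port, mac, ip):
        b = self.bindings.get(ip)
        return b is not None and b.mac == mac and b.port == in_port

    def ip_source_guard(self, in_port, src_mac, src_ip):
        """Only traffic matching a binding learned on this port is forwarded from an untrusted port."""
        if in_port in self.trusted or self._bound(in_port, src_mac, src_ip):
            return "forward"
        return "drop"

    def arp_inspection(self, in_port, sender_mac, sender_ip):
        """ARP security: an ARP reply from an untrusted port must carry the bound MAC/IP for that port."""
        if in_port in self.trusted or self._bound(in_port, sender_mac, sender_ip):
            return "forward"
        return "drop"


def demo():
    client, attacker = "00:00:00:00:00:0a", "00:00:00:00:00:66"
    sn = DhcpSnooping(trusted_ports={24})       # port 24 leads to the real DHCP server

    sn.dhcp(1, {"op": "request", "chaddr": client})
    # The attacker on port 2 answers first (rogue server): dropped, and no binding is created.
    rogue = sn.dhcp(2, {"op": "reply", "chaddr": client, "yiaddr": "10.0.0.10"})
    # The real server's reply arrives on the trusted port and creates the binding for port 1.
    sn.dhcp(24, {"op": "reply", "chaddr": client, "yiaddr": "10.0.0.10"})

    return {
        "rogue_server_reply": rogue,
        "binding": sn.bindings["10.0.0.10"],
        "client_traffic": sn.ip_source_guard(1, client, "10.0.0.10"),
        "spoofed_source_ip": sn.ip_source_guard(2, attacker, "10.0.0.10"),
        "client_arp": sn.arp_inspection(1, client, "10.0.0.10"),
        "arp_spoof": sn.arp_inspection(2, attacker, "10.0.0.10"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The binding records the port as well as the MAC/IP pair, so an attacker who learns a victim's real addresses still cannot use them from a different port. The practical caveat is hosts with static addresses: they never appear in the snooping table, so they need a static binding entry or they will be dropped by IP Source Guard and ARP inspection exactly as an attacker would be.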

Denial of Service (DoS) attacks

Keeping productivity high requires reliable network access, and there are a number of DoS attacks that can threaten to thwart information availability. Some of these target devices, causing them to reduce performance, while others attempt to send a storm of data at a specific victim, or consume online resources.

Allied Telesis switches mitigate these attacks using DoS defence, which for the majority of these attacks is implemented in the switch's hardware, so does not affect network performance.

DHCP starvation attack and defence

[Diagram: DHCP starvation attack. 1: The attacker sends many different DHCP requests with many source MACs. 2: The switch forwards all of them to the DHCP server. 3: The server runs out of IP addresses to allocate to valid users.]

[Diagram: DHCP starvation defence. 1: Configure a MAC learn limit on the switch's edge ports. 2: When the learn limit is reached, packets from any further MACs are dropped and never reach the DHCP server.]


USA Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11

Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830

www.alliedtelesis.com

© 2010 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C618-31022-00 RevA

About Allied Telesis Inc.

Allied Telesis is a world class leader in delivering IP/Ethernet network solutions to the global market place. We create innovative, standards-based IP networks that seamlessly connect you with voice, video and data services.

Enterprise customers can build complete end-to-end networking solutions through a single vendor, with core to edge technologies ranging from powerful 10 Gigabit Layer 3 switches right through to media converters.

Allied Telesis also offer a wide range of access, aggregation and backbone solutions for Service Providers. Our products range from industry leading media gateways which allow voice, video and data services to be delivered to the home and business, right through to high-end chassis-based platforms providing significant network infrastructure.

Allied Telesis' flexible service and support programs are tailored to meet a wide range of needs, and are designed to protect your Allied Telesis investment well into the future.

Visit us online at www.alliedtelesis.com.

Summary

Allied Telesis switches deliver a reliable and secure network infrastructure. The fully featured security suite safeguards the network, as well as mitigating threats that would compromise users' access to business critical resources and applications.

Network administrators can rest assured that the network is resilient and reliable, and business owners can expect reduced expense along with increased productivity.

Allied Telesis network security – ensuring information availability.
