
AT-8500 L2+ Switches and Network Security

AT-8500 L2+ Switches and Network Security. Managed Fast Ethernet Switches with Denial of Service (DoS) Attack Protection.
Agenda: The Security Issue; AT-8500 Overview; Market Applications; Security in further detail; DOS attack Prevention; Security Tools; QOS


Presentation Transcript


  1. AT-8500 L2+ Switches and Network Security Managed Fast Ethernet Switches with Denial of Service (DoS) Attack Protection

  2. Agenda • The Security Issue • AT-8500 Overview • Market Applications • Security in further detail • DOS attack Prevention • Security Tools • QOS • 802.1s (MSTP) • Q & A

  3. Network Security: What are the Issues? • Viruses and network attacks growing at an alarming rate: • Volume of viruses increasing at 40% pa • New methods of spreading viruses • Companies experience approx. 38 attacks per week on average • Growing number of peer to peer, instant messaging programs and remote workstations open up new ways of spreading malicious code • Staff misuse accounts for 7% of total (DTI) • DoS attacks (accidental and deliberate) • A 25% increase over the past 12 months (Silicon.com) • The MS Blast worm was blamed for 33% of all infections in small firms and 50% in larger companies

  4. AT-8500 Overview • AT-8500 • Layer 2 Managed Switch (Aggregation/Edge/Wiring Closet) • 1 RU form factor, 19” rack mountable • 10/100 modular with 2 modular bays • Medium to high port densities: 16, 24, & 48 port configurations • 16 port AT-8516F SC/LC version for higher distance deployments or added security • Content Aware Switch provides more intelligence at the edge for important applications (QOS and DOS prevention, ACLs) • Fully Managed Switch: SNMP, Secure Web (SSL) and Secure Telnet (SSH)

  5. AT-8500 L2+ switches – One further layer of protection • Intelligent chip-set recognises DOS attack and restricts traffic to neutralise threat • Complements WAN firewall and PC anti-virus measures • Pre-programmed to detect six well known DOS attacks • Only authorised individuals can access the network • Data is encrypted for maximum security • Provides the ability to deploy ‘Tiered Security’ to unsecured areas • Additional security features • SSL and SSH • 802.1x • L2-L4 Access Control List • Radius and TACACS+

  6. Educational Concerns • Security – Just by their nature Educational Networks are very susceptible to machine compromises and intrusion • DOS attack prevention • Implementing Effective Security Policies • Multicast – Distance Learning Applications and Machine Imaging • IGMP Snooping v1 and v2 • Ease of management for mobile students • Dynamic VLANs • Enhanced Stacking for large switch deployments • (Diagram: 8500 Educational Application – Classroom, Wiring Closet, Computer Lab, Library & Multimedia, MDF, Administration)

  7. Enterprise Concerns • Security – Must protect integrity of network and data, and ensure network uptime for productivity • DOS attack prevention • Implementing Effective Security Policies • Redundancy – Network uptime critical • STP, RSTP, MSTP • QOS – VoIP, and other time sensitive services • 802.1p and QOS • VLAN network segmentation • 802.1q, bridge network segments across switch boundaries securely • Multicast – Video Conferencing and shared white board applications • IGMP Snooping v1 and v2 • Management in the Wiring Closet • Enhanced Stacking • (Diagram: 8500 Enterprise Application – desktops, Wiring Closet, VoIP and Data (QOS), Video and Multicast, MDF)

  8. Financial Institution Concerns • Security – preserve integrity of network to ensure maximum availability • DOS attack prevention • Implementing Effective Security Policies • STP, RSTP, MSTP • “Fiber to the Desktop” – AT-8516F SC/LC • VLAN 802.1q • (Diagram: 8500 Financial Institution Application – Desktops, Wiring Closet, Account Data File Servers, MDF)

  9. 8500 Security – DOS attack prevention • Importance of a modern day secure network • 2003 was a record year for Worms, Hacker Attacks, and Viruses • Experts already estimate that 2004 will surpass 2003 (already Mydoom made big headlines this year) • Worms are predicated on the idea of self propagating code specifically built with various intentions, mostly to cause harm and detriment to computers & networks. A popular use of worms is the propagation of DOS and DDOS Attacks • DOS attacks cost millions of dollars each year in terms of lost revenues, damaged reputation, and productivity • Every network is prone to being affected by DOS attacks, some more than others by their inherent structure and users • There are many forms of securing networks, and mitigating the impact of DOS attacks and the spread of worms • Effective security means of preventing worms and stopping DOS attacks come through the creation of good Security Policies, and these policies start at the edge of the network

  10. Dos Attacks • DOS Attacks come in various forms and modes of operation • Overwhelming consumption of finite system resources so that legitimate users cannot use them • Capitalizing on a system bug or flaw that will interrupt service or bring the system down • Detect and Perform action • Implement algorithms to detect violations, once detected logging the event, rate limit, or drop traffic • AT-8500 protects networks against the 6 most popular DOS style attacks

  11. 6 Most Common DOS Attacks • SYN-Flood • target machine: will suffer performance and may not be able to service real connections, resulting in perceived downtime. • Sending machine: network will forward thousands of packets per second, impacting network performance. • LAND • Target machine will crash or hang • IP Options • This attack will cause the target machine to crash • Teardrop • Target machine crashes • SMURF • Receiver: Attack will degrade network performance. Sender: may create bottlenecks in small bandwidth pipes like T1s on senders network. • Ping of Death • Will cause device under attack to crash when attempting to reassemble oversized payload

  12. Sample DOS Attack (diagram: SYN-Flood / SMURF / UDP FLOOD) • An infected host in 192.168.0.0/24 sends ping 255.255.255.255 with spoofed SRC IP 63.25.21.5 • Echo replies will congest uplinks due to amplification • A source IP filter will prevent the spoofed ping packet

  13. How to implement a Security Policy • Security Policy • Determine a level of security that is acceptable to protect the network while still providing a level of acceptable service to users • Documentation and communication of written policies and procedures to direct and inform users of acceptable usage and security practices • Technology that enforces that level of security • Tools that help administrators implement effective security policies for management and access: • SSH & SSL • Secure remote management of the switch • Encrypts management session so that important information cannot be snooped • Radius & TACACS+ Authentication • Provides user level Authentication and Accounting function • 802.1x • Limit access to who can and cannot enter the network • Port Security • Restrictions on MAC addresses learned per port • L2-4 ACLs • Enables Network Administrators to implement access lists to limit access to switch, usage, or any definable L2-4 criteria • Logging • Logs events and traps to systems or remotely via syslog • Management Access Control • Controls and limits management access to the switch via IP addresses

  14. End-to-End QOS Domain • QOS enables you to prioritize traffic, reducing latency and jitter • Two important functions exist in a QOS system: Classify Traffic, Perform Action • AT-8500 QOS classifies traffic according to: Flows (SA/DA and port numbers), Addresses (SRC/DEST IP Address, subnets), Protocols (TCP, UDP, HTTP, FTP, etc), VLANs • Ingress performs the following actions: Tag Packet, Drop Traffic, Rate Limit • Egress: AT-8500 supports 4 Priority Queues and 2 Scheduling mechanisms to queue traffic, WRR and Strict

  15. AT-8500 QOS • AT-8500 QOS capabilities • Mark 802.1p priorities • Based on broadly classified traffic filters, 802.1p priorities can be set for all 8 levels (but only 4 queues) • Finer classification and definition of prioritized traffic • Mark IP TOS field • Important to provide End-to-End QOS over a layer 3 network • Can perform actions based on either field and translate from 802.1p to IP TOS and vice versa • Strict and WRR policies allow more flexibility in scheduling • Strict scheduling could be used for critical traffic such as network control traffic, and to de-prioritize ICMP and other non-critical network traffic • WRR allows the network administrator to weight each of the 4 queues
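To make the difference between the two egress schedulers on slides 14 and 15 concrete, here is a small simulation of four priority queues under strict priority and under weighted round robin. This is an added example, not Allied Telesis code or the AT-8500's own scheduler; the queue contents, the weights [1, 2, 3, 4] and the one-packet-per-slot model are constructed assumptions.

```python
from collections import deque

def make_queues(counts):
    """Build 4 egress queues (q0 lowest .. q3 highest) of labelled packets.
    Constructed input: counts[i] packets waiting on queue i."""
    return [deque(f"q{i}-{n}" for n in range(c)) for i, c in enumerate(counts)]

def strict(queues, slots):
    """Strict priority: every transmit slot serves the highest non-empty
    queue, so lower queues (e.g. ICMP, per slide 15) only get bandwidth
    while the higher queues are idle."""
    order = []
    for _ in range(slots):
        for q in range(len(queues) - 1, -1, -1):
            if queues[q]:
                order.append(queues[q].popleft())
                break
    return order

def wrr(queues, weights, slots):
    """Weighted round robin: queue q may send up to weights[q] packets per
    visit, then the scheduler moves to the next queue, so none is starved."""
    order, q = [], len(queues) - 1
    credit = weights[q]
    while len(order) < slots and any(queues):
        if queues[q] and credit:
            order.append(queues[q].popleft())
            credit -= 1
        else:
            q = (q - 1) % len(queues)      # rotate to the next lower queue
            credit = weights[q]
    return order

def share(order):
    """Fraction of transmitted packets that came from each of the 4 queues."""
    counts = [0] * 4
    for pkt in order:
        counts[int(pkt[1])] += 1
    return [c / len(order) for c in counts]
```

With all four queues backlogged, strict gives 100% of the slots to q3 while WRR with weights [1, 2, 3, 4] yields a 10/20/30/40% split.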

  16. MSTP • Multiple Spanning Tree Protocol • Effective feature for large switch environments utilizing complex or numerous VLAN configurations • Much easier to manage such an environment using MSTP than STP or RSTP • Utilize 802.1q tagged ports efficiently throughout your network backbone • Supports multiple instances of Spanning Tree in a bridged domain • Features rapid convergence like RSTP • Provides flexibility to deploy VLANs where needed, and at the same time provide L2 redundancy via backup links • Configure 802.1p ports with pertinent VLANs, not all VLANs • Isolate VLANs to certain areas of the network and not over all switches

  17. MSTP Example Configuration (diagram) • STP / RSTP side: VLAN 1, 2, 3 share a single tree • MSTP side: VLAN 1 → MSTI 1, VLAN 2 → MSTI 2, VLAN 3 → MSTI 3 • Legend: Forwarding / Blocked

  18. Old Spanning Tree • 802.1D – STP: Allow all or block all VLANs coming from a port; Slow Convergence • 802.1w – RSTP: Allow all or block all VLANs coming from a port • Non standard-based PVST: Consumes too much CPU time and network bandwidth (with control traffic) • IEEE 802.1s (Multiple Spanning Tree) advantages: Eliminates all limitations mentioned above

  19. Summary • Main Points • Security, Security, Security • Help make your clients understand the importance of security policies, and how the AT-8500 can help enforce effective security policies at the edge. • Check appendix for links on informative sites • AT-8500 Layer 2+ with Layer 2-4 awareness • Allow more effective security policies at the edge • End-to-End QOS • DOS Attack prevention • Protect against 6 common DOS style attacks • useful features to implement effective security policies • MSTP • More flexibility for large enterprises or layer 2 networks

  20. 8500 Competitive overview • HP ProCurve 2626, 2626PWR and 2650 • Cisco Catalyst 2950 24/48 ports • 3Com SuperStack 4400 24/48 ports and PWR • D-Link DES3526, 3550

  21. Selling Against HP ProCurve 2600 • Models • 2626: 24p 10/100 + 2 SFP or 2 GIG • 2626-PWR: 24p 10/100 POE + 2 SFP or 2 GIG • 2650: 48p 10/100 + 2 SFP or 2 GIG

  22. Selling Against Cisco Catalyst 2950 • Models: • 2950-24-SI: 24p 10/100 • 2950SX-24-SI: 24p 10/100 + 2 fixed 1000BaseSX • 2950SX-48-SI: 48p 10/100 + 2 fixed 1000BaseSX

  23. Selling Against 3Com • Models: • 4400SE-24: entry level L2 only, 24p 10/100 with 2 modules • 4400-24: L2/L4 24p 10/100 with 2 modules • 4400FX-24: L2/L4 24p 100FX with 2 modules • 4400-PWR: L2/L4 24p POE 10/100 with 2 modules • 4400-48: L2/L4 48p 10/100 with 2 modules

  24. Selling Against D-LINK • Models: • 3526: 24p 10/100 with 2 combo GIG copper/SFP • 3526DC: 24p 10/100 DC with 2 combo GIG copper/SFP • 3550: 50p 10/100 with 2 combo GIG copper/SFP

  25. Summary

  26. Q & A

  27. Appendix A1 - ACL Parameters • <protocol> layer 3 protocol in frame header or layer 4 protocol in ip header • <ip> <wildcard> specifies a network address any can replace any <IP> <wildcard> • <precedence> precedence field in IP header • <tos> Type of service field in IP header • <icmp-type> for an icmp message • <icmp-code> for an icmp code • <icmp-message> for combined icmp message code • <igmp-type> for an igmp message • eq <port> destination port number in TCP/UDP header • eq <protocol> ACL applicable to an application protocol allowed • no-<protocol> no application protocol allowed • <time-range-id> ACL is only effective in specified time range

  28. Appendix B1- Dos Attacks • SYN-Flood Attack • Definition: • A DOS Attack which attempts to overwhelm a system’s resources by tying up memory, by initiating half-open connections therefore denying connections to legitimate traffic. • Impact: • Two ways, target machine will suffer performance and may not be able to service real connections, resulting in perceived downtime. Sending machine will forward thousands of packets per second, impacting machine performance and possible network performance. • Solutions: • These attacks use spoofed addresses, restricting the use of spoofed addresses originating from switch ports. Setting a threshold for the number of SYN packets received in a specified amount of time. Violation will cause trap and port connections to be throttled.

  29. Appendix B2- Dos Attacks • SMURF Attack • Description: • Sending spoofed packets to an IP broadcast address with an attempt to overwhelm the device whose address is being spoofed • Impact • Receiver: Attack will degrade network performance. Sender: may create bottlenecks in small bandwidth pipes like T1s on the sender's network. • Solution: • Disable ICMP directed broadcasts on the network. • Senders' networks should not allow packets with a spoofed address in the SA to leave the network.

  30. Appendix B3- Dos Attacks • Ping of Death • Description • Attempts to destabilize a network device by sending an ICMP Echo request with an oversized payload that is fragmented across packets • Impact • Will cause device under attack to crash when attempting to reassemble oversized payload • Solution • Sampling technique to sample streams of fragmented packets and make sure they do not violate IP payload sizes.

  31. Appendix B4- Dos Attacks • Teardrop • Description • Attack capitalizes on vulnerable TCP/IP stack implementations that cannot handle overlapping IP fragments • Impact • Target machine crashes • Solution • Sampling algorithm that will check IP fragmented packets for overlapping

  32. Appendix B5- Dos Attacks • LAND Attack • Description • Targets implementations of TCP/IP that are vulnerable to packets using same IP SA/DA addresses • Impact • Target machine will crash or hang. • Solution • Filter all outgoing packets that have a source address from a different network, and incoming packets that have a local source address

  33. Appendix B6- Dos Attacks • IP Options Attack • Description • This attack attempts to overwhelm CPU with exceptions, by sending packets with bad IP options. • Impact • This attack will cause the target machine to crash • Solution • Set threshold for number of packets with IP options, and after the rate of such packets crosses a certain threshold alert administrator.
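The detection rules described in Appendix B1 to B6 (plus the source IP filter from slide 12 and the B5 solution), written out as packet-level checks over constructed packet records. This is an added example, not Allied Telesis code or the AT-8500's own detection algorithm; the record field names (src, dst, proto, t, syn, ack, icmp_type, ip_options, ip_id, frag_off in bytes, ip_len, more_frags, ingress_port), the 192.168.0.0/24 local prefix and the SYN threshold are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed assumptions: protected subnet taken from slide 12, a per-source
# SYN-rate threshold, and the maximum IPv4 datagram length.
LOCAL_PREFIX = "192.168.0."
SYN_LIMIT, SYN_WINDOW = 3, 1.0      # more than 3 SYNs per second from one source
MAX_IP_LEN = 65535

class DosDetector:
    """Stateful checker for the six signatures over packet-record dicts.
    Hypothetical field names: src, dst, proto, t (seconds) and optionally
    syn, ack, icmp_type, ip_options, ip_id, frag_off (bytes), ip_len,
    more_frags, ingress_port ("edge" or "uplink")."""

    def __init__(self):
        self.syn_times = defaultdict(deque)   # src -> recent SYN timestamps
        self.frags = defaultdict(list)        # (src, dst, id) -> (start, end)

    def check(self, p):
        """Return the signature names this packet triggers (empty if clean)."""
        hits = []
        if p["src"] == p["dst"]:                       # LAND (B5)
            hits.append("LAND")
        if p.get("ip_options"):                        # IP options (B6 threshold)
            hits.append("IP-OPTIONS")
        local, port = p["src"].startswith(LOCAL_PREFIX), p.get("ingress_port")
        if (port == "uplink" and local) or (port == "edge" and not local):
            hits.append("SPOOFED-SA")                  # B5 solution / slide 12
        if p["proto"] == "icmp" and p.get("icmp_type") == 8 and (
                p["dst"] == "255.255.255.255" or p["dst"].endswith(".255")):
            hits.append("SMURF")                       # echo to broadcast (B2)
        off = p.get("frag_off", 0)
        end = off + p.get("ip_len", 0)
        if off or p.get("more_frags"):
            if end > MAX_IP_LEN:                       # Ping of Death (B3)
                hits.append("PING-OF-DEATH")
            key = (p["src"], p["dst"], p.get("ip_id"))
            if any(off < e and s < end for s, e in self.frags[key]):
                hits.append("TEARDROP")                # overlapping fragment (B4)
            self.frags[key].append((off, end))
        if p["proto"] == "tcp" and p.get("syn") and not p.get("ack"):
            q = self.syn_times[p["src"]]
            q.append(p["t"])
            while q and p["t"] - q[0] > SYN_WINDOW:    # sliding one-second window
                q.popleft()
            if len(q) > SYN_LIMIT:                     # SYN flood (B1)
                hits.append("SYN-FLOOD")
        return hits
```

Each hit corresponds to the "detect and perform action" step of slide 10: a real deployment would log the event, rate limit or drop as the policy dictates.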
