White Paper D-Link’s End-to-End Security Solutions

D-Link HQ, December 2009.


Presentation Transcript


  1. White Paper: D-Link’s End-to-End Security Solutions. D-Link HQ, December 2009

  2. Agenda • Challenges of Today’s Networks • D-Link’s End-to-End Security Solutions • Gateway Security • Endpoint Security • Joint Security • Application Examples

  3. Challenges of Today’s Networks • Gateway Security: Firewall, IPS, AV Gateway • PC Security: Personal Firewall, AV Software • How about security management for the infrastructure in between, i.e. the core switch, the DMZ switch and the access switches?

  4. Challenges of Today’s Networks • Threats that arise inside the perimeter: loop connections, IP conflicts, worms, ARP spoofing, unauthorized access, worm infection within the intranet • Consequences for the firewall, core switch, DMZ switch and access switches: unstable service, security breaches, performance degradation, low manageability; business cost goes up

  5. Solution Evolution • The convergence • The Ethernet switch is no longer a device that provides connectivity only • Multicast, QoS, routing, enhanced security etc. • Pushing the intelligence to the edge switches • D-Link’s innovative security approaches • Gateway Security • Endpoint Security • Joint Security

  6. Solution Evolution Enterprise Network • Joint Security • Gateway Security • Endpoint Security

  7. D-Link’s End-to-End Security Solutions • Endpoint Security • Authentication: 802.1X, MAC-based Access Control, Web-based Access Control / Captive Portal, Compound Authentication • Authorization: Dynamic VLAN Assignment, Guest VLAN, Identity-driven VLAN/Security/QoS • Traffic Control: Traffic Segmentation, Bandwidth Control, Time-based ACL • Node/Address Control: Port Security, IP-MAC-Port Binding • Attack Mitigation: L2~L7 ACL, IP-MAC-Port Binding, ARP Spoofing Prevention, Broadcast Storm Control, BPDU Attack Protection • Gateway Security: NetDefend IPS/UTM Firewall • Joint Security: D-Link ZoneDefense, Microsoft NAP Support

  8. Gateway Security Solution • NetDefend IPS/UTM Firewall Family • ICSA Labs Certified “Firewall Corporate” Security Product • Integrated Firewall/VPN Appliance • Multiple User-Configurable Ethernet/Gigabit Interfaces • Sufficient Security Features and Outstanding Performance • Unified Threat Management: • Intrusion Prevention Service (IPS) • Anti-Virus (AV) Protection • Web Content Filtering (WCF) • Bandwidth Management • Fault Tolerance • ZoneDefense • Unrestricted User Support

  9. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Traffic Control • Attack Mitigation

  10. Problem: Unauthorized Access • Traditionally, security enforcement takes place at the perimeter • Intranet users can connect to the network without being permitted • Lack of proper control on the RJ45 socket outlet • Lack of proper control for wireless users • A client can easily go anywhere without authorization • Result: everyone (employee, guest, malicious user) can reach the internal servers (ERP system, financial server, R&D server) without authorization, leading to information leakage and hacking incidents

  11. Solution for Unauthorized Access • D-Link’s Solution 1: • 802.1X Authentication • Web-based Access Control (WAC) / Captive Portal • When to use? • To perform user authentication and tie network access to the user’s identity • The clients must be authenticated based on user login information, regardless of the user’s location or device • Benefit: • Mobility: users get their designated privileges no matter where they are or which device they use • Clientless: easy to deploy, easy to use (WAC) • Better security management: pushing the security control to the edge, all clients must be authenticated before entering the network

  12. Solution for Unauthorized Access • D-Link’s Solution 2: • MAC-based Access Control (MAC) • When to use? • For VoIP phones, printers, routers, IP cameras and access points, which have no web browser or cannot run an 802.1X supplicant • Stricter control over end-user devices; especially suitable for campus networks, the public sector, or enterprises that need device control • All clients are authenticated automatically and granted a specific role on the network • Benefit: • Clientless: easy to deploy, totally transparent to clients • Device management: only legitimate devices are allowed to connect to the network. Note that a MAC address is easily cloned, so MAC-based control identifies a device only as strongly as its MAC can be trusted

  13. Solution for Unauthorized Access • D-Link’s Solution 3: Compound Authentication • Any authentication method (802.1X/MAC/JWAC/WAC) can be enabled on a physical port, or • IMPB (IP-MAC-Port Binding) can be added to any of 802.1X/MAC/JWAC/WAC for stricter access control • When to use? • When multiple clients are connected to a port and each uses a different authentication method • When the admin wants to enforce stricter authentication on a port • Benefit: • Flexible: allows clients connected under the same port to use different authentication methods • Secure and granular access control: add IMPB to any authentication method for attack prevention • Combinations shown: Web-based Access Control, MAC-based Access Control, IMPB + WAC, IMPB + 802.1X

  14. Requirement: Authentication Bypass • General users need to be authenticated; specific users such as the CEO can bypass the interactive authentication • D-Link Solution: Any Mode of Compound Authentication • General users are authenticated by WAC • Specific users are authenticated by MAC, which is transparent to them • 1. Configure the switch to authenticate clients by MAC or WAC; passing either one results in successful authentication • 2. The Sales PC’s MAC is not in the MAC-based Access Control DB, so the WAC authentication page pops up • 3. The CEO’s MAC is in the MAC-based Access Control DB, so MAC authentication succeeds and is transparent to the CEO • Caveat: anyone who learns the CEO’s MAC address can clone it and bypass WAC the same way, so whitelisted MACs should be tied to known ports (e.g. with IMPB) where possible

  15. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Traffic Control • Attack Mitigation

  16. Requirement: Authorization by user’s identity • The network is under granular control by segregating the traffic • RD department is granted access to the R&D server and the Internet only • Accounting department is granted access to the Financial server and the ERP system only • Sales department is granted access to the ERP system and the Internet only • Guest users can only connect to the Internet

  17. Solution for Authorization by user’s identity • D-Link’s Solution: • Dynamic VLAN Assignment • Guest VLAN (restricted network) • Identity (client)-driven assignment of: • Bandwidth control for the port • 802.1p priority (default value for the port) • ACL that delivers user identity control as a set of services * • The identity-driven security policies provide appropriate access rights for different users • Client attributes (VLAN, bandwidth parameter, 802.1p priority parameter, ACL) are designated by the RADIUS server after successful authentication • * Under development

  18. Solution for Authorization by user’s identity • D-Link’s Implementation: • Benefit: • Granular access control • Users get their designated privileges with restricted access rights • Guests have limited network access on the Guest VLAN • Users without permission will not impact normal enterprise traffic • Bandwidth & QoS control * • Bandwidth allocation and prioritization can be set based on user identity • * Under development
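The attribute triple that carries the VLAN from the RADIUS server to the switch after a successful 802.1X/MAC/WAC authentication, as an added example that is not D-Link code and not the xStack implementation: RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID encoded the way RFC 3580 prescribes for VLAN assignment, with a switch-side parser that applies the tag-byte rule and insists on all three attributes. The VLAN numbers and the fallback behaviour (port stays in its static or Guest VLAN when the attributes are inconsistent) are assumptions for illustration.

```python
"""RFC 2868 tunnel attributes as used for dynamic VLAN assignment (RFC 3580).

Added example, not D-Link code: what a RADIUS Access-Accept must carry for a
switch to move an authenticated port into a VLAN, and how the switch side
parses it, including the RFC 2868 tag byte that breaks naive decoders.
"""
import struct

TUNNEL_TYPE = 64                 # RADIUS attribute numbers (IANA)
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580: IEEE-802


def _avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(vlan_id, tag=0):
    """Build the three attributes the Access-Accept carries for VLAN assignment.

    `tag` (0..31) groups the three attributes (RFC 2868 section 3); 0 means no
    grouping. Tunnel-Type and Tunnel-Medium-Type are 1 tag byte + 3 value
    bytes. Tunnel-Private-Group-ID gets a leading tag byte only when tag > 0;
    RFC 2868 says a first byte above 0x1F is part of the string, which is what
    keeps a VLAN ID such as "10" (0x31 0x30) from being read as tag 0x31.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:
        group = bytes([tag]) + group
    return (_avp(TUNNEL_TYPE, tunnel_type)
            + _avp(TUNNEL_MEDIUM_TYPE, medium)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def vlan_from_access_accept(data):
    """Switch-side decode: the VLAN ID to apply, or None if the attributes are
    missing or inconsistent (assumed fallback: port keeps its static or Guest
    VLAN). RFC 3580 requires all three attributes, with matching tags."""
    per_tag = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            per_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:          # tagged string
                tag, group = value[0], value[1:]
            else:                                   # untagged string
                tag, group = 0, value
            per_tag.setdefault(tag, {})[attr_type] = group
    for attrs in per_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            try:
                vid = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                return None
            return vid if 1 <= vid <= 4094 else None
    return None
```

The parser groups the three attributes by tag before accepting a VLAN, so a server that tags Tunnel-Type and Tunnel-Medium-Type but sends the group ID untagged does not silently land the port in a VLAN; that mismatch is a common cause of "RADIUS says 200, switch stays in the default VLAN" tickets.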

  19. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Traffic Control • Attack Mitigation

  20. Problem: Loop Connection • Users connect their own switches and cause a loop unintentionally or on purpose • The loop causes a packet storm and overwhelms the whole system

  21. Solution for Loop Connection • D-Link’s Solution: Loopback Detection (LBD v4.0) • STP (Spanning Tree Protocol) independent • Unmanaged switches usually have no Spanning Tree Protocol function • D-Link’s design detects loop connections even when STP is absent • Flexible settings for loop prevention: port-based or VLAN-based • 1. Port-based LBD: the port is shut down, no traffic is allowed • 2. VLAN-based LBD: blocks the traffic of the VLAN in which the loop occurs, without shutting down the trunk port (diagram: VLANs V1 and V2 on a trunk, with loops behind PC1 and PC2)

  22. Problem: IP Management • Auditing problem: current auditing mechanisms, for example syslog, application logs, firewall logs etc., are mainly based on IP information. The log information is meaningless if users can change their IP address without control. • IP conflict problem: IP conflicts are the most common problem in today’s networks, because users sometimes change their IP address manually and conflict with other resources, such as other PCs, core switches, routers or servers. • Diagram: host 00E0-0211-1111 holds 192.168.1.1 and host 00E0-0211-2222 holds 192.168.1.2; a third host, 00E0-0211-3333, configures 192.168.1.1 manually, producing an IP conflict

  23. Solution for IP Management • D-Link’s Solution 1: IMP (IP-MAC-Port) Binding v3 (DHCP Snooping) • DHCP Snooping automatically learns the IP and MAC address pairs and saves them into the local database • Only traffic whose addresses match an entry in the white list can pass through the port • Diagram: with DHCP Snooping enabled, host A (192.168.1.1, 00E0-0211-1111) and host B (192.168.1.2, 00E0-0211-2222) get their addresses from DHCP and are learned into the white list; host C (00E0-0211-3333) has 192.168.1.1 configured manually, is not learned through DHCP Snooping and so does not match the white list

  24. Problem & Solution: Rogue DHCP Server • Problem: users set up their own DHCP server • Impact: incorrect IP assignment; disturbed network connectivity • D-Link’s Solution: DHCP Server Screening • Screens out DHCP server packets arriving from user ports to prevent unauthorized IP assignment • Diagram: the legitimate DHCP server’s assignments pass normally; a rogue DHCP server on a user port announces "I’m DHCP Server" and its packets are rejected as illegal before they reach PC1 and PC2
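The three address controls of slides 23 and 24 (DHCP Snooping building the white list, IP-MAC-Port Binding enforcing it, DHCP Server Screening on user ports) modelled in one small switch, as an added example that is not D-Link firmware. The switch model, the trusted-port convention, and the port numbers, MACs and addresses in the demo are constructed to mirror the slide diagrams.

```python
"""Access-port address control from slides 23 and 24, as an added example
(not D-Link firmware): DHCP Snooping builds an (IP, MAC) -> port white list
from DHCP ACKs seen on trusted ports, IP-MAC-Port Binding drops IP frames
from access ports that do not match it, and DHCP Server Screening drops
server-side DHCP messages that arrive on user ports. The switch model, port
numbers and addresses are constructed to mirror the slide diagrams."""
from dataclasses import dataclass, field

# DHCP message types, RFC 2132 option 53
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK, DHCP_NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCP_OFFER, DHCP_ACK, DHCP_NAK}   # only servers send these


@dataclass
class AccessSwitch:
    trusted_ports: set                                # uplink / DHCP server side
    bindings: dict = field(default_factory=dict)      # (ip, mac) -> access port
    dropped: list = field(default_factory=list)       # audit trail of drops

    def dhcp_server_screening(self, port, msg_type):
        """Slide 24: OFFER/ACK/NAK are legitimate only from trusted ports."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted_ports:
            self.dropped.append(("rogue-dhcp", port, msg_type))
            return False
        return True

    def snoop_dhcp(self, port, msg_type, client_mac, yiaddr, client_port):
        """Slide 23: learn (IP, MAC, port) from an ACK on a trusted port.
        `client_port` is the access port the client's REQUEST came in on; a
        real switch tracks it per transaction, here it is passed explicitly."""
        if not self.dhcp_server_screening(port, msg_type):
            return False
        if msg_type == DHCP_ACK:
            self.bindings[(yiaddr, client_mac)] = client_port
        return True

    def forward_ip(self, port, src_mac, src_ip):
        """IMPB white-list check on an IP frame entering an access port."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get((src_ip, src_mac)) == port:
            return True
        self.dropped.append(("impb-mismatch", port, src_ip, src_mac))
        return False


def demo():
    """Replay the slide diagrams; returns the switch and per-case verdicts."""
    sw = AccessSwitch(trusted_ports={26})     # port 26 faces the real DHCP server
    # Hosts A and B get leases; their ACKs arrive on the trusted uplink.
    sw.snoop_dhcp(26, DHCP_ACK, "00E0-0211-1111", "192.168.1.1", client_port=1)
    sw.snoop_dhcp(26, DHCP_ACK, "00E0-0211-2222", "192.168.1.2", client_port=2)
    verdicts = {
        "A ok": sw.forward_ip(1, "00E0-0211-1111", "192.168.1.1"),
        # Host C on port 3 statically configures 192.168.1.1: not in white list
        "C static": sw.forward_ip(3, "00E0-0211-3333", "192.168.1.1"),
        # B's IP/MAC pair replayed from port 3: pair exists, port does not match
        "B moved": sw.forward_ip(3, "00E0-0211-2222", "192.168.1.2"),
        # Rogue server on user port 5 answers a DISCOVER with an OFFER
        "rogue offer": sw.dhcp_server_screening(5, DHCP_OFFER),
        # Client DISCOVER from an access port is always allowed through
        "discover": sw.dhcp_server_screening(3, DHCP_DISCOVER),
        # ACK on the trusted port is accepted and learned (slide 23 host A)
        "real ack": sw.snoop_dhcp(26, DHCP_ACK, "00E0-0211-4444", "192.168.1.4", client_port=4),
    }
    return sw, verdicts
```

The "B moved" case is the one the white list alone does not catch: the IP/MAC pair is valid, but it is bound to port 2, which is why the port is part of the binding key and why a static IP on a snooping port needs an explicit manual entry rather than a looser IP/MAC-only check.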

  25. Requirement & Solution: Limiting No. of Users per Port • Requirement: limiting the number of users per port • Often applied in ISP FTTH/ETTH or dormitory projects • Mitigates MAC flooding attacks • D-Link’s Solution: Port Security • D-Link’s port security feature limits the number of hosts learned on each port • Controls the number of valid users based on the purchased license • Diagram: only 5 hosts per port are allowed; hosts 1 (192.168.1.1, 00E0-0211-1111) through 5 are admitted and host 6 (192.168.1.6, 00E0-0211-6666) is refused

  26. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Traffic Control • Attack Mitigation

  27. Requirement: Segregate End User Traffic • Used in enterprise environments • Users in a group can all connect to the Internet or public servers but not to another user group • D-Link’s Solution: Asymmetric VLAN or Traffic Segmentation • Asymmetric VLAN: clients in different VLANs (e.g. workstations in VLAN 1, a PC in VLAN 2) cannot talk to each other but can all reach the gateway (DIR-130) and the Mail/Portal/FTP servers on a different VLAN (VLAN 3) • Traffic Segmentation: clients on each port (Port 1, Port 2, Port 3) cannot talk to each other but can all reach the gateway and the public servers

  28. Requirement: Segregate End User Traffic • Usually for ISP ETTH projects • Clients connected to the same switch are in different broadcast domains, but can communicate with each other when needed • This can be achieved by inter-VLAN routing, but it consumes IP addresses: with one /30 per port on a 24-port switch, Port 1 uses 150.1.1.0/30 (gateway 150.1.1.1, client 150.1.1.2), Port 2 uses 150.1.1.4/30 (gateway 150.1.1.5, client 150.1.1.6), ... Port 24 uses 150.1.1.92/30 (gateway 150.1.1.93, client 150.1.1.94); 4 x 24 = 96 IPs are used up for 24 clients

  29. Requirement: Segregate End User Traffic • D-Link’s Solution: Traffic Segmentation + Proxy ARP • Enable Traffic Segmentation on the access layer switch to segregate the broadcast domains • Enable Proxy ARP on the aggregation layer switch to allow IP communication between end users • No IP address waste: only 24 IPs are used on a 24-port switch

  30. Requirement: P2P Traffic Management • P2P applications eat up most of the bandwidth • Impact on normal usage or critical applications • D-Link’s Solution 1: Flow-based Bandwidth Control by ACL • Limits the bandwidth of P2P UPLOAD • Controls the bandwidth of specific ingress UDP traffic to the switch • Configure a "Flow-based Bandwidth Control" ACL on the edge switch • Diagram: the intranet P2P client’s uploads toward Internet P2P clients congest the uplink; flow-based bandwidth control throttles the impact of P2P abuse on the normal client and the web server

  31. Requirement: P2P Traffic Management • D-Link’s Solution 2: Per-Queue Bandwidth Control • Limits the bandwidth of P2P DOWNLOAD • Controls the bandwidth of specific egress UDP traffic • Configure an ACL to classify UDP traffic into Queue 6 • Configure Per-Queue Bandwidth Control on Port 14 • Diagram: downloads from Internet P2P clients to the intranet P2P client congest Port 14; per-queue bandwidth control throttles the impact of P2P abuse on the normal user and the FTP server

  32. Requirement: Limit network access to a specific time range • Restrict employees’ or students’ access to a specific time range • D-Link’s Solution: Time-based ACL • An ACL can be configured with a time profile such as days (Mon through Fri) and time (09:00-19:00)

  33. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Traffic Control • Attack Mitigation

  34. Problem: ARP Spoofing Attack • What is ARP spoofing? • Attackers send forged ARP packets carrying wrong MAC/IP pairs to mislead network devices • How ARP spoofing attacks the network: • ARP spoofing as DoS: • Popular in Internet cafés • The attacker pretends to be a server or a router, or redirects clients to a non-existent router • Inter-subnet connectivity and Internet access of the whole network are impacted • Man in the middle: • Popular in business environments • The attacker tells the victim PC that it is the router • The attacker tells the router that it is the victim • All traffic is sniffed by the attacker and users never know

  35. Problem: ARP Spoofing Attack • D-Link Solution: Gratuitous ARP • A gratuitous ARP packet is a special ARP packet in which both the source IP and destination IP are the sender’s IP address, the source MAC is the sender’s MAC address, and the destination MAC is the broadcast address FF:FF:FF:FF:FF:FF • How the gratuitous ARP broadcast recovers the network: • The D-Link switch periodically sends out gratuitous ARP packets to all PCs on the network • Upon receiving the gratuitous ARP, all PCs update their own ARP table to the correct switch MAC and IP • Caveat: this repairs poisoned caches after the fact rather than preventing spoofing; it only helps hosts that accept gratuitous ARP updates, and an attacker who sends forged ARP more often than the switch’s interval keeps winning the race, so it is a complement to IMPB or ARP Spoofing Prevention, not a replacement

  36. Solution for ARP Spoofing Attack • D-Link’s Solution: IP-MAC-Port Binding • Establishes a database of the relationship between IP, MAC and port • The switch blocks the illegal access immediately once a mismatched ARP packet is found • Diagram: binding table Router (IP R, MAC r, port 26), PC-A (IP A, MAC a, port 2), PC-B (IP B, MAC b, port 12), PC-C (IP C, MAC c, port 16); PC-C sends faked ARP "I’m Router" (IP R, MAC c) and "I’m PC-A" (IP A, MAC c), and the switch rejects both: "You’re not Router", "You’re not PC-A"

  37. Solution for ARP Spoofing Attack • D-Link’s Solution: ARP Spoofing Prevention • An effective way to protect your router and servers • Simpler setup than IMPB and consumes fewer ACL rules • Users enter the IP and MAC of the router or important servers • The switch compares all inbound ARP packets against the configured MAC/IP pairs • Used to block invalid ARP packets that carry a fake gateway MAC/IP • Diagram: configured pairs Router (IP R, MAC r) and Server (IP S, MAC s); PC-C’s faked ARP "I’m Router" (IP R, MAC c) is rejected with "You’re not Router" • Note that, unlike IMPB, this protects only the configured addresses: a forged ARP claiming another client’s IP (e.g. PC-C claiming to be PC-A) is not covered
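The ARP handling behind slides 35, 36 and 37 in working form, as an added example that is not D-Link code: an Ethernet/ARP frame builder and parser, the gratuitous ARP shape slide 35 describes, and a single inbound-ARP check that applies ARP Spoofing Prevention (a configured router/server table) and, when a binding table is supplied, the IMPB rule that the sender’s IP/MAC pair must be bound to the ingress port. The demo replays PC-C’s two forged packets from slides 36 and 37 and also shows what ARP Spoofing Prevention alone misses. Addresses, ports and frames in the demo are constructed.

```python
"""ARP-level defences from slides 35 to 37, as an added example (not D-Link
code): parse an Ethernet/ARP frame, recognise a gratuitous ARP of the form
the slide describes, and validate inbound ARP against (a) a configured
gateway/server table, as ARP Spoofing Prevention does, and (b) an IP-MAC-Port
binding table, as IMPB does. Addresses, ports and the frames in the demo are
constructed."""
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst=BROADCAST):
    """Ethernet II frame carrying an ARP packet (RFC 826), 42 bytes."""
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6/4
    return eth + hdr + sender_mac + sender_ip + target_mac + target_ip


def gratuitous_arp(own_mac, own_ip):
    """Slide 35: sender IP == target IP, source MAC own, destination broadcast."""
    return build_arp(ARP_REQUEST, own_mac, own_ip, b"\x00" * 6, own_ip)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {"dst": dst, "src": src, "op": op, "sha": body[0:6], "spa": body[6:10],
            "tha": body[10:16], "tpa": body[16:20]}


def is_gratuitous(p):
    return p["spa"] == p["tpa"] and p["dst"] == BROADCAST


def arp_allowed(p, port, protected, bindings=None):
    """Decide whether an inbound ARP packet may be forwarded.

    `protected` maps IP -> MAC for the router/servers the admin configured
    (ARP Spoofing Prevention, slide 37). `bindings`, if given, maps
    (IP, MAC) -> port learned by IMPB (slide 36) and must match the ingress
    port. Returns (allowed, reason)."""
    if p["src"] != p["sha"]:
        return False, "ethernet source and ARP sender MAC differ"
    if p["spa"] in protected and protected[p["spa"]] != p["sha"]:
        return False, "spoofed protected address"
    if bindings is not None and bindings.get((p["spa"], p["sha"])) != port:
        return False, "sender not bound to this port"
    return True, "ok"


def demo():
    """Replay slides 36/37: PC-C forges ARP for the router and for PC-A."""
    R, r = ip("10.0.0.1"), mac("00:e0:02:11:00:01")   # router on port 26
    A, a = ip("10.0.0.2"), mac("00:e0:02:11:00:02")   # PC-A on port 2
    C, c = ip("10.0.0.3"), mac("00:e0:02:11:00:03")   # PC-C on port 16
    protected = {R: r}
    bindings = {(R, r): 26, (A, a): 2, (C, c): 16}
    cases = {
        "router gratuitous": (26, gratuitous_arp(r, R)),
        "A asks for router": (2, build_arp(ARP_REQUEST, a, A, b"\x00" * 6, R)),
        "C claims router": (16, build_arp(ARP_REPLY, c, R, a, A, dst=a)),
        "C claims A": (16, build_arp(ARP_REPLY, c, A, r, R, dst=r)),
    }
    out = {}
    for name, (port, frame) in cases.items():
        p = parse_arp(frame)
        out[name] = (is_gratuitous(p),) + arp_allowed(p, port, protected, bindings)
    # ARP Spoofing Prevention alone (no IMPB table) only covers the router:
    p = parse_arp(cases["C claims A"][1])
    out["C claims A (ASP only)"] = (is_gratuitous(p),) + arp_allowed(p, 16, protected)
    return out
```

The check compares the Ethernet source address with the ARP sender hardware address first; forged packets that pass a table lookup on one field but not the other are a common evasion against inspection code that only reads the ARP body.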

  38. Problem: BPDU Attacks • In a service or campus network, only STP-enabled ports send BPDU packets to exchange topology information • Edge ports should not receive BPDU packets because they are connected to end stations or other networks • BPDU attacks occur when an edge port receives BPDU packets due to: • Invalid network configuration • An unauthorized device being inserted • This can cause the whole service network to become unstable • Diagram: an access ring running STP; STP or any other BPDU packets arriving on an edge port make the network unstable

  39. Solution for BPDU Attacks • D-Link’s Solution: BPDU Attack Protection • Protects the switch’s port from participating in Spanning Tree or receiving BPDU packets from a different Spanning Tree • When a switch’s edge port receives a BPDU packet, it can: • Drop the BPDU packet • Block all ingress traffic • Shut down the port • Diagram: the same access ring running STP; BPDU packets arriving on an edge port are dropped, the port is blocked, or the port is shut down

  40. Problem: Worm Propagation • What happens in the network when worms are propagating? • Broadcast storm: • Worms use ARP requests to scan the network for PCs available to attack • The overall bandwidth of the network is occupied by these ARP broadcasts • Switch hanging up (L3 switch): • The switch CPU is overwhelmed when there are too many ARP requests to the switch • The worm keeps changing the IP address in its ARP packets, which floods the switch’s IP forwarding table immediately • Once the IP forwarding table is full, the switch begins to route these local hosts in software, which results in high CPU utilization (data overflow, CPU overloading)

  41. Solution for Worm Propagation • How to prevent the worm attack? • Broadcast Storm Control: the admin sets a threshold for broadcast packets, which prevents broadcast flooding • ACL based on user-defined packet content: the admin may block suspicious packets with specific signatures, such as MSBlaster or Nimda • D-Link Safeguard Engine: protects the switch’s own CPU from being overwhelmed by virus or worm scanning traffic • D-Link ZoneDefense: integrates D-Link firewalls and xStack switches to perform proactive blocking of abnormal traffic

  42. Joint Security Solutions • D-Link ZoneDefenseTM • Microsoft NAP Support

  43. ZoneDefense Technology: Challenge to Current Network Security • Traditional firewalls have limited ports and performance, so L3 switching between LANs still relies on L3 core switches • Whenever there is an infected mobile user, the current network security architecture cannot effectively prevent the virus/worm infection and outbreak • Diagram: firewall, L3 core switch and server farm; infection spreads between clients through the core switch, and the coming virus/worm outbreak can even generate DoS attacks against network devices

  44. ZoneDefense Technology: New Network Security Architecture • New high-port-density, high-performance firewalls can take over L3 switching and enforce security policies between LANs • Whenever there is an infected mobile user, the new architecture can stop the virus/worm infection across LANs • Further, when the firewall detects virus/worm activity, it notifies the access layer switches (D-Link ZoneDefense) to block the suspected host, stopping further infection or outbreak in time • Diagram: firewall, L3 core switch and server farm, with ZoneDefense linking the firewall to the access switches

  45. Joint Security Solutions • D-Link ZoneDefenseTM • Microsoft NAP Support

  46. Microsoft NAP Support • Network Access Protection (NAP) • Policy enforcement platform technology led by Microsoft • Allows better network asset protection by enforcing compliance with system health requirements • Users can create customized health policies to: • Validate computer health before granting access • Update compliant computers automatically to ensure ongoing compliance • Confine non-compliant computers to a restricted network until they become compliant • Requirements to deploy NAP: • Server: Microsoft Windows Server 2008 • Clients: Microsoft Windows Vista, Windows XP SP2 with NAP Client, Windows XP SP3 • Appliance: D-Link xStack Switch Series

  47. Microsoft NAP Support • Four Pillars in NAP: • Policy Validation • Authentication: Integrates with Active Directory to achieve identity-based network access control • Policy Enforcement: Network Policy Server (NPS) checks each NAP client’s health status • Example: Anti-Virus signature, Windows patch, personal firewall, etc. • Network Restriction • Restricts client access based on its health status: • If compliant, grants client access • If non-compliant, client is quarantined • Remediation • Provides quarantined client necessary updates • Once client becomes “healthy”, removes network restriction • Ongoing Compliance • Continually checks all clients in the network • Any change in client’s health status will result in network restriction

  48. Microsoft NAP Support • Microsoft NAP supports 5 kinds of Enforcement Clients (EC) • EAPhost (802.1X) NAP EC • VPN NAP EC • DHCP NAP EC • IPSec NAP EC • Terminal Server Gateway NAP • D-Link’s support on NAP ECs: • Enterprise Market • 802.1X NAP • VPN NAP (firewall function) • SMB Market • DHCP NAP • All D-Link xStack Switches support 802.1X NAP • All D-Link Switches are tested compliant for DHCP NAP • D-Link Business Access Points support 802.1X NAP

  49. 802.1X NAP + ZoneDefense Scenario • Components in the diagram: Microsoft Network Policy Server (RADIUS), System Health Server, Remediation server, DHCP Enforcer Server, On-Demand Policy Manager, NetDefend firewall, xStack switch, router, wireless access, kiosk and guest clients; outside the protected network: mobile users, telecommuters, partners, hackers and thieves • EAP status carries the user name/password or token; Host Integrity Rules checked with their status: Anti-Virus on, Anti-Virus updated, Personal Firewall on, Service Pack updated, patch updated • Compliant scenario: before connection, you need a username/password or token; after login, the system checks the compliance policy; if compliant, you are allowed to connect to the network • Non-compliant scenario: if the client’s patches are not updated, it can only reach the remediation server, health server and network policy server • Remediation scenario: the client gets patches, virus patterns etc. to correct its health status • Guest access scenario: guests are assigned restricted access rights to the network • If a malicious attack happens (e.g. worms), the firewall informs the xStack switch to block the malicious attacker’s IP traffic • Integrated client-to-gateway protection that ensures a secure network

  50. D-Link AP support for 802.1X NAP • D-Link Access Points bring 802.1X NAP capability to the wireless network • How it works • Same principle but extends 802.1X NAP to wireless clients • Extra value added from D-Link • Access Points from other vendors don’t necessarily support 802.1X NAP • D-Link Access Points work alongside xStack Switches to create a unified NAP environment • Benefit • No need to worry about 802.1X NAP compatibility issue for Access Point • Strict policy enforcement for both wired and wireless clients
