
D-Link Network Security Solutions



  1. D-Link Network Security Solutions Robertas Matusa

  2. Security in D-Link Switching Environment • Authentication • Authorization • Traffic Control • Node and Address Control • ZoneDefense • Network Access Protection

  3. Authentication

  4. Authentication • 802.1X Authentication • MAC-Based Access Control • Web-Based Access Control

  5. 802.1X Authentication Mechanism • The 802.1X authentication mechanism consists of three components: • Authentication Server (RADIUS Server): validates the identity of the client and notifies the Authenticator. • Authenticator (Switch): requests information from the client, verifies that information with the Authentication Server and relays a response to the client. • Supplicant (Client): requests access to the LAN and switch services and responds to the requests from the switch. The workstation must run 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant). • Disadvantage of 802.1X • Even though 802.1X is a secure authentication method, integrating the 802.1X supplicant agent with the RADIUS server is always a challenge for deployment. It is not only costly but also consumes resources for setup and maintenance.

  6. Non-802.1X Authentication Mechanism • On the other hand, non-802.1X methods make authentication deployment easier and more user-friendly. They can complement what 802.1X technology lacks and facilitate deployment. This clientless mechanism is flexible and provides the required security. • Benefits of non-802.1X Authentication Mechanism • Easy deployment (does not require client software) • Low TCO (RADIUS server maintenance, operation staff…) • More user-friendly (e.g. MAC-Based Access Control does not require users to input a username and password during authentication) • There is demand for emerging non-802.1X authentication solutions. Customers are looking for solutions which are easy to deploy and maintain and require no extra client software. • D-Link develops comprehensive solutions for both 802.1X and non-802.1X environments to increase productivity without compromising the security of the network.

  7. IEEE 802.1X Definition • Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each client connecting to a switch port before the client has access to network resources. • D-Link’s Implementation • Port-Based 802.1X: Users have to be authenticated before accessing the network. The switch will unlock the port only after the user passes authentication. • MAC-Based 802.1X: The D-Link switch can perform authentication based on MAC addresses. Each switch port can authenticate multiple computers’ access credentials.

  8. 802.1X Components • Before a Client is authenticated, 802.1X access control allows only EAPOL traffic to pass through the port where the client is connected. After authentication is successful, normal traffic can pass through the port. • Three different roles in IEEE 802.1X: • Client (NIC card: Ethernet 802.3, wireless card, etc.) • Authenticator (network port: access point, Ethernet switch, etc.) • Authentication Server (AAA server: any EAP server, mostly RADIUS) • [Diagram: EAPOL packets pass through the network port before authentication; normal packets are blocked]

  9. 802.1X Device Role: Client • The device (workstation) that requests access to the LAN and switch services and responds to the identity request/challenge from the switch and RADIUS server. • The workstation must be running 802.1X-compliant client software. The Microsoft Windows XP operating system has an embedded 802.1X supplicant.

  10. 802.1X Device Role : Authentication Server • The Authentication Server validates the identity of the Clients and notifies the Authenticator (switch) whether the Client is authorized or unauthorized to access the LAN. • RADIUS (Remote Authentication Dial-In User Service) operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and many RADIUS clients.

  11. 802.1X Device Role : Authenticator • The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server. It requests identity information from the Client, verifies that information with the Authentication Server and relays request / response messages (identity & challenge) between the Client and Authentication Server.

  12. 802.1X Authentication Process • Participants: Workstation (Client), Switch (Authenticator), RADIUS Server (Authentication Server)
  • Client → Switch: EAPOL Start
  • Switch → Client: EAP Request/Identity
  • Client → Switch: EAP Response/Identity; Switch → RADIUS Server: RADIUS Access-Request
  • RADIUS Server → Switch: RADIUS Access-Challenge; Switch → Client: EAP Request/OTP
  • Client → Switch: EAP Response/OTP; Switch → RADIUS Server: RADIUS Access-Request
  • RADIUS Server → Switch: RADIUS Access-Accept; Switch → Client: EAP Success; Port Authorized
  • Client → Switch: EAP Logoff; Switch → RADIUS Server: RADIUS Account-Stop; RADIUS Server → Switch: RADIUS Ack; Port Unauthorized
  • OTP – One Time Password

  13. Example: Port-Based 802.1X • All clients connected to the L2 Switch/Hub can pass through the Authenticator with Port-Based 802.1X once a client (James) is authenticated.

  14. Example: MAC-Based 802.1X • Each client needs to provide its own correct username/password to pass authentication before it can access the network. • Note that the L2 Switch/Hub needs to support 802.1X pass-through. Otherwise, 802.1X packets (with destination MAC = 0180c2000003, inside the IEEE reserved range 0180c2000001~0f) will be dropped and never reach the Authenticator. • MAC-Based 802.1X is one of D-Link’s advantages in 802.1X technology. Most competitors only support port-based 802.1X authentication.

  15. Port-Based 802.1X vs. MAC-Based 802.1X • Port-Based 802.1X • Once a port is authorized by a client, the other users connecting to the same port through a hub or switch can also pass through the Authenticator. • MAC-Based 802.1X • Once a port is authorized by a client, only this client can pass through the Authenticator.
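The forwarding behaviour of slides 8 and 13-15 as an added Python model (not D-Link code): EAPOL frames always pass, and after an EAP Success a port-based authenticator opens the whole port while a MAC-based one opens it only for the authenticated MAC. The EtherType values are the standard ones; the client names and MAC addresses are constructed.

```python
"""Authenticator forwarding model for slides 8 and 13-15 (added example,
not D-Link code). Before authentication only EAPOL passes; afterwards a
port-based authenticator opens the whole port, a MAC-based authenticator
opens it only for the authenticated MAC. MAC addresses are constructed."""

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800


class Authenticator:
    def __init__(self, mode):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.authorized = {}   # port -> MACs the RADIUS server accepted

    def eap_success(self, port, mac):
        """RADIUS Access-Accept relayed as EAP Success: authorize the supplicant."""
        self.authorized.setdefault(port, set()).add(mac)

    def eap_logoff(self, port, mac):
        """EAP Logoff: remove the supplicant; the port is unauthorized again
        once no authenticated supplicant is left on it."""
        self.authorized.get(port, set()).discard(mac)

    def forward(self, port, src_mac, ethertype):
        """True if the frame may pass the authenticator."""
        if ethertype == EAPOL_ETHERTYPE:
            return True                 # EAPOL is always relayed
        macs = self.authorized.get(port, set())
        if self.mode == "port":
            return bool(macs)           # any authenticated client opens the port
        return src_mac in macs          # only the authenticated client passes


def hub_scenario(mode):
    """Slides 13-14: James and a second host (Eve) share a hub on port 1;
    only James authenticates. Both MACs are constructed."""
    auth = Authenticator(mode)
    james, eve = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    result = {"before_auth": auth.forward(1, james, IPV4_ETHERTYPE)}
    auth.eap_success(1, james)
    result["eapol_from_eve"] = auth.forward(1, eve, EAPOL_ETHERTYPE)
    result["james_ip"] = auth.forward(1, james, IPV4_ETHERTYPE)
    result["eve_ip"] = auth.forward(1, eve, IPV4_ETHERTYPE)
    auth.eap_logoff(1, james)
    result["after_logoff"] = auth.forward(1, james, IPV4_ETHERTYPE)
    return result
```

In port mode Eve's IP traffic rides on James's authentication; in MAC mode it is dropped until she authenticates herself.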

  16. Authorization using 802.1X Guest VLAN • 802.1X Guest VLAN is used to implement (Guest) VLAN with limited access rights and features. • When this feature is enabled, all guest accounts or clients who are incompatible with 802.1X authentication will be directed to the guest VLAN when they try to access the switch.

  17. MAC Access Control (MAC) Overview • Controls users’ access to the network. • Determines whether a user is authorized to access the network by matching the user’s MAC address against the MAC addresses stored in the database (local or external).

  18. Web-Based Access Control (WAC) Overview • D-Link xStack switches can authenticate connected users when the users try to surf the Internet. • It is an authentication process which uses the HTTP protocol.

  19. Web-Based Access Control (WAC) Overview

  20. WAC with Switch’s Local Database • 1. The user visits a web server. • 2. A username/password dialog box appears and asks for the username/password.

  21. WAC with Switch’s Local Database • 3. Once the user inputs the correct username and password, he passes authentication. A “successful log in” message screen will appear, and the web page will be redirected to 10.10.10.101, as configured in this example. • 4. The authenticated user can access the network and is not restricted in the web applications he may use.

  22. Web-Based Access Control Summary • WAC provides an easy-to-use authentication method based on the HTTP protocol. Before authentication is passed, all TCP traffic will be blocked. • WAC can use the Local Database or a RADIUS Database to store the authentication information. • With WAC, different users are assigned different VLAN memberships. It can provide different service levels based on the username used to log in.

  23. Authorization

  24. Authorization • Most network administrators require authorization based on user identity. D-Link provides the following features: • Dynamic VLAN assignment • Guest VLAN with restricted network access • Client attribute assignment • Bandwidth control for the port • 802.1p priority • ACLs assigned to users with different profiles

  25. Authorization • Benefits of User Authorization: • Granular access control • Users get privileges with different access rights • Guests have limited network access on the guest VLAN • Flexible bandwidth and QoS control • Bandwidth allocation and traffic prioritization can be set based on user identity • D-Link Implementations for User Authorization

  26. Identity-Driven VLAN • Identity-Driven VLAN describes the RADIUS server Dynamic VLAN Assignment definition (including VLAN ID and VLAN name). • This is applicable to all access control methods, such as 802.1X, MAC-Based Access Control, Web-Based Access Control and JWAC.

  27. Identity-Driven QoS • D-Link defines the “Identity-Driven QoS” feature with the following two items: • 802.1X Extension Bandwidth Assignment • If an 802.1X port is authenticated, the bandwidth assignment from the RADIUS server can overwrite the locally configured ingress or egress bandwidth of this port. • If the assigned bandwidth is invalid (less than 0 or greater than the maximum supported value), it will be ignored and the switch will keep its local setting. • A zero (0) value means there is no bandwidth limit for the client. • When 802.1X is disabled, the original bandwidth configuration will be restored. • 802.1X Extension Priority Assignment • If an 802.1X port is authenticated, the priority from the RADIUS server can overwrite the locally configured 802.1p default priority of this port. • If the assigned priority is invalid (less than 0 or greater than 7), it will be ignored and the switch will keep its local setting. • When 802.1X is disabled, the original 802.1p priority configuration will be restored.

  28. Traffic Control

  29. Traffic Control • Access Control List • Bandwidth Control • Traffic Storm Control

  30. L2-L7 Access Control List • D-Link Access Control List (ACL) filters network packets based on the following information: • Switch port • MAC address / IP address • Ethernet type / Protocol type • VLAN • 802.1p / DSCP • TCP / UDP port (Application type) • Packet payload (Application type)

  31. Guideline to Configure Access Profile • Analyze the filtering goal and determine whether to use an Ethernet or an IP Access Profile • Decide the filtering strategy • Deny some hosts and allow all - This strategy is suitable for an environment with few hosts / protocol ports / subnets which need to be filtered • Allow some hosts and deny all - This strategy is suitable for an environment with few hosts / protocol ports / subnets which need to be allowed. All other traffic will be filtered. • Based on the strategy, determine which “access profile masks” are needed and create them (corresponds to the “create access_profile” command) • Add “access profile rules” associated with the Mask (corresponds to the “config access_profile” command) • Access profile rules are checked in order of access_id number; the lower ID is checked first. If no rule matches, the packet will be permitted. • In a QoS environment, when a rule is matched, the 802.1p bits/DSCP can be replaced with a new higher/lower priority before the packets are sent out.

  32. Access Profile Types • There are many types of Access Profile to support different conditions for filtering traffic into a switch.

  33. How to Count the Mask • The switch Web GUI is an easy and convenient tool to count (calculate) the Mask for mapping an ACL profile. • If the Mask exceeds the range you assigned, a warning message will be displayed.

  34. Time-Based ACL • Configure the Switch Time Profile:
    config time 04Sep2007 17:00:00
    config time_range Time_Range hours start_time 8:0:0 end_time 17:0:0 weekdays mon-fri
  • Create the access profile and add a rule bound to the time range:
    create access_profile profile_id 2 ip source_ip_mask 255.255.255.0 tcp dst_port_mask 0xFFFF
    config access_profile profile_id 2 add access_id auto_assign ip source_ip 192.168.0.0 tcp dst_port 80 port 1 deny time_range Time_Range

  35. Configure Packet Content ACL • Create a Packet Content ACL Access Profile • Packet Content ACL is designed to inspect arbitrary offset_chunks. • An offset_chunk is a four-byte block, in hexadecimal format, which is used to match an individual field in an Ethernet frame. Each profile may contain up to four offset_chunks. • Only one Packet Content ACL profile is supported per switch. In other words, up to 16 bytes in total of offset_chunks can be applied per profile and per switch. • Add an Access Rule to the Access Profile and decide the Rule Action

  36. ARP Spoofing Attack • Address Resolution Protocol (ARP) • ARP is the standard method for finding a host’s hardware address (MAC address) when only its IP address is known. This protocol is vulnerable because hackers can spoof the IP and MAC information in ARP packets to attack the LAN (known as ARP spoofing). • How does ARP spoofing attack a network? • ARP spoofing, also known as ARP poisoning, is a method of attacking an Ethernet network which may allow an attacker to sniff data frames on a LAN, modify the traffic, or stop the traffic (known as a Denial of Service (DoS) attack). • The principle of ARP spoofing is to send fake (spoofed) ARP messages onto an Ethernet network. • Generally, the aim is to associate the attacker’s or any random MAC address with the IP address of another node (such as the default gateway). Any traffic destined for that IP address will be redirected to the node specified by the attacker.

  37. ARP Spoofing Attack • IP spoofing is caused by Gratuitous ARP, which occurs when a host sends an ARP request to resolve its own IP address. • The diagram shows a hacker within a LAN initiating an ARP spoofing attack.

  38. Prevent ARP Spoofing via Packet Content ACL • The DoS attacks seen today are commonly caused by ARP spoofing. D-Link managed switches can effectively mitigate them via their unique Packet Content ACL. • The basic ACL can only filter ARP packets based on packet type, VLAN ID, and source and destination MAC information. Further inspection of ARP packets is needed. To prevent ARP spoofing attacks, D-Link switches use Packet Content ACL to block invalid ARP packets which carry a fake gateway MAC-IP binding.
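How a Packet Content ACL of the kind described on slides 35 and 38 can block a fake gateway binding, as an added Python model that is not D-Link code: frames are read as 4-byte offset_chunks, rules are evaluated in access_id order with default permit (slide 31), and two constructed rules permit the real gateway's ARP while denying any other ARP that claims the gateway IP. The gateway IP/MAC and the sample frames are constructed.

```python
"""Packet Content ACL model for slides 31, 35 and 38 (added example, not
D-Link code). A frame is inspected as 4-byte offset_chunks (chunk k = bytes
4k..4k+3, at most four per profile); rules are checked in access_id order,
lowest first, and a frame matching no rule is permitted. The gateway
address and the frames are constructed."""
import struct

ARP_ETHERTYPE = 0x0806
GATEWAY_IP = "192.168.0.1"          # constructed
GATEWAY_MAC = "00:aa:bb:cc:dd:01"   # constructed
MAX_CHUNKS = 4                      # per profile (slide 35)

def chunk(frame, index):
    """offset_chunk `index` as a 32-bit int, or None past the frame end."""
    piece = frame[4 * index:4 * index + 4]
    return struct.unpack("!I", piece)[0] if len(piece) == 4 else None

def matches(frame, rule):
    """rule["chunks"] maps chunk index -> (mask, value)."""
    if len(rule["chunks"]) > MAX_CHUNKS:
        raise ValueError("a profile holds at most four offset_chunks")
    for index, (mask, value) in rule["chunks"].items():
        observed = chunk(frame, index)
        if observed is None or observed & mask != value & mask:
            return False
    return True

def acl_action(frame, rules):
    """Lowest access_id wins; default permit when nothing matches."""
    for rule in sorted(rules, key=lambda r: r["access_id"]):
        if matches(frame, rule):
            return rule["action"]
    return "permit"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_int(ip):
    return struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]

def build_arp_reply(src_mac, sender_mac, sender_ip, target_ip):
    """Constructed broadcast Ethernet + ARP reply frame (42 bytes)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(sender_mac) + struct.pack("!I", ip_int(sender_ip))
    arp += mac_bytes("ff:ff:ff:ff:ff:ff") + struct.pack("!I", ip_int(target_ip))
    return eth + arp

# Chunk layout of an ARP frame: chunk 3 = EtherType (upper 16 bits),
# chunk 5 = ARP opcode + first 2 sender-MAC bytes, chunk 6 = last 4
# sender-MAC bytes, chunk 7 = sender IP.
_gw = mac_bytes(GATEWAY_MAC)
ARP_RULES = [
    {"access_id": 1, "action": "permit",   # the real gateway announcing itself
     "chunks": {3: (0xFFFF0000, ARP_ETHERTYPE << 16),
                5: (0x0000FFFF, struct.unpack("!H", _gw[:2])[0]),
                6: (0xFFFFFFFF, struct.unpack("!I", _gw[2:])[0]),
                7: (0xFFFFFFFF, ip_int(GATEWAY_IP))}},
    {"access_id": 2, "action": "deny",     # anyone else claiming the gateway IP
     "chunks": {3: (0xFFFF0000, ARP_ETHERTYPE << 16),
                7: (0xFFFFFFFF, ip_int(GATEWAY_IP))}},
]
```

Because rule 1 already uses four chunks, it fills the whole profile; rule 2 reuses two of them, so both fit the one-profile-per-switch limit of slide 35.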

  39. Bandwidth Control • Port-based Bandwidth Control • Port-based bandwidth control is a D-Link QoS feature which a network administrator can use to control the upstream and downstream access rate of a switch port. • Flow-based Bandwidth Control • Flow-based bandwidth control, on the other hand, is an application derived from the access control list feature. With flow-based bandwidth control, a network administrator can apply granular bandwidth control to traffic flows on a per-application basis.

  40. Node and Address Control

  41. Node and Address Control • Loopback Detection • Port Security • IP-MAC-Port Binding

  42. Loopback Detection (LBD) • STP is a common way to prevent loops in the network. However, it has limitations when detecting a loop occurring on the same physical port. • LBD is a compulsory feature in Metro Ethernet applications. Without LBD, a loop in an end user’s home may affect and bring down the whole network. • Advantages of D-Link LBD: • VLAN blocking capability • Auto-recovery design – when the loop is removed, the port can recover without administrator intervention.

  43. Differences between LBD v2.0 and LBD v4.0 • The main differences between STP Loopback Detection (LBD v2.0) and the latest LBD v4.0 are: • STP Independent • For LBD v2.0 – STP Loopback Detection uses BPDUs to detect the loop. STP must be enabled for this LBD feature to work. • For LBD v4.0 – Loopback Detection uses another (multicast) packet type to detect the loop. It is a better solution than the STP-dependent method. • Optional Actions when a loop occurs • Action 1: Shut down the port • Action 2: Shut down the individual VLAN with the loop

  44. Two Actions of LBD v4.0 • D-Link provides two selectable actions when a loop occurs. • Shut down Port (Default setting) • This is the same as LBD v2.0 • Block the traffic from the VLAN where the loop occurs, without shutting down the port • As the affected port is not shut down, there is no impact on the devices or members of other VLANs on the same port. • However, since the port is not shut down, the CPU will still receive the looped traffic, including BPDU or ARP/broadcast packets, which places a high load on it. • Therefore, the Safeguard Engine needs to be enabled to protect the CPU.

  45. Port Security • Limits the number of users that have access to secured ports. • Controls clients’ access to the secured port based on their physical addresses (MAC address) • Three modes of Port Security • Permanent – The locked addresses never age out, even after the aging timer expires. • Delete on Timeout – The locked addresses age out after the aging timer expires. If the link status changes on the connected port, the MAC addresses learned on that port will be removed; the result is the same as the expiry of the aging timer. • Delete on Reset – The locked addresses age out after the switch is reset. (Default setting)

  46. Problem Caused by Improper IP Management • Auditing Problem • Current auditing mechanisms, such as syslog, application logs, firewall logs, etc., are mainly based on IP information. The log information is meaningless if the IP can be changed by the user without control. • IP Conflict Problem • IP conflicts are the most common problem in today’s networks. Users change their IP address manually and cause conflicts with other resources, such as other PCs, core switches, routers or servers.

  47. Solution to Improve IP Management • IP-MAC-Port Binding (IMPB) • Restricts unauthorized access and blocks ARP spoofing attacks on certain switch ports by comparing the IP-MAC address pair with the database. • With IP-MAC-Port Binding, all packets whose MAC address, IP address and connected port are not in the address-binding list will be dropped by the switch.

  48. Solution to Improve IP Management • There is great demand for the IMPB feature today. It can ease IP management and prevent ARP spoofing attacks. • There are many ARP spoofing attack tools on the Internet today, and anyone can use such a tool to attack a network easily. Therefore, administrators of larger networks, such as Campus and Metro Ethernet, are seeking solutions to prevent such attacks. • D-Link IMPB is a feature proven in the field, and its comprehensive options can address most field challenges.

  49. D-Link IP-MAC-Port Binding • There are three IMPB modes: • ARP mode • ACL mode • DHCP mode • These three IMP modes are methods of building up the IMPB entries and programming those entries into the hardware tables. IMP is enabled on a per-port basis. When IMP is enabled on a port, the administrator needs to specify the port mode: • Strict mode: The port is blocked by default; hosts must be authenticated before they can send traffic. • Loose mode: The port is enabled by default; hosts can send traffic. When an invalid ARP is detected, the traffic will be blocked.

  50. Three Modes of IP-MAC-Port Binding • ARP Mode • This is the default configuration for IMP-enabled ports. In ARP mode, if the switch identifies a legal host with a valid ARP, the host’s MAC address will be programmed into the L2 FDB with the action “allow”; otherwise, the host’s MAC address will be programmed into the L2 FDB with the action “drop”. The security access control is based on Layer 2 MAC addresses. • ACL Mode • This provides strict security for IP-level traffic. If ACL mode is enabled, the statically configured IMP entries with ACL mode will be programmed into the hardware ACL table. If ACL mode is disabled, the IMP entries will be removed from the hardware ACL table. This mode is not supported on switches which have no hardware ACL; there the IMP entries are programmed into the L2 FDB only. ACL mode and ARP mode can co-exist in a switch. • DHCP Snooping Mode • This is used to build up IMP binding entries automatically. When DHCP snooping is enabled, the switch will snoop DHCP packets on IMP-enabled ports. The switch will automatically build up IMPB entries and program them into the L2 FDB and the hardware ACL table (if ACL mode is enabled).
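The IMPB behaviour of slides 47-50 as an added Python model (not D-Link code): a per-port binding list, ARP mode programming allow/drop entries into the L2 FDB from the sender binding of observed ARP packets, strict versus loose port mode, the ACL-mode IP-level check, and DHCP snooping learning bindings from DHCP ACKs. All addresses are constructed.

```python
"""IP-MAC-Port Binding model for slides 47-50 (added example, not D-Link
code). A packet passes only when its IP, MAC and ingress port are in the
binding list. ARP mode programs allow/drop entries into the L2 FDB from the
sender binding of observed ARP packets; strict mode blocks a port until a
valid ARP is seen, loose mode forwards until an invalid one is seen; ACL
mode adds the IP-level check; DHCP snooping learns bindings from DHCP ACKs.
All addresses are constructed."""


class ImpbPort:
    def __init__(self, port, mode="strict", acl_mode=False):
        if mode not in ("strict", "loose"):
            raise ValueError("port mode must be 'strict' or 'loose'")
        self.port = port
        self.mode = mode
        self.acl_mode = acl_mode
        self.bindings = set()   # (ip, mac) pairs bound to this port
        self.fdb = {}           # L2 FDB: mac -> "allow" | "drop"

    def add_binding(self, ip, mac):
        """Static IMPB entry (the address-binding list of slide 47)."""
        self.bindings.add((ip, mac))

    def arp_seen(self, sender_ip, sender_mac):
        """ARP mode: a valid sender binding programs 'allow', anything else 'drop'."""
        valid = (sender_ip, sender_mac) in self.bindings
        self.fdb[sender_mac] = "allow" if valid else "drop"
        return valid

    def dhcp_ack_seen(self, yiaddr, chaddr):
        """DHCP snooping mode: the leased address becomes a binding automatically."""
        self.add_binding(yiaddr, chaddr)
        self.fdb[chaddr] = "allow"

    def forwards(self, src_mac, src_ip=None):
        """Forwarding decision for a data packet entering this port."""
        action = self.fdb.get(src_mac)
        if action == "drop":
            return False
        if action is None and self.mode == "strict":
            return False            # strict: unknown hosts blocked until validated
        if self.acl_mode and src_ip is not None:
            return (src_ip, src_mac) in self.bindings   # IP-level (hardware ACL) check
        return True
```

A host that sends an ARP claiming a bound IP from a different MAC is programmed "drop" in either port mode, which is the spoofing case slides 47 and 48 describe.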
