AT-8500 L2+ Switches and Network Security

Date post: 16-Jan-2016
Transcript
Page 1: AT-8500 L2+ Switches and Network Security

AT-8500 L2+ Switches and Network Security

Managed Fast Ethernet Switches with Denial of Service (DoS) Attack Protection

Page 2: AT-8500 L2+ Switches and Network Security

Agenda

• The Security Issue
• AT-8500 Overview
• Market Applications
• Security in further detail
  – DOS attack Prevention
  – Security Tools
• QOS
• 802.1s (MSTP)
• Q & A

Page 3: AT-8500 L2+ Switches and Network Security

Network Security: What are the Issues?

• Viruses and network attacks growing at an alarming rate:
  – Volume of viruses increasing at 40% pa
  – New methods of spreading viruses
  – Companies experience approx. 38 attacks per week on average
  – Growing number of peer to peer, instant messaging programs and remote workstations open up new ways of spreading malicious code
• Staff misuse accounts for 7% of total (DTI)
• DoS attacks (accidental and deliberate)
  – A 25% increase over the past 12 months (Silicon.com)
  – The MS Blast worm was blamed for 33% of all infections in small firms and 50% in larger companies

Page 4: AT-8500 L2+ Switches and Network Security

AT-8500 Overview

• AT-8500 Layer 2 Managed Switch (Aggregation/Edge/Wiring Closet)
• 1 RU form factor, 19” rack mountable
• 10/100 modular and 2 modular bays
• Medium to high port densities: 16, 24 and 48 port configurations
• 16 port AT-8516F SC/LC version for higher distance deployments or added security
• Content Aware Switch provides more intelligence at the edge for important applications (QOS and DOS prevention, ACLs)
• Fully Managed Switch; SNMP, Secure Web (SSL) and Secure Telnet (SSH)

Page 5: AT-8500 L2+ Switches and Network Security

AT-8500 L2+ switches – One further layer of protection

• Pre-programmed to detect six well known DoS attacks
• Complements WAN firewall and PC anti-virus measures
• Management sessions are encrypted (SSL and SSH) for maximum security
• Additional security features:
  • SSL and SSH
  • 802.1x
  • L2-L4 Access Control List
  • Radius and TACACS+
• Provides the ability to deploy ‘Tiered Security’ to unsecured areas
• Only authorised individuals can access the network
• Intelligent chip-set recognises a DOS attack and restricts traffic to neutralise the threat

Page 6: AT-8500 L2+ Switches and Network Security

8500 Educational Application

Educational Concerns
• Security – Just by their nature Educational Networks are very susceptible to machine compromises and intrusion
  – DOS attack prevention
  – Implementing Effective Security Policies
• Multicast – Distance Learning Applications and Machine Imaging
  – IGMP Snooping v1 and v2
• Ease of management for mobile students
  – Dynamic VLANs
  – Enhanced Stacking for large switch deployments

(Diagram labels: Wiring Closet, Classroom, Computer Lab, Library & Multimedia, Administration, MDF)

Page 7: AT-8500 L2+ Switches and Network Security

8500 Enterprise Application

Enterprise Concerns
• Security – Must protect integrity of network and data, and ensure network uptime for productivity
  – DOS attack prevention
  – Implementing Effective Security Policies
• Redundancy – Network uptime critical
  – STP, RSTP, MSTP
• QOS – VoIP, and other time sensitive services
  – 802.1p and QOS
• VLAN network segmentation
  – 802.1q, bridge network segments across switch boundaries securely
• Multicast – Video Conferencing and shared white board applications
  – IGMP Snooping v1 and v2
• Management in the Wiring Closet
  – Enhanced Stacking

(Diagram labels: Wiring Closet desktops, VoIP and Data (QOS), Video and Multicast, MDF)

Page 8: AT-8500 L2+ Switches and Network Security

8500 Financial Institution Application

Financial Institution Concerns
• Security – preserve integrity of network to ensure maximum availability
  – DOS attack prevention
  – Implementing Effective Security Policies
  – STP, RSTP, MSTP
  – “Fiber to the Desktop” AT-8516F SC/LC
  – VLAN 802.1q

(Diagram labels: Wiring Closet Desktops, Account Data, File Servers, MDF)

Page 9: AT-8500 L2+ Switches and Network Security

8500 Security – DOS attack prevention

Importance of a modern day secure network
• 2003 was a record year for Worms, Hacker Attacks, and Viruses
• Experts already estimate that 2004 will surpass 2003 (already Mydoom made big headlines this year)
• Worms are predicated on the idea of self propagating code specifically built with various intentions, mostly to cause harm and detriment to computers & networks. A popular use of worms is the propagation of DOS and DDOS attacks
• DOS attacks cost millions of dollars each year in terms of lost revenues, damaged reputation, and productivity
• Every network is prone to being affected by DOS attacks, some more than others by their inherent structure and users.
• There are many forms of securing networks, and mitigating the impact of DOS attacks and the spread of worms
• Effective security means of preventing worms and stopping DOS attacks are the creation of good Security Policies, and these policies start at the edge of the network

Page 10: AT-8500 L2+ Switches and Network Security

DoS Attacks

• DOS attacks come in various forms and modes of operation
  – Overwhelming consumption of finite system resources so that legitimate users cannot use them
  – Capitalizing on a system bug or flaw that will interrupt service or bring the system down
• Detect and perform action
  – Implement algorithms to detect violations; once a violation is detected, log the event, rate limit, or drop traffic
• AT-8500 protects networks against the 6 most popular DOS style attacks

Page 11: AT-8500 L2+ Switches and Network Security

6 Most Common DOS Attacks

• SYN-Flood
  – Target machine: will suffer performance and may not be able to service real connections, resulting in perceived downtime.
  – Sending machine: network will forward thousands of packets per second, impacting network performance.
• LAND – Target machine will crash or hang
• IP Options – This attack will cause the target machine to crash
• Teardrop – Target machine crashes
• SMURF
  – Receiver: Attack will degrade network performance.
  – Sender: may create bottlenecks in small bandwidth pipes like T1s on the sender’s network.
• Ping of Death – Will cause the device under attack to crash when attempting to reassemble the oversized payload

Page 12: AT-8500 L2+ Switches and Network Security

Sample DOS Attack

(Diagram: an infected host on 192.168.0.0/24 sends “ping 255.255.255.255” with spoofed SRC IP 63.25.21.5; attack types shown: SYN-Flood, SMURF, UDP FLOOD; numbered steps 1 to 4)
• Source IP filter will prevent the spoofed ping packet
• Echo replies will congest uplinks due to amplification

Page 13: AT-8500 L2+ Switches and Network Security

How to implement a Security Policy

• Security Policy
  – Determine a level of security that is acceptable to protect the network while still providing a level of acceptable service to users
  – Documentation and communication of written policies and procedures to direct and inform users of acceptable usage and security practices
  – Technology that enforces that level of security
• Tools that help administrators implement effective security policies for management and access:
  – SSH & SSL: Secure remote management of the switch. Encrypts the management session so that important information cannot be snooped
  – Radius & TACACS+ Authentication: Provides user level Authentication and Accounting function
  – 802.1x: Limit access to who can and cannot enter the network
  – Port Security: Restrictions on MAC addresses learned per port
  – L2-4 ACLs: Enables Network Administrators to implement access lists to limit access to the switch, usage, or any definable L2-4 criteria
  – Logging: Logs events and traps to systems or remotely via syslog
  – Management Access Control: Controls and limits management access to the switch via IP addresses

Page 14: AT-8500 L2+ Switches and Network Security

AT-8500 QOS

• End-to-End QOS Domain: QOS enables you to prioritize traffic, reducing latency and jitter
• Two important functions exist in a QOS system
  – Classify Traffic
  – Perform Action
• AT-8500 QOS
  – Classify traffic according to: Flows (SA/DA and port numbers), Addresses (SRC/DEST IP Address, subnets), Protocols (TCP, UDP, HTTP, FTP, etc), VLANs
  – Ingress: perform the following actions: Tag Packet, Drop Traffic, Rate Limit
  – Egress: AT-8500 supports 4 priority queues and 2 scheduling mechanisms to queue traffic: WRR and Strict

Page 15: AT-8500 L2+ Switches and Network Security

AT-8500 QOS

• AT-8500 QOS capabilities mark 802.1p priorities
  – Based on broad classified traffic filters; 802.1p priorities can be set for all 8 levels (but only 4 queues)
  – Finer classification and definition of prioritized traffic: mark the IP TOS field
  – Important to provide End-to-End QOS over a layer 3 network
  – Can perform actions based on either field and translate from 802.1p to IP TOS and vice versa
• Strict and WRR policies allow more flexibility in scheduling
  – Strict scheduling could be used for critical traffic such as network control traffic, and to de-prioritize ICMP and other non-critical network traffic
  – WRR allows the network administrator to weight each of the 4 queues
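The two slides above describe classification, 802.1p/TOS translation and the two egress schedulers in words. The following Python model is an added illustration, not Allied Telesyn code: the 8-to-4 priority-to-queue table, the weights and the sample frames are assumed for the example, and it shows why strict scheduling starves de-prioritized ICMP while WRR still gives it a weighted share.

```python
from collections import deque

# 802.1p carries 8 priority levels but the switch has only 4 egress queues, so two
# levels share a queue; this mapping is an assumed example, not the AT-8500's own table.
P8021P_TO_QUEUE = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}

def tos_to_8021p(tos_byte):
    """Translate the 3-bit IP precedence (top of the TOS byte) to an 802.1p priority."""
    return (tos_byte >> 5) & 0x7

def p8021p_to_tos(prio):
    """Reverse translation: place an 802.1p priority into the IP precedence bits."""
    return (prio & 0x7) << 5

def build_queues(frames):
    """frames: iterable of (label, 802.1p priority); returns the 4 egress queues."""
    queues = [deque() for _ in range(4)]
    for label, prio in frames:
        queues[P8021P_TO_QUEUE[prio]].append(label)
    return queues

def strict_schedule(frames, slots):
    """Strict priority: every transmit slot goes to the highest non-empty queue."""
    queues, out = build_queues(frames), []
    for _ in range(slots):
        for q in (3, 2, 1, 0):
            if queues[q]:
                out.append(queues[q].popleft())
                break
    return out

def wrr_schedule(frames, weights, slots):
    """Weighted round robin: per round, queue q may send up to weights[q] frames,
    so even the lowest queue keeps a share of the link instead of starving."""
    queues, out = build_queues(frames), []
    while len(out) < slots and any(queues):
        for q in (3, 2, 1, 0):
            for _ in range(weights[q]):
                if queues[q] and len(out) < slots:
                    out.append(queues[q].popleft())
    return out

# Constructed sample: network control (prio 7), VoIP (prio 5) and a burst of ICMP (prio 0).
SAMPLE = [("ctrl", 7)] * 4 + [("voip", 5)] * 4 + [("icmp", 0)] * 4
```

With 8 transmit slots, `strict_schedule(SAMPLE, 8)` never sends an ICMP frame, whereas `wrr_schedule(SAMPLE, (1, 2, 3, 4), 8)` sends one after the control and VoIP frames.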

Page 16: AT-8500 L2+ Switches and Network Security

MSTP

• Multiple Spanning Tree Protocol
• Effective feature for large switch environments utilizing complex or numerous VLAN configurations
• Much easier to manage such an environment using MSTP than STP or RSTP
  – Utilize 802.1q tagged ports efficiently throughout your network backbone
• Supports multiple instances of Spanning Tree in a bridged domain
• Features rapid convergence like RSTP
• Provides flexibility to deploy VLANs where needed, and at the same time provide L2 redundancy via back up links.
  – Configure 802.1p ports with pertinent and not all VLANs
  – Isolate VLANs to certain areas of the network and not over all switches

Page 17: AT-8500 L2+ Switches and Network Security

MSTP Example Configuration

(Diagram: with STP/RSTP, VLAN 1, 2, 3 share a single spanning tree; with MSTP, VLAN 1 maps to MSTI 1, VLAN 2 to MSTI 2 and VLAN 3 to MSTI 3; legend: Forwarding / Blocked)

Page 18: AT-8500 L2+ Switches and Network Security

IEEE 802.1s (Multiple Spanning Tree)

• Old Spanning Tree 802.1D – STP
  – Allow all or block all VLANs coming from a port
  – Slow convergence
• 802.1w – RSTP
  – Allow all or block all VLANs coming from a port
• Non standards-based PVST
  – Consumes too much CPU time and network bandwidth (with control traffic)
• 802.1s advantages: eliminates all limitations mentioned above

Page 19: AT-8500 L2+ Switches and Network Security

Summary

Main Points
• Security, Security, Security
  – Help make your clients understand the importance of security policies, and how the AT-8500 can help enforce effective security policies at the edge.
  – Check appendix for links on informative sites
• AT-8500 Layer 2+ with Layer 2-4 awareness
  – Allow more effective security policies at the edge
  – End-to-End QOS
• DOS Attack prevention
  – Protect against 6 common DOS style attacks
  – Useful features to implement effective security policies
• MSTP – More flexibility for large enterprises or layer 2 networks

Page 20: AT-8500 L2+ Switches and Network Security

8500 Competitive overview

• HP ProCurve 2626, 2626PWR and 2650
• Cisco Catalyst 2950 24/48 ports
• 3Com SuperStack 4400 24/48 ports and PWR
• D-Link DES3526, 3550

Page 21: AT-8500 L2+ Switches and Network Security

Selling Against

HP ProCurve 2600 Models:
• 2626: 24p 10/100 + 2 SFP or 2 GIG
• 2626-PWR: 24p 10/100 POE + 2 SFP or 2 GIG
• 2650: 48p 10/100 + 2 SFP or 2 GIG

Their Deficiencies Compared to Allied Telesyn
• HP overview: Not an “End-to-End” networking company
• HP ProCurve: L2 switch with IP “static routing”
  – No advanced L2+ features
  – No DOS Attack protection and ACL
  – No revenue generating service feature (Ingress Rate Limiting)
• Limited model selection:
  – No model with Base FX port
  – No model with modular uplink slot
  – No DC model
  – RPS for PWR models only

Page 22: AT-8500 L2+ Switches and Network Security

Selling Against

Cisco Catalyst 2950 Models:
• 2950-24-SI: 24p 10/100
• 2950SX-24-SI: 24p 10/100 + 2 fixed 1000BaseSX
• 2950SX-48-SI: 48p 10/100 + 2 fixed 1000BaseSX

Their Deficiencies Compared to Allied Telesyn
• Cisco Overview: Premium pricing both for Standard and Enhanced Image
• Cisco Catalyst 2950: The most expensive switch in its class
  – No DOS Attack protection and ACL
  – Only 64 VLANs supported
  – No WRR
  – No 802.1s, no 802.1w
• Limited model selection:
  – No model with Base FX port
  – No model with modular uplink slot
  – DC model is offered only on one model with 24 Base-TX ports
  – No POE version
• Blocking Architecture: Cat 2950 is based on Broadcom 5615 – each chip supports 24 TX ports + 1 GIG uplink channel. 8500 is based on Broadcom 5645 – non-blocking architecture; each chip supports 24 TX ports + 2.5 GIG uplink channel

Page 23: AT-8500 L2+ Switches and Network Security

Selling Against

3Com Models:
• 4400SE-24: entry level L2 only 24p 10/100 with 2 modules
• 4400-24: L2/L4 24p 10/100 with 2 modules
• 4400FX-24: L2/L4 24p 100FX with 2 modules
• 4400-PWR: L2/L4 24p POE 10/100 with 2 modules
• 4400-48: L2/L4 48p 10/100 with 2 modules

Their Deficiencies Compared to Allied Telesyn
• 3Com overview: Focused on business consolidation and not on product creation; revenue dropping
• 3Com SuperStack: Expensive stacking support
  – Requires optional stacking module and cable for each switch (list price: $450)
  – Limited to 192 ports per stack
• No DOS Attack protection and ACL
• Limited feature sets
  – No 802.1s (multiple Spanning Tree)
• No Revenue-Generating Service Features
  – No Ingress Rate Limiting
• Limited model selection:
  – No DC model
  – No pluggable optic support (GBIC or SFP)

Page 24: AT-8500 L2+ Switches and Network Security

Selling Against

D-Link Models:
• 3526: 24p 10/100 with 2 combo GIG copper/SFP
• 3526DC: 24p 10/100 DC with 2 combo GIG copper/SFP
• 3550: 50p 10/100 with 2 combo GIG copper/SFP

Their Deficiencies Compared to Allied Telesyn
• D-Link overview: Traditionally more a SOHO, SMB manufacturer
• D-Link 3500:
  – No DOS Attack protection
  – No Revenue Generating Service Features: no ingress Rate Limiting
• Limited model selection:
  – No POE version
  – No model with base FX port

Page 25: AT-8500 L2+ Switches and Network Security

Summary

ATI AT-8500
- Category: L2-4 Aware with DoS-Attack Protection
- Comparable models: 8524M and 8550GB/SP - 24 or 48TX + 2 exp slots - Standard s/w
- S/W comments: Only 1 s/w option available; expansion modules are needed

Cisco Catalyst 2950
- Category: L2-4 Aware
- Comparable models: 2950SX-24-SI and 2950SX-48-SI - 24 or 48TX + 2 SX slots - Standard image
- S/W comments: 2 s/w options available (SI & EI); SI (standard image) is comparable to S62; expansion modules not needed

3Com III 4400
- Category: L2-4 Aware
- Comparable models: 4400 with 24 or 48 ports - 24 or 48TX + 2 exp slots - Standard s/w
- S/W comments: 2 s/w options available (standard & SE); standard s/w is comparable to S62; 4400SE has fewer features than S62; expansion modules needed

DLink 3500
- Category: L2-4 Aware
- Comparable models: 3500 with 24 or 48 ports - 24 or 48TX + 2 SX slots or 2 1000T - Standard s/w
- S/W comments: Only 1 s/w option available; expansion modules are not needed

HP ProCurve 2600
- Category: L2+ but no DoS attack protection, no ACL, no rate limiting, but static routing
- Comparable models: 2626 and 2650 - 24TX or 48TX + 2 SX slots or 2 1000T - Standard s/w
- S/W comments: Only 1 s/w option available; expansion modules are not needed

Page 26: AT-8500 L2+ Switches and Network Security

Q & A

Page 27: AT-8500 L2+ Switches and Network Security

Appendix A1 - ACL Parameters

<protocol>: layer 3 protocol in frame header or layer 4 protocol in IP header
<ip> <wildcard>: specifies a network address; “any” can replace any <ip> <wildcard>
<precedence>: precedence field in IP header
<tos>: Type of Service field in IP header
<icmp-type>: for an ICMP message
<icmp-code>: for an ICMP code
<icmp-message>: for combined ICMP message and code
<igmp-type>: for an IGMP message
eq <port>: destination port number in TCP/UDP header
eq <protocol>: ACL applicable to an application protocol allowed
no-<protocol>: no application protocol allowed
<time-range-id>: ACL is only effective in the specified time range

Page 28: AT-8500 L2+ Switches and Network Security

Appendix B1 - DoS Attacks

SYN-Flood Attack
Definition:
– A DOS attack which attempts to overwhelm a system’s resources by tying up memory, by initiating half-open connections, therefore denying connections to legitimate traffic.
Impact:
– Two ways: the target machine will suffer performance and may not be able to service real connections, resulting in perceived downtime. The sending machine will forward thousands of packets per second, impacting machine performance and possibly network performance.
Solutions:
– These attacks use spoofed addresses; restrict the use of spoofed addresses originating from switch ports. Set a threshold for the number of SYN packets received in a specified amount of time. A violation will cause a trap and port connections to be throttled.

Page 29: AT-8500 L2+ Switches and Network Security

Appendix B2 - DoS Attacks

SMURF Attack
Description:
– Sending spoofed packets to an IP broadcast address with an attempt to overwhelm the device whose address is being spoofed
Impact:
– Receiver: attack will degrade network performance. Sender: may create bottlenecks in small bandwidth pipes like T1s on the sender’s network.
Solution:
– Disable ICMP directed broadcasts on the network.
– Senders’ networks should not allow packets with a spoofed address in the SA to leave the network.

Page 30: AT-8500 L2+ Switches and Network Security

Appendix B3 - DoS Attacks

Ping of Death
Description:
– Attempts to destabilize a network device by sending an ICMP Echo request with an oversized payload that has to be fragmented
Impact:
– Will cause the device under attack to crash when attempting to reassemble the oversized payload
Solution:
– Sampling technique to sample streams of fragmented packets and make sure they do not violate IP payload sizes.

Page 31: AT-8500 L2+ Switches and Network Security

Appendix B4 - DoS Attacks

Teardrop
Description:
– Attack capitalizes on vulnerable TCP/IP stack implementations that cannot handle overlapping IP fragments
Impact:
– Target machine crashes
Solution:
– Sampling algorithm that checks IP fragmented packets for overlapping

Page 32: AT-8500 L2+ Switches and Network Security

Appendix B5 - DoS Attacks

LAND Attack
Description:
– Targets implementations of TCP/IP that are vulnerable to packets using the same IP SA/DA addresses
Impact:
– Target machine will crash or hang.
Solution:
– Filter all outgoing packets that have a source address from a different network, and incoming packets that have a local source address

Page 33: AT-8500 L2+ Switches and Network Security

Appendix B6 - DoS Attacks

IP Options Attack
Description:
– This attack attempts to overwhelm the CPU with exceptions, by sending packets with bad IP options.
Impact:
– This attack will cause the target machine to crash
Solution:
– Set a threshold for the number of packets with IP options, and after the rate of such packets crosses that threshold, alert the administrator.
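The six attack entries above (and the list on the "6 Most Common DOS Attacks" slide) each state a detection rule: same SA/DA for LAND, echo requests to a broadcast for SMURF, reassembly past the legal IP size for Ping of Death, overlapping fragments for Teardrop, and per-port rate thresholds for SYN-Flood and IP Options, plus the ingress anti-spoofing filter from the Sample DOS Attack slide. The following Python detector is an added illustration of those rules, not Allied Telesyn code: the `Pkt` view, the thresholds and the constructed sample traffic are assumptions, and the switch's real chip-set logic is not documented on these slides.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
IP_MAX_PAYLOAD = 65535 - 20  # largest legal IPv4 payload (total length minus base header)

@dataclass
class Pkt:
    """Constructed, minimal view of one packet arriving on an edge port (not a real parser)."""
    port: int                 # ingress switch port
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    ts: float                 # arrival time in seconds
    syn: bool = False         # TCP SYN with ACK clear, i.e. a new half-open connection
    ip_options: bool = False  # IP header carries options
    icmp_echo: bool = False   # ICMP echo request
    frag_id: int = 0          # IP identification field shared by fragments of one datagram
    frag_off: int = 0         # fragment offset in bytes
    frag_len: int = 0         # payload bytes in this fragment (0 = not fragmented)

class DosDetector:
    """Per-packet checks for the deck's six attacks plus ingress anti-spoofing;
    the thresholds are assumed defaults, not values taken from the AT-8500."""
    def __init__(self, local_net, broadcast, syn_limit=100, opt_limit=20, window=1.0):
        self.local_net = ip_network(local_net)  # only these sources may enter on edge ports
        self.broadcast = set(broadcast)         # directed-broadcast addresses (SMURF targets)
        self.syn_limit, self.opt_limit, self.window = syn_limit, opt_limit, window
        self.seen = defaultdict(deque)          # (counter, port) -> arrival times in window
        self.frags = defaultdict(list)          # (src, dst, id) -> [(start, end)] byte ranges

    def _rate_exceeded(self, counter, port, ts, limit):
        q = self.seen[(counter, port)]
        q.append(ts)
        while ts - q[0] > self.window:          # expire timestamps older than the window
            q.popleft()
        return len(q) > limit

    def inspect(self, p):
        """Return the attack names this packet matches; an empty list means it passed."""
        hits = []
        if ip_address(p.src) not in self.local_net:   # spoofed source leaving an edge port
            hits.append("SPOOFED_SRC")
        if p.src == p.dst:                            # LAND: identical SA and DA
            hits.append("LAND")
        if p.proto == "icmp" and p.icmp_echo and p.dst in self.broadcast:
            hits.append("SMURF")                      # echo request aimed at a broadcast
        if p.frag_len:
            start, end = p.frag_off, p.frag_off + p.frag_len
            if end > IP_MAX_PAYLOAD:                  # reassembly would exceed the legal size
                hits.append("PING_OF_DEATH")
            ranges = self.frags[(p.src, p.dst, p.frag_id)]
            if any(start < e and s < end for s, e in ranges):
                hits.append("TEARDROP")               # overlaps a fragment seen earlier
            ranges.append((start, end))
        if p.proto == "tcp" and p.syn and self._rate_exceeded("syn", p.port, p.ts, self.syn_limit):
            hits.append("SYN_FLOOD")                  # too many SYNs on one port per window
        if p.ip_options and self._rate_exceeded("opt", p.port, p.ts, self.opt_limit):
            hits.append("IP_OPTIONS")                 # burst of packets carrying IP options
        return hits
```

The Teardrop check also fires on an exact retransmission of a fragment, so on a real link the action for that hit should be logging or rate limiting rather than an unconditional drop.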
