Allied Telesis Layer 3 Switches manual Protecting against worms

Page 25

Protecting the user

• How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability without NAT-T support

• How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability with NAT-T support

• How To Configure IPsec VPN Between Microsoft ISA Server 2004 and an Allied Telesyn Router Client

• How To Create a VPN between an Allied Telesis and a SonicWALL router, with NAT-T

• How To Create a VPN between an Allied Telesis and a NetScreen router

• How To Troubleshoot A Virtual Private Network (VPN)

Protecting against worms

In the recent history of the Internet, the danger has shifted from viruses to worms. Viruses need humans to transfer them from system to system, for example, by downloading a program. Worms transfer themselves from system to system without human interaction. The most successful worms exploit Microsoft Windows vulnerabilities because of the prevalence of these operating systems. Commonly, a worm causes the same kind of damage to a system as a virus.

Worms and viruses generally exploit flaws in PC operating systems. There are no known worms that affect AlliedWare. In fact, you can configure Allied Telesis switches to protect the PCs and servers on your network from worm attacks that originate both inside and outside the network.

In an Allied Telesis switched network (where no hubs exist), the switches can forward or drop every packet on the basis of specific criteria. You can employ this packet inspection at no cost to network performance. Therefore, you can configure an Allied Telesis switch to check for packets that appear to exploit a TCP or UDP port that a known worm attacks.

An example of a worm that exploits a port-based vulnerability is the W32.Slammer worm. This worm caused significant denial of service problems several years ago. It propagates via UDP port 1434, the port used by SQL Server traffic. All network administrators should have patched their SQL Server 2000 systems against this worm by now, but it serves as a convenient example.

Blocking worms through classifier-based filters

On Rapier, Rapier i, AT-8800, AT-8700XL and AT-8600 Series switches, use classifier-based hardware filters to block traffic from a worm.

Configuration

1. Find out which UDP or TCP port the worm attacks.

2. Create a classifier to match traffic arriving at a target switch port, using that UDP or TCP port.

   Target switch ports must not be attached to clients who legitimately need to access the UDP or TCP port.

3. Create a filter that uses the classifier and discards matching traffic.
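The three steps carried through for the Slammer example from the text, as an added configuration example rather than the manual's own: it uses the AlliedWare classifier and hardware-filter commands (create classifier, add switch hwfilter) and assumes classifier id 100, switch port 5 as the target port, and UDP destination port 1434 from the text. The parameter names (ipprotocol, udpdport, ingressport) and the show commands are taken from the AlliedWare command set as the editor knows it; confirm them against the Software Reference for your switch and release before use.

```text
# Step 1: W32.Slammer propagates on UDP destination port 1434 (see the text above).
# Step 2: classifier 100 matches UDP packets to port 1434 that arrive on switch port 5.
#         Classifier id and port number are assumptions for this example; the target
#         port must carry no client that legitimately needs SQL Server on UDP 1434.
create classifier=100 ipprotocol=udp udpdport=1434 ingressport=5
# Step 3: a hardware filter discards every packet the classifier matches, at wire speed.
add switch hwfilter classifier=100 action=discard
# Confirm the classifier and filter were created as intended.
show classifier
show switch hwfilter
```

Repeat the classifier and filter pair with a different classifier id for each additional target port (or give ingressport a port range where your release accepts one). Blocking a TCP-borne worm is the same procedure with tcpdport in place of udpdport and ipprotocol=tcp. Because the filter is applied in hardware, it does not slow the switch, so there is no performance reason to remove it after the network has been patched.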

Products

AT-8600 Series

AT-8700XL Series

Rapier i Series

Rapier Series

AT-8800 Series

Software Versions

All

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
