Extreme Networks 15101 User Authentication and Host Integrity Checking, MAC Security, IP Security

Models: 15101

User Authentication and Host Integrity Checking

Extreme Networks Data Sheet

Comprehensive Security

Implementing a secure network means providing protection at the network perimeter as well as the core. Working together with the Sentriant® family of products from Extreme Networks, the Summit X250e series uses advanced security functions to help protect your network from known or potential threats. Security offerings from Extreme Networks encompass three key areas: user and host integrity, threat detection and response, and hardened network infrastructure.

User Authentication and Host Integrity Checking

Network Login and Dynamic Security Profile

Network Login capability enforces user admission and usage policies. Summit X250e series switches support a comprehensive range of Network Login options by providing an 802.1x agent-based approach, a Web-based (agent-less) login capability for guests, and a MAC-based authentication model for devices. With these modes of Network Login, only authorized users and devices are permitted to connect to the network, and each is assigned to the appropriate VLAN. The Universal Port scripting framework lets you implement Dynamic Security Profiles which, in sync with Network Login, allow you to implement fine-grained and robust security policies. Upon authentication, the switch can load dynamic ACL/QoS for a user or group of users to deny or allow access to application servers or segments within the network.

Multiple Supplicant Support

Shared ports represent a potential vulnerability in a network. Multiple supplicant capability on a switch allows it to uniquely authenticate and apply the appropriate policies and VLANs for each user or device on a shared port.

Multiple supplicant support helps secure IP Telephony and wireless access. Converged network designs often involve the use of shared ports (see Figure 4).

MAC Security

MAC security allows the lockdown of a port to a given MAC address and limits the number of MAC addresses on a port. This can be used to dedicate ports to specific hosts or devices such as VoIP phones or printers and to avoid abuse of the port, a capability that is particularly useful in environments such as hotels. In addition, an aging timer can be configured for the MAC lockdown, protecting the network from the effects of attacks using (often rapidly) changing MAC addresses.
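As an added illustration (not ExtremeXOS code), the following Python model shows how a per-port MAC limit with lockdown behaves with and without an aging timer on a port limited to two addresses; the timer semantics, the address limit and the traffic are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortMacSecurity:
    """MAC lockdown with a per-port address limit and an optional aging timer.
    Model of the behaviour described under MAC Security; the timer semantics are an
    assumption of this example, not the switch's documented implementation."""
    max_macs: int                           # addresses the port may learn
    aging_seconds: Optional[float]          # None = locked entries never age out
    learned: Dict[str, float] = field(default_factory=dict)  # mac -> last seen

    def _age_out(self, now: float) -> None:
        if self.aging_seconds is None:
            return
        for mac in [m for m, t in self.learned.items() if now - t > self.aging_seconds]:
            del self.learned[mac]

    def frame(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'drop' for a frame from src_mac seen at time now."""
        self._age_out(now)
        if src_mac in self.learned:
            self.learned[src_mac] = now
            return "forward"
        if len(self.learned) >= self.max_macs:
            return "drop"        # limit reached: port stays locked to known addresses
        self.learned[src_mac] = now
        return "forward"


def simulate(aging_seconds: Optional[float]) -> Tuple[int, int]:
    """Constructed scenario on a port limited to two addresses: a source cycles
    through a new MAC every second for 10 s, then a legitimate phone is connected
    at t=40 s and sends five frames. Returns (rogue_forwarded, phone_forwarded)."""
    port = PortMacSecurity(max_macs=2, aging_seconds=aging_seconds)
    rogue = sum(port.frame(f"02:00:00:00:00:{i:02x}", now=float(i)) == "forward"
                for i in range(10))
    phone = sum(port.frame("00:11:22:33:44:55", now=40.0 + i) == "forward"
                for i in range(5))
    return rogue, phone


if __name__ == "__main__":
    print("no aging:", simulate(None))     # rogue holds both slots; phone is locked out
    print("30 s aging:", simulate(30.0))   # stale rogue entries expire; phone is admitted
```

Without aging, the two addresses the rogue source learned first hold the port permanently and the legitimate phone connected later is locked out; with a 30 s timer those stale entries expire and the phone is admitted.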

IP Security

The ExtremeXOS IP security framework helps protect the network infrastructure, network services such as DHCP and DNS, and host computers from spoofing and man-in-the-middle attacks. It also helps protect the network from statically configured and/or spoofed IP addresses and builds an external trusted database of MAC/IP/port bindings, so you know where the traffic from a specific address comes from and can respond immediately.

Identity Management

Identity Management allows customers to track users who access their network. User identity is captured based on NetLogin authentication, LLDP discovery and Kerberos snooping. ExtremeXOS then uses this information to report the MAC, VLAN, computer hostname, and port location of the user.

Host Integrity Checking

Host integrity checking helps keep infected or non-compliant machines off the network. Summit X250e series switches support a host integrity (endpoint integrity) solution based on the model from the Trusted Computing Group. The Summit X250e interfaces with the Sentriant AG200 endpoint security appliance from Extreme Networks to verify that each endpoint meets the security policies that have been set, and quarantines those that are not in compliance.

Network Intrusion Detection and Response

Hardware-Based sFlow Sampling

sFlow is a sampling technology that provides the ability to continuously monitor application-level traffic flows on all interfaces simultaneously. The sFlow agent is a software process that runs on the Summit X250e and packages data into sFlow datagrams that are sent over the network to an sFlow collector. The collector gives an up-to-the-minute view of traffic across the entire network, providing the ability to troubleshoot network problems, control congestion and detect network security threats.

Port Mirroring

For threat detection and prevention, Summit X250e supports many-to-one and one-to-many port mirroring. This allows the mirroring of traffic to an external network appliance such as an intrusion detection device for trend analysis or for utilization by a network administrator for diagnostic purposes. Port Mirroring can also be enabled across switches in a stack.

Line-Rate ACLs

ACLs are one of the most powerful components used in controlling network resource utilization as well as protecting the network. Summit X250e supports 1,024 centralized ACLs per 24-port block based on Layer 2, 3 or 4 header information such as the MAC, IPv4 and IPv6 address or TCP/UDP port.

[Figure 4: Multiple Supplicant Support. Summit X250e offers multiple supplicant support, which helps provide per-MAC based authentication with dynamic VLAN allocation; the figure labels VLAN Green, VLAN Orange, VLAN Purple and Rogue Clients.]

Denial of Service Protection

Summit X250e can effectively handle DoS attacks. If the switch detects an unusually large number of packets in the CPU input queue, it will assemble ACLs that automatically stop these packets from reaching the CPU. After a period of time, these ACLs are removed, and reinstalled if the attack continues. ASIC-based LPM routing eliminates the need for control plane software to learn new flows, allowing more network resilience against DoS attacks.
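As an added illustration (not switch code), the following Python model replays the sequence described above on constructed traffic: a threshold on CPU-bound packets, an automatically installed deny ACL, its removal after a hold time, and reinstallation if the flood persists. Per-source counting, the threshold and the timer values are assumptions of this example.

```python
from collections import Counter
from typing import Dict, List, Tuple


class CpuQueueGuard:
    """Model of the CPU-queue protection described above: count packets punted to
    the CPU per source in a window, install a deny ACL for a source that exceeds
    the threshold, drop that ACL after hold_ms, and reinstall it if the flood goes
    on. Per-source counting and the timer values are assumptions of this example."""

    def __init__(self, threshold: int, window_ms: int, hold_ms: int):
        self.threshold, self.window_ms, self.hold_ms = threshold, window_ms, hold_ms
        self.counts: Counter = Counter()          # src -> packets in current window
        self.window_start = 0
        self.acls: Dict[str, int] = {}            # src -> expiry time (ms) of auto-ACL
        self.events: List[Tuple[str, str, int]] = []

    def packet(self, src: str, now: int) -> str:
        """Return 'cpu' if the packet reaches the CPU, 'dropped' if an auto-ACL stops it."""
        for s in [s for s, exp in self.acls.items() if now >= exp]:
            del self.acls[s]                      # hold time over: ACL removed
            self.counts.pop(s, None)              # re-evaluate the source from zero
            self.events.append(("acl-removed", s, now))
        if now - self.window_start >= self.window_ms:
            self.counts.clear()
            self.window_start = now
        if src in self.acls:
            return "dropped"
        self.counts[src] += 1
        if self.counts[src] > self.threshold:     # reinstalled if the attack continues
            self.acls[src] = now + self.hold_ms
            self.events.append(("acl-installed", src, now))
            return "dropped"
        return "cpu"


def simulate() -> Tuple[int, int, int]:
    """Constructed traffic: one source sends 100 packets/s to the CPU for 4 s while a
    normal host sends one control packet every 500 ms. Returns (ACL installs,
    flood packets that reached the CPU, normal packets that reached the CPU)."""
    guard = CpuQueueGuard(threshold=20, window_ms=1000, hold_ms=2000)
    traffic = [(k * 10, "10.0.0.66") for k in range(400)]          # flooding source
    traffic += [(250 + 500 * j, "10.0.0.10") for j in range(8)]    # normal host
    reached: Counter = Counter()
    for now, src in sorted(traffic):
        if guard.packet(src, now) == "cpu":
            reached[src] += 1
    installs = sum(1 for e in guard.events if e[0] == "acl-installed")
    return installs, reached["10.0.0.66"], reached["10.0.0.10"]
```

In the constructed run the flood triggers an ACL at 200 ms, the ACL expires at 2.2 s and is reinstalled 200 ms later because the flood is still running, while every packet from the normal host reaches the CPU.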

Secure Management

To prevent management data from being intercepted or altered by unauthorized access, Summit X250e supports SSH2, SCP and SNMPv3 protocols. The MD5 hash algorithm used in authentication prevents attackers from tampering with valid data during routing sessions.

© 2010 Extreme Networks, Inc. All rights reserved.

Summit X250e Series—Page 4
