Business Solution Seminar 2008 xStack: Multiply Your Potential October – November 2008 D-Link Indonesia
Agenda • Challenges for Your Network • D-Link Solutions • Success Cases • Why D-Link
Challenges for Your Network • Availability - Slow, unstable • Security - Virus infection, worm outbreak, intrusion, Trojan, hackers • Manageability - Ease of management, multi-vendor boxes • Performance - Upgrade, service classification, QoS, device efficiency
Security Breaches in Today's Network (campus network diagram: data center and core switches). IP and MAC address management is hard to realize! Threats shown: man-in-the-middle attack, rogue DHCP server, ARP spoofing attack, loop connection.
Security Breaches in Today's Network (enterprise network diagram). Threats shown: attack and intrusion, rogue DHCP server, worm outbreak, unauthorized access.
D-Link Solutions • Integrated Security - E2ES (End-to-End Security) • High Availability - From H/W to S/W, robust L2 to L3 design • QoS - Comprehensive traffic classification & prioritization • Manageability - Solutions designed for SMB & big enterprise/campus networks • Green Ethernet - Reduce IT costs and minimize the environmental impact • Affordability - Pay as your company grows
E2ES - End-to-End Security Solution (enterprise network diagram) • Joint Security • Gateway Security • Endpoint Security
E2ES • D-Link's End-to-End Security (E2ES) Solutions • D-Link develops comprehensive security solutions aimed at providing end-to-end threat containment and protection, consisting of the following three components: • Gateway Security - D-Link IPS/UTM Firewall • Endpoint Security - Enhanced security features on xStack switches • Joint Security - Microsoft NAP and D-Link ZoneDefense
E2ES • Gateway Security Solution • NetDefend IPS/UTM Firewall Family • ICSA Labs certified • Integrated Firewall/VPN appliance with Outstanding Performance • Unified Threat Management: • Intrusion Prevention Service (IPS) • Anti-Virus (AV) Protection • Web Content Filtering (WCF) • Anti-Spam • Joint Security with xStack Switch via unique ZoneDefense technology
E2ES • Endpoint Security Solution - xStack Switch Endpoint Security. Numerous security features are added to the xStack switch to achieve threat control and containment, ensuring that malicious traffic is stopped at the edge of the network. Field proven by success in ETTH/FTTB, campus networks and enterprise markets.
E2ES • Endpoint Security Solution - 802.1x Authentication • Port-based 802.1x: once a port is authorized by one client, the other users connecting to the same port through a hub or switch can also pass through the switch. • MAC-based 802.1x: 1. Once a port is authorized by a client, only that client can pass through the switch. 2. The switch not only checks the username/password, but also checks whether the maximum number of allowed MAC addresses has been reached. If it has, new MAC addresses are denied.
Port-Based 802.1x Example (diagram): port-based 802.1x is enabled on ports 1-12 of a DES-3828; a Windows 2003 server (192.168.0.10) runs the RADIUS server service with the user table (User James, Password 123); clients James, Gary and Ryan, each using the WinXP built-in 802.1x client, sit behind an L2 switch/hub (192.168.0.100) on port 1; James logs in with username James / password 123 and the switch reports "Username/Password Confirmed". • All of the clients connected to the L2 hub can pass through the switch (DES-3828) once one client (James) is authenticated.
MAC-Based 802.1x Example (diagram): MAC-based 802.1x is enabled on ports 1-12 of a DES-3828; a Windows 2003 server (192.168.0.10) runs the RADIUS server service with the user table (User James, Password 123, ...); clients James, Gary and Ryan, each using the WinXP built-in 802.1x client, sit behind an L2 switch/hub (192.168.0.100); the DES-3828 is only capable of learning up to 16 MAC addresses per port. • Each client needs to provide the correct username/password to pass authentication before it can access the network. • NOTICE: The L2 switch or hub must support 802.1x pass-through. Otherwise the 802.1x packet (destination MAC 0180c2000003, inside the IEEE reserved range 0180c2000001~0F) will be dropped by that switch and cannot reach the DES-3828.
E2ES • Endpoint Security Solution - MAC-Based Access Control Using the Switch's Local Database (diagram): a DI-804 acts as DHCP server and gateway to the Internet; MAC access control is enabled on the DES-3828 ports; clients behind an L2 switch or hub send ARP and DHCP packets; the switch local database holds a MAC list (Non-802.1x Client_1 00-0F-B0-97-E7-C6, Non-802.1x Client_2 00-15-F2-A9-0B-C2) and the switch reports either "Found matched MAC address" or "No such MAC address". • Ports with "MAC Access Control" enabled can authenticate up to 16 MAC address entries per physical port.
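The difference between the three endpoint access modes above (port-based 802.1x, MAC-based 802.1x, and MAC-based access control from the local database) is easiest to see in a small model. The following is an added example, not D-Link code: the class and function names are hypothetical, the RADIUS user table and local MAC list are constructed sample data, and only the 16-MAC-per-port limit comes from the slides.

```python
"""Added example, not D-Link code: a model of the three endpoint access modes
shown on the slides (port-based 802.1x, MAC-based 802.1x, MAC-based access
control from the switch's local database). Class and function names are
hypothetical; the credential table and MAC list are constructed sample data."""
from dataclasses import dataclass, field

MAX_MAC_PER_PORT = 16  # per-port learning limit quoted for the DES-3828

# Constructed stand-in for the RADIUS user table (username -> password).
RADIUS_USERS = {"James": "123", "Gary": "abc", "Ryan": "xyz"}

# Constructed switch local database for MAC-based access control.
LOCAL_MAC_DB = {"00-0F-B0-97-E7-C6", "00-15-F2-A9-0B-C2"}


@dataclass
class Port:
    mode: str                      # "port-based", "mac-based" or "mac-acl"
    authorized: bool = False       # port-based 802.1x: whole port opened
    authorized_macs: set = field(default_factory=set)  # mac-based 802.1x


def authenticate(port: Port, mac: str, username: str, password: str) -> bool:
    """Handle an 802.1x login from `mac` on `port`; True if access is granted."""
    if port.mode == "mac-acl":
        return False  # these ports do not run 802.1x at all
    if RADIUS_USERS.get(username) != password:
        return False  # RADIUS rejected the credentials
    if port.mode == "port-based":
        port.authorized = True  # one success opens the port for every MAC behind it
        return True
    # mac-based: admit this MAC only, and only while the per-port limit allows
    if mac not in port.authorized_macs and len(port.authorized_macs) >= MAX_MAC_PER_PORT:
        return False
    port.authorized_macs.add(mac)
    return True


def allow_frame(port: Port, mac: str) -> bool:
    """Forwarding decision for a data frame from `mac` arriving on `port`."""
    if port.mode == "port-based":
        return port.authorized
    if port.mode == "mac-based":
        return mac in port.authorized_macs
    if port.mode == "mac-acl":
        return mac in LOCAL_MAC_DB  # static list, also capped at 16 entries per port
    raise ValueError(f"unknown mode {port.mode}")


def demo() -> dict:
    """Replay the hub scenario from the slides in each mode."""
    james, gary = "00-C0-9F-86-C2-5C", "00-50-18-21-C0-E1"  # constructed MACs

    pb = Port("port-based")
    authenticate(pb, james, "James", "123")

    mb = Port("mac-based")
    authenticate(mb, james, "James", "123")
    for i in range(MAX_MAC_PER_PORT - 1):  # fill the port up to its limit
        authenticate(mb, f"02-00-00-00-00-{i:02X}", "Ryan", "xyz")
    seventeenth = authenticate(mb, "02-00-00-00-FF-FF", "Ryan", "xyz")

    acl = Port("mac-acl")
    return {
        "port_based_gary_without_login": allow_frame(pb, gary),    # True
        "mac_based_gary_without_login": allow_frame(mb, gary),     # False
        "mac_based_james": allow_frame(mb, james),                 # True
        "mac_based_17th_mac_admitted": seventeenth,                # False
        "acl_listed_mac": allow_frame(acl, "00-0F-B0-97-E7-C6"),   # True
        "acl_unlisted_mac": allow_frame(acl, "AA-BB-CC-DD-EE-FF"), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results are the security point of the slides: behind a hub, port-based mode lets Gary's frames through on the strength of James's login, while MAC-based mode holds each MAC to its own authentication and refuses a seventeenth MAC once the port limit is reached.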
E2ES • Endpoint Security Solution - Web-Based Authentication. Web-Based Authentication (WAC) is a feature designed to authenticate a user when the user tries to access the network via the switch. It is an alternative port-based access control method besides IEEE 802.1X. The authentication process uses the HTTP protocol. When a user tries to browse a web page (e.g., http://www.google.com) in a web browser (e.g., IE), and the switch detects HTTP packets on a port that is not yet authenticated, the browser pops up a username/password screen. If the user passes the authentication process, the port is authenticated and the user can access the network. Switch role: the switch can be the authentication server itself and authenticate against a local database, or act as a RADIUS client and perform the authentication with a remote RADIUS server.
Web-Based Authentication - Based on Local Database (diagram): a DI-624 (10.10.10.10) provides a DHCP IP pool of 10.10.10.50 – 10.10.10.100 and the connection to the Internet; web server IP 10.10.10.101; the address 10.10.10.1 is also shown; Client PC1, PC2 and PC3 at 10.10.10.11, 10.10.10.12 and 10.10.10.13. Configuration steps shown: 2. Authentication ports (ports 1-12) and which web page to redirect to; 3. Local database (create users, e.g. James / 123, Will / 456, ...). Ports 1-12 are configured as web-authentication enabled ports. Every PC connected to those ports needs to pass the username/password authentication; after that, it can access the network. The username/password/VLAN database is stored in the switch itself in this example, so no RADIUS server is needed. Note: In the current design, the maximum number of local database entries equals the number of switch ports. For example, the DES-3828 supports 28 entries (i.e., at most 28 local users).
E2ES • Endpoint Security Solution - D-Link IP-MAC-Port Binding (Address Binding) • IP-MAC-Port binding is an enhancement of IP-MAC binding. The enhanced feature decides which port(s) are allowed to receive packets according to the "IP-MAC" information. • All packets are dropped by the switch unless their MAC address, IP address and ingress port entirely match an entry in the address-binding list.
ARP and ACL mode of IP-MAC-Port binding. D-Link IP-MAC-Port binding has two modes, "ARP mode" and "ACL mode". • ARP Mode • The default setting is ARP mode. When you create an entry in the IP-MAC-Port binding table, the entry belongs to ARP mode. If a user creates an entry in ARP mode and only afterwards enables ACL mode, that existing entry is not added as an ACL rule. • ACL Mode • If a user enables ACL mode, the switch automatically creates an ACL rule that maps the IP-MAC-Port binding entry.
Example 1 – Prevent ARP Scan with ARP Mode (diagram): Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1, Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25, and a hacker PC on port 10 running an ARP scan. IP-MAC-Port binding table:
IP Address      MAC Address         Ports  Mode
192.168.0.10    00-15-F2-A9-0B-C2   1-10   ARP
• When the switch detects an ARP broadcast from port 10 that does not match any entry in the IP-MAC-Port binding list, the hacker PC is blocked.
ARP Poisoning (diagram: switch FDB table; PC1 with IP 192.168.0.100 and MAC 00-C0-9F-86-C2-5C on port 1; PC2 with IP 192.168.0.1 and MAC 00-50-18-21-C0-E1 on port 8; hacker PC with IP 192.168.0.2 and MAC AA-BB-CC-DD-EE-FF on port 24; the ARP tables of PC1 and PC2; an ARP request to FF:FF:FF:FF:FF:FF) • ARP has no authentication mechanism; therefore any ARP Reply packet received by a device forces it to update its ARP cache!! • The poison packet tells PC1 that it can find PC2 at the hacker MAC AA-BB-CC-DD-EE-FF. • At the same time, it also tells PC2 that it can find PC1 at the hacker MAC AA-BB-CC-DD-EE-FF. • At this point, the communication between PC1 and PC2 goes through the hacker PC instead of directly through the switch.
ARP Poisoning 2 (diagram: switch FDB table; PC1 with IP 192.168.0.10 and MAC 00-C0-9F-86-C2-5C on port 1; PC2 with IP 192.168.0.1 and MAC 00-50-18-21-C0-E1 on port 8; hacker PC with spoofed IP 192.168.0.2 and MAC AA-BB-CC-DD-EE-FF on port 24; the ARP tables of PC1 and PC2) • The traffic between PC1 and PC2 has been redirected to the hacker PC, which forwards the packets on to the correct destinations. • If the hacker PC did not re-route the packets, communication between PC1 and PC2 would be interrupted until they refresh their ARP tables. • If there is no traffic between the two PCs, their dynamic ARP entries are flushed after a timeout period. For this reason, the hacker PC must keep poisoning the two PCs at regular intervals.
Example 2 – Prevent the ARP Poison Attack (Man-in-the-Middle Attack) with ACL Mode (diagram): Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1, Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25, and a hacker PC on port 10; ARP packets pass between the hosts. IP-MAC-Port binding table:
IP Address      MAC Address         Ports  Mode
192.168.0.10    00-15-F2-A9-0B-C2   10     ARP
• The hacker PC keeps quiet and listens to the ARP packets coming from the other PCs in order to build its own ARP table of this subnet.
Example 2 – Prevent the ARP Poison Attack (Man-in-the-Middle Attack) with ACL Mode (diagram): Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1, Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25, and a hacker PC on port 10 sending ARP poisoning packets. IP-MAC-Port binding table:
IP Address      MAC Address         Ports  Mode
192.168.0.10    00-15-F2-A9-0B-C2   10     ACL
• After the hacker has obtained the IP/MAC information of Client A and Server B, it sends ARP poisoning packets to attack them. At the same time, the switch detects the hacker and blocks the hacker PC.
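The two binding modes and the two examples above (an ARP scan from an unbound host in ARP mode, and an ARP poison reply in ACL mode) can be replayed against a model of the binding check. The following is an added example, not D-Link code: the binding table and packet sequence are constructed from the Example 1 / Example 2 diagrams, and the way a host with no entry at all is treated (blocked on its port after its first bad ARP in ARP mode) is an assumption about the switch behaviour the slides only summarize.

```python
"""Added example, not D-Link code: a model of IP-MAC-Port binding in the two
modes the slides describe. ARP mode checks only ARP packets and blocks the
offending host on its port after a violation; ACL mode drops every packet whose
(IP, MAC, ingress port) triple is absent from the binding table. The handling
of hosts that have no entry at all is an assumption; the binding entries and
packets are constructed from the Example 1 / Example 2 diagrams."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    ports: frozenset          # ports on which this IP/MAC pair may appear


@dataclass(frozen=True)
class Packet:
    port: int                 # ingress port
    src_mac: str
    src_ip: str               # for ARP this is the sender protocol address
    proto: str                # "arp" or "ip"


def matches(table, pkt: Packet) -> bool:
    """True if an entry has exactly this IP and MAC and permits the ingress port."""
    return any(b.ip == pkt.src_ip
               and b.mac.upper() == pkt.src_mac.upper()
               and pkt.port in b.ports
               for b in table)


class BindingSwitch:
    def __init__(self, table, mode="ARP"):
        self.table, self.mode = table, mode
        self.blocked = set()  # (port, mac) pairs blocked after an ARP violation

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet."""
        if (pkt.port, pkt.src_mac) in self.blocked:
            return "drop"
        ok = matches(self.table, pkt)
        if self.mode == "ACL":
            return "forward" if ok else "drop"         # hardware ACL: all traffic
        if pkt.proto != "arp":
            return "forward"                           # ARP mode ignores non-ARP
        if not ok:
            self.blocked.add((pkt.port, pkt.src_mac))  # block the violating host
            return "drop"
        return "forward"


def demo() -> dict:
    # Binding table built from the diagram's Client A / Server B (constructed).
    table = [Binding("192.168.0.10", "00-C0-9F-86-C2-5C", frozenset({1})),
             Binding("192.168.0.11", "00-50-18-21-C0-E1", frozenset({25}))]
    hacker = "AA-BB-CC-DD-EE-FF"
    traffic = [
        Packet(1, "00-C0-9F-86-C2-5C", "192.168.0.10", "arp"),  # legitimate ARP
        Packet(10, hacker, "192.168.0.2", "ip"),                # hacker's plain IP
        Packet(10, hacker, "192.168.0.2", "arp"),               # ARP scan probe (Ex. 1)
        Packet(10, hacker, "192.168.0.11", "arp"),              # reply claiming Server B (Ex. 2)
        Packet(10, hacker, "192.168.0.2", "ip"),                # IP traffic after violation
    ]
    results = {}
    for mode in ("ARP", "ACL"):
        sw = BindingSwitch(table, mode)   # one switch per mode keeps its block list
        results[mode] = [sw.process(p) for p in traffic]
    return results


if __name__ == "__main__":
    for mode, decisions in demo().items():
        print(mode, decisions)
```

Note the second packet: in ARP mode the unbound host's ordinary IP traffic is forwarded until its first ARP violation, whereas ACL mode drops it from the start, which is the practical difference between the two modes and the reason the slides recommend ACL mode against the man-in-the-middle case.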
D-Link Safeguard Engine. Safeguard Engine™ is designed to enhance the robustness of the new switches and increases overall network serviceability, reliability and availability. The switch CPU is designed to handle control information such as STP, SNMP and web access. Some specific network packets are also forwarded to the CPU for processing, such as ARP broadcasts, unknown-destination unicast and IP broadcasts. CPU-bound traffic shown in the diagram: SNMP polling, Spanning Tree BPDU packets, IGMP snooping, web management access, ARP broadcast, unknown DST unicast, IP broadcast. But today's networks face blended threats such as viruses and worms, which usually generate unexpected bulk "CPU interested" traffic (such as ARP broadcasts) during an infection. As a result the CPU is overloaded and unable to respond to important tasks like management access, STP and SNMP polling. With D-Link Safeguard Engine, the switch identifies and prioritizes that "CPU interested" traffic, throttling the unwanted interruptions and protecting switch operation. Thus, with Safeguard Engine, D-Link switches show their robustness especially under virus infection or worm scanning.
Technology Brief • When CPU utilization exceeds the Rising Threshold, the switch enters Exhausted Mode and takes the following actions (refer to the next slide). • Conversely, when CPU utilization drops below the Falling Threshold, the switch leaves Exhausted Mode and ceases the Safeguard Engine function.
Technology Brief (Cont.) - Safeguard Engine Action (table of actions not recoverable from the slide)
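The Rising/Falling Threshold pair in the Technology Brief is a hysteresis loop, and the reason for two thresholds rather than one becomes visible when you run a CPU trace through it. The following is an added example, not D-Link code: the threshold values, the throttle rate, the traffic classes and the CPU trace are illustrative assumptions, not DES/DGS defaults, and `SafeguardEngine` is a hypothetical name.

```python
"""Added example, not D-Link code: the rising/falling CPU threshold behaviour
described in the Technology Brief, modelled as a small state machine with
hysteresis. Threshold values, the throttle rate and the traffic classes are
illustrative assumptions, not DES/DGS defaults."""

# Traffic punted to the switch CPU that an outbreak can inflate (from the slides).
THROTTLED = {"arp_broadcast", "unknown_dst_unicast", "ip_broadcast"}
# Control traffic the engine is meant to keep responsive (assumed exempt).
PROTECTED = {"stp_bpdu", "snmp", "web_mgmt", "igmp_snooping"}


class SafeguardEngine:
    def __init__(self, rising=80, falling=20, throttle_pps=100):
        self.rising = rising          # enter Exhausted Mode above this CPU %
        self.falling = falling        # leave Exhausted Mode below this CPU %
        self.throttle_pps = throttle_pps
        self.exhausted = False

    def update(self, cpu_percent: float) -> str:
        """Feed one CPU utilisation sample; return the mode now in effect."""
        if not self.exhausted and cpu_percent > self.rising:
            self.exhausted = True
        elif self.exhausted and cpu_percent < self.falling:
            self.exhausted = False
        # samples between the two thresholds keep the current mode (hysteresis)
        return "exhausted" if self.exhausted else "normal"

    def admit(self, kind: str, offered_pps: int) -> int:
        """Packets per second of `kind` that reach the CPU under the current mode."""
        if kind in PROTECTED:
            return offered_pps                      # never throttled
        if self.exhausted and kind in THROTTLED:
            return min(offered_pps, self.throttle_pps)
        return offered_pps


def run_trace(samples, **kwargs) -> list:
    """Mode after each CPU sample of a utilisation trace."""
    eng = SafeguardEngine(**kwargs)
    return [eng.update(c) for c in samples]


def demo() -> dict:
    # Constructed trace: a worm's ARP storm pushes CPU past 80%, then subsides.
    trace = [10, 50, 85, 60, 30, 15, 50]
    eng = SafeguardEngine()
    before = eng.admit("arp_broadcast", 5000)       # normal mode: nothing throttled
    for cpu in trace[:3]:
        eng.update(cpu)
    during_arp = eng.admit("arp_broadcast", 5000)   # exhausted: capped at 100
    during_bpdu = eng.admit("stp_bpdu", 50)         # exhausted: STP still served
    return {
        "modes": run_trace(trace),
        # same trace with a single threshold: released while CPU is still at 60%
        "single_threshold_modes": run_trace(trace, rising=80, falling=80),
        "arp_pps_normal": before,
        "arp_pps_exhausted": during_arp,
        "bpdu_pps_exhausted": during_bpdu,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With two thresholds the engine stays in Exhausted Mode through the 60% and 30% samples and only releases at 15%; with a single threshold it would release at 60% while the storm is still in progress and then flap as the CPU climbs again.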
Loopback Detection • LBD v4.0: • STP (Spanning Tree Protocol) independent • Flexible settings for loop prevention: • port-based or • VLAN-based (diagram: a loop on an unmanaged switch behind an xStack switch, alongside PCs, wireless guests, workstations, clients, servers, a NetDefend firewall, DHCP, applications, a kiosk, mobile users, telecommuters and partners on the unprotected WAN, with hackers and thieves outside)
E2ES • Joint Security Solution - What D-Link Joint Security Provides: an integrated total solution that provides access control and real-time defense. Microsoft NAP: evaluation of security compliance before permitting a connection; quarantine and remediation of non-compliant users; identity-based network admission control. D-Link ZoneDefense: any malicious traffic detected by the NetDefend firewall triggers the xStack switch to block it in real time. ZoneDefense technology makes the NetDefend firewall and the xStack switch work jointly as one big virtual firewall system: the NetDefend firewall is in charge of traffic inspection, and the xStack switch performs wire-speed filtering at port level.
E2ES • Joint Security Solution - NAP (diagram, updated 2008/May: client with 802.1x enforcement, wireless, DHCP enforcer, Microsoft Network Policy Server, System Health Server, remediation server, RADIUS, NetDefend firewall and xStack switch). Statement of health checked: EAP status, user name / password / token, and the host integrity rules with their status: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated. Compliant scenario: before connecting you must have a username/password or token; after login the system checks the compliance policy, and if the client is compliant it is allowed to connect to the network. Non-compliant scenario: if the client's patches are not updated, it can only reach the remediation server, health server and network policy server. Remediation scenario: the client obtains patches, virus patterns etc. to correct its health status. Guest access scenario: guests are assigned restrictive access rights to the network. E2ES • Joint Security Solution - ZoneDefense (diagram: NetDefend firewall, xStack switch, on-demand policy manager, DHCP, kiosk, applications, mobile users, telecommuters and partners, with hackers and thieves on unprotected networks): if any malicious attack happens, such as a worm, D-Link ZoneDefense technology lets the NetDefend firewall automatically notify the xStack switch to block the infected host. D-Link's Joint Security Solution enables the integration of network security and PC endpoint security.
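The four NAP scenarios on the slide (compliant, non-compliant, remediation, guest) plus the ZoneDefense block are an admission-decision rule set followed by a switch-side block list, which the following added example models. It is not D-Link or Microsoft code: the rule names follow the slide's host integrity list, while the zone names, the reachable-server sets, the alert call and all sample hosts are assumptions or constructed data.

```python
"""Added example, not D-Link or Microsoft code: the admission decision and the
firewall-to-switch block the Joint Security slides walk through. Rule names
follow the slide's host integrity list; zone names, the ZoneDefense call and
all sample hosts are assumptions/constructed data."""

HOST_INTEGRITY_RULES = ("antivirus_on", "antivirus_updated", "firewall_on",
                        "service_pack_updated", "patch_updated")

# What each zone may reach (constructed; mirrors the slide's four scenarios).
ZONE_ACCESS = {
    "full": {"network"},
    "remediation": {"remediation_server", "health_server", "network_policy_server"},
    "guest": {"restricted_guest_network"},
    "denied": set(),
}


def nap_decision(credentials_ok: bool, guest: bool, health: dict) -> tuple:
    """Return (zone, failed_rules) for a client presenting its statement of health."""
    if guest:
        return "guest", []                 # restrictive rights, no health check
    if not credentials_ok:
        return "denied", []                # username/password or token required first
    failed = [r for r in HOST_INTEGRITY_RULES if not health.get(r, False)]
    if failed:
        return "remediation", failed       # may only reach the remediation servers
    return "full", []


def reachable(zone: str) -> set:
    """Servers/networks a client placed in `zone` is allowed to reach."""
    return ZONE_ACCESS[zone]


class ZoneDefenseSwitch:
    """xStack-side view: a block list fed by NetDefend firewall alerts."""
    def __init__(self):
        self.blocked = {}                  # mac -> (port, reason)

    def firewall_alert(self, mac: str, port: int, reason: str) -> None:
        self.blocked[mac] = (port, reason)  # block the host at port level

    def allow(self, mac: str) -> bool:
        return mac not in self.blocked


def demo() -> dict:
    healthy = {r: True for r in HOST_INTEGRITY_RULES}
    unpatched = dict(healthy, patch_updated=False)
    remediated = dict(unpatched, patch_updated=True)   # patch fetched, re-evaluated
    sw = ZoneDefenseSwitch()
    infected = "00-15-F2-A9-0B-C2"                     # constructed MAC
    allowed_before = sw.allow(infected)
    sw.firewall_alert(infected, port=7, reason="worm scan detected")
    return {
        "compliant": nap_decision(True, False, healthy),
        "unpatched": nap_decision(True, False, unpatched),
        "unpatched_reach": reachable(nap_decision(True, False, unpatched)[0]),
        "after_remediation": nap_decision(True, False, remediated),
        "guest": nap_decision(False, True, {}),
        "no_credentials": nap_decision(False, False, healthy),
        "infected_allowed_before_alert": allowed_before,
        "infected_allowed_after_alert": sw.allow(infected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: credentials are verified before any health statement is trusted, and a host admitted with full access can still lose it later through the firewall alert, which is the real-time half of the joint solution.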
D-Link SIM Technology - Manageability • Provides single IP address management of up to 32 switches without being limited to specific models, specialized cables, distance barriers or stacking methods, and prevents a single point of failure. • Straightforward visualization without additional software installation.
D-View 6.0 NMS Manageability
Innovative "Green Ethernet" Technology • General trend towards making products more GREEN and eco-friendly. • Market pressure and legislative action for energy-efficient networked equipment. • D-Link leads the industry by enabling unique "Green Ethernet" technology in networking. • Reduces power consumption without sacrificing performance or functionality by detecting link status and cable length, which brings the benefits of less heat dissipation, extended product life and reduced operating cost.
Success Case - Metro Ethernet. D-Link's proven success in the past 2 years in the Russia, Greater China and Northern Europe regions: over 200k DES-3526 and 7k DES-3828 were sold as access switches; over 3k DGS/DXS-3300 and 4k DGS-3600 were sold as L3 distribution or aggregation switches. The DES-3528 is MEF 9 and 14 certified for EPL.
Success Case – Corbina Telecom, Russia (diagram: DXS-3326GSR switches). Interoperability • Comprehensive MIBs/logs • DHCP options • OSPF routing. Robustness • STP convergence • Against virus/worm flood. QoS • Advanced traffic classification • Comprehensive bandwidth control • Multicast optimization. Security • IP-MAC-Port binding • Abnormal traffic control • Loopback detection
Success Case – Nittedal Multimedia, Norway (diagram: DGS-3324SR core stack and a DXS-3326GSR with DES-3010G access switches and IPTV streamers; 1G fiber, 1G copper and 10G stacking links). Stackability • 40G fault-tolerant stacking • Virtual chassis. Core • OSPF & PIM-SM. QoS • Advanced traffic classification • Comprehensive bandwidth control • Multicast optimization
Success Case – Chiba University Hospital, Japan (diagram, updated 2008/Apr: DGS-3600 L3 core switches in the data center, DGS-3600 stacks in the medical buildings, new medical building and medical departments; 10G fiber, 1G fiber and 10G stacking links). Interoperability • Comprehensive MIBs/logs • OSPF routing. Security • User identity control • Abnormal traffic control. Stackability. Robustness • Loopback detection • Against virus/worm flood
Success Case – Beau Rivage Resort & Casino, USA (diagram: analog cameras feeding digital encoders into DGS-3324SR switches, with recording servers, backup recording servers and a live monitor)
Complete Product Offerings (positioned by network complexity; series labels shown: DES/DGS-3000 Series, DES/DGS-1200 Series, DES/DGS-1000 Series). xStack Series • 24/48 port • 10/100, Gigabit & 10G Ethernet • 19" rack mountable & chassis • L2+/L3+ • Full management features • D-Link SIM support • Complete security features • Comprehensive QoS control • Safeguard Engine embedded • ZoneDefense with NetDefend Firewall. Standard Managed Switch • 8/16/24/48 port • 10/100 & Gigabit Ethernet • 11"/19" rack mountable • CLI, Web, SNMP support • 802.1D/P/Q, RMON ... • Most cost-effective managed switch. Web Smart Switch • 16/24/48 port • 10/100 & Gigabit Ethernet • 19" rack mountable • Web manageable • Unmanaged price with management features. Unmanaged Switch • 5/8/16/24/48 port • 10/100 & Gigabit Ethernet • Desktop size, 11"/19" rack mountable • Quality & stable • Cable diagnostic support* (* available on DGS-1005/08/26/24D)
Why D-Link • Comprehensive wired, wireless and security solutions • Enable the integration of network & PC/endpoint security • Carrier customers tested, field proven and affordable • Branch offices in 60+ countries, committed to global and local support