Data Center Aggregation/Core Switch
The proposed solution must provide a high-density chassis based switch solution that meets the requirements provided below. Your response should describe how your offering would meet these requirements. Vendors must provide clear and concise responses, illustrations can be provided where appropriate. Any additional feature descriptions for your offering can be provided, if applicable.
• Must offer a chassis-based switch solution that provides eight I/O module slots, two management module slots and four fabric module slots. Must support a variety of I/O modules providing support for 1GbE, 10GbE, 40GbE and 100GbE interfaces. Please describe the recommended switching solution and the available I/O modules.
• Switch must offer switching capacity up to 20.48 Tbps. Please describe the performance levels for the recommended switching solution.
• Switch system must support high availability for the hardware preventing single points of failure. Please describe the high availability features.
• It is preferred that the 10 Gigabit Ethernet modules will also be able to accept standard Gigabit SFP transceivers. Please describe the capability of your switch.
• Must support N+1 redundant power supplies
• Must support N+1 redundant fan trays
• Must support a modular operating system that is common across the entire switching profile. Please describe the OS and advantages.
3. Strategic Asset Security Pivot: Why? Why? How?
Reduce millions of logs to actionable intelligence.
A complete network, policy and compliance solution.
Automated correlation and analytics.
Network components: router, IPS/IDS, firewall, switches, servers, DMZ, VPN.
4. Rumor: green M&M's are an aphrodisiac?
Security like candy? A hard candy shell, originally designed as a treat for soldiers!
Caution: extreme metaphor.
6. Do you have… Is your firm's environment secure?
• Port scanning and remediation
• Perimeter vulnerability scanning
• Timely OS patching
• Network-level DDoS detection and prevention
• Auditing of all operator access and actions
• Just-in-time elevations
• Automatic rejection of employees without a background check from high-privilege access
• Automatic account deletion when an employee leaves, when an employee changes groups, and when there is lack of use
• Isolation between the mail environment and the production access environment for all employees
• Automated tooling for routine activities
7. Attack your security gap: what is your pucker factor?
Risk assessment: commodity threats versus targeted (APT) threats.
Timeline: breach (event) → SOC (time to detect) → IR (time to respond) → Intel (contain), with analytics and pivot in between. It is all about time against the bad actor.
Identify potential risk ("shiny objects"): the SIEM logs activity in the XYZ Account compute environment; logs or events become the intelligence to respond, i.e. what actions XYZ Account should take.
(Diagram labels: Analytics, CAD, Oracle, Netflix, Bad Actor.)
8. Traditional Castle Defenses
• Keep: the last building in the castle to fall
• Moat / main gate: the outer perimeter controlling castle access
• Inner perimeter: the stronghold, with higher walls, creates a containment area between the inner and outer perimeters
9. Defense in Depth: A Cascade of Security Zones
Access control at each boundary, from the outside in:
• Outer perimeter: De-Militarized Zone (DMZ)
• Inner perimeter: internal network (intranet), behind an internal firewall
• Stronghold (keep): mission-critical systems
Each boundary firewall keeps dynamic state tables.
10. Search & Pivot - IPS
Diagram: Internet → DMZ → core network → user network, with an IPS at each boundary, an IDS on the user network, and a management server.
Broad attacks: commodity threats, worms & bots.
Multi-faceted targeted attacks: Advanced Persistent Threat (APT), advanced targeted attacks.
11. Use your network as a key part of your security framework
Access, visibility, protection, analytics, automation; command, control, enforcement. The network is the scout on the front lines.
12. How can your networks be protected from your own users? (NAC, BYOD, Identity)
Endpoint security: infections persist because endpoint security fails; applications can be manipulated and unintentionally messed up, and there is a time gap between a new virus and the virus repair.
Identity: identity alone fails; it guards against unauthorized access but not malware, and it identifies users but not devices.
Network security: network security alone fails because firewalls do not block legitimate ports and VPNs cannot block legitimate users; malware signatures must be known, so detection occurs after the fact.
Multisector: each of these fails versus a targeted attack; company encrypted tunnels cannot be tested, and time is on the side of the bad actor.
14. Solution Benefits (solution with Palo Alto Networks)
• Accurate user ID to IP mapping to eliminate potential attacks and provide reliable, out-of-the-box user information to Palo Alto
• Improved security that blocks/limits user access at the point of entry without impacting other users
• More accurate network mapping for dynamic policy enforcement and reporting
15. A port is what it is because of what or who is connected to it.
Actions: Allow (single SSID/VLAN), Rate Limit, Contain (multiple VLANs), Deny.
Policy dimensions:
• Device? District owned, approved BYOD, unapproved BYOD, directory-unaware guest device
• Access? Wireless, web-based, MAC, wired, 802.1X
• Location? Library, gym, 5 ft from an access point, hallway, classroom
• User? Guest, student, faculty/staff, admin
• Application? HTTP, online testing, YouTube, Twitter, Facebook, SIS, VDI
• Time? Weekends, holidays, M–F 8 am–6 pm, anytime
Policy? Application delivery in minutes.
16. Policy Components
Any device, location, application: if X + Y, then Z. "If" a user matches a defined attribute or value … "then" place the user into a defined ROLE.
• Roles (e.g. Faculty, Student, Guest): optimized performance
• Services: simply containers for groups of similar rules
• Rules: device-level classification rule behavior based upon L2, L3 and L4 packet fields (Layer 1–L3 through Layer 4)
Managed in Policy Manager.
17. Policy-based Networking (Guest Onboarding)
• Policies can be applied to the entire network with a single click
• Passive policies for what-if scenarios prior to enforcing
• Rules allow, deny, rate limit or contain
Built-in access control: policy, ACLs, CDPv2 & LLDP, sampled NetFlow; Layer 1–L3 through Layer 4.
Example roles: IT Admin, Employee, Guest, Oracle, VPN Admin. Example rules: AllowHTTP, AllowHTTPS, AllowIPSec, AllowSAP, RateLimit, AllowPing, AllowTelnet, AllowEmail, AllowTFTP, AllowSNMP, AllowOracle, DenyBlast.
18. Policy role-based administration
if X + Y, then Z (Layer 1–L3 through Layer 4): centrally managed, no scripts, no element management; can be applied to the entire network with a single click.
19. Role Based Policy – Secure Enterprise
1. User role (Guest/Finance/Engineering/Administrators)
2. User/device authentication, policy definition and management
3. Rules & services enforcement for secured access
4. Secure application access
XoS delivers 1024 authenticated users per switch.
Built-in access control: policy, ACLs, CDPv2 & LLDP, sampled NetFlow; Layer 1–L3 through Layer 4.
20. if X + Y = ?, then Z: Role Based Policy – Platform Scaling

| Feature | X620 / X440-G2 | X450-G2 | X460-G2 | X670-G2 | X770 |
| Policy Profiles | 63 | 63 | 63 | 63 | 63 |
| Rules per Role (Profile) | Up to 440 | Up to 952 | Up to 952 | Up to 952 | Up to 952 |
| Authenticated Users / Switch | Up to 256 | 1024 | 1024 | 512 | 512 |
| Authenticated Users / Port | Unlimited, up to 256 | Unlimited, up to 1024 | Unlimited, up to 1024 | Unlimited, up to 512 | Unlimited, up to 512 |
| Unique Permit/Deny Rules | 440 | 952 | 952 | 952 | 952 |
| MAC Rules | N/A | 256 | 256 | 256 | 256 |
| IPv6 Rules | N/A | 256 | 256 | 256 | 256 |
| IPv4 Rules | 256 | 256 | 256 | 256 | 256 |
| L2 Rules | 184 | 184 | 184 | 184 | 184 |
| Rate Limiting | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB* |

Actions cover quality of experience, business services, and users/devices.
21. Policy = Ethernet "like a Mux" (Layer 1–L3 through Layer 4)
CoS capabilities: 802.1D priority marking, IP ToS overwrite, inbound rate limiting, rate shaping.
CoS is integrated with existing EXOS QoS, leveraging much of the existing infrastructure.
22. QoS Components: Application Awareness (ExtremeXOS®, end to end)
Control plane: signaling, policy server, admission control, routing.
Data path: classification, traffic conditioning, scheduling, shaping, output I/F.
23. L4 Networking (Automated Policy for Control)
Layer 1: Physical; Layer 2: Data Link; Layer 3: Network; Layer 4: Transport; … Layer 7: Application.
Between Layer 4 and Layer 7 sit the identity attributes the policy keys on: device identity, user identity, virtual machine identity, application identity, etc.
24. Transparent Authentication
Components: intranet, mail servers, CRM, Active Directory server, RADIUS server, LDAP server, Summit switch.
1. The user logs into the Active Directory domain with user name and password.
2. The ExtremeXOS® network "snoops" the Kerberos login by capturing the user name.
3. Active Directory validates and approves the user credentials and responds to the host.
4. ExtremeXOS grants network access based on the AD server response.

| Username | IP | MAC | Computer Name | VLAN | Location | Switch Port # |
| John_Smith | 10.1.1.101 | 00:00:00:00:01 | Laptop_1011 | 1 | | 24 |

Result: Success.
25. Role-based Access Control

| Role | Internet | Intranet | Mail | CRM/Database | VLAN |
| Unauthenticated | Yes | No | No | No | Default |
| Contractor | Yes | Yes | No | No | Default |
| Employee | Yes | Yes | Yes | Yes | Default |

Components: Internet, intranet, mail servers, data center, Active Directory server, RADIUS server, LDAP server, Summit switch.
Role derivation
• Users are assigned to a "role" based on their attributes (e.g. job function, location, etc.)
• Roles contain dynamic policies that control access to network resources regardless of location
Examples:
• Who is John? The LDAP response matches Department = Employee → User: John, Role: Employee, Resource Access = Permit All
• Who is Alice? The LDAP response matches Company = IBM → User: Alice, Role: Contractor, Resource Access = Deny Mail and CRM
• No authentication detected → Unauthenticated role: User: Bob, Role: Unauthenticated, Resource Access = Internet Only
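The "if attribute matches value, then place the user into a role" derivation above, carried through to the permit/deny decisions of the role table, as an added example (not code from the slides or from any vendor product). The directory responses, the rule order (first match wins), and the fallback of an authenticated user who matches no rule to the Unauthenticated role are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Resource columns of the role-based access control table on this page.
RESOURCES = ("Internet", "Intranet", "Mail", "CRM/Database")

# Role -> permitted resources and VLAN, copied from the page's table.
ROLE_ACCESS: Dict[str, Dict[str, object]] = {
    "Unauthenticated": {"permit": {"Internet"}, "vlan": "Default"},
    "Contractor": {"permit": {"Internet", "Intranet"}, "vlan": "Default"},
    "Employee": {"permit": {"Internet", "Intranet", "Mail", "CRM/Database"}, "vlan": "Default"},
}


@dataclass(frozen=True)
class RoleRule:
    """'If' a directory attribute matches a value, 'then' assign the role."""
    attribute: str   # LDAP attribute name, compared case-insensitively
    value: str
    role: str


# The two derivation rules the page shows, evaluated in order (first match wins).
RULES: List[RoleRule] = [
    RoleRule("department", "Employee", "Employee"),
    RoleRule("company", "IBM", "Contractor"),
]


def derive_role(ldap_response: Optional[Dict[str, str]]) -> str:
    """Map an LDAP response to a role; no response means no authentication was detected."""
    if not ldap_response:
        return "Unauthenticated"
    attrs = {k.lower(): v for k, v in ldap_response.items()}
    for rule in RULES:
        if attrs.get(rule.attribute.lower()) == rule.value:
            return rule.role
    # Assumption (not stated on the page): an authenticated user matching no rule
    # falls back to the most restrictive role rather than to a permissive default.
    return "Unauthenticated"


def authorize(user: str, ldap_response: Optional[Dict[str, str]]) -> Dict[str, object]:
    """Return the role plus explicit permit/deny lists per resource, in table order."""
    role = derive_role(ldap_response)
    permitted = ROLE_ACCESS[role]["permit"]
    return {
        "user": user,
        "role": role,
        "permit": [r for r in RESOURCES if r in permitted],
        "deny": [r for r in RESOURCES if r not in permitted],
        "vlan": ROLE_ACCESS[role]["vlan"],
    }


if __name__ == "__main__":
    # Constructed directory responses mirroring the page's three examples.
    for name, resp in [("John", {"department": "Employee"}),
                       ("Alice", {"company": "IBM"}),
                       ("Bob", None)]:
        print(authorize(name, resp))
```

Rule order matters: a user whose directory entry matches both rules gets the first role listed, so the more privileged rule should be placed deliberately, not by accident.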
26. Take IT-configurable actions on Extreme Networks switching infrastructure
If … a user or device connects to the network … then (any combination of):
• Communicate with the LDAP server for the user/device profile
• Place the device or user into a role
• Dynamically create an ACL
• Rate limit the device or user
• Blacklist or de-blacklist
• Send out an email alert or generate a Syslog event
Auto-provision users and devices that connect to the network.
Automation through power management. If … time of day = 5:00 pm … then (any combination of):
• Disable PoE power to the wireless AP
• Hibernate the chassis line card
• Send out an email alert or generate a Syslog event
27. Event based Triggers
Automation through customized scripting: if the following events are triggered … and match the following values … then execute the corresponding profile script.
• Trigger type variables: device, user authentication, time based, EMS (Event Management System), user input
• Values for the respective variables: value x, value y, value z, …
• Action: execute script file
28. Time-of-Day Profiles
• Timer triggered
• Applications: disable guest VLAN access; shut down wireless service in closed buildings; timed backup of configurations, policies, …; timed check on statistics

Events that trigger profiles:

| Trigger | Condition |
| Device-Detect | Specific device detected by the system |
| Device-Undetect | Specific device is no longer present or a timeout has occurred. Port properties return to a known state. |
| User-Authenticated | Specified user authenticated |
| User-Unauthenticated | Specified authenticated user has been unauthenticated. Port properties return to a known state. |
| Timer-AT | Timer scheduled to occur AT a specified time has occurred |
| Timer-AFTER | Timer scheduled to occur AFTER an event or specified interval has occurred. Can be a one-time occurrence or can be recurring. |
| User-Request | Profile was triggered remotely by the administrator through the CLI |
29. Automation through customized scripting
The same trigger model as slide 27: trigger type variables (device, user authentication, time based, EMS (Event Management System), user input) and the values for the respective variables (value x, value y, value z, …). If the events are triggered and match the values, the corresponding profile script file is executed.
30. Role Based Policy – Platform Limits

| Features | X450-G2 | X460-G2 | X670-G2 | X770 |
| Policy Profiles | 63 | 63 | 63 | 63 |
| Rules per Role (Profile) | Up to 928 | Up to 928 | Up to 928 | Up to 928 |
| Authenticated Users / Switch | 1024 | 1024 | 512 | 512 |
| Authenticated Users / Port | Unlimited, up to 1024 | Unlimited, up to 1024 | Unlimited, up to 512 | Unlimited, up to 512 |
| Unique Permit/Deny Rules | 928 | 928 | 928 | 928 |
| MAC Rules | 256 | 256 | 256 | 256 |
| IPv6 Rules | 256 | 256 | 256 | 256 |
| IPv4 Rules | 256 | 256 | 256 | 256 |
| L2 Rules | 184 | 184 | 184 | 184 |
| Rate Limiting | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB* |

Multi-user authentication (MUA) logic, 802.1X / Web / MAC: multiple authentication agents on the same port (802.1X, EXOS web authentication, MAC authentication) and multiple policy profiles per port. Each policy profile is assigned to a subset of the traffic; policy is applied to ingress traffic based on which user sourced it; users/devices may be implementing different authentication methods.
Diagram: Chris authenticates with 802.1X credentials (Filter ID Policy X) and with MAC credentials (Filter ID Policy Y); Policy Profile Y for Chris, MAC = A:A, yields a dynamic admin rule for Policy Y (SMAC = A:A).
31. Ideal Model - Authentication and Authorization
Intuitively, we want the protocol to behave "as if" a trusted third party collected the parties' inputs and computed the desired functionality. Computation in the ideal model is secure by definition! [Goldreich-Micali-Wigderson 1987]
Diagram: parties A and B hold inputs x1 and x2 and receive outputs f1(x1,x2) and f2(x1,x2); properties: secrecy, integrity.
Given a statement s, authentication answers the question "who said s?"
Given an object o, authorization answers the question "who is trusted to access o?"
"Who" refers to a principal. Principal = abstraction of "who".
32. Wireless Threat Landscape
Why are wireless LANs prone to attack?
• "Open air": no physical barriers to intrusion, silent attacks
• Standard 802.11 protocol, well-documented and understood. Most common attacks against WLAN networks are targeted at management frames
• Unlicensed, easy access to inexpensive technology
• Wireless access outside of physical/wired boundaries (physical security)
Tools of the trade (bad actor → target): NetStumbler, Kismet, AirSnort, WEPCrack.
33. IP spoofing (friend impersonation)
Diagram: A (10.10.10.1) is B's friend; B is at 134.117.1.60. The bad actor's packet carries a spoofed source, and B reasons "It must be OK, my friend sent it. Yum Yum."

| Packet | Src_IP | dst_IP | Src_port | dst_port |
| From A | 10.10.10.1 | 134.117.1.60 | Any (>1024) | 80 |
| From the bad actor (spoofed) | 11.11.11.1 | 134.117.1.60 | Any (>1024) | 80 |

Related threats: eavesdropping, packet sniffing, illegal copying. Better not to trust any individual router: one can assume that some fraction of routers is good, but doesn't know which.
34. Session hijacking
Diagram, three stages between server a and user b:
• Intercept: the bad actor, using server a's address, sends a reset; user b drops the connection.
• Exploit: the bad actor, using user b's address, sends malicious commands; user b ignores the server.
• Result: the bad actor now holds the authorized connection to server a (the target).
The Internet is designed as a public network:
• Wi-Fi access points and network routers see all traffic that passes through them
• Routing information is public: IP packet headers identify source and destination, so even a passive observer can easily figure out who is talking to whom
• Encryption does not hide identities: encryption hides the payload, but not routing information; even IP-level encryption (tunnel-mode IPsec/ESP) reveals the IP addresses of the IPsec gateways
35. Denial of service (DoS)
Diagram: the bad actor commands multiple zombies that flood the target, server a.
Observation: malicious behavior need not involve system call anomalies. Malicious code communicates with its master by "piggybacking" on normal network I/O: hide malicious code inside a server and hook into a normal execution path.
36. "Who" gets access and "what" they can do
Identity-based network access: control at each switch port or access point.
• Only authorized users can get network access
• Unauthorized users can be placed into "Guest" VLANs
• Prevents unauthorized APs
Authorized users/devices get user-based policies applied (BW, QoS, etc.); unauthorized users/devices do not.
37. War Driving for Open Frequency Range
Countermeasures for wireless attacks:
• Anti-war-driving software makes it more difficult for attackers to discover your wireless LAN
• Honeypots: servers with fake data to snare intruders
• FakeAP and Black Alchemy Fake AP: software that makes fake access points
• Use special paint to stop radio from escaping your building
Radio-frequency-based threats:
• Client mis-association: client-to-client connections bypass infrastructure security checkpoints
• Rogue access points: employees connect to an external WLAN, creating a portal to the enterprise wired network
• Denial of service attacks: malicious hackers disrupt critical business services
• Ad-hoc wireless networks: employees unknowingly create an opening to the enterprise network
Diagram: the bad actor reaches the target through ad-hoc networks, mis-association networks and rogue networks.
38. Multi-User Authentication (MUA): 802.1X / Web / MAC logic
Diagram: Chris authenticates with 802.1X credentials (Filter ID Policy X, MAC = A:A); Dave authenticates with MAC credentials (Filter ID Policy Y, MAC = B:B). The RADIUS server returns Policy Profile X for Chris and Policy Profile Y for Dave, producing a dynamic admin rule for Policy X (SMAC = A:A) and a dynamic admin rule for Policy Y (SMAC = B:B).
• Allows for assignment of multiple policy profiles per port
• Each policy profile is assigned to a subset of the traffic received
• Policy profile is applied to ingress traffic based on which user sourced it
• Users/devices may be implementing different authentication methods
39. Access Control Possibilities
Authentication messages flow from the client through the edge switch (Summit) to the authentication server; data messages follow once access is granted.

| Client | Method | Authentication messages (client to switch) | Switch to server |
| Non-intelligent devices | MAC-based | MAC authentication | RADIUS encryption |
| Browser-only client | Web-based | HTTPS authentication (encrypted) | RADIUS encryption |
| 802.1X client | 802.1X-based | 802.1X authentication (PEAP/MD5/TLS/TTLS) | RADIUS encryption |

Data messages: no encryption on either leg, for all three client types.
40. Whitelist / Blacklist
Identity management: increased visibility and management of device identities for a user or device.
• Roles based on LLDP parameters
• Roles based on MAC, IP, port
• Whitelists and blacklists
Client/device attributes: MAC OUI, MAC address, IP address.
Whitelist: allow all traffic from and to the identity. Users are mapped to a whitelist based on user/MAC/IPv4, which creates an ACL to permit all traffic, e.g. as an ExtremeXOS policy entry:
    entry whitelist_000000000002 {
        if match all { ethernet-source-address 00:00:00:00:00:02; }
        then { permit; }
    }
Blacklist: deny all traffic from the identity. Users are mapped to a blacklist based on user/MAC/IPv4, which creates an ACL to block all traffic:
    entry blacklist_000000000002 {
        if match all { ethernet-source-address 00:00:00:00:00:02; }
        then { deny; }
    }
41. Network Access Control in the OS
• Assume a secure channel from the user
• Authenticate the user by local password
• Map the user to her user ID + group IDs (local database for group memberships)
• Access control by ACL on each resource; ACLs are lists of IDs
• The OS kernel is usually the reference monitor
• Any RPC target can read the IDs of its caller; a program has the IDs of its logged-in user
Network login diagram: (1) the user logs in and the MAC address is detected, (2) the user is authenticated against the RADIUS server, (3) the port is put in forwarding mode.
42. Authentication
Authentication is identification and assurance of the origin of information; the threat is unauthorized assumption of another's identity.
Q: Who is the sender of the message? (who might have been able to create it)
Q: Who is the sender of the message? (who might have been able to modify it)
Integrity is prevention of unauthorized changes; the threat is to intercept messages, tamper, and release them again.
Functionality: f: ({0,1}*)^K → ({0,1}*)^K, with K inputs (one per party), each input a bitstring, and K outputs.
Network Login authenticator diagram: supplicants (MAC learning, 802.1X auth, web-based login) connect to the authenticator on a port #; the authenticator checks a local database or a RADIUS authentication server via EAP/RADIUS, sending user/password and receiving a VLAN VSA; further elements: MAC mask, URL hijacking (the redirect for web-based login).
43. Port-based 802.1Q: network security (VLANs) for network and user segregation
Pros
• Separate broadcast domains for trusted internal users and untrusted guest users: the groups are unable to communicate directly
• Trusted internal PCs cannot contract viruses from untrusted guest PCs
• Untrusted guest users are unable to access private internal servers
• Use of VLAN Trunking Protocol eases VLAN management
Cons
• No measure to prevent untrusted guests from connecting to private ports
• Misconfiguration of a port will provide trusted network access
• Use of separate subnets leads to inefficient use of IP address space
• Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
44. "Network Login" captive portal
Captive portal features:
• Fully customizable formatting and content
• HTTPS redirection and capture
• Internal and external hosting
• Logout on browser close
• Login, welcome and failed pages
• Unbranded login pages for concealment
Exchange between the client and the switch (Summit), with RADIUS behind it:
1. DHCP: the client sends a DHCP-Request; the switch answers with a DHCP-Response (short lease), or the client uses a static IP
2. Speed bump: the client sends an HTTP request to any external web server address (for example www.yahoo.com); the switch answers with the HTTP login prompt (redirected)
3. Login: the client submits an HTTP username/password; the switch sends a RADIUS Access-Request; RADIUS returns Access-Accept with the VLAN assignment
4. DHCP: the client sends a DHCP-Request; the switch answers with a DHCP-Response
45. Captive portal: AAA features using hotspot authentication
• Bandwidth management policies
• Dynamic VLAN assignments
• LDAP authentication support
• RADIUS authentication and accounting
• Time-based access policies: time of day and day of week
• Web browser-based authentication
• Web browser-based guest user admin
Open source options:
• CoovaChilli (morphed from Chillispot), http://coova.org/wiki/index.php/CoovaChilli: uses RADIUS for access and accounting; CoovaAP is OpenWRT-based firmware
• m0n0wall, http://m0n0.ch/wall/: embedded firewall appliance solution built on FreeBSD (captive portal screenshot: http://m0n0.ch/wall/images/screens/services_captiveportal.png)
46. MAC Auth: Other Non-802.1X-Capable Endpoints
Unsupported devices: network printers, Ethernet-based electronics like environmental sensors, cameras, wireless phones, etc.
One way: Media Access Control (MAC) address filtering, usually implemented by permitting instead of preventing. Win 2K & XP allow easy changes to MAC addresses; a MAC address is not an authentication mechanism…

| Native Client Support | EAP-PEAP | EAP-TLS | EAP-TTLS |
| XBOX 360 | NO | NO | NO |
| XBOX One | MAYBE | MAYBE | MAYBE |
| PlayStation 3 & 4 | NO | NO | NO |
| Nintendo Wii / Wii U | NO | NO | NO |

The other "MAC", a message authentication code: integrity and authentication, since only someone who knows KEY can compute the MAC for a given message. The sender transmits (message, MAC(KEY, message)), where the MAC is usually based on a cryptographic hash, aka "digest"; the receiver, who also holds KEY, recomputes the MAC and verifies whether it is equal to the MAC attached to the message.
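The MAC(KEY, message) computation and the receiver's recompute-and-compare check, as an added example using HMAC-SHA256 from Python's standard library (this is not code from the slides). The key and message are constructed for the demonstration; the cases show why a tampered message, a wrong key, or a bare keyless digest all fail verification.

```python
import hashlib
import hmac
from typing import Dict


def make_mac(key: bytes, message: bytes) -> bytes:
    """Tag = HMAC-SHA256(KEY, message): computing it requires KEY, so the tag
    proves both origin (someone holding KEY) and integrity (any edit changes it)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare it with the attached tag.
    compare_digest runs in constant time, so a forger learns nothing from timing."""
    expected = make_mac(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> Dict[str, bool]:
    # Constructed values for the demonstration; a real KEY comes from a key store.
    key = b"constructed-demo-key-do-not-reuse"
    message = b"printer-lobby-01 requests VLAN 20"
    tag = make_mac(key, message)
    return {
        "genuine": verify_mac(key, message, tag),
        "tampered_message": verify_mac(key, b"printer-lobby-01 requests VLAN 1", tag),
        "wrong_key": verify_mac(b"some-other-key", message, tag),
        # A bare hash carries no key, so it is not a MAC: anyone could have produced it.
        "keyless_digest": verify_mac(key, message, hashlib.sha256(message).digest()),
        "tag_is_32_bytes": len(tag) == 32,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accept' if ok else 'reject'}")
```

The contrast with the MAC-address filtering above is the point: a source MAC address is a claim anyone can set, whereas a message authentication code can only be produced by a holder of the shared key.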
47. WEP Keys (Static Keys): shared key authentication (symmetric encryption)
Given: both parties already know the same secret. Goal: send a message confidentially.
1. The laptop sends an authentication frame saying it wants to authenticate
2. The AP sends a challenge text
3. The laptop encrypts the challenge text with the shared key and returns it
4. The AP compares the encrypted text with its own
5. The AP sends an authentication frame back to the device
48. WPA & WPA2 Personal Security
• WPA replaces WEP with TKIP
• WPA2 uses a stronger data encryption method called AES-CCMP instead of TKIP encryption
• Still uses PSK (Pre-Shared Key) authentication; people may send the key by e-mail or another insecure method (cracking WPA)
EAP layering:
• Method layer: TLS, GSS_API, Kerberos, PEAP (over TLS), MS-CHAPv2, IKE, MD5
• EAP layer: EAP
• Media layer: PPP, 802.3, 802.5, 802.11, other…
49. Port-based Network Access Control (PNAC): IEEE 802.1X
Roles: supplicant, authenticator (Summit switch or AP), authentication server.
Wireless view:
1. The device asks to join
2. The AP asks the device to verify its identity and becomes the middleman for the authentication server
3. The device sends its identity to the authentication server
4. The authentication server verifies the identity
5. The device can join the wireless LAN
802.1X authentication progression:
1. Initialization: on detection of a new supplicant on the switch port
2. Initiation: the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment
3. Negotiation: the authentication server sends an Access-Challenge packet to the authenticator
4. Authentication: if the authentication server and supplicant agree, an EAP-Success message is sent and the port is set to the "authorized" state
Framing: between supplicant and authenticator, an 802.1X header carries the EAP payload; between authenticator and server, a UDP header and RADIUS header carry the EAP payload.
50. Identity Based Network Services: IEEE 802.1X
Supplicant → authenticator (Summit): login + certificate. Authenticator → AAA RADIUS server (802.1X authentication server): verify login and check with the policy DB; the authentication server uses the LDAP or Active Directory server for login and certificate services. Server → authenticator: login verified, "Login good! Apply policies." The switch applies policies (IEEE 802.1X + VLANs + VVID + ACL + QoS) and enables the port, e.g. set port to enable, set port vlan 10.
51. Comprehensive NAC Solution: IEEE 802.1X
1. The end user attempts to access the network; initial access is blocked
2. Single sign-on or web login: the NAC server gathers and assesses user/device information (username and password; device configuration and vulnerabilities), checking with the authentication server and the LDAP or Active Directory server (login and certificate services)
3a. Noncompliant device or incorrect login: access denied, placed into the quarantine role for remediation
3b. Device is compliant: placed on the "certified devices list", network access granted (THE GOAL: intranet/network)
52. EAP exchange (EAPOL between the client and the authenticator, RADIUS between the authenticator and the authentication server)
Sequence: EAPOL Start; Request Identity; Response Identity (anonymous), relayed by the authenticator to the server as Response Identity; TLS Start; Certificate; Client Key exchange; Cert. verification; Request credentials; Response credentials; Success.

| Native Client Support | EAP-PEAP | EAP-TLS | EAP-TTLS |
| Windows 8 | YES | YES | YES |
| Windows 7 / Vista / XP | YES | YES | NO |
| Mac OS X | YES | YES | YES |
| Linux | YES** | YES | YES |
| iOS | YES | YES | YES* |
| Android | YES** | YES | YES |
| Chrome OS | YES** | YES | YES** |
| Windows Phone 8.1 | YES | YES (rumored) | UNK |
| Windows Phone 7/8 | YES | NO** | NO |
| BlackBerry 10 | YES | YES | YES |
| BlackBerry 7 | YES | YES | YES |
53. IKEv2 with EAP & Server Certificate
Diagram: the initiator (client) and responder (UDP/500) exchange KEi, Ni and KEr, Nr, then IDi and IDr; the responder proves itself with IDr and Certr, while the client's EAP identity, EAP challenge and EAP response are relayed to the AAA server over RADIUS; the PSK is shared between the client and the AAA server.
EAPOL frame layout: PAE Ethernet Type, Protocol Version, Packet Type, Packet Body Length, Packet Body…
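The EAPOL frame layout just listed (PAE Ethernet type, protocol version, packet type, packet body length, packet body) and the 802.1X progression of slides 49 and 52 (EAPOL-Start, EAP-Request/Response Identity, EAP-Success putting the port into the authorized state), as one added example that is not code from the slides or from any vendor. It parses constructed frames with length checks and tracks a port's authorization state the way a visibility tool mirroring the authenticator would; the MAC addresses and the port name "1:24" are constructed, while 0x888E and 01:80:c2:00:00:03 are the standard EAPOL ethertype and PAE group address.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E                            # the PAE Ethernet type
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # the "special Layer 2 address"
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key", 4: "EAPOL-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


@dataclass
class EapolFrame:
    dst: str
    src: str
    version: int
    packet_type: str
    body: bytes
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse Ethernet + EAPOL (+ EAP) headers, checking every declared length."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL packet body length exceeds frame")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    f = EapolFrame(_mac(frame[0:6]), _mac(frame[6:12]), version, EAPOL_TYPES[ptype], body)
    if ptype == 0:                           # EAP-Packet: body starts with the EAP header
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[0:4])
        if code not in EAP_CODES or eap_len < 4 or eap_len > length:
            raise ValueError("EAP header inconsistent")
        f.eap_code, f.eap_id = EAP_CODES[code], ident
        if code in (1, 2):                   # Request/Response carry a type byte
            if eap_len < 5:
                raise ValueError("EAP Request/Response missing type")
            f.eap_type, f.eap_data = body[4], bytes(body[5:eap_len])
    return f


def rejects(frame: bytes) -> bool:
    """True when the parser refuses the frame (shows the length checks working)."""
    try:
        parse_eapol(frame)
    except ValueError:
        return True
    return False


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body)) + body


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


class PortMonitor:
    """Tracks each port's authorization state from the EAPOL frames seen on it."""

    def __init__(self) -> None:
        self.state: Dict[str, Dict[str, object]] = {}

    def observe(self, port: str, frame: bytes) -> str:
        f = parse_eapol(frame)
        st = self.state.setdefault(port, {"authorized": False, "identity": None})
        if f.packet_type in ("EAPOL-Start", "EAPOL-Logoff"):
            st["authorized"], st["identity"] = False, None
            return f"{port}: {f.packet_type} from {f.src}, port unauthorized"
        if f.packet_type == "EAP-Packet":
            if f.eap_code == "Response" and f.eap_type == EAP_TYPE_IDENTITY:
                st["identity"] = f.eap_data.decode("utf-8", errors="replace")
                return f"{port}: identity {st['identity']!r} claimed by {f.src}"
            if f.eap_code == "Success":
                st["authorized"] = True
                return f"{port}: authorized as {st['identity']!r}"
            if f.eap_code == "Failure":
                st["authorized"] = False
                return f"{port}: authentication failed, port unauthorized"
        return f"{port}: {f.packet_type} ignored"


def run_demo() -> Tuple[List[str], Dict[str, object]]:
    supplicant, authenticator = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")  # constructed
    frames = [
        build_eapol(PAE_GROUP_ADDRESS, supplicant, 1),                                            # EAPOL-Start
        build_eapol(supplicant, authenticator, 0, build_eap(1, 1, EAP_TYPE_IDENTITY)),            # Request/Identity
        build_eapol(PAE_GROUP_ADDRESS, supplicant, 0, build_eap(2, 1, EAP_TYPE_IDENTITY, b"chris")),  # Response/Identity
        build_eapol(supplicant, authenticator, 0, build_eap(3, 2)),                               # EAP-Success
    ]
    mon = PortMonitor()
    log = [mon.observe("1:24", fr) for fr in frames]
    return log, mon.state["1:24"]
```

The EAPOL and EAP lengths are checked against each other and against the frame before any field is read, so a frame whose declared body is longer than what arrived is refused rather than read past its end.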
54. Distribution of Public Keys - certificate authority (CA)
• Public announcement or public directory. Risks: forgery, tampering
• Public-key certificate: a signed statement binding a public key to an identity, sig_Alice("Bob", PK_B)
• Common approach: an agency responsible for certifying public keys. Browsers are pre-configured with 100s of trusted CAs (135 trusted CA certificates in Firefox 3); a public key for any website in the world will be accepted by the browser if certified by one of these CAs
Digital signatures. Given: everybody knows the public key; only Bob knows the corresponding private key. Goal: the laptop sends a "digitally signed" message. To create a valid signature, one must know the private key; to verify a signature, it is enough to know the public key. (Diagram: the bad actor holds the public key but not the private key, marked "?"; authentication server; Summit switch.)
55. What Is NAC, Really?
Beyond "Who is it?" Goal: decide whether to grant a request to access an object; guards control access to valued resources.
Cycle: Authenticate & Authorize → Scan & Evaluate → Quarantine & Enforce → Update & Remediate.
Questions: Where is it coming from? Who owns it? What do you have? What's the preferred way to check or fix it?
The NAC server is an IP-passive bump in the wire, like a transparent firewall. (Diagram: resource, authentication server.)
56. Network Access Control
Diagram: NAC client → enforcement point → access-controlled subnet or isolation network; the NAC server (with the Summit switch and authentication server) checks the client and either allows it, or quarantines it and remediates.
58. Fingerprint – Who, What, When, Where, How
Single SSID, multiple topologies, multiple solutions:
• Control traffic: traffic type and QoS
• Control access to resources based on who, what, when, where, how …
• Ensure compliance: who, where, when, what device type, how
59. Purview Everywhere (more than CoreFlow2)
Available today:
• Standalone application sensor
• Core / data center: CoreFlow S/K Series
Future:
• Use IPFIX and packet mirroring in the Summits; X460s (future XoS 16.2) look at the first 15 packets for deep packet inspection
• Wireless: IdentiFi APs & controllers
Diagram: Purview fed by CoreFlow, the wireless controller, wireless APs, the virtual network, and standalone access switches.
60. Identity and Application Awareness
Deep packet inspection and SSL visibility over network traffic and flows, inbound and outbound: protection, visibility, and control.
Diagram labels: Application A, Application B, Employee A, Employee B, Employee C, prohibited application, attack traffic, botnet traffic, good application, clean traffic.
SSL handshake between a regular client and an SSL server: 1. ClientHello; 2. ServerHello (send public key); 3. ClientKeyExchange (encrypted under the public key); then the two sides exchange data encrypted with the new shared key.
61. Log collection - threat landscape
Sources: logs, events, alerts, configuration information, system audit trails, external threat feeds, e-mail and social activity, network flows and anomalies, identity context, business process data, malware information.
Then: collection
• Log collection
• Signature-based detection
Now: intelligence
• Real-time monitoring
• Context-aware anomaly detection
• Automated correlation and analytics
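The step from collection to intelligence above ("reduce millions of logs to actionable intelligence" through automated correlation enriched with identity context), as an added example that is not code from the slides or from any SIEM product. The log lines, their format, the source names and the directory roles are all constructed for the demonstration; the correlation rule (a burst of authentication failures for one user followed by a success within a window) and its thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample events from two sources (RADIUS auth log, switch syslog).
# The line format is invented for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01 radius auth-fail user=alice mac=00:0b:7d:31:ad:f2 port=1:7
2024-05-01T08:00:05 radius auth-fail user=alice mac=00:0b:7d:31:ad:f2 port=1:7
2024-05-01T08:00:09 radius auth-fail user=alice mac=00:0b:7d:31:ad:f2 port=1:7
2024-05-01T08:00:12 radius auth-fail user=alice mac=00:0b:7d:31:ad:f2 port=1:7
2024-05-01T08:00:20 radius auth-ok user=alice mac=00:0b:7d:31:ad:f2 port=1:7
2024-05-01T08:00:21 switch vlan-assign mac=00:0b:7d:31:ad:f2 vlan=20
2024-05-01T08:30:00 radius auth-fail user=john mac=00:0b:7d:25:f7:23 port=1:3
2024-05-01T08:30:30 radius auth-ok user=john mac=00:0b:7d:25:f7:23 port=1:3
"""

# Identity context (constructed), the directory role each user was derived into.
IDENTITY_CONTEXT = {"alice": "Contractor", "john": "Employee"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> <source> <event> k=v k=v ...' into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return {"ts": datetime.fromisoformat(m.group(1)), "source": m.group(2), "event": m.group(3), **fields}


def correlate(lines: List[str], threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Rule: at least `threshold` auth failures for one user inside `window`,
    followed by a success, collapse into one alert enriched with role and port."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["source"] != "radius":
            continue                      # only authentication events feed this rule
        user, ts = str(ev["user"]), ev["ts"]
        q = failures[user]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["event"] == "auth-fail":
            q.append(ts)
        elif ev["event"] == "auth-ok":
            if len(q) >= threshold:
                alerts.append({
                    "user": user,
                    "role": IDENTITY_CONTEXT.get(user, "Unknown"),
                    "failures": len(q),
                    "first_failure": q[0].isoformat(),
                    "success": ts.isoformat(),
                    "mac": ev["mac"],
                    "port": ev["port"],
                })
            q.clear()                     # a success ends the sequence either way
    return alerts


def run_demo() -> Dict[str, object]:
    lines = SAMPLE_LOG.splitlines()
    return {"events": len(lines), "alerts": correlate(lines)}


if __name__ == "__main__":
    print(run_demo())
```

Eight raw events become one alert that already names the user, the role the directory assigned, the port and the MAC, which is what an analyst needs to act; the single failure by john stays below the threshold and produces nothing.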
62. Host Integrity—Summary
Microsoft Network Access Protection (NAP)—(9/2006)
– Open framework—major security vendors involved
– Integration and testing in progress. Demonstrated at RSA 2/2006.
– Microsoft availability with Vista/Longhorn beta and XP/2003 Service Pack in the future
Architecture: the client (Microsoft Quarantine Agent, partner health agent, partner enforcement client) connects through a network access device (switch, access point; VPN, 802.1X, IPsec) to the Network Policy Server (IAS) with the Microsoft Quarantine Server and partner and Microsoft servers (e.g. a/v, patch policy). A host integrity check failure places the client in the quarantine VLAN for clean-up (virus update, OS patch update, etc.), signalled via RADIUS.

| User Auth | Host Integrity | Action |
| Pass | Pass | Corporate VLAN |
| Pass | Fail | Put into Quarantine VLAN |
| Fail | Pass | Close Port |
| Fail | Fail | Close Port |
63. SIEM
Correlation, logging, compliance, forensics (diagram: A, B, C).
Sarbanes-Oxley - publicly traded companies must:
• Maintain an adequate internal control structure
• Maintain procedures for financial reporting
• Assess the effectiveness of internal control structures
HIPAA - patient information, firms must:
• Maintain administrative, technical and physical safeguards to ensure integrity and confidentiality
• Protect against threats or hazards
• Protect against unauthorized uses or disclosures
PCI - all merchants using payment cards must:
• Build and maintain a secure network
• Protect and encrypt cardholder data
• Regularly monitor and test networks, including wireless
64. Dynamic Security Policies: conceptual view
1. The administrator configures user group policies in Netsite. The policy includes VLAN, 802.1p priority, and an extension mapped to the user group.
2. Netsite pushes the policy to the switch.
3. The user logs on to the network.
4. The RADIUS server returns the policy name for the user.
5. The policy is applied and the switch configures VLAN, 802.1p priority and ACLs on the port.
Components: Netsite server, RADIUS server.
65. IP Security: conceptual view (Trusted DHCP)
Diagram: the DHCP server sits behind a trusted port (allow DHCP servers); endpoint 1 (IP 192.168.0.8, default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23) and a rogue DHCP server sit on untrusted ports (block DHCP servers); the default gateway 192.168.0.1 has MAC 00:04:96:10:46:60.
66. IP Security: conceptual view (DHCP Snooping)
The switch uses DHCP snooping to build a trusted DHCP binding table from the exchanges between clients on untrusted ports and the DHCP server on the trusted port.

| MAC | IP |
| 00:0B:7D:25:F7:23 | 192.168.0.8 |
| 00:0B:7D:31:AD:F2 | 192.168.0.22 |
| … | … |

Endpoint 1: IP 192.168.0.8, default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23. Endpoint 2: IP 192.168.0.22, default GW 192.168.0.1, MAC 00:0B:7D:31:AD:F2. Gateway 192.168.0.1: MAC 00:04:96:10:46:60.
67. IP Security: conceptual view (Gratuitous ARP Protection)
Same topology and DHCP binding table as the DHCP snooping view: endpoint 1 is 192.168.0.8 / 00:0B:7D:25:F7:23, endpoint 2 is 192.168.0.22 / 00:0B:7D:31:AD:F2, the gateway is 192.168.0.1 / 00:04:96:10:46:60.
(1) A host with MAC ..:F2 sends a gratuitous ARP: "I have IP address 192.168.0.1 and my MAC address is ..:F2"
(2) ARP cache poisoned: 192.168.0.1 → ..:F2
(3) The switch detects the invalid ARP entry
(4) The switch sends a gratuitous ARP: "For IP address 192.168.0.1 the correct MAC address is ..:60"
(5) ARP cache restored: 192.168.0.1 → ..:60
68. IP Security: conceptual view (IP Source Lockdown)
Same topology and DHCP binding table as above: endpoint 1 is 192.168.0.8 / 00:0B:7D:25:F7:23, endpoint 2 is 192.168.0.22 / 00:0B:7D:31:AD:F2, the gateway is 192.168.0.1 / 00:04:96:10:46:60.
(1) Traffic arrives on an untrusted port with a source IP address of 192.168.0.8 that does not match the binding for that port and MAC
(2) The switch blocks the traffic since the source IP address is spoofed
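The four IP security views above (trusted DHCP ports, the DHCP-snooping binding table, gratuitous ARP protection and IP source lockdown) modelled as one switch decision engine, as an added example that is not code from the slides or from ExtremeXOS. The endpoint and gateway addresses are the ones in the diagrams; the port names, the DHCP message shapes and the exact verdict strings are constructed, and the static binding for the gateway is an assumption (the page does not say how the gateway's entry is learned).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str


class IpSecuritySwitch:
    """Decisions for DHCP server messages, ARP claims and IP packets, all
    driven by which ports are trusted and by the DHCP binding table."""

    def __init__(self, trusted_ports: Set[str], gateway: Optional[Binding] = None) -> None:
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}          # keyed by IP address
        if gateway is not None:                         # assumed static entry for the router
            self.bindings[gateway.ip] = gateway

    def dhcp_server_message(self, ingress_port: str, client_mac: str, client_port: str, ip: str) -> str:
        """Trusted DHCP + snooping: server OFFER/ACK only counts on a trusted port;
        an ACK seen there creates the client's MAC/IP/port binding."""
        if ingress_port not in self.trusted:
            return "drop: DHCP server message on untrusted port (rogue server)"
        self.bindings[ip] = Binding(client_mac.lower(), ip, client_port)
        return f"forward: bound {ip} to {client_mac.lower()} on {client_port}"

    def arp(self, ingress_port: str, sender_mac: str, sender_ip: str) -> str:
        """Gratuitous ARP protection: 'sender_ip is at sender_mac' must match the
        binding table; otherwise drop it and re-advertise the correct mapping."""
        if ingress_port in self.trusted:
            return "forward"
        b = self.bindings.get(sender_ip)
        if b is None or b.mac != sender_mac.lower():
            fix = f", send gratuitous ARP {sender_ip} -> {b.mac}" if b else ""
            return f"drop: invalid ARP entry {sender_ip} -> {sender_mac.lower()}{fix}"
        return "forward"

    def ip_packet(self, ingress_port: str, src_mac: str, src_ip: str) -> str:
        """IP source lockdown: the source IP must be bound to this MAC on this port."""
        if ingress_port in self.trusted:
            return "forward"
        b = self.bindings.get(src_ip)
        if b is None or b.mac != src_mac.lower() or b.port != ingress_port:
            return f"drop: source {src_ip} spoofed on {ingress_port}"
        return "forward"


def run_scenario() -> List[Tuple[str, str]]:
    # Addresses from the page's diagrams; port names are constructed.
    gateway = Binding("00:04:96:10:46:60", "192.168.0.1", "1:24")
    sw = IpSecuritySwitch(trusted_ports={"1:24"}, gateway=gateway)
    ep1_mac, ep2_mac = "00:0B:7D:25:F7:23", "00:0B:7D:31:AD:F2"
    return [
        ("rogue DHCP offer on untrusted port 1:2",
         sw.dhcp_server_message("1:2", ep1_mac, "1:1", "192.168.0.99")),
        ("DHCP ACK via trusted port for endpoint 1",
         sw.dhcp_server_message("1:24", ep1_mac, "1:1", "192.168.0.8")),
        ("DHCP ACK via trusted port for endpoint 2",
         sw.dhcp_server_message("1:24", ep2_mac, "1:2", "192.168.0.22")),
        ("..:F2 claims the gateway IP via gratuitous ARP",
         sw.arp("1:2", ep2_mac, "192.168.0.1")),
        ("endpoint 2 announces its own IP",
         sw.arp("1:2", ep2_mac, "192.168.0.22")),
        ("endpoint 2 sends with source 192.168.0.8",
         sw.ip_packet("1:2", ep2_mac, "192.168.0.8")),
        ("endpoint 1 sends with its own source",
         sw.ip_packet("1:1", ep1_mac, "192.168.0.8")),
    ]


if __name__ == "__main__":
    for event, verdict in run_scenario():
        print(f"{event:48s} -> {verdict}")
```

The binding table is only ever written from the trusted port, which is what makes the later ARP and source-IP checks meaningful: a host on an untrusted port cannot plant an entry that would later vouch for its own spoofed traffic.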