Transcript Slide 1
AT-9424 Product Overview
Managed Gigabit Switch with Denial of Service (DoS) Attack Protection
Allied Telesyn AT-9424
Gigabit Ethernet Switch for the Edge
First security focused gigabit switch for the access edge
– Detects and protects against 6 DoS attack variants
– Classifiers and ACLs provide additional customizable security
– Also offers a competitive base feature set outside of security
• Available Now
• 24 10/100/1000 ports and 2 SFPs or GBICs in 1 RU
• Part Numbers: AT-9424T/SP-10 & AT-9424T/GB-10
Newest Addition to Extensive Switch Portfolio
Layer 3: 8600 Family (Power over Ethernet), 8800 Family, 9624 (TBD), 8924, 9800 Family, 9900 Series, SwitchBlade
Enterprise and Service Providers needing:
• Large network applicability
• High degree of traffic manipulation and management
• Multiple redundancy options
• Customizable script based actions for network management and security
Layer 2 Plus: 8500 Family (Power over Ethernet)
Layer 2: 8000 Family, 8300 Stackable Family, 8400 Modular Chassis
Small to Medium Enterprise needing:
• Simplified management
• VoIP optimization
• Security
Small to Medium Business needing:
• Low cost
• Simple management
• Connectivity for less than 1,000 users
(Diagram axis, left to right: Workgroup, Wiring Closet, Enterprise, NSP Backbone, NSP)
AT-9424 – Target Markets
These organizations need gigabit and DoS attack protection
– They have users who bring laptops in and out of the network, making the network susceptible to hosting DoS attacks
AT-9424 the Gig Switch of Choice for:
Security Conscious Medium to Small organizations (50-1000 users)
– The 9424 is the only switch in its class with attack detection and suppression
– 54% of respondents to the Network Computing Reader Survey plan to invest more in security than in anything else
SMEs and SMBs moving towards Gig-to-the-desk
– Cost effective and more secure
SMEs seeking a simple server aggregation switch
– Rich quality of service (QoS) capabilities
SMEs who want to eliminate distribution tier bottlenecks
– Wirespeed gigabit switching in a compact form factor
The Denial of Service Threat
A denial of service attack is a network infrastructure attack that is targeted towards:
– Network equipment (routers, switches)
– Services (e-mail, file servers)
– Groups of computers (PCs)
Today IT attempts to address this issue in its WAN-facing security hardware, but since this attack is coming from the inside, the traffic is already clogging the network.
(Diagram: End Points – LAN – WAN Edge – Internet)
Host systems are often infected by spam email, web browsing and laptops used outside of the network.
Excess phony traffic from the DoS zombie clogs the network.
If the attack is successful it is a liability to the host network company.
AT-9424 – Service Highlights
L2-L4 Intelligent Services
• Rate Limiting (Ingress & Egress)
• 8 hardware queues per port
• 802.1p for MAC-based QoS
• Layer 2, 3 and 4 classifiers
• DiffServ for IP-based QoS
• CoS to DSCP remarking
• QoS ACLs
Redundancy
• 802.1w Rapid STP
• 802.1s Multiple STP
• 802.1D Spanning Tree
• Redundant Power Supply Option
• 802.3ad Link Aggregation (LACP)
Advanced Security
• Attack Detection / Suppression
• MAC Address Lockdown
• RADIUS / TACACS+
• SSHv2 & SSL
• Port Security
• 802.1x
AT 9424’s Layer 2-4 Intelligence
Layer 2-4 intelligence is looking deep into the packet headers and using classifiers to take action on what is found there.
Using Layer 2-4 Intelligence for security
• The ability to allow and disallow access to networks and network resources based on:
– L2: MAC Address, Source/Destination or both
– L3: IP Address, Source/Destination or both
– L4: TCP and UDP port number
Using Layer 2-4 Intelligence for QoS
• The ability to prioritize and/or rate limit traffic based on:
– L2: MAC Address, Source/Destination or both
– L3: IP Address, Source/Destination or both
– L4: TCP and UDP port number
Using Layer 2-4 Intelligence for management
• The ability to mirror traffic based on:
– L2: MAC Address, Source/Destination or both
– L3: IP Address, Source/Destination or both
– L4: TCP and UDP port number
AT 9424’s Attack Detection and Suppression
AT 9424’s DoS-Attack Protection Feature
• A firewall supplement, not a firewall replacement
• It is a cost-effective additional layer of security
• It handles attacks that come from the inside and prevents them from clogging the network and affecting other services like VoIP
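The page does not describe how the AT-9424 detects its DoS variants, so the following is only a generic illustration of the idea in the bullets above, added here as an example and not Allied Telesyn code: an access switch watches the frame rate on each ingress port, puts a port that exceeds a threshold into hold-down, and keeps forwarding traffic from other ports (such as an IP phone) while the flooding host is suppressed. The threshold, window, hold-down, ports, MACs and addresses are all constructed values.

```python
"""Rate-based flood detection and suppression at an access port (added
example; not Allied Telesyn code). The page does not describe how the
AT-9424 detects its DoS variants, so this shows only the generic idea:
an internal host that floods the LAN is spotted by the frame rate on
its ingress port and suppressed there for a hold-down period, while
traffic from other ports keeps flowing. All traffic is constructed
sample data; time is in integer milliseconds to avoid float drift.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple


class Frame(NamedTuple):
    t_ms: int       # arrival time in milliseconds
    port: int       # ingress port
    src_mac: str
    dst_ip: str


class FloodGuard:
    """Sliding-window frame counter per ingress port."""

    def __init__(self, threshold: int, window_ms: int, holddown_ms: int):
        self.threshold = threshold        # max frames per window per port
        self.window_ms = window_ms
        self.holddown_ms = holddown_ms
        self._recent: Dict[int, Deque[int]] = defaultdict(deque)
        self.suppressed_until: Dict[int, int] = {}
        self.events: List[str] = []       # human-readable detection log

    def admit(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if dropped."""
        until = self.suppressed_until.get(f.port)
        if until is not None and f.t_ms < until:
            return False                  # port is in hold-down: drop
        q = self._recent[f.port]
        q.append(f.t_ms)
        while q and q[0] <= f.t_ms - self.window_ms:
            q.popleft()                   # expire frames outside the window
        if len(q) > self.threshold:
            self.suppressed_until[f.port] = f.t_ms + self.holddown_ms
            self.events.append(
                f"t={f.t_ms}ms port {f.port} ({f.src_mac}) exceeded "
                f"{self.threshold} frames/{self.window_ms}ms; "
                f"suppressed for {self.holddown_ms}ms")
            q.clear()
            return False
        return True


def simulate(frames: List[Frame], guard: FloodGuard) -> Dict[int, Dict[str, int]]:
    """Replay frames in time order and count forwarded/dropped per port."""
    stats: Dict[int, Dict[str, int]] = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for f in sorted(frames, key=lambda x: x.t_ms):
        stats[f.port]["forwarded" if guard.admit(f) else "dropped"] += 1
    return dict(stats)


def sample_traffic() -> List[Frame]:
    """Constructed 2-second capture: an infected laptop on port 3 blasting
    500 frames/s at the mail server, and an IP phone on port 7 at 50 frames/s."""
    frames = [Frame(i * 2, 3, "aa:bb:cc:00:00:03", "10.1.0.25") for i in range(1000)]
    frames += [Frame(i * 20, 7, "aa:bb:cc:00:00:07", "10.1.0.40") for i in range(100)]
    return frames


def run_demo():
    """Threshold of 200 frames per second with a 1 s hold-down (constructed)."""
    guard = FloodGuard(threshold=200, window_ms=1000, holddown_ms=1000)
    stats = simulate(sample_traffic(), guard)
    return stats, guard.events


if __name__ == "__main__":
    stats, events = run_demo()
    for port in sorted(stats):
        print(f"port {port}: {stats[port]}")
    for e in events:
        print(e)
```

The guard keys on the ingress port rather than on the source address, because that is what an edge switch can enforce and because a flooding host may change or spoof its addresses. Over the constructed two-second capture the laptop on port 3 is suppressed twice and loses 600 of its 1000 frames, while all 100 frames from the phone on port 7 are forwarded.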
Primary Application Example: Gigabit-to-the-Desk
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– 802.1x
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Advanced QoS
– Wire speed
– Attack detection and suppression
– GARP / GVRP
– Broadcast storm control
– Port Security (MAC Lockdown)
– IGMP Snooping
Other Application Examples: Server Aggregation
(Diagram: End Points – Servers – LAN – WAN Edge – Internet)
Supporting Features
– Rapid reconvergence (802.1w)
– Automatic port fail-over
– Link aggregation (LACP)
– Optional Redundant Power Supply
– QoS
– SFPs
– Attack detection and suppression
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Broadcast storm control
Other Application Examples: Access Switch Aggregation
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– Attack detection and suppression
– Multiple STP
– CoS to DSCP remarking
– Rapid reconvergence (802.1w)
– Link aggregation (LACP)
– QoS
– SFPs
– Optional Redundant Power Supply
– ACLs
– Rate limiting
– Broadcast storm control
Other Application Examples: Small Business Mini-core
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– Wirespeed Gigabit
– QoS
– Link aggregation
– Optional Redundant Power Supply
– Broadcast storm control
– Attack detection and suppression
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Bad cable detection
Most Compelling L2-4 Gigabit Switch
AT-9424
Everything you expect and more…
– Attack detection and suppression
– Advanced QoS capabilities
– L2-4 intelligence for custom security, management and QoS control
Available SFP Modules
Product Name      Speed     Distance   Ports
AT-SPSX           Gigabit   500m       MM Fiber
AT-SPLX10         Gigabit   10km       SM Fiber
AT-SPLX40         Gigabit   40km       SM Fiber
AT-SPLX40/1550    Gigabit   40km       SM Fiber
AT-SPZX80/xxxx    Gigabit   80km       SM Fiber
xxxx = Wavelengths: 1470, 1490, 1510, 1530, 1550, 1570, 1590, 1610
Available GBIC Modules
Product Name      Speed     Distance   Ports
AT-G8T            Gigabit   100m       Copper
AT-G8SX-01        Gigabit   500m       MM Fiber
AT-G8LX10         Gigabit   10km       SM Fiber
AT-G8LX25         Gigabit   25km       SM Fiber
AT-G8LX40         Gigabit   40km       SM Fiber
AT-G8LX70         Gigabit   70km       SM Fiber
AT-RPS3204
Redundant Power Supply Option
AT-9424 Feature Summary
Security
• Attack detection and suppression (6 DoS variants)
• 802.1x
• Port security
• TACACS+
• RADIUS Authentication and Accounting
• ACLs by: packet type, IP address, protocol, port number, MAC address and VLAN
• Unknown unicast/multicast blocking
Redundancy
• 802.1D Spanning Tree Protocol
• 802.1w Rapid Spanning Tree
• 802.3ad Link-Aggregation (LACP)
• Bad Cable Detection
• Broadcast Storm Control
• 802.1s Multiple STP (compatible with PVST+)
QoS
• 802.1p Class of service
• Strict Priority and Weighted Round Robin
• ToS
• DiffServ
• CoS to DSCP mapping / remarking
• Ingress and egress rate limiting by port and flow
• RFC 2236 IGMP Snooping (Ver. 2.0)
• RFC 1112 IGMP Snooping (Ver. 1.0)
Scalability
• Switch cluster management
• 8 ports per trunk group
Management and Monitoring
• Web, CLI, Telnet, Serial
• SNMP v1, v2c, v3
• RMON 1 (Groups: 1, 2, 3, 9)
• Port-Mirroring
• ASCII-based config file
• Event Log
• RFC 951 BOOTP
• RFC 1350 TFTP
VLANs
• Port-based VLAN (4096)
• GARP/GVRP
• IEEE 802.1v VLAN Classification by Protocol / IP Subnet
• Upstream forwarding only VLANs
• 802.1Q VLAN bridge
• 802.3ac VLAN tagging extensions
• 802.3x flow control
Thank You
Competitive Positioning
AT-9424
Competitive Landscape
• 3com SuperStack 3 Switch 3824
• 3com SuperStack 3 Switch 3870
• Cisco Catalyst 2970G-24TS
• HP ProCurve Switch 2824
• Foundry EdgeIron 24GS (FES2402CF)
• Enterasys Matrix C1G124-24
Selling Against 3com SuperStack 3 Switch 3824
24 10/100/1000 ports – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
– No attack detection & suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– Not PVST+ compatible
– No 802.1s support
– No redundant power supply option
– No access control lists
– No SSL or SSH for management
– No RADIUS accounting
– No strict priority queuing
– No rate limiting
– No Telnet
– No BootP support
Selling Against 3com SuperStack 3 Switch 3870
24 10/100/1000 ports – 4 SFP slots
Their Deficiencies Compared to Allied Telesyn
– No attack detection & suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– Not PVST+ compatible
– No 802.1s support
– Limited ACL capabilities
– No CoS to DSCP mapping / remarking
– No flow based rate limiting
– No BootP support
Selling Against Cisco 2970G-24TS
24 10/100/1000 ports – 4 SFP slots
Their Deficiencies Compared to Allied Telesyn
– They are priced at a premium
– No attack detection & suppression
– No MAC address based VLANs
– No RADIUS accounting
Selling Against HP ProCurve Switch 2824
20 10/100/1000 ports – 4 SFP/TX combo ports
Their Deficiencies Compared to Allied Telesyn
– No attack detection & suppression
– No CoS to DSCP mapping / remarking
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– No WRR queuing
– No access control lists
– No rate limiting
– Not PVST+ compatible
Selling Against Foundry EdgeIron 24GS (EIF24G-A)
24 10/100/1000 ports – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
– Priced at a premium
– No attack detection & suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– No 802.1s support
– No access control lists
– No RADIUS accounting
– No rate limiting
– No NTP or SNTP support
– No redundant power supply option
Selling Against Enterasys Matrix C1G124-24
24 10/100/1000 ports – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
– No attack detection & suppression
– No MAC address based VLANs
– No VLAN Classification by Protocol / IP Subnet
– Not PVST+ compatible
– No 802.1s (Multiple STP)
– No switch cluster management
– No RADIUS accounting
– Limited ACL capabilities
– No TACACS+
– No CoS to DSCP Mapping / Remarking
– No flow based rate limiting
– No NTP or SNTP
– No BootP support
Allied Telesyn AT-9424 Managed 24-port Gigabit Switch + 2 SFPs
Exceeding Expectations: Attack Protection, Advanced QoS, Layer 2-4 Intelligence
• 24 x 10/100/1000 auto-sensing ports
– 2 unpopulated combo SFP slots (mini GBICs)
• Wirespeed, non-blocking performance
– 48-Gbps switching capacity
– 35.7-Mpps forwarding rate
• 1 Rack-mount Unit (RU) high form factor allows for rack space optimization
• 8 hardware queues
• RJ45 Console port
• Ingress and egress rate limiting
Thank You
IEEE 802.1s (Multiple Spanning Tree)
Old Spanning Tree
• 802.1D – STP
– Allows all or blocks all VLANs coming from a port
– Slow convergence
• 802.1w – RSTP
– Allows all or blocks all VLANs coming from a port
• Non standards-based PVST
– Consumes too much CPU time and network bandwidth (with control traffic)
802.1s advantages:
• Eliminates all limitations mentioned above
Image Source: NetworkWorldFusion, ‘802.1s solves architecture issues’ 08/04/03
IEEE 802.1s as Ethernet Services
802.1s with VLAN Services
• Alternative to Transparent LAN Services (aka Private Line Services)
• Ethernet is cheaper and more bandwidth efficient compared to TDM or ATM-based TLS
• Enables a large “flat” switched network for university campuses
– Department with offices around “Access Ring #1” only: VLAN RED
– Department with offices around “Access Ring #1” & “Core Ring”: VLAN BLUE
– Department with offices spanning across “All Rings”: VLAN BLACK
(Diagram: Access Ring #1 – Campus Core Ring – Access Ring #2)
IEEE 802.1x (Port-Based Network Access Control)
• Prevents unauthorized use of network resources, such as bandwidth and servers
• “Multi-Supplicant” and “Authenticator” modes are supported to allow indirect and direct host attachments
• Verified with all popular 802.1x clients, such as Win-XP and Aegis Meeting House
• 8500 offers “Tiered Security” with 802.1x authentication and DoS-attack protection