Transcript Why D-Link
Business Solution Seminar 2008
xStack: Multiply Your Potential
October - November 2008, D-Link Indonesia
D-Link Confidential

Agenda
• Challenges for Your Network
• D-Link Solutions
• Success Cases
• Why D-Link

Challenges for Your Network
• Availability: slow, unstable
• Security: virus infection, worm outbreak, intrusion, Trojan, hackers
• Manageability: ease of management, multi-vendor boxes
• Performance: upgrade, service classification, QoS, device efficiency

Security Breaches in Today's Network: Campus Network
IP and MAC address management is hard to realize!
[Diagram: data center behind core switches; threats shown: Man-in-the-Middle Attack, Rogue DHCP Server, ARP Spoofing Attack, Loop Connection]

Security Breaches in Today's Network: Enterprise Network
[Diagram: threats shown: Attack & Intrusion, Rogue DHCP Server, Worm Outbreak, Unauthorized Access]

D-Link Solutions
• Integrated Security: E2ES (End-to-End Security)
• High Availability: from hardware to software, robust L2 to L3 design
• QoS: comprehensive traffic classification and prioritization
• Manageability: solutions designed for SMB and large enterprise/campus networks
• Green Ethernet: reduce IT costs and minimize the environmental impact
• Affordability: pay as your company grows

E2ES - End-to-End Security Solution
[Diagram: Gateway Security, Endpoint Security and Joint Security surrounding the enterprise network]

D-Link's End-to-End Security (E2ES) Solutions
D-Link innovates comprehensive security solutions aimed at providing end-to-end threat containment and protection. They consist of the following three components:
• Gateway Security: D-Link IPS/UTM firewall
• Endpoint Security: enhanced security features on xStack switches
• Joint Security: Microsoft NAP and D-Link ZoneDefense

E2ES Gateway Security Solution: NetDefend IPS/UTM Firewall Family
• ICSA Labs certified integrated firewall/VPN appliance with outstanding performance
• Unified Threat Management: Intrusion Prevention Service (IPS), Anti-Virus (AV) protection, Web Content Filtering (WCF), Anti-Spam
• Joint security with xStack switches via D-Link's unique ZoneDefense technology

E2ES Endpoint Security Solution
Numerous security features are added to the xStack switch to achieve threat control and containment, ensuring that malicious traffic can be stopped at the edge of the network. Field proven by success in ETTH/FTTB, campus networks and enterprise markets.

xStack Switch Endpoint Security
• Authentication: 802.1X authentication, Web-Based Access Control (WAC), MAC-Based Access Control (MAC)
• Authorization: dynamic VLAN assignment, Guest VLAN, identity-based VLAN/QoS
• Traffic control: traffic segmentation, Access Control List (ACL)
• Node/address control: port security, IP-MAC-Port Binding
• Attack mitigation: L2-L7 ACL, IP-MAC-Port Binding, broadcast storm control

E2ES Endpoint Security Solution: 802.1X Authentication
Port-based 802.1X: once a port is authorized by one client, the other users connecting to the same port through a hub or switch can pass through the switch.
MAC-based 802.1X:
1. Once a port is authorized by a client, only this client can pass through the switch.
2. The switch not only checks the username/password, but also checks whether the maximum number of allowed MAC addresses has been reached. If reached, new MAC addresses are denied.

Port-based 802.1X example
[Diagram: DES-3828 with port-based 802.1X enabled on ports 1-12; port 1 connects to an L2 switch/hub with three WinXP hosts (James, Gary, Ryan) using the built-in 802.1X client; the RADIUS server service on a Windows 2003 server at 192.168.0.10 holds user James with password 123; the DES-3828 reaches the Internet via 192.168.0.100]
James logs in with username James / password 123 and the RADIUS server confirms it. All of the clients connected to the L2 hub can pass through the switch (DES-3828) once one client (James) is authenticated.

MAC-based 802.1X example
[Diagram: the same topology with MAC-based 802.1X enabled on ports 1-12]
Each client needs to provide a correct username/password to pass authentication before it can access the network. The DES-3828 is only capable of learning up to 16 MAC addresses per port.
NOTICE: The L2 switch or hub should support 802.1X pass-through. Otherwise the 802.1X packet (destination MAC 0180c2000003, inside the IEEE reserved range 0180c2000001~0F) will be dropped by that switch and therefore cannot reach the DES-3828.

E2ES Endpoint Security Solution: MAC-Based Access Control using the switch's local database
[Diagram: DI-804 as DHCP server and gateway to the Internet; DES-3828 with MAC access control enabled on its ports; an L2 switch or hub in front of two non-802.1X clients. The switch's local database holds one MAC list entry, 00-0F-B0-97-E7-C6. Client_1 (00-0F-B0-97-E7-C6) sends ARP and DHCP packets and is matched ("Found matched MAC address!!!"); Client_2 (00-15-F2-A9-0B-C2) is not in the list ("No such MAC address!!!")]
Ports with "MAC Access Control" enabled are capable of authenticating up to 16 entries of MAC addresses per physical port.

E2ES Endpoint Security Solution: Web-Based Authentication
Web-Based Authentication (WAC) is a feature designed to authenticate a user when the user is trying to access the network via the switch. It is an alternative port-based access control method besides IEEE 802.1X. The authentication process uses the HTTP protocol. When a user tries to browse a web page (e.g., http://www.google.com) through a web browser (e.g., IE), and the switch detects HTTP packets on a port that is not yet authenticated, the browser pops up a username/password screen to query the user. If the user passes the authentication process, the port is authenticated and the user can access the network.
Switch role: the switch can be the authentication server itself and authenticate against a local database, or it can be a RADIUS client and perform the authentication process with a remote RADIUS server.
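The two 802.1X modes from the slides above, as an added example (not D-Link code): a Python model of one DES-3828 port in port-based and MAC-based mode, including the 16-MAC-per-port limit and the reserved-range check behind the pass-through notice. The hosts' MAC addresses and the Gary/Ryan passwords are constructed; James/123 is from the slides.

```python
from dataclasses import dataclass, field

MAX_MAC_PER_PORT = 16                   # the DES-3828 learns up to 16 MAC addresses per port
EAPOL_PAE_GROUP = "01-80-C2-00-00-03"   # destination MAC of 802.1X (EAPOL) frames

# Constructed stand-in for the RADIUS user database (James/123 is from the slides).
USERS = {"James": "123", "Gary": "456", "Ryan": "789"}


def is_bridge_reserved(mac: str) -> bool:
    """True for 01-80-C2-00-00-00 .. 0F, the range an 802.1D bridge must not forward.
    A hub or switch without 802.1X pass-through therefore drops EAPOL frames."""
    raw = mac.replace("-", "").replace(":", "").lower()
    return len(raw) == 12 and raw.startswith("0180c20000") and int(raw[10:12], 16) <= 0x0F


@dataclass
class Dot1xPort:
    mode: str                                    # "port" or "mac"
    authorized: bool = False                     # port-based: one flag for the whole port
    auth_macs: set = field(default_factory=set)  # MAC-based: one entry per supplicant

    def authenticate(self, mac: str, user: str, password: str) -> bool:
        """Run the username/password check the RADIUS server would perform."""
        if USERS.get(user) != password:
            return False
        if self.mode == "port":
            self.authorized = True               # opens the port for every host behind it
            return True
        # MAC-based: also check whether the per-port MAC limit has been reached.
        if mac not in self.auth_macs and len(self.auth_macs) >= MAX_MAC_PER_PORT:
            return False                         # limit reached: deny the new MAC
        self.auth_macs.add(mac)
        return True

    def forwards(self, mac: str) -> bool:
        """Would a data frame from this MAC be forwarded by the switch?"""
        return self.authorized if self.mode == "port" else mac in self.auth_macs


def demo() -> dict:
    # Constructed MAC addresses for two of the hosts on the hub.
    james, gary = "00-AA-00-00-00-01", "00-AA-00-00-00-02"
    port_based, mac_based = Dot1xPort("port"), Dot1xPort("mac")
    port_based.authenticate(james, "James", "123")
    mac_based.authenticate(james, "James", "123")
    return {
        "port_based_gary_passes": port_based.forwards(gary),   # rides on James' session
        "mac_based_gary_passes": mac_based.forwards(gary),     # must authenticate himself
        "eapol_needs_passthrough": is_bridge_reserved(EAPOL_PAE_GROUP),
    }
```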
Web-Based Authentication based on local database
[Diagram: DI-624 at 10.10.10.10 as DHCP server with IP pool 10.10.10.50 - 10.10.10.100 and gateway to the Internet; a web server at 10.10.10.101; Client PC1 (10.10.10.11), PC2 (10.10.10.12) and PC3 (10.10.10.13) on the switch's authentication ports 1-12; 10.10.10.1 is shown for the switch. Steps shown: 1. Which web page do you want to redirect to? 2. Authentication ports (ports 1-12). 3. Local database (create users), e.g. user James with password 123, user Will with password 456, ...]
Ports 1-12 are configured as web-authentication enabled ports. Every PC connected to those ports needs to pass username/password authentication; after that, it can access the network. The username/password/VLAN database is stored in the switch itself in this example, so there is no RADIUS server.
Note: In the current design, the maximum number of local database entries equals the number of switch ports. For example, the DES-3828 supports 28 entries (i.e., at most 28 local users).

E2ES Endpoint Security Solution: D-Link IP-MAC-Port Binding (Address Binding)
IP-MAC-Port binding is an enhancement of IP-MAC binding. The enhanced feature decides which port(s) will be allowed to receive packets according to the "IP-MAC" information. All packets are dropped by the switch unless their MAC address, IP address and connected port entirely match the address-binding list.

ARP and ACL mode of IP-MAC-Port binding
There are two modes of D-Link IP-MAC-Port binding, "ARP mode" and "ACL mode".
• ARP mode: the default setting is ARP mode. When you create an entry in the IP-MAC-Port Binding record, the entry belongs to ARP mode. If a user creates an entry in ARP mode and afterwards enables ACL mode, the created entry will not be added to an ACL rule.
• ACL mode: if a user enables ACL mode, the switch automatically creates an ACL rule mapping each IP-MAC-Port Binding entry.

Example 1 - Prevent ARP scan with ARP mode
[Diagram: Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1, Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25, and a hacker PC (MAC AA-BB-CC-DD-EE-FF) on port 10 running an ARP scan]
Switch FDB table:
  Port No.   MAC Address
  Port 10    AA-BB-CC-DD-EE-FF
  Port 1     00-C0-9F-86-C2-5C
  Port 25    00-50-18-21-C0-E1
IP-MAC-Port binding list:
  IP Address      MAC Address         Ports   Mode
  192.168.0.10    00-15-F2-A9-0B-C2   1-10    ARP
When the switch detects an ARP broadcast from port 10 that does not match any entry in the IP-MAC-Port Binding list, the hacker PC is blocked.

ARP Poisoning
[Diagram: PC 1 (IP 192.168.0.100, MAC 00-C0-9F-86-C2-5C) on port 1, PC 2 (IP 192.168.0.1, MAC 00-50-18-21-C0-E1) on port 8, and a hacker PC (IP 192.168.0.2, MAC AA-BB-CC-DD-EE-FF) on port 24. Step 1: the hacker PC sends an ARP request (dst FF:FF:FF:FF:FF:FF). Step 2: the ARP tables of PC1 and PC2 are poisoned.]
Switch FDB table:
  Port No.   MAC Address
  Port 24    AA-BB-CC-DD-EE-FF
PC1 ARP table after poisoning:
  IP Address     MAC Address
  192.168.0.1    AA-BB-CC-DD-EE-FF
PC2 ARP table after poisoning:
  IP Address      MAC Address
  192.168.0.100   AA-BB-CC-DD-EE-FF
ARP does not have any authentication mechanism; therefore, any ARP reply packet received by a device will force it to update its ARP cache!! The poison packet tells PC1 that it can find PC2 at the hacker MAC AA-BB-CC-DD-EE-FF and, at the same time, tells PC2 that it can find PC1 at the hacker MAC AA-BB-CC-DD-EE-FF. At this point, the communication between PC1 and PC2 goes through the hacker PC and bypasses the switch.

ARP Poisoning (continued)
[Diagram: the same topology; PC 1 is labelled IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C on port 1; PC 2 IP 192.168.0.1, MAC 00-50-18-21-C0-E1 on port 8; the hacker PC IP 192.168.0.2 (spoofed), MAC AA-BB-CC-DD-EE-FF on port 24]
Switch FDB table:
  Port No.   MAC Address
  Port 24    AA-BB-CC-DD-EE-FF
  Port 1     00-C0-9F-86-C2-5C
  Port 8     00-50-18-21-C0-E1
PC1 ARP table:
  IP Address     MAC Address
  192.168.0.1    AA-BB-CC-DD-EE-FF
PC2 ARP table:
  IP Address      MAC Address
  192.168.0.100   AA-BB-CC-DD-EE-FF
The traffic between PC1 and PC2 has been redirected to the hacker PC. The hacker PC forwards the packets on to the correct destinations. If the hacker PC did not re-route the packets, the communication between PC1 and PC2 would be interrupted until they refresh their ARP tables.
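The IP-MAC-Port binding check from the slides above, as an added example (not D-Link switch code): a per-frame filter that, as the slides describe, validates ARP packets in ARP mode and, in ACL mode, applies the same IP/MAC/port match to IP packets as well, blocking the offending host on a mismatch. The binding list for Client A (port 1) and Server B (port 25) and the hacker's address are taken from the slides; the replayed frames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    port: int        # ingress switch port
    src_mac: str     # Ethernet source / ARP sender hardware address
    src_ip: str      # IP source / ARP sender protocol address
    proto: str       # "arp" or "ip"


class IpMacPortBinding:
    def __init__(self, mode: str = "arp"):
        self.mode = mode          # "arp" (the default) or "acl"
        self.entries = {}         # ip -> (mac, allowed ports)
        self.blocked = set()      # MACs the switch shut out after a violation

    def add(self, ip: str, mac: str, ports) -> None:
        self.entries[ip] = (mac.lower(), set(ports))

    def inspects(self, frame: Frame) -> bool:
        # ARP mode validates ARP packets only; ACL mode maps each entry to an
        # ACL rule, so IP packets are checked against the list as well.
        return frame.proto == "arp" or self.mode == "acl"

    def allow(self, frame: Frame) -> bool:
        """Drop unless MAC, IP and ingress port all match one binding entry."""
        mac = frame.src_mac.lower()
        if mac in self.blocked:
            return False
        if not self.inspects(frame):
            return True
        entry = self.entries.get(frame.src_ip)
        if entry and entry[0] == mac and frame.port in entry[1]:
            return True
        self.blocked.add(mac)     # mismatch: block the offending host
        return False


CLIENT_A = ("192.168.0.10", "00-C0-9F-86-C2-5C", [1])    # from the slides
SERVER_B = ("192.168.0.11", "00-50-18-21-C0-E1", [25])
HACKER_MAC = "AA-BB-CC-DD-EE-FF"

FRAMES = {   # constructed replay of the slides' traffic
    "client_a_arp": Frame(1, CLIENT_A[1], CLIENT_A[0], "arp"),    # legitimate
    "client_a_moved": Frame(2, CLIENT_A[1], CLIENT_A[0], "arp"),  # right MAC/IP, wrong port
    "arp_scan": Frame(10, HACKER_MAC, "192.168.0.2", "arp"),      # Example 1: unbound host
    "arp_poison": Frame(10, HACKER_MAC, CLIENT_A[0], "arp"),      # Example 2: claims A's IP
    "spoofed_ip": Frame(10, HACKER_MAC, CLIENT_A[0], "ip"),       # IP packet with A's IP
}


def build(mode: str) -> IpMacPortBinding:
    impb = IpMacPortBinding(mode)
    for ip, mac, ports in (CLIENT_A, SERVER_B):
        impb.add(ip, mac, ports)
    return impb


def verdicts(mode: str) -> dict:
    """Judge every frame on a freshly built table so the verdicts are independent."""
    return {name: build(mode).allow(frame) for name, frame in FRAMES.items()}
```

Only "spoofed_ip" differs between the two modes; that is the gap ACL mode closes.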
If there is no traffic between the two PCs, a dynamic entry in the ARP table of each PC is flushed out after a timeout period. For this reason, the hacker PC must keep poisoning the two PCs at regular intervals.

Example 2 - Prevent the ARP poison attack (man-in-the-middle attack) with ACL mode
[Diagram, step 1: Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1 and Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25 exchange ARP; the hacker PC on port 10 listens and builds its own ARP table: 192.168.0.10 -> 00-C0-9F-86-C2-5C, 192.168.0.11 -> 00-50-18-21-C0-E1]
Switch FDB table:
  Port No.   MAC Address
  Port 1     00-C0-9F-86-C2-5C
  Port 25    00-50-18-21-C0-E1
IP-MAC-Port binding list:
  IP Address      MAC Address         Ports   Mode
  192.168.0.10    00-15-F2-A9-0B-C2   10      ARP
The hacker PC keeps quiet and keeps listening to the ARP packets coming from the other PCs to build its ARP table for this subnet.

[Diagram, step 2: the same topology with the binding list now in ACL mode; the hacker PC on port 10 sends ARP poisoning packets toward Client A and Server B]
IP-MAC-Port binding list:
  IP Address      MAC Address         Ports   Mode
  192.168.0.10    00-15-F2-A9-0B-C2   10      ACL
After the hacker gets Client A's and Server B's IP/MAC information, it sends ARP poisoning packets to attack them. At the same time, the switch detects the hacker and blocks the hacker PC.

D-Link Safeguard Engine
Safeguard Engine(TM) is designed to enhance the robustness of new switches and increases overall network serviceability, reliability and availability.
The CPU of a switch is designed to handle control information like STP, SNMP, web access etc.: SNMP polling, Spanning Tree BPDU packets, IGMP snooping, web management access. Some specific network packets are also forwarded to the CPU for processing, like ARP broadcast, unknown-destination unicast and IP broadcast.
But today's networks face blended threats like viruses and worms. During an infection they usually generate unexpected bulk "CPU interested" traffic (like ARP broadcast). It turns out the CPU becomes overloaded and is not able to respond to important tasks like management access, STP and SNMP polling.
With D-Link Safeguard Engine, the switch further identifies and prioritizes that "CPU interested" traffic, throttles the unwanted interruption and protects the switch operation. Thus, with Safeguard Engine, a D-Link switch shows its robustness especially under virus infection or worm scanning.

Technology Brief
When CPU utilization is over the Rising Threshold, the switch enters Exhausted Mode and takes the actions listed under Safeguard Engine actions. Conversely, when CPU utilization is lower than the Falling Threshold, the switch leaves Exhausted Mode and the Safeguard Engine function ceases.
• Rising Threshold: the user can set a percentage value <value 20-100> of rising CPU utilization which triggers the Safeguard Engine function. Once CPU utilization rises to this threshold value, the Safeguard Engine mechanism initiates.
• Falling Threshold: the user can set a percentage value <value 20-100> of falling CPU utilization which triggers the Safeguard Engine function to cease. Once CPU utilization falls to this threshold value, the Safeguard Engine mechanism shuts down.

Technology Brief (cont.): Safeguard Engine actions
• Limiting the bandwidth of receiving ARP packets: the user can implement this action in two ways, Strict Mode or Fuzzy Mode. When strict is chosen, the switch stops receiving ARP packets. When fuzzy is chosen, the switch minimizes the bandwidth for ARP packets by dynamically setting an acceptable bandwidth.
• Limiting the bandwidth of receiving IP broadcast packets: likewise in Strict Mode or Fuzzy Mode. When strict is chosen, the switch stops receiving all IP broadcast packets. When fuzzy is chosen, the switch minimizes the bandwidth for IP broadcast packets by dynamically setting an acceptable bandwidth.

Loopback Detection (LBD v4.0)
[Diagram: wireless guest PC, client, server and workstation behind an xStack switch; an unmanaged switch creates a loop]
• STP (Spanning Tree Protocol) independent
• Flexible settings for loop prevention: port-based or VLAN-based

E2ES Joint Security Solution
[Diagram: NetDefend firewall in front of applications and a DHCP server, serving kiosk, mobile user, telecommuter and partner; thieves and hackers shown as threats]
What does D-Link Joint Security provide? An integrated total solution that provides access control and real-time defense.
• Microsoft NAP: evaluation of security compliance before permitting connection; quarantine and remediation of non-compliant users; identity-based network admission control.
• D-Link ZoneDefense: any malicious traffic detected by the NetDefend firewall triggers the xStack switch to block it in real time. ZoneDefense technology makes the NetDefend firewall and xStack switch jointly work as one big virtual firewall system.
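Going back to the Safeguard Engine Technology Brief: an added example (not D-Link firmware) modelling Exhausted Mode entry and exit on the rising and falling thresholds, with the strict and fuzzy actions applied only to the ARP broadcast and IP broadcast packet types. The threshold values, the CPU load profile and the fuzzy rate formula are constructed; the slides only say fuzzy mode sets an acceptable bandwidth dynamically.

```python
CPU_INTERESTED = {"arp_broadcast", "ip_broadcast"}   # the two types Safeguard Engine limits


class SafeguardEngine:
    def __init__(self, rising=80, falling=50, mode="fuzzy", line_rate_pps=10_000):
        for t in (rising, falling):
            if not 20 <= t <= 100:
                raise ValueError("threshold must be in <value 20-100>")
        if falling >= rising:            # assumption: hysteresis needs falling < rising
            raise ValueError("falling threshold must be below rising threshold")
        self.rising, self.falling, self.mode = rising, falling, mode
        self.line_rate = line_rate_pps   # packets/s the CPU path accepts when healthy
        self.exhausted = False

    def sample(self, cpu_percent: float) -> bool:
        """Feed one CPU utilization reading; return whether Exhausted Mode is active."""
        if not self.exhausted and cpu_percent >= self.rising:
            self.exhausted = True        # rises to the Rising Threshold: initiate
        elif self.exhausted and cpu_percent <= self.falling:
            self.exhausted = False       # falls to the Falling Threshold: shut down
        return self.exhausted

    def budget(self, pkt_type: str, cpu_percent: float) -> int:
        """Packets/s of this type the switch will still receive at this CPU load."""
        if not self.exhausted or pkt_type not in CPU_INTERESTED:
            return self.line_rate        # BPDU, SNMP, web management etc. are untouched
        if self.mode == "strict":
            return 0                     # strict: stop receiving the type altogether
        # Fuzzy: shrink the acceptable rate as CPU load grows (constructed heuristic).
        return int(self.line_rate * (100 - cpu_percent) / 100)


def trace(samples, rising=80, falling=50, mode="fuzzy"):
    """Return (cpu, exhausted, arp_budget, bpdu_budget) per reading."""
    eng = SafeguardEngine(rising, falling, mode)
    out = []
    for cpu in samples:
        active = eng.sample(cpu)
        out.append((cpu, active, eng.budget("arp_broadcast", cpu), eng.budget("bpdu", cpu)))
    return out


# Constructed CPU readings during a worm scan: load stays above the falling
# threshold (50) after dropping below the rising one (80), so the engine holds on.
WORM_OUTBREAK = [30, 80, 95, 70, 55, 50, 30]
```

The readings at 70 and 55 show the hysteresis: Exhausted Mode stays on until utilization falls to the Falling Threshold, not merely below the Rising one.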
The NetDefend firewall is in charge of traffic inspection, and the xStack switch performs wire-speed filtering at port level.
Updated 2008/May

E2ES Joint Security Solution - NAP - ZoneDefense
[Diagram: wireless and 802.1X enforcement, a System Health Server, Microsoft Network Policy Server, DHCP enforcer server, RADIUS, remediation server and NetDefend firewall around the xStack switch; a guest client and a worm-infected client; the NetDefend firewall fronts applications and DHCP for kiosk, mobile user, telecommuter and partner, with thieves and hackers shown as threats]
• Compliant scenario: before connection, you should have a username/password or token. After login, the system checks the compliance policy. If compliant, you are allowed to connect to the network.
• Non-compliant scenario: if the client is not patch/virus updated, it can only reach the remediation server, health policy server and network policy server.
• Remediation scenario: the client gets patches, virus patterns etc. to correct its health status.
• Guest access scenario: guests are assigned restrictive access rights to the network.
• If any malicious attack happens: with D-Link ZoneDefense technology, the NetDefend firewall automatically notifies the xStack switch to block the infected host.
Host integrity rule status: Anti-Virus on, Anti-Virus updated, Personal Firewall on, Service Pack updated, Patch updated.
EAP status: user name, password, token.
D-Link's Joint Security Solution enables the integration of network security and PC endpoint security.

Manageability: D-Link SIM Technology
Provides single-IP-address management of up to 32 switches without being limited to specific models, specialized cables, distance barriers or stacking methods, and prevents a single point of failure. Straightforward visualization without additional software installation.

Manageability: D-View 6.0 NMS

Green Ethernet: Innovative "Green Ethernet" Technology
• General trend towards making products more green and eco-friendly.
• Market pressure and legislative action for energy-efficient networked equipment.
D-Link leads the industry by enabling its unique "Green Ethernet" technology on networking equipment. It reduces power consumption without sacrificing performance or functionality by detecting link status and cable length, which brings the benefits of less heat dissipation, extended product life and reduced operating cost.

Success Case - Metro Ethernet: D-Link's Proven Success in the Past 2 Years
In the Russia, Greater China and Northern Europe regions:
• Over 200k DES-3526 and 7k DES-3828 were sold as access switches
• Over 3k DGS/DXS-3300 and 4k DGS-3600 were sold as L3 distribution or aggregation switches
• DES-3528 is MEF 9 & 14 certified for EPL

Success Case - Corbina Telecom, Russia
[Diagram: DXS-3326GSR aggregation switches]
• Interoperability: comprehensive MIBs/logs, DHCP options, OSPF routing
• Robustness: STP convergence, against virus/worm flood
• QoS: advanced traffic classification, comprehensive bandwidth control, multicast optimization
• Security: IP-MAC-Port binding, abnormal traffic control, loopback detection
Deployment: DXS-3326GSR - 1,700 pcs; DES-3526 - 28,000 pcs

Success Case - Nittedal Multimedia, Norway
Requirement: build a Triple Play Gigabit FTTH/ETTH network providing data, VoIP, IPTV and VOD services for residential and business end-users. Number of users: 3000.
[Diagram: DGS-3324SR core with IPTV streamers and a DXS-3326GSR; DES-3010G access switches; 1G fiber, 1G copper and 10G stacking links]
• Stackability: 40G fault-tolerant stacking, virtual chassis
• Core: OSPF & PIM-SM
• QoS: advanced traffic classification, comprehensive bandwidth control, multicast optimization
Deployment: DGS-3324SR - 130 pcs; DXS-3326GSR - 25 pcs; DES-3010G - 750 pcs
Updated 2008/Apr

Success Case - Chiba University Hospital, Japan
[Diagram: DGS-3600 L3 core switches in the data center and the new medical building; medical buildings and departments on DGS-3400; 10G fiber, 1G fiber and 10G stacking links]
• Interoperability: comprehensive MIBs/logs, OSPF routing
• Security: user identity control, abnormal traffic control
• Stackability: fault-tolerant 40G stacking
• Robustness: loopback detection, against virus/worm flood
Requirement: transmit high-resolution medical imaging over the network; send high volumes of patient data electronically; an extremely high availability network is required.
Deployment: DGS-3600 - 36 pcs; DGS-3400 - 197 pcs

Success Case - Beau Rivage Resort & Casino, USA
[Diagram: analog cameras through digital encoders to DGS-3324SR switches; recording servers, backup recording servers and a live monitoring station]
Requirement: support a digital video surveillance infrastructure; a highly reliable, fail-safe solution that can handle the massive traffic of thousands of video streams; 1,500+ cameras; 1,500+ multicast streams of real-time, high-resolution video; 112-camera live monitoring; OSPF + PIM-SM.
Deployment: DGS-3324SR - 15+ pcs

Complete Product Offerings
[Chart: feature level versus network complexity]
• xStack Series: 24/48 port 10/100, Gigabit & 10G Ethernet; 19" rack mountable & chassis; L2+/L3+ full management; featured D-Link SIM support; complete security features; comprehensive QoS control; Safeguard Engine embedded; ZoneDefense with NetDefend Firewall
• DES/DGS-3000 Series, standard managed switch: 8/16/24/48 port; 10/100 & Gigabit Ethernet; 11"/19" rack mountable; CLI, Web, SNMP support; 802.1D/P/Q, RMON ..; most cost-effective managed switch
• DES/DGS-1200 Series, web smart switch: 16/24/48 port; 10/100 & Gigabit Ethernet; 19" rack mountable; web manageable; unmanaged price with management features
• DES/DGS-1000 Series, unmanaged switch: 5/8/16/24/48 port; 10/100 & Gigabit Ethernet; desktop size, 11"/19" rack mountable; quality & stable; cable diagnostic support* (* available on DGS-1005/08/26/24D)

Why D-Link
• Comprehensive wired, wireless and security solutions
• Enable the integration of network & PC/endpoint security
• Carrier-customer tested, field proven and affordable
• Branch offices in 60+ countries, committed to global and local support

Q&A
Thanks !!