Why D-Link
Business Solution Seminar 2008
xStack: Multiply Your Potential
October – November 2008
D-Link Indonesia
D-Link Confidential
Agenda
Challenges for Your Network
D-Link Solutions
Success Cases
Why D-Link
Challenges for Your Network
Availability
- Slow, unstable
Security
- Virus infection, worm outbreak, intrusion, Trojan, hackers
Manageability
- Ease of management, multi-vendors boxes
Performance
- Upgrade, service classification, QoS, device efficiency
Security Breaches in Today’s Network
Campus Network
Diagram: IP & MAC address management is hard to realize. Threats shown across the data center and the core layers: man-in-the-middle attack, rogue DHCP server, ARP spoofing attack, loop connection.
Security Breaches in Today’s Network
Enterprise Network
Diagram: attack & intrusion, rogue DHCP server, worm outbreak, unauthorized access.
D-Link Solutions
Integrated Security
- E2ES (End-to-End Security)
High Availability
- From H/W to S/W, robust L2 to L3 design
QoS
- Comprehensive traffic classification & prioritization
Manageability
- Solutions designed for SMB & big enterprise/campus networks
Green Ethernet
- Reduce IT costs and minimize the environmental impact
Affordability
- Pay as your company grows
E2ES - End-to-End Security Solution
Diagram: Joint Security, Gateway Security and Endpoint Security combined across the enterprise network.
E2ES
D-Link’s End-to-End Security (E2ES) Solutions
D-Link innovates comprehensive security solutions aimed at providing end-to-end threat containment and security protection, consisting of the following three components:
- Gateway Security: D-Link IPS/UTM Firewall
- Endpoint Security: enhanced security features on xStack switches
- Joint Security: Microsoft NAP and D-Link ZoneDefense
E2ES
Gateway Security Solution
NetDefend IPS/UTM Firewall Family
ICSA Labs certified
Integrated Firewall/VPN appliance with Outstanding Performance
Unified Threat Management:
- Intrusion Prevention Service (IPS)
- Anti-Virus (AV) Protection
- Web Content Filtering (WCF)
- Anti-Spam
Joint Security with xStack Switch via unique ZoneDefense technology
E2ES
Endpoint Security Solution
Numerous security features are added to the xStack switch to
achieve threat control and containment, ensuring that malicious
traffic can be stopped at the edge of the network.
Field proven through successes in ETTH/FTTB, campus networks and enterprise markets.
xStack Switch Endpoint Security
Authentication
- 802.1X Authentication
- Web-Based Access Control (WAC)
- MAC-Based Access Control (MAC)
Authorization
- Dynamic VLAN Assignment
- Guest VLAN
- Identity Based VLAN/QoS
Traffic control
- Traffic Segmentation
- Access Control List (ACL)
Node/Address Control
- Port Security
- IP-MAC-Port Binding
Attack Mitigation
- L2-L7 ACL
- IP-MAC-Port Binding
- Broadcast Storm control
E2ES
Endpoint Security Solution
802.1x Authentication
Port-based 802.1x
Once a port is authorized by one client, the other users connecting to the same port through a hub or switch can also pass through the switch.
MAC-based 802.1x
1. Once a port is authorized by a client, only that client can pass through the switch.
2. The switch not only checks the username/password but also checks whether the maximum number of allowed MAC addresses has been reached. If it has, new MACs are denied.
Port Based 802.1x Example:
Diagram: DES-3828 with port-based 802.1x enabled on ports 1-12; a Win2003 server (192.168.0.10) running the RADIUS server service holds the user James with password 123; James, Gary and Ryan, each using the WinXP built-in 802.1x client, connect through an L2 switch/hub to port 1. James' username/password is confirmed by the RADIUS server.
All of the clients connected to the L2 hub can pass through the switch (DES-3828) once one client (James) is authenticated.
MAC Based 802.1x Example:
Diagram: DES-3828 with MAC-based 802.1x enabled on ports 1-12; the same Win2003 server (192.168.0.10) running the RADIUS server service holds the user James with password 123; James, Gary, Ryan, ... (WinXP built-in 802.1x clients) connect through an L2 switch/hub. The DES-3828 is only capable of learning up to 16 MAC addresses per port.
Each client needs to provide a correct username/password to pass authentication before it can access the network.
NOTICE: The L2 switch or hub should support 802.1x pass-through. Otherwise, the 802.1x packets (dest MAC = 01-80-C2-00-00-03, inside the IEEE reserved range 01-80-C2-00-00-01~0F) will be dropped by that switch and therefore cannot reach the DES-3828.
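As an added illustration (not D-Link code), the following Python models the two authorization policies above and the pass-through issue in the NOTICE. The RADIUS accounts, the second supplicant's password and the packet model are constructed; the MAC addresses are taken from the deck's diagrams and the 16-MAC-per-port limit is the DES-3828 figure quoted on the slide.

```python
"""Port-based vs MAC-based 802.1X on a shared port (added example, not D-Link code)."""
from dataclasses import dataclass, field

# Constructed RADIUS database: the slide's James/123 plus a second account.
RADIUS_USERS = {"James": "123", "Gary": "s3cret"}
MAX_MACS_PER_PORT = 16  # DES-3828 learns at most 16 MAC addresses per port


@dataclass
class Port:
    mode: str                      # "port" (port-based) or "mac" (MAC-based)
    authorized: bool = False       # port-based: one flag covers every host on the port
    authorized_macs: set = field(default_factory=set)  # MAC-based: per-client state

    def authenticate(self, mac: str, user: str, password: str) -> bool:
        """Outcome of one supplicant's EAP exchange (RADIUS decides on the credentials)."""
        if RADIUS_USERS.get(user) != password:
            return False
        if self.mode == "port":
            self.authorized = True         # everyone behind the hub now passes
            return True
        mac = mac.upper()
        # MAC-based: credentials are fine, but the per-port MAC limit is enforced too.
        if mac not in self.authorized_macs and len(self.authorized_macs) >= MAX_MACS_PER_PORT:
            return False
        self.authorized_macs.add(mac)
        return True

    def forwards(self, mac: str) -> bool:
        """Would a data frame from this source MAC be forwarded by the switch?"""
        if self.mode == "port":
            return self.authorized
        return mac.upper() in self.authorized_macs


def is_bridge_reserved(dst_mac: str) -> bool:
    """EAPOL is sent to 01-80-C2-00-00-03, inside the IEEE 802.1D reserved group
    range 01-80-C2-00-00-00 .. 0F. A hub or switch without 802.1X pass-through
    drops that range, so the EAPOL frame never reaches the authenticator."""
    octets = [int(o, 16) for o in dst_mac.replace(":", "-").split("-")]
    return octets[:5] == [0x01, 0x80, 0xC2, 0x00, 0x00] and octets[5] <= 0x0F


def shared_hub_scenario(mode: str) -> dict:
    """Re-run the slide's hub scenario: James authenticates, Gary and Ryan just send."""
    port1 = Port(mode=mode)
    james, gary, ryan = "00-0F-B0-97-E7-C6", "00-15-F2-A9-0B-C2", "00-50-18-21-C0-E1"
    port1.authenticate(james, "James", "123")
    return {"James": port1.forwards(james), "Gary": port1.forwards(gary), "Ryan": port1.forwards(ryan)}
```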
E2ES
Endpoint Security Solution
MAC Based Access Control
- Using Switch’s Local Database
Diagram: a DI-804 acts as DHCP server and gateway to the Internet; the DES-3828 has MAC access control enabled on its ports; two non-802.1x clients behind an L2 switch or hub send ARP and DHCP packets. The switch local database (MAC list) holds Non 802.1x Client_1 = 00-0F-B0-97-E7-C6 and Non 802.1x Client_2 = 00-15-F2-A9-0B-C2; a source MAC found in the list is admitted ("Matched MAC address!!!"), an unknown one is rejected ("No such MAC address!!!").
Ports with "MAC Access Control" enabled can authenticate up to 16 MAC address entries per physical port.
E2ES
Endpoint Security Solution
Web-Based Authentication
Web-Based Access Control (WAC) is a feature designed to authenticate a user when the user tries to access the network via the switch. It is an alternative port-based access control method besides IEEE 802.1X.
The authentication process uses HTTP. When a user tries to browse a web page (e.g., http://www.google.com) through a web browser (e.g., IE) and the switch detects HTTP packets from a port that is not yet authenticated, the browser pops up a username/password screen to query the user. If the user passes the authentication process, the port is authenticated and the user can access the network.
Switch Role
The switch can be the authentication server itself and authenticate against a local database, or act as a RADIUS client and perform the authentication process with a remote RADIUS server.
Web-Based Authentication
- Based on local database
Diagram: a DI-624 (10.10.10.10) serves the DHCP IP pool 10.10.10.50 – 10.10.10.100 and is the gateway to the Internet; a web server at 10.10.10.101 is the page users are redirected to (step 1: which web page do you want to redirect to?); ports 1-12 are the authentication ports (step 2); the local database is created with users such as James/123 and Will/456 (step 3); Client PC1 10.10.10.11, Client PC2 10.10.10.12 and Client PC3 10.10.10.13 are attached to the authentication ports.
Ports 1-12 are configured as web-authentication enabled ports. Every PC connected to those ports needs to pass username/password authentication before it can access the network. In this example the username/password/VLAN database is stored in the switch itself, so there is no RADIUS server.
Note:
In the current design, the maximum number of local database entries equals the number of switch ports. For example, the DES-3828 supports 28 entries (i.e., max. 28 local users).
E2ES
Endpoint Security Solution
D-Link IP-MAC-Port Binding (Address Binding)
IP-MAC-Port binding is an enhancement of IP-MAC binding. The enhanced feature decides which port(s) are allowed to receive packets according to the "IP-MAC" information.
All packets are dropped by the switch unless their MAC address, IP address, and ingress port entirely match the address-binding list.
ARP and ACL mode of IP-MAC-Port binding
D-Link IP-MAC-Port binding has two modes, "ARP mode" and "ACL mode".
ARP Mode
The default setting is ARP mode. When you create an entry in the IP-MAC-Port binding record, the entry belongs to ARP mode. If a user creates an entry in ARP mode and afterwards enables ACL mode, the existing entry is not added to an ACL rule.
ACL Mode
If a user enables ACL mode, the switch automatically creates an ACL rule that maps each IP-MAC-Port binding entry.
Example 1 – Prevent ARP-Scan with ARP mode
Diagram: Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1, Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25, and a hacker PC (MAC AA-BB-CC-DD-EE-FF) on port 10 running an ARP scan. Switch FDB: port 10 AA-BB-CC-DD-EE-FF, port 1 00-C0-9F-86-C2-5C, port 25 00-50-18-21-C0-E1. IP-MAC-Port binding list: IP 192.168.0.10, MAC 00-15-F2-A9-0B-C2, ports 1-10, mode ARP.
When the switch detects an ARP broadcast from port 10 that does not match any entry in the IP-MAC-Port binding list, the hacker PC is blocked.
ARP Poisoning
Diagram: PC1 (IP 192.168.0.100, MAC 00-C0-9F-86-C2-5C) on port 1, PC2 (IP 192.168.0.1, MAC 00-50-18-21-C0-E1) on port 8, and a hacker PC (IP 192.168.0.2, MAC AA-BB-CC-DD-EE-FF) on port 24. Step 1: ARP request (dst FF:FF:FF:FF:FF:FF). Step 2: poisoned ARP replies. Afterwards PC1's ARP table maps 192.168.0.1 to AA-BB-CC-DD-EE-FF and PC2's ARP table maps 192.168.0.100 to AA-BB-CC-DD-EE-FF, while the switch FDB still shows port 24 AA-BB-CC-DD-EE-FF and port 1 for PC1.
ARP has no authentication mechanism; therefore any ARP reply received by a device forces it to update its ARP cache!!
The poison packet tells PC1 that it can find PC2 at the hacker MAC AA-BB-CC-DD-EE-FF; at the same time, it tells PC2 that it can find PC1 at the hacker MAC AA-BB-CC-DD-EE-FF. At this point, the communication between PC1 and PC2 goes through the hacker PC and bypasses the switch.
ARP Poisoning 2
Diagram: after poisoning, PC1 (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1 and PC2 (IP 192.168.0.1, MAC 00-50-18-21-C0-E1) on port 8 both resolve each other to the hacker PC (IP 192.168.0.2 spoofed, MAC AA-BB-CC-DD-EE-FF) on port 24: PC1's ARP table maps 192.168.0.1 to AA-BB-CC-DD-EE-FF and PC2's ARP table maps 192.168.0.100 to AA-BB-CC-DD-EE-FF. Switch FDB: port 24 AA-BB-CC-DD-EE-FF, port 1 00-C0-9F-86-C2-5C, port 8 00-50-18-21-C0-E1.
The traffic between PC1 and PC2 has been redirected to the hacker PC, which forwards the packets on to the correct destinations.
If the hacker PC did not re-route the packets, the communication between PC1 and PC2 would be interrupted until they refresh their ARP tables.
If there is no traffic between the two PCs, their dynamic ARP entries are flushed after a timeout period. For that reason, the hacker PC must keep poisoning the two PCs at regular intervals.
Example 2 – Prevent the ARP Poison Attack (Man-in-the-Middle attack) with ACL mode
Diagram: Client A (IP 192.168.0.10, MAC 00-C0-9F-86-C2-5C) on port 1 and Server B (IP 192.168.0.11, MAC 00-50-18-21-C0-E1) on port 25 exchange ARP; the hacker PC on port 10 only listens and builds an ARP table of the subnet (192.168.0.10 00-C0-9F-86-C2-5C, 192.168.0.11 00-50-18-21-C0-E1). Switch FDB: port 1 00-C0-9F-86-C2-5C, port 25 00-50-18-21-C0-E1. IP-MAC-Port binding list: IP 192.168.0.10, MAC 00-15-F2-A9-0B-C2, ports 10, mode ARP.
The hacker PC keeps quiet and listens to the ARP packets from the other PCs to build its ARP table for this subnet.
Example 2 – Prevent the ARP Poison Attack (Man-in-the-Middle attack) with ACL mode (Con.)
Diagram: the hacker PC on port 10 now sends ARP poisoning packets toward Client A (port 1) and Server B (port 25). Switch FDB: port 1 00-C0-9F-86-C2-5C, port 25 00-50-18-21-C0-E1. IP-MAC-Port binding list: IP 192.168.0.10, MAC 00-15-F2-A9-0B-C2, ports 10, mode ACL.
After the hacker obtains the IP/MAC information of Client A and Server B, it sends ARP poisoning packets to attack them. At the same time, the switch detects the hacker and blocks the hacker PC.
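The following Python is an added model (not D-Link firmware) of the enforcement behind Examples 1 and 2: all three of IP, MAC and ingress port must match a binding entry. Addresses and port numbers are the ones drawn in the diagrams, the binding table is constructed from Client A and Server B as shown there, and the packet model and the "blocked host" bookkeeping for ARP mode are this example's assumptions.

```python
"""IP-MAC-Port binding in ARP mode and ACL mode (added example, not D-Link firmware)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    ports: frozenset       # ports on which this IP/MAC pair is allowed to appear


@dataclass(frozen=True)
class Packet:
    port: int              # ingress port
    src_mac: str
    src_ip: str            # for ARP this is the sender protocol address
    kind: str              # "arp" or "ip"


@dataclass
class BindingSwitch:
    bindings: tuple
    mode: str = "arp"                              # ARP mode is the slide's default
    blocked: set = field(default_factory=set)      # ARP mode: (port, MAC) of offenders

    def _matches(self, p: Packet) -> bool:
        # All three of IP, MAC and ingress port must match one binding entry.
        return any(p.src_ip == b.ip and p.src_mac.upper() == b.mac.upper()
                   and p.port in b.ports for b in self.bindings)

    def handle(self, p: Packet) -> str:
        key = (p.port, p.src_mac.upper())
        if self.mode == "arp":
            # ARP mode inspects ARP only (assumed); an unmatched ARP blocks its source.
            if key in self.blocked:
                return "drop"
            if p.kind == "arp" and not self._matches(p):
                self.blocked.add(key)
                return "drop"
            return "forward"
        # ACL mode: every packet is filtered by the ACL rule derived from the table.
        return "forward" if self._matches(p) else "drop"


TABLE = (Binding("192.168.0.10", "00-C0-9F-86-C2-5C", frozenset({1})),   # Client A, port 1
         Binding("192.168.0.11", "00-50-18-21-C0-E1", frozenset({25})))  # Server B, port 25
HACKER = "AA-BB-CC-DD-EE-FF"                                            # on port 10 in the slides


def example_1_arp_scan() -> list:
    """Example 1: ARP mode. Client A's ARP passes; the scanner's ARP probe is
    blocked and its later IP traffic from the same port/MAC is dropped too."""
    sw = BindingSwitch(TABLE, mode="arp")
    return [sw.handle(Packet(1, "00-C0-9F-86-C2-5C", "192.168.0.10", "arp")),
            sw.handle(Packet(10, HACKER, "192.168.0.2", "arp")),
            sw.handle(Packet(10, HACKER, "192.168.0.2", "ip"))]


def example_2_arp_poison() -> list:
    """Example 2: ACL mode. Genuine Server B traffic passes; a reply claiming B's IP,
    a clone of B's IP+MAC on the wrong port, and unbound IP traffic are all dropped."""
    sw = BindingSwitch(TABLE, mode="acl")
    return [sw.handle(Packet(25, "00-50-18-21-C0-E1", "192.168.0.11", "arp")),
            sw.handle(Packet(10, HACKER, "192.168.0.11", "arp")),
            sw.handle(Packet(10, "00-50-18-21-C0-E1", "192.168.0.11", "ip")),
            sw.handle(Packet(10, HACKER, "192.168.0.2", "ip"))]
```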
D-Link Safeguard Engine
Safeguard Engine™ is designed to enhance the robustness of new switches; it increases overall network serviceability, reliability, and availability.
The CPU of a switch is designed to handle control information such as STP, SNMP and web access. Some specific network packets are also forwarded to the CPU for processing, such as ARP broadcast, unknown-destination unicast and IP broadcast.
But nowadays networks face blended threats such as viruses and worms, which usually generate unexpected bulk "CPU-interested" traffic (like ARP broadcast) during infection. The result is that the CPU is overloaded and unable to respond to important tasks like management access, STP and SNMP polling.
Diagram: traffic arriving at the switch CPU: SNMP polling, spanning tree BPDU packets, IGMP snooping, web management access, ARP broadcast, unknown DST unicast, IP broadcast.
With D-Link Safeguard Engine, the switch further identifies and prioritizes this "CPU-interested" traffic, throttling the unwanted interruptions and protecting switch operation.
Thus, with Safeguard Engine, a D-Link switch shows its robustness especially under virus infection or worm scanning.
Technology Brief
When CPU utilization exceeds the Rising Threshold, the switch enters Exhausted Mode and takes the actions described on the next slide. Conversely, when CPU utilization falls below the Falling Threshold, the switch leaves Exhausted Mode and the Safeguard Engine function ceases.
Item / Description
- Rising Threshold: The user can set a percentage value (20-100) of rising CPU utilization that triggers the Safeguard Engine function. Once CPU utilization rises to this threshold, the Safeguard Engine mechanism initiates.
- Falling Threshold: The user can set a percentage value (20-100) of falling CPU utilization at which the Safeguard Engine function ceases. Once CPU utilization falls to this threshold, the Safeguard Engine mechanism shuts down.
Technology Brief (Con.)
Safeguard Engine Actions
- Limiting the bandwidth of received ARP packets: The user can implement this action in two ways, Strict Mode or Fuzzy Mode. When strict is chosen, the switch stops receiving ARP packets. When fuzzy is chosen, the switch minimizes the bandwidth for ARP packets by dynamically setting an acceptable bandwidth.
- Limiting the bandwidth of received IP broadcast packets: The user can implement this action in two ways, Strict Mode or Fuzzy Mode. When strict is chosen, the switch stops receiving all broadcast IP packets. When fuzzy is chosen, the switch minimizes the bandwidth for broadcast IP packets by dynamically setting an acceptable bandwidth.
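An added Python model (not D-Link code) of the two slides above: the rising/falling thresholds form a hysteresis loop, so the switch does not flap in and out of Exhausted Mode, and the strict/fuzzy actions decide how much ARP and IP-broadcast traffic the CPU still accepts. The CPU samples, the "normal" packet budgets and the fuzzy-mode formula are constructed assumptions; the deck does not state how fuzzy mode sizes the bandwidth.

```python
"""Safeguard Engine threshold hysteresis with strict/fuzzy actions (added example, not D-Link code)."""
from dataclasses import dataclass

# Constructed budgets: packets/s of each 'CPU-interested' class accepted in normal mode.
BUDGET_PPS = {"arp": 1000, "ip_broadcast": 500}


@dataclass
class SafeguardEngine:
    rising: int = 80            # enter Exhausted Mode at or above this CPU %
    falling: int = 30           # leave Exhausted Mode at or below this CPU %
    action_mode: str = "fuzzy"  # "strict" or "fuzzy"
    exhausted: bool = False

    def __post_init__(self):
        # Both thresholds are 20-100 % on the slide; falling must sit below rising.
        if not (20 <= self.falling < self.rising <= 100):
            raise ValueError("thresholds must be within 20-100 with falling < rising")

    def observe(self, cpu_pct: int) -> bool:
        """Feed one CPU utilisation sample; return whether Exhausted Mode is active.
        Between the two thresholds the previous state is kept (hysteresis)."""
        if not self.exhausted and cpu_pct >= self.rising:
            self.exhausted = True
        elif self.exhausted and cpu_pct <= self.falling:
            self.exhausted = False
        return self.exhausted

    def rate_limit(self, kind: str, cpu_pct: int) -> int:
        """Packets/s of `kind` ("arp" or "ip_broadcast") the CPU accepts right now."""
        full = BUDGET_PPS[kind]
        if not self.exhausted:
            return full
        if self.action_mode == "strict":
            return 0                      # strict: stop receiving that class entirely
        headroom = max(0, 100 - cpu_pct)  # fuzzy (assumed model): shrink with CPU load
        return full * headroom // 100


def run_trace(engine: SafeguardEngine, samples) -> list:
    """Return (cpu, exhausted, arp_pps, bcast_pps) for each CPU sample in order."""
    out = []
    for cpu in samples:
        exhausted = engine.observe(cpu)
        out.append((cpu, exhausted, engine.rate_limit("arp", cpu),
                    engine.rate_limit("ip_broadcast", cpu)))
    return out
```

The constructed sample run `run_trace(SafeguardEngine(), [40, 85, 60, 30, 90])` stays in Exhausted Mode at 60 % because that is above the falling threshold, and only releases once the sample reaches 30 %.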
Loopback Detection
LBD v4.0:
- STP (Spanning Tree Protocol) independent
- Flexible settings for loop prevention: port-based or VLAN-based
Diagram: a loop on an unmanaged switch below the xStack switch; wireless guests, PCs, clients, servers and workstations, a NetDefend firewall, applications, DHCP, kiosk, mobile user, telecommuter and partner connections, with thieves and hackers shown as external threats.
E2ES
Joint Security Solution
What does D-Link Joint Security provide?
An integrated total solution that provides access control and real-time defense.
Microsoft NAP
Evaluation of security compliance before permitting connection.
Quarantine and remediation of non-compliant users.
Identity-based network admission control.
D-Link ZoneDefense
Any malicious traffic detected by the NetDefend firewall triggers the xStack switch to block it in real time.
ZoneDefense technology makes the NetDefend firewall and the xStack switch work jointly as one big virtual firewall system: the NetDefend firewall is in charge of traffic inspection, and the xStack switch performs wire-speed filtering at port level.
Updated 2008/May
E2ES
Joint Security Solution - NAP and ZoneDefense
Diagram: clients (wireless, guest, kiosk, mobile user, telecommuter, partner) connect through the xStack switch with 802.1x enforcement and a DHCP enforcer server; a Microsoft Network Policy Server, System Health Server, RADIUS and a remediation server sit behind the NetDefend firewall; a worm-infected client and external thieves/hackers are shown as threats.
Compliant Scenario: Before connection, you should have a username/password or token. After login, the system health server and network policy server check the compliance policy. If compliant, you are allowed to connect to the network.
Non-Compliant Scenario: If the client's patch/virus pattern etc. is not updated, it only gets restrictive access rights to the remediation server to correct its health status.
Remediation Scenario: Once the client has its patch updated, it can go to the network.
Guest Access Scenario: Guests are assigned On-Demand Policy Manager access.
If any malicious attack happens: with D-Link ZoneDefense technology, the NetDefend firewall will automatically notify the xStack switch to block the infected host.
Host Integrity Rule status checked by NAP: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated. EAP status: User Name, Password, Token.
D-Link's Joint Security Solution enables the integration of network security and PC endpoint security.
Manageability
D-Link SIM Technology
Provides single IP address management of up to 32 switches without being limited to specific models, specialized cables, distance barriers or stacking methods, and prevents a single point of failure.
Straightforward visualization without additional software installation.
Manageability
D-View 6.0 NMS
Green Ethernet
Innovative “Green Ethernet” Technology
General trend towards making products more GREEN & eco-friendly.
Market pressure and legislative action for energy efficient networked
equipment.
D-Link leads the industry by enabling unique “Green Ethernet” technology
on networking.
Reduce power consumption without sacrificing performance or
functionality by detecting link status and cable length, which brings the
benefits of less heat dissipation, extended product life, and reduced
operating cost.
Success Case - Metro Ethernet
D-Link’s Proven Success in the Past 2 Years
In Russia, Greater China & Northern Europe regions
Over 200k DES-3526 & 7k DES-3828 were sold as access switches
Over 3k DGS/DXS-3300 & 4k DGS-3600 were sold as L3 distribution or
aggregation switches
DES-3528 is MEF 9 & 14 certified for EPL
Success Case – Corbina Telecom, Russia
Diagram: DXS-3326GSR switches at the core.
Interoperability
• Comprehensive MIBs/ Logs
• DHCP options
• OSPF Routing
Robustness
• STP convergence
• Against Virus/ Worm flood
QoS
• Adv Traffic Classification
• Comprehensive Bandwidth Control
• Multicast optimization
Security
• IP-MAC-Port binding
• Abnormal Traffic Control
• Loopback Detection
Deployment
DXS-3326GSR – 1,700 pcs
DES-3526 – 28,000 pcs
Success Case – Nittedal Multimedia, Norway
Requirement
Build a Triple Play Gigabit FTTH/ETTH network providing Data, VoIP, IPTV and VOD services for residential and business end-users
Number of Users - 3000
Stackability
• 40G Fault Tolerant Stacking
• Virtual Chassis Core
• OSPF & PIM-SM
QoS
• Adv Traffic Classification
• Comprehensive Bandwidth Control
• Multicast optimization
Diagram: IPTV streamers feed a DGS-3324SR core (10G stacking) that connects to DXS-3326GSR and DES-3010G access switches over 1G fiber and 1G copper.
Deployment
DGS-3324SR – 130 pcs
DXS-3326GSR – 25 pcs
DES-3010G – 750 pcs
Updated 2008/Apr
Success Case – Chiba University Hospital, Japan
Diagram: DGS-3600 L3 core switches in the data center and the new medical building, linked by 10G fiber and 10G stacking, with 1G fiber to the medical buildings and departments.
Interoperability
• Comprehensive MIBs/ Logs
• OSPF Routing
Security
• User Identity Control
• Abnormal Traffic Control
Stackability
• Fault Tolerant 40G Stacking
Robustness
• Loopback Detection
• Against Virus/ Worm flood
Deployment
DGS-3600 – 36 pcs
DGS-3400 – 197 pcs
Requirement
Transmission of high-resolution medical imaging over the network
Sending high volumes of patient data electronically
An extremely high availability network is required
Success Case – Beau Rivage Resort & Casino, USA
Diagram: analog cameras feed digital encoders, which connect through DGS-3324SR switches to the recording servers, backup recording servers and the live monitor.
Requirement
Support digital video surveillance infrastructure
A highly reliable, fail-safe solution that could handle massive amounts of traffic from thousands of video streams
1,500+ cameras
1,500+ multicast streams of real-time, high-resolution video
112-camera live monitoring
OSPF + PIM-SM deployment
Deployment
DGS-3324SR – 15+ pcs
Complete Product Offerings
Chart: feature set versus network complexity.
xStack Series
• 24/ 48 port
• 10/100, Gigabit & 10G Ethernet
• 19” rack mountable & Chassis
• L2+/ L3+
• Full Management Featured
• D-Link SIM Support
• Complete Security Features
• Comprehensive QoS Control
• Safeguard Engine embedded
• ZoneDefense with NetDefend Firewall
DES/DGS-3000 Series – Std Managed Switch
• 8/ 16/ 24/ 48 port
• 10/100 & Gigabit Ethernet
• 11”/ 19” rack mountable
• CLI, Web, SNMP support
• 802.1D/P/Q, RMON ..
• Most cost effective mgm Switch
DES/DGS-1200 Series – Web Smart Switch
• 16/ 24/ 48 port
• 10/100 & Gigabit Ethernet
• 19” rack mountable
• Web manageable
• Unmgm price with management features
DES/DGS-1000 Series – Unmanaged Switch
• 5/ 8/ 16/ 24/ 48 port
• 10/100 & Gigabit Ethernet
• Desktop size, 11”/ 19” rack mountable
• Quality & Stable
• Cable Diagnostic Support *
* Available on DGS-1005/08/26/24D
Why D-Link
Comprehensive wired, wireless and security solutions
Enable the integration of network & PC/endpoint security
Carrier customers tested, field proven and affordable
Branch offices in 60+ countries, committed to global and
local support
Q&A
Thanks !!