Technet S.O.S: Secure Network with D-Link Switches (Red Segura con Switches D-Link). Xavier Campos, Product Manager SP & PT, D-Link. Barcelona, 14 July 2009.

[SOS 2009] D-Link: Red Segura L2 L3


DESCRIPTION

Talk given by Xavier Campos, of D-Link, at the Summer of Security 2009 tour, on network security at the switching level.

Page 1: [SOS 2009] D-Link: Red Segura L2 L3

Technet S.O.S: Secure Network with D-Link Switches (Red Segura con Switches D-Link)
Xavier Campos, Product Manager SP & PT
[email protected]
Barcelona, 14 July 2009
D-Link

Page 2: [SOS 2009] D-Link: Red Segura L2 L3

Challenges of Today's Networks
[Diagram: firewall, server farm, core switch and edge switches, with each problem marked where it occurs]
Problems on the network:
• Loop connection between switches
• IP conflict
• ARP spoofing
• Worms: worm infection within the intranet
• Unauthorized access
Consequences:
• Service unstable
• Performance downgrade
• Low manageability
• Security breach

Page 3: [SOS 2009] D-Link: Red Segura L2 L3

Endpoint Security Solutions of xStack Switches

• Authentication

• Authorization

• Node/Address Control

• Attack Mitigation

• Microsoft NAP Server

Page 4: [SOS 2009] D-Link: Red Segura L2 L3

Problem: Unauthorized Access
• Traditionally security checks take place at the perimeter
• Intranet users can connect to the network without authorization
• Lack of proper control on the RJ45 socket outlet
• Clients can easily go anywhere without authorization
• Lack of proper control for wireless users
[Diagram: financial server, ERP system and R&D server; an employee, a guest and a malicious user can all connect, leading to information leakage and a hacking incident. Caption: "Everyone can connect to your network without authorization!!!!"]

Page 5: [SOS 2009] D-Link: Red Segura L2 L3

Solution for Unauthorized Access

• D-Link's Solution 1:
  – 802.1X Authentication
  – Web-based Access Control (WAC) [Captive Portal]
• When to use?
  – To perform user authentication and so control access by user identity
  – When clients must be authenticated based on their login information, regardless of the user's location or device
• Benefit:
  – Mobility: users get their designated privileges no matter where they are or which device they use
  – Clientless: easy to deploy, easy to use (WAC)
  – Better security management: pushes security control to the edge; all clients must be authenticated before entering the network

Page 6: [SOS 2009] D-Link: Red Segura L2 L3

Solution for Unauthorized Access

• D-Link's Solution 2:
  – MAC-based Access Control (MAC)
• When to use?
  – For VoIP phones, printers, routers, IP cameras and APs: devices that have no web browser, or on which an 802.1X supplicant cannot be installed
  – Stricter control of end-user devices; especially suitable for campus networks, the public sector, or enterprises that need device control
• All clients are authenticated automatically and granted a specific role on the network
• Benefit:
  – Clientless: easy to deploy, totally transparent to clients
  – Device management: only legitimate devices are allowed to connect to the network

Page 7: [SOS 2009] D-Link: Red Segura L2 L3

Endpoint Security Solutions of xStack Switches

• Authentication

• Authorization

• Node/Address Control

• Attack Mitigation

• Microsoft NAP Server

Page 8: [SOS 2009] D-Link: Red Segura L2 L3

Requirement: Authorization by user's identity
[Diagram: Sales, Accounting, R&D and Guest users; financial server, ERP system and R&D server. Caption: "The network is under granular control by segregating the traffic!"]
• The R&D dept. is granted access to the R&D server and the Internet only
• The Sales dept. is granted access to the ERP system and the Internet only
• Guest users can only connect to the Internet
• The Accounting dept. is granted access to the Financial server and the ERP system only

Page 9: [SOS 2009] D-Link: Red Segura L2 L3

Solution for Authorization by user's identity
• D-Link's Solution:
  – Dynamic VLAN Assignment
  – Guest VLAN (restricted network access)
  – Client Attribute Designation
    • Bandwidth control per port / per flow
    • 802.1p priority (default value per port)
    • ACL that delivers user identity control as a set of services *
• The identity-based security policies provide the appropriate access rights for different users
• Client attributes (bandwidth parameter, 802.1p priority parameter, ACL) can be designated by the RADIUS server after successful authentication
* Under development
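Dynamic VLAN assignment as described above rides on three RADIUS tunnel attributes in the Access-Accept (RFC 2868, applied to 802.1X ports by RFC 3580). The following Python is an added illustration, not code from the presentation or from D-Link: it encodes those attributes as a RADIUS server would, parses them as a switch would, and applies the Guest VLAN fallback when the login is rejected. The VLAN numbers and the guest VLAN used in the comments are constructed for the example.

```python
"""Dynamic VLAN assignment carried in a RADIUS Access-Accept (RFC 2868 tunnel
attributes, applied to 802.1X as described in RFC 3580).

Added example, not D-Link code: it encodes the three attributes a RADIUS server
sends to put a port into a VLAN, parses them as a switch would, and applies the
Guest VLAN fallback from the slide."""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type value meaning "IEEE-802"


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute-value pair: Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes a RADIUS server adds to Access-Accept to assign vlan_id.

    Tunnel-Type and Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID is the tag plus the VLAN id as a string."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return (
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; a bad length is an error, never a guess."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    # RFC 2868: a leading byte above 0x1F is data, not a tag.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(data: bytes) -> Optional[int]:
    """VLAN the switch should apply, or None if the three attributes are absent
    or do not agree (then the port keeps its default VLAN rather than guessing)."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():   # attributes with the same tag belong together
        if group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"):
            continue
        group_id = group.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            return int(group_id)
    return None


def port_vlan(accepted: bool, attributes: bytes, default_vlan: int,
              guest_vlan: Optional[int]) -> Optional[int]:
    """Where the port ends up after 802.1X: the assigned VLAN, else the port's
    default VLAN; on Access-Reject the Guest VLAN, or no access (None) if the
    switch has no Guest VLAN configured."""
    if not accepted:
        return guest_vlan
    return vlan_from_access_accept(attributes) or default_vlan
```

The switch-side parser deliberately falls back to the port's default VLAN when the three attributes are missing or inconsistent (for example a Tunnel-Private-Group-ID that is not a number), which is the safer behaviour than guessing a VLAN from a partial set.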

Page 10: [SOS 2009] D-Link: Red Segura L2 L3

Endpoint Security Solutions of xStack Switches

• Authentication

• Authorization

• Node/Address Control

• Attack Mitigation

• Microsoft NAP Server

Page 11: [SOS 2009] D-Link: Red Segura L2 L3

Problem: Loop Connection
• Users connect their own switches and cause a loop, unintentionally or on purpose
• The loop can cause a packet storm and overwhelm the whole system
[Diagram: a loop between switches producing a packet storm]

Page 12: [SOS 2009] D-Link: Red Segura L2 L3

Solution for Loop Connection
• D-Link's Solution: Loopback Detection (LBD v4.0)
  – STP (Spanning Tree Protocol) independent
    • Unmanaged switches usually do not have a Spanning Tree Protocol function
    • D-Link's design can detect loop connections even when STP is absent
  – Flexible settings for loop prevention
    • Port-based, or
    • VLAN-based
1. Port-based LBD: the port is shut down, no traffic is allowed
2. VLAN-based LBD: block the traffic from the VLAN in which the loop is happening, without shutting down the trunking port
[Diagram: VLANs V1 and V2 carried on a trunk between two switches; PC1 and PC2 attached; a loop in one VLAN]

Page 13: [SOS 2009] D-Link: Red Segura L2 L3

Loopback Detection Scenario
[Diagram: Internet, router 192.168.0.1/24, switch 192.168.0.2/24 and two clients; a loopback cable on the switch causes the loop, which Loopback Detection reports as "Loop Occurred"]
Switch configuration:
enable loopdetect
config loopdetect recover_timer 60 interval 10 mode port-based
config loopdetect trap both
config loopdetect ports 1-10 state enable
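To make the port-based versus VLAN-based behaviour from the previous two slides concrete, here is an added simulation in Python; it is not D-Link firmware and its probe format is invented for the example. The model is the one the slides describe: the switch sends a probe frame of its own out of every LBD-enabled port every `interval` seconds, and a probe that comes back in on a port means that port has a loop. The defaults match the CLI above (interval 10 s, recover_timer 60 s); the port and VLAN numbers in the comments are constructed.

```python
"""Loopback Detection simulation: port-based versus VLAN-based blocking, with the
interval and recover_timer from the scenario's CLI (10 s and 60 s).

Added example, not D-Link firmware. Model: the switch sends a probe frame of
its own out of every LBD-enabled port; a probe that comes back in on a port
means that port has a loop."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    switch_mac: str   # originating switch, so another switch's probes are ignored
    nonce: int        # fresh per probe, so replayed or stale frames are ignored
    vlan: int


@dataclass
class LoopbackDetector:
    switch_mac: str
    mode: str = "port-based"     # "port-based" or "vlan-based", as on the slide
    interval: int = 10           # seconds between probe rounds (the caller runs send_probes on this schedule)
    recover_timer: int = 60      # seconds a port/VLAN stays blocked; 0 = until an operator clears it
    outstanding: Dict[int, Tuple[int, int]] = field(default_factory=dict)  # nonce -> (port, vlan)
    blocked: Dict[Tuple[int, Optional[int]], float] = field(default_factory=dict)  # key -> unblock time
    log: List[str] = field(default_factory=list)

    def send_probes(self, now: float, port_vlans: Dict[int, List[int]]) -> List[Tuple[int, Probe]]:
        """One probe per (port, VLAN) that is not blocked; returns (out_port, probe) pairs."""
        frames = []
        self.outstanding.clear()          # probes older than one interval are no longer valid
        for port, vlans in port_vlans.items():
            for vlan in vlans:
                if self.is_blocked(port, vlan, now):
                    continue
                probe = Probe(self.switch_mac, secrets.randbits(32), vlan)
                self.outstanding[probe.nonce] = (port, vlan)
                frames.append((port, probe))
        return frames

    def receive(self, now: float, in_port: int, frame: object) -> bool:
        """Return True if the frame is one of our own outstanding probes, i.e. a loop,
        and the port (port-based) or just that VLAN on the port (VLAN-based) was blocked."""
        if not isinstance(frame, Probe) or frame.switch_mac != self.switch_mac:
            return False
        origin = self.outstanding.pop(frame.nonce, None)
        if origin is None:
            return False
        out_port, vlan = origin
        if self.mode == "port-based":
            key = (in_port, None)
            self.log.append(f"loop: port {in_port} shut down (probe sent on port {out_port})")
        else:
            key = (in_port, vlan)
            self.log.append(f"loop: VLAN {vlan} blocked on port {in_port} (probe sent on port {out_port})")
        self.blocked[key] = now + self.recover_timer if self.recover_timer else float("inf")
        return True

    def is_blocked(self, port: int, vlan: int, now: float) -> bool:
        self.recover(now)
        return (port, None) in self.blocked or (port, vlan) in self.blocked

    def recover(self, now: float) -> List[Tuple[int, Optional[int]]]:
        """Re-enable entries whose recover timer has expired; the next probe round re-tests them."""
        expired = [key for key, until in self.blocked.items() if now >= until]
        for key in expired:
            del self.blocked[key]
            self.log.append(f"recovered {key}")
        return expired
```

Two details matter for a real implementation and are kept here: the probe carries a fresh nonce so a replayed or forged frame cannot block a port, and the recover timer re-enables the port only so that the next probe round tests it again, which is why a loop that is still present gets blocked again after 60 s.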

Page 14: [SOS 2009] D-Link: Red Segura L2 L3

Problem: IP Management
• Auditing problem: current auditing mechanisms, for example syslog, application logs, firewall logs, etc., are mainly based on IP information. The log information is meaningless if the IP can be changed by users without control.
• IP conflict problem: IP conflicts are the most common problem in today's networks, because users sometimes change their IP address manually and conflict with other resources, such as other users' PCs, core switches, routers or servers.
[Diagram: hosts 192.168.1.1 (00E0-0211-1111) and 192.168.1.2 (00E0-0211-2222); a third host 00E0-0211-3333 set to 192.168.1.1 causes an IP conflict and an auditing problem]

Page 15: [SOS 2009] D-Link: Red Segura L2 L3

Solution for IP Management
• D-Link's solution 1: IMP (IP-MAC-Port) Binding v3 (DHCP Snooping)
  – IMP Binding v3 automatically learns the IP and MAC address pairs and saves them into the local database
  – Only traffic whose addresses match the White List can pass through the port
[Diagram: IMP Binding v3 enabled on the switch. Hosts A (192.168.1.1, 00E0-0211-1111) and B (192.168.1.2, 00E0-0211-2222) get their addresses from DHCP and are learned into the White List:
192.168.1.1 00E0-0211-1111 Port1
192.168.1.2 00E0-0211-2222 Port2
Host C (00E0-0211-3333), with 192.168.1.1 configured manually by the user, does not match the White List]

Page 16: [SOS 2009] D-Link: Red Segura L2 L3

Problem & Solution – Rogue DHCP Server
• Problem: users set up their own DHCP server
• Impact:
  – Incorrect IP assignment
  – Disturbed network connectivity
• D-Link's solution: DHCP Server Screening
  – Screens rogue DHCP server packets from user ports to prevent unauthorized IP assignment
[Diagram: the legitimate DHCP server performs normal DHCP assignment to PC1 and PC2; a rogue DHCP server on a user port announces "I'm DHCP Server", and its DHCP server packets are rejected by the switch: "Sorry, you're illegal"]
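The two mechanisms on the last two slides work together: DHCP snooping only trusts server messages from the ports where the real server sits, and the leases it sees there populate the IP-MAC-Port White List that every other frame is checked against. The Python below is an added example, not D-Link firmware; frames are simplified records rather than raw packets, because the point is the decision a port makes, not the parsers. The port numbers, the trusted port and the server MAC in the usage are constructed; the host addresses follow the page 15 diagram.

```python
"""IP-MAC-Port Binding learned by DHCP snooping (page 15) together with DHCP
Server Screening (page 16).

Added example, not D-Link firmware. Frames are simplified records, not raw
packets; the code shows the decisions a port makes, not the parsers."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    src_ip: str
    dhcp_op: Optional[str] = None   # DISCOVER/REQUEST from clients, OFFER/ACK/NAK from servers
    yiaddr: Optional[str] = None    # address handed out (server messages only)
    chaddr: Optional[str] = None    # client MAC carried inside the DHCP payload


DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class ImpbSwitch:
    def __init__(self, trusted_ports: Set[int]):
        self.trusted_ports = trusted_ports               # only the real DHCP server sits behind these
        self.bindings: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, port): the White List
        self.client_port: Dict[str, int] = {}            # chaddr -> port that sent the last DISCOVER/REQUEST
        self.log: List[str] = []

    def add_static_binding(self, ip: str, mac: str, port: int) -> None:
        """Manual entry, the equivalent of 'create address_binding ip_mac ...' on page 22."""
        self.bindings[ip] = (mac, port)

    def forward(self, f: Frame) -> bool:
        """True if the frame may pass the port, False if it is dropped."""
        if f.dhcp_op in DHCP_SERVER_MESSAGES:
            return self._server_message(f)
        if f.dhcp_op is not None:
            # Client DHCP traffic must pass, otherwise a new host can never get a lease
            # (the CLI on page 22 enables this with forward_dhcppkt).
            if f.chaddr:
                self.client_port[f.chaddr] = f.in_port
            return True
        return self._check_white_list(f)

    def _server_message(self, f: Frame) -> bool:
        if f.in_port not in self.trusted_ports:
            self.log.append(f"DHCP screening: {f.dhcp_op} from {f.src_mac} on port {f.in_port} dropped")
            return False
        if f.dhcp_op == "ACK" and f.yiaddr and f.chaddr in self.client_port:
            # Snooping: an ACK from the trusted server proves the (ip, mac, port) triple.
            port = self.client_port[f.chaddr]
            self.bindings[f.yiaddr] = (f.chaddr, port)
            self.log.append(f"learned {f.yiaddr} -> {f.chaddr} on port {port}")
        return True

    def _check_white_list(self, f: Frame) -> bool:
        expected = self.bindings.get(f.src_ip)
        if expected == (f.src_mac, f.in_port):
            return True
        self.log.append(f"IMPB: {f.src_ip}/{f.src_mac} on port {f.in_port} dropped, white list has {expected}")
        return False
```

Note that the binding is keyed on all three values: host C on page 15 is dropped because the MAC does not match, and even a frame carrying A's correct IP and MAC is dropped if it arrives on a different port, which is what stops a moved or cloned station from inheriting A's identity.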

Page 17: [SOS 2009] D-Link: Red Segura L2 L3

Endpoint Security Solutions of xStack Switches

• Authentication

• Authorization

• Node/Address Control

• Attack Mitigation

• Microsoft NAP Server

Page 18: [SOS 2009] D-Link: Red Segura L2 L3

Problem: ARP Spoofing Attack
• What is ARP Spoofing?
  – Hackers use faked ARP carrying wrong MAC/IP information to deceive network devices
• How does ARP Spoofing attack the network?
ARP spoofing as DoS:
  – Popular in Internet cafés
  – The hacker supplants a server or a router, or tricks the clients into using a non-existent router
  – Inter-subnet connectivity and Internet access of the whole network are impacted
Man in the middle:
  – Popular in business environments
  – The hacker tells the victim PC that it is the router
  – The hacker tells the router that it is the victim
  – All traffic is sniffed by the hacker and the users never know
[Diagram: PC, router and server; the hacker broadcasts spoofed MAC addresses so that "Router MAC = attacker MAC" at the PC and "PC MAC = attacker MAC" at the router]

Page 19: [SOS 2009] D-Link: Red Segura L2 L3

Solution for ARP Spoofing Attack
• D-Link's Solution: IP-MAC-Port Binding
  – Establish the database of the relationship between IP, MAC and port
  – The switch blocks the illegal access immediately once a mismatched ARP packet is found
[Diagram: binding table
IP MAC Port
R  r   26
A  a   2
B  b   12
C  c   16
…
Router (IP R, MAC r), PC-A (IP A, MAC a), PC-B (IP B, MAC b), PC-C (IP C, MAC c). PC-C sends faked ARP "I'm PC-A" (IP A, MAC c) and "I'm Router" (IP R, MAC c); the switch answers "You're not PC-A" and "You're not Router" and drops them]

Page 20: [SOS 2009] D-Link: Red Segura L2 L3

Solution for ARP Spoofing Attack
• D-Link's Solution: ARP Spoofing Prevention
  – An effective way to protect your router & servers
  – Simpler setup than IMPB and consumes fewer ACL rules
  – Users enter the IP and MAC of the router or of important servers
  – The switch compares all inbound ARP packets against the configured MAC and IP
  – Used to block invalid ARP packets which contain a fake gateway MAC and IP
[Diagram: configured table IP/MAC: R r, S s. Router (IP R, MAC r), Server (IP S, MAC s), PC-A (IP A, MAC a), PC-B (IP B, MAC b), PC-C (IP C, MAC c). PC-C sends faked ARP "I'm Router" (IP R, MAC c); the switch replies "You're not Router" and drops it]
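The two checks on pages 19 and 20 differ in scope: IP-MAC-Port Binding validates every sender against a per-port table, while ARP Spoofing Prevention only pins the gateway's (and important servers') IP to its real MAC. The Python below is an added example, not D-Link firmware, that parses real ARP payloads (RFC 826, Ethernet/IPv4 layout) and applies both checks; `build_arp` exists only to construct the sample frames fed to the inspector. The addresses in the test follow the page 22 scenario; the port numbers are taken from that slide's configuration and the tha/tpa values are constructed.

```python
"""ARP inspection against the IP-MAC-Port table (page 19) and the lighter
gateway-only check of ARP Spoofing Prevention (page 20).

Added example, not D-Link firmware. It parses real ARP payloads (RFC 826,
Ethernet/IPv4 layout); build_arp only constructs sample frames to feed the
inspector, mirroring the page 19 and page 22 scenarios."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

ARP_FORMAT = "!HHBBH6s4s6s4s"            # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FORMAT)    # 28 bytes


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def norm_mac(raw_or_text) -> str:
    """Canonical 'AA-BB-CC-DD-EE-FF' form from bytes or any common text spelling."""
    raw = raw_or_text if isinstance(raw_or_text, bytes) else _mac_bytes(raw_or_text)
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return "-".join(f"{b:02X}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """ARP payload, op 1 = request, 2 = reply (used here only to construct test input)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op, _mac_bytes(sha),
                       IPv4Address(spa).packed, _mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(payload: bytes) -> Optional[dict]:
    """Fields of a well-formed Ethernet/IPv4 ARP, or None for anything else."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return {"op": op, "sha": norm_mac(sha), "spa": str(IPv4Address(spa)),
            "tha": norm_mac(tha), "tpa": str(IPv4Address(tpa))}


class ArpInspector:
    def __init__(self, impb_ports: Set[int]):
        self.impb_ports = impb_ports                        # ports under IP-MAC-Port Binding
        self.bindings: Dict[str, Tuple[str, int]] = {}      # ip -> (mac, port)
        self.gateways: Dict[str, str] = {}                  # ip -> mac (ARP Spoofing Prevention)
        self.log: List[str] = []

    def add_binding(self, ip: str, mac: str, port: int) -> None:
        self.bindings[ip] = (norm_mac(mac), port)

    def add_gateway(self, ip: str, mac: str) -> None:
        self.gateways[ip] = norm_mac(mac)

    def inspect(self, in_port: int, src_mac: str, payload: bytes) -> bool:
        """True if the ARP frame received on in_port may be forwarded."""
        src_mac = norm_mac(src_mac)
        arp = parse_arp(payload)
        if arp is None:
            self.log.append(f"port {in_port}: malformed ARP from {src_mac} dropped")
            return False
        # ARP Spoofing Prevention: the gateway IP may only be claimed with the gateway MAC,
        # both in the ARP sender field and in the Ethernet source address.
        gw_mac = self.gateways.get(arp["spa"])
        if gw_mac is not None and (arp["sha"] != gw_mac or src_mac != gw_mac):
            self.log.append(f"port {in_port}: {src_mac} claims gateway {arp['spa']}, dropped")
            return False
        # IP-MAC-Port Binding: on protected ports the sender IP/MAC must be bound to this port.
        if in_port in self.impb_ports:
            if self.bindings.get(arp["spa"]) != (arp["sha"], in_port) or src_mac != arp["sha"]:
                self.log.append(f"port {in_port}: {arp['sha']}/{arp['spa']} does not match binding, dropped")
                return False
        return True
```

The inspector compares the Ethernet source address as well as the ARP sender field, since the two can be set independently and a check on only one of them is easy to satisfy; it also refuses anything that is not a well-formed Ethernet/IPv4 ARP rather than trying to interpret it.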

Page 21: [SOS 2009] D-Link: Red Segura L2 L3

MITM Attack Scenario
[Diagram: Internet and a public FTP server; router 192.168.0.1/24, switch 192.168.0.2/24; a client and a hacker PC on the switch. The hacker performs an ARP scan, then ARP Poison Routing (APR) between the client and the gateway while the client logs in to the FTP server]
FTP account for the demo: user technet, password SOS

Page 22: [SOS 2009] D-Link: Red Segura L2 L3

MITM Attack Scenario
Router DIR-655 (192.168.0.1), MAC: 00-1E-58-41-4C-E3
Switch: 192.168.0.2, GW: 192.168.0.1
PC 1 (Victim): IP 192.168.0.10, Default Gateway 192.168.0.1, MAC 00-15-58-2A-EF-0A
Sniffer PC: IP 192.168.0.11 20 (Spoofed), MAC 00-15-58-2A-E8-BD
Switch configuration:
config address_binding ip_mac ports 1-6,8-10 mode acl
config address_binding ip_mac ports 1-6,8-10 state enable strict
config address_binding ip_mac ports 1-10 forward_dhcppkt enable
create address_binding ip_mac ipaddr 192.168.0.10 mac_address 00-15-58-2A-EF-0A ports 1-10
create address_binding ip_mac ipaddr 192.168.0.11 mac_address 00-15-58-2A-E8-BD ports 1-10
enable address_binding trap_log
enable address_binding arp_inspection
config arp_spoofing_prevention add gateway_ip 192.168.0.1 gateway_mac 00-1E-58-41-4C-E3 ports 7

Page 23: [SOS 2009] D-Link: Red Segura L2 L3

Endpoint Security Solutions of xStack Switches

• Authentication

• Authorization

• Node/Address Control

• Attack Mitigation

• Microsoft NAP Server

Page 24: [SOS 2009] D-Link: Red Segura L2 L3

Microsoft NAP Support
• Advantages of Network Access Protection
  – Authorized users may access systems from authorized endpoints
  – Network Access Protection
    • Evaluates security compliance before the connection is permitted
    • Quarantine and remediation for non-compliant users
    • Identity-based network admission control
  – Automatic endpoint remediation
    • Enforces policy before access is granted
    • Executes updates, programs, software services, etc.

Page 25: [SOS 2009] D-Link: Red Segura L2 L3

NAP Illustration
[Diagram: client, xStack Series switch, Microsoft Network Policy Server, System Health Servers and a Remediation Server; a corporate network and a restricted network]
1. Client to switch: "May I have access? Here's my current health status."
2. Switch to Network Policy Server: "Should this client be restricted based on its health?" (the System Health Servers provide ongoing policy updates to the NPS policy server)
3. NPS, if the client is not up to date: "According to policy, the client is not up to date. Quarantine client and request it to update." The switch tells the client: "You are given restricted access until fix-up."
4. Client to Remediation Server: "Can I have updates?" Remediation Server: "Here you go."
5. Client to switch: "Requesting access. Here's my new health status."
6. NPS: "According to policy, the client is up to date. Grant access!!!" The client is granted access to the full intranet.

Page 26: [SOS 2009] D-Link: Red Segura L2 L3

NAP 802.1X Flow Chart
1. Enable port-based 802.1X with Guest VLAN on the xStack switch; the client stays in the Guest VLAN
2. 802.1X authentication: on failure the client stays in the Guest VLAN; on success, continue with the policy compliance check
3. Policy compliance check: a compliant client is assigned to the Compliance VLAN; a non-compliant client is assigned to the Non-compliance VLAN for remediation
4. When the remediation process is completed, or if the client's compliance status or the company policy changes, the policy compliance check runs again

Page 27: [SOS 2009] D-Link: Red Segura L2 L3

Necessary Policies in the 802.1X NAP Scenario
• Three types of policies should be configured under Network Policy Server, which is a component of Microsoft Windows Server 2008.
  – Connection Request Policy
    • This policy determines which connection requests are acceptable.
    • In the 802.1X NAP scenario, only connection requests from the xStack switch are acceptable.
  – Health Policy
    • A System Health Validator (SHV) determines which elements are checked when validating health status, such as firewall status, anti-virus status, anti-spyware status and so on.
    • The Health Policy adopts SHVs to determine which criteria count as healthy; passing all the SHV checks is considered healthy.
  – Network Policy
    • The Network Policy determines which action is taken based on the health status.

Page 28: [SOS 2009] D-Link: Red Segura L2 L3

How to implement NAP
• Microsoft Active Directory
  – Install Active Directory Certificate Services
• Microsoft Windows Server 2008
  – Install Network Policy Server (the new version of the RADIUS server)
  – Configure the RADIUS settings, correlated with the xStack switch
  – Configure policies, rules and actions:
    • Connection Request Policy
    • Health Policy (System Health Validator)
    • Network Policy
• Microsoft Windows Vista or XP SP3 with NAP client
  – Enable the NAP client enforcement feature
• D-Link xStack DES-3500, DES-3800, DGS-3200, DGS-3400 or DGS-3600 Series
  – Configure the RADIUS settings, correlated with Windows 2008
  – Enable port-based 802.1X with Guest VLAN

Page 29: [SOS 2009] D-Link: Red Segura L2 L3

NAP Server Scenario
[Diagram: Internet; router 192.168.0.1/24; switch 192.168.0.2/24 managed by the administrator; authentication server (Windows Server 2008) 192.168.0.3/24; client 192.168.0.14/24]

Page 30: [SOS 2009] D-Link: Red Segura L2 L3

NAP 802.1X Scenario
Switch IP: 192.168.0.2/24; client: 192.168.0.14/24; AD/NPS/RADIUS server: 192.168.0.3/24. VLANs: Guest VLAN, VLAN 2, VLAN 3.
The client is put in the Guest VLAN initially. If it complies with all requirements, the port the client is connected to is transferred to the Compliance VLAN (VLAN 2 in the example). Otherwise, the port is put in VLAN 3 and waits for remediation. After remediation, the port is authenticated again and transferred to VLAN 2.
Before remediation: client in the NoCumple VLAN (VID 3)
After remediation: client in the Cumple VLAN (VID 2)

Page 31: [SOS 2009] D-Link: Red Segura L2 L3

DGS-3200-10 Configuration
# 802.1X commands
enable 802.1x
config 802.1x auth_mode port_based
config 802.1x capability ports 1-4 authenticator
config 802.1x capability ports 5-10 none
# Set up RADIUS
config radius add 1 192.168.0.3 key secreto default
# Create two VLANs: one for Cumple (VLAN 2), another for NoCumple (VLAN 3)
config vlan default delete 7-8
create vlan Cumple tag 2
config vlan Cumple add untagged 7
create vlan NoCumple tag 3
config vlan NoCumple add untagged 8
# Configure the System IP address
config ipif System ipaddress 192.168.0.2/24 vlan default state enable
# Guest VLAN configuration
create 802.1x guest_vlan default
config 802.1x guest_vlan ports 1-4 state enable

Page 32: [SOS 2009] D-Link: Red Segura L2 L3

Network Access Protection - Resources
• Network Access Protection Web site
  – http://technet.microsoft.com/zh-tw/network/bb545879(en-us).aspx
• Introduction to Network Access Protection
  – http://www.microsoft.com/technet/network/nap/napoverview.mspx
• Network Access Protection Platform Architecture
  – http://www.microsoft.com/technet/network/nap/naparch.mspx
• Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
  – http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
• Network Access Protection: Frequently Asked Questions
  – http://www.microsoft.com/technet/network/nap/napfaq.mspx
• Network Access Protection - TechNet Forums
  – http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads/

Page 33: [SOS 2009] D-Link: Red Segura L2 L3

http://www.dlink.es
ftp://213.27.252.114
User: technet
Password: SOS