19.) Security Pivot (Policy, BYOD, NAC)


Point of View Whiteboard


Control: Ask your network for Security

Extreme is the only company in the industry that takes an architectural approach to bringing products to market (from R&D to product release). Everything we do and create is a part of this Software Defined Architecture [SDA]. Wireless LAN, Wired LAN, Data Center -- It starts with highly reliable, high performance infrastructure. This is our heritage and we have always been outstanding at this: WiFi, Campus LAN all the way to the Data Center. (Ranging from your user to the applications they consume.)

ExtremeXOS -- On top of this, we use a single, consistent and differentiated OS called EXOS (next gen HW will run on EXOS). Lots of companies make high performance hardware, so to truly offer value added differentiation, we include an integrated layer of software into our architecture.

Network Management & BYOD -- We fully integrate management across our entire portfolio. We are very proud that in only 5 months, NetSight became the management platform for the entire portfolio. This was an emphatic message to the market that we take a different approach aligned to our SDA. NetSight has a single, integrated database for all aspects of management. This streamlines operations, enables dynamic management and removes the manual aspect of correlating information.

Application Analytics -- Purview offers application layer analytics, so you can understand what is happening on your network, optimize your environment, help increase productivity and measure adoption. Purview allows you to deliver both tactical and strategic information to make better, more rapid business decisions.

Finally, we offer orchestration across the entire architecture, whether that infrastructure is multi-vendor or not. Orchestration within the data center is available across virtualized workloads and consolidated storage and compute. Extreme is the only company in the industry committed to this type of integration, backward compatibility and openness to support technology partners and third party vendors. Many in the industry have grown through M&A, successfully so, however it has led to a portfolio with lots of products that are not integrated through management or orchestration. Each time you add a product, it increases your complexity with the introduction of a new, disparate management tool.

11/13/2016 Jeff Green's Point-of-View [email protected]

Security Threat Landscape is Changing

The US nuclear missile launch code was set at 00000000 for about 20 years, according to Dr. Bruce Blair, former Minuteman ICBM launch control officer and president of the World Security Institute. This began during the administration of President Kennedy, when he ordered that all nuclear missile sites be secured. The U.S. Commerce Department's National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity in early 2014. It outlined five (5) ways organizations with critical systems could protect themselves and their data from a cyberattack.

Before we explain how the Universal Port works, we should explain the reasoning and motivation behind the invention and development of this unique Extreme Networks differentiator. With the advent of converged networks, we realized that various devices needed QoS and VLANs configured differently on edge ports to sustain connectivity.

We also noticed that, in the course of a workday, more and more people were roaming around a facility moving from cube to conference room to specialized labs. When regulations were introduced and Access Control Lists were used to implement these regulations, we understood that Access Control Lists had to become dynamic. ACLs had to be deployed automatically (on a per user or user group basis) as users log in from different places on the network.

We also wanted an automated defense that really worked in engaged networks. We wanted our Automated Defense to engage as soon as the network detected something. For example, if a second MAC address appears on a security camera, the video signal is probably no longer trustworthy. We saw the need to be able to implement a policy to keep all traffic away from that port, and away from the video monitor display, because the video signal is suspect. Another option we considered was quarantining the traffic on that port to a protected security zone for analysis.

We needed Time of Day policies, too. For example, in areas where wireless is deployed as a service to the public during business hours, we wanted to be able to turn off access automatically. Situations for these types of policies include wireless access in a coffee shop or a public library. Normally, in these types of environments, someone monitors the network during the day to make sure that operations are smooth. In the evenings, when the business is closed, the service must be shut down. If this were done automatically, a specialist wouldn't have to shut down service at the end of the day and then enable service when business hours resume.


Strategic Asset

Security Pivot

People

Performance & Capacity

Flow-based Pkt Proc

Analytics

XoS

Why?

How?

Control; Dense WiFi. Reduce millions of logs to actionable intelligence. Complete Network, Policy and Compliance Solution. Automated correlation and analytics.

Network Components: Router, IPS/IDS, Firewall, Switches, Servers, DMZ, VPN

To sum up the issues then, we basically see our clients wrestling with three core trends. Despite reports that show the majority of network breaches are due to a lack of basic hygiene efforts, there is a growing base of sophisticated attackers pursuing targets of choice in order to steal intellectual property, trade or national secrets, and you need the ability to detect and defend against these bad guys. Few people would disagree that everything is just getting more complex as capabilities brought about by the Internet invade all aspects of our corporate and personal lives. Almost nothing exists in a vacuum anymore. Considering resource constraints, the issue has transcended a lack of budget to also incorporate a lack of skill. Even if you have the funding to add necessary staff, it doesn't mean you're going to find any qualified applicants without conducting a broad-ranging search.

Traditional networks were architected for traffic patterns that flowed primarily north-south (server to client). Virtualization and mobility have significantly increased east-west (server to server) traffic. A change is needed in network elements and architecture to effectively meet these new demands. Virtualization has changed the way applications are designed, deployed and licensed. Multitier or 3-tier network designs can add latency and may impact application performance and user experience.

First generation virtualization provided server partitioning through a hypervisor or hosted architecture; second-generation virtualization added management, capacity planning, P2V and other tools for consolidating production servers. VMware Infrastructure 3 unleashed a leap forward in virtualization by delivering systems infrastructure capabilities for entire farms of heterogeneous industry standard servers and storage independent of the underlying hardware or application/OS workloads.

As part of its network management capabilities, NetSight provides a wireless dashboard and reporting utility for gathering information specific to the wireless network. This dashboard reports on many facets of the wireless network from the channels and protocols in use, wireless bandwidth utilization, and the current status of the controllers and access points. A commonly used report is Top APs where an administrator can find out which APs have the highest utilization. Based on these types of reports, an administrator can be notified of high density areas where an additional AP may be most useful for grouping and load balancing of clients.


Rumor: green M & Ms are an aphrodisiac?

Security like Candy? A hard candy shell, originally designed as a treat for soldiers! Caution: Extreme Metaphor

Extreme Networks Security Risk Manager is an integral component of a complete security intelligence solution that can help security professionals stay ahead of advanced threats. The ability to proactively quantify risk from vulnerabilities, configuration errors, anomalous network activity and threats can help organizations prevent exploits that target high-value assets and data.

Extreme Networks Security Risk Manager correlates network topology information with data from Extreme Networks Security SIEM, including asset configurations, vulnerabilities, network events and flow patterns. This provides valuable insights revealing, for example, which assets and vulnerabilities are causing the most risk, so IT staff can prioritize their remediation tasks. It can also help identify firewall and intrusion prevention system (IPS) misconfigurations that may allow attackers into the network and create inefficiencies in devices.

Extreme Networks Security Risk Manager automates risk management functions in mission-critical areas, helping security professionals safeguard their organizations against an ever-growing spectrum of attacks, vulnerabilities and compliance mandates. On today's smarter planet, organizations require better visibility into their security policies, postures and practices than ever before, because instrumented, interconnected and intelligent businesses collect and use more information.

Extreme Networks Security Vulnerability Manager can help organizations minimize the chances of a network security breach by using a proactive approach to finding security weaknesses and minimizing potential risks. It uses a proven vulnerability scanner to collect up-to-date results, but unlike other solutions, it leverages the capabilities of the Extreme Networks Security Analytics Platform to present the data within the overall context of the network usage, security and threat posture.

Designed to consolidate results from multiple vulnerability scanners, risk management solutions and external threat intelligence resources, Vulnerability Manager operates like a centralized control center to identify key security weaknesses that need to be addressed to help thwart future attacks.

Attack timeline (9:00 to 15:00): Valid User Credentials, Foothold, Pivot, Lateral, Escalate, Persistence, Call back, Target, Breach. "Go Unnoticed While Roaming Freely on the Network."

Response: Threat Intel, SOC, IR, Log analysis, Forensics, Search for evidence (IOCs), Report context, Remediate, Automate.

Now What?

Whether the term used is "Advanced Persistent Threat (APT)," "advanced threat" or "state-sponsored threat actor," cyberattacks are increasing in sophistication and the amount of damage they can inflict. If an organization experiences an intrusion, it does not necessarily mean that they will experience a substantial loss of sensitive data. A critical time period exists during an attack - the period of time after the attacker has established a presence in the targeted environment, but before the attacker has been able to identify, access and exfiltrate key data. If an intrusion is detected before critical data is exfiltrated, the impact can be minimized. Organizations must develop capabilities not only to prevent successful attacks, but also to detect attacks in progress.

Extreme Networks Security Analytics Log Management analyzes all the data from various network and security devices, servers and operating systems, applications, and a wide assortment of endpoints to provide near real-time visibility into developing threats and to meet continuous compliance-monitoring requirements. With the Log Management flexible query engine, diverse log data is aggregated and correlated into actionable IT operations and security forensics to help identify patterns of attack, anomalies, access and use of confidential data, and insider threats.

There are two problems. Firstly, consider a 100,000 to 1 reduction ratio of events to correlated incidents. On the surface, this sounds impressive, but for companies generating 2 billion events per day (and you don't need to be a massive company to do that), it will leave that company's security team with 20,000 incidents per day to investigate. Traditional SIM correlation can't get the data reduced enough, and of course Log Managers can't even get a 10,000 to 1 reduction ratio. Secondly, an exclusive reliance on event correlation assumes that the criminals intent on attacking your company will not figure out ways to disable or bypass logging infrastructure, but that's practically their entire focus, and you can't correlate logs that are not there! This limitation results in missed threats or a very poor understanding of the impact of a breach.

Taking in data from a wide spectrum of feeds (a good SIEM that can bring things together) and continually adding context gives increased accuracy. For security threat management the key challenge is to reduce millions of logs to actionable intelligence that identifies key threats. Traditional first-generation SIEMs achieve this by leveraging correlation (five failed logins followed by a successful login, for example) to identify suspected security incidents. Event correlation is a very, very important tool, but it's not enough.
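The correlation rule the paragraph above uses as its example (five failed logins followed by a success) is shown here as an added example in Python; it is not code from the deck or from any Extreme or IBM product. The log line format, the field names, the threshold and the ten-minute window are assumptions made for this example, and the log lines themselves are constructed. The third account in the sample shows the edge case a practitioner cares about: the same five failures do not become an incident when the success falls outside the correlation window.

```python
"""Added example: a first-generation SIEM style correlation rule run over
constructed auth log lines, plus the event-to-incident reduction arithmetic
from the accompanying text. Log format, field names and thresholds are
assumptions for this example, not any product's real format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like). Not real data.
SAMPLE_LOGS = """\
2016-11-13T09:00:01 auth: FAIL user=alice src=10.0.0.5
2016-11-13T09:00:03 auth: FAIL user=alice src=10.0.0.5
2016-11-13T09:00:05 auth: FAIL user=alice src=10.0.0.5
2016-11-13T09:00:07 auth: FAIL user=alice src=10.0.0.5
2016-11-13T09:00:09 auth: FAIL user=alice src=10.0.0.5
2016-11-13T09:00:12 auth: OK user=alice src=10.0.0.5
2016-11-13T09:01:00 auth: FAIL user=bob src=10.0.0.9
2016-11-13T09:01:02 auth: OK user=bob src=10.0.0.9
2016-11-13T09:30:00 auth: FAIL user=carol src=10.0.0.7
2016-11-13T09:30:01 auth: FAIL user=carol src=10.0.0.7
2016-11-13T09:30:02 auth: FAIL user=carol src=10.0.0.7
2016-11-13T09:30:03 auth: FAIL user=carol src=10.0.0.7
2016-11-13T09:30:04 auth: FAIL user=carol src=10.0.0.7
2016-11-13T09:45:00 auth: OK user=carol src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines we cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, never silently counted
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (events_seen, incidents). An incident is a tuple
    (user, src, first_failure_ts, success_ts): at least `threshold` failures
    for the same user/source, all inside `window` before the success."""
    fails = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    incidents = []
    events = 0
    for raw in lines.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        events += 1
        key = (ev["user"], ev["src"])
        q = fails[key]
        # Expire failures that fell outside the correlation window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        else:
            if len(q) >= threshold:
                incidents.append((ev["user"], ev["src"], q[0], ev["ts"]))
            q.clear()  # a success resets the counter either way
    return events, incidents


def reduction_ratio(events, incidents):
    """Events per correlated incident (the '100,000 to 1' figure in the text)."""
    return events / max(len(incidents), 1)


def daily_incident_load(events_per_day, ratio):
    """Incidents an analyst team is left with at a given reduction ratio."""
    return events_per_day // ratio


if __name__ == "__main__":
    seen, found = correlate(SAMPLE_LOGS)
    print(f"{seen} events -> {len(found)} incident(s): {found}")
    print("2e9 events/day at 100000:1 ->", daily_incident_load(2_000_000_000, 100_000))
```

Running the block prints one incident (alice from 10.0.0.5) out of fourteen events and the 20,000 incidents per day figure the text quotes. Carol's five failures produce nothing because her success arrives fifteen minutes later; whether that is the desired behaviour is a tuning decision, which is the point the text makes about correlation alone not being enough.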


Is Your Firm's Environment Secure? Do you have:

- Port scanning and remediation
- Perimeter vulnerability scanning
- Timely OS patching
- Network-level DDoS detection and prevention
- Auditing of all operator access and actions
- Just-in-time elevations
- Automatic rejection of non-background-check employees to high-privilege access
- Automatic account deletion: when an employee leaves, when an employee changes groups, when there is lack of use
- Isolation between mail environment and production access environment for all employees
- Automated tooling for routine activities

At this point, network administrators need more than firewalls, intrusion detection system/intrusion prevention system (IDS/IPS) solutions, and data leak prevention software for protection. Only by supplementing these technologies with solutions that record every network "movement" and perform post-attack analysis are organizations better protected. Never assume that a network security breach can't happen to you. No enterprise is immune to data security breaches. Governments and corporations alike need to have contingency plans in place to perform network forensics once a breach occurs. Network security is mostly designed to prevent attacks. But attacks continue to happen (the press is full of documented breaches), and most victims don't have the right equipment or policies in place to properly analyze a compromise once it occurs.

It's not enough to have a workforce trained in best cyber-security practices; it's also important to make sure your technological innovation is optimized to deflect network breaches. That includes installing current patches for the firewall and software applications. Anti-virus software should be in place and constantly updated as security threats change from day-to-day. Guests who are using a business's wireless network should not have access to internal systems.

Once your systems and procedures are in place, you have to constantly monitor how they are working, because new cyber threats develop very quickly. It's crucial that you set up a routine schedule to recheck three things on a regular basis. You must treat this as a task of high importance because a security breach can kill your business.

Networks are constantly under attack, whether it's the casual attention-seeker or a sophisticated and stealthy advanced persistent threat (APT).


Attack your security gap: What is your Pucker Factor? Risk Assessment, Commodity Threats, Breach (event), SOC (time to detect), IR (time to respond), Analytics, Targeted (APT), Intel (contain), Pivot

Response

Detect

identify Potential Risk (shiny Objects)

SIEM logs activity in the XYZ Account compute environment.

Intelligence to respond: what actions should XYZ Account take?

Logs or Events

Analytics

CAD Oracle Netflix

It is all about time

Bad Actor

With Q1's SIEM platform as the foundation, IBM plans to tie together its database security, endpoint management, network security and application security offerings and bolster them with analytics capabilities to get more actionable data out of those systems. "There is a fundamental change that is occurring in the security world where focus is moving from individual point products solving a particular job to something more expansive," Hannigan said. The Extreme X-Force Threat Intelligence / Security Analytics portfolio is an integrated family of products that helps detect and defend against threats by applying sophisticated analytics to more types of data. In doing so, the platform helps identify high-priority incidents that might otherwise get lost in the noise. And you can extend these comprehensive analytics still further, using X-Force Threat Intelligence to augment security analytics capabilities by feeding its proprietary threat insights, including data on malware hosts, spam sources and anonymous proxies.

Tactical Approach (Compliance-driven, Reactionary):
- Rely on pattern matching to find specific instances of attacks
- Rely on other add-on products like proxies and application firewalls
- Targets only certain types of broad attacks
- Solution provider obtains their research from third parties

Strategic Approach (Intelligence-driven, Continuous):
- Block entire classes of attacks, including mutations
- Protect against user-focused & application-level attacks
- Protect against advanced malware & persistent threats
- Offer industry-leading security research and development
- Seamlessly integrate with an entire portfolio of industry-leading security solutions


Traditional Castle Defenses

- Keep: last building in the castle to fall
- Moat / Main Gate: outer perimeter controlling castle access
- Inner Perimeter: stronghold, higher walls; creates a containment area between Inner & Outer Perimeters

So what is the Universal Port? It is all about simplifying edge configuration. Although the Universal Port framework is more powerful and can be used for other applications such as automating general switch configuration, this presentation focuses on automating edge port configuration. The Universal Port is absolutely innovative. The flexible framework of the Universal Port enables the switch to take actions based on events. Extreme Networks has filed a patent application on this new approach in network automation.

Where is the Universal Port? The Universal Port is embedded in all Extreme Networks switches that use the ExtremeXOS operating system with an Edge license or higher. It is available end-to-end, from the Summit X250e up to the BlackDiamond 10898 and 12804.

How does it work? By leveraging ExtremeXOS CLI scripting capabilities, the Universal Port activates what we call Dynamic profiles based on trigger events. Dynamic profiles can be created and managed either manually with the ExtremeXOS CLI or through the NetSight Universal Port Manager. The NetSight Universal Port Manager is a simple-to-use GUI that supports editing and debugging, mass deployments and updates, and can also run audits on Universal Port profiles and modules in the network. The Universal Port trigger events currently supported are standards-based authentication, device discovery, and Time of Day.

What's so great about the Universal Port? Universal Port Dynamic profiles can be configured automatically based on who logs onto the network and what connects to the network. The Universal Port provides flexibility, saves configuration time, and can dramatically reduce configuration errors. Before the invention of the Universal Port, when devices were added, moved, or changed, IT personnel had to be available to place equipment, and then configure both the network port and the new device. This was tedious and expensive, typically took a long time, didn't support mobility and was error prone.


Defense in Depth: A Cascade of Security Zones

- Access Control
- De-Militarized Zone (DMZ): Outer Perimeter
- Internal Network (Intranet): Inner Perimeter Stronghold
- Mission Critical Systems: Internal Firewall, Keep
- Dynamic State Tables (repeated for each firewall in the diagram)

Ordering and organizing helps to improve security. One way of organizing is the classification of documents; another way is the structuring of the network. Most companies distinguish several network zones, but there is no generally accepted zone definition or zone naming scheme. Typically companies distinguish at least three zones. There may be further specifically secured zones within the Intranet, which are protected against attacks from hosts on the Intranet. These zones contain mission critical systems or organizations with high security requirements (e.g. the police department within a government organization).

1. Internet (insecure zone): This zone is insecure for all practical purposes. It has no means of protecting the network from the others. The only security in this zone comes from the machine itself.
2. Demilitarized Zone (DMZ): This zone is separated from the Internet by a first part of a firewall (typically a Filtering Firewall). It usually holds those servers which are accessed frequently from the Internet (e.g. the company web server, DNS with the address mapping of the public addresses, the mail server).
3. Intranet (secure zone, trusted zone): This zone is separated from the DMZ by a second part of a firewall (typically a proxy server, i.e. an Application Level Firewall), which processes requests for connections from the internal network to the outside.

Before we dive into the mechanics of the Universal Port, let's clarify some terminology. Profiles should not be confused with policies. Policies are special cases of a profile. Typically a policy implies security. Our profiles are more powerful. For example, they provide capabilities for Voice over IP phones, such as the PoE budget, and include information like the location of a particular port that can be advertised to connecting devices.

There are two types of profiles associated with the Universal Port: static and dynamic. Let's start with static profiles. Static profiles are port profiles that include port settings, beginning with and including Access Control Lists, rate limiting, rate shaping, Quality of Service, VLAN, interface speed, PoE budget, etc. Static profiles are not limited to individual ports but can include system wide configuration changes. As default settings, static profiles are NOT event driven. Static profiles are assigned to a port and are not specific to a device or a user. Static profiles are default settings or baselines for ports, leveraging ExtremeXOS scripting. Before ExtremeXOS scripting capabilities were introduced, to make a network change an administrator had to run a CLI session, or edit a template to reflect the correct settings such as a port number and then cut and paste the commands into a Telnet or console session.
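To make the static/dynamic profile distinction and the trigger events concrete, here is an added example in Python that models the behaviour described for the Universal Port in the earlier motivation (dynamic ACLs on login, a second MAC on a camera port, time-of-day guest service) and in the description above (static baseline per port, dynamic profiles activated by authentication, device discovery and Time of Day triggers). It is not Extreme's code: real profiles are ExtremeXOS CLI scripts, not Python dictionaries, and the profile names, VLAN and ACL labels, business hours and the quarantine rule are all assumptions made for this example.

```python
"""Added example: a toy event-driven port profile engine. A static profile is
the per-port baseline; a dynamic profile is layered on top when a trigger
event arrives; link-down returns the port to the baseline. Profile contents,
trigger names and the camera quarantine rule are assumptions for this example,
not Extreme Networks' real Universal Port implementation."""
from dataclasses import dataclass, field

# Static profile: the baseline every port starts from (assumed values).
STATIC_PROFILE = {
    "vlan": "default", "acl": "deny-all", "qos": "best-effort",
    "poe_watts": 0, "enabled": True,
}

# Dynamic profiles keyed by the trigger that activates them (assumed values).
DYNAMIC_PROFILES = {
    "auth:engineering":  {"vlan": "eng", "acl": "eng-acl"},
    "auth:finance":      {"vlan": "fin", "acl": "fin-acl"},
    "device:voip-phone": {"vlan": "voice", "qos": "voice", "poe_watts": 15},
    "device:camera":     {"vlan": "cctv", "acl": "cctv-acl", "poe_watts": 12},
    "quarantine":        {"vlan": "quarantine", "acl": "quarantine-acl"},
}

BUSINESS_HOURS = (8, 18)  # guest service is enabled from 08:00 up to 18:00 (assumed)


@dataclass
class Port:
    name: str
    guest_service: bool = False
    config: dict = field(default_factory=lambda: dict(STATIC_PROFILE))
    macs: set = field(default_factory=set)

    def apply(self, profile_name):
        """Layer a dynamic profile over the current configuration."""
        self.config.update(DYNAMIC_PROFILES[profile_name])

    def reset(self):
        """Return to the static baseline."""
        self.config = dict(STATIC_PROFILE)
        self.macs.clear()


def on_event(port, event):
    """Dispatch one trigger event to a port and return its resulting config."""
    kind = event["type"]
    if kind == "auth-success":
        # Who logged in decides the ACL/VLAN (per-user-group dynamic ACLs).
        port.apply("auth:" + event["group"])
    elif kind == "device-discovered":
        # What connected (e.g. via LLDP) decides voice VLAN, QoS, PoE budget.
        port.apply("device:" + event["device"])
    elif kind == "mac-learned":
        port.macs.add(event["mac"])
        # A second MAC behind a camera port means the video feed is suspect:
        # move the port into the quarantine zone for analysis.
        if port.config["vlan"] == "cctv" and len(port.macs) > 1:
            port.apply("quarantine")
    elif kind == "time-of-day" and port.guest_service:
        start, end = BUSINESS_HOURS
        port.config["enabled"] = start <= event["hour"] < end
    elif kind == "link-down":
        port.reset()
    return dict(port.config)


if __name__ == "__main__":
    cam = Port("1:1")
    on_event(cam, {"type": "device-discovered", "device": "camera"})
    on_event(cam, {"type": "mac-learned", "mac": "00:00:5e:00:53:01"})  # constructed MAC
    print(on_event(cam, {"type": "mac-learned", "mac": "00:00:5e:00:53:02"}))
    guest = Port("1:2", guest_service=True)
    print(on_event(guest, {"type": "time-of-day", "hour": 20}))
```

The design point worth noticing is that every dynamic change is keyed to an event the switch itself observes, and link-down restores the baseline, so a port never keeps a user's ACLs after that user has left.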


Search & Pivot - IPS

Diagram labels: Internet; DMZ (IPS, IPS); Core Network (IPS); User Network (IPS); IDS; Management Server.

Broad Attacks versus Multi-faceted Targeted Attacks: Commodity Threats, Worms & Bots; Advanced Persistent Threat (APT), Advanced Targeted Attacks.

Brendan Hannigan, CEO of Q1 Labs, is betting his firm's customers will want to get more out of their SIEM deployment. Hannigan, whose firm was acquired by IBM recently, is going to lead a new division that brings together all of IBM's security offerings.

APT actors frequently target the same victims over a period of months and sometimes years to acquire targeted information or to attack the target. In other cases, actors may find a victim's environment or particular network unappealing for technical or political reasons, and will seek alternative approaches to acquire similar information or achieve the same effect. The commonality lies in the actor's continued interest in obtaining information or perpetrating an attack that supports their goals, whether that requires changing victims, a sustained presence in a network, or another tactic.

Firewalls, IPS appliances, and database and application servers generate heaps of data that can help organizations better understand the threats to their network and ultimately give CISOs the ability to make wiser security decisions. It's the need for a more powerful analytical engine to get value out of all that data that is driving large infrastructure vendors such as IBM and HP to acquire SIEM systems, according to analysts.

Tactical Approach (Compliance-driven, Reactionary):
- Rely on pattern matching to find specific instances of attacks
- Rely on other add-on products like proxies and application firewalls
- Targets only certain types of broad attacks
- Solution provider obtains their research from third parties
- Piece-part solution



Use your network as a key part of your Security Framework

Access, Visibility, Protection, Analytics

IDS/ IPS

NGFW

SIEM

Automation

Command Control

Enforcement; Scout

Front lines

We need to look at security today very differently than in the past. Previously, our defenses were built around the premise of stopping a set of known attacks by protecting our perimeters using a signature-based approach embedded in a firewall rule, an IPS, or even your endpoint protection solution. Our usage of technology has fundamentally changed, and these are the key drivers. Today's attacks are targeted at your organization in a fashion that nobody has ever seen before. What that suggests is that traditional approaches, while still important, are no longer sufficient. Part of what we'll talk about today is how we can apply new capabilities across all the veins of security technology to address applications and data being compromised. No one product can solve all these problems, and even if you believe you are protected, there are new things coming like cloud and mobile, which make the security problem even more complex.

Why is your network secure? Most customers would respond with something like this: "I have the latest and best technology, I do regular vulnerability scans, I do an annual penetration test, and I am in compliance with my industry's security requirements and standards." At face value, that sounds like a solid answer, and it appears that the IT professional is taking the necessary steps to ensure that his company's network is secure. In reality, it is more likely that this answer is only partially correct. So how does an organization achieve truly effective cyber readiness?

Following suit with Google Play and the iPhone App Store, one can envision a new App Store for the DCs, selling both User-Ex-as-a-Service and Admin-as-a-Service, opening up the services of that DC to the developer community to consume, creating new and unique value for end-user consumers in whatever vertical the Data Center is providing services for. This brings the iPhone/Android experience to the DC.

No business is immune to cyber-attack and in fact, businesses should expect that its just a matter of time before an attacker succeeds. Vulnerability Manager helps you develop an optimized plan for addressing security exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help security teams gain the visibility they need to work more efficiently and reduce cost. Our SIEM solution helps prevent security breaches by discovering and highlighting over 70,000 known dangerous default settings, misconfigurations, software features and vendor flaws.

In spite of the efforts that IT professionals across all industry verticals take to secure their networks, the widely accepted approach of deploying the latest technology, conducting vulnerability assessments, and following compliance checklists is not adequate. While each of the aforementioned components is important, they are generally applied independently and without operational context, which means they are viewed as administrative functions. The notion that network security is an administrative issue is problematic because virtually every company relies on its network to conduct business operations.


How can your networks be protected from your own users? (NAC, BYOD, Identity)

First the user attempts access to the network. Their access is initially closed until credentials and posture information is collected on the end-station. Once this information is collected, the NAC Server validates the credentials and evaluates the posture information and decides if the end station is compliant. If not, the user is quarantined and their access is separated from the network in order to be remediated. If the user is deemed compliant, then the device is placed on a certified devices list and network access is now granted.

We found that our corporate network infrastructure was vulnerable to virus or worm outbreaks from many sources, some of which could be internal users. In the next section we will highlight some of the problem areas.

NAC Integration provides the ability to forward DHCP traffic from a controller to a configured NAC server. When a controller is configured to be a topology's DHCP server, or a relay for a topology, and this feature is enabled, traffic is forwarded to the NAC server. The NAC Integration Options screen provides a list of NAC servers that will accept DHCP messages from the controller. A maximum of three addresses can be entered, and only one address can be entered for each NAC server. To stop DHCP forwarding, all configured NAC servers need to be deleted from the list. The screen lists the NAC Server, NAC Name and IP Address, and provides the ability to add a new server or delete an existing entry.

If we were to provide a more secure environment by improving each of the areas where we found gaps in the existing solution, we would start by deploying a more comprehensive endpoint security suite. This suite of software would have to include anti-virus, anti-spyware and host intrusion prevention capabilities. We would also change the corporate security policy to state that users are not allowed to disable any endpoint security protections. The deployed suite would have to be configurable in such a way as to prevent end users from disabling any of the protections enabled. We would also deploy our existing personal firewall solution to every corporate workstation instead of only the VPN enabled laptops. Finally, we would develop a new employee education campaign to stress the importance of maintaining a secure corporate computing environment.

Improve Endpoint Security
Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities
Define and enforce policies that do not allow end users to disable these protections
Deploy personal firewall software to all computers, not only VPN-enabled systems
Design an employee education campaign stressing the importance of maintaining up-to-date security software definitions

12 11/13/2016 Jeff Green's Point-of-View [email protected]

What is a SOC, CISO or Analyst?

SIEM - The term Security Information and Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005, describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data.

Security Information and Event Management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). The acronyms SEM, SIM and SIEM have sometimes been used interchangeably. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).

Log Management

Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event logs, etc.). LM covers log collection, centralized aggregation, long-term retention, log analysis (in real time and in bulk after storage) as well as log search and reporting.

Challenges
Analyzing Logs for Relevant Security Intelligence
Centralizing Log Collection
Meeting IT Compliance Requirements
Conducting Effective Root Cause Analysis
Making Log Data More Meaningful
Tracking Suspicious User Behavior


Solution with Palo Alto Networks

Solution Benefits
Accurate User ID to IP mapping to eliminate potential attacks and provide reliable, out-of-the-box user information to Palo Alto
Improved security that blocks/limits user access at the point of entry without impacting other users
More accurate network mapping for dynamic policy enforcement and reporting

Converged networks, private clouds, public clouds, data center virtualization, virtual desktops, Bring Your Own Device (BYOD) and a host of other changes are transforming the way organizations use networks. Along with the potential for cost savings and increases in productivity comes a new set of security challenges. The best practice for securing this new environment requires fine-grained user and application level access control for networked data and resources. In order to provide this level of granularity a security solution must control all points of access into the network including: the Internet edge, wired access edge and wireless access edge as well as the interior perimeters of critical resources like data centers.

Old-style firewalls that control access to data and other resources by IP address and well-known port numbers are not well suited for today's environment, where many web-based applications share a common port. Nor are they flexible enough to permit one user access to an application such as peer-to-peer file sharing and deny another user access to the same application.

1. User logs into the network over wired or wireless
2. NetSight/NAC applies config and VLAN to user
3. NetSight/NAC informs FW of connected user so FW can apply policy
4. FW monitors external user activity
5. FW notifies NetSight/NAC of suspicious user activity and blocks external access
6. NetSight/NAC blocks internal user traffic

Requirements

Software - Extreme
Extreme Networks NetSight 6.1 or above with Advanced License
Extreme Networks NAC 6.1 or above
Extreme Networks OneFabric Connect Software
Hardware
Any RFC 3580 switch that can support at least MAC authentication (requires Kerberos or Web Registration via NAC), Kerberos Snooping, or better, 802.1X authentication

Services
PS-OFCONNECTREMOTE: Remote installation of the OneFabric Connect
PS-OF-Connect-ESU: On-site installation of the Enterasys OneFabric Connect


Network Security Challenges

99.99 % Uptime

Is my edge under control?
Wireless: Outside my Building
VoIP: Ports Everywhere
Lobby, Metro: Customer Premises Equipment
Are my users authorized?
Are the devices clean?
Are my resources protected from users?
Are my users protected from each other?
Is my network itself attack-safe?
How do I update security and my network without impacting availability?
Manage security at edge layer or core layer?
Regulation compliance, data privacy?


Policy? Application Delivery in Minutes

"A port is what it is because of what or who is connected to it."

Action: Allow, Rate Limit, Contain, Deny (on a Single SSID/VLAN or across Multiple VLANs)
Device? District Owned, Approved BYOD, Unapproved BYOD, Directory Unaware, Guest Device
Access? Wireless, Web based, MAC, Wired, 802.1X
Location? Library, Gym, 5 ft from an Access Point, Hallway, Classroom
User? Guest, Student, Faculty/Staff, Admin
Application? HTTP, Online Testing, YouTube, Twitter, Facebook, SIS, VDI
Time? Weekends, Holidays, M-F 8 am to 6 pm, Anytime

This slide is designed to set the stage: speak about transformative business changes occurring on a global scale. Connect CIOs to the business and the need to leverage technology to make better business decisions. The huge amount of data and apps can be daunting, but there's a ton of information flowing through every organization that is not being analyzed. Every business considers connectivity a strategic need, yet few think of the network as a business asset.

Transition from this slide by suggesting that "what's in the network can be a source of intelligence; it's not just about speeds and feeds and bigger pipes". Lay the groundwork and get the audience thinking about this concept. In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications. IT infrastructure has become a significant source of differentiation for companies in every industry. Without doubt, a company's mission-critical applications are important in driving the business agility needed to enhance competitive advantage, profitability, and shareholder value. Yet many companies are still hamstrung by the legacy systems of the past, which are rigid, difficult to manage, and very expensive. I'd like partners to know that this change is an opportunity to reset decisions and customer solutions. Now there's a choice between physical and virtual, and in how we can package those together. As all sorts of clouds and microservices proliferate across the IT landscape, the market is heating up for cloud management platforms that can simplify provisioning and management of those often disparate technologies.

The Open Networking Foundation and other SDN innovators recognized that some type of abstraction layer was needed to support hardware independence, and two major interoperability enablers have been developed: Table Type Patterns (TTPs) and flow objectives. These abstraction frameworks provide a foundation for full interoperability between OpenFlow v1.3-enabled switches -- including hardware-based switches--making it safe for network operators of all types to start investing in SDN built on such hardware.

This kind of interoperability is a major turning point for the OpenFlow protocol and SDN in general. Customers can now buy OpenFlow v1.3-enabled switches from different vendors to meet specific use cases or network requirements (for example, provider edge, enterprise core, or data center top-of-rack) and be assured they'll interoperate. Likewise, SDN applications and controllers no longer need to be written to specific hardware. Based on business needs, you can decide what you want in the forwarding plane and know it will work with the software and control structure above.

Two new abstraction frameworks ensure interoperability between OpenFlow v1.3-enabled hardware-based switches from different vendors. TTPs are an optional mechanism for enhancing usability of the OpenFlow protocol. Functioning like a control profile or OpenFlow template, a TTP explicitly describes a logical forwarding pipeline in OpenFlow terms. A controller and switch negotiate which TTPs to use at connection time, making it clear before run-time what OpenFlow messaging needs to be supported.


Policy Components (Layer 1 through Layer 4)

Any device, location, application

if X + Y, then Z: if a user matches a defined attribute or value, then place the user into a defined Role (Faculty, Student, Guest)

Roles: optimized performance
Services
Rules: device level; classification rule behavior based upon L2, L3, and L4 packet fields

Services are simply Policy Manager Containers for groups of similar Rules.

XYZ Accounts: Event-Driven Expenses

I also wanted to go through one of the other dynamics that a lot of enterprises confront as they think about the costs they incur on an operational basis. I will call this the Cost to Chaos Ratio. We are all familiar with the idea that as chaos or change rates within a particular network go up, so do your costs. You have a lot of people moving around with adds, moves and changes, and you have new applications added to the network. If you are merging with other companies or doing acquisitions, the operational costs and ongoing design costs that you will confront in your network infrastructure will start to skyrocket. (Monthly costs to complete adds, moves, and changes are estimated at $150 per change; users in the model move once every 2.5 years.) Design Equity helps you lower these redesign and rebuild costs. Service rules can be defined and shared across multiple roles in the network. For instance, a base level of access can be defined in one spot and shared across multiple Roles. In addition to access permissions, service rules and roles can also define differing levels of Class of Service.

Roles are business-level groupings built to correspond to specific user types on the network. Roles are named logically, i.e. Administrator, Employee, Guest, Server, etc. The Network Administrator places end users or equipment (servers, printers, etc.) into groups according to the way the network should treat their traffic. Roles may be assigned to an end system in one of two ways: statically or dynamically. A role can be assigned statically to an end system by an administrator explicitly configuring a role on a specific switch port. A role can be dynamically assigned to an end system if the end system authenticates to the network. Rules are the individual granular policies that are enforced at the port level. Network Administrators decide what types of traffic they want to allow, deny, rate limit or prioritize, and use the Policy Manager GUI to create corresponding Rules. Services are simply Policy Manager containers for groups of similar Rules. Grouping Rules allows the Network Administrator to apply rules in groups rather than as individual components. To support modularity of network resource provisioning with policy, services can be assigned to more than one role if the role demands the same set of network resources defined by the service.


Policy-based Networking (Guest Onboarding)
Policies can be applied to the entire network with a single click
Passive policies for what-if scenarios prior to enforcing
Rules allow, deny, rate limit or contain

Built-in Access Control: Policy + ACLs, CDPv2 & LLDP, Sampled NetFlow

Example roles: IT Admin, Employee, Guest, Oracle VPN Admin
Example rules: Allow HTTP, Allow HTTPS, Allow IPSec, Allow SAP, Rate Limit, Allow Ping, Allow Telnet, Allow Email, Allow TFTP, Allow SNMP, Allow Oracle, Deny Blast

NetSight policy management centralizes all the policies for users, applications, protocols, VLANs, ports, and data flows. It automates the definition, distribution, and enforcement of policy rules across the entire network. With an intuitive user interface, administrators can define policies once and then automatically enforce them on Enterasys policy-enabled infrastructure devices. Unified wired/wireless policy management consolidates user access to protect IT services. Policy management defines global user policies, dynamically updates and continuously enforces policy across wired and wireless environments. Packets are inspected and filtered at the AP and admitted or blocked based on the user's policy.

A centralized management system to centrally define policies for user access to both the wired and Wi-Fi networks. This provides consistency for the user regardless of how they access the network and eliminates duplication of effort for IT by applying a single set of policies to both the wired and Wi-Fi networks.
Policies should be dynamic in nature so that they can automatically change or adapt based on things like time of day, location, device type, user, and application.
A good PBNM system should configure and store the policy on a centralized management system but distribute it throughout the network for control.

Since policies are configured centrally and distributed remotely, the network can scale indefinitely without increasing the complexity of controlling user/device access. Additionally, the flexibility of policies allows IT to quickly onboard new users, remove departing users, or quickly change existing user/device policy. How does it work? Policies are defined centrally and distributed throughout the network, where they are applied against both wired and Wi-Fi users as they access the network.

Policy role-based administration

Centrally Managed (if X + Y, then Z; Layer 1 through Layer 4)
No Scripts
No Element Management
Can be applied to the entire network with a single click

Authentication is the ability to acquire and verify the appropriate credentials of a user or device (supplicant) attempting to gain access to the network. A visual representation of policy's architecture with roles, services, and rules is shown in this figure for an example policy deployment in a higher education environment. In this example, four roles exist: Network Administrator, Faculty, Student, and Guest, where each role defines a distinct set of network resources that are allocated to end systems when the role is assigned to a port. As shown in this figure, the Faculty role is associated with the Administrative Protocols, Acceptable Use, and Legacy Protocols services.

Policy User/Device Authentication is integrated with EXOS NetLogin. The following methods can be used for User/Device Authentication in version 16.1: NetLogin will authenticate (802.1X, MAC, Web Auth) and only then hand over to Policy for actions.
Enables simple management of complex network policies, including Quality of Service, Class of Service, authentication modes, RADIUS, etc.: port and global authentication settings for MAC-based, Web, and 802.1X authentication, RADIUS configuration.

Each of these services contains a set of classification rules, each of which implements multilayer traffic classification logic at the port level to define a set of network resources. Therefore, when the Faculty role is assigned to a port, all traffic received on this port is manipulated by the classification rules defined in the Administrative Protocols, Acceptable Use, and Legacy Protocols services. So, an end system that is assigned the Faculty role will have any TFTP, Telnet, and SNMP traffic it generates discarded at the port of connection, as defined by the Administrative Protocols service, as well as DHCP Reply, RIP, OSPF, AppleTalk, DECnet, and IPX, as defined by the Acceptable Use and Legacy Protocols services. Otherwise, all other traffic will be allowed on the network.

Role Based Policy: Secure Enterprise

User Role (Guest/Finance/Engineering/Administrators)
User/Device authentication, policy definition and management
Rules & Services enforcement for secured access
Secure Application Access
XoS delivers 1024 authenticated users per switch.


Visibility, security, and intelligent control, all through a single pane of glass. Only Extreme Networks can provide the most granular visibility in the industry, including per-port policy management, per-device layer 2-4 access control, QoS/priority, rate limit/shape, and much more. Authentication is the ability to acquire and verify the appropriate credentials of a user or device (supplicant) attempting to gain access to the network. The art of network management has been around as long as networks have. Network management systems, tools and methodologies will continue to evolve as the size and complexity of networks continue to grow. PBNM reduces the complexities of managing user/device network access by automating user/device rules for accessing the network and network resources. This frees up IT resources and eliminates complexity for the user. This is the fourth post on the topic of network management; please stay tuned for additional posts on this subject.

Policy User/Device Authentication is integrated with EXOS NetLogin. The following methods can be used for User/Device Authentication in version 16.1: NetLogin will authenticate (802.1X, MAC, Web Auth) and only then hand over to Policy for actions.
In addition to the previous authentication methods, Multiple Authentication Method (Multi-Auth) as well as Multiple User Authentication (Multi-user) per port are supported.

Policy is a unique functionality across the Extreme wired and wireless infrastructure. At a high level, policy is built around the concepts of user or device roles and access rights that are permitted or denied. A role is a container that typically defines the current state of a device or a logical business function. For instance, there may be a role called IT Administrator, in which it's expected that full access would be granted. There may also be a role called Quarantine, in which the device is denied standard network access. Roles have a default level of access, which can be permit or deny. However, more granular definitions can be made via service rules.

Ability to handle up to three distinct authentication methods
The authentication method with the highest precedence will be applied
Users identified by source MAC: Policy has a global scope on the device, not tied to a specific port on the device


Role Based Policy Platform Scaling

Feature                      | X620 / X440-G2      | X450-G2              | X460-G2              | X670-G2             | X770
Policy Profiles              | 63                  | 63                   | 63                   | 63                  | 63
Rules per Role (Profile)     | Up to 440           | Up to 952            | Up to 952            | Up to 952           | Up to 952
Authenticated Users / Switch | Up to 256           | 1024                 | 1024                 | 512                 | 512
Authenticated Users / Port   | Unlimited up to 256 | Unlimited up to 1024 | Unlimited up to 1024 | Unlimited up to 512 | Unlimited up to 512
Unique Permit/Deny Rules     | 440                 | 952                  | 952                  | 952                 | 952
MAC Rules                    | N/A                 | 256                  | 256                  | 256                 | 256
IPv6 Rules                   | N/A                 | 256                  | 256                  | 256                 | 256
IPv4 Rules                   | 256                 | 256                  | 256                  | 256                 | 256
L2 Rules                     | 184                 | 184                  | 184                  | 184                 | 184
Rate Limiting                | CoS MIB*            | CoS MIB*             | CoS MIB*             | CoS MIB*            | CoS MIB*

Role-Based Policy with Extreme Control Policy Manager
Centrally managed, global policy deployment based on user roles
Centralized management via NetSight Policy Manager
Brings enhanced policy capabilities to the low-end stackable switching line

Enables simple management of complex network policies, including Quality of Service, Class of Service, and authentication modes
Port and global authentication settings for MAC-based, Web, and 802.1X authentication; RADIUS configuration

Apply fine-grained business rules to network traffic flows
Enforce network access by user, device, role, status, location, time
Applied pervasively, end-to-end, wired and wireless
Improve security at the network access level
Centrally Managed
No manual configurations per element
No scripts required
VLAN and SSID Independent


Policy = Ethernet like a Mux

COS Capabilities: 802.1D Priority Marking, IP ToS Overwrite, Inbound Rate Limiting, Rate Shaping

COS is integrated with existing EXOS QOS leveraging much of the existing infrastructure.

Notice in the example that the Student role is associated with the same services as the Faculty role, in addition to the Deny Faculty Server Farm service. Therefore, while an end system assigned the Student policy role will be denied access to TFTP, Telnet, SNMP, DHCP Reply, RIP, OSPF, AppleTalk, DECnet, and IPX by the Administrative Protocols, Acceptable Use, and Legacy Protocols services, any traffic destined to the IP address range used by the faculty's server farm will also be discarded at ingress to the network, as defined by the Deny Faculty Server Farm service.
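The Faculty and Student roles described in the two passages above, modelled as an added example (not the slides' own code and not Policy Manager's implementation): roles hold services, services hold classification rules that are matched first-hit on L2 through L4 fields, and the role bound to the ingress port decides. The service names and deny lists come from the text; the server-farm prefix 10.10.50.0/24, the port-to-role bindings and the standard protocol ports are constructed assumptions.

```python
# Added example: Roles -> Services -> Rules, evaluated per ingress port.
# Service names and deny lists follow the slide text; the server-farm prefix
# 10.10.50.0/24 and the port/role bindings are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a classification rule can look at (L2 through L4)."""
    ethertype: str                    # "IPv4", "IPX", "AppleTalk", "DECnet"
    proto: Optional[str] = None       # "tcp", "udp", "ospf" for IPv4 packets
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """One classification rule: every field that is set must match."""
    name: str
    action: str                       # "deny", "allow" or "rate-limit"
    ethertype: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_net: Optional[str] = None     # CIDR prefix for L3 destination matches

    def matches(self, pkt: Packet) -> bool:
        if self.ethertype is not None and pkt.ethertype != self.ethertype:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.dst_net is not None:
            if pkt.dst_ip is None or ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
                return False
        return True


@dataclass(frozen=True)
class Service:
    """A Policy Manager container for a group of similar rules."""
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Role:
    """A business-level grouping: the services applied to a port, plus a default."""
    name: str
    services: Tuple[Service, ...]
    default_action: str = "allow"     # "all other traffic will be allowed"

    def classify(self, pkt: Packet) -> Tuple[str, str]:
        """First matching rule wins; otherwise the role default applies."""
        for svc in self.services:
            for rule in svc.rules:
                if rule.matches(pkt):
                    return rule.action, f"{svc.name}/{rule.name}"
        return self.default_action, "role default"


# Services as described in the text (ports are the standard IANA assignments).
ADMIN_PROTOCOLS = Service("Administrative Protocols", (
    Rule("TFTP", "deny", ethertype="IPv4", proto="udp", dst_port=69),
    Rule("Telnet", "deny", ethertype="IPv4", proto="tcp", dst_port=23),
    Rule("SNMP", "deny", ethertype="IPv4", proto="udp", dst_port=161),
))
ACCEPTABLE_USE = Service("Acceptable Use", (
    # A DHCP reply arriving from a user port means a rogue DHCP server: drop it.
    Rule("DHCP Reply", "deny", ethertype="IPv4", proto="udp", src_port=67),
    Rule("RIP", "deny", ethertype="IPv4", proto="udp", dst_port=520),
    Rule("OSPF", "deny", ethertype="IPv4", proto="ospf"),
))
LEGACY_PROTOCOLS = Service("Legacy Protocols", (
    Rule("AppleTalk", "deny", ethertype="AppleTalk"),
    Rule("DECnet", "deny", ethertype="DECnet"),
    Rule("IPX", "deny", ethertype="IPX"),
))
DENY_FACULTY_SERVER_FARM = Service("Deny Faculty Server Farm", (
    Rule("Server farm range", "deny", ethertype="IPv4", dst_net="10.10.50.0/24"),  # constructed
))

FACULTY = Role("Faculty", (ADMIN_PROTOCOLS, ACCEPTABLE_USE, LEGACY_PROTOCOLS))
STUDENT = Role("Student", FACULTY.services + (DENY_FACULTY_SERVER_FARM,))

# Role bound to each switch port (static here; NAC would assign it dynamically).
PORT_ROLES: Dict[str, Role] = {"1:1": FACULTY, "1:2": STUDENT}


def classify_on_port(port: str, pkt: Packet) -> Tuple[str, str]:
    """Apply the role bound to the ingress port and report which rule decided."""
    return PORT_ROLES[port].classify(pkt)


if __name__ == "__main__":
    web = Packet("IPv4", "tcp", dst_port=443, dst_ip="10.10.50.20")
    for port, role in PORT_ROLES.items():
        print(port, role.name, classify_on_port(port, web))
```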

One of the fundamental precepts of policy is that at the time a customer configures a feature, we are guaranteeing the resources will be available in hardware and software to implement that feature. Policy is a feature that requires guaranteed availability and deterministic behavior. When a device supporting policy is acting as a stand-alone or is stacked with devices with identical capacities, it is straightforward to deploy Policy. This is true whether the deployment utilizes that feature 1 second later or 1 year later.
Resources are pre-allocated and remain allocated until such time as the feature is unconfigured or otherwise disabled.
This reservation of resources allows the network to be predictable, and its behavior is deterministic.

Typically configured through NetSight. COS is used to implement Quality of Service (QOS), where QOS can be defined as a mechanism to manage available bandwidth to achieve a desired traffic forwarding treatment.

EXOS enhancements:
.1p examination expanded to untagged as well as tagged traffic; default .1p of a port is configurable for the internal priority of untagged traffic
COS/QOS can now be applied to port groups, not only per port
Meter usage is optimized using an internal meter map (1 rule for all ports with the same meter) to conserve resources, instead of a meter ACL HW resource per port


QoS Components: Application Awareness (ExtremeXOS, End to End)

Figure labels: Control Plane (signaling, classification, routing, Policy Server, Admission Control); Data Path (Traffic Conditioning, Scheduling, Shaping, Output I/F)

Priority-based Flow Control (PFC), or IEEE 802.1Qbb, allows network traffic to be controlled independently based on Class of Service. PFC allows network traffic that requires lossless throughput to be prioritized, while other traffic types that do not require, or perform better without, PFC can continue as normal. Today's networks must incorporate best-of-breed solutions at every layer of the network, regardless of which vendor you choose, allowing you to build a best-of-breed converged network. ExtremeXOS support of the IEEE 802.1ab standards-based discovery protocol provides vendor-independent device discovery as well as tight integration with VoIP infrastructure and phones, including E911 ECS location, inventory information and fine-grained PoE budgeting, and configuration of information such as VLANs and QoS tagging. LLDP not only simplifies deployment and locating of access devices, but it can also be used as a troubleshooting and firmware management tool.

IEEE 802.1 QoS follows a differentiated model with no resource reservation
3 user priority bits were introduced in 1999(??) as part of the 802.1Q tag
Provides up to 8 straight priority levels, similar to the differentiated services class selector PHB
Recently augmented (802.1ad) to support drop precedence in a number of possible ways: 7x1, 6x2, and 5x3 (five transmission classes with 3 discard levels)
Brings 802.1 QoS very close to IP differentiated services

There are two primary schools of QoS:
Reservation Mode
Requires signaling for resource reservation
Requires per-session state
Usually includes defined services
Possible to support applications with stringent requirements

L4 Networking(Automated Policy for Control)

Layer 1: Physical

Layer 2: Data Link

Layer 3: Network

Layer 4: Transport

Device Identity, User Identity, Virtual Machine Identity, Application Identity, etc.

Layer 7: Application

Beyond the Static Network: User, Device, Location and Presence Awareness. Extreme Networks moves beyond the traditional static network, enabling smart enterprises to proactively manage their business operations, maintain business continuity, and enhance user productivity and IT manageability, while applying on-demand network performance for business-critical applications.

Wide Key ACLs - This feature allows a 362-bit double-wide match key to be used with match conditions instead of the standard 181-bit single key. A wide match key allows you to add more match conditions to an ACL. It also allows matching on a full destination and source IPv6 address. The platforms that support this feature can operate either in wide mode or in the current single mode. An individual switch or module cannot be configured to operate in a mixed wide and single mode.

As an example of precedence among interface types, suppose a physical port 1:2 is a member port of the VLAN yellow. ACLs could be configured on the port, either singly or as part of a port list, on the VLAN yellow, and on all ports in the switch (the wildcard ACL). For all packets crossing this port, the port-based ACL has highest precedence, followed by the VLAN-based ACL and then the wildcard ACL.

Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You specify the name of the dynamic ACL rule, the match conditions, and the actions and action modifiers. You can configure a dynamic ACL to be permanent or non-permanent. Permanent dynamic ACLs are stored in the running configuration and need to be saved to be persistent across system reboots. Non-permanent ACLs are just programmed into the hardware directly and are not added to the running configuration; they are therefore not listed by the show configuration command. User-created access-list names are not case sensitive. The match conditions, actions, and action modifiers are the same as those available for ACL policy files. In contrast to ACL policy file entries, dynamic ACLs are created directly in the CLI. More than one dynamic ACL can be applied to an interface, and the precedence among the dynamic ACLs can be configured when adding the dynamic ACL via the CLI. By default, the priority among dynamic ACLs is established by the order in which they are configured. Dynamic ACLs have a higher precedence than ACLs applied using a policy file.


Transparent Authentication

Figure labels: Intranet, Mail Servers, CRM; Active Directory Server, RADIUS Server, LDAP Server

1. User logs into the Active Directory domain with user name and password
2. ExtremeXOS network snoops the Kerberos login by capturing the user name
3. Active Directory validates and approves user credentials and responds to host
4. ExtremeXOS grants network access based on AD server response

Identity table example:
Username | IP | MAC | Computer Name | VLAN / Location / Switch Port #
John_Smith | 10.1.1.101 | 00:00:00:00:01 | Laptop_101 | 1124


What is Universal Port? This feature was originally created to provide automated provisioning for IP telephones. With the ability to recognize phones from Avaya, Shoretel, Nortel, Cisco and Mitel, the module supports 65 percent of the IP handset market. Critical network parameters related to access control, network topology, power and bandwidth allocation, and Quality of Service (QoS) can be consistently configured on an event-driven basis, helping to reduce configuration errors and save time when installing or moving networked devices. In addition, the module can also configure the handsets themselves if they support the IEEE standard Link Layer Discovery Protocol (LLDP). The result is one of the industry's most comprehensive automated solutions, solving tough handset deployment challenges. However, the feature continues to evolve and has been expanded to provide similar functionality for many different types of network endpoints.

Simply put, Universal Port virtually eliminates the need for manual switch configuration as devices are added or moved within the network. This also improves security at the edge of the network by restricting access for unknown or unauthorized devices. A single policy can be defined and tested before rolling it out enterprise-wide. Further, Extreme Networks' Universal Port supports multiple device policies on a single port. For example, an Avaya IP Phone and a desktop connected to the Ethernet port on the phone will each receive their own port policies, independent of one another. Extreme is also trying to build a community similar to the open-source model, where organizations develop their own profiles and share them. Extreme will, from time to time, test and redistribute some or all of the user-submitted policies under a royalty-free license. Building a community is a difficult task, and Extreme must develop the tools (like a wiki) around which a community can develop and grow.

ExtremeXOS support of the IEEE 802.1ab standards-based discovery protocol (LLDP) is tightly integrated with IEEE 802.1X authentication at edge ports.

Role-based Access Control

Role            | Internet | Intranet | Mail | CRM/Database | VLAN
Unauthenticated | Yes      | No       | No   | No           | Default
Contractor      | Yes      | Yes      | No   | No           | Default
Employee        | Yes      | Yes      | Yes  | Yes          | Default

Figure labels: Internet, Intranet, Mail Servers, Data Center; Active Directory Server, RADIUS Server, LDAP Server

Role Derivation: Users are assigned to a role based on their attributes (e.g. job function, location, etc.). Roles contain dynamic policies that control access to network resources regardless of location.

Who is John? LDAP response matches Department = Employee. User: John, Role: Employee, Resource Access = Permit All
Who is Alice? LDAP response matches Company = IBM. User: Alice, Role: Contractor, Resource Access = Deny Mail and CRM
No authentication detected = Unauthenticated role. User: Bob, Role: Unauthenticated, Resource Access = Internet Only
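The three derivations above, as an added example that is not part of the slides: an ordered set of attribute tests maps a directory lookup to a role, and the role is then checked against the Role-based Access Control table on this slide. The directory contents, the tie-breaking order of the tests, and the extra user Carol (who matches both tests) are constructed assumptions used to show rule precedence.

```python
# Added example: role derivation from directory attributes, then the access table.
# Attribute tests (Department = Employee, Company = IBM), the three users and the
# per-role access rows are the slide's; the directory contents are constructed.
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Attributes = Dict[str, str]

# Constructed stand-in for the LDAP directory: username -> attributes.
DIRECTORY: Dict[str, Attributes] = {
    "John": {"Department": "Employee", "Company": "Example Corp"},
    "Alice": {"Department": "Engineering", "Company": "IBM"},
    # Carol matches both tests; she exists only to show that rule order matters.
    "Carol": {"Department": "Employee", "Company": "IBM"},
}

# Access table from the slide: role -> resources the role may reach.
ALL_RESOURCES = ("Internet", "Intranet", "Mail", "CRM/Database")
ROLE_ACCESS: Dict[str, FrozenSet[str]] = {
    "Unauthenticated": frozenset({"Internet"}),
    "Contractor": frozenset({"Internet", "Intranet"}),
    "Employee": frozenset(ALL_RESOURCES),
}

# Derivation rules are evaluated in order and the first match wins, so the more
# restrictive Contractor test is listed before the broader Employee test.
DERIVATION_RULES: List[Tuple[str, Callable[[Attributes], bool]]] = [
    ("Contractor", lambda a: a.get("Company") == "IBM"),
    ("Employee", lambda a: a.get("Department") == "Employee"),
]


def lookup(username: Optional[str]) -> Optional[Attributes]:
    """'Who is X?': the LDAP response, or None when no login was detected."""
    if username is None:
        return None
    return DIRECTORY.get(username)


def derive_role(username: Optional[str]) -> str:
    """Map a (possibly absent) identity to a role; unknown identities get least privilege."""
    attrs = lookup(username)
    if attrs is None:
        return "Unauthenticated"
    for role, test in DERIVATION_RULES:
        if test(attrs):
            return role
    return "Unauthenticated"   # authenticated but matched no rule: treat as unknown


def authorize(role: str, resource: str) -> str:
    """Look the role up in the access table; anything not listed is denied."""
    return "permit" if resource in ROLE_ACCESS.get(role, frozenset()) else "deny"


def access_summary(username: Optional[str]) -> Dict[str, object]:
    """Role plus the full permit/deny row; the VLAN stays Default regardless of role."""
    role = derive_role(username)
    return {
        "user": username,
        "role": role,
        "vlan": "Default",
        "access": {r: authorize(role, r) for r in ALL_RESOURCES},
    }


if __name__ == "__main__":
    for user in ("John", "Alice", None):
        print(access_summary(user))
```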

Extreme is introducing a feature called Identity Manager. This feature allows customers to track users who access their network, based on username (which can be derived from several types of NetLogin authentication). A distinctive feature that we are adding is Kerberos snooping, which is the ability to transparently identify network users based on Windows Active Directory domain login. The benefit of Kerberos snooping is that there is no interruption to the user's workflow.

To help address the changing factors in today's network, Extreme is moving beyond the L4 limits to deliver an identity-aware network. Traditional networks identify users based on IP or MAC addresses, and applications are identified based on L4 information, which is no longer accurate because L2, L3, and L4 information can be easily spoofed. Extreme's vision is to deliver an identity-aware network that helps identify users and applications independent of L2, L3, or L4 information. Doing so allows us to deliver network-based identity and access management. Once we derive the username, we can then map the username to the associated IP, MAC, VLAN, computer hostname, and port location of the user.

For example, in an Extreme Networks infrastructure, when a user logs into a Windows Active Directory domain, the Extreme switch snoops the Windows login (the Kerberos login process). A Kerberos login request, which contains the username, is sent to the Windows AD server. Extreme extracts the username, keeps it in the switch database, and maps it to the port, MAC address, IP address, and VLAN. In the CLI example shown here, the Extreme switch has identified that a user "decahedron" has logged into the network via Kerberos. We can also get additional details on the user by identifying the domain name and the hostname (the computer name) from which the user logged into the network. The network is no longer limited to IP and MAC addresses; it is now identity-aware.

Extreme is comparing the five-year TCO of a network that uses Cisco for its core and distribution wired switching and Aruba for wireless access and PoE access-point switching, for a school supporting between 4 and 5 thousand students. Aruba was chosen because it is the best-known wireless brand versus Cisco and is often considered less expensive. The Extreme wireline switches include many features not found in Cisco IOS or Nexus OS, and the Extreme wireless offering features controllers that come free with the access points.


Auto-provision users and devices that connect to the network. If a user or device connects to the network, then take IT-configurable actions on the Extreme Networks switching infrastructure: communicate with the LDAP server for the user/device profile, place the device or user into a role, dynamically create an ACL, rate-limit the device or user, blacklist or de-blacklist, and/or send out an email alert or generate a Syslog event.

Automation through power management. If time of day = 5:00 pm, then take IT-configurable actions on the Extreme Networks switching infrastructure: disable PoE power to wireless APs, hibernate chassis line cards, and/or send out an email alert or generate a Syslog event.

We looked at the details of the user authentication mechanism; now let's look at the overall picture for the Universal Port. On the left-hand side you see the preparation phase, which only happens once, when you roll out the network or define a security policy. Preparation is often performed using the NetSight Universal Port Manager to push out profiles and assign them to edge ports; however, it can also be done manually through the CLI, switch by switch. The right-hand side shows operations. The user logs onto the network; the switch passes the information up to the RADIUS server, and the RADIUS server sends down the name of the policy as well as any additional ExtremeXOS variable settings or information in the user profile. This allows the switch to move the port into the right VLAN (for example an Engineering VLAN), configure access control lists for specific servers or application types (such as enabling CVS access), or configure the port interface speed and QoS for that port.

TCO assumptions:
- Cisco operations (labor) costs from Gartner ("Debunking the Myth of the Single-Vendor Network") at 33%. Cisco's higher operations costs are due to multiple OSs and complexity, product inflexibility for MACs, limited automation, and a higher cost of labor (CCIE). Cisco requires 2 OSs for the solution: IOS and Nexus.
- SMARTnet is based on a percentage of list price, not the discounted price, so even if the product is heavily discounted the recurring maintenance costs are higher. Cisco SMARTnet was taken from an actual customer quote, with a 10% discount for a 5-year contract.
- Cisco and Extreme HW costs were taken directly from TME competitive analysis (did not include per-product pricing).
- Cisco and Extreme power calculations are based on manufacturer-stated watts and the following formula: total watts x 24 x 365 x $0.10 per kWh.
- Cisco and Extreme wired pricing assumes a 50% discount off list. Cisco and Aruba technologies both carry a premium price for the brand.
- Extreme operations: 15%, half of Cisco, as per ExtremeXOS use, flexibility, hitless operation and changes. Extreme includes FW with AP purchase.
- Extreme sparing: 15%, less than Cisco due to universal reuse of chassis modules and fixed switches.
- Cooling calculations are based on the following formula: every $1 of power requires $2 of cooling (common industry rule of thumb).
- Power costs increase 5.2% year-over-year, but may be growing.
- Sparing: 17% is the common calculation (source: Network Strategy Partners). Extreme and Aruba sparing and operations are both ~3% and 1.5% of capital, respectively.
- Extreme APs have an on-board controller included with no additional licensing. The Aruba S3500 edge switch does not currently support a controller; it is listed as a future feature and may require extra licensing. No provision has been made for Aruba controller redundancy, which may cost more for standby failover port licensing.

Slide 27, 11/13/2016. Jeff Green's Point-of-View, [email protected]

Event-based Triggers: Automation through customized scripting

[Figure: trigger type variables (device, user authentication, time based, EMS (Event Management System)) and user input values for the respective variables (value x, value y, value z) feed an Execute step that runs a script file.] If the following events are triggered and match the following values, then execute the corresponding profile script.

Static & Dynamic Profiles: a special form of command script that runs when triggered by the events mentioned above. Profiles execute commands and use variables as do the scripts described in Using CLI Scripting. The primary difference is that a profile can be executed manually or automatically in response to switch events.

A visual representation of the policy architecture with roles, services, and rules is shown in this figure for an example policy deployment in a higher-education environment. In this example, four roles exist: Network Administrator, Faculty, Student, and Guest, where each role defines a distinct set of network resources that are allocated to end systems when the role is assigned to a port. As shown in the figure, the Faculty role is associated with the Administrative Protocols, Acceptable Use, and Legacy Protocols services.

Each of these services contains a set of classification rules, each of which implements multilayer traffic classification logic at the port level to define a set of network resources. Therefore, when the Faculty role is assigned to a port, all traffic received on that port is handled by the classification rules defined in the Administrative Protocols, Acceptable Use, and Legacy Protocols services. So an end system assigned the Faculty role will have any TFTP, Telnet, and SNMP traffic it generates discarded at the port of connection, as defined by the Administrative Protocols service, as well as DHCP Reply, RIP, OSPF, Apple, DECnet, and IPX, as defined by the Acceptable Use and Legacy Protocols services. All other traffic is allowed on the network.

Notice in the example that the Student role is associated with the same services as the Faculty role, plus the Deny Faculty Server Farm service. Therefore, while an end system assigned the Student policy role is denied TFTP, Telnet, SNMP, DHCP Reply, RIP, OSPF, Apple, DECnet, and IPX by the Administrative Protocols, Acceptable Use, and Legacy Protocols services, any traffic destined to the IP address range used by the faculty's server farm is also discarded at ingress to the network, as defined by the Deny Faculty Server Farm service.
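The role derivation on the Role-based Access Control slide and the roles/services/rules example above can be exercised with a small evaluator. This is an added example written for this page, not Extreme policy code; the derivation rules, the faculty server-farm prefix and the ethertype labels are constructed, and the port numbers are the standard ones for each protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Role derivation as on the slide: first matching directory attribute wins, and a
# user with no authentication detected falls into the Unauthenticated role.
DERIVATION_RULES = [
    ({"department": "Employee"}, "Employee"),
    ({"company": "IBM"}, "Contractor"),
]

def derive_role(ldap_attrs):
    """Map a user's LDAP attributes (None = no authentication detected) to a role."""
    if ldap_attrs is None:
        return "Unauthenticated"
    for wanted, role in DERIVATION_RULES:
        if all(ldap_attrs.get(k) == v for k, v in wanted.items()):
            return role
    return "Unauthenticated"

@dataclass
class Rule:
    """One multilayer classification rule; a field left as None matches anything."""
    action: str
    proto: Optional[str] = None         # "udp", "tcp", "ospf"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    ethertype: Optional[str] = None     # non-IP frames: "appletalk", "decnet", "ipx"

    def matches(self, pkt):
        if self.dst_net is not None and ("dst_ip" not in pkt or
                ipaddress.ip_address(pkt["dst_ip"]) not in self.dst_net):
            return False
        checks = (("proto", self.proto), ("src_port", self.src_port),
                  ("dst_port", self.dst_port), ("ethertype", self.ethertype))
        return all(pkt.get(f) == w for f, w in checks if w is not None)

# Services from the higher-education example; port numbers are the IANA-assigned ones.
SERVICES = {
    "Administrative Protocols": [Rule("discard", "udp", dst_port=69),    # TFTP
                                 Rule("discard", "tcp", dst_port=23),    # Telnet
                                 Rule("discard", "udp", dst_port=161)],  # SNMP
    "Acceptable Use": [Rule("discard", "udp", src_port=67),   # DHCP reply (server port)
                       Rule("discard", "udp", dst_port=520),  # RIP
                       Rule("discard", "ospf")],
    "Legacy Protocols": [Rule("discard", ethertype="appletalk"),   # "Apple" on the slide
                         Rule("discard", ethertype="decnet"),
                         Rule("discard", ethertype="ipx")],
    # The slide names no addresses; this faculty server-farm prefix is constructed.
    "Deny Faculty Server Farm": [Rule("discard", dst_net=ipaddress.ip_network("10.50.0.0/24"))],
}

ROLES = {
    "Faculty": ["Administrative Protocols", "Acceptable Use", "Legacy Protocols"],
    "Student": ["Administrative Protocols", "Acceptable Use", "Legacy Protocols",
                "Deny Faculty Server Farm"],
}

def classify(role, pkt):
    """Apply the role's services in order to one ingress packet; default is permit."""
    for service in ROLES.get(role, []):
        for rule in SERVICES[service]:
            if rule.matches(pkt):
                return rule.action, service
    return "permit", None
```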


Time-of-Day Profiles

Timer-triggered applications: disable guest VLAN access; shut down wireless service in closed buildings; timed backup of configurations, policies, ...; timed check on statistics.

Events that Trigger Profiles

Trigger               Condition
Device-Detect         Specific device detected by the system
Device-Undetect       Specific device is no longer present or a timeout has occurred. Port properties return to a known state.
User-Authenticated    Specified user authenticated
User-Unauthenticated  Specified authenticated user has been unauthenticated. Port properties return to a known state.
Timer-AT              Timer scheduled to occur AT a specified time has occurred
Timer-AFTER           Timer scheduled to occur AFTER an event or specified interval has occurred. Can be a one-time occurrence or can be recurring.
User-Request          Profile was triggered remotely by the administrator through the CLI

So far we have discussed dynamic device profiles using an authenticated device discovery mechanism, and user-based dynamic profiles using an authentication mechanism, network login. Time is the third mechanism used to trigger the Universal Port.

Timers allow us to implement Time-of-Day profiles, which can have various applications. For example, you could disable guest VLAN access after business hours, or shut down wireless service at a given time of day or over the weekend, or just connect a port to a networked alphanumeric panel to display the text "Wireless access points being powered down" some time before the actual shutdown.

Time-of-Day profiles are flexible and are not limited to dynamic profile CLI commands. They can use any command in the ExtremeXOS command line interface, as long as it is understood that the change is permanent. This implementation allows you to perform a timed backup of configurations, of policies, or of statistics; anything that needs to happen on a regular basis or at a specific time can be incorporated. On the right side of the slide you see a simple example of how to do a periodic configuration upload, once an hour. To execute it, you create a profile that includes a CLI command, shown as an upload command to a specific address with a file name. You attach this profile to a timer using the command create upm timer, then activate the profile by configuring the timer values.

Let's summarize the trigger events that work with the Universal Port. For devices, we have Device-Detect and Device-Undetect, triggered by an LLDP packet when it shows up at the port, and by periodically transmitted LLDP packets that are no longer received. An LLDP timeout typically means a device has disappeared or stopped responding, i.e., it is not operational at the moment. The next set of trigger events is User-Authenticated and User-Unauthenticated. These events are triggered by any Network Login mechanism: a successful login triggers the User-Authenticated event, and either an explicit logout or a session timing out triggers the User-Unauthenticated event. Timer-AT and Timer-AFTER can be set to a specific time of day or to a periodic event, for example one time after 15 minutes, or at 1-hour intervals. The User-Request trigger is manual, requested by a user: CLI commands allow a user to trigger a static or a dynamic profile manually. For a dynamic profile, the information for the particular event must be supplied; a device profile triggered manually is given the information normally provided via LLDP. Starting with ExtremeXOS 12.0, this capability is also available via XML and is used by the NetSight Universal Port Manager when activating a profile from the NetSight GUI. For more information about this XML capability, refer to the XML training presentation.
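The trigger events and the hourly configuration upload described above, as an added simulator that is not ExtremeXOS code: profiles bind to an event name, LLDP silence past a TTL raises Device-Undetect, and a recurring timer plays the role of "create upm timer" with its values. The TTL, profile names, port names and upload address are constructed.

```python
from dataclasses import dataclass

# Trigger events a Universal Port profile can be attached to (from the slide).
EVENTS = {"device-detect", "device-undetect", "user-authenticated",
          "user-unauthenticated", "timer-at", "timer-after", "user-request"}

@dataclass
class Profile:
    name: str
    trigger: str      # one of EVENTS
    match: dict       # variable values the event must carry; empty matches any event
    commands: list    # CLI lines with $VARIABLE placeholders, substituted at run time

def render(command, variables):
    """Substitute $PORT, $DEVICE, ... with the values the triggering event supplied."""
    for key, value in variables.items():
        command = command.replace("$" + key.upper(), str(value))
    return command

class UniversalPort:
    """Constructed simulator of event-triggered profile execution (not EXOS code)."""
    LLDP_TTL = 120    # seconds of LLDP silence after which a device is 'undetected'

    def __init__(self):
        self.profiles = []
        self.neighbors = {}     # port -> [device, seconds since last LLDP frame]
        self.timers = []        # [profile name, fire-at clock, repeat interval or None]
        self.clock = 0
        self.executed = []      # (profile name, rendered CLI commands), in order

    def bind(self, profile):
        if profile.trigger not in EVENTS:
            raise ValueError("unknown trigger: " + profile.trigger)
        self.profiles.append(profile)

    def _run(self, profile, variables):
        self.executed.append((profile.name, [render(c, variables) for c in profile.commands]))
        return profile.name

    def fire(self, event, variables):
        """Run every bound profile whose trigger and match variables fit this event."""
        return [self._run(p, variables) for p in self.profiles
                if p.trigger == event
                and all(variables.get(k) == v for k, v in p.match.items())]

    def lldp_frame(self, port, device):
        """An LLDP frame on a port with no known neighbor raises device-detect."""
        known = port in self.neighbors
        self.neighbors[port] = [device, 0]
        return [] if known else self.fire("device-detect", {"port": port, "device": device})

    def create_timer(self, profile_name, after, repeat=False):
        """Like 'create upm timer' plus its values: fire AFTER 'after' seconds, optionally recurring."""
        self.timers.append([profile_name, self.clock + after, after if repeat else None])

    def advance(self, seconds):
        """Move the clock one second at a time: expire silent LLDP neighbors, fire due timers."""
        ran = []
        for _ in range(seconds):
            self.clock += 1
            for port, entry in list(self.neighbors.items()):
                entry[1] += 1
                if entry[1] >= self.LLDP_TTL:
                    del self.neighbors[port]
                    ran += self.fire("device-undetect", {"port": port, "device": entry[0]})
            for timer in list(self.timers):
                if timer[1] == self.clock:
                    for p in self.profiles:
                        if p.name == timer[0]:
                            ran.append(self._run(p, {"clock": self.clock}))
                    if timer[2] is None:
                        self.timers.remove(timer)
                    else:
                        timer[1] += timer[2]
        return ran
```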


Automation through customized scripting

Python v2.7.3: built-in Python shell. There are many open-source .py scripts already available in the public domain which, with small tweaks, can be ported to EXOS.

EXOS Python modules:
- CLI: supports an expect-like interactive mode to interface with the EXOS CLI
- Sockets: raw (EXPKT), IP
- Logs: EMS trace buffers
- Process management: EPM
- Session management: AAA

Two ways to run Python:
- Run-to-completion CLI scripts (EXOS 15.6.1): on demand or event triggered (e.g. run script woL.py, via UPM)
- Native application (EXOS 15.7.1): start modes on-demand and persistent; EPM managed (ability to start, stop, restart, show, etc. Python apps)


Role Based Policy Platform Limits

Feature                       X450-G2               X460-G2               X670-G2              X770
Policy Profiles               63                    63                    63                   63
Rules per Role (Profile)      Up to 928             Up to 928             Up to 928            Up to 928
Authenticated Users / Switch  1024                  1024                  512                  512
Authenticated Users / Port    Unlimited up to 1024  Unlimited up to 1024  Unlimited up to 512  Unlimited up to 512
Unique Permit/Deny Rules      928                   928                   928                  928
MAC Rules                     256                   256                   256                  256
IPv6 Rules                    256                   256                   256                  256
IPv4 Rules                    256                   256                   256                  256
L2 Rules                      184                   184                   184                  184
Rate Limiting                 CoS MIB*              CoS MIB*              CoS MIB*             CoS MIB*

[Figure: multiple user authentication (MUA) logic with 802.1X, web and MAC agents. Chris authenticates on the same port with 802.1X credentials (authentication method 802.1X, Filter-ID: Policy X) and with MAC credentials (authentication method MAC, Filter-ID: Policy Y). Policy Profile Y: Chris, MAC = A:A; dynamic admin rule for Policy Y (SMAC = A:A).]

Multiple authentication agents on the same port: 802.1X, EXOS web authentication, MAC authentication. Multiple policy profiles per port: each policy profile is assigned to a subset of the traffic; policy is applied to ingress traffic based on the user that sourced it; users/devices may be using different authentication methods.

In addition to the previous authentication methods, Multiple Authentication Method (Multi-Auth) as well as Multiple User Authentication (Multi-User) per port are supported, with the ability to handle up to three distinct authentication methods. The authentication method with the highest precedence will be applied. Goal: allow secure, multiple-user access on a single physical interface.

Authentication logic is not constrained by strict adherence to port-based access control. Users are identified by source MAC, and policy has a global scope on the device, not tied to a specific port on the device.

Authentication is the ability to acquire and verify the appropriate credentials of a user or device (supplicant) attempting to gain access to the network. Policy user/device authentication is integrated with EXOS NetLogin. The following methods can be used for user/device authentication in version 16.1: NetLogin authenticates (802.1X, MAC, web auth) and only then hands over to Policy for actions. Rule capacity is effectively doubled when using CoS.

Listed capacities are permit/deny rules (the same capacity is supported for CoS rules); e.g. 256 MAC permit/deny rules AND 256 MAC CoS rules are supported. B5 authenticated users per switch: 4 x number of ports = 192. C5 authenticated users per switch: 8 x number of ports = 384.
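An added model of the multi-auth behaviour described above (not EXOS code): each source MAC may authenticate by several methods, the highest-precedence result selects the policy profile, and a dynamic admin rule keyed on the SMAC is derived from it. The precedence order is an assumption of the example, and the 1024-user default is taken from the platform table above.

```python
# Assumed precedence order, highest first; on EXOS the administrator configures it,
# so this ordering is an assumption of the example, not a documented default.
DEFAULT_PRECEDENCE = ("802.1x", "web", "mac")

class MultiUserAuth:
    """Constructed model of multi-auth / multi-user NetLogin on one switch: users are
    keyed by source MAC, each MAC may hold results from up to three methods, and the
    policy profile of the highest-precedence successful method is the one enforced."""

    def __init__(self, precedence=DEFAULT_PRECEDENCE, max_users=1024):
        if not 1 <= len(precedence) <= 3:
            raise ValueError("between one and three authentication methods")
        self.precedence = precedence
        self.max_users = max_users      # switch-wide limit, e.g. 1024 on X450-G2/X460-G2
        self.sessions = {}              # smac -> {method: (user, policy profile)}

    def authenticate(self, smac, method, user, profile):
        """Record a successful NetLogin result; return the profile now in force."""
        if method not in self.precedence:
            raise ValueError("method not enabled on this port: " + method)
        if smac not in self.sessions and len(self.sessions) >= self.max_users:
            raise RuntimeError("authenticated-user capacity reached")
        self.sessions.setdefault(smac, {})[method] = (user, profile)
        return self.effective(smac)

    def logout(self, smac, method):
        """Drop one method's result (explicit logout or session timeout)."""
        results = self.sessions.get(smac, {})
        results.pop(method, None)
        if not results:
            self.sessions.pop(smac, None)
        return self.effective(smac)

    def effective(self, smac):
        """Profile of the highest-precedence method that authenticated this MAC."""
        results = self.sessions.get(smac, {})
        for method in self.precedence:
            if method in results:
                return results[method][1]
        return None

    def dynamic_admin_rules(self):
        """Rules the switch installs: ingress traffic with this SMAC gets this profile.
        Keyed on MAC, so they apply wherever on the device the MAC shows up."""
        return sorted((smac, self.effective(smac)) for smac in self.sessions)
```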


Ideal Model; Authentication and Authorization

Intuitively, we want the protocol to behave as if a trusted third party collected the parties' inputs and computed the desired functionality. Computation in the ideal model is secure by definition!

Given a statement s, authentication answers the question "who said s?" Given an object o, authorization answers the question "who is trusted to access o?" "Who" refers to a principal. Principal = abstraction of "who". Secrecy. Integrity.

[Figure: parties A and B hold inputs x1 and x2; each hands its input to the trusted party, which returns f1(x1,x2) to A and f2(x1,x2) to B. Goldreich-Micali-Wigderson 1987]

A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a trusted party, who locally computes the desired outputs and hands them back to the parties. Principal and subject are both used to denote the active entity in an access operation. Scenario: a user on a client workstation needs to authenticate to a file server. The user is a principal; the user is authorized on the file server to perform certain operations on certain file objects.

Strawman model: install the user's public key on the file server; the user holds the private key on the client workstation while logged in; the user signs each RPC sent to the file server using his private key.

Authentication: Who sent a message? Authorization: Who is trusted? A principal is the abstraction of "who":
People      Lampson, Gray
Machines    SN12672948, Jumbo
Services    microsoft.com, Exchange
Groups      UTCS, MS-Employees
Principals say statements: Lampson says read /MSR/Lampson/foo; Microsoft-CA says Lampson's key is #7438. A secure channel says messages (RPCs); it has known possible receivers and known possible senders.


Wireless Threat Landscape: Why Are Wireless LANs Prone to Attack?

Open air: no physical barriers to intrusion, silent attacks. Standard 802.11 protocol, well documented and understood; the most common attacks against WLAN networks are targeted at management frames. Unlicensed: easy access to inexpensive technology. Wireless access outside of physical/wired boundaries; physical security.

[Figure: bad actor and target. Tools of the trade: NetStumbler, Kismet, AirSnort, WEPCrack.]

With ExtremeXOS scripting we have much more advanced capabilities: script variables let us abstract settings, the if-then-else construct allows differentiation based on the current situation, and for-loops allow automation instead of replication. In other words, static profiles provide the ability to create common templates to deploy on demand. Because configuration changes made from static profiles are saved in the configuration file, the changes are permanent and remain after a reboot. Static is sometimes referred to as CLI Persistent Mode. Although static profiles are typically port profiles, they can also be used for system settings. Any CLI command can be used, integrating ExtremeXOS scripting into the Universal Port CLI. Static profiles can be used to implement scripts that simplify complex configuration tasks; for example, they can configure features such as network login, LLDP, a local user database for network login as a fallback, or even EAPS. Static profiles can even be used to do file uploads.

Why Are We Insecure?
- Of these, 87 are memory corruption vulnerabilities; 73 are in applications providing remote services: 13 in HTTP servers, 7 in database services, 6 in remote login services, 4 in mail services, 3 in FTP services.
- Most exploits involve illegitimate control transfers: jumps to injected attack code, return-to-libc, etc. Therefore, most defenses focus on control-flow security.

Memory Exploits
- A buffer is a data storage area inside computer memory (stack or heap), intended to hold a pre-defined amount of data. If executable code is supplied as data, the victim's machine may be fooled into executing it; the code will self-propagate or give the attacker control over the machine.
- An attack can exploit any memory operation: pointer assignment, format strings, memory allocation and de-allocation, function pointers, calls to library routines via offset tables. Attacks need not involve injected code!


IP spoofing

[Figure: impersonation. A (10.10.10.1) is the Friend of Target B (134.117.1.60); the bad actor sends an IP-spoofed packet with dst: Target and src: Friend, and the Target reasons "It must be OK, my friend sent it. Yum Yum". Two packet headers are shown, the second labelled spoofed:
  src_IP 10.10.10.1   dst_IP 134.117.1.60   src_port any (>1024)   dst_port 80
  src_IP 11.11.11.1   dst_IP 134.117.1.60   src_port any (>1024)   dst_port 80]

Bad actor: eavesdropping, packet sniffing, illegal copying. Better not to trust any individual router: one can assume that some fraction of routers is good, but not know which.

Privacy on Public Networks

Anonymity = the person is not identifiable within a set of subjects. You cannot be anonymous by yourself!

Big difference between anonymity and confidentiality: hide your activities among others' similar activities. Unlinkability of action and identity: for example, the sender and his email are no more related after the adversary's observations than they were before. Observability (hard to achieve): the adversary can't even tell whether someone is using a particular system and/or protocol.

Passive traffic analysis: infer from network traffic who is talking to whom. Active traffic analysis: inject packets or put a timing signature on the packet flow.

Compromise of network nodes: the attacker may compromise some routers; it is not obvious which nodes have been compromised; the attacker may be passively logging traffic.


Session hijacking

[Figure, three panels: (Target) Server a and User b hold an authorized connection. (Intercept) the bad actor sends a reset using Server a's address; User b drops the connection. (Exploit) the bad actor, using User b's address, sends malicious commands to Server a; User b ignores the server. Connection hi-jacked.]

The Internet is designed as a public network: Wi-Fi access points and network routers see all traffic that passes through them; routing information is public; IP packet headers identify source and destination; even a passive observer can easily figure out who is talking to whom. Encryption does not hide identities: encryption hides the payload, but not routing information; even IP-level encryption (tunnel-mode IPsec/ESP) reveals the IP addresses of the IPsec gateways.

Problem statement: an attacker may inject bogus packets to consume network resources, or insert itself into critical routes. There is no mature access control scheme, or it is more complicated due to the open medium and dynamic topology. (Comment on the slide: "You're not actually solving the problem of nodes inserting themselves into critical routes, are you? A figure here to illustrate the problem would be good.") Network model: all nodes come from one domain; a node's access to the network is controlled by a domain manager (i.e., key manager); each node has a unique ID and a set of personal secret keys. Attack model: attackers inject packets to deplete the resources of the nodes relaying the packets.

Basic idea: cryptography-oriented (using a group key). Authenticate all packets with a network-wide access control (group session) key. Any bogus packet that has incorrect authentication information will be filtered out immediately. As a result, illegitimate nodes will be excluded from communication (routes). (Comment on the slide: "And how does this solve your problem statement?")

Key synchronization, problem statement: a key update message may fail to propagate, so two legitimate users may simultaneously hold different session keys (lack of key synchronization). Solution to key synchronization: exploit the stateless feature of the proposed stateless group key distribution scheme; each user buffers the most recently received key update message and transmits the buffered message to the other users that are using old session keys.
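The group-key packet filter and the buffered key-update resynchronisation described above, as an added illustration that is not the scheme from the slides' source: keys are wrapped per node under long-term personal secrets so that any update is self-contained (the stateless property), packets carry an HMAC under the current session key, and a node that sees a peer using an old key version forwards the update it buffered. The wrapping construction and the scenario in demo() are constructed simplifications.

```python
import hashlib, hmac, os

def keystream(personal_key, version):
    """Per-node, per-version pad derived from the node's long-term personal secret."""
    return hmac.new(personal_key, b"key-update:%d" % version, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class KeyManager:
    """Domain (key) manager: holds every node's personal key, issues group session keys."""
    def __init__(self, personal_keys):
        self.personal_keys = personal_keys      # node_id -> 32-byte secret
        self.version, self.group_key = 0, None

    def rekey(self, members):
        """Stateless update: new key wrapped per member under its long-term secret,
        so applying it never depends on having seen any earlier update."""
        self.version, self.group_key = self.version + 1, os.urandom(32)
        wrapped = {n: xor(self.group_key, keystream(self.personal_keys[n], self.version))
                   for n in members}
        return {"version": self.version, "wrapped": wrapped}

class Node:
    def __init__(self, node_id, personal_key):
        self.node_id, self.personal_key = node_id, personal_key
        self.version, self.group_key = 0, None
        self.last_update = None     # buffered: most recently received key-update message

    def apply_update(self, msg):
        if msg["version"] <= self.version or self.node_id not in msg["wrapped"]:
            return False            # stale message, or this node was excluded
        self.group_key = xor(msg["wrapped"][self.node_id],
                             keystream(self.personal_key, msg["version"]))
        self.version, self.last_update = msg["version"], msg
        return True

    def tag(self, version, payload):
        return hmac.new(self.group_key, b"%d|" % version + payload, hashlib.sha256).digest()

    def send(self, payload):
        return {"src": self.node_id, "version": self.version,
                "payload": payload, "tag": self.tag(self.version, payload)}

    def receive(self, pkt, peers):
        """Filter on authentication; resynchronise a peer that still uses an old key."""
        if pkt["version"] < self.version and self.last_update is not None:
            # Peer lags: push the buffered update (per-node wrapped keys only, nothing leaks).
            peers[pkt["src"]].apply_update(self.last_update)
            return "drop-stale-key"
        if pkt["version"] != self.version or self.group_key is None:
            return "drop-unknown-key"
        if not hmac.compare_digest(self.tag(pkt["version"], pkt["payload"]), pkt["tag"]):
            return "drop-bad-auth"  # bogus packet filtered immediately
        return "accept"

def demo():
    """Constructed scenario: a bogus packet, a missed rekey, and recovery by resync."""
    personal = {n: os.urandom(32) for n in "ABC"}
    km, nodes = KeyManager(personal), {n: Node(n, k) for n, k in personal.items()}
    first = km.rekey("ABC")
    for node in nodes.values():
        node.apply_update(first)
    out = {"legit": nodes["B"].receive(nodes["A"].send(b"hello"), nodes)}
    bogus = Node("A", os.urandom(32))       # outsider spoofing A with a made-up key
    bogus.version, bogus.group_key = 1, os.urandom(32)
    out["bogus"] = nodes["B"].receive(bogus.send(b"evil"), nodes)
    second = km.rekey("ABC")                # this update reaches A and C but not B
    for n in "AC":
        nodes[n].apply_update(second)
    out["after_miss"] = nodes["B"].receive(nodes["A"].send(b"v2"), nodes)
    out["resync"] = nodes["A"].receive(nodes["B"].send(b"still v1"), nodes)
    out["b_version"] = nodes["B"].version
    out["recovered"] = nodes["B"].receive(nodes["A"].send(b"v2 again"), nodes)
    return out
```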