Solutions for LAN and WAN Protection
Allied Telesis security features safeguard networks and mitigate attacks.
The increasing number of connected devices in today’s networks has created an insatiable demand for access to information, when and where we need it. This increasing reliance on IT resources and applications has changed the way we do business. Digital security is now a key concern for network administrators, who must ensure maximum availability of the corporate network and Internet access.
There are several ways to increase the robustness of your modern network. Allied Telesis uses industry-leading switching technology to provide a comprehensive security suite, which provides a multi-layered solution to safeguard the network and combat common threats.
This document discusses three ways in which Allied Telesis switches ensure a reliable and secure network infrastructure. It also looks at some common network attacks, and how these can be mitigated using Allied Telesis equipment.
1. Secure Device Management
AMF Plus restricted-login
Allied Telesis Autonomous Management Framework™ Plus (AMF Plus) is integrated into Allied Telesis devices running the AlliedWare Plus operating system. It automates and simplifies many tasks, with powerful features like centralized management, auto-backup, auto-upgrade, auto-recovery and more, providing plug-and-play networking with zero-touch recovery.
An AMF Plus area has a master and member nodes. By default, users logged in to any node on an AMF Plus network can manage any other node by using either working sets (a group of nodes able to be managed together) or AMF Plus remote login to access another device. If the access provided by this feature is too broad or contravenes network security restrictions, it can be limited by using atmf restricted-login, which changes the access so that:
- Users who are logged into non-master nodes cannot execute any commands that involve working-sets, and
- From non-master nodes, users can use remote-login, but only to log in to a user account that is valid on the remote device (via a statically configured account or RADIUS/TACACS+). Users must also enter the password for that user account.
Once you have enabled atmf restricted-login, certain other commands that utilize the AMF Plus working-set command will operate only on the AMF Plus master, such as the atmf reboot-rolling and show atmf group members commands.
Boot Loader Security
The boot loader is effectively the BIOS of the switch. Boot loader security should be enabled to prevent unauthorized access to the boot loader, so that a password is required to reach the boot-up options. This also prevents switch passwords from being circumvented by anyone who does not know the boot loader password.
NOTE: This renders the switch unconfigurable if passwords are lost.
SSH/Telnet
When remotely logging in to monitor or manage a switch, Secure Shell (SSH) access provides confidentiality and integrity of data by encrypting management sessions, and is the recommended way to communicate with switches. Telnet and HTTP are other ways to communicate with the management interface of switches; however, these are not secure methods, and it is recommended that they be disabled.
Syslog
To provide a detailed audit trail in the event of a suspected security breach or other problem, a Syslog server should be configured so switch log messages are stored in a central repository and available for later auditing or fault-finding.
Simple Network Management Protocol (SNMP)
Network management systems often use SNMP to communicate with network switches and other devices. Using SNMPv3 provides secure access with authentication and encryption of SNMP management data. This data can then be used to check the status of any device on the network. For example, link down, edge device (camera, PC, door access controller) offline, link utilization, and uptime. Any anomalies can be shown on a network map to aid in fault-finding.
2. Securing the WAN
Site-to-Site Virtual Private Networks (VPNs)
A firewall at business branch locations manages the connection to the Internet. The firewalls grant or restrict access to any type of online service or application. A site-to-site VPN established across the Internet will connect two branch offices together, and create a safe and encrypted connection to securely transport business data.
A site-to-site VPN uses the firewall to connect the entire branch office network in one location to the network in another—often connecting branch-office users to the head-office network. End-node devices in the branch office do not need VPN clients, because the firewall handles the connection. Most site-to-site VPNs connecting over the Internet use IPsec for data encryption.
IPSec provides the following security services for traffic at Layer 3 (IP):
- Data origin authentication—identifying who sent the data
- Confidentiality (encryption)—ensuring that data has not been read in transit
- Connectionless integrity (authentication)—ensuring the data has not been altered in transit
- Replay protection—detecting packets received more than once, to help protect against Denial of Service (DoS) attacks
IPsec operation uses negotiated connections between peer devices (firewalls at each location). These connections are called Security Associations.
It is recommended that you no longer use DES, 3DES, MD5 (including the HMAC variant), or Diffie-Hellman (DH) groups 1, 2 and 5. Instead, you should use AES, SHA and DH groups 14 or higher—this is referred to as Next Generation Encryption (NGE), and is considerably more secure.
Recommended IPSec and IKE settings, as specified for certification by ICSA Labs, are:
- Encryption: AES-256
- Integrity: SHA-256
- DH group: 14 (2048 bits)
If needed, you can increase security by using SHA-512 or a higher DH group. However, be aware that a higher DH group increases tunnel establishment time, which may be an issue if your network has a large number of tunnels.
SD-WAN
Expanding Wide Area Network (WAN) connections between offices can be expensive, and network management and troubleshooting is complex and time-consuming. Software Defined WAN (SD-WAN) lets business customers use existing physical branch office firewalls, and connect via low-cost Internet connections and VPNs. Vista Manager EX incorporates an SD-WAN orchestrator to let you create fully-managed multi-site networks, integrating links and optimizing application flows to the Internet and right across the enterprise VPN infrastructure.
SD-WAN offers several advantages over traditional WAN solutions:
- You can build higher-performance WANs using lower-cost and commercially-available Internet access. This lets you partially or entirely replace more expensive private WAN connection technologies, such as MPLS.
- You can select any type of WAN connectivity to lower costs without compromising security, since all traffic is carried over encrypted VPN tunnels. Traffic can then be load-balanced across these VPN tunnels to make optimal use of available bandwidth.
- Dynamic path selection allows administrators to set performance thresholds for different applications. You can ensure that critical applications and data transfers always use the best path based on the quality (loss, latency and jitter) of the available VPN tunnels. For example, different quality settings can be configured for real-time applications such as voice and video conferencing, as opposed to data-transfer applications such as FTP.
- SD-WAN automatically uses the best VPN tunnel to send traffic based on performance metrics, meaning that the internet provider with the best/most reliable connection will be used in a resilient architecture.
3. Securing the LAN
Inter-switch connections
Allied Telesis Ethernet Protection Switched Ring (EPSRing™)
In distributed networks, switches often use fiber connections for inter-switch connectivity in a ring topology, so a method of protecting the network from loops is required. EPSRing enables high-speed ring-based networks with failover in as little as 50ms.
EPSRing sends out control packets on a control VLAN configured on the switch, and these packets are expected to make a complete loop of the ring to maintain its integrity. If the packets do not make a complete loop, the ring is deemed to be down and a fault is reported to the management platform. EPSRing will automatically send packets around the ring the other way, with near-instant failover, providing a powerful solution for service providers meeting stringent service level agreements.
AMF Plus Secure Mode
AMF Plus Secure Mode improves the security of the AMF Plus network by reducing the risk of unauthorized access. It achieves this by:
- Adding an authorization mechanism before allowing a member to join an AMF Plus network.
- Encrypting all AMF Plus packets sent between AMF Plus nodes.
- Additional logging, which enables network administrators to monitor attempts to gain unauthorized access to the AMF Plus network.
When running in Secure Mode, the controllers and masters in the AMF Plus network form a group of certification authorities. A node may only join a secure AMF network once authorized by a master or controller. When enabled, all devices in the AMF Plus network must be running in Secure Mode, and unsecured devices cannot join.
NOTE: In AMF Plus Secure Mode, the atmf restricted-login feature is automatically enabled. This restricts the atmf working-set command to users that are logged in to an AMF master. This feature can’t be disabled independently of Secure Mode.
Active Fiber Monitoring (AFM)
AFM is built into many Allied Telesis switches, and constantly monitors the amount of light being received by the switch on fiber ports. If the light level changes, the system sends an alert that the fiber may have been tampered with, and can automatically shut down the link. AFM protects against fiber eavesdropping and prevents data theft.
VLAN Tagging Ingress Filtering
VLAN Tagging (802.1Q) is a method of forwarding logically separate VLAN data across network inter-connects. It does this by adding “tags” to the data. If the port is tagged for a set of VLANs, then a tagged packet will be accepted into the port only if it is tagged with the VLAN ID of one of the tagged VLANs configured on the port—otherwise the data will be dropped. So, if a switch is removed or a rogue switch inserted, unless the inserted switch is configured with the same parameters, all data will be dropped, and alerts will be sent to the management system that the link is offline—thus protecting the network.
Link Aggregation Control Protocol (LACP)
LACP is a method of aggregating multiple physical links into one higher bandwidth virtual connection. It can be configured on all switch uplink ports, and once configured will send out control packets to check the status of all links. If the switch does not receive the correct LACP information for a given link, it will prevent any data from using that link, and use the other link aggregation members instead. An alert is sent to the management system so the faulty link can be rectified.
Edge port security
Network Access Control (NAC)
NAC allows for unprecedented control over user/device access to the network, in order to mitigate threats to network infrastructure. Using 802.1x port-based authentication in partnership with standards-compliant dynamic VLAN assignment, it is regarded as the most secure way to restrict access to the network at port level.
NAC uses a RADIUS server to authenticate any user or device connected to a port with 802.1x configured. Edge ports are locked down and require the user device to request access; the switch then relays the exchange between the device and the RADIUS server, which checks the authentication credentials. If the device is granted access, the RADIUS server issues the VLAN association for that device to the switch, ensuring the device has the correct level of network access. This prevents unwanted access, as the device must provide the server with unique certificate information as well as a username and password. Ports that are waiting to authenticate a client device using 802.1x are placed in an isolated VLAN.
Port Security
The ability to limit the number of workstations that can connect to specific ports on the switch is managed with Port Security. If these limits are breached, or access from unknown workstations is attempted, the port can do any or all of the following: drop the untrusted data, notify the network administrator, or disable the port. This means that a device cannot move from one port to another; if a device is changed it will not gain access to the network. Port security is not currently supported when used alongside 802.1x, as 802.1x locks a single MAC address (single client/workstation) to a port.
Dynamic Host Configuration Protocol (DHCP) Snooping
DHCP servers allocate IP addresses to clients, and with DHCP snooping enabled the switch keeps a record (the DHCP snooping binding database) of the addresses issued on each port. IP Source Guard checks traffic against the DHCP snooping database to ensure that only clients with a matching IP address and MAC address pair can access the network.
DHCP snooping can be combined with other features, like Dynamic ARP Inspection, to increase security in Layer 2 switched environments. Additionally, you can add static entries to this database and configure a port to accept access from a single device only, which gives edge ports the same functionality as port security with the added benefit of checking the IP address and VLAN settings. This prevents devices being moved around within the network and protects against rogue DHCP servers. It also provides a traceable user history, which meets the growing legal requirements placed on Service Providers.
VLAN Tagging Ingress Filtering
As well as managing data on inter-switch links as discussed earlier, ingress filtering protects edge ports by not allowing any VLAN tagged packets.
Secure configuration of Spanning Tree Protocol (STP)
STP is the most commonly used means of preventing loops in Layer 2 networks. There are two protection mechanisms that must be enabled to maximize robustness, as STP has no inbuilt security:
- STP Root Guard – prevents a malicious user from accessing inappropriate data on the network, by allowing the network administrator to securely enforce the topology of the spanning tree.
- BPDU guard – similarly increases the security of STP by allowing the network administrator to enforce the borders of the spanning tree, keeping the active topology predictable. BPDU Guard prevents any edge device (i.e. a camera, door access controller or PC) from being replaced with a switch by a malicious user trying to gain network access. If the edge switch sees STP packets (BPDUs) on a link with this feature enabled, the link will be shut down to prevent unwanted access.
Storm Protection
Storm Protection reduces the adverse effects of any network loop that would potentially swamp the network. There are three facets that work together to protect the network from storms:
- Loop detection – monitors traffic for the return of a loop detection probe packet. In the event of a problem, it can take a variety of actions including logging a fault, alerting the network administrator or disabling a link.
- Thrash limiting – detects a loop if certain device hardware MAC addresses are being rapidly relearned on different ports. In the event of a problem, similar actions to those of loop detection can be taken.
- Storm control – limits the rate at which a port will forward broadcast, multicast or unknown unicast packets. This controls the level of traffic that a loop may cause to be flooded in the network.
Control Plane Prioritization (CPP)
CPP prevents the switch Control Plane (which looks after network management traffic) from becoming flooded in the event of a network storm or Denial of Service (DoS) attack, ensuring critical network control traffic always reaches its destination.
Denial of Service (DoS) attack prevention
A DoS attack is an attempt to make online resources unavailable to users. There are numerous known DoS attacks that can be monitored. When detected, the options are to notify network administration, and/or shut down the affected switch port.
Access Control Lists (ACLs) and Filters
Managing traffic volume and the types of traffic allowed on the network is essential to ensure high performance, guard against unwanted traffic and provide continuous access to important data. Powerful ACLs and filtering capability provide a mechanism for network traffic control, all handled in the switch hardware, so wire-speed performance is maintained.
Shutdown
All unused edge ports should be shut down to prevent unwanted network access. Additionally, shut-down ports should be placed into an isolated VLAN so if any were unintentionally left online, they would still be isolated from any network data.
4. Common network attacks
1. MAC flooding attack
What are MAC flooding attacks?
MAC flooding attacks facilitate information stealing by making traffic that should be switched to a single port visible to the attacker. In a MAC flooding attack, a malicious host sends packets from thousands of different bogus source MAC addresses, which then fill the forwarding database. Once it is full, legitimate traffic is flooded and becomes widely accessible, as the switch has no room to learn any more specific destination addresses in the forwarding database. The malicious user has essentially turned the switch into a low-intelligence pseudo-hub, allowing them to sniff all flooded traffic, thereby stealing data and passwords.
How do Allied Telesis switches protect you?
Allied Telesis switches provide two security measures to protect your LAN from MAC flooding attacks. The first is host authentication, whereby authenticating ports only accept traffic from the MAC addresses of authenticated hosts. The second is port security, which controls how many MAC addresses can be learnt on a specific port. When a limit is breached, the switch will take one of three user-configurable actions—drop the untrusted data, notify the network administrator, or disable the port while the intrusion is investigated.
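The following is an added example, not Allied Telesis code: a small model of a switch forwarding database that shows why a full table degrades the switch to a hub, and how the per-port learned-MAC limit described in the Port Security section above stops the flood before that happens. Port names, MAC addresses, table capacity and the FIFO eviction standing in for entry aging are all constructed assumptions.

```python
# Added example (not Allied Telesis code): a model of a switch forwarding
# database (FDB) with an optional port-security limit on learned MACs.
from collections import OrderedDict

FDB_CAPACITY = 64     # constructed; real tables hold thousands of entries


class Switch:
    def __init__(self, ports, mac_limit=None, violation="shutdown"):
        self.ports = set(ports)
        self.fdb = OrderedDict()           # mac -> port learned on
        self.mac_limit = mac_limit         # port security limit, None = off
        self.violation = violation         # "drop" | "notify" | "shutdown"
        self.disabled = set()
        self.alerts = []

    def learned_on(self, port):
        return sum(1 for p in self.fdb.values() if p == port)

    def learn(self, src, port):
        """Learn src on port; False means the frame is to be discarded."""
        if src in self.fdb:
            return True
        if self.mac_limit is not None and self.learned_on(port) >= self.mac_limit:
            self.alerts.append(f"port-security violation on {port}: {src}")
            if self.violation == "shutdown":
                self.disabled.add(port)
            return False
        if len(self.fdb) >= FDB_CAPACITY:
            self.fdb.popitem(last=False)   # evict oldest (stands in for aging)
        self.fdb[src] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of ports a unicast frame is sent out of."""
        if in_port in self.disabled or not self.learn(src, in_port):
            return set()
        out = self.fdb.get(dst)
        if out is None:                    # unknown unicast: flood everywhere
            return self.ports - {in_port} - self.disabled
        return {out}


def demo(mac_limit):
    sw = Switch({"port1.0.1", "port1.0.2", "port1.0.3"}, mac_limit=mac_limit)
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # documentation MACs
    sw.forward(a, b, "port1.0.1")          # A learned on port 1
    sw.forward(b, a, "port1.0.2")          # B learned on port 2
    # Constructed burst of bogus source MACs arriving on port 3.
    for i in range(200):
        sw.forward(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", b, "port1.0.3")
    # Where does a legitimate A -> B frame go now?
    return {"a_to_b": sw.forward(a, b, "port1.0.1"),
            "alerts": len(sw.alerts), "disabled": sorted(sw.disabled)}
```

With no limit, A and B have been evicted and the A-to-B frame is flooded to every other port, including the attacker's; with a limit of two addresses per port, the third bogus address disables port 3 and the frame reaches only port 2.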
2. Address Resolution Protocol (ARP) spoofing attacks
What are ARP spoofing attacks?
An ARP spoofing attack is another form of information-stealing attack. A malicious host sends an ARP reply to a host’s ARP request for a server. The hacker falsely claims to be that server by tying their own MAC address to the IP address owned by the server. The bogus ARP message then also adds an entry into the switch ARP table. When workstation A sends a message destined for server B, the bogus ARP entry diverts that message to hacker C. This enables the hacker to steal data and passwords.
How do Allied Telesis switches protect you?
Allied Telesis switches use DHCP Snooping with ARP Security to protect your network from ARP spoofing attacks. All ARP replies from untrusted ports are checked to ensure they contain legitimate network addressing information, safeguarding the network and the business.
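The following is an added example, not Allied Telesis code, serving both the DHCP Snooping section above and this one: a DHCP snooping binding database with the two checks built on it, IP Source Guard (does this client's IP/MAC/port combination match a lease the switch saw issued?) and ARP inspection (does an ARP reply arriving on an untrusted port claim an IP that really belongs to the sending MAC on that port?). Port names, addresses and the scenario are constructed.

```python
# Added example (not Allied Telesis code): DHCP snooping bindings with
# IP Source Guard and ARP Security / Dynamic ARP Inspection checks.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks / DHCP server side
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.log = []

    def learn_dhcp_ack(self, vlan, port, mac, ip):
        """Record a lease seen in a DHCP ACK relayed to this client port."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def add_static(self, vlan, port, mac, ip):
        """Static entry, as the text describes for fixed edge devices."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def _matches(self, vlan, port, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def source_guard_ok(self, vlan, port, mac, ip):
        """IP packet from a client port: source IP/MAC must match a binding."""
        ok = self._matches(vlan, port, mac, ip)
        if not ok:
            self.log.append(f"IPSG drop vlan={vlan} port={port} {mac} {ip}")
        return ok

    def arp_reply_ok(self, vlan, port, sender_mac, sender_ip):
        """ARP reply: trusted ports pass; untrusted must match a binding."""
        if port in self.trusted:
            return True
        ok = self._matches(vlan, port, sender_mac, sender_ip)
        if not ok:
            self.log.append(f"ARP drop vlan={vlan} port={port} {sender_mac} "
                            f"claims {sender_ip}")
        return ok


def demo():
    sw = SnoopingSwitch(trusted_ports={"port1.0.24"})
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    sw.learn_dhcp_ack(10, "port1.0.1", a, "192.0.2.10")   # workstation A
    sw.add_static(10, "port1.0.24", b, "192.0.2.11")       # server B on uplink
    sw.learn_dhcp_ack(10, "port1.0.3", c, "192.0.2.12")   # host C
    return {
        "c_claims_own_ip": sw.arp_reply_ok(10, "port1.0.3", c, "192.0.2.12"),
        "c_claims_server_ip": sw.arp_reply_ok(10, "port1.0.3", c, "192.0.2.11"),
        "a_own_ip": sw.source_guard_ok(10, "port1.0.1", a, "192.0.2.10"),
        "a_spoofed_ip": sw.source_guard_ok(10, "port1.0.1", a, "192.0.2.11"),
        "log_entries": len(sw.log),
    }
```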
3. VLAN hopping attacks
What is a basic VLAN hopping attack?
A malicious user in one VLAN gains unauthorized access to another VLAN by sending tagged packets into the network with the VID of the target VLAN. By default, many switches will simply look at the tag on the packet, and pass the packet to the corresponding VLAN, even if the ingress port is not a member of that VLAN.
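The following is an added example, not Allied Telesis code, serving the two VLAN Tagging Ingress Filtering sections above and this one: it parses the 802.1Q tag from a raw Ethernet frame and applies an ingress decision. The "permissive" policy is the default behaviour just described (trust whatever tag arrives); the "filtered" policy is ingress filtering as the text describes it: tagged ports admit only their configured VIDs and edge ports refuse any tagged frame. Port names, MAC addresses and the frames are constructed.

```python
# Added example (not Allied Telesis code): 802.1Q tag parsing and
# ingress filtering, with the permissive default beside the filtered policy.
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner       # low 12 bits of TCI = VID


class Port:
    def __init__(self, name, tagged_vids=(), access_vid=None):
        self.name = name
        self.tagged_vids = set(tagged_vids)    # VLANs tagged on this port
        self.access_vid = access_vid           # VLAN for untagged frames


def ingress_vlan(port: Port, frame: bytes, policy="filtered"):
    """Return the VLAN the frame is admitted to, or None if it is dropped."""
    _, _, vid, _ = parse_frame(frame)
    if vid is None:
        return port.access_vid                 # untagged: native VLAN or drop
    if policy == "permissive":
        return vid                             # trusts the tag: VLAN hopping
    if not port.tagged_vids:
        return None                            # edge port: tagged frames refused
    return vid if vid in port.tagged_vids else None


def build_frame(vid=None, etype=0x0800):
    """Constructed frame: documentation MACs, optional tag, no payload."""
    hdr = bytes.fromhex("00005e00530b") + bytes.fromhex("00005e00530a")
    if vid is None:
        return hdr + struct.pack("!H", etype)
    return hdr + struct.pack("!HHH", TPID_8021Q, vid, etype)   # PCP/DEI = 0


def demo():
    edge = Port("port1.0.5", access_vid=10)            # PC port in VLAN 10
    trunk = Port("port1.0.25", tagged_vids={10, 20})   # inter-switch link
    hop = build_frame(vid=20)      # tagged for a VLAN the edge port is not in
    return {
        "edge_permissive": ingress_vlan(edge, hop, "permissive"),
        "edge_filtered": ingress_vlan(edge, hop),
        "edge_untagged": ingress_vlan(edge, build_frame()),
        "trunk_vid20": ingress_vlan(trunk, hop),
        "trunk_vid30": ingress_vlan(trunk, build_frame(vid=30)),
    }
```

Under the permissive policy the tagged frame from the edge port lands in VLAN 20; with ingress filtering it is dropped, while the same frame is still admitted on the trunk that carries VLAN 20.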