Solutions for LAN and WAN Protection

The increasing number of connected devices in today’s networks has created an insatiable demand for access to information, when and where we need it. This increasing reliance on IT resources and applications has changed the way we do business. Digital security is now a key concern for network administrators, who must ensure maximum availability of the corporate network and Internet access.

There are several ways to increase the robustness of your modern network. Allied Telesis uses industry-leading switching technology to provide a comprehensive security suite, which provides a multi-layered solution to safeguard the network and combat common threats.

This document discusses three ways in which Allied Telesis switches ensure a reliable and secure network infrastructure. It also looks at some common network attacks, and how these can be mitigated using Allied Telesis equipment.

1. Secure Device Management

AMF Plus restricted-login

Allied Telesis Autonomous Management Framework™ Plus (AMF Plus) is integrated into Allied Telesis devices running the AlliedWare Plus operating system. It automates and simplifies many tasks, with powerful features like centralized management, auto-backup, auto-upgrade, auto-recovery and more, providing plug-and-play networking with zero-touch recovery.

An AMF Plus area has a master and member nodes. By default, users logged in to any node on an AMF Plus network can manage any other node by using either working sets (a group of nodes able to be managed together) or AMF Plus remote login to access another device. If the access provided by this feature is too broad or contravenes network security restrictions, it can be limited by using atmf restricted-login, which changes the access so that:

1. Users who are logged into non-master nodes cannot execute any commands that involve working-sets, and
2. From non-master nodes, users can use remote-login, but only to log in to a user account that is valid on the remote device (via a statically configured account or RADIUS/ TACACS+). Users must also enter the password for that user account.

Once you have enabled atmf restricted-login, certain other commands that utilize the AMF Plus working-set command will operate only on the AMF Plus master, such as the atmf reboot-rolling and show atmf group members commands.

Boot Loader Security

The boot loader is effectively the BIOS of the switch. Boot loader security should be implemented to prevent unauthorized access to the boot loader, which will then require a password to access boot up options. This also prevents the possibility of circumventing passwords on the switch without the boot loader password.

NOTE: This renders the switch unconfigurable if passwords are lost.

SSH/Telnet

When remotely logging in to monitor or manage a switch, Secure Shell (SSH) access provides confidentiality and integrity of data by encrypting management sessions and is the recommended way to communicate with switches. Telnet and HTTP are other ways to communicate with the management interface of switches, however, these are not secure methods and it is recommended that they are disabled.

Syslog

To provide a detailed audit trail in the event of a suspected security breach or other problem, a Syslog server should be configured so switch log messages are stored in a central repository and available for later auditing or fault-finding.

Simple Network Management Protocol (SNMP)

Network management systems often use SNMP to communicate with network switches and other devices. Using SNMPv3 provides secure access with authentication and encryption of SNMP management data. This data can then be used to check the status of any device on the network. For example, link down, edge device (camera, PC, door access controller) offline, link utilization, and uptime. Any anomalies can be shown on a network map to aid in fault-finding.

2. Securing the WAN

Site-to-Site Virtual Private Networks (VPNs)

A firewall at business branch locations manages the connection to the Internet. The firewalls grant or restrict access to any type of online service or application. A site-to-site VPN established across the Internet will connect two branch offices together, and create a safe and encrypted connection to securely transport business data.

A site-to-site VPN uses the firewall to connect the entire branch office network in one location to the network in another—often connecting branch-office users to the head-office network. End-node devices in the branch office do not need VPN clients. because the firewall handles the connection. Most site-to-site VPNs connecting over the internet use IPSec for data encryption.

IPSec provides the following security services for traffic at Layer 3 (IP):

1. Data origin authentication—identifying who sent the data
2. Confidentiality (encryption)—ensuring that data has not been read in transit
3. Connectionless integrity (authentication)—ensuring the data has not been altered in transit
4. Replay protection—detecting packets received more than once, to help protect against Denial of Service (DoS) attacks

Expanding Wide Area Network (WAN) connections between offices can be expensive, and network management and troubleshooting is complex and time-consuming. Software Defined WAN (SD-WAN) lets business customers use existing physical branch office firewalls, and connect via low-cost Internet connections and VPNs. Vista Manager EX incorporates an SD-WAN orchestrator to let you create fully-managed multi-site networks, integrating links and optimizing application flows to the Internet and right across the enterprise VPN infrastructure.

SD-WAN offers several advantages over traditional WAN solutions:

1. You can build higher-performance WANs using lower-cost and commercially-available Internet access. This lets you partially or entirely replace more expensive private WAN connection technologies, such as MPLS.
2. To reduce costs and mitigate risks, you can select any type of WAN connectivity to lower costs without compromising security. Traffic can then be load-balanced across these VPN tunnels to make optimal use of available bandwidth.
3. Dynamic path selection allows administrators to set performance thresholds for different applications. You can ensure that critical applications and data transfers always use the best path based on the quality (loss, latency and jitter) of the available VPN tunnels. For example, different quality settings can be configured for real-time applications such as voice and video conferencing, as opposed to data-transfer applications such as FTP.
4. SD-WAN automatically uses the best VPN tunnel to send traffic based on performance metrics, meaning that the internet provider with the best/most reliable connection will be used in a resilient architecture.

3. Securing the LAN

Inter-switch connections

Allied Telesis Ethernet Protection Switched Ring (EPSRing™)

In distributed networks, switches often use fiber connections for inter-switch connectivity in a ring topology, so a method of protecting the network from loops is required. EPSRing enables high-speed ring-based networks with failover in as little as 50ms.

ESPRing sends out control packets on a control VLAN configured on the switch, and these packets are expected to make a complete loop of the ring to maintain its integrity. If the packets do not make a complete loop then the ring is deemed to be down, and a fault will be reported to the management platform. EPSRing will automatically send packets around the ring the other way, with near instant failover, providing a powerful solution for service providers meeting stringent service level agreements.

AMF Plus Secure Mode

AMF Plus Secure Mode improves the security of the AMF Plus network by reducing the risk of unauthorized access. It achieves this by:

1. Adding an authorization mechanism before allowing a member to join an AMF Plus network.
2. Encrypting all AMF Plus packets sent between AMF Plus nodes.
3. Additional logging, which enables network administrators to monitor attempts to gain unauthorized access to the AMF Plus network.

When running in Secure Mode, the controllers and masters in the AMF Plus network form a group of certification authorities. A node may only join a secure AMF network once authorized by a master or controller. When enabled, all devices in the AMF Plus network must be running in Secure Mode, and unsecured devices cannot join.

NOTE: In AMF Plus Secure Mode, the atmf restricted-login feature is automatically enabled. This restricts the atmf working-set command to users that are logged in to an AMF master. This feature can’t be disabled independently of Secure Mode.

Active Fiber Monitoring (AFM)

AFM is built into many Allied Telesis switches, and constantly monitors the amount of light being received by the switch on fiber ports. If the light level changes, the system sends an alert that the fiber may have been tampered with, and can automatically shut down the link. AFM protects against fiber eavesdropping and prevents data theft.

VLAN Tagging Ingress Filtering

VLAN Tagging (802.1Q) is a method of forwarding logically separate VLAN data across network inter-connects. It does this by adding “tags” to the data. If the port is tagged for a set of VLANs, then a tagged packet will be accepted into the port only if it is tagged with the VLAN ID of one of the tagged VLANs configured on the port—otherwise the data will be dropped. So, if a switch is removed or a rouge switch inserted, unless the inserted switch is configured with the same parameters, all data will be dropped, and alerts will be sent to the management system that the link is offline—thus protecting the network.

Link Aggregation Control Protocol (LACP)

LACP is a method of aggregating multiple physical links into one higher bandwidth virtual connection. It can be configured on all switch uplink ports, and once configured will send out control packets to check the status of all links. If the switch does not receive the correct LACP information for a given link, it will prevent any data from using that link, and use the other link aggregation members instead. An alert is sent to the management system so the faulty link can be rectified.

Edge port security

Network Access Control (NAC)

NAC allows for unprecedented control over user/device access to the network, in order to mitigate threats to network infrastructure. Using 802.1x port-based authentication in partnership with standards-compliant dynamic VLAN assignment, it is regarded as the most secure way to restrict access to the network at port level.

NAC uses a RADIUS server to authenticate any user or device connected to a port with 802.1x configured. Edge ports are locked down and require the user device to ask for access, then the switch will negotiate between the device and the RADIUS server to check authentication credentials. If the device is granted access, the VLAN association for that device is issued to the switch from the RADIUS server, ensuring the device has the correct level of network access. This prevents unwanted access, as the device must provide the server with unique certificate information as well as username and password. Ports that are waiting to authenticate a client device using 802.1x are placed in an isolated VLAN.

Port Security

The ability to limit the number of workstations that can connect to specific ports on the switch is managed with Port Security. If these limits are breached, or access from unknown workstations is attempted, the port can do any or all of the following: drop the untrusted data, notify the network administrator, or disable the port. This means that a device cannot move from one port to another; if a device is changed it will not gain access to the network. Port security is not currently supported when used alongside 802.1x, as 802.1x locks a single MAC address (single client/workstation) to a port.

Dynamic Host Configuration Protocol (DHCP) Snooping

DHCP servers allocate IP addresses to clients, and the switch keeps a record of addresses issued on each port. IP Source Guard checks against the DHCP snooping database to ensure only clients with specific IP and MAC address can access the network.

DHCP snooping can be combined with other features, like Dynamic ARP Inspection, to increase security in Layer 2 switched environments. Additionally, you can add static entries to this database and configure a port to only accept access from a single device on a port, which will enable the edge ports to have the same functionality as port security with the added benefit of checking the IP address and VLAN settings. This prevents devices being moved around within the network and protects against rogue DHCP servers. It also provides a traceable user history, which meets the growing legal requirements placed on Service Providers.

VLAN Tagging Ingress Filtering

As well as managing data on inter-switch links as discussed earlier, ingress filtering protects edge ports by not allowing any VLAN tagged packets.

Secure configuration of Spanning Tree Protocol (STP)

STP is the most commonly used means of preventing loops in Layer 2 networks. There are two protection mechanisms that must be enabled to maximize robustness, as STP has no inbuilt security:

1. STP Root Guard – prevents a malicious user from accessing inappropriate data on the network, by allowing the network administrator to securely enforce the topology of the spanning tree.
2. BPDU guard – similarly increases the security of STP by allowing the network administrator to enforce the borders of the spanning tree, keeping the active topology predictable. BPDU Guard prevents any edge device (I.e. a camera, door access controller or PC) from being replaced with a switch by a malicious user trying to gain network access. If the edge switch sees STP packets on a link with this feature enabled, the link will be shut down to prevent unwanted access.

Storm Protection

Storm Protection reduces the adverse effects of any network loop that would potentially swamp the network. There are three facets that work together to protect the network from storms:

1. Loop detection – monitors traffic for the return of a loop detection probe packet. In the event of a problem, it can take a variety of actions including logging a fault, alerting the network administrator or disabling a link.
2. Thrash limiting – detects a loop if certain device hardware MAC addresses are being rapidly relearned on different ports. In the event of a problem, similar actions to those of loop detection can be taken.
3. Storm control – limits the rate at which a port will forward broadcast, multicast or unknown unicast packets. This controls the level of traffic that a loop may cause to be flooded in the network.

Control Plane Prioritization (CPP)

CPP prevents the switch Control Plane (which looks after network management traffic) from becoming flooded in the event of a network storm or Denial of Service (DoS) attack, ensuring critical network control traffic always reaches its destination.

Denial of Service (DoS) attack prevention

A DoS attack is an attempt to make online resources unavailable to users. There are numerous known DoS attacks that can be monitored. When detected, the options are to notify network administration, and/or shut down the affected switch port.

Access Control Lists (ACLs) and Filters

Managing traffic volume and the types of traffic allowed on the network is essential to ensure high performance, guard against unwanted traffic and provide continuous access to important data. Powerful ACLs and filtering capability provide a mechanism for network traffic control, all handled in the switch hardware, so wire-speed performance is maintained.

Shutdown

All unused edge ports should be shut down to prevent unwanted network access. Additionally, shut-down ports should be placed into an isolated VLAN so if any were unintentionally left online, they would still be isolated from any network data.