User Guide: AMF Security mini version 1.7.0

What is AMF Security mini




Where does AMF Security mini Fit In

AMF-SEC (AMF-SECurity) is a solution that uses SDN technology to improve the efficiency of network operation management and to enhance security.
AMF Security mini is the SDN controller at the core of the solution: it enables cooperation between our products that support AMF (Allied Telesis Management Framework) and various security-related business applications.


What is the AMF Application Proxy

The AMF Application Proxy controls traffic from edge devices connected to AMF Members (Edge Nodes): the AMF Master (Proxy Node) authenticates the devices by querying AMF Security mini (the AMF Application Proxy Whitelist).
AMF Security mini can also notify the AMF Proxy Node of a suspected node and have the Edge Nodes block the device (the AMF Application Proxy Blacklist).
Note
A Proxy Node can also be an Edge Node.
To use the AMF Application Proxy, you have to configure all of AMF Security mini, the Proxy Node and the Edge Nodes.


What does AMF Security mini Manage (the AMF Application Proxy Whitelist)

AMF Security mini can centrally control the network access from various devices by utilizing the port authentication feature on the AMF Members it manages.

The AMF Application Proxy Whitelist is an AMF-SEC (AMF-SECurity) integration feature in which AMF devices ask the whitelist server of the AMF Security mini system whether a specific device may be allowed access to the network.
If the device meets the configured conditions (location and schedule), it is allowed to join the logical network defined by a VLAN ID.
These elements (network, location and schedule) are collectively referred to as security policies.

Each MAC address interface of a device is connected, blocked, or isolated according to the security policy assigned to the device.
A device can have more than one MAC address interface.
For example, if a device has two MAC addresses, one for a wireless and one for a wired interface, either of them can access the same network as long as both the location and schedule conditions are met.


Table 1: Configurable Security Policies (the AMF Application Proxy Whitelist)

Device Information
  Device         network-capable equipment which connects to an AMF Member
  MAC Address    a MAC address of the device interface
                 (multiple items can be defined)

Security Policies
  Network        a VLAN segment (VLAN ID) to which a device is assigned.
  Location       a physical location from where a device can access the network.
    AMF Member   a switch in the location.
    Switch Port  a port on the switch from which a device can access the network.
                 (multiple items can be defined)
  Schedule       a range of time during which a device can access the network (defined by Start/End date/time).
                 (multiple items can be defined)
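To make the whitelist decision concrete, here is an added example (not the product's own code or data model) that models the Table 1 elements and answers an Edge Node's query the way the text describes: a device may have several MAC addresses, and any of them gets the device's VLAN only when both a location (AMF Member plus switch port) and a schedule match; everything else is refused. The device name, switch name and port names in the sample policy are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed model of the Table 1 policy elements; not the product's own data structures.
@dataclass(frozen=True)
class Location:
    amf_member: str          # AMF Member: a switch in the location
    switch_ports: frozenset  # Switch Ports on that switch the device may use

@dataclass(frozen=True)
class Schedule:
    start: datetime  # access allowed from start until end (inclusive)
    end: datetime

@dataclass
class DevicePolicy:
    device: str
    mac_addresses: frozenset  # one device may have several interfaces
    vlan_id: int              # Network: VLAN the device is assigned to
    locations: list = field(default_factory=list)
    schedules: list = field(default_factory=list)

def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def whitelist_lookup(policies, mac, amf_member, port, when) -> Optional[int]:
    """Answer an Edge Node's query: the VLAN ID to assign, or None to refuse access."""
    mac = normalize_mac(mac)
    for p in policies:
        if mac not in {normalize_mac(m) for m in p.mac_addresses}:
            continue
        in_location = any(loc.amf_member == amf_member and port in loc.switch_ports
                          for loc in p.locations)
        in_schedule = any(s.start <= when <= s.end for s in p.schedules)
        return p.vlan_id if in_location and in_schedule else None  # deny by default
    return None  # unknown MAC address: deny

# Constructed sample policy: one laptop with a wired and a wireless interface.
SAMPLE_POLICIES = [DevicePolicy("laptop-01", frozenset({"00:11:22:33:44:55", "00-11-22-33-44-AA"}), 10,
    [Location("sw-floor2", frozenset({"port1.0.3", "port1.0.4"}))],
    [Schedule(datetime(2021, 1, 18, 8, 0), datetime(2021, 1, 18, 18, 0))])]
def sample_decision(mac, amf_member, port, hour):
    """Query the sample policy at the given hour on the schedule's day (2021-01-18)."""
    return whitelist_lookup(SAMPLE_POLICIES, mac, amf_member, port, datetime(2021, 1, 18, hour))
```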


Blocking with the AMF Application Proxy


Notifying Proxy Node of Suspected Node Information

AMF Security mini notifies the Proxy Node of a suspected node when it receives the information from security software or hardware, or when an administrator adds an action on the Policy Settings > Add Action page. The suspected node's information is stored on AMF Security mini and can be viewed on the Policy Settings > Action List page.
Once notified, AMF Security mini does not send the information to the proxy node again.

Note
If the proxy node holding the suspected node information reboots, the information is removed from the proxy node.
Because the proxy node cannot receive the information from AMF Security mini again, it cannot relearn the suspected node automatically.
To manually tell the proxy node about the suspected node, follow the steps below.
1. Open the Policy Settings > Action List page.
2. Click the "Export to CSV" button to save a CSV file.
3. Open the System Settings > System Information page.
4. Click the "Import" button in the Authentication Data item to open the "Upload Authentication Data" page.
5. Click the "Choose File" button, select the saved CSV file, and click the "Submit" button.


AMF Actions

When AMF Security mini notifies the Proxy Node of a suspected node, it can also specify a blocking action (AMF action).
The AMF actions AMF Security mini can specify are "Quarantine", "Drop Packets", "Link-Down", "IP-Filter", "Log-Only" and "AMF Dependency".
When AMF Security mini specifies "Quarantine", "Drop Packets", "Link-Down", "IP-Filter" or "Log-Only", that action takes precedence over the one configured on the edge nodes.
When "AMF Dependency" is set, no AMF action is sent from AMF Security mini and the AMF action configured on the edge node side is executed.
Note
If AMF Security mini and the AMF Master can receive suspected node information from multiple sources (e.g. external applications), configure the same AMF action for all of the sources.
The AMF action for each application can be configured in the "Rules" section on the System Settings > Trap Monitor Settings page.
To change the AMF action for a suspected node that is already registered on the Policy Settings > Action List page, delete the existing action and recreate it.
Note
The Quarantine action cannot be used on a whitelist port; the other actions can. Even when a node is allowed by the whitelist, its traffic may still be blocked if another action matches the node.


Unblocking Suspected Nodes

To unblock a suspected node (delete the suspected node information), delete the corresponding action on the Policy Settings > Action List page. When the action is deleted, AMF Security mini tells the proxy node to delete the suspected node information.

Note
You can also unblock the suspected node by running commands on the proxy node. But in this case, the proxy node does not request AMF Security mini to delete the node information. So AMF Security mini keeps the suspected node information. If you want to delete it, manually delete the action on the Policy Settings > Action List page.
Refer to the AlliedWare Plus Product's command reference manual for the commands.


Displaying and Emailing Blocking Status of the Suspected Node

The status of a suspected node to which an edge node has applied an AMF action can be viewed on the Device > Active Device List page.
AMF Security mini regularly retrieves this information from the proxy node at 30-second intervals.
Note
To use this feature, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.4.8-1.x or later installed.

By using AMF Security mini's Email Notification Settings, you can also get email notifications of blocking.
Note
When AMF Security mini queries the proxy node and finds that the suspected node information has changed (e.g. a node moved to another switch and was blocked there again), AMF Security mini updates the information on the Device > Active Device List page and sends an email notification.


Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)

Refer to the AlliedWare Plus product's command reference manual for how to configure the Proxy Node and Edge Nodes.
Depending on the AlliedWare Plus product model you use as the Proxy Node, you may have to install the proper license on the product.

Note
To view the blocking status of suspected nodes and use email notification, please run the "atmf topology-gui enable" command on AMF Master (Proxy Node) in addition to the AMF Application Proxy's basic configurations.


Configuring AMF Security mini

To use the AMF Application Proxy on AMF Security mini, you have to configure on AMF Security mini the IP address of the AMF Master (Proxy Node) together with a level 15 (privileged) username and password for it.
  1. Open the AMF > AMF Application Proxy Settings page.

  2. Click the "Add" button.

  3. Enter an IP address of the AMF Master (Proxy Node) in "IPv4 Address".

  4. Enter a username and a password for a level 15 (privileged) user account on the AMF Master (Proxy Node).

  5. Click the "Submit" button.
Note
When you move to another page after this configuration, the login page is displayed. This is expected; the configuration has been completed successfully, so simply log in again.
When you finish this configuration, AMF Security mini starts querying the AMF Master (Proxy Node) regularly at 30-second intervals.

Refer to System Settings > Trap Monitor Settings for how to configure integration options with external applications.


Supported OpenFlow Switches

The list of OpenFlow switch models supported by AMF Security mini can be found in the release notes of AMF Security mini, the switches and the wireless access points.
These documents are available on our website.
https://www.alliedtelesis.com

Application Integration Solutions

AMF Security mini can be used together with other applications, such as threat detection, device management and HR management, to further improve network administration efficiency and security.

The latest information on the services and applications that can be integrated with the AMF Security mini system is published under the AMF-SEC Technology Partner Program. Contact our sales engineer for details of the Technology Partner Program.



18 Jan 2021 10:56