What is AMF Security mini

AMF-SECurity (AMF-SEC) is our solution to streamline network operations and enhance security in office environments.
AMF Security mini is the SDN controller that is the core of the solution, and it realizes the cooperation between our products supporting the AMF (Allied Telesis Management Framework) and various business security related applications.

What is AMF Application Proxy

The AMF Application Proxy controls traffic from edge devices which are connected to AMF Members (Edge Nodes) where AMF Master (Proxy Node) authenticates the devices by querying AMF Security mini (the AMF Application Proxy Whitelist).
It is also possible for AMF Security mini to notify the AMF Proxy Node of suspected node and make Edge Nodes to block the devices (the AMF Application Proxy Blacklist).

Note
◼ AMF Application Proxy Whitelist and AMF Application Proxy Blacklist
・ A Proxy Node also can be an Edge Node (Only supported models).
・ Cannot be linked with AMF controller.
You can use Whitelist only, Blacklist only, or both.

To use the AMF Application Proxy, you have to configure all of AMF Security mini, Proxy Node and Edge Nodes.

What does AMF Security mini Manage (the AMF Application Proxy Whitelist)

AMF Security mini can centrally control the network access from various devices by utilizing the port authentication feature on the AMF Members it manages.

The AMF Application Proxy Whitelist is an AMF-SEC (AMF-SECurity)'s integration feature where AMF devices ask the AMF Security mini system's whitelist server if a specific device can be allowed access to the network.
If a device meets those conditions, it is allowed to join the logical network defined by a VLAN ID.

Location
Where a device can access the network.
By associating AMF Members with a location, you can define a physical network space.
Schedule
When a device can access the network.
You can specify a period of time with a Start Date / Time and End Date / Time.
Switch Port
A port on an AMF Member from which a device can access the network.
You can allow a device to access the network only when it connects to a specific port on a particular Switch.
Network
A VLAN subnet to which a device can belong (a logical network space defined by a VLAN ID).

The MAC address interface of the device is managed by connecting, blocking, and isolating based on the security policy assigned to the device.
A device can have more than one MAC address interface.
Assuming that a device has two MAC addresses - one for a wireless interface and the other for a wired interface, both of them can access the same network if they meet the conditions for Location and Schedule.

Table 1: Configurable Security Policies (the AMF Application Proxy Whitelist)
Device Information
Device	network-capable equipment which connects to an AMF Member
└	MAC Address	a MAC address of the device interface
└	:	(multiple items can be defined)
└	Security Policies	Network			a VLAN segment (VLAN ID) to which a device is assigned.
		Location			a physical location where a device can access the network.
		└	AMF Member		a switch in the location.
			└	Switch Port	a port on the switch from which a device can access the network.
			:		(multiple items can be defined)
		Schedule			a range of time during a device can access the network (Start Date / Time, and End Date / Time).
		(multiple items can be defined)

Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)

The following are required settings for the AMF node to be managed.

Enable the service atmf-application-proxy command on all AMF nodes (both proxy and edge nodes)
Enable the service http command on all AMF nodes (both proxy and edge nodes)
Set a common user at privilege level 15 (privilege level) on all AMF nodes (both proxy and edge nodes)
Enable the atmf topology-gui enable command on the AMF Master (proxy node)
Enable the application-proxy whitelist server command on the AMF Master (proxy node)
Set White list related commands on the terminal connection port of AMF Member (edge node)

Refer to the AlliedWare Plus Product's command reference manual for more information.
Depending on the AlliedWare Plus product model you use for a Proxy Node, you may have to install the proper license on the products.

Configuring AMF Security mini

To use AMF Application Proxy Whitelist on AMF Security mini, you have to configure an IP Address, level 15 (privileged) username and password ,and pre-shared key (PSK) of the AMF Master (Proxy Node) on AMF Security mini.

Open the AMF > AMF Application Proxy Settings page.
Click "Add".
Enter an IP Address of the AMF Master (Proxy Node) in "IPv4 Address".
Enter a username and a password for a level 15 (privileged) user account on the AMF Master (Proxy Node).
In Pre-Shared Key, enter the pre-shared key set in the key parameter of the application-proxy whitelist server command of the AMF Master (Proxy Node).
Click "Submit".

Note
When you finish this configuration, AMF Security mini starts regular queries to the AMF Master (Proxy Node) at 30 second interval.

Blocking with AMF Application Proxy (AMF Application Proxy Blacklist)

Notifying Proxy Node of Suspected Node Information

AMF Security mini notifies the Proxy Node of suspected node when it receives the information from a security software/hardware or an action is added by an administrator on the Policy Settings > Add Action page. The suspected node's information is stored on AMF Security mini and can be viewed on the Policy Settings > Action List page.
AMF Security mini does not notify the proxy node of the information again.

Note
If the proxy node holding the suspected node information reboots, the information is removed from the proxy node.
Because the proxy node cannot receive the information from AMF Security mini again, the proxy node cannot relearn the suspected node automatically.
To manually tell the proxy node about the suspected node, follow the steps below.
1. Open the Policy Settings > Action List page.
2. Click the "Export to CSV" button to save a CSV file.
3. Open the System Settings > System Information page.
5. Click the "Import" button for the Authentication Data item to open the "Upload Authentication Data" dialog.
5. Click the "Choose File" button, select the saved CSV file, and click the "Submit" button.

AMF Actions

When AMF Security mini notifies the Proxy Node of suspected nodes, it can also specify a blocking action (AMF action).
AMF Security mini can specify the following AMF actions.

AMF Dependency
Quarantine
Drop Packets
Link-Down
IP-Filter
Log-Only

When "Quarantine", "Drop Packets", "Link-Down", "IP-Filter", or "Log-Only" are set, these AMF actions are executed with priority over the AMF actions set on the edge node side.
When "AMF Dependency" is set, the AMF action is not sent from AMF Security mini and the AMF action set on the edge node side is executed.

Note
If AMF Security mini and AMF Master receive suspected node information from multiple sources (e.g. external applications), specify the same AMF action for all the sources.
The AMF Action for each application can be specified in the "Rules" section on the System Settings > Trap Monitor Settings page.
To change the AMF action for a suspected node which has already been registered on the Policy Settings > Action List page, delete the existing action and recreate it.

Note
Even if the device is permitted by the whitelist, if it is the target of AMF Action, the communication from the corresponding device is processed according to the action.

Unblocking Suspected Nodes

To unblock a suspected node (delete the suspected node information), delete the corresponding action on the Policy Settings > Action List page. When the action is deleted, AMF Security mini tells the proxy node to delete the suspected node information.

Note
You can also unblock the suspected node by running commands on the proxy node. But in this case, the proxy node does not request AMF Security mini to delete the node information. So AMF Security mini keeps the suspected node information. If you want to delete it, manually delete the action on the Policy Settings > Action List page.
Refer to the AlliedWare Plus Product's command reference manual for the commands.

Displaying and Emailing Blocking Status of the Suspected Node

Status of the suspected node which has been applied an AMF action by an edge node can be view on the Device > Active Device List page.
AMF Security mini regularly gets this information from the proxy node at 30 second interval.

By using AMF Security's Email Notification Settings, you can also get email notifications of blocking.

"Send Email Notification on Block Event" : An email is sent when a node is blocked by one of "Drop Packets", "Link-Down", "IP-Filter" or "Log-Only" actions.
"Send Email Notification on Quarantine Event" : An email is sent when a node is quarantined by "Quarantine" action.

Note
When AMF Security mini queries the proxy node and finds that suspected node information is changed (e.g. a node moved to other switch and got blocked there again), AMF Security mini updates the information on the Device > Active Device List page and sends an email notification.

Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)

The following are required settings for the AMF node to be managed.

Enable the service atmf-application-proxy command on all AMF nodes (both proxy and edge nodes)
Enable the service http command on all AMF nodes (both proxy and edge nodes)
Set a common user at privilege level 15 (privilege level) on all AMF nodes (both proxy and edge nodes)
Enable the atmf topology-gui enable command on the AMF Master (proxy node)
Enable the application-proxy threat-protection command on the terminal connection port of AMF Member (edge node)

Configuring AMF Security mini

To use AMF Application Proxy Blacklist, you have to configure an IP Address, level 15 (privileged) username and password of the AMF Master (Proxy Node) on AMF Security mini.

Open the AMF > AMF Application Proxy Settings page.
Click "Add".
Enter an IP Address of the AMF Master (Proxy Node) in "IPv4 Address".
Enter a username and a password for a level 15 (privileged) user account on the AMF Master (Proxy Node).
Click "Submit".

Note
When you finish this configuration, AMF Security mini starts regular queries to the AMF Master (Proxy Node) at 30 second interval.

Refer to System Settings > Trap Monitor Settings for how to configure integration options with external applications.

TQ's AMF Application Proxy

TQ's AMF Application Proxy controls communication by authenticating the wireless terminal connected to TQ by AMF Security mini (AMF Application Proxy Whitelist).
Also, when AMF Security mini receives the IP address of the suspected terminal from the linked external application, it queries AT-Vista Manager EX for the MAC Address of the terminal based on that IP address. The communication control of the terminal is performed by acquiring the MAC Address held by the AWC Plug-in (AMF Application Proxy Blacklist).

Supported actions are Drop Packets, Quarantine, and Log (only Log Output without controlling communication of the corresponding device).

Note
TQ's AMF Application Proxy can be set from the AWC Plug-in (it cannot be done from the TQ's setting page).

Note
When using the AT-VST-APL / AT-VST-VRT version of AT-Vista Manager EX, AMF Security mini contacts the AWC Plug-in directly.

Note
Authentication when a wireless terminal is connected is performed in the order of "Authentication by AMF Application Proxy (AMF Security mini)" → "Authentication set by security of VAP (multi-SSID) setting". If both authentications are not successful, the wireless terminal connection is not be allowed.

Note
The following items are not supported by TQ's AMF Application Proxy.
・Location policy
・Schedule policy
・session-timeout
・Obtaining authentication information on TQ
・IP Address display of node
・Search Devices
・Account Group

Note
Once the connection between the connected AMF Master is set to be disconnected, if the device already managed by TQ's AMF Application Proxy (devices displayed on the Device > Active Device List page) exists, the authentication and action of that device remain applied. However, it is deleted from the Devices > Active Device List page.

To use this function, the following products and compatible versions are required.

Table 2: AT-TQ5403/AT-TQm5403/AT-TQ5403e
Compatible products	Corresponding version
AT-TQ5403/AT-TQm5403/AT-TQ5403e	6.0.1-6.1 or later
AT-Vista Manager EX (AWC Plug-in)	3.6.0 or later
AMF Security mini	2.2.1

Table 2: AT-TQ6602
Compatible products	Corresponding version
AT-TQ6602	7.0.1-1.1 or later
AT-Vista Manager EX (AWC Plug-in)	3.7.0 or later
AMF Security mini	2.2.1

Behavior when using TQ dynamic VLAN

For TQ's AMF Application Proxy, when WPA Enterprise is selected for the security of VAP (multi-SSID) setting of TQ, the VLAN ID given to the wireless terminal at the time of authentication differs depending on whether the dynamic VLAN is disabled or enabled.

When dynamic VLAN is disabled:
If the wireless terminal is authenticated by AMF Security mini and the VLAN ID is assigned by AMF Security mini, the VLAN to which the wireless terminal belongs is the VLAN ID of AMF Security mini. If the VLAN ID is not assigned by AMF Security mini, the wireless terminal belongs to the VLAN ID of VAP.

Note
The settings of AMF Security mini when the VLAN ID is not assigned by AMF Security mini are as follows.
・ Set the network with VLAN ID 0 in the policy setting (isolated VLAN ID)
・ Do not set Network Settings

When dynamic VLAN is enabled:
Authenticate the wireless terminal with AMF Security mini, and then authenticate with the RADIUS server on the WPA Enterprise side. The VLANs to which the wireless terminal belongs are as follows.
However, if the VLAN ID of the isolated VLAN is assigned by AMF Security mini, it belongs to the isolated VLAN ID assigned by AMF Security mini regardless of the presence or absence of the VLAN ID of the dynamic VLAN.

Table 4: VLAN to which the wireless terminal belongs
AMF Security mini Granted VLAN ID	RADIUS server grant VLAN ID	VLAN to which the wireless terminal belongs
Yes	Yes	RADIUS server grant VLAN ID
None	None	VAP VLAN ID
None	Yes	RADIUS server grant VLAN ID
Yes	None	AMF Security mini Granted VLAN ID

Note
The settings without VLAN ID in AMF Security mini are as follows.
・ Set the network with VLAN ID 0 in the policy setting (isolated VLAN ID)
・ Do not set Network Settings

◼ Operation when VLAN ID 1 is assigned to TQ
The behavior when VLAN ID 1 is assigned to TQ depends on the setting of the management VLAN tag of TQ.
Refer to the TQ's documentation for more details.

Critical mode

In the critical mode, you can select the processing of the newly connected wireless terminal when a failure such as a power failure occurs in the AMF Security mini.

Disabled :
All newly connected wireless terminals is denied connection because they cannot be authenticated by AMF Security mini.
In addition, the wireless terminal that was already connected can communicate as it is.

Enabled :
Allows newly connected wireless terminals without AMF Security mini authentication.
Normally, after successful authentication of AMF Security mini, the authentication set in the security of VAP (Multi SSID) setting is performed. In this case, proceed to the authentication set in the security of the VAP (multi-SSID) setting without performing the authentication by AMF Security mini.
The VLAN to which the wireless terminal belongs is the VLAN determined when the authentication set in the security of the VAP (multi-SSID) setting is successful.

Supported OpenFlow Switches

List of OpenFlow Switch models supported by AMF Security mini can be found on the release notes of AMF Security mini, switches and wireless access points.
Please find those documents on our website.
https://www.alliedtelesis.com

Application Integration Solutions

AMF Security mini can be used with other applications such as threat detection, device management and HR management in order to further enhance network administration efficiency and security.

The latest information on the services or applications which can be integrated into AMF Security system is published under the AMF-SEC Technology Partner Program. Contact our sales engineer for the Technology Partner Program.

C613-04126-00 Rev A

28 Jan 2022 14:19