
White Paper
Extreme Networks Security Framework

Traditionally, security has been the job of specialized appliances: firewalls, intrusion detection or prevention systems (IDS/IPS), antivirus software and so on. Since most attacks initially came in from the Internet, bolting discrete devices to the Wide Area Network (WAN) perimeter, where the private and public networks met, worked well.

However, these days, threats are appearing on the inside of the network, circumventing the elaborate firewall and antivirus protection at the WAN perimeter. In fact, the typical IT administrator finds out that there is a new threat on the Internet because it's already appeared inside the enterprise network (Figure 1). These security breakdowns are expensive. According to a 2003 security survey, the average company spent more than $200,000 just reacting to virus events. Disinfecting a single laptop or desktop can cost as much as $250.

In addition to being ineffective against the spread of viruses and worms within an enterprise, conventional protect-the-perimeter strategies also leave the corporate LAN wide open to inappropriate access by intruders. Intruders—whether digital or human—can pretty much go anywhere on the network, causing any number of problems.

Extreme Networks believes that LAN security is too important an issue to be left to the ever increasing "conga line" of perimeter security appliances. Instead the LAN itself must play an active role in defending the network and the resources on the network from inappropriate access or attack.

The Extreme Security Framework is an end-to-end security solution that puts the right protection in the right places.

Category of Threats

Before we describe the Extreme Networks® security framework in detail, it is helpful to quickly summarize the various ways in which a network can be compromised from a business perspective.

  1. Attacks on the network infrastructure itself, affecting business continuity
  2. Unauthorized access to the network and business data
  3. Viruses and worms (known and day-zero) affecting business productivity and data integrity


Figure 1.

Attacks on the Network Infrastructure
These can include attacks on the switches themselves with the goal of causing them to cease functioning. A simple example of such a denial of service (DoS) attack is a ping flood, but attacks have become much more sophisticated in recent years. Attackers also probe for unprotected passwords on network devices, or try to hijack the management of network devices so they can be reconfigured. Once a network is compromised in this manner, there are few limits to the amount of business disruption an attacker can cause.

Unauthorized Network and Data Access
Unauthorized data access represents a different, but equally important, security risk. Unauthorized users may attempt to connect to the network to launch an attack or to access sensitive information. Authorized users may try to use the network to access data prohibited by policy, including personnel and medical records and other sensitive information stored on network servers.

This type of security threat is even more important today because of new regulations governing information management. In the United States, for example, the Health Insurance Portability and Accountability Act (HIPAA) requires doctors, caregivers and medical institutions to prevent unauthorized access to medical records. Similarly, the Sarbanes-Oxley Act of 2002 requires America’s public companies to tightly control access to sensitive financial information. The network has a major role to play in reducing exposure.

Viruses and Worms
While there are many robust solutions designed for the WAN perimeter, the big exposure is inside the network. There are many ways in which the WAN perimeter defense is circumvented.

  • Viruses transmitted by the mobile workforce pose a huge problem. As end-users travel, laptop in hand, they may access the network over a wireless link at Starbucks or use the broadband connection in their hotel room. In both settings, they are completely vulnerable to viruses and worms. Once the infected system is returned to the office, the virus rapidly spreads to other users.

  • Guest users present a similar problem. Visitors may want to access the Internet to download a presentation or demo or to check their e-mail. Every time they are allowed to connect to the corporate LAN network, there’s a chance that they’ll unleash a virus.

  • Personal e-mail accounts represent one of the major ways that viruses are disseminated. When users inside the network access an outside personal e-mail account, they often do so using an encrypted SSL session. Therefore, IT administrators have no way to see if a message contains a malicious payload. If the user decides to open a message containing a virus, it can begin replicating throughout the network.

  • Another serious danger is remote users with VPN access. The most common type of VPN, IP Security (IPSec), establishes an encrypted tunnel between the remote client and the network. This creates a conduit for spreading viruses. If the client is on an unprotected network, a mobile hot spot, for example, it can easily be infected. Once that happens, the virus travels through the VPN tunnel to the corporate network. It’s even possible for a hacker to mount a man-in-the-middle attack, which uses the VPN client system as a proxy directly into the corporate net.

There are only two defenses against this problem: ensure that antivirus client software is completely up-to-date all the time or forbid any type of SSL-encrypted browser sessions. The former is extremely difficult given today’s diverse technologies; the latter may have an impact on company goals or may even break business applications.

The Distinction Between Known and Day-Zero Threats
A known threat is a virus, exploit or other attack that has already been seen and captured in the wild and one for which protection is already available: it could involve installing a security patch, updating antivirus signature files or taking some other action. The critical concept here is that IT managers can do something to keep from being victimized by known threats.

Day-zero (or zero-day) attacks are another matter. "Day zero" indicates that this is the first time this particular threat has appeared on the Internet, spreading from machine to machine and attacking systems. At first, no one understands the mechanism that is being used to spread the virus or worm or how the security exploit works. Defending against this type of threat is much more difficult: network administrators are pretty much on their own. Even identifying that an attack is in progress can be difficult.

The Extreme Security Framework
The Extreme security framework addresses the new security challenges facing IT managers within the enterprise, where they are most vulnerable. Its simple and flexible approach makes it possible to increase real-world security without trading off network performance or capabilities. The framework consists of three major components roughly corresponding to the three broad areas of compromise identified earlier in the paper:

  • Hardened Network Infrastructure protects the network itself from attack and compromise. Its primary goal is to close network vulnerabilities and keep the network functioning when a security incident is occurring. Keeping the network up means it can be managed—and IT administrators can determine the source of the threat and deal with it.

  • User Policy Enforcement protects the network from access by unauthorized users and protects sensitive resources from even authorized users by ensuring that only the right users access the right enterprise resources.

  • Threat Detection and Response identifies and responds to unusual network behaviors dealing with both known and unknown threats.

Figure 2 summarizes how the Extreme Networks security framework is implemented on an illustrative Extreme network consisting of a Unified Access layer, Intelligent Core layer, and a WAN Perimeter. The security needs at the Unified Access and Intelligent Core layers are addressed through a combination of features on Extreme’s switches, Extreme Networks’ EPICenter® management suite, and tight integration with select partners.

On the other hand, security appliances provided by Extreme Networks’ leading partners in this space best address the needs of the WAN perimeter.


Figure 2. Extreme Networks Security Framework

Hardened Network Infrastructure

Extreme Networks’ switches and EPICenter deliver several leading features that close network vulnerabilities and ensure that the network remains functional in the event of an attack.

Secure Management
Secure management is required in today’s network environment. Traditional methods of managing switches through Telnet and SNMP are no longer safe. It is possible to intercept these communications using sniffers or man-in-the-middle attacks. Once hackers have grabbed passwords and community strings, they can reconfigure the network and bypass security measures, including User Policy Enforcement.

Therefore, management traffic must be secured. Out-of-band management is one way to do this, but it’s often impractical, especially in very large LANs. The alternative is to use secure protocols: SSH2 (not SSH1, because it has been cracked), SCP and SNMPv3, which implements 64-bit counters, adds encryption and allows SNMP management systems to authenticate whenever they connect to a switch.

Special attention must be paid to management systems, which are often the Achilles heel of secure management protocols. Extreme Networks’ net management tool, EPICenter, addresses security by encrypting net management traffic. Using the EPICenter management console, IT managers can reconfigure the network, create VLANs and establish dynamic policies. Meanwhile, all management communications will be encrypted across the network, so even if they are intercepted they won’t compromise resources or infrastructure.

In a wireless network, users sometimes introduce a vulnerability by attaching unauthorized access points to the switch ports. Extreme Networks’ "Rogue Access Point Detection" capability on its Altitude Access Points, coupled with EPICenter, gives the network manager a real-time view of access points connected to the network. The network manager can see the unauthorized access point and take appropriate action to close the vulnerability, by shutting down the port, for example.

Denial of Service Protection (DoS) for the Switch
DoS attacks, which can be very damaging to switches, are becoming increasingly common. Stopping the most basic types of DoS attacks, such as ping floods, is not difficult, and many vendors have hardened their switches accordingly.

Unfortunately, these simple attacks are becoming increasingly rare. To deal with more sophisticated DoS attacks, Extreme Networks pursues a two-pronged approach: extensive lab testing and dynamic attack response.

Testing the impact of attacks in the lab is critical to dealing with them successfully in the field. Extreme Networks currently subjects its firmware version to more than 40 DoS attacks and Internet exploits as part of the certification process. More tests are being added constantly.

However, no lab test can account for new types of attacks. Extreme Networks Enhanced CPU DoS Protection addresses the new attack scenario. Enhanced CPU DoS Protection is a dynamic response mechanism that recognizes that under normal circumstances the vast majority of traffic is handled directly in hardware. If there are an unusually large number of packets in the CPU input queue, there’s probably a problem. If the switch decides it’s under attack, it reviews the packets in the input buffer and assembles ACLs that automatically stop these packets from reaching the CPU. After a period of time, the ACLs are removed. If the attack continues, they are re-installed.

Extreme’s enhanced CPU DoS protection also provides IT managers with valuable information about network attacks. Often, when the network infrastructure is under attack, it’s an indicator of a larger attack on the entire IT infrastructure itself. Enhanced CPU DoS sends alerts to the network management system about what type of attack the switch is under. These can help pinpoint the cause of a broader attack more quickly.
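The following simulation illustrates the control loop just described: watch the depth of the CPU input queue, derive temporary ACLs from the (source, protocol) pairs that dominate it when it is abnormally deep, let them expire after a hold-down, and re-install them if the next pass still sees a flood. It is an added example written for this page and is not Extreme Networks code; the queue depth, hold-down time, minimum-share rule and the traffic it runs on are constructed assumptions. The minimum-share rule is the caveat a practitioner wants here: a handful of routing-protocol or management packets caught in the same queue must not be blocked as collateral damage.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed assumptions for the simulation: none of these values come
# from the paper or from any Extreme Networks product.
QUEUE_ALARM_DEPTH = 100   # CPU input queue depth treated as "probably under attack"
BLOCK_SECONDS = 30        # how long a dynamically installed ACL stays in place
TOP_N = 3                 # at most this many (source, protocol) pairs blocked per pass
MIN_SHARE = 0.10          # a pair must make up this share of the queue to be blocked


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str  # e.g. "icmp", "tcp", "ospf"


@dataclass
class DynamicAcl:
    src: str
    proto: str
    expires_at: float


@dataclass
class CpuProtector:
    acls: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def active_acls(self, now):
        """Drop ACLs whose hold-down has elapsed and return the rest."""
        self.acls = [a for a in self.acls if a.expires_at > now]
        return self.acls

    def blocked(self, pkt, now):
        """True if an active dynamic ACL already stops this packet short of the CPU."""
        return any(a.src == pkt.src and a.proto == pkt.proto
                   for a in self.active_acls(now))

    def evaluate(self, queue, now):
        """Periodic check of the packets waiting in the CPU input queue.

        Returns the ACLs installed on this pass (empty when the queue looks
        normal). If the attack continues after an ACL expires, the next pass
        sees a deep queue again and re-installs it."""
        waiting = [p for p in queue if not self.blocked(p, now)]
        if len(waiting) < QUEUE_ALARM_DEPTH:
            return []
        installed = []
        # Only pairs that dominate the queue are blocked; a few control-plane
        # packets (routing hellos, management) in the same queue are left alone.
        for (src, proto), count in Counter((p.src, p.proto) for p in waiting).most_common(TOP_N):
            if count / len(waiting) < MIN_SHARE:
                continue
            acl = DynamicAcl(src, proto, now + BLOCK_SECONDS)
            self.acls.append(acl)
            installed.append(acl)
            # The alert is what the network management system would receive.
            self.alerts.append(f"t={now}: queue depth {len(waiting)}, {count} {proto} "
                               f"packets from {src}; blocking for {BLOCK_SECONDS}s")
        return installed


# Constructed traffic: an ICMP flood from one host plus a trickle of OSPF.
FLOOD = [Packet("10.0.0.9", "icmp")] * 150 + [Packet("10.0.0.2", "ospf")] * 5
NORMAL = [Packet("10.0.0.2", "ospf")] * 5 + [Packet("10.0.0.3", "tcp")] * 2


def run_scenario():
    """Flood at t=0, still flooding at t=10 (ACL holds), flooding at t=40 (re-installed)."""
    p = CpuProtector()
    first = p.evaluate(FLOOD, now=0)
    during = p.evaluate(FLOOD, now=10)
    after = p.evaluate(FLOOD, now=40)
    return p, first, during, after
```

`run_scenario()` installs one ACL at t=0 (the ICMP source; the five OSPF packets fall under the minimum share), does nothing at t=10 because the ACL still holds the queue down, and re-installs the ACL at t=40 once the first one has expired and the flood is still present. The `alerts` list is the information the paper says should reach the management system.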

Network Resiliency
One of the characteristics of an attack is that the number of connections and amount of traffic can climb dramatically. This explosion can cause flow-based LAN switches to figuratively melt down. From the end-users’ perspective, the network will slow down, crash, and come back up, only to start the cycle over again.

During these high-flow traffic conditions it is absolutely critical that the network stays up and manageable. Extreme Networks has consequently moved away from flow-based routing to ASIC-based Longest Prefix Match (LPM) routing, eliminating the need for the control plane software to make these decisions. The latest Unified Access and Intelligent Core switches implement LPM in hardware, enabling an entire network to be built with this resilient technology.

What about the millions of flow-based switch ports Extreme already has deployed in customer networks? The answer is IP Destination Address (IPDA) Subnet Lookup, which brings longest-prefix match performance to flow-based architectures. Although IPDA is not as scalable as LPM in hardware, it is usually more than enough to protect the enterprise.

Advanced Quality of Service (QoS) can greatly aid network management during attacks. As a matter of best practices, net management traffic should be given top priority, ahead of other types of traffic so that it has a better chance of reaching its destination even if traffic volume soars. As a result, IT managers have an opportunity to respond to the attack, even though the whole network may be filled with bad packets.

User Policy Enforcement

The User Policy Enforcement component of Extreme’s security framework is tuned to the different needs of the access and core layer of the network. At the Unified Access layer, policy enforcement ensures that only authorized users can connect to the port with the permissions and restrictions applied at the connecting port. At the Intelligent Core layer, policy enforcement ensures that the appropriate access policies are applied on the network resources like servers and subnets.

User Policy Enforcement in the Unified Access Layer
The key challenges involved in securing the LAN edge are unauthorized network access and unauthorized access to sensitive information. The user policy enforcement mechanisms within Extreme Networks’ Unified Access offer a comprehensive solution to address these challenges.

One of the key characteristics of Unified Access is that it takes a uniform approach to security on both wired and wireless networks. Extreme Networks believes that both networks should be managed with the same tools and techniques. The one exception to this unified approach is that encryption is required on the wireless side to protect data on the air link. By taking a consolidated view of wired and wireless networking, Extreme is able to create significantly more secure networks while simultaneously simplifying network design.

The first step to keeping the network safe is keeping unauthorized users off it. Network Login is a flexible way to authenticate users and devices as they attempt to connect to the network. Three mechanisms are available: Web-based login, 802.1x, and Media Access Control (MAC) layer authentication.

Once users and systems get the green light, they are allowed to access the network. However, this does not mean unrestricted access. It is equally important to constrain end users to the network resources that they need to do their job. That is where intelligent network access comes in.

User Authentication via Network Login
Wide-open Ethernet ports and access points are gaping holes in network security. Requiring users to prove they have the right to access the network creates a dramatically more secure environment.

802.1x, defined in RFC 3580, provides the highest level of security of these three methods. 802.1x can be used in a variety of configurations; essentially, as the security level climbs, so does installation complexity (Figure 3).

For example, using 802.1x makes it possible to do a two-way certificate exchange, verifying the identity of both the system and the network. While this may seem unnecessary in a wired environment, it is very important on wireless networks. One of the ways to attack a wireless installation is to deploy a rogue network near the real one. Users connect to the rogue network and supply their credentials, which can then be used by the attacker to access the real network.


Figure 3. Network Login Mechanisms

802.1x is not available on all client platforms, however. It also requires special client software called a "supplicant" that must be loaded on every desktop. This software is included in Windows 2000 Service Pack 4 and Windows XP Service Pack 1, but it may not be available for all systems and there are always legacy setups that remain out of reach.

In these situations, or when it is impossible to require the client supplicant to be installed and configured, Web-based network login is a good choice. This approach uses a captive portal, or browser hijacking, to force users to provide credentials. When users attempt to connect, they are first presented with a login screen asking for their username and password. Once the user is authenticated, they can proceed to use the Web and other network services.

Both Web-based login and 802.1x use RADIUS (IETF RFC 2865) for usernames and passwords. Most RADIUS servers communicate with NT Domains, Active Directory, or LDAP (RFC 2251) and allow the same usernames and passwords used for desktop login to be used for network login as well.

Extreme Networks offers network login based on MAC address to handle devices without a Web browser, such as an IP phone. This approach allows IT managers to dedicate a particular port to one or a group of MAC addresses. Network login based on MAC address is very useful in public-access areas, where cameras or phones must be deployed.

Another approach is to use MAC authentication via RADIUS. This method adds a MAC address to the user database; when the phone is plugged in and begins transmitting, the switch verifies its MAC address in RADIUS. MAC authentication via RADIUS is an easy way to deal with IP phones and allows them to be moved around without the need to reconfigure the switch.

User Permissions via Intelligent Network Access
Once user identity and host integrity have been verified, users can be given access to those resources they need to do their jobs.

The identity-based technology in Intelligent Network Access enables IT managers to maintain strict control over access rights. If end-users try to reach an off-limits server, they are blocked at the edge port itself. Therefore, end-users don’t even have the opportunity to try to hack into the server, making intelligent network access a very powerful addition to conventional application-layer access control.

Sarbanes-Oxley and HIPAA establish new standards for safeguarding sensitive data. Intelligent network access helps companies comply with these recent mandates by restricting data access to only those users who need access to the sensitive data. Furthermore, this technology is a great way to demonstrate that all possible steps are being taken to comply with new regulations.

When intelligent network access authenticates users, it automatically restricts their network access, using their login to determine which group or individual policies are needed. There are two types of restrictions:

The first is through VLAN assignments. Specific VLANs can be assigned based on job function or workgroup. Once users are on different VLANs, access control lists (ACLs) can be established between the VLANs in the core of the network where routing is performed. The ACLs can be used to block access to sensitive servers or network segments.

Another way to restrict access is by applying ACLs directly to the port the user is logged in to. These ACLs, which are based on IP addresses, block or allow users to access network resources.

Let’s take a look at Intelligent Network Access in action (Figure 4). When a user logs into the switch, via 802.1x or Web-based login, the switch communicates with the RADIUS server to check his or her user credentials. These can be extracted directly from LDAP or from Active Directory or they can be maintained statically on the RADIUS server.

If the user is authenticated, a signal is sent to the switch along with an optional VLAN assignment. The port changes the VLAN and comes online. At that point, a message is sent to the Extreme Network’s EPICenter Policy Manager, which installs the ACLs on the switch.

Extreme Networks’ EPICenter network management system and the Policy Manager plug-in are both required. Administrators configure network access rules using Policy Manager’s GUI.

Without multiple methods for controlling access, security concerns can force IT managers to implement an architecture they would rather not use. Alternatively, they may not be able to move to the necessary architecture. For example, if VLANs alone are used to restrict access, then every VLAN must be accessible from every switch on the network that deals with user logins. In larger campuses, with routed Layer 3 backbones and a large number of switches, the required VLAN access may not be possible.


Figure 4. Intelligent Network Access
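The login sequence and the two restriction types above (a VLAN assigned at login, and an IP-based ACL installed on the edge port) can be modelled in a few dozen lines. The following is an added example written for this page, not EPICenter or Policy Manager code: the user store standing in for the RADIUS server, the group-to-VLAN mapping, the server subnets and the ACL rules are all constructed. The ACL is evaluated first-match with an implicit deny at the end, which is the usual convention but is an assumption here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    dst: ipaddress.IPv4Network       # destination prefix the rule matches
    dport: Optional[int] = None      # None matches any destination port


def net(s):
    return ipaddress.ip_network(s)


# Constructed policy: each group gets a VLAN at login and an IP-based ACL
# installed on the edge port. Rules are evaluated first-match, with an
# implicit deny when nothing matches.
POLICY = {
    "hr": (110, [AclRule("permit", net("10.10.0.0/24")),          # HR records servers
                 AclRule("deny",   net("10.20.0.0/24")),          # finance servers
                 AclRule("permit", net("0.0.0.0/0"))]),
    "finance": (120, [AclRule("permit", net("10.20.0.0/24")),
                      AclRule("deny",   net("10.10.0.0/24")),
                      AclRule("permit", net("0.0.0.0/0"))]),
    "guest": (900, [AclRule("deny",   net("10.0.0.0/8")),         # no internal resources
                    AclRule("permit", net("0.0.0.0/0"), 80),
                    AclRule("permit", net("0.0.0.0/0"), 443)]),
}

# Constructed stand-in for the RADIUS server's user store: user -> (password, group).
USERS = {"alice": ("s3cret", "hr"), "bob": ("hunter2", "finance"), "visitor": ("welcome", "guest")}


def radius_authenticate(user, password):
    """Returns (accepted, group). A real deployment queries RADIUS, which in
    turn may look the user up in LDAP or Active Directory."""
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return False, None
    return True, entry[1]


def network_login(port, user, password):
    """Authenticate the user on a port; on success derive the VLAN the port
    moves to and the ACL the policy manager installs on it."""
    ok, group = radius_authenticate(user, password)
    if not ok:
        return {"port": port, "state": "blocked"}
    vlan, acl = POLICY[group]
    return {"port": port, "state": "online", "user": user, "vlan": vlan, "acl": acl}


def acl_permits(acl, dst_ip, dport):
    """First-match evaluation of a port ACL, implicit deny at the end."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if addr in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action == "permit"
    return False
```

With this policy an HR user on port 1:5 lands on VLAN 110 and can reach the HR subnet but is stopped at the port when addressing the finance subnet; a guest lands on VLAN 900 and can reach only Web ports outside 10.0.0.0/8. This is the point of enforcing at the edge port: the packet to the off-limits server never reaches the core, let alone the server.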

User Policy Enforcement in the Intelligent Core Layer
If Network Login and Intelligent Network Access are implemented at the access layer then user policy enforcement may not be a major consideration in the network core design. However, there may be network managers who find user authentication and access policy management complex to administer at the per user level. Extreme’s Layer 3 Virtual Switching and ACL-based firewalls can be used in the Intelligent Core to implement user policies.

Layer 3 Virtual Switching
Layer 3 Virtual Switching is a valuable tool for increasing network security. This technology allows multiple, even overlapping, Layer 3 address spaces to coexist in a single physical switch. Virtual routing is used in service provider networks; typically, it has been available only on a few very high-end routers. Extreme Networks has put an end to those restrictions, implementing virtual routing in a Layer 3 Switch using its new 4GNSS chipset and modular ExtremeWare® XOS network operating system.

Virtual routers can be used to increase the security of enterprise networks in a number of ways: segmenting the enterprise core, simplifying data centers, and creating secure overlay networks (Figure 5).


Figure 5. Applications of Layer 3 Virtual Switching

In the core of a large enterprise, several buildings or campuses come together in one or more network backbones. These backbones often resemble carrier networks and are used to shunt traffic between buildings or business units. Layer 3 Virtual Switching can quickly isolate network segments and implement ACL-based firewalls between them. Individual buildings, for example, can have their own virtual routers. This scheme dramatically reduces the impact of routing issues, security incidents and other network problems, keeping them contained to a specific virtual router segment. What’s more, worms can often be stopped with a simple, port-based ACL. Additional security can be achieved by adding an external firewall between virtual router segments.

In the corporate data center, virtual routing can simplify network design while maintaining very high security levels. For example, one virtual router could be used for the external network and one for the internal network. On the outside, virtual routing and Border Gateway Protocol (BGP) could be used to peer with an ISP, as well as with Web servers and other hosts. The external virtual router could connect to a firewall and then back into the switch on its internal equivalent.

The internal virtual router, meanwhile, peers with the rest of the corporate network via Open Shortest Path First (OSPF); the protected corporate servers would connect to it. The result: high security is achieved without implementing separate infrastructures for the internal and external networks.

ACL Based Firewalls
The use of ACLs to control access to server resources is an example of user policy enforcement in the Intelligent Core layer. Extreme Networks’ implementation of ACLs in the Intelligent Core is unique. The BlackDiamond® 10808 implements more than 100,000 ACLs or rules without impacting performance. The ACLs are "wide" and can look at header information in the first 120 bytes of the packet. An easy-to-use ACL scripting language makes it easy to define and then apply ACLs.

Threat Detection and Response

While applying user policies is the appropriate way for dealing with the problem of unauthorized network access and data access, it does not solve the problem of an "authorized" user launching a virus or worm attack consciously or by accident.

The Threat Detection and Response component of the Extreme Security Framework addresses this issue by looking at both known and day-zero threats in turn.

Threat Detection and Response in the Unified Access Layer
Extreme’s Host Integrity and Response technology is a nearly foolproof way of dealing with known threats. It complements the 802.1x technology used as part of user policy management.

Using sFlow with analysis packages like those available from InMon is another approach to identifying viruses, worms and other threats by looking for unusual activity at the edge port.

Host Integrity Check and Response
Once users are authenticated, IT managers still need to make sure their computers don’t represent a threat to the network. As noted before, authenticated and authorized users may still unleash a virus or worm inside the enterprise when they connect their PC to the network. For example, the user may not have updated his or her virus definition files in a while and picked up a virus when they connected that PC to the Internet at home or in a hot spot. Host integrity checking allows the network to verify that systems are in compliance with the IT department’s standards. For example, IT may want everyone to run a specific antivirus program and have antivirus signature file number 3468.

Rather than simply keeping users that don’t comply off the network, which can affect productivity, IT can shunt them onto a quarantined VLAN, with a server that will automatically upgrade their system so that it is in compliance. The process of upgrading the end-user system and running the required scans to detect known threats is called remediation. Automatic remediation ensures that all users are up to date, without requiring desktop administrators or help desk personnel to get involved.

This approach is the most effective way to deal with known threats. When a new virus or worm comes out, the IT administrator may want to patch everyone’s system so they are not vulnerable, update their virus files, and run a disinfectant script in case any machines are already contaminated. By taking these steps before a potentially infected host is allowed onto the network, it is possible to neutralize most threats.

Extreme has chosen to work closely with Sygate Technologies and Zone Labs as standards-based solutions are being brought to market. Both partners are pioneers in enterprise end-point security and have developed a complete system for centrally managed end-point security that includes personal firewall, desktop intrusion detection system, application control and host integrity checking. Both also can enforce host integrity checking over IPSec and SSL VPNs, further tightening security.

End-users connect to the network and employ 802.1x to authenticate. In the case of an Extreme Networks-Sygate solution, the Sygate agent that runs on the client uses the 802.1x session to send information about the host integrity to the Sygate LAN Enforcer server. Sygate is able to insert itself transparently into the authentication infrastructure by functioning as a RADIUS proxy. This means that existing 802.1x implementations in switches and clients do not need to be changed in order to add host integrity checking.

Authentication information also is sent to Sygate’s LAN Enforcer. At the same time it is evaluating host integrity information, Sygate Enforcer determines if the user is going to log in using 802.1x for login and password. If the answer is ‘yes’ the Enforcer sends that information to the RADIUS server. Combining the RADIUS server’s response with the configured host integrity policy, the Sygate Enforcer decides whether to slot the user onto the regular VLAN or the special one. If the answer is the latter, it signals the client software to initiate a repair process (Figure 6).


Figure 6. Host Integrity Checking and Remediation
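The decision the enforcer makes in the flow above (forward the credential check to the real RADIUS server, then combine its answer with the host integrity policy to pick the production or quarantine VLAN) is shown below as an added example written for this page. It is not Sygate, Zone Labs or Extreme Networks code. The posture attributes the agent reports, the VLAN numbers and the backend user store are constructed; the required signature file number 3468 is the paper's own example.

```python
from dataclasses import dataclass

# Constructed VLAN numbers; the paper only says "the regular VLAN or the special one".
REGULAR_VLAN = 100
QUARANTINE_VLAN = 999   # reaches only the remediation server

# Constructed integrity policy in the spirit of the paper's example
# ("run a specific antivirus program and have signature file number 3468").
POLICY = {"av_product": "CorpAV", "min_signature_file": 3468, "firewall_on": True}


@dataclass(frozen=True)
class HostReport:
    """What the agent on the client reports over the 802.1x session."""
    av_product: str
    av_running: bool
    signature_file: int
    firewall_on: bool


def integrity_failures(report):
    """List the policy checks the host fails; an empty list means compliant."""
    failures = []
    if report.av_product != POLICY["av_product"] or not report.av_running:
        failures.append("required antivirus not running")
    if report.signature_file < POLICY["min_signature_file"]:
        failures.append(f"signature file {report.signature_file} older than "
                        f"{POLICY['min_signature_file']}")
    if POLICY["firewall_on"] and not report.firewall_on:
        failures.append("personal firewall disabled")
    return failures


def backend_radius(user, password):
    """Stand-in for the real RADIUS server the proxy forwards to (constructed users)."""
    return {"alice": "s3cret", "bob": "hunter2"}.get(user) == password


def enforcer_decide(user, password, report):
    """The proxy step: forward the credential check unchanged, then combine the
    server's answer with the integrity policy before replying to the switch."""
    if not backend_radius(user, password):
        return {"accept": False}   # Access-Reject: the port stays closed
    failures = integrity_failures(report)
    if failures:
        # Authenticated but non-compliant: admit only to the quarantine VLAN and
        # tell the agent which items the remediation server must fix.
        return {"accept": True, "vlan": QUARANTINE_VLAN, "remediate": failures}
    return {"accept": True, "vlan": REGULAR_VLAN, "remediate": []}
```

Two properties of the proxy design are visible here: the switch and the client keep speaking plain 802.1x/RADIUS and never learn that a posture check happened, and a valid password alone is never enough to reach the production VLAN. The returned `remediate` list is the signal that drives the repair process on the quarantine VLAN.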

Two efforts are underway to standardize host integrity checking. Extreme Networks is actively participating in both. One is led by the Trusted Computing Group, an industry standards body; the other, by Microsoft.

The goal of the Trusted Computing Group is to define a standard that supports host integrity checking on any operating system and allows security vendors to participate in an open host-integrity solution. For example, antivirus and personal firewall vendors could both have integrity agents on a desktop, each reporting different statistics.

Microsoft has also announced an infrastructure for host integrity checking, the Network Access Protection architecture. This architecture is very similar to the one being developed by the Trusted Computing Group, but is restricted to newer Windows systems. It is expected to be available late 2005.

Cisco also has its own effort, Network Admission Control. This is a completely closed architecture that will only work with Cisco products, as well as solutions from a select number of their security partners. To add insult to injury, it is only available on a very small subset of Cisco’s products.

sFlow Monitoring and Response
sFlow monitors network traffic by sending IP headers and other information from a statistically significant number of packets received on each port to a central management station for analysis. This approach is much more scalable than Netflow and other traffic-monitoring techniques. It enables IT managers to establish a statistical baseline for traffic patterns, revealing what users are doing, what applications are running, and who is using the most bandwidth.

sFlow provides an early warning system. Traffic baselines change very abruptly in response to a security problem: top talkers change and traffic levels skyrocket.

The most common responses to a threat detected using sFlow are to apply an ACL, change QoS parameters or change VLAN settings. One approach to responding to a threat is for the network operator to manually apply ACLs or change QoS/VLAN settings. A much more automated approach is to define policies in EPICenter for a particular threat and let EPICenter automatically apply the ACLs or QoS/VLAN settings once it gets notified of a threat.
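The baseline-and-deviation idea behind sFlow monitoring can be shown with a small analysis routine. The following is an added example written for this page, not sFlow, InMon or EPICenter code: it scales packet samples back up by the sampling rate to estimate per-source traffic, builds a baseline of total volume and usual top talkers from earlier windows, and flags a window whose volume jumps or whose top talkers are hosts never seen at the top before. The sampling rate, the sample windows and the thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

SAMPLING_RATE = 256   # 1-in-N packet sampling (constructed)


def estimate_bytes_per_host(samples):
    """samples: (src_ip, sampled_packet_bytes) pairs from one time window.
    Each sample stands for roughly SAMPLING_RATE packets, so the sampled
    bytes are scaled up to estimate the real per-source volume."""
    est = defaultdict(int)
    for src, nbytes in samples:
        est[src] += nbytes * SAMPLING_RATE
    return dict(est)


def top_talkers(est, n=3):
    return [src for src, _ in sorted(est.items(), key=lambda kv: kv[1], reverse=True)[:n]]


def build_baseline(windows):
    """windows: per-window estimates from estimate_bytes_per_host.
    Returns (mean total, stdev of totals, set of hosts that were ever top talkers)."""
    totals = [sum(w.values()) for w in windows]
    usual = set()
    for w in windows:
        usual.update(top_talkers(w))
    return mean(totals), pstdev(totals), usual


def check_window(window, baseline, sigma=3.0):
    """Flag a window whose total traffic is far above baseline or whose top
    talkers include hosts that were never top talkers before."""
    mean_total, sd, usual = baseline
    total = sum(window.values())
    alerts = []
    # A flat baseline has sd == 0; the floor keeps a tiny blip from alerting.
    if total > mean_total + sigma * max(sd, 0.05 * mean_total):
        alerts.append(f"total traffic {total} far above baseline {mean_total:.0f}")
    newcomers = [h for h in top_talkers(window) if h not in usual]
    if newcomers:
        alerts.append("new top talkers: " + ", ".join(newcomers))
    return alerts


# Constructed sample data: the number of sampled packets seen per source in
# a window, expanded into (src, bytes) records of a fixed 600-byte size.
def synth_window(sampled_packets_per_host):
    return [(src, 600) for src, n in sampled_packets_per_host.items() for _ in range(n)]


QUIET = [synth_window({"10.1.1.10": 40, "10.1.1.20": 30, "10.1.1.30": 25, "10.1.1.40": 5})
         for _ in range(5)]
SPIKE = synth_window({"10.1.1.10": 40, "10.1.1.20": 30, "10.1.1.30": 25, "10.1.1.77": 400})


def analyze(history, current):
    """Build the baseline from past windows and check the current one against it."""
    baseline = build_baseline([estimate_bytes_per_host(w) for w in history])
    return check_window(estimate_bytes_per_host(current), baseline)
```

`analyze(QUIET, SPIKE)` returns two alerts: total volume roughly five times the baseline, and a new top talker (10.1.1.77). Either alert is the kind of event that would be handed to an operator, or to a policy that applies an ACL or QoS change to the offending port.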

Threat Detection and Response in the Intelligent Core Layer
The key technologies that enable Threat Detection and Response in the Intelligent Core are sFlow and CLEAR-Flow.

CLEAR-Flow
The best way to detect security problems is to examine as much traffic as possible, and that is the idea behind CLEAR-Flow. In combination with techniques such as line-rate port mirroring of a subset of flows and ACLs, CLEAR-Flow provides a closed-loop system for detection and response.

CLEAR-Flow uses the special hardware capabilities of Extreme Networks’ ASICs in the BlackDiamond 10808 and the advanced software capabilities of ExtremeWare XOS to examine each and every packet, at line rate, looking for traffic that may indicate a network or security problem. Essentially, CLEAR-Flow is an analysis engine that picks out unusual traffic patterns. When the switch detects an anomaly it takes action. Thus, CLEAR-Flow gives IT managers the ability to react to unusual patterns in real time.

CLEAR-Flow examines traffic as it enters the switch, incrementing hardware-based counters when specific types of traffic are found. A software process continuously evaluates the counters; if they reach a certain absolute value or increase at a certain rate, the switch takes action (Figure 7).


Figure 7. CLEAR-Flow Detect and Respond Flow

CLEAR-Flow can easily detect virus and worm infections by monitoring the traffic coming from each system on the network. Tracking the frequency of TCP SYN packets, which initiate network connections, is a good indicator of network conditions. A large number of these packets is often a sign of a compromised system.

CLEAR-Flow uses an extended access list to identify and count desktop traffic. If the number of new connections per second exceeds a predefined threshold, CLEAR-Flow will automatically take whatever action the IT administrator has defined. If a desktop is involved, the administrator may want traffic blocked immediately using ACLs or throttled by changing QoS parameters and an alert sent to the help desk.

If a server is identified as a suspect system, a more cautious approach may be warranted (Figure 8). One response would be to engage a mirror port and allow an intrusion detection/prevention system (IDS/IPS) to monitor the traffic. The IDS will be able to make a much more accurate decision about whether the traffic flows represent a threat, because it can look at more of the traffic and use more elaborate analysis algorithms.
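The detect-and-respond cycle described in this section, as an added example that is not from the paper or from Extreme Networks: per-source, per-second SYN counters stand in for the hardware counters, a software pass trips on either an absolute count or a per-second rate, and the response differs for desktops (block and alert) and servers (mirror to an IDS/IPS). The packet records, the thresholds and the host-role table are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_seconds, src_ip, tcp_flags), where
# "S" is a SYN without ACK, i.e. a new outbound connection attempt.
PACKETS = ([(0.1 + i * 0.5, "10.0.0.20", "S") for i in range(5)]     # normal desktop
           + [(0.5, "10.0.0.20", "A")]                                # ACK, not counted
           + [(1.0 + i / 100, "10.0.0.33", "S") for i in range(60)]   # desktop burst
           + [(2.0 + i / 30, "10.0.0.5", "S") for i in range(120)])   # server, steady
# Thresholds and the role table are assumptions for the example; the switch
# itself sees only addresses, so an operator or EPICenter supplies roles.
ABSOLUTE_THRESHOLD = 100   # SYNs from one source over the whole window
RATE_THRESHOLD = 40        # SYNs from one source within any one second
HOST_ROLE = {"10.0.0.5": "server"}

def count_syns(packets):
    """Hardware-style counters: one SYN counter per source, per second."""
    counters = defaultdict(lambda: defaultdict(int))
    for ts, src, flags in packets:
        if flags == "S":
            counters[src][int(ts)] += 1
    return counters

def evaluate(counters, absolute=ABSOLUTE_THRESHOLD, rate=RATE_THRESHOLD):
    """Software pass over the counters: trip on absolute count or on rate."""
    suspects = {}
    for src, per_second in counters.items():
        total = sum(per_second.values())
        peak_rate = max(per_second.values())
        if total >= absolute or peak_rate >= rate:
            suspects[src] = {"total": total, "peak_rate": peak_rate}
    return suspects

def choose_response(src, role_table=HOST_ROLE):
    """Desktop: block with an ACL and alert; server: mirror the flow to an IDS/IPS."""
    if role_table.get(src, "desktop") == "server":
        return "mirror-to-ids"
    return "acl-block+helpdesk-alert"

def clear_flow_pass(packets):
    """One detect-and-respond cycle: count, evaluate, pick an action per suspect."""
    suspects = evaluate(count_syns(packets))
    return {src: choose_response(src) for src in sorted(suspects)}

if __name__ == "__main__":
    print(clear_flow_pass(PACKETS))
```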

One of CLEAR-Flow’s most powerful capabilities is mirroring individual flows rather than all of the traffic on an entire port. This allows a single IDS/IPS deployed in the network core to investigate many flows simultaneously, even if they are coming into the switch from several different ports. As a result, an IDS can scale in a way that wasn’t possible before. The alternative is to deploy many IDS/IPS appliances internally in the data center, on key links, etc. In addition to cost, the other disadvantage of this approach is that the IDS/IPS appliances are not capable of functioning at line rate on gigabit or 10 gigabit core links (note that this performance limitation is not an issue in the WAN perimeter). Consequently, CLEAR-Flow, with its intelligent pre-processing capability makes the use of an IDS/IPS inside the LAN feasible.

If the traffic does constitute a worm or virus, the IDS/IPS can respond to the host directly, for example by sending RST packets, which will cause the suspicious connection to be dropped. Extreme Networks is already working to extend CLEAR-Flow by providing an easy-to-use API that permits an IDS to send messages directly into the switching infrastructure, where the network can take direct action against the threat.

Emerging Day Zero Technologies in the Core
Extreme Networks is working on several advanced initiatives to bring even greater levels of Day Zero detection and response capability to the core. Day Zero attacks, especially new worms, disseminate themselves through the network at a very high rate. As an example, SQL Slammer, which exploited a buffer overflow in Microsoft SQL Server, doubled in size every 8.5 seconds, scanning 55 million IP addresses per second. The Slammer worm infected 90% of the vulnerable hosts on the Internet in 10 minutes!

These kinds of Day Zero attacks are very damaging for an enterprise and can cost IT staffs upwards of $250 per system infected. One of the major characteristics of these worms is their ability to scan large ranges of IP addresses and ports. Extreme is investigating a number of techniques with its partners to detect those scans early on and attract them through "honey potting" techniques in order to contain the worm before it spreads and damages the whole enterprise.


Figure 8. Using CLEAR-Flow for External Analysis and Response

Conclusion

Security is too important to be left to just the security companies; the LAN infrastructure needs to play an active role in security. However, it is important to realize that great LAN security does not come from simply re-purposing WAN-side security technology and turning it into "blades" that go inside LAN switches. It is not just an issue of performance; there are better ways to solve the LAN security problem.

A more fundamental look at the problem is called for and Extreme Networks provides the solution through its Extreme security framework. Extreme Networks has focused on three critical areas:

  • Hardening the LAN network infrastructure so that vulnerabilities are closed and the network can stay operational even under attack.
  • Enforcing user policies so that only authorized personnel can access the LAN, and even that with the right permissions.
  • Implementing a switch-based rapid detection and response capability to deal with known and day-zero viruses, worms and other attacks initiated inside the four walls of the LAN.

With unique innovations underpinning each of the three areas, and a management solution that simplifies administration, an Extreme LAN is built for today’s security-conscious environment.