Security threats in the LAN


February 2014

Security threats in the LAN

Perimeter defense

Security threats

Security threats in the LAN

Information stealing

Information stealing

Information stealing / DoS

Rogue DHCP Server

DoS

Information stealing / DoS

Information stealing / DoS

Spanning tree attack

Oh no!!!! What do we do??????

Look who’s knocking

AAA: Authentication, Authorization, Accounting

Introducing 802.1x

» 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.

Component Protocols

Two protocols are involved in the authentication conversation:

» EAPoL, exchanged between the Supplicant and the Authenticator. EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1x.

» RADIUS, exchanged between the Authenticator and the Authentication Server. RADIUS has received specific extensions to interoperate with EAPoL.

Example Message Sequence

Dynamic VLAN Assignment / Guest VLAN

[Diagram: a router, stacked core switches and authentication switches, with a RADIUS server reached through the core; switch uplinks use link aggregation. Endpoints on the authentication switches: PCs placed in Guest VLAN 10 or Data VLAN 20, a Linux host and a printer in VLAN 20, IP phones in Voice VLAN 30.]
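To make the two-protocol conversation and the guest/data VLAN outcome concrete, here is an added example that is not part of the Allied Telesis deck: a toy model in which the authenticator (switch port) speaks EAPoL toward the supplicant and RADIUS toward the authentication server, then places the port in the VLAN the server assigns, or in the guest VLAN on a reject. The user store, VLAN numbers and the collapsed credential check are constructed assumptions; the RADIUS tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID) are the RFC 3580 ones.

```python
from dataclasses import dataclass, field

GUEST_VLAN = 10     # constructed, after the deck's "Guest VLAN 10": where rejected ports land
DEFAULT_VLAN = 20   # constructed: port's configured VLAN when an Accept carries no VLAN attributes
USER_DB = {"alice": ("s3cret", 20), "ipphone-7": ("v0ice", 30), "legacy": ("old", None)}  # constructed store

class RadiusServer:
    """Authentication Server side: Access-Request in, Access-Accept or Access-Reject out."""
    def access_request(self, identity, secret):
        entry = USER_DB.get(identity)
        if entry is None or entry[0] != secret:
            return {"code": "Access-Reject"}
        reply = {"code": "Access-Accept"}
        if entry[1] is not None:  # RFC 3580 tunnel attributes carry the dynamic VLAN assignment
            reply.update({"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                          "Tunnel-Private-Group-ID": str(entry[1])})
        return reply

@dataclass
class Authenticator:
    """Switch port: EAPoL toward the supplicant, RADIUS toward the server, then sets the VLAN."""
    radius: RadiusServer
    port_vlan: int = GUEST_VLAN          # an unauthenticated port starts in the guest VLAN
    log: list = field(default_factory=list)

    def eapol(self, frame):
        self.log.append("EAPoL <- " + frame["type"])
        if frame["type"] == "EAPOL-Start":
            return {"type": "EAP-Request/Identity"}
        if frame["type"] == "EAP-Response/Identity":
            # A real EAP method exchange follows Identity; collapsed to one credential check here.
            reply = self.radius.access_request(frame["identity"], frame["secret"])
            self.log.append("RADIUS -> " + reply["code"])
            if reply["code"] != "Access-Accept":
                self.port_vlan = GUEST_VLAN  # reject: the port stays in the guest VLAN
                return {"type": "EAP-Failure"}
            if reply.get("Tunnel-Type") == 13 and reply.get("Tunnel-Medium-Type") == 6:
                self.port_vlan = int(reply["Tunnel-Private-Group-ID"])
            else:
                self.port_vlan = DEFAULT_VLAN  # accepted, but no VLAN attributes: configured VLAN
            return {"type": "EAP-Success"}
        return {"type": "EAP-Failure"}  # anything else is not a valid step in the sequence

def authenticate(identity, secret):
    """Run one supplicant through the sequence; return (EAP result, VLAN the port ends in)."""
    port = Authenticator(RadiusServer())
    port.eapol({"type": "EAPOL-Start"})
    done = port.eapol({"type": "EAP-Response/Identity", "identity": identity, "secret": secret})
    return done["type"], port.port_vlan
```

Calling `authenticate("alice", "s3cret")` lands the port in VLAN 20 and `authenticate("mallory", "x")` leaves it in guest VLAN 10, which is the behaviour the diagram illustrates.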

Allied Telesis & Microsoft NAP

[Diagram: labels "802.1x Authentication", "Supplicant" and "MAC" on the authentication switches; stacked core switches uplinked by link aggregation (NIC teaming / 802.3ad) to a RADIUS server running on Windows Server 2008 with the Network Policy Server (NPS) and Domain Controller roles. Endpoints: printer in VLAN 30, IP phone in VLAN 40, Windows Vista clients in VLAN 30 and VLAN 10.]

NAC Overview

[Diagram: NAC overview, including a Remediation Server.]

What about him?

Disgruntled employee

DHCP snooping + ARP security

Port security

DHCP snooping

Ingress filter

Spanning tree defense

BPDU Guard / Root Guard

This is a switch:


© 2011 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.
