February 2014
Security threats in the LAN
Perimeter defense
Security threats
Security threats in the LAN
Information stealing
Information stealing
Information stealing / DoS
Rogue DHCP Server
DoS
Information stealing / DoS
Information stealing / DoS
Spanning tree attack
Oh no!!!! What do we do??????
Look who's knocking
AAA: Authentication, Authorization, Accounting
Introducing 802.1x
» 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
Component Protocols
Two protocols are involved in the authentication conversation:
» EAPoL, exchanged between the Supplicant and the Authenticator. EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1X.
» RADIUS, exchanged between the Authenticator and the Authentication Server. RADIUS has received specific extensions to interoperate with EAPoL.
Example Message Sequence
Dynamic VLAN Assignment / Guest VLAN
[Diagram: router, stacked core switches and authentication switches joined by link aggregation, with a RADIUS server; PC, Linux host, printer and IP phone ports are placed in Guest VLAN 10, Data VLAN 20 or Voice VLAN 30 according to the authentication result]
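The conversation described on the preceding slides, with the server's Access-Accept carrying the VLAN and the port falling back to the guest VLAN on reject or on a device with no supplicant, as an added Python model that is not part of the original presentation. The user store, VLAN numbers and message labels are constructed; no real EAP method or RADIUS packet encoding is implemented.

```python
"""Simplified model of the 802.1X conversation: the supplicant talks EAPoL to the
authenticator (switch), the authenticator relays to the authentication server
over RADIUS, and the server's Access-Accept/Reject decides the port's VLAN.
Credentials, VLAN numbers and message labels are constructed for illustration."""

GUEST_VLAN = 10         # constructed: fallback for unauthenticated or rejected ports
DEFAULT_DATA_VLAN = 20  # constructed: used when Access-Accept carries no VLAN


class AuthServer:
    """Stand-in for the RADIUS server: identity -> (secret, assigned VLAN)."""
    def __init__(self, users):
        self.users = users

    def access_request(self, identity, secret):
        entry = self.users.get(identity)
        if entry is None or entry[0] != secret:
            return {"code": "Access-Reject"}
        # Tunnel-Private-Group-ID is the RADIUS attribute that carries the VLAN
        return {"code": "Access-Accept", "Tunnel-Private-Group-ID": entry[1]}


def run_port_authentication(server, supplicant):
    """Drive one switch port through the exchange and return its final state.
    supplicant is (identity, secret), or None for a device with no 802.1X client
    (e.g. a printer), which the authenticator parks on the guest VLAN."""
    trace = [("EAPoL", "Authenticator -> Supplicant: EAP-Request/Identity")]
    if supplicant is None:
        trace.append(("EAPoL", "no EAP-Response before timeout"))
        return {"state": "unauthorized", "vlan": GUEST_VLAN, "trace": trace}
    identity, secret = supplicant
    trace += [("EAPoL", f"Supplicant -> Authenticator: EAP-Response/Identity ({identity})"),
              ("RADIUS", "Authenticator -> Server: Access-Request (EAP-Message)"),
              ("RADIUS", "Server -> Authenticator: Access-Challenge"),
              ("EAPoL", "Authenticator -> Supplicant: EAP-Request (challenge)"),
              ("EAPoL", "Supplicant -> Authenticator: EAP-Response (credential)"),
              ("RADIUS", "Authenticator -> Server: Access-Request (EAP-Message)")]
    reply = server.access_request(identity, secret)  # the switch only relays, never decides
    trace.append(("RADIUS", f"Server -> Authenticator: {reply['code']}"))
    if reply["code"] != "Access-Accept":
        trace.append(("EAPoL", "Authenticator -> Supplicant: EAP-Failure"))
        return {"state": "unauthorized", "vlan": GUEST_VLAN, "trace": trace}
    trace.append(("EAPoL", "Authenticator -> Supplicant: EAP-Success"))
    vlan = reply.get("Tunnel-Private-Group-ID", DEFAULT_DATA_VLAN)
    return {"state": "authorized", "vlan": vlan, "trace": trace}


if __name__ == "__main__":
    srv = AuthServer({"alice": ("s3cret", 20), "phone-01": ("v0ice", 30)})  # constructed
    for port in [("alice", "s3cret"), ("phone-01", "v0ice"), ("alice", "wrong"), None]:
        res = run_port_authentication(srv, port)
        print(port, "->", res["state"], "VLAN", res["vlan"])
```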
Allied Telesis & Microsoft NAP
[Diagram: 802.1X, supplicant and MAC authentication; stacked core switches and authentication switches joined by link aggregation (NIC teaming / 802.3ad); Windows Vista clients on VLAN 10 and VLAN 30, printer on VLAN 30, IP phone on VLAN 40; RADIUS server on Windows Server 2008 (Network Policy Server (NPS), Domain Controller)]
NAC Overview
Remediation Server
What about him?
Disgruntled employee
DHCP snooping + ARP security
Port security
DHCP snooping
Ingress filter
Spanning tree defense
BPDU Guard / Root Guard
This is a switch:
© 2011 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.