AT-9424 Product Overview
Managed Gigabit Switch with Denial of Service (DoS) Attack Protection

Allied Telesyn AT-9424
Gigabit Ethernet Switch for the Edge

First security-focused gigabit switch for the access edge
– Detects and protects against 6 DoS attack variants
– Classifiers and ACLs provide additional customizable security
– Also offers a competitive base feature set outside of security
• Available Now
• 24 10/100/1000 ports and 2 SFPs or GBICs in 1 RU
• Part Number: AT-9424T/SP-10 & AT-9424T/GB-10
Newest Addition to Extensive Switch Portfolio
(Portfolio chart; axis labels shown: Workgroup, Wiring Closet, NSP Backbone, Enterprise, NSP. Chart positions are not recoverable from the transcript.)
Layer 3 – Enterprise and Service Providers needing:
• High degree of traffic manipulation and management
• Multiple redundancy options
• Customizable script based actions for network management and security
Products shown: SwitchBlade, 9900 Series, 8924 / 8800 Family, 9800 Family, 8600 Family, 9624 (TBD)
Layer 2 Plus – Small to Medium Enterprise needing:
• Simplified management
• VoIP optimization
• Security
Products shown: 8500 Family
(A “Power over Ethernet” label appears beside the 8600 and 8500 families.)
Layer 2 – Small to Medium Business needing:
• Low cost
• Simple management
• Connectivity for less than 1,000 users
Products shown: 8400 Modular Chassis, 8000 Family, 8300 Stackable Family
AT-9424 – Target Markets
• Traditional Enterprise LAN
• Education Institutions
• Service-provisioned Leased Offices or MTUs
These organizations need gigabit and DoS attack protection
– They have users that bring laptops in and out of the network, making the network susceptible to hosting DoS attacks
AT-9424 the Gig Switch of Choice for:
• Security conscious medium to small organizations (50-1000 users)
 – The 9424 is the only switch in its class with attack detection and suppression
 – 54% of respondents to the Network Computing Reader Survey plan to invest more in security than in anything else
• SMEs and SMBs moving towards Gig-to-the-desk
 – Cost effective and more secure
• SMEs seeking a simple server aggregation switch
 – Rich quality of service (QoS) capabilities
• SMEs who want to eliminate distribution tier bottlenecks
 – Wirespeed gigabit switching in a compact form factor
The Denial of Service Threat
• A denial of service attack is a network infrastructure attack that is targeted towards:
 – Network equipment (routers, switches)
 – Services (e-mail, file servers)
 – Computer groups (PCs)
• Today IT attempts to address this issue in their WAN-facing security hardware, but since this attack is coming from the inside, the traffic is already clogging the network.
(Diagram: End Points – LAN – WAN Edge – Internet, with the attack path marked X at the WAN edge. Callouts:)
 – Host systems are often infected by spam email, web browsing and laptops used outside of the network.
 – Excess phony traffic from the DoS zombie clogs the network.
 – If the attack is successful it is a liability to the host network company.
AT-9424 – Service Highlights
L2-L4 Intelligent Services
QoS / ACLs
• Rate Limiting (Ingress & Egress)
• 8 hardware queues per port
• 802.1p for MAC-based QoS
• Layer 2, 3 and 4 classifiers
• DiffServ for IP-based QoS
• CoS to DSCP remarking
Redundancy
• 802.1w Rapid STP
• 802.1s Multiple STP
• 802.1D Spanning Tree
• Redundant Power Supply Option
• 802.3ad Link Aggregation (LACP)
Advanced Security
• Attack Detection / Suppression
• MAC Address Lockdown
• RADIUS / TACACS+
• SSHv2 & SSL
• Port Security
• 802.1x
AT-9424’s Layer 2-4 Intelligence
Layer 2-4 intelligence means looking deep into the packet headers and using classifiers to take action on what is found there.
Using Layer 2-4 Intelligence for security
• The ability to allow and disallow access to networks and network resources based on:
 – L2: MAC address, source, destination or both
 – L3: IP address, source, destination or both
 – L4: TCP and UDP port number
Using Layer 2-4 Intelligence for QoS
• The ability to prioritize and/or rate limit traffic based on:
 – L2: MAC address, source, destination or both
 – L3: IP address, source, destination or both
 – L4: TCP and UDP port number
Using Layer 2-4 Intelligence for management
• The ability to mirror traffic based on:
 – L2: MAC address, source, destination or both
 – L3: IP address, source, destination or both
 – L4: TCP and UDP port number
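The three uses of Layer 2-4 classification on this slide (access control, QoS, mirroring) are one matching engine with different actions attached to each rule. The Python block below is an added example written for this page, not Allied Telesyn code and not the AT-9424's own classifier: it evaluates a first-match rule table over constructed packets and returns a permit/deny decision, a hardware queue and an optional mirror port. The rule fields, the 10.0.50.0/24 server subnet, the guest laptop MAC, mirror port 24 and the queue numbering (0-7, with 7 treated as highest) are all assumptions.

```python
"""Added example (not Allied Telesyn code): a first-match Layer 2-4 classifier.
One rule table feeds the three uses on the slide: access control (permit/deny),
QoS (pick one of 8 hardware queues, 0-7, 7 treated as highest), and
management (mirror matching traffic to a port). Rule fields, addresses, ports
and queue numbering are constructed assumptions for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Any field left as None is a wildcard; every non-None field must match."""
    name: str
    src_mac: Optional[str] = None       # L2 match fields
    dst_mac: Optional[str] = None
    src_net: Optional[str] = None       # L3 match fields (CIDR)
    dst_net: Optional[str] = None
    proto: Optional[str] = None         # L4 match fields
    dst_port: Optional[int] = None
    permit: bool = True                 # security action
    queue: int = 0                      # QoS action
    mirror_port: Optional[int] = None   # management action

    def matches(self, p: Packet) -> bool:
        if self.src_mac and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.dst_mac and self.dst_mac.lower() != p.dst_mac.lower():
            return False
        if self.src_net and ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    rule: str
    permit: bool
    queue: int
    mirror_port: Optional[int]


DEFAULT = Verdict("default", permit=True, queue=0, mirror_port=None)


def classify(p: Packet, rules: List[Rule]) -> Verdict:
    """First matching rule wins, so the table is ordered most-specific first."""
    for r in rules:
        if r.matches(p):
            return Verdict(r.name, r.permit, r.queue, r.mirror_port)
    return DEFAULT


# Constructed rule table: the server subnet, the guest laptop's MAC and the
# mirror port are assumptions made for this example.
RULES = [
    Rule("deny-telnet-to-servers", dst_net="10.0.50.0/24", proto="tcp",
         dst_port=23, permit=False),
    Rule("voip-high-priority", dst_net="10.0.50.0/24", proto="udp",
         dst_port=5060, queue=7),
    Rule("mirror-guest-laptop", src_mac="00:11:22:33:44:55", mirror_port=24),
]


def demo() -> List[Verdict]:
    """Run four constructed packets through the table."""
    packets = [
        Packet("00:aa:bb:cc:dd:01", "00:50:56:00:00:10", "10.0.10.5", "10.0.50.10", "tcp", 23),
        Packet("00:aa:bb:cc:dd:02", "00:50:56:00:00:10", "10.0.10.6", "10.0.50.10", "udp", 5060),
        Packet("00:11:22:33:44:55", "00:50:56:00:00:20", "10.0.20.9", "198.51.100.7", "tcp", 443),
        Packet("00:aa:bb:cc:dd:03", "00:50:56:00:00:10", "10.0.10.7", "10.0.50.11", "tcp", 445),
    ]
    return [classify(p, RULES) for p in packets]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Rule order is the part worth getting right: because the deny rule sits above the mirror rule, the guest laptop's own telnet attempt to the server subnet is dropped rather than merely mirrored, which is the behaviour a security ACL should have.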
AT-9424’s Attack Detection and Suppression

AT-9424’s DoS-Attack Protection Feature
• A firewall supplement, not a firewall replacement
• It is a cost-effective additional layer of security
• It handles attacks that come from the inside and prevents them from clogging the network and affecting other services like VoIP
(Diagram: End Points – LAN – WAN Edge – Internet)
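One mechanism class behind "prevents them from clogging the network" is the ingress rate limiting by port and by flow listed in the feature summary. The block below is an added example, not Allied Telesyn code and not how the AT-9424 implements it: a token bucket per ingress port plus one per (port, source MAC) flow is run over a constructed one-second trace in which a DoS zombie floods 1500-byte frames every millisecond while a normal host on the same port sends a small frame every 10 ms. The rates (10 Mb/s per port, 1 Mb/s per flow), burst sizes, MAC addresses and the trace itself are assumptions.

```python
"""Added example (not Allied Telesyn code): ingress rate limiting by port and
by flow with token buckets. Each bucket holds up to `burst` bytes and refills
at `rate` bytes per second; a frame is accepted only if both the port bucket
and the flow (port + source MAC) bucket can pay for it. Integer microsecond
timestamps keep the arithmetic exact. Rates, bursts, MACs and the packet
trace are constructed assumptions for this example."""
from collections import defaultdict
from typing import Dict, List, Tuple

Frame = Tuple[int, int, str, int]   # (time_us, ingress port, src MAC, bytes)


class TokenBucket:
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps            # bytes credited per second
        self.burst = burst_bytes        # maximum credit (burst allowance)
        self.tokens = burst_bytes       # start full
        self.last_us = 0

    def refill(self, now_us: int) -> None:
        earned = (now_us - self.last_us) * self.rate // 1_000_000
        self.tokens = min(self.burst, self.tokens + earned)
        self.last_us = now_us

    def can_pay(self, nbytes: int) -> bool:
        return self.tokens >= nbytes

    def pay(self, nbytes: int) -> None:
        self.tokens -= nbytes


class IngressLimiter:
    """One bucket per ingress port plus one per (port, source MAC) flow."""

    def __init__(self, port_rate: int, port_burst: int,
                 flow_rate: int, flow_burst: int):
        self.port_buckets: Dict[int, TokenBucket] = defaultdict(
            lambda: TokenBucket(port_rate, port_burst))
        self.flow_buckets: Dict[Tuple[int, str], TokenBucket] = defaultdict(
            lambda: TokenBucket(flow_rate, flow_burst))
        self.accepted: Dict[str, int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)

    def ingress(self, now_us: int, port: int, src_mac: str, nbytes: int) -> bool:
        pb = self.port_buckets[port]
        fb = self.flow_buckets[(port, src_mac)]
        pb.refill(now_us)
        fb.refill(now_us)
        # Check both buckets before paying so a dropped frame charges neither.
        if fb.can_pay(nbytes) and pb.can_pay(nbytes):
            fb.pay(nbytes)
            pb.pay(nbytes)
            self.accepted[src_mac] += 1
            return True
        self.dropped[src_mac] += 1
        return False


def build_trace() -> List[Frame]:
    """Constructed one-second trace on port 1: a DoS zombie sending 1500-byte
    frames every millisecond, and a normal host sending 200-byte frames every 10 ms."""
    flood = [(t * 1000, 1, "00:de:ad:be:ef:01", 1500) for t in range(1000)]
    normal = [(t * 10_000, 1, "00:aa:bb:cc:dd:02", 200) for t in range(100)]
    return sorted(flood + normal, key=lambda f: f[0])


def run(trace: List[Frame]) -> Dict[str, Tuple[int, int]]:
    """Returns {src_mac: (accepted, dropped)} after running the trace through a
    limiter with a 10 Mb/s per-port budget and a 1 Mb/s per-flow budget."""
    lim = IngressLimiter(port_rate=1_250_000, port_burst=1_500_000,
                         flow_rate=125_000, flow_burst=150_000)
    for now_us, port, mac, nbytes in trace:
        lim.ingress(now_us, port, mac, nbytes)
    macs = set(lim.accepted) | set(lim.dropped)
    return {m: (lim.accepted[m], lim.dropped[m]) for m in macs}


if __name__ == "__main__":
    for mac, (ok, drop) in sorted(run(build_trace()).items()):
        print(f"{mac}: accepted={ok} dropped={drop}")
```

The per-flow bucket is what isolates the zombie: its 1.5 MB burst exhausts its own 150 kB allowance after 109 frames and is then trickled at the 1 Mb/s flow rate, while the normal host's 20 kB never touches its limit and the shared port bucket never runs dry. A per-port limit alone would have throttled both hosts together.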
Primary Application Example: Gigabit-to-the-Desk
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– 802.1x
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Advanced QoS
– Wire speed
– Attack detection and suppression
– GARP / GVRP
– Broadcast storm control
– Port Security (MAC Lockdown)
– IGMP Snooping
Other Application Examples: Server Aggregation
(Diagram: End Points – LAN – WAN Edge – Servers – Internet)
Supporting Features
– Rapid reconvergence (802.1w)
– Automatic port fail-over
– Link aggregation (LACP)
– Optional Redundant Power Supply
– QoS
– SFPs
– Attack detection and suppression
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Broadcast storm control
Other Application Examples: Access Switch Aggregation
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– Attack detection and suppression
– Multiple STP
– CoS to DSCP remarking
– Rapid reconvergence (802.1w)
– Link aggregation (LACP)
– QoS
– SFPs
– Optional Redundant Power Supply
– ACLs
– Rate limiting
– Broadcast storm control
Other Application Examples: Small Business Mini-core
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting Features
– Wirespeed Gigabit
– QoS
– Link aggregation
– Optional Redundant Power Supply
– Broadcast storm control
– Attack detection and suppression
– VLANs by MAC/Protocol/Subnet
– ACLs
– Rate limiting
– Bad cable detection
Most Compelling L2-4 Gigabit Switch
AT-9424

Everything you expect and more…
– Attack detection and suppression
– Advanced QoS capabilities
– L2-4 intelligence for custom security, management and QoS control
Available SFP Modules
Product Name      Speed     Distance   Ports
AT-SPSX           Gigabit   500m       MM Fiber
AT-SPLX10         Gigabit   10km       SM Fiber
AT-SPLX40         Gigabit   40km       SM Fiber
AT-SPLX40/1550    Gigabit   40km       SM Fiber
AT-SPZX80/xxxx    Gigabit   80km       SM Fiber
xxxx = Wavelengths: 1470, 1490, 1510, 1530, 1550, 1570, 1590, 1610
Available GBIC Modules
Product Name      Speed     Distance   Ports
AT-G8T            Gigabit   100m       Copper
AT-G8SX-01        Gigabit   500m       MM Fiber
AT-G8LX10         Gigabit   10km       SM Fiber
AT-G8LX25         Gigabit   25km       SM Fiber
AT-G8LX40         Gigabit   40km       SM Fiber
AT-G8LX70         Gigabit   70km       SM Fiber
Redundant Power Supply Option
• AT-RPS3204
AT-9424 Feature Summary
Security
• Attack detection and suppression (6 DoS variants)
• 802.1x
• Port security
• TACACS+
• RADIUS Authentication and Accounting
• ACLs by: packet type, IP address, protocol, port number, MAC address and VLAN
• Unknown unicast/multicast blocking
QoS
• 802.1p Class of Service
• Strict Priority and Weighted Round Robin
• ToS
• DiffServ
• CoS to DSCP mapping / remarking
• Ingress and egress rate limiting by port and flow
Management and Monitoring
• Web, CLI, Telnet, Serial
• SNMP v1, v2c, v3
• RMON 1 (Groups: 1, 2, 3, 9)
• Port-Mirroring
• ASCII-based config file
• Event Log
• RFC 2236 IGMP Snooping (Ver. 2.0)
• RFC 1112 IGMP Snooping (Ver. 1.0)
• RFC 951 BOOTP
• RFC 1350 TFTP
Redundancy
• 802.1D Spanning Tree Protocol
• 802.1w Rapid Spanning Tree
• 802.1s Multiple STP (compatible with PVST+)
• 802.3ad Link-Aggregation (LACP)
Scalability
• Switch cluster management
• 8 ports per trunk group
• Bad Cable Detection
• Broadcast Storm Control
• 802.3x flow control
VLANs
• Port-based VLAN (4096)
• GARP / GVRP
• IEEE 802.1v VLAN Classification by Protocol / IP Subnet
• Upstream forwarding only VLANs
• 802.1Q VLAN bridge
• 802.3ac VLAN tagging extensions
Thank You
Competitive Positioning
AT-9424
Competitive Landscape
• 3com SuperStack 3 Switch 3824
• 3com SuperStack 3 Switch 3870
• Cisco Catalyst 2970G-24TS
• HP ProCurve Switch 2824
• Foundry EdgeIron 24GS (FES2402CF)
• Enterasys Matrix C1G124-24
Selling Against 3com SuperStack 3 Switch 3824
• 24 10/100/1000 ports
 – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
• No attack detection & suppression
• No MAC address based VLANs
• No VLAN classification by protocol or subnet
• Not PVST+ compatible
• No 802.1s support
• No redundant power supply option
• No access control lists
• No SSL or SSH for management
• No RADIUS accounting
• No strict priority queuing
• No rate limiting
• No Telnet
• No BootP support
Selling Against 3com SuperStack 3 Switch 3870
• 24 10/100/1000 ports
 – 4 SFP slots
Their Deficiencies Compared to Allied Telesyn
• No attack detection & suppression
• No MAC address based VLANs
• No VLAN classification by protocol or subnet
• Not PVST+ compatible
• No 802.1s support
• Limited ACL capabilities
• No CoS to DSCP mapping / remarking
• No flow based rate limiting
• No BootP support
Selling Against Cisco 2970G-24TS
• 24 10/100/1000 ports
 – 4 SFP slots
Their Deficiencies Compared to Allied Telesyn
• They are priced at a premium
• No attack detection & suppression
• No MAC address based VLANs
• No RADIUS accounting
Selling Against HP ProCurve Switch 2824
• 20 10/100/1000 ports
 – 4 SFP/TX combo ports
Their Deficiencies Compared to Allied Telesyn
• No attack detection & suppression
• No CoS to DSCP mapping / remarking
• No MAC address based VLANs
• No VLAN classification by protocol or subnet
• No WRR queuing
• No access control lists
• No rate limiting
• Not PVST+ compatible
Selling Against Foundry EdgeIron 24GS (EIF24G-A)
• 24 10/100/1000 ports
 – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
• Priced at a premium
• No attack detection & suppression
• No MAC address based VLANs
• No VLAN classification by protocol or subnet
• No 802.1s support
• No access control lists
• No RADIUS accounting
• No rate limiting
• No NTP or SNTP support
• No redundant power supply option
Selling Against Enterasys Matrix C1G124-24
• 24 10/100/1000 ports
 – 4 SFP combo slots
Their Deficiencies Compared to Allied Telesyn
• No attack detection & suppression
• No MAC address based VLANs
• No VLAN Classification by Protocol / IP Subnet
• Not PVST+ compatible
• No 802.1s (Multiple STP)
• No switch cluster management
• No RADIUS accounting
• Limited ACL capabilities
• No TACACS+
• No CoS to DSCP Mapping / Remarking
• No flow based rate limiting
• No NTP or SNTP
• No BootP support
Allied Telesyn AT-9424
Managed 24-port Gigabit Switch + 2 SFPs
• Attack Protection
• Advanced QoS
• Layer 2-4 Intelligence
• 24 x 10/100/1000 auto-sensing ports
 – 2 unpopulated combo SFP slots (mini GBICs)
Exceeding Expectations
• Wirespeed, non-blocking performance
 – 48-Gbps switching capacity
 – 35.7-Mpps forwarding rate
• 1 Rack-mount Unit (RU) high form factor allows for rack space optimization
• 8 hardware queues
• RJ45 console port
• Ingress and egress rate limiting
Thank You
IEEE 802.1s (Multiple Spanning Tree)
Old Spanning Tree
• 802.1D – STP
 – Allows all or blocks all VLANs coming from a port
 – Slow convergence
• 802.1w – RSTP
 – Allows all or blocks all VLANs coming from a port
• Non-standards-based PVST
 – Consumes too much CPU time and network bandwidth (with control traffic)
802.1s advantages:
• Eliminates all limitations mentioned above
Image Source: NetworkWorldFusion, ‘802.1s solves architecture issues’ 08/04/03
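The "allow all or block all VLANs on a port" limitation of 802.1D/802.1w, and the way 802.1s removes it, can be made concrete with a small model. The Python block below is an added example written for this page, not Allied Telesyn code and not the switch's spanning-tree implementation: it runs a simplified shortest-path election of root, designated and blocked port roles over a constructed three-switch ring (like one access ring on the next slide), first with a single tree for every VLAN and then with two 802.1s instances rooted at different switches. The switch names, path costs, VLAN ids 10 (RED) and 20 (BLUE), and the choice of roots are assumptions; tie-breaking by switch name stands in for the bridge id.

```python
"""Added example (not Allied Telesyn code): what 802.1s buys over a single
spanning tree. 802.1D/802.1w compute one tree, so a blocked port is blocked for
every VLAN; 802.1s lets each MST instance (a group of VLANs) elect its own root,
so a link idle for one VLAN group carries another. The role election below is
a simplified shortest-path model of STP (root/designated/blocked), not a BPDU
state machine; the ring topology, bridge ids, costs and VLAN ids are constructed."""
import heapq
from typing import Dict, List, Set, Tuple

Topology = Dict[str, Dict[str, int]]        # switch -> {neighbour: path cost}
Port = Tuple[str, str]                      # (switch, neighbour it faces)

LINK_COST = 20000   # 802.1t recommended path cost for a 1 Gb/s link


def path_costs(topo: Topology, root: str) -> Dict[str, int]:
    """Dijkstra: cheapest path cost from every switch to the root bridge."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in topo[node].items():
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def port_roles(topo: Topology, root: str) -> Dict[Port, str]:
    """Assign 'root', 'designated' or 'blocked' to each port for one tree.
    Ties are broken by switch name, standing in for the bridge id."""
    dist = path_costs(topo, root)
    roles: Dict[Port, str] = {}
    for sw, links in topo.items():
        if sw != root:
            # root port: the neighbour offering the cheapest path to the root
            best = min(links, key=lambda n: (dist[n] + links[n], n))
            roles[(sw, best)] = "root"
        for nbr in links:
            if (sw, nbr) in roles:
                continue
            # the end closer to the root (cost, then bridge id) is designated;
            # the far end of that link is blocked
            if (dist[sw], sw) < (dist[nbr], nbr):
                roles[(sw, nbr)] = "designated"
            else:
                roles[(sw, nbr)] = "blocked"
    return roles


def forwarding_vlans(topo: Topology,
                     instances: Dict[str, Tuple[str, List[int]]]) -> Dict[Port, Set[int]]:
    """instances: {instance name: (root switch, VLANs mapped to it)}.
    Returns, per port, the set of VLANs allowed to forward on it."""
    fwd: Dict[Port, Set[int]] = {(sw, n): set() for sw in topo for n in topo[sw]}
    for root, vlans in instances.values():
        for port, role in port_roles(topo, root).items():
            if role != "blocked":
                fwd[port].update(vlans)
    return fwd


def fully_blocked(fwd: Dict[Port, Set[int]]) -> List[Port]:
    """Ports that carry no VLAN at all, i.e. links left idle."""
    return sorted(p for p, v in fwd.items() if not v)


# Constructed three-switch ring, like one access ring on the slide.
RING: Topology = {
    "A": {"B": LINK_COST, "C": LINK_COST},
    "B": {"A": LINK_COST, "C": LINK_COST},
    "C": {"A": LINK_COST, "B": LINK_COST},
}
RED, BLUE = 10, 20   # VLAN ids assumed for the slide's RED and BLUE

# 802.1D / 802.1w: one tree (rooted at A) governs every VLAN
LEGACY = {"CST": ("A", [RED, BLUE])}
# 802.1s: RED follows a tree rooted at A, BLUE a tree rooted at C
MSTP = {"MSTI1": ("A", [RED]), "MSTI2": ("C", [BLUE])}

if __name__ == "__main__":
    for label, inst in (("single tree", LEGACY), ("802.1s", MSTP)):
        fwd = forwarding_vlans(RING, inst)
        print(label, "idle ports:", fully_blocked(fwd),
              "| C->B carries", sorted(fwd[("C", "B")]),
              "| B->A carries", sorted(fwd[("B", "A")]))
```

With the single tree the C-B link is blocked at C for both VLANs and sits idle; with two instances the same port blocks only RED and forwards BLUE, while B's port towards A blocks BLUE and forwards RED, so every link in the ring carries traffic. Mapping many VLANs onto a few instances, rather than one tree per VLAN as PVST does, is also why 802.1s avoids PVST's control-traffic and CPU cost.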
IEEE 802.1s as Ethernet Services
802.1s with VLAN Services
• Alternative to Transparent LAN Services (aka Private Line Services)
• Ethernet is cheaper and more bandwidth efficient compared to TDM or ATM-based TLS
• Enables a large “flat” switched network for university campuses
 – Department has offices around “Access Ring #1” only: VLAN RED
 – Department has offices around “Access Ring #1” & “Core Ring”: VLAN BLUE
 – Department has offices spanning across “All Rings”: VLAN BLACK
(Diagram: Access Ring #1, Campus Core Ring, Access Ring #2)
IEEE 802.1x (Port-Based Network Access Control)
• Prevents unauthorized use of network resources, such as bandwidth and servers
• “Multi-Supplicant” and “Authenticator” modes are supported to allow indirect and direct host attachments
• Verified with all popular 802.1x clients, such as: Win-XP, Aegis Meeting House
• 8500 offers “Tiered Security” with 802.1x authentication and DoS-attack protection