AT-9424 Product Overview
Managed Gigabit Switch with Denial of Service (DoS) Attack Protection

Allied Telesyn AT-9424 Gigabit Ethernet Switch for the Edge
• First security-focused gigabit switch for the access edge
  – Detects and protects against 6 DoS attack variants
  – Classifiers and ACLs provide additional customizable security
  – Also offers a competitive base feature set outside of security
• Available now
• 24 10/100/1000 ports and 2 SFPs or GBICs in 1 RU
• Part numbers: AT-9424T/SP-10 and AT-9424T/GB-10

Newest Addition to Extensive Switch Portfolio
(Portfolio diagram: product families by layer, positioned from Workgroup and Wiring Closet through Enterprise to NSP Backbone.)
• Layer 3, for Enterprise and Service Providers needing large network applicability, a high degree of traffic manipulation and management, multiple redundancy options, and customizable script-based actions for network management and security: SwitchBlade, 9900 Series, 8924, 8800 Family, 9800 Family, 8600 Family (Power over Ethernet)
• Layer 2 Plus, for Small to Medium Enterprise needing simplified management, VoIP optimization and security: 9624 (TBD), 8500 Family (Power over Ethernet)
• Layer 2, for Small to Medium Business needing low cost, simple management and connectivity for fewer than 1,000 users: 8400 Modular Chassis, 8000 Family, 8300 Stackable Family

AT-9424 – Target Markets
(Diagram: Traditional Enterprise LAN, Education Institutions, Service-provisioned Leased Offices or MTUs)
• These organizations need gigabit and DoS attack protection
  – They have users who bring laptops in and out of the network, which makes the network susceptible to hosting DoS attacks

AT-9424 – the Gig Switch of Choice for:
• Security-conscious medium to small organizations (50-1000 users)
  – SMEs and SMBs moving towards gig-to-the-desk
  – Cost effective and more secure
• SMEs seeking a simple server aggregation switch
  – The 9424 is the only switch in its class with attack detection and suppression
  – 54% of respondents to the Network Computing Reader Survey plan to invest more in security than in anything else
• Rich quality of service (QoS) capabilities
• SMEs who want to eliminate distribution-tier bottlenecks
  – Wirespeed gigabit switching in a compact form factor

The Denial of Service Threat
• A denial of service attack is a network infrastructure attack targeted at:
  – Network equipment (routers, switches)
  – Services (e-mail, file servers)
  – Groups of computers (PCs)
• Today IT attempts to address this issue with WAN-facing security hardware, but when the attack comes from the inside the traffic is already clogging the LAN before it ever reaches that hardware
(Diagram: End Points – LAN – WAN Edge – Internet, with the attacking host inside the LAN)
• Host systems are often infected via spam e-mail, web browsing, and laptops used outside the network
• Excess phony traffic from the DoS zombie clogs the network
• If the attack is successful it is a liability to the host network company

AT-9424 – Service Highlights
L2-L4 Intelligent Services
• Rate limiting (ingress and egress)
• 8 hardware queues per port
• 802.1p for MAC-based QoS
• Layer 2, 3 and 4 classifiers
• DiffServ for IP-based QoS
• CoS to DSCP remarking
• QoS ACLs
Redundancy
• 802.1w Rapid STP
• 802.1s Multiple STP
• 802.1D Spanning Tree
• Redundant power supply option
• 802.3ad Link Aggregation (LACP)
Advanced Security
• Attack detection / suppression
• MAC address lockdown
• RADIUS / TACACS+
• SSHv2 and SSL
• Port security
• 802.1x

AT-9424's Layer 2-4 Intelligence
Layer 2-4 intelligence is looking deep into the packet (Ethernet, IP and TCP/UDP headers) and using classifiers to take action on what is found.
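The classifier-and-action model these slides describe (allow/deny, rate limit and mirror on L2 MAC, L3 IP and L4 port fields) together with the inside-the-LAN attack suppression the deck argues for, as an added worked example. This is not Allied Telesyn code and not how the AT-9424 implements either feature: it is a software model of an ordered L2-L4 ACL plus a per-source SYN-rate detector that pushes a deny-by-MAC rule to the front of the ACL once a host exceeds a threshold. The rule semantics (first terminal match wins, rate-limit and mirror as non-terminal modifiers, implicit permit), the 50-SYNs-per-second threshold, the addresses and the traffic are all assumptions made for the example.

```python
"""Added illustration, not Allied Telesyn code: an ordered L2-L4 classifier with
permit/deny, rate-limit and mirror actions, plus a per-source SYN flood detector
that installs a deny-by-MAC rule.  Rule semantics, thresholds and traffic are
assumptions made for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float           # arrival time in seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    syn: bool = False   # True for a TCP SYN with ACK clear


@dataclass
class Rule:
    action: str                     # "permit" | "deny" | "rate-limit" | "mirror"
    src_mac: Optional[str] = None   # L2 match
    src_net: Optional[str] = None   # L3 match, CIDR
    dst_net: Optional[str] = None
    proto: Optional[str] = None     # L4 match
    dst_port: Optional[int] = None
    kbps: int = 0                   # argument for rate-limit

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every set field must match."""
        return ((self.src_mac is None or p.src_mac.lower() == self.src_mac.lower())
                and (self.src_net is None or ip_address(p.src_ip) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net))
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port))


class Classifier:
    """Ordered ACL: the first matching permit/deny decides the packet; matching mirror
    and rate-limit rules seen before it only add actions (assumed semantics).
    No match at all means permit, as on an access port with no ACL applied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet):
        verdict, kbps, mirror = "permit", 0, False
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "mirror":
                mirror = True
            elif r.action == "rate-limit":
                kbps = r.kbps
            else:
                verdict = r.action
                break
        return verdict, kbps, mirror


class FloodDetector:
    """Counts SYNs per source MAC over a sliding window.  A host sending more than
    max_syn SYNs within window seconds is treated as a DoS zombie and a deny rule
    keyed on its MAC is pushed to the front of the ACL (suppression)."""

    def __init__(self, classifier: Classifier, max_syn: int = 50, window: float = 1.0):
        self.acl, self.max_syn, self.window = classifier, max_syn, window
        self.syns = defaultdict(deque)
        self.suppressed = set()

    def observe(self, p: Packet) -> bool:
        if not (p.proto == "tcp" and p.syn):
            return False
        q = self.syns[p.src_mac]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:   # drop SYNs that fell out of the window
            q.popleft()
        if len(q) > self.max_syn and p.src_mac not in self.suppressed:
            self.suppressed.add(p.src_mac)
            self.acl.rules.insert(0, Rule("deny", src_mac=p.src_mac))
            return True
        return False


def run_demo():
    """Constructed traffic: one well-behaved host and one zombie SYN-flooding a server."""
    acl = Classifier([
        Rule("deny", proto="tcp", dst_port=23, dst_net="10.0.0.0/24"),  # no Telnet into the server VLAN
        Rule("mirror", dst_net="10.0.0.5/32"),                           # copy traffic for 10.0.0.5 to the analyst port
        Rule("rate-limit", proto="udp", kbps=2000),                      # cap UDP flows at 2 Mbit/s
    ])
    det = FloodDetector(acl, max_syn=50, window=1.0)
    clerk, zombie = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"
    traffic = [Packet(0.0, clerk, "10.1.0.7", "10.0.0.5", "tcp", 443, syn=True),
               Packet(0.1, clerk, "10.1.0.7", "10.0.0.9", "tcp", 23, syn=True),
               Packet(0.2, clerk, "10.1.0.7", "10.0.0.9", "udp", 53)]
    traffic += [Packet(0.3 + i * 0.005, zombie, "10.1.0.99", "10.0.0.9", "tcp", 80, syn=True)
                for i in range(200)]                                     # 200 SYNs in under a second
    stats = defaultdict(int)
    for p in traffic:
        det.observe(p)                       # detection runs before the forwarding decision
        verdict, kbps, mirror = acl.decide(p)
        stats[(p.src_mac, verdict)] += 1
        stats["mirrored"] += mirror
        stats["rate_limited"] += bool(kbps)
    return dict(stats), sorted(det.suppressed)
```

run_demo() returns per-host verdict counts and the suppressed MACs. The zombie's first 50 SYNs are forwarded before the detector trips, which is why a threshold detector is paired with suppression rather than relied on alone, and the clerk's Telnet attempt is dropped by the static ACL regardless of rate. The detector never ages out a suppression, so a real deployment needs a timeout or an operator-clear path.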
Using Layer 2-4 Intelligence for security
• The ability to allow and disallow access to networks and network resources based on:
  – L2: MAC address (source, destination or both)
  – L3: IP address (source, destination or both)
  – L4: TCP and UDP port number
Using Layer 2-4 Intelligence for QoS
• The ability to prioritize and/or rate limit traffic based on:
  – L2: MAC address (source, destination or both)
  – L3: IP address (source, destination or both)
  – L4: TCP and UDP port number
Using Layer 2-4 Intelligence for management
• The ability to mirror traffic based on:
  – L2: MAC address (source, destination or both)
  – L3: IP address (source, destination or both)
  – L4: TCP and UDP port number

AT-9424's Attack Detection and Suppression
AT-9424's DoS-Attack Protection Feature
• A firewall supplement, not a firewall replacement
• A cost-effective additional layer of security
• It handles attacks that come from the inside and prevents them from clogging the network and affecting other services such as VoIP
(Diagram: End Points – LAN – WAN Edge – Internet)

Primary Application Example: Gigabit-to-the-Desk
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting features:
– 802.1x
– VLANs by MAC/protocol/subnet
– ACLs
– Rate limiting
– Advanced QoS
– Wire speed
– Attack detection and suppression
– GARP / GVRP
– Broadcast storm control
– Port security (MAC lockdown)
– IGMP snooping

Other Application Examples: Server Aggregation
(Diagram: End Points – LAN – WAN Edge – Internet, with servers attached to the switch)
Supporting features:
– Rapid reconvergence (802.1w)
– Automatic port fail-over
– Link aggregation (LACP)
– Optional redundant power supply
– QoS
– SFPs
– Attack detection and suppression
– VLANs by MAC/protocol/subnet
– ACLs
– Rate limiting
– Broadcast storm control

Other Application Examples: Access Switch Aggregation
(Diagram: End Points – LAN – WAN Edge – Internet, with the AT-9424 aggregating access switches)
Supporting features:
– Attack detection and suppression
– Multiple STP
– CoS to DSCP remarking
– Rapid reconvergence (802.1w)
– Link aggregation (LACP)
– QoS
– SFPs
– Optional redundant power supply
– ACLs
– Rate limiting
– Broadcast storm control

Other Application Examples: Small Business Mini-core
(Diagram: End Points – LAN – WAN Edge – Internet)
Supporting features:
– Wirespeed gigabit
– QoS
– Link aggregation
– Optional redundant power supply
– Broadcast storm control
– Attack detection and suppression
– VLANs by MAC/protocol/subnet
– ACLs
– Rate limiting
– Bad cable detection

Most Compelling L2-4 Gigabit Switch: AT-9424
Everything you expect and more…
– Attack detection and suppression
– Advanced QoS capabilities
– L2-4 intelligence for custom security, management and QoS control

Available SFP Modules
Product Name       Speed     Distance   Port/media
AT-SPSX            Gigabit   500 m      MM fiber
AT-SPLX10          Gigabit   10 km      SM fiber
AT-SPLX40          Gigabit   40 km      SM fiber
AT-SPLX40/1550     Gigabit   40 km      SM fiber
AT-SPZX80/xxxx     Gigabit   80 km      SM fiber (xxxx = wavelength in nm: 1470, 1490, 1510, 1530, 1550, 1570, 1590, 1610)

Available GBIC Modules
Product Name       Speed     Distance   Port/media
AT-G8T             Gigabit   100 m      Copper
AT-G8SX-01         Gigabit   500 m      MM fiber
AT-G8LX10          Gigabit   10 km      SM fiber
AT-G8LX25          Gigabit   25 km      SM fiber
AT-G8LX40          Gigabit   40 km      SM fiber
AT-G8LX70          Gigabit   70 km      SM fiber

Redundant Power Supply Option: AT-RPS3204

AT-9424 Feature Summary
Security
• Attack detection and suppression (6 DoS variants)
• 802.1x
• Port security
• TACACS+
• RADIUS authentication and accounting
• ACLs by packet type, IP address, protocol, port number, MAC address and VLAN
• Unknown unicast/multicast blocking
QoS
• 802.1p Class of Service
• Strict Priority and Weighted Round Robin queuing
• ToS
• DiffServ
• CoS to DSCP mapping / remarking
• Ingress and egress rate limiting by port and flow
Management and Monitoring
• Web, CLI, Telnet, serial
• SNMP v1, v2c, v3
• RMON 1
• Port mirroring
• ASCII-based config file
• Event log
• RFC 2236 IGMP Snooping (v2)
• RFC 1112 IGMP Snooping (v1) (Groups: 1, 2, 3, 9)
• RFC 951 BOOTP
• RFC 1350 TFTP
Redundancy
• 802.1D Spanning Tree Protocol
• 802.1w Rapid Spanning Tree
• 802.1s Multiple STP (compatible with PVST+)
• 802.3ad Link Aggregation (LACP)
Scalability
• Switch cluster management
• 8 ports per trunk group
• Bad cable detection
• Broadcast storm control
• 802.3x flow control
VLANs
• Port-based VLAN (4096)
• GARP / GVRP
• IEEE 802.1v VLAN classification by protocol / IP subnet
• Upstream-forwarding-only VLANs
• 802.1Q VLAN bridge
• 802.3ac VLAN tagging extensions

Thank You

Competitive Positioning
AT-9424 Competitive Landscape
• 3Com SuperStack 3 Switch 3824
• 3Com SuperStack 3 Switch 3870
• Cisco Catalyst 2970G-24TS
• HP ProCurve Switch 2824
• Foundry EdgeIron 24GS (FES2402CF)
• Enterasys Matrix C1G124-24

Selling Against 3Com SuperStack 3 Switch 3824 (24 10/100/1000 ports, 4 SFP combo slots)
Their deficiencies compared to Allied Telesyn:
– No attack detection and suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– Not PVST+ compatible
– No 802.1s support
– No redundant power supply option
– No access control lists
– No SSL or SSH for management
– No RADIUS accounting
– No strict priority queuing
– No rate limiting
– No Telnet
– No BootP support

Selling Against 3Com SuperStack 3 Switch 3870 (24 10/100/1000 ports, 4 SFP slots)
Their deficiencies compared to Allied Telesyn:
– No attack detection and suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– Not PVST+ compatible
– No 802.1s support
– Limited ACL capabilities
– No CoS to DSCP mapping / remarking
– No flow-based rate limiting
– No BootP support

Selling Against Cisco Catalyst 2970G-24TS (24 10/100/1000 ports, 4 SFP slots)
Their deficiencies compared to Allied Telesyn:
– Priced at a premium
– No attack detection and suppression
– No MAC address based VLANs
– No RADIUS accounting

Selling Against HP ProCurve Switch 2824 (20 10/100/1000 ports, 4 SFP/TX combo ports)
Their deficiencies compared to Allied Telesyn:
– No attack detection and suppression
– No CoS to DSCP mapping / remarking
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– No WRR queuing
– No access control lists
– No rate limiting
– Not PVST+ compatible

Selling Against Foundry EdgeIron 24GS (EIF24G-A) (24 10/100/1000 ports, 4 SFP combo slots)
Their deficiencies compared to Allied Telesyn:
– Priced at a premium
– No attack detection and suppression
– No MAC address based VLANs
– No VLAN classification by protocol or subnet
– No 802.1s support
– No access control lists
– No RADIUS accounting
– No rate limiting
– No NTP or SNTP support
– No redundant power supply option

Selling Against Enterasys Matrix C1G124-24 (24 10/100/1000 ports, 4 SFP combo slots)
Their deficiencies compared to Allied Telesyn:
– No attack detection and suppression
– No MAC address based VLANs
– No VLAN classification by protocol / IP subnet
– Not PVST+ compatible
– No 802.1s (Multiple STP)
– No switch cluster management
– No RADIUS accounting
– Limited ACL capabilities
– No TACACS+
– No CoS to DSCP mapping / remarking
– No flow-based rate limiting
– No NTP or SNTP
– No BootP support

Allied Telesyn AT-9424 Managed 24-port Gigabit Switch + 2 SFPs
Attack protection, advanced QoS, Layer 2-4 intelligence
• 24 x 10/100/1000 auto-sensing ports
  – 2 unpopulated combo SFP slots (mini-GBICs)
Exceeding Expectations
• Wirespeed, non-blocking performance
  – 48 Gbps switching capacity
  – 35.7 Mpps forwarding rate
• 1 rack-mount unit (RU) high form factor allows for rack space optimization
• 8 hardware queues
• RJ-45 console port
• Ingress and egress rate limiting

IEEE 802.1s (Multiple Spanning Tree)
Old spanning tree
• 802.1D – STP: a port either forwards or blocks all VLANs; slow convergence
• 802.1w – RSTP: converges faster, but a port still either forwards or blocks all VLANs
• PVST: not standards-based; consumes too much CPU time and network bandwidth, since it runs a separate tree and its control traffic for every VLAN
802.1s advantages:
• Eliminates all the limitations mentioned above: VLANs are mapped onto a small number of spanning-tree instances, so different VLANs can forward over different links without a separate tree per VLAN
Image source: NetworkWorldFusion, "802.1s solves architecture issues", 08/04/03

IEEE 802.1s as Ethernet Services
802.1s with VLAN Services
• Alternative to Transparent LAN Services (aka Private Line Services)
• Ethernet is cheaper and more bandwidth efficient than TDM- or ATM-based TLS
• Enables a large "flat" switched network for university campuses
(Diagram: Access Ring #1, Campus Core Ring, Access Ring #2. A department with offices around Access Ring #1 only: VLAN RED. A department with offices around Access Ring #1 and the Core Ring: VLAN BLUE. A department with offices spanning all rings: VLAN BLACK.)

IEEE 802.1x (Port-Based Network Access Control)
• Prevents unauthorized use of network resources such as bandwidth and servers
• "Multi-Supplicant" and "Authenticator" modes are supported to allow indirect and direct host attachments
• Verified with all popular 802.1x clients, such as Windows XP and Meetinghouse Aegis
• 8500 offers "Tiered Security" with 802.1x authentication and DoS-attack protection