Resumen del contenido incluido en la página 1
How To | Create A Secure Network With Allied Telesis
Managed Layer 3 Switches
Introduction
Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3.
This How To Note describes these features and includes brief examples of how to configure
them.
The implementations shown in this How To Note should be thought of as industry-standard
best practices.
Contents
Introduction ...................................................................................
Resumen del contenido incluido en la página 2
Which products and software versions does this information apply to? Appendix: Configuration scripts for MAC-forced forwarding example ................................... 27 Edge switch 1 .................................................................................................................. 27 Edge switch 2 .................................................................................................................................. 28 Edge switch 3 ................................
Resumen del contenido incluido en la página 3
Securing the device Securing the device The first step towards making a secure network is to secure Products the networking equipment itself. All switches listed on page 2 Software Versions There are two aspects to this. Firstly, physical security is vital—lock your networking equipment away. All Secondly, straight after powering up any new piece of networking equipment, change the default administrator user’s password. On an Allied Telesis managed layer 3 switch, the default user is “manager
Resumen del contenido incluido en la página 4
Protecting the network Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms: limiting broadcasts and multicasts on a port (“Bandwidth limiting” on page 4) detecting a storm and disabling that port or VLAN (“Using QoS policy-based storm protection” on page 5) Bandwidth limiting ARP packets are the most frequent trigger for broadcast Products storms. One ARP packet is flooded around and around a All swit
Resumen del contenido incluido en la página 5
Protecting the network Using QoS policy-based storm protection Policy-based storm protection lets you specify one of a Products range of actions for the switch to take when it detects a AT-8948 broadcast storm. It is a part of the QoS functionality. x900-48 Series AT-9900 Series Policy-based storm protection is more powerful than simple AT-9924Ts bandwidth limiting. It lets you restrict storm damage to x900-24 Series within the storming VLAN, and it gives you the flexibility to define what t
Resumen del contenido incluido en la página 6
Protecting the network Example The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds. set switch enhancedmode=qoscounters Reboot after turning on enhanced mode. create classifier=1 macdaddr=ff-ff-ff-ff-ff-ff create qos trafficclass=1 stormstatus=enable stormwindow=100 stormrate=100 stormaction=linkdown stormtimeout=60 The rest of the QoS configuration is as normal, so: create qos flowgroup=1 add qos
Resumen del contenido incluido en la página 7
Protecting the network 2. Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second: set switch thrashlimit=5..255 Configuration Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, on trunk the switches probably cannot negotiate STP or any other trunks that they belong to. This groups immediately causes a broadcast storm. Rapid MAC movement protection
Resumen del contenido incluido en la página 8
Protecting the network IGMP filtering IGMP filtering lets you dictate exactly which multicast Products groups a specific port can receive, by creating a filter list and All switches listed on page 2 applying it to the port. Different ports may have different that support 2.7.5 or later filter lists applied to them. Software Versions If desired, you can select the type of message to filter. By 2.7.5 or later default, filters apply to IGMP reports. You can create extra entries to also filter
Resumen del contenido incluido en la página 9
Managing the device securely Managing the device securely In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted recipients. A hacker may even be able to force a switch to flood unicast traffic. Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private. Therefore, you should always use encrypted sessions when remotely administering n
Resumen del contenido incluido en la página 10
Managing the device securely Using SSL for secure web access Products If you prefer to configure the switch using the convenient All switches listed on page 2, web-based GUI, then this is unencrypted by default. SSL lets except AT-8948 and x900-48 you use the GUI securely, by using HTTPS instead of HTTP. Series which have no Configuration 1. Add a security officer to your switch’s list of users. graphical user interface 2. Create an encryption key for SSL to use. Software Versions 3. Create
Resumen del contenido incluido en la página 11
Managing the device securely Examples To allow the user “steve” full read, write and notify SNMP access to the switch: enable snmp add snmp view=full oid=1.3.6.1 type=include add snmp group=super-users securitylevel=authPriv readview=full writeview=full notifyview=full add snmp user=steve group=super-users authprotocol=md5 authpassword=cottonsox privprotocol=des privpassword=woollytop To also give the user “jane” read and notify access to everything on the switch, add the following commands:
Resumen del contenido incluido en la página 12
Managing the device securely Whitelisting telnet hosts For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks. Building a whitelist through
Resumen del contenido incluido en la página 13
Managing the device securely Building a whitelist through QoS On AT-8948, AT-9900, AT-9900s, and x900 Series switches, Products use classifiers to build a whitelist and QoS to apply it. AT-8948 x900-48 Series Configuration 1. Create classifiers to match telnet traffic from permitted IP addresses to the switch’s IP address. AT-9900 Series AT-9924Ts 2. Create a classifier to match all telnet traffic to the x900-24 Series switch’s IP address. 3. Create a flow group and add the classifiers for per
Resumen del contenido incluido en la página 14
Identifying the user Identifying the user This section describes methods for authorising and tracking users and preventing them from changing their identity on the network. IP spoofing and tracking Unknown users who attempt to change IP address—to circumvent billing or to hide their identity—can be a problem for administrators. Changing IP address for malicious reasons is most commonly called IP spoofing, and is also known as ARP spoofing, ARP poisoning, and ARP poison routing (APR). The net
Resumen del contenido incluido en la página 15
Identifying the user Rejecting Gratuitous ARP (GARP) Products Hosts can use GARP to announce their presence on a All switches listed on page 2 subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use Software Versions GARP to penetrate the network by adding themselves to 2.5.1 and later the switch’s ARP table. You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely preve
Resumen del contenido incluido en la página 16
Identifying the user For more information about setting up DHCP snooping, see How To Use DHCP Snooping, Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP Snooping, Option 82 and Filtering on x900 Series Switches. These How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx. Setting up DHCP snooping This section describes a minimal configuration for DHCP snooping. With this configuration, the switch snoops DHCP packets to
Resumen del contenido incluido en la página 17
Identifying the user Using DHCP snooping to track clients If your DHCP server supports it, you can use “option 82” to record more information about DHCP clients. This enhances your ability to track users. The switch can pass option 82 information to the DHCP server so that the server can record the switch MAC, switch port, VLAN number and subscriber-ID that the client is a member of. Example To pass option 82 information to the server, including the information that port 1 is room 101, use t
Resumen del contenido incluido en la página 18
Protecting the user Protecting the user This section describes the following methods of protecting users from other users on the network: “Using private VLANs” on page 18. This feature isolates switch ports in a VLAN from other switch ports in the same VLAN. “Using local proxy ARP and MAC-forced forwarding” on page 19. These features force all traffic in a network to go via an access router. “Using IPsec to make VPNs” on page 24. This feature creates secure tunnels through an insecure net
Resumen del contenido incluido en la página 19
Protecting the user Example To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25: create vlan=example vid=2 private add vlan=2 port=24-25 frame=tagged uplink add vlan=2 port=2-6 To remove ports from the VLAN: # remove port 4: delete vlan=2 port=4 # remove all private ports and the uplink ports: delete vlan=2 port=all Using local proxy ARP and MAC-forced forwarding Both these features ensure the integrity of ARP in your network and let you take granular co
Resumen del contenido incluido en la página 20
Protecting the user The following figure shows a network that can use either local proxy ARP or MAC-forced forwarding—the examples in both the following sections refer to this network. Internet Management PC 24 Access 5 Router 20 12 SIP and Multicast server LACP Residential 12 Gateway 1 Edge 15 Switch 1 49 50 Client 1 50 Edge Switch 3 49 Residential Gateway 2 49 50 Edge Client 2 14 Switch 2 15 Residential Gateway 3 Client 3 macff.eps Local proxy ARP In a network configuration like the previo
