Loading...
How To | Create A Secure Network With Allied Telesis Managed Layer 3 Switches
Introduction
Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3. This How To Note describes these features and includes brief examples of how to configure them.
The implementations shown in this How To Note should be thought of as industry-standard best practices.
Contents |
|
Introduction .............................................................................................................................................. |
1 |
Which products and software versions does this information apply to? ................................... |
2 |
Securing the device ................................................................................................................................. |
3 |
Protecting the network .......................................................................................................................... |
3 |
Protecting against packet flooding ................................................................................................ |
3 |
Protecting against rapid MAC movement ................................................................................... |
6 |
Controlling multicast traffic ........................................................................................................... |
7 |
Managing the device securely ................................................................................................................ |
9 |
Using Secure Shell (SSH) ................................................................................................................ |
9 |
Using SSL for secure web access ................................................................................................ |
10 |
Using SNMPv3 ................................................................................................................................ |
10 |
Whitelisting telnet hosts .............................................................................................................. |
12 |
Identifying the user ................................................................................................................................ |
14 |
IP spoofing and tracking ................................................................................................................ |
14 |
Rejecting Gratuitous ARP (GARP) ............................................................................................ |
15 |
DHCP snooping ............................................................................................................................. |
15 |
Using 802.1x port authentication ............................................................................................... |
17 |
Protecting the user ................................................................................................................................ |
18 |
Using private VLANs ..................................................................................................................... |
18 |
Using local proxy ARP and MAC-forced forwarding ............................................................. |
19 |
Using IPsec to make VPNs ........................................................................................................... |
24 |
Protecting against worms ............................................................................................................. |
25 |
C613-16103-00 REV A |
www.alliedtelesis.com |
Which products and software versions does this information apply to? |
|
Appendix: Configuration scripts for MAC-forced forwarding example ................................... |
27 |
Edge switch 1 .................................................................................................................. |
27 |
Edge switch 2 .................................................................................................................................. |
28 |
Edge switch 3 .................................................................................................................................. |
29 |
Access Router ................................................................................................................................. |
30 |
For information about the AlliedWare firewall, see the Firewall chapter of your Software Reference, and the following How To Notes:
zHow To Configure Some Basic Firewall And VPN Scenarios
zHow To Apply Firewall Policies And Rules
How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx.
Which products and software versions does this information apply to?
This How To Note applies to the following Allied Telesis switch series:
zAT-8600
zAT-8700XL
zAT-8800
zRapier i
zSwitchBlade
zAT-9800
zAT-8948 and x900-48
zAT-9900
zAT-9900s and x900-24
Some features are only available on some switches and/or some software versions. Therefore, when this How To Note describes each feature, it lists the applicable switches and versions.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
2 |
Securing the device
Securing the device
The first step towards making a secure network is to secure the networking equipment itself.
There are two aspects to this. Firstly, physical security is vital—lock your networking equipment away.
Products
All switches listed on page 2
Software Versions
All
Secondly, straight after powering up any new piece of
networking equipment, change the default administrator user’s password. On an Allied Telesis managed layer 3 switch, the default user is “manager”. To change the password, use the following command:
set user=manager password=<new-password>
The default password is well-known. If you do not change it, anyone with physical or IP access could reconfigure the switch.
Protecting the network
This section describes layer 2 based methods for controlling the negative impact of misconfigured devices and misuse of the network. These solutions work at the Ethernet level of a packet and cause no degradation in the switch's throughput.
You can protect your network against the following:
ztraffic storms (“Protecting against packet flooding” on page 3)
zexcessive MAC address learning (“Protecting against rapid MAC movement” on page 6)
zunwanted multicast traffic (“Controlling multicast traffic” on page 7)
Protecting against packet flooding
Service providers are often vulnerable to traffic storms, primarily when incorrectly configured customer equipment is directly connected to the provider. Storms overwhelm a subnet, and all of the switches in that subnet, with traffic. Such misconfiguration can quickly lead to widespread outages and compromise guaranteed service levels.
Storms are a reality in any network. They can occur by accident, maliciously, or when a network device fails. They occur naturally in a network where switches are connected more than once to the same VLAN, so administrators must employ a method to prevent these switch loops.
Spanning Tree Protocol based solutions are the most common method of preventing loops. However, incorrect configuration or other network issues can cause STP to fail. For example, if a single switch in the VLAN does not have STP enabled, the STP tree will not converge properly. Spanning tree protocols can even fail if a broadcast storm drowns out STP messages.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
3 |
Protecting the network
Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms:
zlimiting broadcasts and multicasts on a port (“Bandwidth limiting” on page 4)
zdetecting a storm and disabling that port or VLAN (“Using QoS policy-based storm protection” on page 5)
Bandwidth limiting
ARP packets are the most frequent trigger for broadcast storms. One ARP packet is flooded around and around a network, crowding out all other traffic.
You can use a simple Quality of Service (QoS) configuration to match ARP packets and make sure that when a broadcast storm occurs, the effect is minimised.
Products
All switches listed on page 2
Software Versions
All
|
|
|
ISP switch |
|
When ISP switch has |
misconfigured |
flood of ARPs |
port |
|
no bandwidth control: |
customer switch |
48 |
||
|
||||
|
|
|||
|
|
|
ISP switch |
|
When ISP switch has |
misconfigured |
flood of ARPs |
port |
|
bandwidth limiting: |
customer switch |
48 |
||
|
||||
|
|
|||
|
|
|
secure-switch-bandwidth.eps |
Configuration To limit the bandwidth for ARPs:
1.Create a classifier to match ARP packets.
2.Create a QoS framework of policy, traffic class, and flow group. In the traffic class settings, specify the maximum bandwidth for ARP traffic.
3.Apply the policy—and therefore the bandwidth limit—to one or more ports.
Example The following configuration limits ARP packets to 100kbps on port 48.
create classifier=1 protocol=0806 ethformat=ethii-untagged create qos policy=1
create qos trafficclass=1 maxbandwidth=100 create qos flowgroup=1
add qos policy=1 trafficclass=1 add qos trafficclass=1 flowgroup=1 add qos flowgroup=1 classifier=1 set qos port=48 policy=1
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
4 |
Using QoS policy-based storm protection
Policy-based storm protection lets you specify one of a range of actions for the switch to take when it detects a broadcast storm. It is a part of the QoS functionality.
Policy-based storm protection is more powerful than simple bandwidth limiting. It lets you restrict storm damage to within the storming VLAN, and it gives you the flexibility to define what traffic rate makes a broadcast storm.
Configuration To use storm protection:
Protecting the network
Products
AT-8948
x900-48 Series
AT-9900 Series
AT-9924Ts
x900-24 Series
Software Versions
2.8.1 and later
1.Turn on the switch enhanced mode qoscounters, unless it is already enabled. After this, you need to restart the switch.
2.Create a classifier to match the desired traffic. To match all broadcast packets specify a destination MAC address of ff-ff-ff-ff-ff-ff.
3.Create a QoS traffic class and define the following storm protection settings in it:
z Window (stormwindow) specifies how often the switch measures traffic to decide whether to activate storm protection (in seconds).
zRate (stormrate) specifies the amount of traffic per second that must be exceeded before the switch takes action.
zAction (stormaction) specifies what the switch does when it detects a storm: Link Down (linkdown) makes the switch physically disable the port on which the storm is occurring, so that the link goes down.
Port Disable (portdisable) makes the switch logically disable the port on which the storm is occurring, leaving the link up.
VLAN Disable (vlandisable) makes the switch block traffic only on the VLAN on which the storm is occurring.
zTimeout (stormtimeout) specifies the number of seconds that the port remains disabled for.
4.Create the rest of the QoS framework: a flow group and policy. Add the classifier to the flow group, the flow group to the traffic class, and the traffic class to the policy.
5.Apply the policy—and therefore the storm protection—to one or more ports.
The procedure above applies storm protection to classified traffic, and uses a classifier to select all broadcast traffic. This is the most common approach. If you want to, you can instead classify to select important non-broadcast traffic and apply storm protection to unmatched traffic. Unimportant or unwanted unicast and multicast traffic then counts towards the storm calculations.
To apply storm protection to unclassified traffic, configure storm protection on the default traffic class in the QoS policy settings. Use the parameters dtcstormwindow, dtcstormrate, dtcstormaction, and dtcstormtimeout.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
5 |
Protecting the network
Example The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds.
set switch enhancedmode=qoscounters
Reboot after turning on enhanced mode.
create classifier=1 macdaddr=ff-ff-ff-ff-ff-ff
create qos trafficclass=1 stormstatus=enable stormwindow=100 stormrate=100 stormaction=linkdown stormtimeout=60
The rest of the QoS configuration is as normal, so:
create qos flowgroup=1
add qos flowgroup=1 classifier=1 add qos trafficclass=1 flowgroup=1 create qos policy=1
add qos policy=1 trafficclass=1 set qos port=1 policy=1
You can view matching traffic at the port level with the command:
show qos port=1 count trafficclass
Configuration on one or more ports
Protecting against rapid MAC movement
Rapid MAC movement protection detects excessive MAC address learning on a specific switch port. Once excessive learning is detected, the switch stops learning MAC addresses via the affected port.
Rapid MAC movement mostly occurs because of a broadcast storm, when one packet is storming around a layer 2 network. Rapid MAC movement protection is simpler to configure than QoS policy-based storm protection but is not guaranteed to stop all the varieties of broadcast storm.
Products
AT-8948
x900-48 Series
AT-9900 Series
AT-9924Ts
x900-24 Series
Software Versions
2.8.1 and later
Rapid MAC movement protection is on by default. The default action is to disable learning for 1 second. This gives the CPU of the switch some idle time, which may let a fast STP-type protocol converge. You can change the amount of idle time to suit your network, or select a different action.
To customise the protection:
1. Set the parameters in the following command:
set switch port=<ports> thrashaction={learndisable|linkdown|none| portdisable|vlandisable} thrashtimeout={none|1..86400} vlanstatustrap={on|off}
The parameter thrashaction specifies the switch’s response to rapid MAC movement:
zlearndisable makes the switch temporarily disable learning on the port.
zlinkdown makes the switch physically disable the port, so that the link goes down.
zportdisable makes the switch logically disable the port, leaving the link up.
zvlandisable makes the switch block traffic on only the VLAN on which the rapid learning occurred.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
6 |
Protecting the network
2.Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second:
set switch thrashlimit=5..255
Configuration Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, on trunk the switches probably cannot negotiate STP or any other trunks that they belong to. This
groups immediately causes a broadcast storm. Rapid MAC movement protection on the other switch in the trunk group detects such a storm because flooding of the same packet occurs on all trunk ports connected to the failed switch.
For a static trunk, to make use of rapid MAC movement protection, create the trunk and specify the optional thrashaction and thrashtimeout parameters:
create switch trunk=<name> port=<ports> thrashaction={learndisable|linkdown|none|portdisable| vlandisable} thrashtimeout={none|1..86400}
For a dynamic trunk using LACP, enable LACP, add ports, and set the optional thrashaction and thrashtimeout parameters:
enable lacp
add lacp port=<ports>
set lacp thrashaction={learndisable|linkdown|none|portdisable| vlandisable} thrashtimeout={none|1..86400}
Controlling multicast traffic
In a busy network, or one that has subscription-only access to multicast services, tight per-port control of multicast traffic is required. IGMP makes multicasting fairly efficient, but the extra control offered by AlliedWare helps increase efficiency.
When multicasting, it is essential to avoid filling the network with unnecessary multicast data and to make sure that the clients who join a group are entitled to receive it. It is also important to minimise delays in joining a group and to efficiently handle those who leave a group.
The following sections outline some of the IGMP controls that are particularly relevant for security. For detailed information on how to control IGMP in the network, see How To Configure IGMP for Multicasting on Routers and Managed Layer 3 Switches. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.
IGMP snooping
IGMP snooping is enabled by default on Allied Telesis managed layer 3 switches. IGMP snooping monitors the streams and clients involved in each multicast group, independent from IP itself. A snooping switch ensures that only ports that are interested in a group are sent it. This basic level of management works in tandem with the subnetwork's IGMP querier and makes sure that the querier gets notified of any client who wants to join the group.
Products
All switches listed on page 2
Software Versions
All
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
7 |
Protecting the network
IGMP filtering
IGMP filtering lets you dictate exactly which multicast groups a specific port can receive, by creating a filter list and applying it to the port. Different ports may have different filter lists applied to them.
If desired, you can select the type of message to filter. By default, filters apply to IGMP reports. You can create extra entries to also filter queries (type=query) and leave messages (type=leave).
Configuration For each port:
Products
All switches listed on page 2 that support 2.7.5 or later
Software Versions
2.7.5 or later
1.Work out which groups you want users on the port to be able to join.
2.Create an IGMP filter.
3.Create entries to allow the appropriate groups (action=include).
Note: The order of entries in a filter is important. When IGMP tries to match a message to a filter, it performs a linear search of the filter to find a matching entry. It tries each entry in turn, and stops processing the filter after the first match it finds.
4.Create an entry to block all groups (action=exclude). Give this entry a higher entry number than entries for the included groups.
5.Apply the filter to the port.
Example To stop the user attached to port 1 from joining any group except 224.12.13.14:
create igmp filter=1
add igmp filter=1 entry=1 group=224.12.13.14 action=include
add igmp filter=1 entry=2 group=224.0.0.0-239.255.255.255 action=exclude
set switch port=1 igmpfilter=1
IGMP throttling
Throttling limits the number of multicast groups that an individual port can join.
Example To limit port 2 to a total of 6 groups:
set switch port=2 igmpmaxgroup=6 igmpaction=replace
Products
All switches listed on page 2 that support 2.7.5 or later
Software Versions
2.7.5 or later
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
8 |
Managing the device securely
Managing the device securely
In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted recipients. A hacker may even be able to force a switch to flood unicast traffic.
Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private. Therefore, you should always use encrypted sessions when remotely administering network equipment, even in networks that you know well. The simplest way to achieve this is with Secure Shell (SSH).
This section describes secure management:
z“Using Secure Shell (SSH)” on page 9
z“Using SSL for secure web access” on page 10
z“Using SNMPv3” on page 10
Then the section ends by describing how to limit telnet access if you need to use telnet instead of one of the recommended secure options (“Whitelisting telnet hosts” on page 12).
When you are using a secure management scheme, we recommend that you block all telnet access to the switch, by disabling the telnet server:
disable telnet server
Using Secure Shell (SSH)
The Secure Shell (SSH) protocol is most simply described as an encrypted form of Telnet.
Configuration 1. Add a security officer to your switch’s list of users.
2. Create encryption keys for SSH to use.
Products
All switches listed on page 2
Software Versions
All
3.Enable the SSH server.
4.Add the security officer to the list of SSH users and specify a password for it. Only users in this list can use SSH to access the switch.
5.Enable system security.
Enabling system security makes telnet unavailable as an administrative interface—once you have configured SSH, you have to use it.
Example To configure SSH access for the security officer called “secoff”:
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
9 |
Using SSL for secure web access
If you prefer to configure the switch using the convenient web-based GUI, then this is unencrypted by default. SSL lets you use the GUI securely, by using HTTPS instead of HTTP.
Configuration 1. Add a security officer to your switch’s list of users.
2.Create an encryption key for SSL to use.
3.Create a self-signed PKI certificate, or load a certificate generated by a Certificate Authority (CA) if you have one.
4.Add the certificate to the certificate database.
5.Turn security on for the HTTP server.
6.Enable system security.
Managing the device securely
Products
All switches listed on page 2, except AT-8948 and x900-48 Series which have no graphical user interface
Software Versions
All
Once you have configured SSL, HTTPS connections to the device are available only on port 443.
Example To allow the security officer called “secoff” to browse securely to the GUI, using a self-signed certificate:
add user=secoff password=secoff privilege=securityofficer login=yes
create enco key=0 type=rsa length=1024
set system distinguishedname="cn=switch1,o=my_company,c=us"
create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=172.30.1.105,o=my_company,c=us"
add pki certificate=cer_name location=cer_name.cer trust=yes
set http server security=on sslkey=0 port=443
enable system security
Using SNMPv3
Traditionally, SNMP has been a popular but insecure way to monitor networks.
Allied Telesis devices are SNMPv3 compliant. By using SNMPv3, you can authenticate SNMP users and restrict their network access to parts of the network. SNMPv3 is very flexible, as the examples in this section show.
Products
All switches listed on page 2
Software Versions
2.6.4 and later
Configuration 1. Enable SNMP.
2.Set up one or more SNMP views. Views list the objects in the MIB that users can see.
3.Set up one or more groups and add the groups to the views. Each group is a collection of users who have the same access rights.
4.Set up one or more users and add them to the groups. Authentication parameters are set here.
5.Set up a traphost profile, for trap messages to be remotely sent to. This is not compulsory but we recommend it.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches |
10 |
Loading...