D-Link Network Security Solutions Robertas Matusa.
Security in D-Link Switching Environment
Authentication
Authorization
Traffic Control
Node and Address Control
ZoneDefense
Network Access Protection
Authentication
802.1X Authentication
MAC-Based Access Control
Web-Based Access Control
802.1X Authentication Mechanism
The 802.1X authentication mechanism consists of three components:
• Authentication Server (RADIUS Server): The Authentication Server validates the identity of the client and notifies the Authenticator.
• Authenticator (Switch): The Authenticator requests information from the client, verifies that information with the Authentication Server and relays a response to the client.
• Supplicant (Client): The client requests access to the LAN and switch services and responds to the requests from the switch. The workstation must run 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).
Disadvantage of 802.1X
• Even though 802.1X is a secure authentication method, integrating the 802.1X supplicant agent and the RADIUS server is always a challenge for deployment. It is not only costly but also consumes resources for setup and maintenance.
Non-802.1X Authentication Mechanism
On the other hand, non-802.1X methods make authentication deployment easier and more user-friendly. They can complement what 802.1X technology lacks and facilitate the deployment. This clientless mechanism is flexible and provides the required security.
Benefits of non-802.1X Authentication Mechanism
• Easy deployment (does not require client software)
• Low TCO (RADIUS server maintenance, operation staff…)
• More user-friendly (e.g. MAC-Based Access Control does not require users to input a username and password during authentication)
There is demand for emerging non-802.1X authentication solutions. Customers are looking for solutions which are easy to deploy and maintain and require no extra client software.
D-Link develops comprehensive solutions for both 802.1X and non-802.1X environments to increase productivity without compromising the security of the network.
IEEE 802.1X Definition
Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each client connecting to a switch port before the client has access to network resources.
D-Link’s Implementation
• Port-Based 802.1X: Users have to be authenticated before accessing the network. The switch will unlock the port only after the user passes the authentication.
• MAC-Based 802.1X: A D-Link switch can perform authentication based on MAC addresses. Each switch port can authenticate multiple computers’ access credentials.
802.1X Components
Before a Client is authenticated, 802.1X access control allows only EAPOL traffic to pass through the port where the client is connected. After authentication is successful, normal traffic can pass through the port.
Three different roles in IEEE 802.1X:
• Client
• Authenticator
• Authentication Server
[Figure: Client (NIC card: Ethernet 802.3, wireless card, etc.), Network Port (access point, Ethernet switch, etc.), AAA Server (any EAP server, mostly RADIUS). EAPOL packets pass through the port; normal packets are blocked (X) until authentication succeeds.]
802.1X Device Role : Client
The device (workstation) that requests access to the LAN and switch services, and responds to the user identity/challenge requests from the switch and RADIUS server.
The Workstation must be running 802.1X-Compliant Client Software. Microsoft Windows XP operating system has embedded 802.1X supplicant.
802.1X Device Role : Authentication Server
The Authentication Server validates the identity of the Clients and notifies the Authenticator (switch) whether the Client is authorized or unauthorized to access the LAN.
RADIUS (Remote Authentication Dial-In User Service) operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and many RADIUS clients.
802.1X Device Role : Authenticator
The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server. It requests identity information from the Client, verifies that information with the Authentication Server and relays request / response messages (identity & challenge) between the Client and Authentication Server.
802.1X Authentication Process
Participants: Workstation (Client), Switch (Authenticator), RADIUS Server (Authentication Server).
1. Client -> Switch: EAPOL Start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Switch -> RADIUS Server: RADIUS Access-Request
5. RADIUS Server -> Switch: RADIUS Access-Challenge
6. Switch -> Client: EAP Request/OTP
7. Client -> Switch: EAP Response/OTP
8. Switch -> RADIUS Server: RADIUS Access-Request
9. RADIUS Server -> Switch: RADIUS Access-Accept
10. Switch -> Client: EAP Success (Port Authorized)
11. Client -> Switch: EAP Logoff
12. Switch -> RADIUS Server: RADIUS Account-Stop
13. RADIUS Server -> Switch: RADIUS Ack (Port Unauthorized)
OTP – One Time Password
Example: Port-Based 802.1X
All clients connected to the L2 Switch/Hub can pass through the Authenticator with Port-Based 802.1X once a client (James) is authenticated.
Example: MAC-Based 802.1X
Each client needs to provide the correct individual username/password to pass the authentication so that it can access the network.
Note that the L2 Switch/Hub needs to support 802.1X pass-through. Otherwise, the 802.1X packets (with destination MAC = 0180c2000003, inside the IEEE reserved range 0180c2000001~0f) will be dropped and never reach the Authenticator.
MAC-Based 802.1X is one of D-Link’s advantages in 802.1X technology. Most competitors only support port-based 802.1X authentication.
Port-Based 802.1X vs. MAC-Based 802.1X
Port-Based 802.1X
• Once a port is authorized by a client, the other users connecting to the same port through a hub or switch can pass through the Authenticator.
MAC-Based 802.1X
• Once a port is authorized by a client, only this client can pass through the Authenticator.
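The following is an added example (not D-Link code): a small Python model of the authenticator's port access control that walks the message sequence from the process diagram above and contrasts port-based with MAC-based authorization. The `Port` class, the `radius_db` dictionary and all MAC addresses are assumptions constructed for the demonstration; only the EAPOL EtherType 0x888E comes from the standard.

```python
EAPOL_ETHERTYPE = 0x888E   # EtherType of EAP over LAN frames (IEEE 802.1X)
IPV4_ETHERTYPE = 0x0800


class Port:
    """Authenticator-side port access control for one switch port (model)."""

    def __init__(self, mode):
        assert mode in ("port-based", "mac-based")
        self.mode = mode
        self.port_authorized = False   # state used in port-based mode
        self.authorized_macs = set()   # state used in MAC-based mode

    def on_access_accept(self, client_mac):
        """RADIUS Access-Accept received for this client (EAP Success relayed)."""
        if self.mode == "port-based":
            self.port_authorized = True
        else:
            self.authorized_macs.add(client_mac)

    def on_logoff(self, client_mac):
        """EAPOL-Logoff from the supplicant; returns the messages that follow."""
        if self.mode == "port-based":
            self.port_authorized = False
        else:
            self.authorized_macs.discard(client_mac)
        return ["EAPOL-Logoff", "RADIUS Accounting-Stop", "RADIUS Ack", "Port Unauthorized"]

    def allows(self, src_mac, ethertype):
        """Would a frame from src_mac with this EtherType pass the port?"""
        if ethertype == EAPOL_ETHERTYPE:
            return True            # EAPOL always passes so clients can authenticate
        if self.mode == "port-based":
            return self.port_authorized
        return src_mac in self.authorized_macs


def run_exchange(port, client_mac, identity, otp, radius_db):
    """Walk the message sequence from the diagram above. radius_db is a
    hypothetical identity -> expected one-time password mapping. Returns the
    messages exchanged and whether the client ended up authorized."""
    msgs = ["EAPOL-Start", "EAP-Request/Identity", "EAP-Response/Identity",
            "RADIUS Access-Request"]
    if identity not in radius_db:
        return msgs + ["RADIUS Access-Reject", "EAP-Failure"], False
    msgs += ["RADIUS Access-Challenge", "EAP-Request/OTP", "EAP-Response/OTP",
             "RADIUS Access-Request"]
    if radius_db[identity] != otp:
        return msgs + ["RADIUS Access-Reject", "EAP-Failure"], False
    port.on_access_accept(client_mac)
    return msgs + ["RADIUS Access-Accept", "EAP-Success", "Port Authorized"], True


def demo():
    """Constructed scenario: James authenticates; Bob sits behind the same hub."""
    james, bob = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    radius_db = {"james": "493-2811"}   # constructed sample entry
    result = {}
    for mode in ("port-based", "mac-based"):
        p = Port(mode)
        _, ok = run_exchange(p, james, "james", "493-2811", radius_db)
        result[mode] = {"james_ok": ok,
                        "james_ip": p.allows(james, IPV4_ETHERTYPE),
                        "bob_ip": p.allows(bob, IPV4_ETHERTYPE),
                        "bob_eapol": p.allows(bob, EAPOL_ETHERTYPE)}
    return result


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, r)
```

In port-based mode Bob's IP traffic passes as soon as James is authorized; in MAC-based mode only James's MAC passes, which is the difference the two slides above describe.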
Authorization using 802.1X Guest VLAN
802.1X Guest VLAN is used to implement a (guest) VLAN with limited access rights and features.
When this feature is enabled, all guest accounts and clients that are incompatible with 802.1X authentication are directed to the guest VLAN when they try to access the switch.
MAC-Based Access Control (MAC) Overview
Controls users’ access to the network.
Defines whether a user is authorized to access the network by matching the user’s MAC address against the MAC addresses stored in the database (local or external).
Web-Based Access Control (WAC) Overview
D-Link xStack Switches can authenticate connected users when the users try to surf the Internet. It is an authentication process which uses the HTTP protocol.
WAC with Switch’s Local Database
1. When you visit the web server
2. A username/password dialog box appears, asking for a username and password
3. Once the user inputs the correct username and password, he passes the authentication. A “successful log in” message screen will appear. The web page will be redirected to 10.10.10.101, as configured in this example.
4. The authenticated user can access the network and has no limit on the web application.
Web-Based Access Control Summary
WAC provides an easy-to-use authentication method based on the HTTP protocol. Before passing authentication, all TCP traffic will be blocked.
WAC can use the local database or a RADIUS database to store the authentication information.
With WAC, different users are assigned different VLAN memberships. It can provide different service levels based on different username logins.
Authorization
Most network administrators require authorization based on user identity. D-Link provides several features as follows:
• Dynamic VLAN assignment
• Guest VLAN with restricted network access
• Client attribute assignment
• Bandwidth control for the port
• 802.1p priority
• ACL assigned to users with different profiles
Benefits of User Authorization:
• Granular access control
• Users get privileges with different access rights
• Guests have limited network access on the guest VLAN
• Flexible bandwidth and QoS control
• Bandwidth allocation and traffic prioritization can be set based on user identity
D-Link Implementations for User Authorization
Identity-Driven VLAN
Identity-Driven VLAN describes the RADIUS server Dynamic VLAN Assignment definition (including VLAN ID and VLAN name).
This is applicable to all access control methods, such as 802.1X, MAC-Based Access Control, Web-Based Access Control and JWAC.
Identity-Driven QoS
D-Link defines the “Identity-Driven QoS” feature with the following two items:
802.1X Extension Bandwidth Assignment
• If an 802.1X port is authenticated, the bandwidth assignment from the RADIUS server can overwrite the locally configured ingress or egress bandwidth of this port.
• If the assigned bandwidth is invalid (less than 0 or greater than the maximum supported value), it will be ignored. The switch will adopt its local setting.
• A zero (0) value means there is no bandwidth limit for the client.
• When 802.1X is disabled, the original bandwidth configuration will be restored.
802.1X Extension Priority Assignment
• If an 802.1X port is authenticated, the priority from the RADIUS server can overwrite the locally configured 802.1p default priority of this port.
• If the assigned priority is invalid (less than 0 or greater than 7), it will be ignored. The switch will adopt its local setting.
• When 802.1X is disabled, the original 802.1p priority configuration will be restored.
Traffic Control
Access Control List
Bandwidth Control
Traffic Storm Control
L2-L7 Access Control List
D-Link Access Control List (ACL) filters network packets based on the following information:
• Switch port
• MAC address / IP address
• Ethernet type / Protocol type
• VLAN
• 802.1p / DSCP
• TCP / UDP port (Application type)
• Packet payload (Application type)
Guideline to Configure Access Profile
1. Analyze the filtering goal and determine whether to use an Ethernet or an IP Access Profile.
2. Decide the filtering strategy:
• Deny some hosts and allow all: This strategy is suitable for an environment with few hosts / protocol ports / subnets which need to be filtered.
• Allow some hosts and deny all: This strategy is suitable for an environment with few hosts / protocol ports / subnets which need to be allowed. All other traffic will be filtered.
3. Based on the strategy, determine which “access profile masks” are needed and create them (corresponds to the “create access_profile” command).
4. Add the “access profile rules” associated with the mask (corresponds to the “config access_profile” command).
Access profile rules are checked based on the access_id number. The lower ID is checked first. If no rule matches, the packet is permitted.
In a QoS environment, when a rule is matched, the 802.1p bits/DSCP can be replaced with a new higher/lower priority before the packets are sent out.
Access Profile Types
There are many types of Access Profile to support different conditions for filtering traffic into a switch.
Ethernet Profile
Used to configure the Ethernet access profile on the Switch and define specific values for the rules that will be used by the Switch to determine if a given packet should be forwarded or filtered. Masks will be combined, using a logical AND operational method, with the values in the specified frame header fields.
It supports the following profile types:
• VLAN
• Source MAC
• Destination MAC
• 802.1p
• Ethernet type
IP Profile
Used to configure the IP access profile on the Switch and define specific values for the rules that will be used by the Switch to determine if a given packet should be forwarded or filtered. Masks will be combined, using a logical AND operational method, with the values in the specified frame header fields.
It supports the following profile types:
• VLAN
• Source IP Mask
• Destination IP Mask
• DSCP
• Protocol (ICMP, IGMP, TCP, UDP)
Packet Content Filtering Profile
The packet content filter feature is used to identify packets by examining the Ethernet packet header byte by byte, and then decide whether to filter or forward them based on the user’s configuration. The user specifies which bytes to examine by entering them into the command in hexadecimal form, and then selects whether to filter or forward matching packets.
Not all models support this feature. Please check product specifications for each model.
How to Count Mask
The switch Web GUI is an easy and convenient tool to calculate the mask for mapping an ACL profile.
If the mask exceeds the range you assigned, a warning message will be prompted.
Time-Based ACL
Configure the Switch Time Profile:
config time 04Sep2007 17:00:00
config time_range Time_Range hours start_time 8:0:0 end_time 17:0:0 weekdays mon-fri
create access_profile profile_id 2 ip source_ip_mask 255.255.255.0 tcp dst_port_mask 0xFFFF
config access_profile profile_id 2 add access_id auto_assign ip source_ip 192.168.0.0 tcp dst_port 80 port 1 deny time_range Time_Range
Configure Packet Content ACL
Create a Packet Content ACL Access Profile
• Packet Content ACL is designed to inspect any offset_chunk.
• An offset_chunk is a four-byte block, in hexadecimal format, which is used to match an individual field in an Ethernet frame. Each profile is allowed to contain up to a maximum of four offset_chunks.
• Only one single Packet Content ACL profile can be supported per switch. In other words, up to 16 bytes of offset_chunks in total can be applied to each profile and switch.
Add an Access Rule to the Access Profile and decide the Rule Action.
ARP Spoofing Attack
Address Resolution Protocol (ARP)
ARP is the standard method for finding a host’s hardware address (MAC address) when only its IP address is known. This protocol is vulnerable because hackers can spoof the IP and MAC information in ARP packets to attack the LAN (known as ARP spoofing).
How does ARP spoofing attack a network?
ARP spoofing, also known as ARP poisoning, is a method of attacking an Ethernet network which may allow an attacker to sniff data frames on a LAN, modify the traffic, or stop the traffic (known as a Denial of Service (DoS) attack).
The principle of ARP spoofing is to send fake, or spoofed, ARP messages onto an Ethernet network.
Generally, the aim is to associate the attacker’s or any random MAC address with the IP address of another node (such as the default gateway). Any traffic destined for that IP address will be redirected to the node specified by the attacker.
IP spoofing here is carried out with gratuitous ARP, which occurs when a host sends an ARP request to resolve its own IP address.
The diagram shows a hacker within a LAN initiating an ARP spoofing attack.
Prevent ARP Spoofing via Packet Content ACL
The DoS attacks seen today are normally caused by ARP spoofing. D-Link managed switches can effectively mitigate them via their unique Packet Content ACL.
The basic ACL can only filter ARP packets based on packet type, VLAN ID, and source and destination MAC information. Further inspection of ARP packets is needed. To prevent ARP spoofing attacks, D-Link switches use Packet Content ACL to block invalid ARP packets which contain a fake gateway MAC and IP binding.
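As an added example (not D-Link code), the following Python model emulates a packet content ACL as described in the two slides above: rules of up to four 4-byte offset_chunks with masks, checked in access_id order with a default permit, configured to permit ARP packets carrying the genuine gateway IP/MAC binding and deny any other ARP packet that claims the gateway IP. The gateway address, the frame builder and all sample frames are constructed for the demonstration; offsets count from the start of an untagged Ethernet frame.

```python
import struct


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP frame (sample input for the model, not captured)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw/proto type, lens, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)    # bytes 22-27, 28-31
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)    # bytes 32-37, 38-41
    return eth + arp


class Rule:
    """One access rule: up to four (offset, mask, value) chunks, all must match."""

    def __init__(self, access_id, action, chunks):
        assert len(chunks) <= 4 and action in ("permit", "deny")
        self.access_id, self.action, self.chunks = access_id, action, chunks

    def matches(self, frame):
        for offset, mask, value in self.chunks:
            field = frame[offset:offset + 4]
            if len(field) < 4:
                return False          # frame too short to hold this chunk
            if int.from_bytes(field, "big") & mask != value & mask:
                return False
        return True


def evaluate(rules, frame):
    """Lowest access_id is checked first; no match means permit, as on the page."""
    for rule in sorted(rules, key=lambda r: r.access_id):
        if rule.matches(frame):
            return rule.action
    return "permit"


def gateway_arp_rules(gw_mac, gw_ip):
    """Permit ARP whose sender pair is the real gateway binding, then deny any
    other ARP claiming the gateway IP; everything else falls through to permit."""
    mac_int = int.from_bytes(mac_bytes(gw_mac), "big")
    ip_int = int.from_bytes(ip_bytes(gw_ip), "big")
    is_arp = (12, 0xFFFF0000, 0x08060000)              # EtherType 0x0806
    sender_mac_hi = (20, 0x0000FFFF, mac_int >> 32)    # bytes 22-23 after the opcode
    sender_mac_lo = (24, 0xFFFFFFFF, mac_int & 0xFFFFFFFF)
    sender_ip = (28, 0xFFFFFFFF, ip_int)
    return [
        Rule(1, "permit", [is_arp, sender_mac_hi, sender_mac_lo, sender_ip]),
        Rule(2, "deny", [is_arp, sender_ip]),
    ]


if __name__ == "__main__":
    GW_MAC, GW_IP = "00:1b:11:aa:bb:cc", "192.168.0.1"   # constructed gateway binding
    rules = gateway_arp_rules(GW_MAC, GW_IP)
    legit = build_arp(GW_MAC, "ff:ff:ff:ff:ff:ff", 1, GW_MAC, GW_IP,
                      "00:00:00:00:00:00", "192.168.0.50")
    spoof = build_arp("00:0c:29:de:ad:01", "00:50:56:11:22:33", 2, "00:0c:29:de:ad:01",
                      GW_IP, "00:50:56:11:22:33", "192.168.0.50")
    print("genuine gateway ARP:", evaluate(rules, legit))   # permit
    print("ARP claiming gateway IP from another MAC:", evaluate(rules, spoof))   # deny
```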
Bandwidth Control
Port-based Bandwidth Control
• Port-based bandwidth control is a D-Link QoS feature which a network administrator can use to control the upstream and downstream network access rate of a switch port.
Flow-based Bandwidth Control
• Flow-based bandwidth control, on the other hand, is an application derived from the access control list feature. With flow-based bandwidth control, a network administrator can apply granular bandwidth control to traffic flows on a per-application basis.
Node and Address Control
Loopback Detection
Port Security
IP-MAC-Port Binding
Loopback Detection (LBD)
STP is a common way to prevent loops in the network. However, it has limitations when detecting a loop that occurs on the same physical port.
LBD is a compulsory feature in Metro Ethernet applications. Without LBD, a loop at an end user’s home may affect and bring down the whole network.
Advantages of D-Link LBD:
• VLAN blocking capability
• Auto-recovery design: when the loop is removed, the port can recover without the administrator’s intervention.
Differences between LBD v2.0 and LBD v4.0
The main differences between STP Loopback Detection (LBD v2.0) and the latest LBD v4.0 are:
• STP independence
  • LBD v2.0: STP Loopback Detection uses BPDUs to detect the loop. STP must be enabled for this LBD feature to work.
  • LBD v4.0: Loopback Detection uses another (multicast) packet type to detect the loop. It is a better solution than the STP-dependent method.
• Optional actions when a loop occurs
  • Action 1: Shut down the port
  • Action 2: Shut down the individual VLAN with the loop
Two Actions of LBD v4.0
D-Link provides two selectable actions when a loop occurs.
Shut down the port (default setting)
• This is the same as LBD v2.0.
Block the traffic from the VLAN where the loop occurs, without shutting down the port
• As the affected port is not shut down, there is no influence on the devices or members of other VLANs on the same port.
• However, since the port is not shut down, the CPU will still receive the traffic, including BPDU or ARP/broadcast packets, which is a high load.
• Therefore, the Safeguard Engine needs to be enabled to protect the CPU.
Port Security
Limits the number of users that have access to secured ports.
Controls clients’ access to the secured port based on their physical addresses (MAC addresses).
Three modes of Port Security
• Permanent: The locked addresses never age out, even after the aging timer expires.
• Delete on Timeout: The locked addresses age out after the aging timer expires. If the link status changes on the connected port, the MAC addresses learned on that port are removed. The result is the same as the expiry of the aging timer.
• Delete on Reset: The locked addresses age out after the switch is reset. (Default setting)
Problem Caused by Improper IP Management
Auditing Problem
• Current auditing mechanisms, such as syslog, application logs, firewall logs, etc., are mainly based on IP information. The log information is meaningless if the IP can be changed by the user without control.
IP Conflict Problem
• IP conflict is the most common problem in today’s networks. Users change the IP address manually and cause conflicts with other resources, such as other PCs, core switches, routers or servers.
Solution to Improve IP Management
IP-MAC-Port Binding (IMPB)
• Restricts unauthorized access or blocks ARP spoofing attacks on certain switch ports by comparing the IP-MAC address pair with the database.
• With IP-MAC-Port Binding, all packets are dropped by the switch when the MAC address, IP address and connected port are not in the address-binding list.
ARP Mode
• ARP Packet Inspection: Checks the IP-MAC pair in ARP packets and denies unauthorized ones
• Does not consume switch ACL rules
ACL Mode
• ARP Packet Inspection: Checks the IP-MAC pair in ARP packets
• IP Packet Inspection: Checks the IP and MAC in the IP and MAC headers respectively using the ACL
• Consumes switch ACL rules
• Stronger security policy enforcement
DHCP Snooping Option
• Learns IP-MAC pairs automatically by snooping DHCP packets and saves them to the IP-MAC-Port binding white list
• Hassle-free configuration: Administrators do not need to configure IP-MAC-Port entries manually
• Robust security policy: Forces end users to use DHCP; static IP settings are disallowed
• Can be enabled along with either ARP or ACL mode
Solution to Improve IP Management
There is great demand for the IMPB feature today. It can ease IP management and prevent ARP spoofing attacks.
There are many ARP spoofing attack tools on the Internet today. Anyone can use such a tool to attack the network easily. Therefore, administrators of larger networks, such as campus and Metro Ethernet networks, are seeking solutions to prevent such attacks.
D-Link IMPB is a proven feature from the field and its comprehensive options can address most field challenges.
D-Link IP-MAC-Port Binding
There are three IMPB modes:
• ARP mode
• ACL mode
• DHCP mode
These three IMPB modes are methods to build up the IMPB entries and to program those entries into the hardware tables. IMPB is enabled on a per-port basis. When IMPB is enabled on the ports, the administrator needs to specify the port mode:
• Strict mode: The port is blocked by default; the hosts must be authenticated to send traffic.
• Loose mode: The port is enabled by default; the hosts can send traffic. When an invalid ARP is detected, the traffic will be blocked.
Three Modes of IP-MAC-Port Binding
ARP Mode
• This is the default configuration for IMPB-enabled ports. In ARP mode, if the switch identifies a legal host with a valid ARP, the host’s MAC address is programmed into the L2 FDB with the action “allow”; otherwise, the host’s MAC address is programmed into the L2 FDB with the action “drop”. The security access control is based on Layer 2 MAC addresses.
ACL Mode
• This provides strict security for IP-level traffic. If ACL mode is enabled, the statically configured IMPB entries with ACL mode are programmed into the hardware ACL table. If ACL mode is disabled, the IMPB entries are removed from the hardware ACL table. This mode is not supported on switches which do not have a hardware ACL; there the IMPB entries are programmed into the L2 FDB only. ACL mode and ARP mode can co-exist in a switch.
DHCP Snooping Mode
• This is used to build up IMPB binding entries automatically. When DHCP snooping is enabled, the switch snoops DHCP packets on IMPB-enabled ports. The switch automatically builds up IMPB entries and programs them into the L2 FDB and the hardware ACL table (if ACL mode is enabled).
Two Port Modes of IP-MAC-Port Binding
Strict Mode
• This mode provides a stricter method of control. If the user selects this mode, all packets are sent to the CPU, so no packets are forwarded by the hardware until the software learns the entries for the ports.
Loose Mode
• This mode provides a looser way of control. If the user selects loose mode, ARP packets and IP broadcast packets are sent to the CPU. The packets are still forwarded by the hardware until a specific source MAC address is blocked by the software.
Application of DHCP Snooping
In a DHCP environment, DHCP snooping can be implemented to secure the network. With this feature configured in a switch, only clients with specific IP/MAC addresses are allowed to obtain access to the network.
DHCP Snooping works with the information from a DHCP server to:
• Track the physical location of a host
• Ensure a host uses its assigned IP address
DHCP Snooping ensures IP integrity on a Layer 2 switched domain.
When DHCP snooping is configured, only IP addresses in the white list are authorized to enter the network. This white list is configured at switch port level. Only a specific IP address with a specific MAC address on a specific port has access to the network.
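As an added example (not D-Link code), here is a Python model of IMPB as described in the slides above: a white list of (IP, MAC, port) bindings filled statically or by DHCP snooping, ARP inspection that programs the L2 FDB with allow/drop, ACL mode that additionally inspects IP packets, and strict versus loose port modes for hosts that have not yet been learned. The `Impb` class, the DHCP message dictionaries and all addresses are constructed assumptions.

```python
class Impb:
    """Model of IP-MAC-Port Binding on one switch (constructed, not D-Link code)."""

    def __init__(self, acl_mode=False, strict=True):
        self.acl_mode = acl_mode     # ACL mode also inspects IP packets
        self.strict = strict         # strict port mode: unknown hosts blocked by default
        self.bindings = set()        # white list of (ip, mac, port)
        self.fdb = {}                # L2 FDB action per (mac, port): "allow" / "drop"

    def add_static(self, ip, mac, port):
        """Manually configured IMPB entry."""
        self.bindings.add((ip, mac, port))

    def snoop_dhcp(self, client_port, msg):
        """DHCP snooping: learn the binding from a DHCP ACK. client_port is the
        port the client sits on; msg is a dict with 'type', 'yiaddr' (assigned
        IP) and 'chaddr' (client MAC). Other DHCP message types are ignored."""
        if msg.get("type") == "ACK":
            self.bindings.add((msg["yiaddr"], msg["chaddr"], client_port))
            self.fdb[(msg["chaddr"], client_port)] = "allow"

    def inspect(self, port, src_mac, src_ip, kind):
        """Decide 'forward' or 'drop' for an 'arp' or 'ip' packet seen on port."""
        key = (src_mac, port)
        valid = (src_ip, src_mac, port) in self.bindings
        if kind == "arp":
            # ARP inspection (both modes): validate the sender pair and program
            # the L2 FDB with allow/drop for this MAC on this port.
            self.fdb[key] = "allow" if valid else "drop"
            return "forward" if valid else "drop"
        if self.acl_mode:
            # ACL mode: the hardware ACL checks the IP packet's source IP/MAC too.
            return "forward" if valid else "drop"
        # ARP mode only: IP packets follow the L2 FDB action learned from ARP; a
        # MAC with no entry yet is dropped in strict mode, forwarded in loose mode.
        action = self.fdb.get(key)
        if action is None:
            return "drop" if self.strict else "forward"
        return "forward" if action == "allow" else "drop"


def demo():
    """Constructed scenario: a DHCP client on port 1, a static host on port 2,
    and a host on port 3 sending an ARP that claims the gateway IP 10.0.0.1."""
    out = {}
    for acl_mode in (False, True):
        sw = Impb(acl_mode=acl_mode, strict=True)
        sw.snoop_dhcp(1, {"type": "ACK", "yiaddr": "10.0.0.10", "chaddr": "aa:aa:aa:aa:aa:aa"})
        sw.add_static("10.0.0.20", "bb:bb:bb:bb:bb:bb", 2)
        out[acl_mode] = {
            "client_arp": sw.inspect(1, "aa:aa:aa:aa:aa:aa", "10.0.0.10", "arp"),
            "spoofed_gw_arp": sw.inspect(3, "cc:cc:cc:cc:cc:cc", "10.0.0.1", "arp"),
            "spoofer_ip": sw.inspect(3, "cc:cc:cc:cc:cc:cc", "10.0.0.1", "ip"),
            # the DHCP client switching to a static IP it was never assigned
            "client_wrong_ip": sw.inspect(1, "aa:aa:aa:aa:aa:aa", "10.0.0.77", "ip"),
            "static_host_arp": sw.inspect(2, "bb:bb:bb:bb:bb:bb", "10.0.0.20", "arp"),
            "static_host_ip": sw.inspect(2, "bb:bb:bb:bb:bb:bb", "10.0.0.20", "ip"),
        }
    return out


if __name__ == "__main__":
    for acl_mode, decisions in demo().items():
        print("ACL mode" if acl_mode else "ARP mode", decisions)
```

The one decision that differs between the two runs is `client_wrong_ip`: ARP mode forwards it because the MAC was already marked "allow", while ACL mode drops it, which is the "stronger security policy enforcement" the comparison slide claims.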
ZoneDefense
ZoneDefense Overview
ZoneDefense allows a D-Link firewall to control D-Link switches and disable (block) offending hosts. It can stop a virus-infected computer from infecting other computers in the network.
When a host or client on a network is infected with viruses or any form of malicious code, it will show its presence through anomalous behavior, such as a large number of new connections being opened to outside hosts.
By setting up threshold rules, hosts or networks which exceed a defined connection threshold can be blocked dynamically using the ZoneDefense feature. Thresholds are based on either the number of new connections per second, or the total number of connections. The connections may be made by either a single host or all hosts within a specified CIDR network range (an IP address range specified by a combination of an IP address and its associated network mask).
When NetDefendOS detects that a host or a network has reached the specified limit, it uploads Access Control List (ACL) rules to the relevant switches and blocks all traffic for the host or network which displays the unusual behavior. System administrators need to use the Web or Command Line Interface to unblock the blocked hosts and networks manually.
Challenges to Legacy Network Security
Network Security Architecture with ZoneDefense
ZoneDefense Solution (E2ES)
When a NetDefend firewall detects malicious traffic, it triggers the xStack switch to block it immediately.
ZoneDefense technology allows NetDefend firewalls and xStack switches to work jointly as one big virtual security system, where the NetDefend firewall is in charge of traffic inspection and the xStack switch performs wire-speed filtering at port level.
ZoneDefense Switches
The information about the switches which are controlled by the firewall has to be specified manually in the firewall configuration. The information needed to control a switch includes:
• IP address of the management interface of the switch
• Switch model
• SNMP community string (write access)
The following D-Link xStack switches support ZoneDefense:
• DES-3500 Series (firmware R4.01B19 or later)
• DES-3800 Series (firmware R2.00B13 or later)
• DGS-3200 Series (firmware R1.10B06 or later)
• DGS-3400 Series (firmware R2.00B52 or later)
• DGS-3600 Series (firmware R2.20B35 or later)
Simple Network Management Protocol (SNMP)
• SNMP is an application layer protocol for network management. SNMP allows SNMP managers and the managed devices in a network to communicate with each other.
SNMP Managers
• A typical managing device, such as a D-Link firewall, uses the SNMP protocol to monitor and control network devices in a managed environment. The manager can query information from the managed devices, with the SNMP community string as a simple authentication method. The string is similar to a password. If the community string type is “write”, the manager is allowed to modify the device’s managed information.
Managed Devices
• The managed devices, such as D-Link switches, must be SNMP compliant. They store state data in the database known as the Management Information Base (MIB) and provide the information to the manager upon receiving an SNMP query.
Threshold Rules
A threshold rule triggers ZoneDefense to block a specific host or network if the connection limit specified in the rule is exceeded. The limit can be one of the following two types:
• Connection Rate Limit: This is triggered if the rate of new connections per second to the firewall exceeds a specified threshold.
• Total Connections Limit: This is triggered if the total number of connections to the firewall exceeds a specified threshold.
Threshold rules have parameters similar to those of IP Rules. These parameters specify what type of traffic a threshold rule applies to. A single threshold rule has the parameters:
• Source interface and source network
• Destination interface and destination network
• Service
• Type of threshold: host and/or network based
When the host/network threshold is exceeded, it triggers ZoneDefense. The switch(es) block the host/network from accessing the network based on their IP addresses.
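The following is an added example (not NetDefendOS code) that evaluates threshold rules of the two kinds described above over a constructed connection log: a rule matches on source network, destination network and service, holds either a connection-rate limit (new connections per second) or a total-connections limit (concurrently open connections), and is applied per host and/or per network. The `ThresholdRule` class, the connection records, the addresses and the `switch_acl_entries` rendering are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict


class ThresholdRule:
    """One ZoneDefense-style threshold rule (constructed model)."""

    def __init__(self, src_net, dst_net, service, limit_type, limit,
                 host_based=True, network_based=False):
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.service = service                   # e.g. "tcp/80" or "any"
        assert limit_type in ("rate", "total")   # rate: new conns/second; total: concurrent
        self.limit_type, self.limit = limit_type, limit
        self.host_based, self.network_based = host_based, network_based

    def applies(self, conn):
        """Does this connection fall under the rule's source/destination/service?"""
        return (ipaddress.ip_address(conn["src"]) in self.src_net
                and ipaddress.ip_address(conn["dst"]) in self.dst_net
                and self.service in ("any", conn["service"]))


def evaluate(rule, connections):
    """Return the subjects the rule would block: ("host", ip) and/or
    ("network", cidr). Each connection is a dict with src, dst, service and
    start/end timestamps in seconds."""
    subjects = []   # (subject key, connection)
    for c in connections:
        if not rule.applies(c):
            continue
        if rule.host_based:
            subjects.append((("host", c["src"]), c))
        if rule.network_based:
            subjects.append((("network", str(rule.src_net)), c))
    blocked = set()
    if rule.limit_type == "rate":
        # Connection Rate Limit: new connections per whole second, per subject.
        per_second = defaultdict(int)
        for key, c in subjects:
            per_second[(key, int(c["start"]))] += 1
        for (key, _sec), n in per_second.items():
            if n > rule.limit:
                blocked.add(key)
    else:
        # Total Connections Limit: sweep start/end events and count open ones.
        events = defaultdict(list)
        for key, c in subjects:
            events[key] += [(c["start"], 1), (c["end"], -1)]
        for key, evs in events.items():
            open_count = 0
            for _t, delta in sorted(evs):   # an end at time t sorts before a start at t
                open_count += delta
                if open_count > rule.limit:
                    blocked.add(key)
                    break
    return blocked


def switch_acl_entries(blocked):
    """Hypothetical rendering of the block list as deny entries pushed to the
    switches (the page notes real switches need one rule per switch port)."""
    return sorted(f"deny {kind} {value}" for kind, value in blocked)


def sample_connections():
    """Constructed connection log: one scanning host, one normal host, and four
    hosts in 10.0.0.0/24 that together hold too many open connections."""
    conns = []
    for i in range(25):                       # 25 new connections inside one second
        conns.append({"src": "192.168.1.50", "dst": f"203.0.113.{i + 1}",
                      "service": "tcp/80", "start": 100.0 + i * 0.03, "end": 130.0})
    for i in range(3):                        # one new connection per second
        conns.append({"src": "192.168.1.20", "dst": "203.0.113.5",
                      "service": "tcp/80", "start": 100.0 + i, "end": 105.0 + i})
    for h in range(4):                        # 2 concurrent connections per host
        for i in range(2):
            conns.append({"src": f"10.0.0.{h + 10}", "dst": "203.0.113.9",
                          "service": "tcp/443", "start": 200.0 + i, "end": 210.0})
    return conns


if __name__ == "__main__":
    rate_rule = ThresholdRule("192.168.1.0/24", "0.0.0.0/0", "any", "rate", 20)
    total_rule = ThresholdRule("10.0.0.0/24", "0.0.0.0/0", "tcp/443", "total", 5,
                               host_based=True, network_based=True)
    for rule in (rate_rule, total_rule):
        print(switch_acl_entries(evaluate(rule, sample_connections())))
```

The second rule shows why the host/network choice matters: no single host in 10.0.0.0/24 exceeds five open connections, but the network as a whole does, so only the network entry is produced.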
Anti-Virus Scanning
ZoneDefense can be used in conjunction with the NetDefendOS Anti-Virus scanning feature.
NetDefendOS can first identify a virus source through anti-virus scanning and then block the source by communicating with switches configured to work with ZoneDefense. This feature is activated through the following Application Layer Gateways (ALGs):
• HTTP: ZoneDefense can block an HTTP server that is a virus source.
• FTP: ZoneDefense can block a local FTP client that is uploading files with viruses.
• SMTP: ZoneDefense can block a local SMTP client that is sending emails with viruses.
In D-Link firewalls, the ALG is responsible for Anti-Virus Scanning and IDP Protection.
IDP Engine
ZoneDefense can be used in conjunction with the NetDefendOS Intrusion Detection and Prevention (IDP) Engine.
NetDefendOS can identify an intruder and then block the intruder by communicating with switches configured to work with ZoneDefense.
Computer servers sometimes have vulnerabilities which expose them to attacks carried by network traffic. Worms, Trojans and backdoor exploits are examples of such attacks, which can potentially compromise or take control of a server.
NetDefendOS can not only block an intruder from passing through the DFL-series firewall, it can also block the intruder from passing through the switches which are configured to work with ZoneDefense. This is the D-Link End-to-End Security Solution.
Manual Blocking and Exclude Lists
Manual Blocking
• As a complement to threshold rules, it is also possible to manually define hosts and networks which are to be blocked or excluded statically. Hosts and networks can be blocked by default or based on a schedule. It is also possible to specify the protocols and protocol port numbers to be blocked.
Exclude Lists
• Exclude lists can be created to exclude hosts from being blocked when a threshold is reached. Good practice includes adding the firewall’s interface IP or MAC addresses connecting to the ZoneDefense switch to the list. This prevents the firewall from being blocked out accidentally.
Limitations
There are some differences in ZoneDefense operation depending on the switch model.
The first difference is the latency between the triggering of a blocking rule and the moment when the switch(es) actually start blocking. All switch models require a short latency time to implement blocking when the rule is triggered. Some models can activate blocking in less than a second while some may require more than a minute.
The second difference is the maximum number of rules supported by different switch models. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit is reached, no host or network will be blocked.
Network Access Protection (NAP)
NAP Technology
• NAP is a policy enforcement platform technology led by Microsoft, to be used on certain Windows platforms to allow better network asset protection by enforcing compliance with system health requirements.
• With NAP, users can create policies to validate computer health before allowing network access or communication, update compliant computers automatically to ensure ongoing compliance, and confine non-compliant computers to a restricted network until they become compliant.
Requirements to deploy NAP
• Server: Microsoft Server 2008
• Clients: Microsoft Windows Vista, Windows XP SP2 with NAP Client, Windows XP SP3
• Appliance: D-Link xStack Switch Series
802.1X NAP Flow Chart
Necessary Policies in 802.1X NAP Deployment
There are three types of policies to be configured in the Network Policy Server, which is a component of Microsoft Windows Server 2008.
Connection Request Policy
• This policy determines which connection requests are acceptable.
• In an 802.1X NAP deployment, only connection requests from the xStack Switch are acceptable.
Health Policy
• A System Health Validator (SHV) determines which elements are needed when validating health status, such as firewall status, anti-virus status, anti-spyware status, etc.
• The Health Policy adopts SHVs to determine which criteria count as healthy. Passing all SHV checks is considered healthy.
Network Policy
• The Network Policy determines which action is going to be taken based on the health status.
Example: 802.1X NAP
The client is placed in the Guest VLAN initially. If it complies with all requirements, the port where the client is connected is placed in the Compliance VLAN (VLAN 3 in this example). Otherwise, the port is placed in VLAN 2 for remediation. After remediation, the port is authenticated again. Upon compliance, it is transferred to VLAN 3.
Questions?