How To | Create A Secure Network With Allied Telesis Managed Layer 3 Switches

Introduction

Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3. This How To Note describes these features and includes brief examples of how to configure them. The implementations shown in this How To Note should be thought of as industry-standard best practices.

Contents
Introduction
Which products and software versions does this information apply to?
Appendix: Configuration scripts for MAC-forced forwarding example
Edge switch 1
Edge switch 2
Edge switch 3
Securing the device

Products: All switches listed on page 2
Software Versions: All

The first step towards making a secure network is to secure the networking equipment itself. There are two aspects to this. Firstly, physical security is vital—lock your networking equipment away. Secondly, straight after powering up any new piece of networking equipment, change the default administrator user's password. On an Allied Telesis managed layer 3 switch, the default user is "manager".
Protecting the network

Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms:
- limiting broadcasts and multicasts on a port ("Bandwidth limiting" on page 4)
- detecting a storm and disabling that port or VLAN ("Using QoS policy-based storm protection" on page 5)

Bandwidth limiting

ARP packets are the most frequent trigger for broadcast storms.
Using QoS policy-based storm protection

Policy-based storm protection lets you specify one of a range of actions for the switch to take when it detects a broadcast storm. It is a part of the QoS functionality. Policy-based storm protection is more powerful than simple bandwidth limiting. It lets you restrict storm damage to within the storming VLAN, and it gives you the flexibility to define what traffic rate makes a broadcast storm.
Example

The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds.

set switch enhancedmode=qoscounters

Reboot after turning on enhanced mode.
2. Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second:

set switch thrashlimit=5..255

Configuration on trunk groups

Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, the switches probably cannot negotiate STP or any other trunks that they belong to. This immediately causes a broadcast storm.
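The storm example above (a rate you define, then the link held down for 60 seconds) and the thrash limit (how many port moves per second one MAC may make) share the same detection core: a sliding one-second counter. The following Python model is added here to show both decisions side by side; it is not AlliedWare code, and the 100 pps threshold, port numbers, MAC addresses and timestamps are constructed.

```python
from collections import defaultdict, deque

class RateWindow:
    """Counts events per key inside a sliding window (default one second)."""
    def __init__(self, window_s=1.0):
        self.window_s = window_s
        self.events = defaultdict(deque)  # key -> timestamps of recent events
    def add(self, key, ts):
        """Record an event at time ts; return how many fall inside the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q)

class StormGuard:
    """Policy-based storm protection: when broadcasts on a port exceed max_pps
    in one second, the port is taken down for hold_s seconds (60 s on the page).
    max_pps is a constructed threshold; the page lets you choose the storm rate."""
    def __init__(self, max_pps, hold_s=60.0):
        self.max_pps, self.hold_s = max_pps, hold_s
        self.window = RateWindow()
        self.down_until = {}  # port -> time at which the link is restored
    def port_up(self, port, ts):
        return ts >= self.down_until.get(port, 0.0)
    def broadcast_seen(self, port, ts):
        """Return True when this packet triggers storm protection on the port."""
        if not self.port_up(port, ts):
            return False  # link already down; nothing is forwarded or counted
        if self.window.add(port, ts) > self.max_pps:
            self.down_until[port] = ts + self.hold_s
            return True
        return False

class MacThrashGuard:
    """Rapid MAC movement: flag a MAC that changes port more than thrashlimit
    times in one second (the range of 'set switch thrashlimit=5..255')."""
    def __init__(self, thrashlimit):
        if not 5 <= thrashlimit <= 255:
            raise ValueError("thrashlimit must be in 5..255")
        self.thrashlimit = thrashlimit
        self.window = RateWindow()
        self.last_port = {}  # mac -> port it was last learned on
    def learned(self, mac, port, ts):
        # Return True when a learning event pushes the MAC over the limit.
        prev = self.last_port.get(mac)
        self.last_port[mac] = port
        if prev is None or prev == port:
            return False  # first sighting or no movement
        return self.window.add(mac, ts) > self.thrashlimit
```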
IGMP filtering

Products and Software Versions: All switches listed on page 2 that support 2.7.5 or later

IGMP filtering lets you dictate exactly which multicast groups a specific port can receive, by creating a filter list and applying it to the port. Different ports may have different filter lists applied to them. If desired, you can select the type of message to filter. By default, filters apply to IGMP reports.
Managing the device securely

In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted recipients. A hacker may even be able to force a switch to flood unicast traffic. Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private.
Using SSL for secure web access

If you prefer to configure the switch using the convenient web-based GUI, be aware that the GUI is unencrypted by default. SSL lets you use the GUI securely, by using HTTPS instead of HTTP.

Configuration
1. Add a security officer to your switch's list of users.
2. Create an encryption key for SSL to use.
3. Create a self-signed PKI certificate, or load a certificate generated by a Certificate Authority (CA) if you have one.
Examples

To allow the user "steve" full read, write and notify SNMP access to the switch:

enable snmp
add snmp view=full oid=1.3.6.
Whitelisting telnet hosts

For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks.
Building a whitelist through QoS

Products: AT-8948, AT-9900 Series, AT-9924Ts, x900-24 Series, x900-48 Series

On AT-8948, AT-9900, AT-9900s, and x900 Series switches, use classifiers to build a whitelist and QoS to apply it.

Configuration
1. Create classifiers to match telnet traffic from permitted IP addresses to the switch's IP address.
2. Create a classifier to match all telnet traffic to the switch's IP address.
3.
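The whitelist is a set of specific permit classifiers followed by one catch-all classifier for telnet to the switch, so the order in which they are evaluated decides whether the whitelist works at all. This Python model of first-match classifier evaluation is added here (it is not the switch's QoS engine); the switch address 192.168.4.1 and the permitted hosts are constructed values, and the Packet and Classifier types are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass

TELNET = 23

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Classifier:
    """One match rule plus the QoS action applied to matching traffic."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    action: str  # "permit" or "deny"
    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and p.proto == self.proto and p.dport == self.dport)

def build_telnet_whitelist(switch_ip: str, permitted_hosts):
    """Steps 1 and 2 above: one permit classifier per permitted host, then a
    catch-all classifier matching all telnet traffic to the switch."""
    sw = ipaddress.ip_network(f"{switch_ip}/32")
    rules = [Classifier(ipaddress.ip_network(f"{h}/32"), sw, "tcp", TELNET, "permit")
             for h in permitted_hosts]
    rules.append(Classifier(ipaddress.ip_network("0.0.0.0/0"), sw, "tcp", TELNET, "deny"))
    return rules

def apply_policy(rules, p: Packet, default="permit") -> str:
    """First matching classifier wins, so the catch-all deny must stay last."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default  # traffic matching no classifier is left alone
```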
Identifying the user

This section describes methods for authorising and tracking users and preventing them from changing their identity on the network.

IP spoofing and tracking

Unknown users who attempt to change IP address—to circumvent billing or to hide their identity—can be a problem for administrators. Changing IP address for malicious reasons is most commonly called IP spoofing, and is also known as ARP spoofing, ARP poisoning, and ARP poison routing (APR).
Rejecting Gratuitous ARP (GARP)

Products: All switches listed on page 2
Software Versions: 2.5.1 and later

Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GARP to penetrate the network by adding themselves to the switch's ARP table. You can configure Allied Telesis switches and routers to ignore GARP packets.
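What "ignore GARP" protects is the ARP table: a gratuitous ARP is recognisable on the wire because its sender and target IP are the same, and a table that refuses to learn from it cannot be populated by unsolicited announcements. The following Python parser and simplified ARP cache are added here as an illustration, not the switch's implementation; the cache's policy of learning only from replies to its own requests is an assumption made for the model, and the frames and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame carrying IPv4 ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

def is_gratuitous(arp) -> bool:
    """A gratuitous ARP (request or reply) carries the sender's own IP as target IP."""
    return arp["spa"] == arp["tpa"]

class ArpTable:
    """Simplified ARP cache (an assumption, not the switch's code): learns only from
    replies to its own requests; with ignore_garp set, GARP never touches the table."""
    def __init__(self, ignore_garp=True):
        self.ignore_garp = ignore_garp
        self.pending = set()  # IPs this device has sent an ARP request for
        self.entries = {}     # ip -> mac
    def sent_request(self, ip):
        self.pending.add(ip)
    def process(self, frame: bytes) -> bool:
        # Feed one frame; return True if the table was updated.
        arp = parse_arp(frame)
        if arp is None:
            return False
        if is_gratuitous(arp):
            if self.ignore_garp:
                return False  # unsolicited announcement: do not add or overwrite
            self.entries[arp["spa"]] = arp["sha"]
            return True
        if arp["oper"] == 2 and arp["spa"] in self.pending:
            self.pending.discard(arp["spa"])
            self.entries[arp["spa"]] = arp["sha"]
            return True
        return False

def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build a raw Ethernet+ARP frame (constructed test input, not a capture)."""
    dst = b"\xff" * 6 if oper == 1 else tha
    return (dst + sha + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                          IPv4Address(spa).packed, tha, IPv4Address(tpa).packed))
```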
For more information about setting up DHCP snooping, see How To Use DHCP Snooping, Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP Snooping, Option 82 and Filtering on x900 Series Switches. These How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx.

Setting up DHCP snooping

This section describes a minimal configuration for DHCP snooping.
Using DHCP snooping to track clients

If your DHCP server supports it, you can use "option 82" to record more information about DHCP clients. This enhances your ability to track users. The switch can pass option 82 information to the DHCP server so that the server can record the switch MAC, switch port, VLAN number and subscriber-ID that the client is a member of.
Protecting the user

This section describes the following methods of protecting users from other users on the network:
- "Using private VLANs" on page 18. This feature isolates switch ports in a VLAN from other switch ports in the same VLAN.
- "Using local proxy ARP and MAC-forced forwarding" on page 19. These features force all traffic in a network to go via an access router.
- "Using IPsec to make VPNs" on page 24. This feature creates secure tunnels through an insecure network.
Example

To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25:

create vlan=example vid=2 private
add vlan=2 port=24-25 frame=tagged uplink
add vlan=2 port=2-6

To remove ports from the VLAN:

# remove port 4:
delete vlan=2 port=4
# remove all private ports and the uplink ports:
delete vlan=2 port=all

Using local proxy ARP and MAC-forced forwarding

Both these features ensure the integrity of ARP in your network and let you take granular control of
The following figure shows a network that can use either local proxy ARP or MAC-forced forwarding—the examples in both the following sections refer to this network.

[Figure: example network. An Access Router with uplinks to the Internet, a Management PC and a SIP and Multicast server connects over an LACP trunk to Edge Switch 1; Edge Switch 2 and Edge Switch 3 hang off Edge Switch 1 (ports 50 and 49); Residential Gateway 1, 2 and 3 with Client 1, 2 and 3 behind them sit on the edge switches.]
Configuration of edge switches
1. Create the VLANs, specifying that they are private. Make a different VLAN for each type of traffic that you want to control differently.
2. Add the uplink and private ports to the VLANs as tagged ports.
3. Configure any other requirements, such as a management IP address.

Configuration of access router
1. Create the VLANs.
2. Add the ports to the VLANs as tagged ports.
3. Enable IP.
4. Give each VLAN an IP address and turn on local proxy ARP.
5.
Use the following configuration for edge switches 2 and 3 (AT-8648 switches in this example):

ena stp=default
set stp=default mode=rapid
create vlan="voice" vid=101 private
add vlan=101 port=49-50 uplink frame=tagged
add vlan=101 port=1-48 frame=tagged
create vlan="video" vid=102 private
add vlan=102 port=49-50 uplink frame=tagged
add vlan=102 port=1-48 frame=tagged
create vlan="data" vid=103 private
add vlan=103 port=49-50 uplink frame=tagged
add vlan=103 port=1-48 frame=tagged
create
# Create a classifier to match all traffic in VLANs 101-104
create class=10 ipsa=192.168.0.0/16 ipda=192.168.0.0/16
# Create a classifier to match voice traffic
create class=100 ipsa=192.168.1.0/24 ipda=192.168.1.0/24
# Create a classifier to match management traffic
# The management PC is 192.168.4.250
create class=401 ipsa=192.168.4.0/24 ipda=192.168.4.250/32
create class=402 ipsa=192.168.4.250/32 ipda=192.168.4.
Configuration of edge switches
1. Create a VLAN for each type of service (for example, voice, video, and data). With software versions 291-04 and earlier, the VLANs must be private VLANs. With software versions 291-05 and later, you can use non-private VLANs. However, we recommend you use private VLANs for maximum security.
2. Add the uplink and private ports to the VLANs as tagged ports.
3. Enable DHCP snooping and ARP security.
- How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability without NAT-T support
- How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability with NAT-T support
- How To Configure IPsec VPN Between Microsoft ISA Server 2004 and an Allied Telesyn Router Client
- How To Create a VPN between an Allied Telesis and a SonicWALL router, with NAT-T
- How To Create a VPN between an Allied Telesis and a NetScreen route
Example

To block the W32.Slammer worm on port 1, which does not have an SQL client or server attached to it:

create classifier=1 udpdport=1434 protocol=ip iport=1
add switch hwfilter classifier=1 action=discard

Blocking worms through QoS actions

On AT-8948, AT-9900, AT-9900s, and x900 Series switches, use QoS to block traffic from a worm.

Configuration
1. Find out which UDP or TCP port the worm attacks.
2. Create a classifier to match traffic using that UDP or TCP port.
3.
Appendix: Configuration scripts for MAC-forced forwarding example

In this example (from page 23), the edge switches can be any of the following switches:
- Rapier 16fi and Rapier 24i (but not Rapier 48i)
- AT-8724XL (but not AT-8748XL)
- AT-8824 and AT-8848
- AT-8624T/2M, AT-8624PoE, and AT-8648T/2SP

The access router is a Rapier 24i switch.

Edge switch 1

Edge switch 1 is directly connected to the access router.
Edge switch 2

Edge switch 2 is connected to port 50 of edge switch 1.
Edge switch 3

Edge switch 3 is connected to port 49 of edge switch 1.
Access Router

set system name="Access Router"
# Create a VLAN for accessing the Internet, SIP server and multicast groups
create vlan=CoreNetwork vid=28
# Create the other VLANs
create vlan=Voice vid=100
create vlan=Video vid=200
create vlan=Data vid=300
create vlan=Management vid=400
create vlan=EAN_Management vid=500
add vlan=28 port=20,24
add vlan=500 port=5
add vlan=100 port=1-2 frame=tagged
add vlan=200 port=1-2 frame=tagge
# Configure PIM sparse mode for multicast routing
add pim interface=vlan28
add pim interface=vlan200
add pim bsrcandidate interface=vlan28
add pim rpcandidate group=224.0.0.0 mask=240.0.0.0 interface=vlan28
enable pim
# Configure the DHCP server
create dhcp poli=Voice_DHCP lease=7200
add dhcp poli=Voice_DHCP subn=255.255.255.0 router=172.16.1.254 dnss=10.0.0.100,10.0.0.101 maskdiscovery=off masksupplier=off
create dhcp range=Voice_range poli=Voice_DHCP ip=172.16.1.