© 2008 Extreme Networks, Inc. All rights reserved. Summit X250e Series
Extreme Networks Data Sheet
Comprehensive Security Functionality Using Defense-in-Depth
User Authentication and Host Integrity Checking
Network Login and Dynamic Security Profile
Network Login capability enforces user admission and usage policies. Summit X250e series switches support a comprehensive range of Network Login options by providing an 802.1x agent-based approach, a web-based (agent-less) login capability for guests, and a MAC-based authentication model for devices. With these modes of Network Login, only authorized users and devices are permitted to connect to the network and be assigned to the appropriate VLAN. The Universal Port scripting framework lets you implement Dynamic Security Profiles which, in sync with Network Login, allow you to implement fine-grained and robust security policies. Upon authentication, the switch can load dynamic ACL/QoS for a user or group of users, to deny or allow access to the application servers or segments within the network.
Multiple Supplicant Support
Shared ports represent a potential vulnerability in a network. Multiple supplicant capability on a switch allows it to uniquely authenticate and apply the appropriate policies and VLANs for each user or device on a shared port.
Multiple supplicant support helps secure IP Telephony and wireless access. Converged network designs often involve the use of shared ports (see Figure 4).
MAC Security
MAC security lets you lock a port down to a given MAC address and limit the number of MAC addresses on a port. This can be used to dedicate ports to specific hosts or devices such as VoIP phones or printers and avoid abuse of the port, an interesting capability specifically in environments such as hotels. In addition, an aging timer can be configured for the MAC lockdown, protecting the network from the effects of attacks using (often rapidly) changing MAC addresses.
IP Security
ExtremeXOS IP Security framework helps protect the network infrastructure, network services such as DHCP and DNS, and host computers from spoofing and man-in-the-middle attacks. It also helps protect the network from statically configured and/or spoofed IP addresses and builds an external trusted database of MAC/IP/port bindings providing the traffic’s source from a specific address for immediate defense.
Host Integrity Checking
Host integrity checking helps keep infected or non-compliant machines off the network. Summit X250e series switches support a host integrity or endpoint integrity solution that is based on the model from the Trusted Computing Group. Summit X250e interfaces with Sentriant AG200, endpoint security software from Extreme Networks, to verify that each endpoint meets the security policies that have been set and quarantines those that are not in compliance.
Network Intrusion Detection and Response
Hardware-Based sFlow Sampling
sFlow is a sampling technology that provides the ability to continuously monitor application-level traffic flows on all interfaces simultaneously. The sFlow agent is a software process that runs on Summit X250e and packages data into sFlow datagrams that are sent over the network to an sFlow collector. The collector gives an up-to-the-minute view of traffic across the entire network, providing the ability to troubleshoot network problems, control congestion and detect network security threats.
Port Mirroring
To allow threat detection and prevention, Summit X250e supports many-to-one and one-to-many port mirroring. This allows the mirroring of traffic to an external network appliance such as an intrusion detection device for trend analysis or for utilization by a network administrator for diagnostic purposes. Port Mirroring can also be enabled across switches in a stack.
Line-Rate ACLs
ACLs are one of the most powerful components used in controlling network resource utilization as well as protecting the network. Summit X250e supports 1,024 centralized ACLs per 24-port, based on Layer 2, 3 or 4 header information such as the MAC, IPv4 and IPv6 address or TCP/UDP port.
Denial of Service Protection
Summit X250e can effectively handle DoS attacks. If the switch detects an unusually large number of packets in the CPU input queue, it will assemble ACLs that automatically stop these packets from reaching the CPU. After a period of time, these ACLs are removed, and reinstalled if the attack continues. ASIC-based LPM routing eliminates the need for control plane software to learn new flows, allowing more network resilience against DoS attacks.
Secure Management
To prevent management data from being intercepted or altered by unauthorized access, Summit X250e supports SSH2, SCP and SNMPv3 protocols. The MD5 hash algorithm used in authentication prevents attackers from tampering with valid data during routing sessions.
Implementing a secure network means providing protection at the network perimeter as well as the core. Working together with the Sentriant® family of products from Extreme Networks, Summit X250e series uses a defense-in-depth strategy to help protect your network from known or potential threats. Security offerings from Extreme Networks encompass three key areas: user and host integrity, threat detection and response, and hardened network infrastructure.
Figure 4: Multiple Supplicant Support. Summit X250e offers multiple supplicant support, which helps provide per-MAC-based authentication with dynamic VLAN allocation. (Figure labels: VLAN Green, VLAN Orange, VLAN Purple, Rogue Clients.)