Multi-user authentication and role-based policy can
provide significant benefits to customers by extending
security services to users connected through unmanaged
devices, third-party switches/routers, VPN concentrators,
or wireless LAN access points at the edge of their network.
Authentication provides security, priority, and bandwidth
control while protecting existing network investments.
Integrated Security
Role-Based Policy
Utilizing ExtremeControl Policy Management, the
role-based policy framework empowers a network administrator
to define distinct roles or profiles that represent
industry-specific operational groups that may exist in an education
or a business environment (e.g., administrator, teacher,
student, guest). Each defined role is granted individualized
access to specific network services and applications and
these access privileges remain associated with users as they
move across both wired and wireless network access points.
Users can be authenticated via IEEE 802.1X, MAC address,
or web authentication, and then assigned a pre-defined
operational role. Network operations can be seamlessly
tailored to meet business-oriented requirements by
providing each role with individualized access to network
services and applications, thus aligning network resource
utilization with business goals and priorities.
In addition, administrators can easily transition from
basic VLAN and complex ACL deployments to the
Extreme Networks role-based policy framework in a
seamless fashion, without the need to make changes to
their RADIUS infrastructure.
MAC Security
MAC Security allows locking down a port to a given
MAC address and limiting the number of MAC addresses
on a port. This capability can be used to dedicate ports to
specific hosts or devices such as VoIP phones or printers
and avoid abuse of the port – a capability that can be
especially useful in hospitality markets. In addition, an aging
timer can be configured for the MAC lockdown, protecting
the network from the effects of attacks using (often rapidly)
changing MAC addresses.
IP Security
The ExtremeXOS IP security framework protects the network
infrastructure, network services such as DHCP and DNS,
and host computers from spoofing and man-in-the-middle
attacks. It also protects the network from statically
configured and/or spoofed IP addresses, and builds
an external trusted database of MAC/IP/port bindings
that provides the traffic source for a specific address for
immediate defense.
Identity Manager
Identity Manager allows network managers to track users
who access their network. User identity is captured based
on NetLogin authentication, LLDP discovery, and Kerberos
snooping. ExtremeXOS then reports on the MAC, VLAN,
computer hostname, and port location of the user. Further,
Identity Manager can create both roles and policies, and
then bind them together to create role-based profiles based
on organizational structure or other logical groupings, and
apply them across multiple users to allow appropriate
access to network resources.
In addition, support for Wide Key ACLs improves security
by going beyond source/destination and MAC address
as identification criteria for the access mechanism that
provides filtering capabilities.
Secure Management
ExtremeXOS provides secure management via SSH2/SCP2/
SSL and SNMPv3, providing authentication and protection
against replay attacks, as well as data privacy
via encryption.
Access profiles for device management allow filters to
be set so that device management accepts connections only from
specified sources.
CPU DoS Protect throttles traffic directed to the switch and
can automatically set an ACL for defense, thus protecting
the switch from the effects of DoS attacks such as “Ping of
Death” and others. This defense mechanism works for all
CPU-bound traffic – Layer 2, IPv4 and IPv6.