Security Features Overview
General
Security is a term that covers several different aspects of
network use and operation.
One general type of security is control over which devices or users can access
the network. Ways of doing this include authenticating the user at login, limiting
access by restricting certain types of traffic, and protecting the operation of the
switch itself. Security measures in this last category include routing policies that
limit the visibility of parts of the network and denial of service protection that
keeps the switch CPU from being overloaded. Finally, the management functions of the
switch can be protected from unauthorized use; this type of protection relies on user
authentication.
Security Features
ExtremeXOS has enhanced security features designed to protect,
rapidly detect, and correct anomalies in your network. Extreme Networks products
incorporate a number of features designed to enhance the security of your network
while resolving issues with minimal network disruption. No one feature can ensure
security, but by using a number of features in concert, you can substantially
improve the security of your network.
The following list provides a brief overview of some of the
available security features:
- ACLs (Access Control Lists)—ACLs are policy files used by the ACL application
to make filtering and forwarding decisions on incoming packets. Each packet
arriving on an ingress port is compared to the ACL applied to that port and is
either permitted or denied.
For more information about using ACLs to control and
limit network access, see Security.
- CLEAR-Flow—CLEAR-Flow inspects Layer 2 and Layer 3 packets,
isolates suspicious traffic, and enforces policy-based mitigation actions.
Policy-based mitigation actions include the switch taking an immediate,
predetermined action or sending a copy of the traffic off-switch for analysis.
For more information about CLEAR-Flow, see CLEAR-Flow.
- Denial of Service Protection—DoS protection is a dynamic
response mechanism used by the switch to prevent critical network or computing
resources from being overwhelmed and rendered inoperative. In essence, DoS
protection protects the switch, CPU, and memory from attacks and attempts to
characterize the attack (or problem) and filter out the offending traffic so
that other functions can continue. If the switch determines it is under attack,
the switch reviews the packets in the input buffer and assembles ACLs that
automatically stop the offending packets from reaching the CPU. For increased
security, you can enable DoS protection and establish CLEAR-Flow rules at the
same time.
For more information about DoS attacks and DoS
protection, see Denial of Service Protection.
- Network Login—Controls the admission of user packets and access rights,
thereby preventing unauthorized access to the network. Network login is
controlled on a per-port basis. When network login is enabled on a port in a
VLAN (Virtual LAN), that port does not forward any packets until authentication
takes place. Network login supports three types of authentication: web-based,
MAC-based, and 802.1X.
For more information about network login, see Network Login.
- Policy Files—Text files that contain a series of rule
entries describing match conditions and actions to take. Policy files are used
by both routing protocol applications (routing policies) and the ACL application
(ACLs).
For more information about policy files, see
Routing Policies.
- Routing Policies—Policy files used by routing protocol
applications to control the advertisement, reception, and use of routing
information by the switch. By using policies, a set of routes can be selectively
permitted or denied based on their attributes for advertisements in the routing
domain. Routing policies can be used to “hide” entire networks or to trust only
specific sources for routes or ranges of routes.
For more
information about using routing policies to control and limit network
access, see .
- sFlow—A technology designed to monitor network traffic by
using a statistical sampling of packets received on each port. sFlow also uses
IP headers to gather information about the network. By gathering statistics
about the network, sFlow becomes an early warning system, notifying you when
there is a spike in traffic activity. Upon analysis, common response mechanisms
include applying an ACL, changing QoS (Quality of Service) parameters, or modifying
VLAN settings.
For more information, see Using sFlow.
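The following is an added example, constructed for this page rather than taken from Extreme Networks' own sample configurations, showing the two uses of policy files described above: an ACL policy that filters ingress traffic and a routing policy that hides all but two prefixes from the routing table. The entry names, port list, addresses, prefixes and the OSPF binding are assumptions chosen for illustration; confirm the exact command syntax against the command reference for your ExtremeXOS release.

```text
# --- acl_block_mgmt.pol (constructed example) ---
# ExtremeXOS ACL policy file. Entries are evaluated top to bottom and the
# first matching entry decides the action for the packet.
# Addresses and counter names below are hypothetical.
entry deny_telnet {
    if {
        protocol tcp;
        destination-port 23;
    } then {
        deny;
        count telnet_denied;
    }
}
entry permit_ssh_from_mgmt {
    if {
        protocol tcp;
        source-address 192.0.2.0/24;
        destination-port 22;
    } then {
        permit;
    }
}
entry deny_other_ssh {
    if {
        protocol tcp;
        destination-port 22;
    } then {
        deny;
        count ssh_denied;
    }
}
# Explicit catch-all: an empty match block matches every packet, so the
# policy does not depend on the platform default for unmatched traffic.
entry permit_rest {
    if {
    } then {
        permit;
    }
}

# --- ospf_hide_internal.pol (constructed example) ---
# Routing policy: only the two summary prefixes are accepted; every other
# route is denied, which "hides" the rest of the internal network.
entry permit_summaries {
    if match any {
        nlri 10.10.0.0/16;
        nlri 10.20.0.0/16;
    } then {
        permit;
    }
}
entry deny_everything_else {
    if {
    } then {
        deny;
    }
}

# --- Applying and verifying (CLI, assumed port list 1:1-1:24) ---
# Copy both .pol files into /config on the switch, then:
check policy acl_block_mgmt
check policy ospf_hide_internal
configure access-list acl_block_mgmt ports 1:1-1:24 ingress
configure ospf import-policy ospf_hide_internal
show access-list
show access-list counter
```

The `check policy` step validates syntax before anything is applied; `show access-list counter` lets you confirm that the `telnet_denied` and `ssh_denied` counters increment when the blocked traffic is generated, which is the quickest way to prove the filter is in place on the intended ports.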