Security Features Overview
Security is a term that covers several different aspects of
network use and operation.
One general type of security is control of the devices or users that can
access the network. Ways of doing this include authenticating the user at the point
of logging in, controlling access by defining limits on certain types of traffic, or
protecting the operation of the switch itself. Security measures in this last
category include routing policies that can limit the visibility of parts of the
network or denial of service protection that prevents the CPU from being overloaded.
Another general type of security is data integrity and confidentiality, which is
provided by the MACsec protocol. Finally, management functions for the switch can be
protected from unauthorized use. This type of protection uses various types of user
ExtremeXOS has enhanced security features designed to protect,
rapidly detect, and correct anomalies in your network. Extreme Networks products
incorporate a number of features designed to enhance the security of your network
while resolving issues with minimal network disruption. No one feature can ensure
security, but by using a number of features in concert, you can substantially
improve the security of your network.
The following list provides a brief overview of some of the
available security features:
- ACLs—ACLs are policy files used by the ACL application to perform packet
filtering and forwarding decisions on incoming traffic and packets. Each packet
arriving on an ingress port is compared to the ACL applied to that port and is
either permitted or denied.
For more information about using ACLs to control
and limit network access, see ACLs.
- CLEAR-Flow—CLEAR-Flow inspects Layer 2 and Layer 3 packets,
isolates suspicious traffic, and enforces policy-based mitigation actions.
Policy-based mitigation actions include the switch taking an immediate,
predetermined action or sending a copy of the traffic off-switch for analysis.
For more information about CLEAR-Flow, see CLEAR-Flow.
- Denial of Service Protection—DoS protection is a dynamic
response mechanism used by the switch to prevent critical network or computing
resources from being overwhelmed and rendered inoperative. In essence, DoS
protection protects the switch, CPU, and memory from attacks and attempts to
characterize the attack (or problem) and filter out the offending traffic so
that other functions can continue. If the switch determines it is under attack,
the switch reviews the packets in the input buffer and assembles ACLs that
automatically stop the offending packets from reaching the CPU. For increased
security, you can enable DoS protection and establish CLEAR-Flow rules at the
For more information about DoS attacks and DoS
protection, see Denial of Service Protection.
- Network Login—Controls the admission of user packets and
access rights thereby preventing unauthorized access to the network. Network
login is controlled on a per port basis. When network login is enabled on a port
in a VLAN, that port does not
forward any packets until authentication takes place. Network login is capable
of three types of authentication: web-based, MAC-based, and 802.1X.
For more information about network login, see Network Login.
- Policy Files—Text files that contain a series of rule
entries describing match conditions and actions to take. Policy files are used
by both routing protocol applications (routing policies) and the ACL application
For more information about policy files, see
- Routing Policies—Policy files used by routing protocol
applications to control the advertisement, reception, and use of routing
information by the switch. By using policies, a set of routes can be selectively
permitted or denied based on their attributes for advertisements in the routing
domain. Routing policies can be used to “hide” entire networks or to trust only
specific sources for routes or ranges of routes.
information about using routing policies to control and limit network
access, see .
- sFlow—A technology designed to monitor network traffic by
using a statistical sampling of packets received on each port. sFlow also uses
IP headers to gather information about the network. By gathering statistics
about the network, sFlow becomes an early warning system, notifying you when
there is a spike in traffic activity. Upon analysis, common response mechanisms
include applying an ACL, changing QoS parameters, or modifying
For more information, see Using sFlow.
- MAC Security
(MACsec)—A protocol designed to provide data integrity (ensure data has not been
altered in an unauthorized manner) and data confidentiality (ensure data cannot
be read by an unauthorized party). This feature provides line rate data
encryption/decryption by the use of specialized cryptographic hardware.
5320 and 5420 series switches cannot achieve line
rate and are capped at 50MB/switch.
For more information about
MACsec, see MAC Security with Pre-shared Key Authentication.