203 Training

Transcript 203 Training

Product Overview
PART III: Virtual LANs, Routing, Authenticated VLANs, Firewalls
Flat networks don’t scale
Networks based on LAN switches are flat networks
(diagram: a single flat, bridged network)
VLANs
A VLAN is a collection of users contained in a broadcast domain
VLANs allow for better isolation of broadcast traffic
- enrollment in VLANs can be simplified with AutoTracker
- VLANs can extend over the entire enterprise
- VLANs can work with DHCP
- VLANs can be “trunked” across high-speed links
- stations join VLANs by matching policies
  - policy matching is performed on the switch
- VLANs can span across all media interfaces
Segmentation is required
Networks must be segmented, but what are these segments?
(diagram: four segments, Segment 1 through Segment 4)
VLANs provide segmentation
- switch-centric model with VLANs
  - the routing function provides logical connectivity between the VLANs
Policy-based VLANs
VLANs become more flexible and easier to manage
- policies are applied uniformly to all devices
- a device can meet more than one policy, and so belong to more than one VLAN
- devices stay in their VLAN even when moved
(diagram: devices identified by MAC address and by IP subnet, each assigned to one or more VLANs)
Subnet-based VLANs
One of the most useful VLAN types is the “Layer 3 address-based VLAN”
- VLAN membership based on layer 3 address (e.g., subnet)
(diagram: four subnets, Subnet 1 through Subnet 4, each mapped to its own VLAN)
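The policy matching the two slides above describe, as an added example in Python (this is not Xylan's AutoTracker code, and the port numbers, MAC addresses and subnets are constructed for the demo). A VLAN carries one or more policies of the kinds the deck lists (port, MAC address, protocol type, network address); a station joins every VLAN whose policies it matches, so one station can sit in several VLANs, and a station matched by MAC or subnet keeps its VLAN when it is moved to another port:

```python
"""Policy-based VLAN membership on a switch, as an added example.

Not Xylan's AutoTracker code.  A VLAN carries one or more policies of the kinds the
slides list (port, MAC address, protocol type, network address / subnet); a station
joins every VLAN whose policies it matches, so one station may be in several VLANs,
and a station matched by MAC or subnet keeps its VLAN when it is moved to another port.
All ports, addresses and subnets below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

ETH_IP = 0x0800
ETH_IPX = 0x8137
DEFAULT_VID = 1   # where a station lands when no policy matches


@dataclass(frozen=True)
class Station:
    """What the switch learns from a station's frames: ingress port, source MAC,
    EtherType (protocol) and, for IP, the source address."""
    port: int
    mac: str
    ethertype: int
    ip: Optional[str] = None


@dataclass
class Vlan:
    vid: int
    ports: Set[int] = field(default_factory=set)
    macs: Set[str] = field(default_factory=set)
    protocols: Set[int] = field(default_factory=set)
    subnets: List[ipaddress.IPv4Network] = field(default_factory=list)

    def matches(self, s: Station) -> bool:
        """Any one policy is enough for membership."""
        if s.port in self.ports or s.mac.lower() in self.macs or s.ethertype in self.protocols:
            return True
        if s.ip is not None and s.ethertype == ETH_IP:
            addr = ipaddress.ip_address(s.ip)
            return any(addr in net for net in self.subnets)
        return False


def classify(station: Station, vlans: List[Vlan]) -> Set[int]:
    """All VLANs the station belongs to, or the default VLAN if none match."""
    members = {v.vid for v in vlans if v.matches(station)}
    return members or {DEFAULT_VID}


def demo_vlans() -> List[Vlan]:
    """Constructed policy set for the demo."""
    return [
        Vlan(10, subnets=[ipaddress.ip_network("10.1.0.0/16")]),   # engineering subnet
        Vlan(20, protocols={ETH_IPX}),                              # legacy IPX clients
        Vlan(30, macs={"02:07:01:18:a9:2b"}),                       # one specific printer
        Vlan(40, ports={7, 8}),                                     # lab ports
    ]


if __name__ == "__main__":
    vlans = demo_vlans()
    pc = Station(3, "02:07:01:a3:ef:1a", ETH_IP, "10.1.4.9")
    print("pc on port 3 ->", classify(pc, vlans))                     # {10}
    print("same pc on port 12 ->", classify(Station(12, pc.mac, ETH_IP, pc.ip), vlans))   # still {10}
    printer = Station(7, "02:07:01:18:a9:2b", ETH_IP, "10.1.4.20")
    print("printer on lab port ->", classify(printer, vlans))          # {10, 30, 40}
    print("ipx box ->", classify(Station(5, "02:07:01:00:00:01", ETH_IPX), vlans))          # {20}
    print("stranger ->", classify(Station(5, "02:07:01:00:00:02", ETH_IP, "192.0.2.7"), vlans))  # {1}
```

Note what a subnet policy trusts: the source IP address the station itself put in the frame. That makes layer 3 address-based VLANs a management convenience rather than an access control, which is why the deck pairs them later with port binding and user-authenticated VLANs.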
Summary: VLAN standards update
VLANs are required in large switched networks
VLAN frame tagging may be accomplished with:
- LAN Emulation
- 802.10 (to some routers over some media)
- vendor proprietary (oops, pre-standard)
- 802.1q
  - this is the standard being developed by IEEE 802.1 for VLAN frame tagging, expected ratification Q3/97
VLANs also play an important role in layer 3 switching (more later)
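The 802.1q tagging the summary refers to, shown in working Python as an added example (not code from the deck or from any vendor). The field layout is the one 802.1Q ended up with when it was ratified as 802.1Q-1998: a 4-byte tag after the source MAC, made of the TPID 0x8100 and a 16-bit TCI holding a 3-bit priority, a 1-bit CFI and a 12-bit VID, where VID 0 means "priority tagged, no VLAN" and VID 4095 is reserved. The frames are constructed for the demo; `ingress_vid` is this example's own helper, not a product feature:

```python
"""IEEE 802.1Q frame tagging: build, parse, and decide which VID a switch should honour.

Added example, not Xylan's code or any vendor's.  Tag layout per 802.1Q as ratified
(802.1Q-1998): after the source MAC, TPID 0x8100 then a 16-bit TCI = 3-bit PCP,
1-bit CFI, 12-bit VID.  VID 0 is "priority tagged, no VLAN"; VID 4095 is reserved.
The frames below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETH_IP = 0x0800
VID_NULL = 0x000      # priority-tagged frame: carries a PCP but identifies no VLAN
VID_RESERVED = 0xFFF


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None when untagged or priority-tagged
    pcp: int
    ethertype: int       # the EtherType after the tag (or the only one, if untagged)
    payload: bytes


def _mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_to_bytes(s: str) -> bytes:
    return bytes(int(part, 16) for part in s.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame when vid is None, otherwise insert a 4-byte 802.1Q tag."""
    head = _mac_to_bytes(dst) + _mac_to_bytes(src)
    if vid is None:
        return head + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= VID_RESERVED or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    tci = (pcp << 13) | vid            # CFI bit left 0 (canonical MAC format)
    return head + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Split a frame into its addresses, optional 802.1Q tag fields, EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = _mac_to_str(raw[0:6]), _mac_to_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    vid = tci & 0x0FFF
    if vid == VID_RESERVED:
        raise ValueError("VID 4095 is reserved and must not appear on the wire")
    return Frame(dst, src, None if vid == VID_NULL else vid, tci >> 13, inner_type, raw[18:])


def ingress_vid(frame: Frame, port_is_trunk: bool, port_vid: int) -> int:
    """VID the switch should forward on (this example's own rule, not a product feature):
    the tag is trusted only on trunk ports; on an access port the port's configured VLAN
    wins, so an end station cannot choose its own VLAN by sending a tagged frame."""
    if port_is_trunk and frame.vid is not None:
        return frame.vid
    return port_vid


if __name__ == "__main__":
    raw = build_frame("ff:ff:ff:ff:ff:ff", "02:07:01:18:a9:2b", ETH_IP, b"\x45\x00", vid=100, pcp=5)
    f = parse_frame(raw)
    print(f"tagged: vid={f.vid} pcp={f.pcp} type=0x{f.ethertype:04x}")
    print("trunk ->", ingress_vid(f, True, 1), "access ->", ingress_vid(f, False, 1))
```

The `ingress_vid` rule is the practical point of the format: a tag is a statement by whoever built the frame, so a switch should only act on it where it trusts the sender, i.e. on trunk links between switches and routers, never on a port where an arbitrary station can plug in.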
Routing
VLANs (and ELANs) necessitate routing
(diagram: VLAN 1 through VLAN 4 interconnected by a router)
Where do routers go, anyway?
- Traditional hub / router architecture: routers form the backbone
- Replace hubs with LAN switches: routers still form the backbone
- But with servers increasingly being centralized… are we really improving performance? Are these LAN switches really doing anything? No, the routers are in the way
- A fully switched network is required
  - but, since VLANs (or ELANs) are required, so is routing
(diagrams: hubs and switches hanging off a router backbone, then a fully switched network)
Routing in a switched network
- Option 1: use routers
  - a “one-armed router” attached to the switch, reached over 802.1q, LANE 1.0, 802.10, or separate connections per VLAN
- Option 2: embed routing in the LAN or ATM switch
- Option 3: put routing in hardware
  - packet-by-packet layer 3 switching
(diagrams: VLAN 1, VLAN 2 and VLAN 3 interconnected by each of the three options)
Summary: routing
Routing is required in any large data network
The key question faced by many organizations today is what to do with existing routers
- routers can continue to be used to forward traffic between layer 2 domains (VLANs, ELANs)
  - vastly fewer are required
- routing can be performed by LAN / ATM switches
Security with Authenticated VLANs
Xylan’s position on security
Security on a switch is unique
- Xylan is not a security vendor but a switch vendor with a differentiated product line
Xylan partners with market leaders
- Check Point (firewall and authentication)
- others (complete security solution)
Partners are needed to assist with the security solution:
- security vulnerability assessment and policy creation
- security design
- security product and procedure implementation
- security verification, maintenance and monitoring
Policy-based VLANs
(diagram: a timeline of VLAN generations, from Generation 1: The Basics, through Generation 2: Internetworking and Generation 3: Application / Service, to Generation 4: Nomadic; it also labels Port Bindings and Enterprise-wide VLANs)
VLAN policy types:
1. Port
2. MAC address
3. Protocol type
4. Network address
5. Multicast address
6. Custom defined
7. DHCP Port & MAC
8. User Authenticated
Port binding VLANs
Problem: secured vs. unsecured
- data centers are physically secured
  - hopefully, so is our equipment
- work areas are typically less secure than data centers
  - more people come and go - additional security needed
(diagram: less-secure premises next to a secure data center)
Port binding VLANs
Port binding VLANs lock a device to a port
- this port-locking ability is unique to Xylan
- ideal for non-mobile systems (like printers & servers)
- if the device moves from its allocated location, it will not be allowed to communicate over the network
- if the network address does not match the port and MAC, it is not authorized (a defence against IP spoofing)
- limits which protocol a device can use on the network
Port binding rules
- port bound to MAC and protocol (IP or IPX)
- port bound to MAC and network address (IP only)
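The two binding rules above as enforcement logic, an added example in Python rather than Xylan's switch code. It models rule 1 (port bound to MAC and protocol) and rule 2 (port bound to MAC and IP network address) and refuses a bound MAC that shows up on any other port, which is the "device moved" case the slide describes. Ports, MACs and addresses are constructed for the demo:

```python
"""Port binding VLAN enforcement, as an added example (not Xylan's switch code).

Models the two binding rules on the slide: a port bound to a MAC and a protocol
(IP or IPX), and a port bound to a MAC and an IP network address.  A frame is only
allowed through when it arrives on the bound port, from the bound MAC, using the bound
protocol and, for the second rule, the bound source IP; a bound MAC showing up on any
other port is treated as a moved (or impersonated) device and refused.  All ports and
addresses below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

ETH_IP = 0x0800
ETH_IPX = 0x8137


@dataclass(frozen=True)
class Binding:
    port: int
    mac: str
    protocol: int             # ETH_IP or ETH_IPX (rule 1)
    ip: Optional[str] = None  # set for the "MAC + network address" rule (rule 2, IP only)


class PortBindingTable:
    def __init__(self, bindings: Iterable[Binding]) -> None:
        self.by_port: Dict[int, Binding] = {}
        self.by_mac: Dict[str, Binding] = {}
        for raw in bindings:
            if raw.ip is not None and raw.protocol != ETH_IP:
                raise ValueError("network-address binding is IP only")
            b = Binding(raw.port, raw.mac.lower(), raw.protocol, raw.ip)
            if b.port in self.by_port or b.mac in self.by_mac:
                raise ValueError("a port or MAC may carry only one binding")
            self.by_port[b.port] = b
            self.by_mac[b.mac] = b

    def check(self, port: int, src_mac: str, ethertype: int,
              src_ip: Optional[str] = None) -> Tuple[bool, str]:
        """Decide whether a frame from (port, src_mac, ethertype, src_ip) may be forwarded."""
        mac = src_mac.lower()
        bound_here = self.by_port.get(port)
        bound_elsewhere = self.by_mac.get(mac)
        if bound_here is None:
            if bound_elsewhere is not None:
                return False, f"MAC {mac} is bound to port {bound_elsewhere.port}, not {port} (device moved)"
            return True, "port carries no binding"
        if mac != bound_here.mac:
            return False, f"port {port} is locked to MAC {bound_here.mac}"
        if ethertype != bound_here.protocol:
            return False, f"protocol 0x{ethertype:04x} not permitted on port {port}"
        if bound_here.ip is not None and src_ip != bound_here.ip:
            return False, f"source IP {src_ip} does not match bound address {bound_here.ip} (spoofing)"
        return True, "matches binding"


def demo_table() -> PortBindingTable:
    """Constructed bindings for the demo: a file server and a printer."""
    return PortBindingTable([
        Binding(1, "02:07:01:18:a9:2b", ETH_IP, ip="10.0.0.5"),   # file server: MAC + IP (rule 2)
        Binding(2, "02:07:01:a3:ef:1a", ETH_IPX),                 # printer: MAC + protocol (rule 1)
    ])


if __name__ == "__main__":
    t = demo_table()
    for args in [(1, "02:07:01:18:a9:2b", ETH_IP, "10.0.0.5"),    # legitimate server frame
                 (1, "02:07:01:18:a9:2b", ETH_IP, "10.0.0.99"),   # server MAC, spoofed IP
                 (3, "02:07:01:18:a9:2b", ETH_IP, "10.0.0.5"),    # server MAC on the wrong port
                 (2, "02:07:01:a3:ef:1a", ETH_IP, "10.0.0.7")]:   # printer talking IP, not IPX
        print(args, "->", t.check(*args))
```

The check is deliberately on the source side of each frame (ingress port, source MAC, EtherType, source IP), because that is the only information a layer 2 switch has about who is speaking; it says nothing about where the frame is going, which is what the inter-VLAN firewalling later in the deck is for.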
User-authenticated VLANs
Authenticated VLAN access
- secure user mobility within the enterprise, including over the WAN
- support for third-party authentication systems
- simplified and deterministic security policies
- VLAN membership based on user profiles
  - authentication alone does not limit where a user can go; that is determined by user authorization: individual privileges vary though users may share the same network
A-VLANs overview
1. The client logs on through the agent (switch) and establishes access privileges
2. The CP (Check Point) or 3rd-party server authenticates the user, and the CP authentication and authorization server authorizes the user’s VLAN privileges
3. The client is authorized to connect to specific VLAN(s)
(diagram: the client first sits in a secured authentication VLAN, then is placed in VLAN A or VLAN B to reach authorized resource A or B)
A-VLANs applications
A-VLANs are ideal for mobile workforces
- colleges and universities; public utilities companies; medical environments; sales organizations
1. User connects into a Xylan switch port and is prompted for login
2. CP or 3rd party server (reached over the WAN) authenticates the user and the CP server authorizes the user’s VLAN privileges
3. User placed in the authorized VLAN
A-VLAN applications
A-VLANs are ideal for service providers
- central or regional access points - preserving MAC address
- perimeter authentication and authorization
- provider can charge different fees for base and supplemental access privileges
(diagram: a POP of secure switches and authentication servers between the access network and the Internet; e.g., Group/VLAN Blue with X-privileges)
A-VLAN architecture
- Client: MAC s/w for Win95/NT, or Telnet
- Agent: OmniSwitch / PizzaSwitch / OmniStack
- Authentication & authorization server (AMC): NT (Unix)
- 3rd party authentication server: Security Dynamics, AssureNet, RADIUS
A-VLAN requirements
Software
- loadable on the MPM
- MAC-based client authentication requires Win95 or NT
Hardware
- server running NT (R3.2) or Unix (1H98)
- switch port is either Ethernet or token ring
Network
- ports must be spanning tree leaf nodes
  - no router between (must deliver user’s MAC address)
- desirable for one end system per port
  - will operate on a shared segment
A-VLAN components
Server (management console)
- host system running Check Point Firewall-1 server software
  - NT - initial release
  - Unix (Solaris, SunOS, HP, AIX) - later release
- one required per enterprise
- backup authentication server option
  - if primary fails, backup connection attempted
  - both servers are configured and managed separately
- user ID, password, and authorized VLAN data manually entered or taken from a common database
- user/authorization database always resides on the AMC
  - authentication element can be third-party
A-VLAN components
Authentication management console
- AMC provides both authentication and authorization
  - authentication = you are who you say you are
  - authorization = rights and privileges
- authentication on AMC is accomplished via (w/out 3rd party):
  - S/Key
  - FW-1 password
  - OS password
- 3rd party platforms are only used for authentication:
  - Security Dynamics SecurID
  - AssureNet SecureNet Key
  - RADIUS
A-VLAN components
Agent
- authentication and authorization software in the switch MPM
  - implements and applies profiles configured in the server
- supports flows from Telnet and MAC-based clients
  - agent supplies banner, log-in prompt, etc. from the server
  - client sends user ID, password and any other challenge response
  - agent conveys successful/unsuccessful log-in attempts
- contains log-on and log-off support
  - for log-off, the user’s MAC is removed from the database
  - to reattach, the user must repeat the login process
  - switch’s VLAN software recognizes a down condition
  - configurable inactivity timer (20 min default)
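The agent and server behaviour described on the overview, AMC and agent slides, modelled in Python as an added example (not Xylan's agent or AMC code). The server side authenticates and then authorizes a set of VLANs; the real product does this with S/Key, FW-1 or OS passwords or a third-party system, and a salted PBKDF2 verifier stands in for that here. The agent keeps one session per station MAC, answers "which VLANs?" for the forwarding path, and drops the MAC on log-off, on a port-down condition, and when the 20-minute inactivity timer expires, after which the user must log in again. Users, passwords, ports and MACs are constructed for the demo:

```python
"""Authenticated VLAN (A-VLAN) session handling, as an added example.

Not Xylan's agent or AMC code.  Models the exchange the slides describe: the
authentication server (AMC) authenticates a user (a salted PBKDF2 verifier stands in
for S/Key, FW-1/OS passwords or a third-party system) and authorises a set of VLANs;
the agent on the switch keeps a session per station MAC, places an unauthenticated
station in the secured authentication VLAN, moves it to its authorised VLAN(s) after a
successful login, and removes the MAC on log-off, link down, or once the inactivity
timer (20 minutes by default) runs out.  Users, passwords and MACs are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

AUTH_VLAN = 99                  # secured authentication VLAN: all an unauthenticated station sees
INACTIVITY_TIMEOUT = 20 * 60    # seconds; the slide's default
_DUMMY_SALT = bytes(16)


class AuthServer:
    """Stand-in for the AMC: authentication (you are who you say) + authorisation (rights)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, frozenset]] = {}

    @staticmethod
    def _verifier(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, user: str, password: str, vids: Set[int]) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._verifier(salt, password), frozenset(vids))

    def login(self, user: str, password: str) -> Optional[Set[int]]:
        """Authorised VIDs on success, None on failure.  An unknown user costs the same
        hash work as a wrong password so the two cannot be told apart by timing."""
        rec = self._users.get(user)
        if rec is None:
            self._verifier(_DUMMY_SALT, password)
            return None
        salt, verifier, vids = rec
        if not hmac.compare_digest(verifier, self._verifier(salt, password)):
            return None
        return set(vids)


@dataclass
class Session:
    user: str
    port: int
    vids: Set[int]
    last_activity: float


class Agent:
    """The switch-side agent: one session per station MAC."""

    def __init__(self, server: AuthServer, timeout: float = INACTIVITY_TIMEOUT) -> None:
        self.server = server
        self.timeout = timeout
        self.sessions: Dict[str, Session] = {}
        self.failed_logins: List[Tuple[float, int, str, str]] = []   # (time, port, mac, user)

    def vlans_for(self, mac: str) -> Set[int]:
        """What the forwarding path asks: the station's VLANs, or the auth VLAN only."""
        s = self.sessions.get(mac.lower())
        return set(s.vids) if s else {AUTH_VLAN}

    def login(self, port: int, mac: str, user: str, password: str, now: float) -> bool:
        mac = mac.lower()
        vids = self.server.login(user, password)
        if vids is None:
            self.failed_logins.append((now, port, mac, user))   # conveyed to the server as a failed attempt
            return False
        self.sessions[mac] = Session(user, port, vids, now)
        return True

    def activity(self, mac: str, now: float) -> None:
        """Called as frames arrive from an authenticated MAC; resets the inactivity clock."""
        s = self.sessions.get(mac.lower())
        if s is not None:
            s.last_activity = now

    def logoff(self, mac: str) -> None:
        self.sessions.pop(mac.lower(), None)

    def port_down(self, port: int) -> None:
        """The switch saw the link drop: every session learned on that port goes away."""
        for mac in [m for m, s in self.sessions.items() if s.port == port]:
            del self.sessions[mac]

    def expire(self, now: float) -> List[str]:
        """Remove sessions idle for at least the timeout; returns the MACs dropped."""
        stale = [m for m, s in self.sessions.items() if now - s.last_activity >= self.timeout]
        for m in stale:
            del self.sessions[m]
        return stale
```

Because the session is keyed by the station's MAC address, anything on the same segment that can send frames with that MAC inherits the VLANs until the session ends; that is the reason the requirements slide asks for one end system per port and for no router between the station and the switch.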
A-VLAN components
Client
- location-independent -- assuming the client is attached to a switch
  - authentication/authorization based on the user’s MAC info
- Xylan’s MAC client software supports Win95 or NT
  - runs on Windows boot-up or explicitly after Windows is activated
  - Xylan’s XCAP protocol allows MAC level access prior to obtaining an IP address (from a DHCP server)
  - does not require a TCP/IP stack
- Telnet-capable end station
  - requires a TCP/IP stack (any vendor)
  - Telnet to special port (259)
A-VLAN performance
Performance is impacted during log-in/log-out periods, but not once connected
- max number of users per server ~13,000
- max number of simultaneous user logins ~100
  - important consideration for the beginning of the workday
Client login impact
- Win95/NT: none (no session held open)
  - server and agent respond to individual requests
- Telnet: yes (the Telnet session stays open until the login is validated)
IP Firewall
Protection Through Partnership: Check Point Software Technologies Ltd.
Why partner?
The right solutions… the best solutions
- Xylan - Best In Class switching
- Check Point - Best In Class access control
- result: first secure, policy-based switching platform
Centralize management for the entire enterprise
- access control
- user authenticated and authorized VLAN access
Firewall policies deployable throughout the enterprise
- between the trusted and untrusted world (Internet)
- between internal resources
- between VLANs
Enterprise security - Internet application
Implementation of public/private security policies
Enterprise security - Intranet application
Policies for enterprise-wide communication
Enterprise security - Extranet application
Secure communication between partners
(diagram, repeated on each of the three slides: partner site, corporate network, remote user, Internet, remote office, DMZ network)
Inter-VLAN firewalling
Guard against internal snooping
- ideal design based on the 80/20 rule (roughly 80% of traffic stays within a VLAN, 20% crosses between VLANs)
  - intra-VLAN traffic at layer 2 switching speed
  - inter-VLAN traffic at layer 3 speeds -- firewall this traffic
(diagram: VLAN Blue and VLAN Red separated by the firewall)
IP Firewall - access rules and policies
- simple GUI-based configuration
- complete: over 160 applications and protocols supported out of the box
- centrally-defined security rules
- investment protection: extensible to new services and applications
IP Firewall - event logs
(screenshot of the firewall event log)
Summary
- Security on a switching platform is unique to Xylan
- VLANs can now be considered an additional level of security
  - port binding VLANs
  - user-authenticated VLANs (not the same as the user authentication found in IP Firewall)
- With IP Firewall, Xylan switches are not only the fastest any-to-any switches but also the most secure