Extreme is the only company in the industry that takes an architectural approach to bringing products to market (from R&D to product release). Everything we do and create is a part of this Software Defined Architecture [SDA]. Wireless LAN, Wired LAN, Data Center -- It starts with highly reliable, high performance infrastructure. This is our heritage and we have always been outstanding at this: WiFi, Campus LAN all the way to the Data Center. (Ranging from your user to the applications they consume.)
ExtremeXOS -- On top of this, we use a single, consistent and differentiated OS called EXOS (next-gen hardware will run on EXOS). Lots of companies make high-performance hardware, so to truly offer value-added differentiation we include an integrated layer of software in our architecture.
Network Management & BYOD -- We fully integrate management across our entire portfolio. We are very proud that in only 5 months, NetSight became the management platform for the entire portfolio. This was an emphatic message to the market that we take a different approach aligned to our SDA. NetSight has a single, integrated database for all aspects of management. This streamlines operations, enables dynamic management and removes the manual aspect of correlating information.
Application Analytics -- Purview offers application layer analytics, so you can understand what is happening on your network, you can optimize your environment, help increase productivity and measure adoption. Purview allows you to deliver both tactical and strategic information to make better more rapid business decisions.
Finally, we offer orchestration across the entire architecture. Whether that infrastructure is multi-vendor or not. Orchestration within the data center is available across virtualized workloads and consolidated storage and compute. Extreme is the only company in the industry committed to this type of integration, backward compatibility and openness to support technology partners and third party vendors. Many in the industry have grown through M&A, successfully so, however it has led to a portfolio with lots of products that are not integrated through management or orchestration. Each time you add a product, it increases your complexity with the introduction of a new disparate management tool.
Webinar - Easy multi-factor authentication strategies and PCI DSS (onionid12)
In this webinar we will discuss the use of multi-factor authentication (MFA), and the new mandate in the latest version of PCI Data Security Standard, PCI DSS 3.2. MFA goes beyond traditional password-based approaches by combining multiple features, such as biometrics, behavioral patterns, and context information. In addition to covering these, the webinar will also address the problem of selecting the right combination of features for a business, given its unique priorities and circumstances. Learn how to comply with PCI DSS 3.2's MFA mandate for admin and user accounts.
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects (Maxim Salnikov)
The ForgeRock Identity Platform and Edge security solution can turn any IoT device into a secure, trusted active subject, enrolled and on-boarded from a hardware-based root of trust to become an autonomous entity in your business relationship ecosystem, represented by a digital twin.
An introduction to Solus - learn how Solus is combatting cyber crime and online security breaches with its secure, easy-to-use authentication platform. Its multi-factor application uses biometric identification and scrambled pinpad technology and can be integrated with enterprise apps.
Internet of Things: Identity & Security with Open Standards (George Fletcher)
While the Internet of Things (IoT) is growing significantly in the number of devices and capabilities, there is little thought given to security by the manufacturers and software developers for these devices. This talk will explore one mechanism, using open standards, to add a layer of security and convenience for devices connecting to a personal cloud including the challenges that exist to make it a reality.
Organizations need to evolve beyond the basic username and password and secure online transactions with a range of strong authentication options.
Combat the Latest Two-Factor Authentication Evasion Techniques (IBM Security)
In the wake of the 2005 FFIEC regulation calling for stronger security methods, financial institutions have adopted two-factor authentication (2FA) as a means to mitigate online fraud.
Historically, 2FA measures such as security questions, one-time passwords, physical tokens, SMS authentication and USB tokens have been able to effectively stop fraud attacks. However, in the fast-paced arms race that is the war against financial crime, cybercriminals are starting to take the upper hand by developing increasingly sophisticated techniques that bypass 2FA.
In this presentation, Ori Bach, Senior Security Strategist at IBM Trusteer, demonstrates several of the 2FA-beating techniques and explains how cybercriminals:
- Hijack authenticated banking sessions by directly taking over victims' computers
- Make use of fake overlay messages to trick victims into surrendering their tokens
- Beat one-time passwords sent to mobile devices
- Purchase fraud tool-kits to bypass 2FA
View the on-demand recording: https://attendee.gotowebinar.com/recording/6080887905844019714
USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIO-METRIC AUTHENTICATION
PortalGuard’s Flexible Two-factor Authentication options are designed as strong authentication methods for securing web applications. PortalGuard leverages a one-time password (OTP) as a factor to further prove a user's identity. The OTP can be delivered via SMS, email, printer, or transparent token. Configurable by user, group or application, this is a cost-effective approach to stronger authentication security.
Tutorial: http://pg.portalguard.com/flexible_two-factor_tutorial
Modern Cyber Threat Protection Techniques for Enterprises (Abhinav Biswas)
Presentation delivered for Management Development Programme on "Information and Cyber Security" at Institute of Public Enterprise, Hyderabad on 12th September, 2015.
Enabling Data Protection through PKI Encryption in IoT m-Health Devices (Charalampos Doukas)
Short presentation about a gateway-based solution for medical data encryption and the Internet of Things. Paper presented at the 12th IEEE International Conference on BioInformatics and BioEngineering.
Ransomware webinar May 2016 final version external (Zscaler)
In the last few years, ransomware has taken the cybercrime world by storm. CryptoWall 3.0, one of the most lucrative and broad-reaching ransomware campaigns, was alone responsible for 406,887 infection attempts and accounted for about $325 million in damages in 2015. And, according to the Institute for Critical Infrastructure Technology, ransomware promises to wreak more havoc in 2016.
While individual users were once the preferred target of ransomware, perpetrators have increasingly set their sights on businesses and organizations. And you can bet that with larger targets, the ransom demands will increase accordingly.
Are you prepared for such an attack?
In this presentation we will highlight how ransomware can impact your business and why legacy security solutions don’t stand a chance against such threats.
Video now available at end of presentation slides!
Presentation on the Passwords '16 track at BSides Las Vegas discussing the improvements in password requirements being proposed in the NIST SP 800-63-3 preview draft.
A modern approach to safeguarding your ICS and SCADA systems (Alane Moran)
Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
Companies moving workloads to the AWS Cloud may look for additional help maintaining PCI Compliance, improving workload visibility, and creating consistent security across their IT environment. Palo Alto Networks’ VM-Series with GlobalProtect helps organizations segment and monitor network traffic coming from thousands of remote data collection devices, helping them ensure PCI Compliance. Join our upcoming webinar to hear Palo Alto Networks and AWS discuss best practices for creating consistent security across hybrid IT environments using VM-Series with GlobalProtect, and how Warren Rogers leveraged it to help achieve PCI Compliance. Leverage VM-Series as a subscription through the AWS Marketplace or as a Bring-Your-Own-License to exert positive control over applications, prevent threats within your application flows, and provide consistent security to your IT environment.
Join us to learn:
• Best practices for enabling application-level segmentation policies for services like Amazon Virtual Private Clouds
• How to help protect your AWS workload deployment from cyber threats while maintaining data segmentation
• How Warren Rogers implemented policies to control and monitor user activity within each defined group
Who Should Attend:
Directors, Security Managers, Security Engineers, Security Architects, IT System Administrators, System Administrators, IT Administrators, IT Managers, IT Architects, IT Security Engineers, Business Decision Makers
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
Expand Your Control of Access to IBM i Systems and Data (Precisely)
Controlling all the ways your company’s data is being accessed, especially given the proliferation of open source software and other non-traditional data-access methods, is critical to ensuring security and regulatory compliance. This webinar reviews the different ways your data can be accessed, discusses how exit points work and how they can be managed, and why a global data access control strategy is especially important to efficiently protect sensitive data against unwanted access.
Topics include:
• IBM i access methods and risks
• Using exit programs to block traditional and modern access methods
• Real life examples and perspectives
Controlling Access to IBM i Systems and Data (Precisely)
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Where is the 6 GHz beef?
The low number of channels available today forces users to share the available bandwidth and creates congestion. As each client station waits to transmit (or receive) data, congestion is caused by devices, Access Points and Stations, sharing the same channel. To better describe the impact of 6 GHz Wi-Fi, let us borrow the catchphrase "Where is the beef?". As a visual aid, begin with a hamburger bun with the 2.4 GHz and 5 GHz spectrum in the middle. The picture below may exaggerate a 20-year spectrum limitation. However, the visual expresses the potential of the 6 GHz range to deliver the spectrum beef.
The next generation Ethernet gangster (part 3) (Jeff Green)
The original competitors in the Ethernet market remind me of gang members who each had their unique advantages to win over their turf. Over the past few years, Extreme assembled seven gangers from a variety of backgrounds with their strengths to perform a mission and deliver a new level of value to our customers. Extreme has adopted a gangster strategy going against the grain of the market leader. So far, the gangster strategy has been a winning strategy. When market leaders were proposing proprietary solutions, Extreme went open Linux with “superspec.” When they pushed DNA and its additional complexity, Extreme responded by re-thinking the way networks are designed, deployed, and managed without vendor lock-in. Finally, when they tied service and licensing together with Cisco One, Extreme responded with added flexibility in licensing, services, and Extreme-as-a-service.
The next generation Ethernet gangster (part 2) (Jeff Green)
The original competitors in the Ethernet market remind me of gang members who each had their unique advantages to win over their turf. Over the past few years, Extreme assembled seven gangers from a variety of backgrounds with their strengths to perform a mission and deliver a new level of value to our customers. Extreme has adopted a gangster strategy going against the grain of the market leader. So far, the gangster strategy has been a winning strategy. When market leaders were proposing proprietary solutions, Extreme went open Linux with “superspec.” When they pushed DNA and its additional complexity, Extreme responded by re-thinking the way networks are designed, deployed, and managed without vendor lock-in. Finally, when they tied service and licensing together with Cisco One, Extreme responded with added flexibility in licensing, services, and Extreme-as-a-service.
The next generation Ethernet gangster (part 1) (Jeff Green)
The original competitors in the Ethernet market remind me of gang members who each had their unique advantages to win over their turf. Over the past few years, Extreme assembled seven gangers from a variety of backgrounds with their strengths to perform a mission and deliver a new level of value to our customers. Extreme has adopted a gangster strategy going against the grain of the market leader. So far, the gangster strategy has been a winning strategy. When market leaders were proposing proprietary solutions, Extreme went open Linux with “superspec.” When they pushed DNA and its additional complexity, Extreme responded by re-thinking the way networks are designed, deployed, and managed without vendor lock-in. Finally, when they tied service and licensing together with Cisco One, Extreme responded with added flexibility in licensing, services, and Extreme-as-a-service.
The next generation Ethernet gangster (part 3) (Jeff Green)
Today Extreme can be more aggressive, with confidence in knowing we can compete with anyone in the market. As the #1 market alternative, there are three critical reasons for including Extreme in your technology considerations: our end-to-end portfolio, our fabric, and our customer service. We are moving Extreme from a reactive, tactical vendor to a pro-active, strategic partner. When Extreme gets a seat at the table, and we bring our unique “sizzle,” we are the customer’s choice. Our customer retention rate is unmatched in the industry, according to Gartner.
Jeff Green
Extreme Networks
jgreen@extremenetworks.com
Mobile (772) 925-2345
https://prezi.com/view/BFLC71PVkoYVKBOffPAv/
The next generation Ethernet gangster (part 2) (Jeff Green)
Today Extreme can be more aggressive, with confidence in knowing we can compete with anyone in the market. As the #1 market alternative, there are three critical reasons for including Extreme in your technology considerations: our end-to-end portfolio, our fabric, and our customer service. We are moving Extreme from a reactive, tactical vendor to a pro-active, strategic partner. When Extreme gets a seat at the table, and we bring our unique “sizzle,” we are the customer’s choice. Our customer retention rate is unmatched in the industry, according to Gartner.
Jeff Green
Extreme Networks
jgreen@extremenetworks.com
Mobile (772) 925-2345
https://prezi.com/view/BFLC71PVkoYVKBOffPAv/
Places in the network (featuring policy) (Jeff Green)
Networks of the Future will be about a great user experience, devices and things…
In an industry that’s already defined, Extreme Network’s recent announcement of The Automated Campus is a significant advance in networking. For the first time, all the essential technologies, products, procedures and support are gathered together and integrated. All too often, the piecemeal/piecewise growth strategy, typically applied in network evolutions, results in too many tools, procedures, and techniques. The patchwork quilt approach precludes fast responsiveness, optimal operations staff productivity, and sacrifices the accuracy and efficiency required to keep end-users productive as well.
The most important opportunity to improve efficiency for governments today is in boosting the productivity of both end-users and network operators. The automated campus must address the productivity of network planners and network operations managers and staff. The often-significant number of elements required in an installation can demand significant staff time and can, consequently, have an adverse impact on operating expenses (OpEx). While it is possible to build traditional networks that get the job done when running correctly and optimally, they often carry such high operating expenses that cost becomes the overriding factor controlling the evolution of the campus network. The Automated Campus will allow XYZ Account to address all these issues and concerns. A key goal must be for XYZ Account to reduce the number of “moving parts” required to build and operate any campus and introduce a level of simplicity and automation that will address your future.
Extreme’s strategy for Campus Automation begins with re-thinking the way networks are designed, deployed and managed. Extreme’s Fabric-based networks enable faster configuration and troubleshooting; as a result, there is less opportunity for misconfiguration. Several automation solutions designed to enhance security force network managers to accept complexity and degraded resilience in order to secure the network to meet local policies. Should a breach occur, containment to that segment protects the more sensitive parts of the network, resulting in a true dead-end for the attacker. With Extreme’s Automated Campus, services can easily be defined and provisioned on the fly without disruption. Network operators specify what services are allowed or prohibited across the network.
The ubiquitous heavy-tailed distributions in the Internet imply an interesting feature of Internet traffic: most (e.g. 80%) of the traffic is actually carried by only a small number of connections (elephants), while the remaining large number of connections are very small in size or lifetime (mice). In a fair network environment, short connections expect relatively faster service than long connections. For these reasons, short TCP flows are generally more conservative than long flows and thus tend to get less than their fair share when they compete for the bottleneck bandwidth. In this paper, we propose to give preferential treatment to short flows with help from an Active Queue Management (AQM) policy inside the network. We also rely on the proposed Differentiated Services (Diffserv) architecture [3] to classify flows into short and long at the edge of the network. More specifically, we maintain the length of each active flow (in packets) at the edge routers and use it to classify incoming packets.
Fortinet Firewall Integration - User to IP Mapping and Distributed Threat Response
• Accurate user ID to IP mapping eliminates potential attacks and provides reliable, out-of-the-box user information to firewalls
• Improves security by blocking/limiting user access at the point of entry without impacting other users
• More accurate network mapping for dynamic policy enforcement and reporting
In an industry that’s already defined, Extreme Network’s recent announcement of The Automated Branch is a significant advance in networking. For the first time, all the essential technologies, products, procedures and support are gathered together and integrated. All too often, the piecemeal/piecewise growth strategy historically applied in organizational network evolution results in too many tools, procedures, and techniques at work, precluding fast responsiveness, optimal operations staff productivity, and the degree of accuracy and efficiency required to keep end-users productive as well.
This reference design helps organizations design and configure a small to midsize data center (between 2 and 60 server racks) at headquarters or a server room at a remote site. You will learn how to configure the data center core, aggregation and access switches for connectivity to the servers and the campus network.
The Avaya Fabric Connect data center design supports high-speed 10 Gbps Ethernet-connected servers. The design can easily scale server bandwidth with link aggregation, and servers can be connected to one or more switches in order to provide the level of availability required for the services delivered by the host. The design also supports legacy and low-traffic servers that need 1 Gbps Ethernet connectivity.
The reference design presented in this guide is based on common network requirements and provides a tested starting point for network engineers to design and deploy an Avaya data center network. This guide does not document every possible option and feature used to design and deploy networks but instead presents the tested and recommended options that will meet the majority of customer needs.
This design uses Avaya Fabric Connect in order to provide benefits over traditional data center design.
IT departments face several challenges in today’s data center:
· Data center traffic flow is not the same as campus traffic flow. Over 80% of the traffic is east-west, server-to-server, vs. north-south, client-to-server, like in a campus.
· Server virtualization allows a virtual machine or workload to be located anywhere in the physical data center. Data center networks can make it difficult to extend virtual local area networks (VLANs) and subnets anywhere in the data center.
· Server virtualization means that new services can be brought online in minutes or migrated in real time. Reconfiguring the network to support this is difficult because it can interrupt other services.
· Server virtualization means that the load on a physical box is much higher. Physical servers regularly host 10-50 workloads, driving network utilization well past 1 Gbps.
LANs are constantly evolving; build your XYZ Account Network with that baked in…
Extreme Networks brings XYZ Account simplicity, agility, and optimized performance to your most strategic business asset. The data center is critically important to business operations in the enterprise, but often organizations have difficulty leveraging their data centers as a strategic business asset. At Extreme Networks, we focus on providing an Intelligent Enterprise Data Center Network that’s purpose-built for enterprise requirements. Our OneFabric Data Center Solution:
XoS “can be like an elastic Fabric” for XYZ Account Network…
Demand for application availability has changed how applications are hosted in today’s data center. Evolutionary changes have occurred throughout the various elements of the data center, starting with server and storage virtualization and network virtualization. Motivations for server virtualization were initially associated with massive cost reduction and redundancy but have now evolved to focus on greater scalability and agility within the data center. Data center focused LAN technologies have taken a similar path: first with a goal of redundancy, and then to create a more scalable fabric within and between data centers.
As vendors continue to tout networking architectures that decouple software from hardware, bare-metal switches are moving into the spotlight. These switches are built on merchant silicon and deliver a lower-cost and more flexible switching alternative. Extreme Purple Metal switches are open enough to allow our customers to choose their network architecture based on their specific needs without going all the way to bare metal. We believe in the disaggregation of traditional enterprise networking. Extreme uses merchant silicon rather than custom ASICs. Custom ASICs have fallen behind; unless a vendor can build and compete against merchant silicon, there's no point in doing custom ASICs.
Audio video Ethernet (AVB, CobraNet, Dante) (Jeff Green)
AVB fits low-cost, small-form-factor products such as this microphone. The overall trend is that music no longer lives on shelves or in CD racks, but on hard drives in home computers, and increasingly in the cloud. This brings about its own unique problems, not in the encoding system used, or the storage technology, but in distributing the audio from the storage media to the speakers. AVB features are all enabled by a global and port-level configuration. Connecting these elements is the AVB-enabled switch (in the graphic above, the Extreme Networks® Summit® X440). The role of the switch is to provide support for the control protocols. AVB is Ethernet’s next stage of convergence, delivering pitch-perfect audio and crystal-clear video seamlessly over the network.
IP/Ethernet is bringing simplicity and features to audio and video as it has brought to services like VoIP, Storage and many more
High quality, perfectly synchronized A/V until now has been difficult to maintain
Standards work by the IEEE and the AVB standard changes everything, creating interoperability and mass-marketing equipment pricing
Benefits of AVB - Delivers predictable latency and precise synchronization, maximizing the functionality of AV – time synchronization and quality or service
Reduced complexity and Ease of use through interoperability between devices
Streamlines complex network set-up and management, the Infrastructure negotiates and manages the network for optimal prioritized media transport
AV traffic can co-exist with non-AV traffic on same Ethernet infrastructure
Role-based control at the XYZ Account: XYZ Account can identify devices and apply policies based on device type, all the way down to the port and/or the AP. Policies can change dynamically based on the device a user is connecting with and where that user is located. Extreme Networks provides infrastructure to deliver customizable prioritization and scalable capacity via configurable and built-in intelligence, ensuring a comprehensive, superior-quality experience. Furthermore, when deployed with Extreme Wireless, XYZ Account can configure the network to ensure applications receive the bandwidth they require, while still limiting or preventing high-speed streaming of music or video, or even games.
In an industry that is already well defined, Extreme Networks’ recent announcement of The Automated Campus is a significant advance in networking. For the first time, all the essential technologies, products, procedures and support are gathered together and integrated. All too often, the piecemeal growth strategy historically applied to organizational network evolution results in too many tools, procedures and techniques at work, precluding fast responsiveness, optimal operations-staff productivity, and the degree of accuracy and efficiency required to keep end-users productive as well.
The most important opportunity today is in boosting the productivity of both end-users and network operators. The automated campus must address the productivity of network planners and of network operations managers and staff. The often-significant number of elements required in an installation can demand significant staff time and can consequently have an adverse impact on operating expenses (OpEx). While it is possible to build traditional networks that, when running correctly and optimally, get the job done, they often embody such high operating expenses that cost becomes the overriding factor controlling the evolution of the campus network overall. The Automated Campus will allow XYZ Account to address all these issues and concerns. A key goal here must be, of course, to reduce the number of “moving parts” required to build and operate any campus.
Extreme’s strategy for Campus Automation begins with re-thinking the way networks are designed, deployed and managed. Extreme’s fabric-based networks enable faster configuration and troubleshooting, so there is less opportunity for misconfiguration. Several automation solutions designed to enhance security force network managers to accept complexity and degraded resilience in order to secure the network to local policies. Should a breach occur, containment to that segment protects the more sensitive parts of the network, resulting in a true dead end for the attacker. With Extreme’s Automated Campus, services can easily be defined and provisioned on the fly without disruption: network operators specify which services are allowed or prohibited across the network.
XOS Performance: separation between control and forwarding planes. The "SDN Classic" model, as illustrated by the Open Networking Foundation graphic, offers many potential benefits:
• In the forwarding plane, all switching and feature implementation (deep packet inspection, QoS scheduling, MAC learning and filtering, etc.) are performed in dedicated ASIC hardware.
• Wire-speed performance across the entire product line (backplane resources, packet/frame forwarding rate, bits-per-second throughput). Local switching on all line cards at no additional cost, increasing throughput and reducing latency. Dedicated stacking interfaces, and stacking over fiber.
• Low latency with exceptional QoS.
We build networks to deliver on today’s Experience Economy. Extreme Networks combines high performance wired and wireless hardware with a software-defined architecture that makes it simple, fast and smart for the user to connect with their device of choice. We provide a comprehensive portfolio, including Campus Mobility and Data Center solutions, which allow our customers to deliver a positive and consistent experience to each and every user in their environment. As SDN excitement grew, the term software-defined was adopted by marketers and applied liberally to all kinds of products and technologies: software-defined storage, software-defined security, software-defined data center.
What technologies allow me to do this today?
Key features: loop-free load balancing, density, L2 overlays.
• VXLAN fabric in EXOS / EOS
• MLAG: L2 Leaf/Spine with two spine members
• VPLS: L2 Leaf/Spine for HPC deployments
• SPB-V: S/K-Series for small enterprise data center
• Evolution, ExtremeFabric: fully automated
Why VXLAN? It is a really easy L2-over-L3 transport.
MLAG technology Leaf/Spine Fabric: MLAG is a special case of Leaf/Spine with only two spine members and everything on L2 (we kill the spanning tree and maintain state between the spines). We have been leading in MLAG for a while.
VPLS technology Leaf/Spine Fabric: we have successfully built VPLS mesh Leaf/Spine networks for HPC deployments.
We need more scale! 21.x / 22.x bring some interesting new features that fix this.
NEW with 21.1: The Scalable Layer 2 Fabric with VXLAN Technology
• VXLAN: overlay on routing for efficient load balancing and reachability
• OSPF extensions massively simplify deployment
• The Layer 2 traffic tunnels over any Layer 3 network
• Can be used in any topology, but highest performance is Leaf/Spine
• Removes the limitation on transit overlay in the spine
• Easy setup, small configuration
• X670-G2 and X770, S and K, and will be available on X870 at launch
• Scale to 2592 10G ports (X670-G2-72, 1:1), 512 40G (X770, 1:1)
• Available on EOS and EXOS NOW
NEW with EXOS 22.x and EOS 8.81: Future Fabric Technology
Extreme is rethinking the data plane, the control plane and the management plane. Extreme offers a better mousetrap that delivers new features, advanced function and wire-speed performance. Our switches deliver deterministic performance independent of load or of which features are enabled. All Extreme switches are based on XOS, the industry’s first and only truly modular operating system. A modular OS provides higher availability of critical network resources: by isolating each critical process in its own protected memory space, a single failed process cannot take down the entire switch, and application modules can be loaded and unloaded without rebooting the switch. This is the level of functionality that users expect from other technologies. Reaching the twenty-million-port milestone is a significant achievement, demonstrating the effectiveness of our network solutions with their rich features, innovative software and integrated support for secure convergence. VoIP/Unified Communications/Infrastructure/SIP Trunking (SBC): because of strong ROI, investment in this segment remains on a very strong growth trajectory.
Enterprises depend on modular switching solutions for all aspects of the enterprise network: in the enterprise core and data center, in the distribution layer that lies between the core and the wiring closet, and in the wiring closet itself. Modular solutions provide port diversity and density that fixed solutions simply cannot match. There are also high-capacity modular solutions that only the largest enterprises and institutions use for high-density and high-speed deployments. Modular solutions are generally much more expensive than their fixed cousins, especially in situations where density or flexibility are not required. Fixed-configuration stackable switches are typically cost-optimized, but they offer no real port diversity on an individual switch. Port diversity means the availability of different port types, such as fiber versus copper ports. Stackable switches have gotten better at offering port diversity, but they still cannot match their modular cousins. Many of these products now offer high-end features such as 802.3af PoE, QoS and multi-layer intelligence that were only found on modular switches in the past; this is due to the proliferation of third-party merchant silicon in the fixed-configuration market. Generally, a stack of fixed-configuration switches can be managed as a single virtual entity. Fixed-configuration switches generally cannot be used to provision an entire large enterprise, but are mostly used out at the edge or departmental level as a low-cost alternative to modular products.
Assumptions:
• Ethernet is open
• Active/Active in the fabric
Therefore:
• Open at the edge
• Active/Active at the edge
The secret sauce is the control plane, not the encapsulation:
• Host route distribution decoupled from the underlay protocol
• Use MultiProtocol-BGP (MP-BGP) on the leaf nodes to distribute internal host/subnet routes and external reachability information
• Route reflectors deployed for scaling purposes
VXLAN terminates its tunnels on VTEPs (Virtual Tunnel End Points). Each VTEP has two interfaces: one provides the bridging function for local hosts, the other has an IP identity in the core network for VXLAN encapsulation/decapsulation.
• VXLAN encapsulation and de-encapsulation occur on T2
• Bridging and gateway are independent of the port type (1/10/40G ports)
• Encapsulation happens on the egress port
• Decapsulation happens on the ingress port
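As an added illustration of the VTEP behaviour described above (a bridging side and an IP side per VTEP, encapsulation on egress, decapsulation on ingress), the following Python is example code written for this page, not Extreme's EXOS/EOS implementation. The VTEP addresses, host MACs and VNI are constructed, and the flood-and-learn handling of unknown destinations is the generic VXLAN model rather than anything the page specifies.

```python
"""Added example: a minimal software VTEP showing where VXLAN encapsulation
and decapsulation happen. Not Extreme's code; addresses are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> Tuple[int, bytes]:
    """Strip the header; refuse payloads that are truncated or lack the I flag."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, payload[8:]


def ether_addrs(frame: bytes) -> Tuple[bytes, bytes]:
    """Return (destination MAC, source MAC) of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[0:6], frame[6:12]


@dataclass
class Vtep:
    """One VTEP: a bridging side for local hosts and an IP side toward the core."""
    ip: str
    # bridging side: (vni, local host MAC) -> local port label
    local_ports: Dict[Tuple[int, bytes], str] = field(default_factory=dict)
    # IP side: (vni, remote host MAC) -> remote VTEP IP, learned on decapsulation
    remote_macs: Dict[Tuple[int, bytes], str] = field(default_factory=dict)
    # peer VTEPs per VNI, used to replicate unknown-unicast/broadcast frames
    peers: Dict[int, List[str]] = field(default_factory=dict)

    def egress(self, vni: int, frame: bytes) -> List[Tuple[str, str, int, bytes]]:
        """A local host frame leaving toward the core: encapsulate on egress.
        Returns UDP datagrams as (src IP, dst IP, dst port, payload)."""
        dst, src = ether_addrs(frame)
        self.local_ports.setdefault((vni, src), "local")
        payload = vxlan_encap(vni, frame)
        if (vni, dst) in self.remote_macs:
            targets = [self.remote_macs[(vni, dst)]]      # known: single tunnel
        else:
            targets = self.peers.get(vni, [])             # unknown: flood to peers
        return [(self.ip, peer, VXLAN_UDP_PORT, payload) for peer in targets]

    def ingress(self, src_vtep_ip: str, payload: bytes) -> Tuple[int, bytes]:
        """A datagram arriving from the core: decapsulate on ingress, learn the
        inner source MAC against the sending VTEP, hand the frame to bridging."""
        vni, frame = vxlan_decap(payload)
        _dst, src = ether_addrs(frame)
        self.remote_macs[(vni, src)] = src_vtep_ip
        return vni, frame


def demo() -> dict:
    """Constructed exchange: host A behind VTEP 10.0.0.1 talks to host B behind
    VTEP 10.0.0.2 on VNI 5000; the reply is unicast because B's VTEP learned A."""
    mac_a, mac_b = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    vtep1 = Vtep("10.0.0.1", peers={5000: ["10.0.0.2"]})
    vtep2 = Vtep("10.0.0.2", peers={5000: ["10.0.0.1"]})
    frame_a_to_b = mac_b + mac_a + b"\x08\x00" + b"payload-from-A"
    first = vtep1.egress(5000, frame_a_to_b)            # dst unknown: flooded
    vni, delivered = vtep2.ingress(first[0][0], first[0][3])
    reply = mac_a + mac_b + b"\x08\x00" + b"reply-from-B"
    second = vtep2.egress(5000, reply)                  # dst known: unicast
    return {"first_targets": [d[1] for d in first], "vni": vni,
            "delivered": delivered, "second_targets": [d[1] for d in second],
            "udp_port": second[0][2]}
```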
Service Oriented Architecture
• 2- or 3-layer network to Leaf & Spine
• High density and bandwidth required
• Layer 3 ECMP
• No oversubscription
• Low and uniform delay characteristic
• Wire-and-configure-once network
• Uniform network configuration
• Workload mobility
• Workload placement
• Segmentation
• Scale
• Automation & programmability
• L2 + L3 connectivity
• Physical + virtual
• Open
3. Strategic Asset Security Pivot: Why? Why? How?
• Reduce millions of logs to actionable intelligence.
• Complete network, policy and compliance solution.
• Automated correlation and analytics.
• Network components: router, IPS/IDS, firewall, switches, servers, DMZ, VPN.
4. Security like candy? Rumor: green M&M’s are an aphrodisiac? The hard candy shell was originally designed as a treat for soldiers! Caution: extreme metaphor.
6. Do you have… Is your firm’s environment secure?
• Port scanning and remediation
• Perimeter vulnerability scanning
• Timely OS patching
• Network-level DDoS detection and prevention
• Auditing of all operator access and actions
• Just-in-time elevations
• Automatic rejection of non-background-checked employees from high-privilege access
• Automatic account deletion when an employee leaves, when an employee changes groups, and when there is lack of use
• Isolation between the mail environment and the production access environment for all employees
• Automated tooling for routine activities
7. Attack your security gap: What is your Pucker Factor?
Risk assessment: identify potential risk ("shiny objects"); it is all about time.
• Commodity threats: Breach (event), SOC (time to detect), IR (time to respond), Analytics.
• Targeted (APT): Intel (contain), Pivot.
• SIEM logs activity in the XYZ Account compute environment; logs or events feed the intelligence to respond: what actions should XYZ Account take?
Diagram labels: Logs or Events; Analytics; CAD; Oracle; Netflix; Bad Actor.
8. Traditional Castle Defenses
• Moat / Main Gate: outer perimeter controlling castle access.
• Inner Perimeter: stronghold with higher walls, creating a containment area between the inner and outer perimeters.
• Keep: last building in the castle to fall.
9. Defense in Depth: A Cascade of Security Zones
• Outer Perimeter: access control into the De-Militarized Zone (DMZ).
• Inner Perimeter: the Internal Network (Intranet), behind an internal firewall.
• Stronghold (Keep): mission-critical systems.
Dynamic state tables (stateful inspection) sit at each zone boundary.
10. Search & Pivot - IPS
Placement: Internet, then the DMZ (IPS), the Core Network (IPS) and the User Network (IPS and IDS), with a management server.
• Broad attacks: commodity threats; worms & bots.
• Multi-faceted targeted attacks: Advanced Persistent Threat (APT); advanced targeted attacks.
11. Use your network as a key part of your Security Framework
Access, Visibility, Protection, Analytics, Automation; Command, Control, Enforcement. The network is the scout on the front lines.
12. How can your networks be protected from your own users? (NAC, BYOD, Identity)
• Endpoint security: infections persist because endpoint security fails, because applications can be manipulated and unintentionally messed up; there is a time gap between a new virus and the virus repair.
• Identity: identity alone fails; it guards against unauthorized access but not against malware, and it identifies users but not devices.
• Network security: network security alone fails because firewalls do not block legitimate ports and VPNs cannot block legitimate users; malware signatures must be known, so detection occurs after the fact; it fails versus a targeted attack; company encrypted tunnels cannot be tested; time is on the side of the bad actor.
Multisector.
14. Solution Benefits: solution with Palo Alto Networks
• Accurate user-ID-to-IP mapping to eliminate potential attacks and provide reliable, out-of-the-box user information to Palo Alto.
• Improved security that blocks/limits user access at the point of entry without impacting other users.
• More accurate network mapping for dynamic policy enforcement and reporting.
15. A port is what it is because of what or who is connected to it.
Policy inputs:
• Device? District owned; approved BYOD; unapproved BYOD; directory-unaware; guest device
• Access? Wireless; web-based; MAC; wired; 802.1X
• Location? Library; gym; 5 ft from an access point; hallway; classroom
• User? Guest; student; faculty/staff; admin
• Application? HTTP; online testing; YouTube; Twitter; Facebook; SIS; VDI
• Time? Weekends; holidays; M–F 8 am–6 pm; anytime
Policy? Application delivery in minutes.
Actions: Allow (single SSID/VLAN); Rate Limit; Contain (multiple VLANs); Deny.
16. Policy Components: any device, location, application; Layer 1 through Layer 4.
if X + Y, then Z: “if” a user matches a defined attribute or value … “then” place the user into a defined ROLE.
• Roles (e.g. Faculty, Student, Guest): optimized performance.
• Services: simply containers for groups of similar rules (Policy Manager).
• Rules: device-level classification rule behavior based upon L2, L3 and L4 packet fields.
17. Policy-based Networking (Guest Onboarding)
• Policies can be applied to the entire network with a single click.
• Passive policies for what-if scenarios prior to enforcing.
• Rules allow, deny, rate limit or contain.
• Built-in access control: policy + ACLs, CDPv2 & LLDP + sampled NetFlow; Layer 1 through Layer 4.
Example roles: IT Admin, Employee, Guest. Example services: Oracle, VPN, Admin. Example rules: AllowHTTP, AllowHTTPS, AllowIPSec, AllowSAP, RateLimit, AllowPing, AllowTelnet, AllowEmail, AllowTFTP, AllowSNMP, AllowOracle, DenyBlast.
18. Policy role-based administration
Layer 1 through Layer 4; if X + Y, then Z. Centrally managed: no scripts, no element management; can be applied to the entire network with a single click.
19. Role Based Policy – Secure Enterprise
1. User role (Guest/Finance/Engineering/Administrators)
2. User/device authentication, policy definition and management
3. Rules & services enforcement for secured access
4. Secure application access
XOS delivers 1024 authenticated users per switch. Built-in access control: policy + ACLs, CDPv2 & LLDP + sampled NetFlow; Layer 1 through Layer 4.
20. if X + Y = ?, then Z: Role Based Policy – Platform Scaling
Feature | X620 / X440-G2 | X450-G2 | X460-G2 | X670-G2 | X770
Policy Profiles | 63 | 63 | 63 | 63 | 63
Rules per Role (Profile) | Up to 440 | Up to 952 | Up to 952 | Up to 952 | Up to 952
Authenticated Users / Switch | Up to 256 | 1024 | 1024 | 512 | 512
Authenticated Users / Port | Unlimited, up to 256 | Unlimited, up to 1024 | Unlimited, up to 1024 | Unlimited, up to 512 | Unlimited, up to 512
Unique Permit/Deny Rules | 440 | 952 | 952 | 952 | 952
MAC Rules | N/A | 256 | 256 | 256 | 256
IPv6 Rules | N/A | 256 | 256 | 256 | 256
IPv4 Rules | 256 | 256 | 256 | 256 | 256
L2 Rules | 184 | 184 | 184 | 184 | 184
Rate Limiting | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB*
Diagram labels: Actions; Quality of Experience; Business Services; Users / Devices.
21. Policy = Ethernet “like a Mux” (Layer 1 through Layer 4)
COS capabilities: 802.1D priority marking; IP ToS overwrite; inbound rate limiting; rate shaping. COS is integrated with the existing EXOS QoS, leveraging much of the existing infrastructure.
22. QoS Components: Application Awareness
ExtremeXOS® end to end:
• Data path: classification, signaling, routing; traffic conditioning, scheduling, shaping; output I/F.
• Control plane: policy server, admission control.
23. L4 Networking (Automated Policy for Control)
Layer 1: Physical; Layer 2: Data Link; Layer 3: Network; Layer 4: Transport; Layer 7: Application. Policy keys on device identity, user identity, virtual machine identity, application identity, etc.
24. Transparent Authentication
Resources: Intranet, Mail Servers, CRM; Active Directory Server, RADIUS Server, LDAP Server; Summit switch.
1. The user logs into the Active Directory domain with user name and password.
2. The ExtremeXOS® network “snoops” the Kerberos login by capturing the user name.
3. Active Directory validates and approves the user credentials and responds to the host.
4. ExtremeXOS grants network access based on the AD server response (Success).
Resulting binding:
Username | IP | MAC | Computer Name | VLAN | Location (Switch Port #)
John_Smith | 10.1.1.101 | 00:00:00:00:01 | Laptop_1011 | 1 | 24
25. Role-based Access Control
Role | Internet | Intranet | Mail | CRM/Database | VLAN
Unauthenticated | Yes | No | No | No | Default
Contractor | Yes | Yes | No | No | Default
Employee | Yes | Yes | Yes | Yes | Default
Resources: Internet, Intranet, Mail Servers, Data Center; Active Directory Server, RADIUS Server, LDAP Server; Summit switch.
Role Derivation
• Users are assigned to a “role” based on their attributes (e.g. job function, location, etc.).
• Roles contain dynamic policies that control access to network resources regardless of location.
Examples:
• Who is John? The LDAP response matches Department = Employee. User: John, Role: Employee, Resource Access = Permit All.
• Who is Alice? The LDAP response matches Company = IBM. User: Alice, Role: Contractor, Resource Access = Deny Mail and CRM.
• No authentication detected = Unauthenticated role. User: Bob, Role: Unauthenticated, Resource Access = Internet Only.
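The role derivation and access matrix above, together with the “if X + Y, then Z” rule model from the Policy Components slide, as an added Python example (not Extreme’s Policy Manager code): the access matrix is the table above and the LDAP attributes are the slide’s John/Alice/Bob cases; the first-match rule order and the default-deny fallback for an authenticated user who matches no rule are assumptions made for this example.

```python
"""Added example: derive a role from directory attributes and enforce the
role-based access matrix from the slide. Not Extreme's Policy Manager code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESOURCES = ("Internet", "Intranet", "Mail", "CRM/Database")

# Access matrix exactly as in the Role-based Access Control table (True = Yes).
ACCESS_MATRIX: Dict[str, Dict[str, bool]] = {
    "Unauthenticated": dict(zip(RESOURCES, (True, False, False, False))),
    "Contractor":      dict(zip(RESOURCES, (True, True,  False, False))),
    "Employee":        dict(zip(RESOURCES, (True, True,  True,  True))),
}

# "if X + Y, then Z": if LDAP attribute X has value Y, place the user in role Z.
# Evaluated top to bottom, first match wins (an assumption of this example).
ROLE_RULES: List[Tuple[str, str, str]] = [
    ("Department", "Employee", "Employee"),
    ("Company", "IBM", "Contractor"),
]


@dataclass(frozen=True)
class Session:
    user: Optional[str]                                  # None: no authentication detected
    ldap: Dict[str, str] = field(default_factory=dict)   # attributes from the LDAP response


def derive_role(session: Session) -> str:
    """Map a session to a role; anything unknown lands in the least-privileged role."""
    if session.user is None:
        return "Unauthenticated"      # "No authentication detected = Unauthenticated role"
    for attribute, value, role in ROLE_RULES:
        if session.ldap.get(attribute) == value:
            return role
    return "Unauthenticated"          # authenticated but matches no rule: default deny


def is_permitted(role: str, resource: str) -> bool:
    """Look up the matrix; resources it does not list are denied for every role."""
    return ACCESS_MATRIX.get(role, {}).get(resource, False)


def access_summary(role: str) -> str:
    """Render the slide-style summary: 'Permit All', 'Internet Only', 'Deny ...'."""
    denied = [r for r in RESOURCES if not is_permitted(role, r)]
    if not denied:
        return "Permit All"
    permitted = [r for r in RESOURCES if is_permitted(role, r)]
    if permitted == ["Internet"]:
        return "Internet Only"
    return "Deny " + " and ".join(denied)


def authorize(session: Session, resource: str) -> Tuple[str, bool]:
    """Full decision for one request: (derived role, permitted?)."""
    role = derive_role(session)
    return role, is_permitted(role, resource)
```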
26. Take IT-configurable actions on Extreme Networks switching infrastructure
If … a user or device connects to the network … then:
• Communicate with the LDAP server for the user/device profile, and/or
• Place the device or user into a role, and/or
• Dynamically create an ACL, and/or
• Rate limit the device or user, and/or
• Blacklist or de-blacklist, and/or
• Send out an email alert or generate a Syslog event.
Auto-provision users and devices that connect to the network.
Automation through Power Management
If … time of day = 5:00 pm … then:
• Disable PoE power to the wireless AP, and/or
• Hibernate the chassis line card, and/or
• Send out an email alert or generate a Syslog event.
27. Event-based Triggers: automation through customized scripting
If the following events are triggered (trigger type variables: Device, User Authentication, Time based, EMS (Event Management System), User Input) … and match the following values (values for the respective variables: value x, value y, value z, …) … then execute the corresponding profile script file.
28. Time-of-Day Profiles
• Timer triggered
• Applications
– Disable guest VLAN access
– Shut down wireless service in closed buildings
– Timed backup of configurations, policies, ...
– Timed check on statistics
Events that Trigger Profiles
Trigger | Condition
Device-Detect | Specific device detected by the system
Device-Undetect | Specific device is no longer present or a timeout has occurred. Port properties return to a known state.
User-Authenticated | Specified user authenticated
User-Unauthenticated | Specified authenticated user has been unauthenticated. Port properties return to a known state.
Timer-AT | Timer scheduled to occur AT a specified time has occurred
Timer-AFTER | Timer scheduled to occur AFTER an event or specified interval has occurred. Can be a one-time occurrence or can be recurring.
User-Request | Profile was triggered remotely by the administrator through the CLI
29. Automation through customized scripting
If the following events are triggered (trigger type variables: Device, User Authentication, Time based, EMS (Event Management System), User Input) … and match the following values (user input values for the respective variables: value x, value y, value z, …) … then execute the corresponding profile script file.
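An added example (not EXOS code) that mirrors the trigger / matching values / profile script flow of slides 26 through 29, including the “port properties return to a known state” behaviour on Device-Undetect and User-Unauthenticated from the trigger table; the port names, the 17:00 AP power-off profile and the 2000 kbps guest rate limit are constructed for this example.

```python
"""Added example (not EXOS code): an event-to-profile dispatcher modelled on
the trigger / matching values / profile script flow of slides 26-29."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# The "known state" that Device-Undetect and User-Unauthenticated return a port to.
KNOWN_STATE = {"vlan": "Default", "role": "Unauthenticated", "poe": True, "rate_limit_kbps": None}


@dataclass
class Port:
    name: str
    attached: str = ""                    # what LLDP/authentication says is connected, e.g. "AP"
    vlan: str = "Default"
    role: str = "Unauthenticated"
    poe: bool = True
    rate_limit_kbps: Optional[int] = None

    def return_to_known_state(self) -> None:
        for key, value in KNOWN_STATE.items():
            setattr(self, key, value)


@dataclass(frozen=True)
class Event:
    trigger: str                 # a trigger name from the "Events that Trigger Profiles" table
    values: Dict[str, str]       # "values for respective variables"
    port: Optional[str] = None   # None for system-wide triggers such as Timer-AT


@dataclass
class Profile:
    trigger: str
    match: Dict[str, str]                    # every listed value must be present in the event
    action: Callable[[Port, Event], str]     # the "profile script"; returns a log fragment

    def matches(self, event: Event) -> bool:
        return self.trigger == event.trigger and all(
            event.values.get(k) == v for k, v in self.match.items())


class Dispatcher:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.profiles: List[Profile] = []
        self.syslog: List[str] = []        # "send out email alert or generate Syslog event"

    def handle(self, event: Event) -> List[str]:
        """Run every profile whose trigger and values match; return the log lines."""
        if event.port is not None and event.port not in self.ports:
            return []
        targets = [self.ports[event.port]] if event.port else list(self.ports.values())
        fired: List[str] = []
        for profile in self.profiles:
            if not profile.matches(event):
                continue
            for port in targets:
                line = f"{event.trigger} port={port.name}: {profile.action(port, event)}"
                self.syslog.append(line)
                fired.append(line)
        return fired


# Profile scripts (constructed for the example).
def place_in_role(port: Port, event: Event) -> str:
    port.role = event.values["role"]
    port.vlan = event.values.get("vlan", port.vlan)
    return f"placed in role {port.role}, VLAN {port.vlan}"


def rate_limit_guest(port: Port, event: Event) -> str:
    port.rate_limit_kbps = 2000                    # example value, not a product default
    return "rate limited to 2000 kbps"


def revert(port: Port, event: Event) -> str:
    port.return_to_known_state()
    return "port properties returned to known state"


def ap_power_off(port: Port, event: Event) -> str:
    if port.attached != "AP":
        return "no action (not an AP port)"
    port.poe = False
    return "PoE disabled"


def build_demo() -> Dispatcher:
    """Constructed setup: port 1:1 feeds a wireless AP, port 1:24 is a user port."""
    d = Dispatcher([Port("1:1", attached="AP"), Port("1:24")])
    d.profiles += [
        Profile("User-Authenticated", {"role": "Employee"}, place_in_role),
        Profile("User-Authenticated", {"role": "Guest"}, place_in_role),
        Profile("User-Authenticated", {"role": "Guest"}, rate_limit_guest),
        Profile("User-Unauthenticated", {}, revert),
        Profile("Device-Undetect", {}, revert),
        Profile("Timer-AT", {"time": "17:00"}, ap_power_off),   # slide 26: 5:00 pm AP power-down
    ]
    return d
```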
30. Role Based Policy – Platform Limits
Features | X450-G2 | X460-G2 | X670-G2 | X770
Policy Profiles | 63 | 63 | 63 | 63
Rules per Role (Profile) | Up to 928 | Up to 928 | Up to 928 | Up to 928
Authenticated Users / Switch | 1024 | 1024 | 512 | 512
Authenticated Users / Port | Unlimited, up to 1024 | Unlimited, up to 1024 | Unlimited, up to 512 | Unlimited, up to 512
Unique Permit/Deny Rules | 928 | 928 | 928 | 928
MAC Rules | 256 | 256 | 256 | 256
IPv6 Rules | 256 | 256 | 256 | 256
IPv4 Rules | 256 | 256 | 256 | 256
L2 Rules | 184 | 184 | 184 | 184
Rate Limiting | CoS MIB* | CoS MIB* | CoS MIB* | CoS MIB*
Multi-user authentication logic (802.1X, Web, MAC):
• Multiple authentication agents on the same port: 802.1X, EXOS Web Authentication, MAC Authentication.
• Multiple policy profiles per port; each policy profile is assigned to a subset of the traffic.
• Policy is applied to ingress traffic based on which user sourced it.
• Users/devices may be implementing different authentication methods.
Example: Chris authenticates by 802.1X (802.1X credentials, Filter ID Policy X) and by MAC (MAC credentials, Filter ID Policy Y); Policy Profile Y is bound to Chris’s MAC = A:A through a dynamic admin rule for Policy Y (SMAC = A:A).
31. Ideal Model - Authentication and Authorization
Intuitively, we want the protocol to behave “as if” a trusted third party collected the parties’ inputs and computed the desired functionality. Computation in the ideal model is secure by definition! In the diagram, party A holds input x1 and party B holds input x2; A receives f1(x1,x2) and B receives f2(x1,x2), with secrecy and integrity [Goldreich-Micali-Wigderson 1987].
• Given a statement s, authentication answers the question “who said s?”
• Given an object o, authorization answers the question “who is trusted to access o?”
• “Who” refers to a principal; Principal = abstraction of “who”.
32. Wireless Threat Landscape
Why are wireless LANs prone to attack?
• “Open air”: no physical barriers to intrusion; silent attacks.
• Standard 802.11 protocol, well-documented and understood. Most common attacks against WLAN networks are targeted at management frames.
• Unlicensed; easy access to inexpensive technology.
• Wireless access outside of physical/wired boundaries (physical security).
Diagram: bad actor, target; tools of the trade: NetStumbler, Kismet, AirSnort, WEPCrack.
33. IP spoofing
Impersonation: the target B (134.117.1.60) trusts its friend A (10.10.10.1): “It must be OK, my friend sent it. Yum Yum.”
• Legitimate packet: Src_IP 10.10.10.1, dst_IP 134.117.1.60, Src_port Any (>1024), dst_port 80.
• Packet from the bad actor (spoofed): Src_IP 11.11.11.1, dst_IP 134.117.1.60, Src_port Any (>1024), dst_port 80.
Related threats: eavesdropping, packet sniffing, illegal copying.
Better not to trust any individual router. One can assume that some fraction of routers is good, but not know which.
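A defensive check for the spoofing case above, as an added Python example that is not from the slides: source-address validation on the router’s ingress interface. It assumes the bad actor at 11.11.11.1 forges A’s address 10.10.10.1 toward B, and that the router knows which source prefixes legitimately sit behind each interface (the interface names and prefix table here are constructed).

```python
"""Added example: source-address validation at the ingress interface, the check
that catches the impersonation in the IP spoofing slide. Not Extreme's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_if: str       # interface the packet arrived on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Source prefixes legitimately reachable behind each ingress interface.
# Constructed for the example; a real router derives this from its routing
# table (reverse-path check) or from a static ingress ACL.
EXPECTED_SOURCES = {
    "to-A":     [ipaddress.ip_network("10.10.10.0/24")],   # friend A's network
    "to-actor": [ipaddress.ip_network("11.11.11.0/24")],   # the bad actor's network
}


def check_source(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src_ip)
    except ValueError:
        return "drop", f"malformed source address {pkt.src_ip!r}"
    allowed = EXPECTED_SOURCES.get(pkt.ingress_if)
    if allowed is None:
        return "drop", f"no source policy for interface {pkt.ingress_if}"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop", f"{src} is never a valid unicast source"
    if any(src in net for net in allowed):
        return "accept", f"{src} is expected on {pkt.ingress_if}"
    expected = ", ".join(str(n) for n in allowed)
    return "drop", f"{src} arrived on {pkt.ingress_if}, expected {expected}"


def audit(packets: List[Packet]) -> List[str]:
    """Run the check over a batch and produce log-style lines for the SOC."""
    lines = []
    for pkt in packets:
        verdict, reason = check_source(pkt)
        lines.append(f"{verdict.upper()} {pkt.src_ip}:{pkt.src_port} -> "
                     f"{pkt.dst_ip}:{pkt.dst_port} via {pkt.ingress_if}: {reason}")
    return lines


# Constructed traffic based on the slide: A's genuine request to B, the bad
# actor's packet carrying A's address but arriving on the actor-facing
# interface, the actor's own-address packet, and a bogus loopback source.
SAMPLE = [
    Packet("to-A",     "10.10.10.1", "134.117.1.60", 40000, 80),
    Packet("to-actor", "10.10.10.1", "134.117.1.60", 40001, 80),
    Packet("to-actor", "11.11.11.1", "134.117.1.60", 40002, 80),
    Packet("to-actor", "127.0.0.1",  "134.117.1.60", 40003, 80),
]
```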
34. Session hijacking
Diagram (bad actor, server a, user b, target):
1. Intercept: the bad actor, using server a’s address, sends a reset to user b; user b drops the connection.
2. Exploit: the bad actor, using user b’s address, sends malicious commands to server a; user b ignores the server.
3. The bad actor now holds the authorized connection to server a, the target.
Why this is possible:
• The Internet is designed as a public network; Wi-Fi access points and network routers see all traffic that passes through them.
• Routing information is public; IP packet headers identify source and destination.
• Even a passive observer can easily figure out who is talking to whom.
• Encryption does not hide identities: encryption hides the payload, but not the routing information. Even IP-level encryption (tunnel-mode IPsec/ESP) reveals the IP addresses of the IPsec gateways.
35. Denial of service (DoS)
Diagram: the bad actor directs several zombies against the target, server a.
• Observation: malicious behavior need not involve system call anomalies.
• Malicious code communicates with its master by “piggybacking” on normal network I/O.
• Hide malicious code inside a server; hook into a normal execution path.
36. “Who” gets access and “what” they can do
• Control at each switch port or access point.
• Only authorized users can get network access.
• Unauthorized users can be placed into “Guest” VLANs.
• Prevents unauthorized APs.
Identity-based network access: unauthorized users/devices versus authorized users/devices, with user-based policies applied (BW, QoS etc.).
37. War Driving for open Frequency Range
Countermeasures for wireless attacks:
• Anti-war-driving software makes it more difficult for attackers to discover your wireless LAN.
• Honeypots: servers with fake data to snare intruders.
• FakeAP and Black Alchemy Fake AP: software that makes fake access points.
• Use special paint to stop radio from escaping your building.
Radio-frequency-based threats:
• Client mis-association: client-to-client connections bypass infrastructure security checkpoints.
• Rogue access points: employees connect to an external WLAN, creating a portal to the enterprise wired network.
• Denial of service attacks: malicious hackers disrupt critical business services.
• Ad-hoc wireless networks: employees unknowingly create an opening to the enterprise network.
Diagram: bad actor, target; ad-hoc networks, mis-association networks, rogue networks.
38. 802.1X
Multi-User Authentication (MUA)
Diagram: MUA logic on one port offering Web, MAC and 802.1X authentication methods. Chris (MAC = A:A) authenticates with 802.1X credentials; Dave (MAC = B:B) authenticates with MAC credentials. The RADIUS Server returns Filter ID Policy X for Chris and Filter ID Policy Y for Dave, and the switch installs a Dynamic Admin Rule for Policy X (SMAC = A:A) and one for Policy Y (SMAC = B:B), so Policy Profile X and Policy Profile Y coexist on the same port.
Allows for assignment of multiple policy profiles per port
Each policy profile is assigned to a subset of the traffic received
Policy profile is applied to ingress traffic based on which user sourced it
Users/devices may be implementing different authentication methods
39. Access Control Possibilities
Diagram: client, Summit edge switch and authentication server, comparing authentication messages and data messages for each client type:
MAC-based (non-intelligent devices): MAC Authentication to the edge switch, RADIUS Encryption from edge switch to server; data messages: No Encryption on either hop
Web-based (browser-only client): HTTPS Authentication (encrypted) to the edge switch, RADIUS Encryption from edge switch to server; data messages: No Encryption on either hop
802.1x-based (802.1X client): 802.1X Authentication (PEAP/MD5/TLS/TTLS) to the edge switch, RADIUS Encryption from edge switch to server; data messages: No Encryption on either hop
40. Whitelist / Blacklist
Identity Management
Increased visibility and management of device identities
Roles based on LLDP parameters
Roles based on MAC, IP, Port
Whitelists and Blacklists
Whitelist: allow all traffic from and to the identity
Blacklist: deny all traffic from the identity
Client / Device Attributes
• MAC OUI
• MAC Address
• IP Address
Diagram: user or device identities on Summit switches are mapped to a whitelist or a blacklist in front of the server.
Whitelist
Users mapped to a whitelist based on user/MAC/IPv4
Creates ACL to permit all traffic
if match all {Ethernet-source-address 00:00:00:00:00:02;}
then {permit;}
Blacklist
Users mapped to a blacklist based on user/MAC/IPv4
Creates ACL to block all traffic
if match all {Ethernet-source-address 00:00:00:00:00:02;}
then {deny;}
41. Access Control in OS
Assume secure channel from user
Authenticate user by local password
Map user to her user ID + group IDs
Local database for group memberships
Access control by ACL on each resource
OS kernel is usually the reference monitor
Any RPC target can read IDs of its caller
ACLs are lists of IDs
A program has IDs of its logged-in user
Diagram: network login in three steps: (1) user logs in, MAC address detected; (2) authenticated by the Radius Server; (3) port put in forwarding mode.
42. Authentication
Authentication is identification and assurance of origin of information
Unauthorized assumption of another’s identity
Q: Who is the sender of the message? (who might have been able to create it)
Q: Who is the sender of the message? (who might have been able to modify it)
Integrity is prevention of unauthorized changes
Intercept messages, tamper, release again
Functionality: f: ({0,1}*)^K → ({0,1}*)^K, with K inputs (one per party), each input a bitstring, and K outputs
Diagram: Network Login Authenticator on the network, offering MAC Learning, 802.1x Auth and Web-based Login (with MAC Mask and URL Hijacking), backed by a Local Database or a RADIUS Authentication Server over EAP/RADIUS. Supplicants present user/passwd and port #; the server answers with a VLAN VSA.
43. Port-based 802.1Q
Pros
Separate broadcast domains for trusted internal users and untrusted guest users – groups unable to communicate directly
Trusted internal PCs cannot contract viruses from untrusted guest PCs
Untrusted guest users are unable to access private internal servers
Use of VLAN Trunking Protocol eases VLAN management
Cons
No measure to prevent untrusted guests from connecting to private ports
Misconfiguration of a port will provide trusted network access
Use of separate subnets leads to inefficient use of IP address space
Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
Diagram: Summit switch and server; network security (VLANs) for network and user segregation.
44. “Network Login” captive portal
Captive Portal Features
Fully customizable formatting and content
HTTPS redirection and capture
Internal and external hosting
Logout on browser close
Login, welcome and failed pages
Unbranded login pages for concealment
Diagram: message flow between Client, Summit switch and RADIUS server, with a Bad Actor shown on the client side:
DHCP (“speed bump”): Client sends DHCP-Request; switch answers DHCP-Response (short lease)
Login: Client sends an HTTP request to any external webserver address (for example www.yahoo.com); switch returns an HTTP Login-Prompt (redirected); Client submits HTTP Username/Password; switch sends RADIUS Access-Request; RADIUS server returns Access-Accept with VLAN Assignment
DHCP or static IP: Client sends DHCP-Request; switch answers DHCP-Response
45. captive portal
AAA Features - Using Hotspot Authentication
Bandwidth Management Policies
Dynamic VLAN Assignments
LDAP authentication support
RADIUS authentication and accounting
Time-based access policies
Time of day and day of week access policies
Web browser-based authentication
Web browser-based guest user admin
Open Source
CoovaChilli (morphed from Chillispot) http://coova.org/wiki/index.php/CoovaChilli
Uses RADIUS for access and accounting.
CoovaAP openWRT-based firmware.
M0n0wall http://m0n0.ch/wall/
Embedded firewall appliance solution built on FreeBSD.
http://m0n0.ch/wall/images/screens/services_captiveportal.png
46. MAC Auth: Other Non-802.1X-Capable Endpoints
Unsupported devices: network printers, Ethernet-based electronics like environmental sensors, cameras, wireless phones, etc.
One way: Media Access Control (MAC) address filtering. Usually implemented by permitting instead of preventing.
Win 2K & XP allow easy change for MAC addresses. MAC address is not an authentication mechanism…
Native Client Support  EAP-PEAP  EAP-TLS  EAP-TTLS
XBOX 360               NO        NO       NO
XBOX One               MAYBE     MAYBE    MAYBE
PlayStation 3 & 4      NO        NO       NO
Nintendo Wii / Wii U   NO        NO       NO
Message authentication code, MAC (usually based on a cryptographic hash, aka “digest”)
Integrity and authentication: only someone who knows KEY can compute MAC for a given message
Diagram: the sender computes MAC(KEY, message) and transmits “message, MAC(KEY,message)”; the receiver, holding the same KEY, recomputes the MAC and verifies whether it is equal to the MAC attached to the message.
47. WEP Keys (Static Keys)
Shared key authentication
1.) Laptop sends an authentication frame saying it wants to authenticate
2.) AP sends a challenge text
3.) Laptop encrypts challenge text with shared key and returns it
4.) AP compares encrypted text with its own
5.) AP sends Authentication frame back to the device
Symmetric Encryption
Given: both parties already know the same secret
Goal: send a message confidentially
48. WPA & WPA2 Personal Security
WPA replaces WEP with TKIP
WPA2 uses a stronger data encryption method called AES-CCMP instead of TKIP encryption.
Still uses PSK (Pre-Shared Key) authentication. People may send the key by e-mail or another insecure method.
Cracking WPA
Diagram: EAP layering. Method layer: TLS, GSS_API, Kerberos, PEAP, MS-CHAPv2, IKE, MD5; EAP layer: EAP; media layer: PPP, 802.3, 802.5, 802.11, Other…
49. IEEE 802.1X
Port-based Network Access Control (PNAC).
Diagram: Supplicant, Authenticator (Summit) and authentication Server.
1.) Device asks to join.
2.) AP asks device to verify identity; the AP becomes the middleman for the authentication server.
3.) Device sends identity to authentication server.
4.) Authentication server verifies identity.
5.) Device can join wireless LAN.
802.1X Authentication progression
1) Initialization – on detection of a new supplicant on the switch port.
2) Initiation – the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment.
3) Negotiation – the authentication server sends an Access-Challenge packet to the authenticator.
4) Authentication – if the authentication server and supplicant agree, an EAP-Success message is sent and the port is set to the "authorized" state.
Frame layout: between supplicant and authenticator, 802.1x Header | EAP Payload; between authenticator and server, UDP Header | RADIUS Header | EAP Payload.
50. Identity Based Network Services
Diagram: IEEE 802.1X. The Supplicant sends Login + Certificate to the Authenticator (Summit), which forwards it to the AAA Radius Server (802.1x Authentication Server). The server verifies the login and checks with the Policy DB and the LDAP or Active Directory Server (Login and Certificate Services): Login Verified, “Login Good! Apply Policies.” The switch applies the policies (IEEE802.1x + VLANs + VVID + ACL + QoS) and enables the port:
Set port to enable
set port vlan 10
51. Comprehensive NAC Solution
Diagram: Supplicant, Authenticator (Summit), NAC Server, Authentication Server, LDAP or Active Directory Server (Login and Certificate Services) and the Intranet/Network (THE GOAL); Login + Certificate goes in, Login Verified comes back.
1. End user attempts to access network; initial access is blocked
2. Single-sign-on or web login; NAC Server gathers and assesses user/device information: username and password, device configuration and vulnerabilities
3a. Noncompliant device or incorrect login: access denied, placed into quarantine (Quarantine Role) for remediation
3b. Device is compliant: placed on “certified devices list”, network access granted
52. 802.1X EAP exchange
Diagram: EAP client, Authenticator (Summit) and Authentication Server; EAPOL between client and authenticator, RADIUS between authenticator and server:
EAPOL Start
Request Identity
Response Identity (anonymous) → Response Identity
TLS Start
Certificate
Client Key exchange
Cert. verification
Request credentials
Response credentials
Success
Native Client Support    EAP-PEAP  EAP-TLS        EAP-TTLS
Windows 8                YES       YES            YES
Windows 7 / Vista / XP   YES       YES            NO
Mac OS X                 YES       YES            YES
Linux                    YES**     YES            YES
iOS                      YES       YES            YES*
Android                  YES**     YES            YES
Chrome OS                YES**     YES            YES**
Windows Phone 8.1        YES       YES (rumored)  UNK
Windows Phone 7/8        YES       NO**           NO
BlackBerry 10            YES       YES            YES
BlackBerry 7             YES       YES            YES
53. IKEv2 with EAP & Server Certificate
Diagram: Initiator (Client) and Responder (Authr Server) over UDP/500, with a AAA Server behind the responder over RADIUS. Exchange: KEi, Ni / KEr, Nr; IDi / IDr, Certr; EAP Identity, EAP Challenge, EAP Response; PSK shown at both the client and the AAA server.
EAPOL frame format: PAE Ethernet Type | Prot. Ver. | Packet Type | Packet Body Length | Packet Body...
54. Distribution of Public Keys - certificate authority (CA)
Public announcement or public directory
Risks: forgery, tampering
Public-key certificate
Signed statement binding a public key to an identity: sig_Alice(“Bob”, PK_B)
Common approach: An agency responsible for certifying public keys
Browsers are pre-configured with 100s of trusted CAs
135 trusted CA certificates in Firefox 3
A public key for any website in the world will be accepted by the browser if certified by one of these CAs
Given: Everybody knows the public key; only Bob knows the corresponding private key
Goal: Laptop sends a “digitally signed” message. To create a valid signature, must know the private key; to verify a signature, enough to know the public key
Diagram: private key (?) on the signer’s side, public key on the verifiers’ side, Bad Actor, Summit, Authentication Server.
55. What Is NAC, Really?
Beyond “Who Is It?” Goal: Decide whether to grant a request to access an object
Diagram: cycle of Authenticate & Authorize, Scan & Evaluate, Update & Remediate, Quarantine & Enforce, driven by the questions: Where is it coming from? Who owns it? What do you have? What’s the preferred way to check or fix it?
NAC Server is an IP passive bump in the wire, like a transparent firewall.
Guards control access to valued resources
Diagram: Resource guarded by the Authentication Server.
56. Network Access Control
Diagram: NAC Client, Enforcement Point, Access Controlled Subnet, Isolation Network, NAC Server (Check, Quarantine, Remediate, allow), Summit, Authentication Server.
58. Fingerprint – Who, What, When, Where, How
Single SSID – Multiple Topologies – Multiple Solutions
Control traffic: traffic type and QoS
Control access to resources based on who, what, when, where, how …
Ensure compliance
Diagram: Who, Where, When, What device type, How.
59. Purview Everywhere (more than CoreFlow2)
Available Today
Standalone Application Sensor
Core / DataCenter – CoreFlow S/K Series
Future
Use IPFix and packet mirroring in the Summits
X460s (future XoS16.2) looks at 1st 15 packets for Deep Packet.
Wireless - IdentiFi APs & Controllers
Diagram: Purview fed by CoreFlow, Wireless Controller, Wireless AP, Virtual Network and Standalone Access Switches.
60. Identity and Application Awareness
Deep Packet Inspection; SSL Visibility
Diagram: network traffic and flows, inbound and outbound, with the labels Application A, Application B, Employee A, Employee B, Employee C, Prohibited Application, Attack Traffic, Botnet Traffic, Good Application, Clean Traffic. Protection, visibility, and control.
SSL handshake between a regular client and an SSL server: 1. ClientHello; 2. ServerHello (send public key); 3. ClientKeyExchange (encrypted under public key); then exchange data encrypted with new shared key.
61. Logs
Log collection - threat landscape
Inputs: Events, Alerts, Configuration information, System audit trails, External threat feeds, E-mail and social activity, Network flows and anomalies, Identity context, Business process data, Malware information
Then: Collection
•Log collection
•Signature-based detection
Now: Intelligence
•Real-time monitoring
•Context-aware anomaly detection
•Automated correlation and analytics
62. Host Integrity—Summary
Microsoft Network Access Protection (NAP)—(9/2006)
– Open framework—Major security vendors involved
– Integration and Testing in progress. Demonstrated at RSA 2/2006.
– Microsoft availability with Vista/Longhorn beta and XP/2003 Service Pack in the future
Diagram: the CLIENT (Microsoft Quarantine Agent, Partner Health Agent, Partner Enforcement Client) connects through a Network Access Device (Switch, Access Point; VPN, 802.1X, IPsec) to the Network Policy Server (IAS) with the Microsoft Quarantine Server and Partner and Microsoft Servers (e.g. a/v, patch policy) over RADIUS. A Host Integrity Check Fail puts the client into the Quarantine VLAN with clean-up servers (Virus Update, OS Patch Update, etc.).
User Auth  Host Integrity  Action
Pass       Pass            Corporate VLAN
Pass       Fail            Put into Quarantine VLAN
Fail       Pass            Close Port
Fail       Fail            Close Port
63. SIEM
Diagram: Correlation, Logging, Compliance, Forensics (A, B, C).
Sarbanes-Oxley - Publicly Traded Companies must
• Maintain an adequate internal control structure
• Procedures for financial reporting.
• Assess the effectiveness of internal control structures
HIPAA - Patient Information, Firms Must:
• Maintain administrative, technical and physical safeguards to ensure integrity and confidentiality
• Protect against threats or hazards;
• unauthorized uses or disclosures
PCI - All Merchants Using Payment Cards, Must
• Build and maintain a secure network
• Protect and encrypt cardholder data
• Regularly monitor and test networks, including wireless
64. Dynamic Security Policies
Conceptual View
1. Administrator configures user group policies in Netsite. Policy includes VLAN, 802.1p priority, extension mapped to user group
2. Netsite pushes policy to switch
3. User logs on to the network
4. RADIUS server returns policy name for user
5. Policy is applied and switch configures VLAN, 802.1p priority and ACLs on the port
Diagram: Netsite Server, RADIUS Server and switch.
65. IP Security
Conceptual View (Trusted DHCP)
Diagram: the gateway switch (192.168.0.1, MAC 00:04:96:10:46:60) has a Trusted Port toward the DHCP Server (allow DHCP servers) and Un-Trusted Ports toward the endpoints (block DHCP servers), where a Rogue DHCP Server is attached. Endpoint 1: IP 192.168.0.8, Default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23.
66. IP Security
Conceptual View (DHCP Snooping)
Uses DHCP snooping to build trusted DHCP binding table
Diagram: DHCP Server on the Trusted Port, endpoints on Un-trusted Ports, gateway 192.168.0.1 (00:04:96:10:46:60). Endpoint 1: IP 192.168.0.8, Default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23. Endpoint 2: IP 192.168.0.22, Default GW 192.168.0.1, MAC 00:0B:7D:31:AD:F2.
DHCP Binding Table
MAC                IP
00:0B:7D:25:F7:23  192.168.0.8
00:0B:7D:31:AD:F2  192.168.0.22
…                  …
67. IP Security
Conceptual View (Gratuitous ARP Protection)
Diagram: same topology and DHCP Binding Table as the DHCP Snooping view (Endpoint 1 192.168.0.8 / 00:0B:7D:25:F7:23, Endpoint 2 192.168.0.22 / 00:0B:7D:31:AD:F2, gateway 192.168.0.1 / 00:04:96:10:46:60).
(1) Endpoint 2 sends gratuitous ARP: "I have IP address 192.168.0.1 and my MAC address is ..:F2”
(2) The other endpoint’s ARP cache is poisoned: 192.168.0.1 → ..:F2
(3) Switch detects invalid ARP entry
(4) Switch sends gratuitous ARP: “For IP address 192.168.0.1 the correct MAC address is ..:60”
(5) ARP cache restored: 192.168.0.1 → ..:60
68. IP Security
Conceptual View (IP Source Lockdown)
Diagram: same topology and DHCP Binding Table as the DHCP Snooping view (Endpoint 1 192.168.0.8 / 00:0B:7D:25:F7:23, Endpoint 2 192.168.0.22 / 00:0B:7D:31:AD:F2, gateway 192.168.0.1 / 00:04:96:10:46:60).
(1) An endpoint sends traffic with source IP address of 192.168.0.8
(2) Switch blocks the traffic since the source IP address is spoofed, i.e. not the address the binding table assigned to the sending MAC
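The three switch features on the IP Security slides (trusted DHCP, DHCP snooping, gratuitous ARP protection and IP source lockdown) modelled in software, as an added example that is not part of Extreme's slides or EXOS. Port numbers, the rogue server's offer and the message sequence are constructed; the endpoint and gateway addresses are the ones in the slides' binding table.

```python
# Added example, not Extreme's code: a model of the switch features on slides 65-68.
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    trusted_ports: set                       # ports on which a DHCP server may answer
    gateway_ip: str = "192.168.0.1"          # gateway address and MAC from the slides
    gateway_mac: str = "00:04:96:10:46:60"
    bindings: dict = field(default_factory=dict)  # MAC -> IP learned by DHCP snooping
    log: list = field(default_factory=list)

    def dhcp_reply(self, port, client_mac, offered_ip):
        """Trusted DHCP (65): drop replies on untrusted ports; snooping (66): learn the rest."""
        if port not in self.trusted_ports:
            self.log.append(f"port {port}: dropped DHCP reply from rogue server")
            return False
        self.bindings[client_mac] = offered_ip
        return True

    def correct_mac(self, ip):
        if ip == self.gateway_ip:
            return self.gateway_mac
        return next((m for m, i in self.bindings.items() if i == ip), None)

    def arp_announce(self, port, sender_mac, sender_ip, arp_cache):
        """Gratuitous ARP protection (67): detect a claim the binding table contradicts,
        then re-announce the correct MAC so the poisoned cache is restored."""
        if port in self.trusted_ports or self.bindings.get(sender_mac) == sender_ip:
            arp_cache[sender_ip] = sender_mac
            return True
        arp_cache[sender_ip] = sender_mac                 # (2) victim's cache poisoned
        self.log.append(f"port {port}: invalid ARP {sender_ip} -> {sender_mac}")  # (3)
        real = self.correct_mac(sender_ip)
        if real:
            arp_cache[sender_ip] = real                   # (4) corrective ARP, (5) restored
        return False

    def ip_packet(self, port, src_mac, src_ip):
        """IP source lockdown (68): block a source IP the binding table does not tie to the MAC."""
        if port in self.trusted_ports or self.bindings.get(src_mac) == src_ip:
            return True
        self.log.append(f"port {port}: blocked spoofed source {src_ip}")
        return False


def run_scenario():
    sw = SnoopingSwitch(trusted_ports={"1"})                    # port 1 faces the DHCP server
    sw.dhcp_reply("1", "00:0B:7D:25:F7:23", "192.168.0.8")      # endpoint 1 (slide 66)
    sw.dhcp_reply("1", "00:0B:7D:31:AD:F2", "192.168.0.22")     # endpoint 2 (slide 66)
    rogue = sw.dhcp_reply("7", "00:0B:7D:25:F7:23", "10.9.9.9") # rogue server, untrusted port
    cache = {}                                                  # endpoint 1's ARP cache
    arp_ok = sw.arp_announce("3", "00:0B:7D:31:AD:F2", "192.168.0.1", cache)
    spoof = sw.ip_packet("3", "00:0B:7D:31:AD:F2", "192.168.0.8")  # endpoint 2 uses 1's IP
    legit = sw.ip_packet("2", "00:0B:7D:25:F7:23", "192.168.0.8")
    return sw, cache, rogue, arp_ok, spoof, legit
```

Every decision reads from the one binding table, which is why the rogue DHCP server has to be blocked first: a poisoned table would make the ARP and source-IP checks approve the wrong hosts.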