Technet S.O.S
Red Segura con Switches D-Link (Secure Network with D-Link Switches)

Xavier Campos
Product Manager SP & PT
xavier.campos@dlink.es
Barcelona, 14 July 2009
D-Link
Challenges of Today’s Networks

(Diagram: a core switch behind a firewall connects a server farm and several access switches; the annotated problems are service instability, loop connections, security breaches, performance downgrade, low manageability, IP conflicts, worms, ARP spoofing, unauthorized access and worm infection within the intranet)
Endpoint Security Solutions of xStack Switches

    • Authentication

    • Authorization

    • Node/Address Control

    • Attack Mitigation

    • Microsoft NAP Server
Problem: Unauthorized Access
    •     Traditionally, security checks take place at the perimeter
    •     Intranet users can connect to the network without authorization

(Diagram: employees, malicious users and guests all plug into the same intranet that hosts the financial server, the ERP system and the R&D server: "Everyone can connect to your network without authorization!", with information leakage and hacking incidents as the result)

            • Lack of proper control on the RJ45 socket outlet
            • Lack of proper control for the wireless users
            • A client can easily go anywhere without authorization
Solution for Unauthorized Access
•   D-Link’s Solution 1:
        802.1x Authentication
        Web-based Access Control (WAC) [Captive Portal]

•   When to use?
        To perform user authentication and so control access by user identity
        The clients must be authenticated based on user login information, regardless
        of the user’s location or device.

•   Benefit:
        Mobility: users get their designated privileges no matter where they are or
        which device they use
        Clientless: easy to deploy, easy to use (WAC)
        Better security management: pushing the security control to the edge, all the
        clients must be authenticated before entering the network
Solution for Unauthorized Access
•   D-Link’s Solution 2:
        MAC-based Access Control (MAC)

•   When to use?
        For VoIP phones, printers, routers, IP cameras and AP devices which don’t have
        a web browser, or on which an 802.1x supplicant can’t be installed.
        Stricter control for end-user devices. Especially suitable for campus networks,
        the public sector, or enterprises that need device control.

•   All the clients are authenticated automatically and granted a specific role on
    the network

•   Benefit:
        Clientless: easy to deploy, totally transparent to clients
        Device Management: only legitimate devices are allowed to connect to the network
Requirement: Authorization by user’s identity
          The network is under granular control by segregating the traffic!

(Diagram: R&D, Accounting, Sales and Guest users connect to one switch; the Financial server, ERP system and R&D server are reachable only by the groups listed below)

                           • RD dep. is granted access to the R&D server and the internet only
                           • Accounting dep. is granted access to the Financial server and ERP system only
                           • Sales dep. is granted access to the ERP system and the internet only
                           • Guest users can only connect to the Internet
Solution for Authorization by user’s identity
•   D-Link’s Solution:
        Dynamic VLAN Assignment
        Guest VLAN (Restricted network access)
        Client Attribute Designation
         • Bandwidth control per port / per flow
         • 802.1p priority (default value per port)
         • ACL that delivers user identity control as a set of services *

(Diagram: the RADIUS server returns the bandwidth parameter, the 802.1p priority parameter and the ACL to the switch; client attributes can be designated by the RADIUS server after successful authentication)

•   The identity-based security policies provide the appropriate access rights for
    different users
                                                                                * Under development
Problem: Loop Connection
•   Users connect their own switches and cause loops, unintentionally or on purpose
•   A loop can cause a packet storm and overwhelm the whole system

(Diagram: a user’s switch looped back into the access switch, producing a packet storm)
Solution for Loop Connection
• D-Link’s Solution: Loopback Detection ( LBD v4.0 )
     STP (Spanning Tree Protocol) Independent
      • Unmanaged switches usually do not have a Spanning Tree Protocol
        function
      • D-Link’s design can detect loop connections even when STP is absent

     Flexible Settings for Loop Prevention
       • Port-based or
       • VLAN-based

(Diagram: left, a loop behind a single access port with PC1 and PC2; right, a loop inside VLAN V2 behind a trunk port carrying VLANs V1 and V2)

      1. Port-based LBD                         2. VLAN-based LBD
      - Port shut down, no traffic is allowed   - Block the traffic of the VLAN in which the loop occurs
                                                    without shutting down the trunk port.
Loopback Detection Scenario

(Diagram: Internet – router 192.168.0.1/24 – switch 192.168.0.2/24 running Loopback Detection – two clients, with a loop occurring on the client side)

Switch configuration:
    enable loopdetect
    config loopdetect recover_timer 60 interval 10 mode port-based
    config loopdetect trap both
    config loopdetect ports 1-10 state enable
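The following is an added simulation, not D-Link code, of the two LBD modes described on the previous slide: the switch sends a probe out of each port every `interval` seconds and, if the probe re-enters the switch, either shuts the port (port-based) or blocks only the looping VLAN on that port (VLAN-based), re-enabling it after `recover_timer` seconds. The wiring (`LOOP_PATHS`), the port numbers and the timer values are constructed; the timers mirror the scenario's CLI (`recover_timer 60`, `interval 10`).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    number: int
    vlans: Set[int]                              # VLANs carried on the port (access or trunk)
    enabled: bool = True
    blocked_vlans: Set[int] = field(default_factory=set)
    disabled_at: Optional[int] = None            # simulated time when LBD acted on the port


class LoopDetector:
    """Minimal model of loopback detection (added example, not vendor code)."""

    def __init__(self, ports: List[Port], mode: str = "port-based",
                 interval: int = 10, recover_timer: int = 60):
        assert mode in ("port-based", "vlan-based")
        self.ports: Dict[int, Port] = {p.number: p for p in ports}
        self.mode = mode
        self.interval = interval                 # seconds between probe frames
        self.recover_timer = recover_timer       # seconds before a port/VLAN is re-enabled
        self.events: List[Tuple[int, str, int, Optional[int]]] = []   # (time, action, port, vid)

    def _forwarding(self, port: Port, vid: int) -> bool:
        return port.enabled and vid in port.vlans and vid not in port.blocked_vlans

    def _probe_returns(self, port: Port, vid: int, loop_paths: Dict[Tuple[int, int], int]) -> bool:
        """loop_paths is the constructed wiring: (egress port, vid) -> port on which the
        probe re-enters the switch. No entry means the probe never comes back."""
        back = loop_paths.get((port.number, vid))
        return back is not None and self._forwarding(self.ports[back], vid)

    def _act(self, port: Port, vid: int, now: int) -> None:
        if self.mode == "port-based":            # shut the port: no traffic at all
            port.enabled = False
            self.events.append((now, "port_shutdown", port.number, None))
        else:                                    # block only the looping VLAN, trunk stays up
            port.blocked_vlans.add(vid)
            self.events.append((now, "vlan_blocked", port.number, vid))
        port.disabled_at = now

    def _recover(self, port: Port, now: int) -> None:
        if port.disabled_at is not None and now - port.disabled_at >= self.recover_timer:
            port.enabled = True
            port.blocked_vlans.clear()
            port.disabled_at = None
            self.events.append((now, "recovered", port.number, None))

    def tick(self, now: int, loop_paths: Dict[Tuple[int, int], int]) -> None:
        """One simulated second; probes are only sent every `interval` seconds."""
        if now % self.interval:
            return
        for port in self.ports.values():
            self._recover(port, now)             # expired recovery timer: re-enable, then re-probe
            for vid in sorted(port.vlans):
                if self._forwarding(port, vid) and self._probe_returns(port, vid, loop_paths):
                    self._act(port, vid, now)
                    if self.mode == "port-based":
                        break                    # the port is down, nothing more to probe


# Constructed wiring: a cable looped back on access port 5 (VLAN 1), and a loop in
# VLAN 2 between trunk ports 7 and 8 (a probe sent out of 7 re-enters on 8 and vice versa).
LOOP_PATHS = {(5, 1): 5, (7, 2): 8, (8, 2): 7}


def run(mode: str, loop_paths=LOOP_PATHS, seconds: int = 70) -> LoopDetector:
    ports = [Port(5, {1}), Port(7, {1, 2}), Port(8, {1, 2})]
    det = LoopDetector(ports, mode)
    for t in range(seconds + 1):
        det.tick(t, loop_paths)
    return det


if __name__ == "__main__":
    for mode in ("port-based", "vlan-based"):
        print(mode, run(mode).events)
```

In port-based mode the trunk on port 7 goes down entirely and its VLAN 1 users lose connectivity; in VLAN-based mode only VLAN 2 is blocked on port 7, which is the difference the slide draws.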
Problem: IP Management
• Auditing Problem
  Current auditing mechanisms, for example syslog, application logs, firewall
  logs, etc., are mainly based on IP information. The log information is
  meaningless if the IP can be changed by users without control.

• IP Conflict Problem
  IP conflict is the most common problem in today’s networks, because sometimes
  users change the IP address manually and conflict with other resources,
  such as other users’ PCs, core switches, routers or servers.

(Diagram: three hosts on one switch: 192.168.1.1 / 00E0-0211-1111, 192.168.1.2 / 00E0-0211-2222 and 192.168.1.1 / 00E0-0211-3333; the third causes an IP conflict with the first and makes the audit trail ambiguous)
Solution for IP Management
• D-Link’s solution 1:
  IMP (IP-MAC-Port) Binding v3 (DHCP Snooping)

     IMP Binding v3 will automatically learn the IP and MAC address pairs and save
     them into the local database.
     Only traffic whose addresses match an entry in the white list can pass through the
     port

(Diagram: with IMP Binding v3 enabled, host A (192.168.1.1 / 00E0-0211-1111) and host B (192.168.1.2 / 00E0-0211-2222) received their addresses from DHCP and are learned into the white list; host C (192.168.1.1 / 00E0-0211-3333, IP manually configured by the user) matches no entry and is blocked)

                              White List
           IP              MAC              Port
           192.168.1.1     00E0-0211-1111   Port1
           192.168.1.2     00E0-0211-2222   Port2
Problem & Solution – Rogue DHCP Server
• Problem: Users set up their own DHCP server
• Impact:
     Incorrect IP assignment
     Disrupted network connectivity
• D-Link’s solution: DHCP Server Screening
     Screen rogue DHCP server packets from user ports to prevent
     unauthorized IP assignment

(Diagram: the legitimate DHCP server delivers a normal DHCP assignment to PC1; a rogue DHCP server on a user port announces "I’m DHCP Server" towards PC2, and the switch discards its DHCP server packets: "Sorry, you’re illegal")
Problem: ARP Spoofing Attack
•   What is ARP Spoofing?
       Hackers send faked ARP packets carrying wrong
       MAC/IP information to deceive network
       devices

•   How does ARP Spoofing attack the network?
    ARP spoofing as DoS:
      Popular in Internet cafés
      The hacker impersonates a server or a router, or
      tricks the clients into using a non-existent
      router
      The inter-subnet connectivity and internet
      access of the whole network will be impacted.

    Man in the middle:
      Popular in business environments
      The hacker convinces the victim PC that it is the
      router
      The hacker convinces the router that it is the victim
      All the traffic will be sniffed by the hacker
      and users will never know

(Diagram: the hacker broadcasts spoofed ARP replies so that the router and the server learn "PC MAC = attacker MAC" while the PC learns "Router MAC = attacker MAC")
Solution for ARP Spoofing Attack
•   D-Link’s Solution: IP-MAC-Port Binding
       Establish a database of the relationship between IP, MAC and port
       The switch blocks the illegal access immediately once a mismatched ARP
       packet is found.

(Diagram: the switch holds the binding table below; PC-C (IP C, MAC c) sends faked ARP packets claiming "I’m Router" (IP R) and "I’m PC-A" (IP A) with MAC c, and the switch answers "You’re not Router" / "You’re not PC-A")

        IP   MAC   Port
        R    r     26      (Router)
        A    a     2       (PC-A)
        B    b     12      (PC-B)
        C    c     16      (PC-C)
        …
Solution for ARP Spoofing Attack
•   D-Link’s Solution: ARP Spoofing Prevention
         An effective way to protect your router & servers
             Simpler setup than IMPB and consumes fewer ACL rules
         Users can input the IP and MAC of the router or of important servers
         The switch will compare all inbound ARP packets against the configured MAC and IP
         Used to block invalid ARP packets that carry a fake gateway MAC and
         IP

(Diagram: the switch is configured with the protected pairs below; PC-C (IP C, MAC c) sends a faked ARP claiming "I’m Router" (IP R, MAC c) and the switch answers "You’re not Router")

        IP   MAC
        R    r     (Router)
        S    s     (Server)
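The two checks from the last two slides, IP-MAC-Port Binding and ARP Spoofing Prevention, as one added example in plain Python (not D-Link code) run over constructed ARP frames. The addresses are those of the deck's MITM scenario (router 192.168.0.1 / 00-1E-58-41-4C-E3, victim PC 192.168.0.10, sniffer PC 192.168.0.11) and the port layout follows its CLI: strict IMPB on ports 1-6 and 8-10, gateway protection on port 7; `build_arp`, `ArpInspector` and the verdict strings are this example's own names.

```python
import struct
from typing import Dict, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac: str, sender_ip: str, target_ip: str, oper: int = 1,
              dst_mac: str = "ff-ff-ff-ff-ff-ff", target_mac: str = "00-00-00-00-00-00") -> bytes:
    """Constructed test frame: Ethernet header followed by an ARP request (1) or reply (2)."""
    eth = struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETH_P_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac(src_mac), ip(sender_ip),
                              mac(target_mac), ip(target_ip))


def parse_arp(frame: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Return (ethernet source, ARP sender MAC, ARP sender IP), or None if not well-formed ARP."""
    if len(frame) < 14 + ARP_HDR.size:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = ARP_HDR.unpack(frame[14:14 + ARP_HDR.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_src, sha, spa


class ArpInspector:
    """Per-port ARP inspection modelled on the switch features described on the slides."""

    def __init__(self) -> None:
        self.bindings: Dict[Tuple[bytes, bytes], Set[int]] = {}   # (ip, mac) -> ports it may appear on
        self.impb_ports: Set[int] = set()                          # ports in strict IMPB mode
        self.gateways: Dict[bytes, bytes] = {}                     # protected IP -> its only legal MAC
        self.gateway_ports: Set[int] = set()                       # ports where that check runs

    def bind(self, ipaddr: str, mac_address: str, ports) -> None:
        """Mirrors: create address_binding ip_mac ipaddr <ip> mac_address <mac> ports <ports>"""
        self.bindings[(ip(ipaddr), mac(mac_address))] = set(ports)

    def protect_gateway(self, gateway_ip: str, gateway_mac: str, ports) -> None:
        """Mirrors: config arp_spoofing_prevention add gateway_ip <ip> gateway_mac <mac> ports <ports>"""
        self.gateways[ip(gateway_ip)] = mac(gateway_mac)
        self.gateway_ports.update(ports)

    def inspect(self, port: int, frame: bytes) -> str:
        parsed = parse_arp(frame)
        if parsed is None:
            return "drop: malformed ARP"
        eth_src, sha, spa = parsed
        if eth_src != sha:
            return "drop: Ethernet source differs from ARP sender MAC"
        # ARP Spoofing Prevention: only the configured MAC may claim a protected IP.
        if port in self.gateway_ports and spa in self.gateways and self.gateways[spa] != sha:
            return "drop: sender claims protected gateway IP with wrong MAC"
        # IP-MAC-Port Binding (strict): the sender pair must be bound to this ingress port.
        if port in self.impb_ports and port not in self.bindings.get((spa, sha), set()):
            return "drop: IP/MAC pair not bound to this port"
        return "permit"


def scenario_inspector() -> ArpInspector:
    """The deck's MITM scenario configuration, expressed through the class above."""
    insp = ArpInspector()
    insp.impb_ports = set(range(1, 7)) | set(range(8, 11))
    insp.bind("192.168.0.10", "00-15-58-2A-EF-0A", range(1, 11))
    insp.bind("192.168.0.11", "00-15-58-2A-E8-BD", range(1, 11))
    insp.protect_gateway("192.168.0.1", "00-1E-58-41-4C-E3", [7])
    return insp


if __name__ == "__main__":
    insp = scenario_inspector()
    # Sniffer PC on port 8 answering "I'm Router" for 192.168.0.1 with its own MAC.
    poison = build_arp("00-15-58-2A-E8-BD", "192.168.0.1", "192.168.0.10", oper=2,
                       dst_mac="00-15-58-2A-EF-0A")
    print(insp.inspect(8, poison))
```

The same spoofed reply is caught by IMPB on an access port (the pair is not in the white list) and by ARP Spoofing Prevention on the gateway port (the claimed IP belongs to the router's MAC), which is why the deck presents the two features as complementary.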
MITM Attack Scenario

(Diagram: Internet – router 192.168.0.1/24 – switch 192.168.0.2/24 – a client and a hacker PC on access ports; the hacker runs an ARP scan and then ARP Poison Routing (APR) to capture the client’s login to a public FTP server)

FTP Server
User account: technet
Password: SOS
MITM Attack Scenario

    Router: DIR-655 (192.168.0.1)
            MAC: 00-1E-58-41-4C-E3
    Switch: 192.168.0.2
            GW: 192.168.0.1

    PC 1 ( Victim )                        Sniffer PC
    IP: 192.168.0.10                       IP: 192.168.0.11 20 (Spoofed)
    Default Gateway: 192.168.0.1           MAC : 00-15-58-2A-E8-BD
    MAC : 00:15:58:2A:EF:0A

Switch configuration:
config address_binding ip_mac ports 1-6,8-10 mode acl
config address_binding ip_mac ports 1-6,8-10 state enable
config address_binding ip_mac ports 1-6,8-10 state enable strict
config address_binding ip_mac ports 1-10 forward_dhcppkt enable
create address_binding ip_mac ipaddr 192.168.0.10 mac_address 00-15-58-2A-EF-0A ports 1-10
create address_binding ip_mac ipaddr 192.168.0.11 mac_address 00-15-58-2A-E8-BD ports 1-10
enable address_binding trap_log
enable address_binding arp_inspection
config arp_spoofing_prevention add gateway_ip 192.168.0.1 gateway_mac 00-1E-58-41-4C-E3 ports 7
Microsoft NAP Support

• Advantages of Network Access Protection

     Authorized users may access systems from authorized endpoints

     Network Access Protection
      • Evaluates security compliance before the connection is permitted
      • Quarantine and remediation for non-compliant users
      • Identity-based network admission control

     Automatic endpoint remediation
      • Enforce policy before access is granted
      • Execute updates, programs, software services, etc.
NAP Illustration

(Diagram: Client – xStack Series Switches – Microsoft Network Policy Server, with the Corporate Network, a Restricted Network containing the Remediation Server, and System Health Servers that send ongoing policy updates to the NPS Policy Server)

Message flow shown in the diagram:
  Client → Switch: "May I have access? Here’s my current health status."
  Switch → NPS: "Should this client be restricted based on its health?"
  NPS → Switch: "According to policy, the client is not up to date. Quarantine client and request it to update."
  Switch → Client: "You are given restricted access until fix-up."
  Client → Remediation Server: "Can I have updates?"   Remediation Server → Client: "Here you go."
  Client → Switch: "Requesting access. Here’s my new health status."
  NPS → Switch: "According to policy, the client is up to date. Grant access!!!"
  Client is granted access to the full intranet
NAP 802.1X Flow Chart

  Enable port-based 802.1X with Guest VLAN on xStack Switch
    → 802.1X Authentication
        Fail    → Client stays in Guest VLAN
        Success → Policy Compliance Check
            Compliant     → Client is assigned to Compliance VLAN
            Not Compliant → Client is assigned to Non-compliance VLAN for remediation
                            → Remediation process completed? Yes → back to 802.1X Authentication
    → If client compliance status or company policy is changed → back to Policy Compliance Check
Necessary Policies in the 802.1X NAP Scenario
  •   There are 3 types of policies that should be configured in Network Policy
      Server, which is a component of Microsoft Windows Server 2008.

       –   Connection Request Policy
            • This policy determines which connection requests are acceptable.
            • In the 802.1X NAP scenario, only connection requests coming from the xStack Switch are
              acceptable.

       –   Health Policy
            • A System Health Validator (SHV) determines which elements are checked when
               validating health status, such as firewall status, anti-virus status, anti-spyware
               status and so on.
            • The Health Policy uses SHVs to determine which criteria count as healthy; passing all the
               SHV checks is considered healthy.

       –   Network Policy
            • The Network Policy determines which action is taken based on the health
               status.
How to implement NAP
 •   Microsoft Active Directory
      –   Install Active Directory Certificate Services

 •   Microsoft Windows Server 2008
      –   Install Network Policy Server (the new version of the RADIUS server)
      –   Configure the RADIUS settings, matching the xStack switch
      –   Configure policies, rules and actions
            • Connection Request Policy
            • Health Policy ( System Health Validator )
            • Network Policy

 •   Microsoft Windows Vista or XP SP3 with NAP client
      –   Enable the NAP client enforcement feature

 •   D-Link xStack DES-3500, DES-3800, DGS-3200, DGS-3400 or DGS-3600
     Series
      –   Configure the RADIUS settings, matching Windows Server 2008
      –   Enable Port-based 802.1X with Guest VLAN
NAP Server Scenario

(Diagram: Internet – router 192.168.0.1/24 – switch 192.168.0.2/24 – client 192.168.0.14/24, the Authentication Server (Windows Server 2008) at 192.168.0.3/24, and the Administrator station)
NAP 802.1X Scenario

(Diagram: switch SW IP 192.168.0.2/24 with the Guest VLAN, VLAN 2 and VLAN 3; client 192.168.0.14/24; AD/NPS/RADIUS server 192.168.0.3/24)

 The client is put in the Guest VLAN originally. If it complies with all requirements, the port the client connects to is
 moved to the Compliance VLAN (VLAN 2 in the example). Otherwise, the port is put in VLAN 3 to wait for
 remediation. After remediation, the port is authenticated again and moved to VLAN 2.

          Before remediation:   Client in VLAN NoCumple (VID 3)
          After remediation:    Client in VLAN Cumple (VID 2)
DGS-3200-10 Configuration
# 8021X Command

enable 802.1x
config 802.1x auth_mode port_based
config 802.1x capability ports 1-4 authenticator
config 802.1x capability ports 5-10 none

# Setup Radius
config radius add 1 192.168.0.3 key secreto default

# Create two VLANs. One for Cumple (VLAN 2), another for NoCumple (VLAN 3)
# (VLAN names are used consistently; "con" is the abbreviated form of "config")

config vlan default delete 7-8
create vlan Cumple tag 2
config vlan Cumple add untag 7
create vlan NoCumple tag 3
config vlan NoCumple add untag 8

# Config System IP address
config ipif System ipaddress 192.168.0.2/24 vlan default state enable

# Guest VLAN configuration (the Guest VLAN is the default VLAN)
create 802.1x guest_vlan default
config 802.1x guest_vlan ports 1-4 state enable
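An added example, not D-Link or Microsoft code, of the port VLAN state machine behind the NAP 802.1X scenario and the configuration above: the port starts in the Guest VLAN (the default VLAN, VID 1), moves to Cumple (VID 2) or NoCumple (VID 3) after authentication and the compliance check, and is re-evaluated after remediation or a policy change. The RADIUS/NPS exchange is reduced to a callable that returns (authenticated, compliant); `NapPort`, `FakeNps` and the user names are constructed.

```python
from typing import Callable, List, Optional, Tuple

GUEST_VID, CUMPLE_VID, NOCUMPLE_VID = 1, 2, 3
VLAN_NAMES = {GUEST_VID: "default", CUMPLE_VID: "Cumple", NOCUMPLE_VID: "NoCumple"}

Decision = Tuple[bool, bool]            # (802.1X success, health policy compliant)


class NapPort:
    """One authenticator port with Guest VLAN, as on the flow chart."""

    def __init__(self, number: int, nps: Callable[[str], Decision]):
        self.number = number
        self.nps = nps                   # stands in for the RADIUS exchange with NPS
        self.vid = GUEST_VID             # the port starts in the Guest VLAN
        self.client: Optional[str] = None
        self.log: List[str] = []

    def _move(self, vid: int, why: str) -> None:
        if vid != self.vid:
            self.log.append(f"port {self.number}: VLAN {self.vid} -> {vid} ({VLAN_NAMES[vid]}): {why}")
        self.vid = vid

    def authenticate(self, client: str) -> int:
        """802.1X authentication followed by the policy compliance check; returns the new VID."""
        self.client = client
        authenticated, compliant = self.nps(client)
        if not authenticated:
            self._move(GUEST_VID, "802.1X failed, client stays in Guest VLAN")
        elif compliant:
            self._move(CUMPLE_VID, "authenticated and compliant")
        else:
            self._move(NOCUMPLE_VID, "authenticated but not compliant, waiting for remediation")
        return self.vid

    def remediation_completed(self) -> int:
        """The client reports remediation finished: the port is authenticated again."""
        if self.vid != NOCUMPLE_VID or self.client is None:
            raise ValueError("remediation only applies to a port in NoCumple")
        return self.authenticate(self.client)

    def policy_or_health_changed(self) -> int:
        """Compliance status or company policy changed: re-run the compliance check."""
        if self.vid == GUEST_VID or self.client is None:
            return self.vid              # an unauthenticated port is unaffected
        return self.authenticate(self.client)


class FakeNps:
    """Constructed stand-in for AD/NPS: a user list plus per-client health state."""

    def __init__(self) -> None:
        self.users = {"alice"}
        self.healthy = {"alice": False}  # e.g. an SHV check such as firewall status fails

    def __call__(self, client: str) -> Decision:
        if client not in self.users:
            return (False, False)
        return (True, self.healthy.get(client, False))


def walkthrough() -> List[int]:
    """The sequence from the slides: Guest -> NoCumple -> remediation -> Cumple -> regression."""
    nps = FakeNps()
    port = NapPort(1, nps)
    vids = [port.vid]
    vids.append(port.authenticate("mallory"))      # unknown user: stays in the Guest VLAN
    vids.append(port.authenticate("alice"))        # valid user, not compliant: NoCumple (VID 3)
    nps.healthy["alice"] = True                    # the remediation server fixed the client
    vids.append(port.remediation_completed())      # re-authenticated: Cumple (VID 2)
    nps.healthy["alice"] = False                   # health status changed later on
    vids.append(port.policy_or_health_changed())   # back to NoCumple (VID 3)
    return vids


if __name__ == "__main__":
    print(walkthrough())
```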
Network Access Protection - Resources

•   Network Access Protection Web site
     –   http://technet.microsoft.com/zh-tw/network/bb545879(en-us).aspx
•   Introduction to Network Access Protection
     –   http://www.microsoft.com/technet/network/nap/napoverview.mspx
•   Network Access Protection Platform Architecture
     –   http://www.microsoft.com/technet/network/nap/naparch.mspx
•   Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
     –   http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
•   Network Access Protection: Frequently Asked Questions
     –   http://www.microsoft.com/technet/network/nap/napfaq.mspx
•   Network Access Protection - TechNet Forums
     –   http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads/
http://www.dlink.es

ftp://213.27.252.114
     User: technet
    Password: SOS

Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Security
 
OpenFlow Beyond the Data Centre at IP Expo
OpenFlow Beyond the Data Centre at IP ExpoOpenFlow Beyond the Data Centre at IP Expo
OpenFlow Beyond the Data Centre at IP Expo
 
PAN PA2000 series
PAN PA2000 seriesPAN PA2000 series
PAN PA2000 series
 
PAN PA2000 series
PAN PA2000 seriesPAN PA2000 series
PAN PA2000 series
 
Networking is NOT Free: Lessons in Network Design
Networking is NOT Free: Lessons in Network DesignNetworking is NOT Free: Lessons in Network Design
Networking is NOT Free: Lessons in Network Design
 

More from Chema Alonso

CyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging FruitCyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0
Chema Alonso
 
Configurar y utilizar Latch en Magento
Configurar y utilizar Latch en MagentoConfigurar y utilizar Latch en Magento
Configurar y utilizar Latch en Magento
Chema Alonso
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
Chema Alonso
 
Pentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWordPentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
Foca API v0.1
Foca API v0.1Foca API v0.1
Foca API v0.1
Chema Alonso
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
It's a Kind of Magic
It's a Kind of MagicIt's a Kind of Magic
It's a Kind of Magic
Chema Alonso
 
Ingenieros y hackers
Ingenieros y hackersIngenieros y hackers
Ingenieros y hackers
Chema Alonso
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
El juego es el mismo
El juego es el mismoEl juego es el mismo
El juego es el mismo
Chema Alonso
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
Chema Alonso
 
Shuabang Botnet
Shuabang BotnetShuabang Botnet
Shuabang Botnet
Chema Alonso
 
Tu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu WindowsTu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 

More from Chema Alonso (20)

CyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging FruitCyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging Fruit
 
Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0
 
Configurar y utilizar Latch en Magento
Configurar y utilizar Latch en MagentoConfigurar y utilizar Latch en Magento
Configurar y utilizar Latch en Magento
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
 
CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
 
Pentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWordPentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWord
 
Foca API v0.1
Foca API v0.1Foca API v0.1
Foca API v0.1
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7
 
It's a Kind of Magic
It's a Kind of MagicIt's a Kind of Magic
It's a Kind of Magic
 
Ingenieros y hackers
Ingenieros y hackersIngenieros y hackers
Ingenieros y hackers
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
 
El juego es el mismo
El juego es el mismoEl juego es el mismo
El juego es el mismo
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
 
Shuabang Botnet
Shuabang BotnetShuabang Botnet
Shuabang Botnet
 
Tu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu WindowsTu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu Windows
 

Recently uploaded

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 

Recently uploaded (20)

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 

[SOS 2009] D-Link: Red Segura L2 L3

  • 1. Technet S.O.S: Red Segura con Switches D-Link (Secure Networking with D-Link Switches). Xavier Campos, Product Manager SP & PT, xavier.campos@dlink.es. Barcelona, 14 July 2009. D-Link
  • 2. Challenges of Today's Networks
    [diagram: firewall, server farm, core switch and access switches, labelled with the problems: unauthorized access, security breach, ARP spoofing, worm infection within the intranet, IP conflict, loop connection, unstable service, performance downgrade, low manageability]
  • 3. Endpoint Security Solutions of xStack Switches
    • Authentication
    • Authorization
    • Node/Address Control
    • Attack Mitigation
    • Microsoft NAP Server
  • 4. Problem: Unauthorized Access
    • Traditionally, security enforcement takes place at the perimeter
    • Intranet users can connect to the network without authorization
    [diagram: employee, malicious user and guest all reach the financial server, ERP system and R&D server; outcomes: information leakage, hacking incident. "Everyone can connect to your network without authorization!"]
    • Lack of proper control on the RJ45 socket outlet
    • Lack of proper control for wireless users
    • A client can easily go anywhere without authorization
  • 5. Solution for Unauthorized Access
    • D-Link's Solution 1: 802.1X Authentication and Web-based Access Control (WAC) [captive portal]
    • When to use? To perform user authentication and so control access by user identity: clients must be authenticated based on their login information, regardless of the user's location or device.
    • Benefits:
      – Mobility: users get their designated privileges no matter where they are or which device they use
      – Clientless (WAC): easy to deploy, easy to use
      – Better security management: the security control is pushed to the edge; every client must be authenticated before entering the network
  • 6. Solution for Unauthorized Access
    • D-Link's Solution 2: MAC-based Access Control (MAC)
    • When to use? For VoIP phones, printers, routers, IP cameras and access points: devices that have no web browser or on which an 802.1X supplicant cannot be installed. Also for stricter control of end-user devices, especially in campus networks, the public sector, or enterprises that need device control.
    • All clients are authenticated automatically and granted a specific role on the network
    • Benefits:
      – Clientless: easy to deploy, totally transparent to clients
      – Device management: only legitimate devices are allowed to connect to the network
  • 7. Endpoint Security Solutions of xStack Switches (agenda, as on slide 3)
  • 8. Requirement: Authorization by User Identity
    • The network is under granular control by segregating the traffic.
    [diagram: financial server, ERP system and R&D server; R&D, Accounting, Sales and Guest users]
    • The R&D department is granted access to the R&D server and the Internet only
    • The Accounting department is granted access to the financial server and the ERP system only
    • The Sales department is granted access to the ERP system and the Internet only
    • Guest users can only connect to the Internet
  • 9. Solution for Authorization by User Identity
    • D-Link's Solution: Dynamic VLAN Assignment, with a Guest VLAN (restricted network access)
    • Client attribute designation: the RADIUS server can assign client attributes after successful authentication
      – Bandwidth control per port / per flow (bandwidth parameter)
      – 802.1p priority (default value per port; 802.1p priority parameter)
      – ACL that delivers user identity control as a set of services (* under development)
    • Identity-based security policies provide the appropriate access rights for different users
  • 10. Endpoint Security Solutions of xStack Switches (agenda, as on slide 3)
  • 11. Problem: Loop Connection
    • Users connect their own switches and create loops, unintentionally or on purpose
    • A loop can cause a packet storm and overwhelm the whole system
    [diagram: loop between the access switch and a user's switch, packet storm]
  • 12. Solution for Loop Connection
    • D-Link's Solution: Loopback Detection (LBD v4.0)
    • STP (Spanning Tree Protocol) independent
      – Unmanaged switches usually have no Spanning Tree Protocol function
      – D-Link's design can detect loop connections even when STP is absent
    • Flexible settings for loop prevention: port-based or VLAN-based
      – 1. Port-based LBD: the port is shut down, no traffic is allowed
      – 2. VLAN-based LBD: traffic from the VLAN in which the loop occurs is blocked, without shutting down the trunk port
    [diagram: PC1 and PC2 on VLANs V1 and V2, with a loop in each]
  • 13. Loopback Detection Scenario
    [diagram: Internet, router 192.168.0.1/24, switch 192.168.0.2/24 running Loopback Detection, two clients, and a loop between them]
      enable loopdetect
      config loopdetect recover_timer 60 interval 10 mode port-based
      config loopdetect trap both
      config loopdetect ports 1-10 state enable
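The port-based versus VLAN-based behaviour of slides 12-13, as an added simulation that is not D-Link code: a switch probes each LBD-enabled port every `interval` seconds and, when its own probe returns, either shuts the port or blocks only the looped VLAN, releasing it after `recover_timer`. The 10-port topology, the `LoopbackDetector` class and its method names are this example's assumptions.

```python
"""Added model (not D-Link code) of the Loopback Detection behaviour on slides 12-13.
The switch sends its own probe out every LBD-enabled port each `interval` seconds.
When a probe returns, port-based mode shuts the receiving port down and VLAN-based
mode blocks only the looped VLAN on that port; either state is released after
`recover_timer` seconds. Topology, class and method names are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Probe:
    switch_id: str       # identifies the sender, so another switch's probe is ignored
    out_port: int
    vlan: Optional[int]  # None for the untagged probe of port-based mode


class LoopbackDetector:
    def __init__(self, switch_id: str, port_vlans: Dict[int, Set[int]],
                 mode: str = "port-based", interval: int = 10,
                 recover_timer: int = 60) -> None:
        if mode not in ("port-based", "vlan-based"):
            raise ValueError("mode must be port-based or vlan-based")
        self.switch_id = switch_id
        self.port_vlans = port_vlans                  # port -> VLANs carried on it
        self.mode = mode
        self.interval = interval                      # "config loopdetect interval 10"
        self.recover_timer = recover_timer            # "config loopdetect recover_timer 60"
        self.disabled: Dict[int, int] = {}            # port -> time it was shut down
        self.blocked: Dict[Tuple[int, int], int] = {}  # (port, vlan) -> time it was blocked
        self.events: List[str] = []                   # what "trap both" would report

    def probes(self) -> List[Probe]:
        """Probes sent in one interval; shut-down ports and blocked VLANs send none."""
        out: List[Probe] = []
        for port, vlans in sorted(self.port_vlans.items()):
            if port in self.disabled:
                continue
            if self.mode == "port-based":
                out.append(Probe(self.switch_id, port, None))
            else:
                out.extend(Probe(self.switch_id, port, v)
                           for v in sorted(vlans) if (port, v) not in self.blocked)
        return out

    def receive(self, in_port: int, probe: Probe, now: int) -> None:
        """One of our own probes came back on `in_port`: that port is in a loop."""
        if probe.switch_id != self.switch_id:
            return  # a neighbour's probe is ordinary traffic
        if self.mode == "port-based":
            if in_port not in self.disabled:
                self.disabled[in_port] = now
                self.events.append(f"t={now}: loop on port {in_port}, port shut down")
        elif (in_port, probe.vlan) not in self.blocked:
            self.blocked[(in_port, probe.vlan)] = now
            self.events.append(
                f"t={now}: loop in VLAN {probe.vlan} on port {in_port}, VLAN blocked")

    def recover(self, now: int) -> None:
        """Release ports and VLANs whose recover_timer has expired."""
        for port, since in list(self.disabled.items()):
            if now - since >= self.recover_timer:
                del self.disabled[port]
                self.events.append(f"t={now}: port {port} recovered")
        for (port, vlan), since in list(self.blocked.items()):
            if now - since >= self.recover_timer:
                del self.blocked[(port, vlan)]
                self.events.append(f"t={now}: VLAN {vlan} on port {port} recovered")

    def forwards(self, port: int, vlan: int) -> bool:
        """Would user traffic in `vlan` arriving on `port` be forwarded now?"""
        return port not in self.disabled and (port, vlan) not in self.blocked


def simulate(mode: str, loops: Dict[int, Set[int]], duration: int = 70) -> LoopbackDetector:
    """Run LBD for `duration` seconds on a constructed 10-port switch whose port 3
    is a trunk carrying VLANs 1 and 2. `loops` maps a port to the VLANs that an
    unmanaged switch behind it loops straight back (the slide 12 picture)."""
    port_vlans: Dict[int, Set[int]] = {p: {1} for p in range(1, 11)}
    port_vlans[3] = {1, 2}
    lbd = LoopbackDetector("DGS-3200", port_vlans, mode=mode, interval=10, recover_timer=60)
    for now in range(0, duration + 1, lbd.interval):
        lbd.recover(now)
        for probe in lbd.probes():
            looped = loops.get(probe.out_port, set())
            # An untagged (port-based) probe returns if any VLAN on the port loops;
            # a tagged (VLAN-based) probe returns only if its own VLAN loops.
            if (probe.vlan is None and looped) or (probe.vlan in looped):
                lbd.receive(probe.out_port, probe, now)
    return lbd
```

With a loop in VLAN 1 only, port-based mode takes VLAN 2 on the trunk down with it, while VLAN-based mode keeps VLAN 2 flowing; with the loop still wired, the port is re-detected right after it recovers at 60 s.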
  • 14. Problem: IP Management
    • Auditing problem: current auditing mechanisms (syslog, application logs, firewall logs, etc.) are mainly based on IP information. The log information is meaningless if users can change their IP address without control.
    • IP conflict problem: IP conflicts are the most common problem in today's networks, because users sometimes change their IP address manually and conflict with other resources, such as other users' PCs, core switches, routers or servers.
    [diagram: 192.168.1.1 / 00E0-0211-1111 and 192.168.1.2 / 00E0-0211-2222, plus a third host 00E0-0211-3333 also using 192.168.1.1: IP conflict]
  • 15. Solution for IP Management
    • D-Link's Solution 1: IMP (IP-MAC-Port) Binding v3 (DHCP Snooping)
    • IMP Binding v3 automatically learns the IP and MAC address pairs and saves them in the local database. Only traffic whose addresses match an entry in the white list can pass through the port.
    [diagram, IMP Binding v3 enabled: A = 192.168.1.1 / 00E0-0211-1111 and B = 192.168.1.2 / 00E0-0211-2222, assigned by DHCP and learned; C = 192.168.1.1 / 00E0-0211-3333, IP manually configured by the user]
      White list:
        192.168.1.1  00E0-0211-1111  Port 1
        192.168.1.2  00E0-0211-2222  Port 2
  • 16. Problem & Solution: Rogue DHCP Server
    • Problem: users set up their own DHCP server
    • Impact: incorrect IP assignment, disrupted network connectivity
    • D-Link's Solution: DHCP Server Screening. Rogue DHCP server packets from user ports are screened to prevent unauthorized IP assignment.
    [diagram: the legitimate DHCP server performs normal assignment; PC2 announcing "I'm a DHCP server" is rejected: "Sorry, you're an illegal DHCP server packet"]
  • 17. Endpoint Security Solutions of xStack Switches (agenda, as on slide 3)
  • 18. Problem: ARP Spoofing Attack
    • What is ARP spoofing? The attacker uses forged ARP packets carrying wrong MAC/IP information to deceive network devices (e.g. the router's IP with MAC = attacker MAC).
    • How does ARP spoofing attack the network?
      – ARP spoofing as DoS (common in Internet cafés): the attacker supplants a server or a router, or sends clients to a non-existent router; inter-subnet connectivity and Internet access of the whole network are impacted.
      – Man in the middle (common in business environments): the attacker tells the victim PC that it is the router (broadcasting the spoofed router with MAC = attacker MAC) and tells the router that it is the victim. All traffic is sniffed by the attacker and the users never know.
  • 19. Solution for ARP Spoofing Attack
    • D-Link's Solution: IP-MAC-Port Binding
    • Establish a database of the relationship between IP, MAC and port
    • The switch blocks the illegal access immediately once a mismatched ARP packet is found
    [diagram: binding table on the switch: Router IP R / MAC r / port 26, PC-A IP A / MAC a / port 2, PC-B IP B / MAC b / port 12, PC-C IP C / MAC c / port 16. PC-C sends forged ARP "I'm Router" (IP R, MAC c) and "I'm PC-A" (IP A, MAC c); the switch answers "You're not Router", "You're not PC-A"]
  • 20. Solution for ARP Spoofing Attack
    • D-Link's Solution: ARP Spoofing Prevention
      – An effective way to protect routers and servers
      – Simpler setup than IMPB and consumes fewer ACL rules
      – Users enter the IP and MAC of the router or of important servers
      – The switch compares all inbound ARP packets against the configured MAC and IP
      – Used to block invalid ARP packets that carry a fake gateway MAC and IP
    [diagram: protected entries Router IP R / MAC r and Server IP S / MAC s; PC-C sends forged ARP "I'm Router" (IP R, MAC c); the switch answers "You're not Router"]
  • 21. MITM Attack Scenario
    [diagram: Internet, public FTP server, router 192.168.0.1/24, switch 192.168.0.2/24, local FTP server, client (demo account: user technet, password SOS) and an attacker performing an ARP scan and ARP Poison Routing (APR)]
  • 22. MITM Attack Scenario
    [diagram: Router DIR-655 192.168.0.1, MAC 00-1E-58-41-4C-E3; switch 192.168.0.2, GW 192.168.0.1; PC1 (victim) IP 192.168.0.10, default gateway 192.168.0.1; sniffer PC IP 192.168.0.11 ("20 (Spoofed)" on the slide); MACs 00-15-58-2A-EF-0A and 00-15-58-2A-E8-BD as bound below]
      config address_binding ip_mac ports 1-6,8-10 mode acl
      config address_binding ip_mac ports 1-6,8-10 state enable
      config address_binding ip_mac ports 1-6,8-10 state enable strict
      config address_binding ip_mac ports 1-10 forward_dhcppkt enable
      create address_binding ip_mac ipaddr 192.168.0.10 mac_address 00-15-58-2A-EF-0A ports 1-10
      create address_binding ip_mac ipaddr 192.168.0.11 mac_address 00-15-58-2A-E8-BD ports 1-10
      enable address_binding trap_log
      enable address_binding arp_inspection
      config arp_spoofing_prevention add gateway_ip 192.168.0.1 gateway_mac 00-1E-58-41-4C-E3 ports 7
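The checks of slides 15, 16, 19, 20 and 22 combined in one added simulation that is not D-Link code: an edge switch with IMPB in strict mode, DHCP-snooping address learning, ARP inspection against the white list, ARP Spoofing Prevention for the gateway entry and DHCP Server Screening, run over constructed frames for the slide 22 addresses. The `EdgeSwitch` class, the frame model, the placeholder MACs of the leased hosts, and the assumption that the DIR-655 on port 7 is the DHCP server are this example's own; the gateway check is applied on every port, whereas the slide configures it on port 7.

```python
"""Added simulation (not D-Link code) of the edge-port checks on slides 15-22:
IP-MAC-Port Binding (IMPB) in strict mode with DHCP-snooping address learning,
ARP inspection against that white list, ARP Spoofing Prevention for the gateway
entry and DHCP Server Screening. Addresses and ports come from slide 22; the
class, method names and the frame model are this example's own."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


def norm_mac(mac: str) -> str:
    """Accept 00-15-58-2A-EF-0A or 00:15:58:2a:ef:0a; both forms appear on the slides."""
    return mac.replace(":", "-").upper()


@dataclass(frozen=True)
class Frame:
    in_port: int
    kind: str            # "arp" (sender fields), "ip" (source fields) or "dhcp_server" (OFFER/ACK)
    ip: str              # ARP sender IP, IP source, or the address a DHCP server is leasing
    mac: str             # ARP sender MAC, Ethernet source, or the client MAC being leased to
    client_port: int = 0  # dhcp_server only: port where the client's DISCOVER was snooped


class EdgeSwitch:
    def __init__(self, impb_ports: Iterable[int], dhcp_server_ports: Iterable[int]) -> None:
        self.impb_ports = frozenset(impb_ports)                # "address_binding ... state enable strict"
        self.dhcp_server_ports = frozenset(dhcp_server_ports)  # only these may source server packets
        self.white_list: Dict[str, Tuple[str, FrozenSet[int]]] = {}  # ip -> (mac, allowed ports)
        self.gateways: Dict[str, str] = {}                     # "arp_spoofing_prevention" entries
        self.log: List[str] = []                               # what "trap_log" would report

    def add_binding(self, ip: str, mac: str, ports: Iterable[int]) -> None:
        """create address_binding ip_mac ipaddr <ip> mac_address <mac> ports <list>"""
        self.white_list[ip] = (norm_mac(mac), frozenset(ports))

    def add_gateway(self, ip: str, mac: str) -> None:
        """config arp_spoofing_prevention add gateway_ip <ip> gateway_mac <mac>"""
        self.gateways[ip] = norm_mac(mac)

    def _in_white_list(self, ip: str, mac: str, port: int) -> bool:
        entry = self.white_list.get(ip)
        return entry is not None and entry[0] == mac and port in entry[1]

    def _drop(self, f: Frame, reason: str) -> str:
        self.log.append(f"port {f.in_port}: dropped {f.kind} {f.ip}/{norm_mac(f.mac)}: {reason}")
        return "drop"

    def inspect(self, f: Frame) -> str:
        """Return "forward" or "drop" for one inbound frame, logging the reason."""
        mac = norm_mac(f.mac)
        # DHCP Server Screening (slide 16): server packets only from the real server's port.
        if f.kind == "dhcp_server":
            if f.in_port not in self.dhcp_server_ports:
                return self._drop(f, "rogue DHCP server packet")
            # DHCP snooping (slide 15): a legitimate lease becomes a white-list entry
            # bound to the port on which the client asked for it.
            self.add_binding(f.ip, mac, [f.client_port])
            return "forward"
        # ARP Spoofing Prevention (slide 20): an ARP claiming a protected gateway IP
        # must carry the configured gateway MAC, whatever port it arrives on.
        if f.kind == "arp" and f.ip in self.gateways and mac != self.gateways[f.ip]:
            return self._drop(f, f"claims gateway {f.ip} with a foreign MAC")
        # IMPB strict mode (slides 15 and 19): on bound ports every IP or ARP packet
        # must match an ip+mac+port triple; anything else never enters the network.
        if f.in_port in self.impb_ports and not self._in_white_list(f.ip, mac, f.in_port):
            return self._drop(f, "IP/MAC/port not in white list")
        return "forward"


def slide22_switch() -> EdgeSwitch:
    """The switch of slide 22: IMPB strict on ports 1-6 and 8-10, router on port 7.
    That the DIR-655 on port 7 is also the DHCP server is this example's assumption."""
    sw = EdgeSwitch(impb_ports=list(range(1, 7)) + list(range(8, 11)), dhcp_server_ports=[7])
    sw.add_binding("192.168.0.10", "00-15-58-2A-EF-0A", range(1, 11))  # PC1 (victim)
    sw.add_binding("192.168.0.11", "00-15-58-2A-E8-BD", range(1, 11))  # sniffer PC
    sw.add_gateway("192.168.0.1", "00-1E-58-41-4C-E3")                 # DIR-655
    return sw


def run_scenario() -> Dict[str, str]:
    """Constructed frames: the MITM attempt of slide 21 plus a rogue DHCP server and
    a snooped lease (placeholder MACs), each mapped to the switch's decision."""
    sw = slide22_switch()
    frames = {
        "pc1_arp": Frame(1, "arp", "192.168.0.10", "00-15-58-2A-EF-0A"),
        "router_arp": Frame(7, "arp", "192.168.0.1", "00-1E-58-41-4C-E3"),
        "fake_gateway": Frame(2, "arp", "192.168.0.1", "00:15:58:2A:E8:BD"),   # sniffer: "I'm Router"
        "fake_pc1": Frame(2, "arp", "192.168.0.10", "00:15:58:2A:E8:BD"),      # sniffer: "I'm PC-A"
        "rogue_dhcp": Frame(5, "dhcp_server", "192.168.0.50", "00-00-00-00-00-50", client_port=6),
        "real_lease": Frame(7, "dhcp_server", "192.168.0.12", "00-00-00-00-00-12", client_port=3),
        "leased_host_ok": Frame(3, "ip", "192.168.0.12", "00-00-00-00-00-12"),
        "leased_host_moved": Frame(4, "ip", "192.168.0.12", "00-00-00-00-00-12"),
    }
    return {name: sw.inspect(f) for name, f in frames.items()}
```

The two forged ARPs of the sniffer are stopped by different features: the gateway claim by ARP Spoofing Prevention, the PC1 claim by the IMPB white list; the snooped lease shows why a learned entry is tied to a port and not just to an IP/MAC pair.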
  • 23. Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Attack Mitigation • Microsoft NAP Server
  • 24. Microsoft NAP Support • Advantage of Network Access Protection Authorized users may access systems from authorized endpoints Network Access Protection • Evaluating security compliance before connection permitted • Quarantine and remediation for non-compliance user • Identity-based network admission control Automatic endpoint remediation • Enforce policy before access is granted • Execute updates, programs, software services, etc.
  • 25. NAP Illustration Corporate Network System Health Servers Restricted Network Remediation Server Ongoing policy updates to NPS Policy Server Can I have updates? Here you go May I have access. Requesting access? Should this client be restricted Here’s my new current based on its health? health status According to policy, the client You are given xStack Series is not to date up up to date. Quarantine Microsoft Network restricted access Switches client and request it to Policy Server until fix-up. Grant access!!! update. Client Client is granted access to full intranet
  • 26. NAP 802.1X Flow Chart Enable port-based 802.1X with Guest VLAN on xStack Switch 802.1X Fai Client stays in Ye Authentication l Guest VLAN s Remediation If client compliance status or process completed company policy is changed Success Client is assigned to Not Compliant Policy Compliance Compliant Compliance VLAN Client is assigned to Non-compliance VLAN Check for remediation
  • 27. Necessary Policies in 802.1X NAP Scenario • There are 3 type of polices should be configured under Network Policy Server, which is a component within Microsoft Windows Server 2008. – Connection Request Policy • This policy determines which connection request is acceptable. • In 802.1X NAP scenario, only connection requesting from xStack Switch is acceptable. – Health Policy • System Health Validator (SHV) determines which element is needed when validating health status, such like: firewall status, anti-virus status, anti-spyware status and so on. • Health Policy adopts SHVs to determine which criteria is healthy, passing all the SHV checks is considered healthy. – Network Policy • Network Policy determines which action is going to take based on the health status.
• 28. How to implement NAP
  • Microsoft Active Directory
  – Install Active Directory Certificate Services
  • Microsoft Windows Server 2008
  – Install Network Policy Server (the new version of the Microsoft RADIUS server)
  – Configure the RADIUS settings to match the xStack switch (client address and shared secret)
  – Configure policies, rules and actions:
    • Connection Request Policy
    • Health Policy (System Health Validator)
    • Network Policy
  • Microsoft Windows Vista or Windows XP SP3 with the NAP client
  – Enable the NAP client enforcement feature (EAP enforcement)
  • D-Link xStack DES-3500, DES-3800, DGS-3200, DGS-3400 or DGS-3600 Series
  – Configure the RADIUS settings to match the Windows Server 2008 NPS
  – Enable port-based 802.1X with Guest VLAN
• 29. NAP Server Scenario (topology diagram): Internet, administrator, client and Authentication Server (Windows Server 2008) on the 192.168.0.0/24 network; addresses shown are 192.168.0.1/24, 192.168.0.2/24, 192.168.0.3/24 and 192.168.0.14/24 (the next slide assigns 192.168.0.2 to the switch, 192.168.0.3 to the AD/NPS server and 192.168.0.14 to the client).
• 30. NAP 802.1X Scenario
  Switch IP: 192.168.0.2/24. AD/NPS/RADIUS server: 192.168.0.3/24. Client: 192.168.0.14/24. VLANs: Guest VLAN, VLAN 2 (Cumple, compliant) and VLAN 3 (NoCumple, non-compliant).
  The client is initially placed in the Guest VLAN. If it complies with all requirements, the port the client is connected to is moved to the Compliance VLAN (VLAN 2 in the example). Otherwise, the port is placed in VLAN 3 and waits for remediation. After remediation, the port is authenticated again and moved to VLAN 2.
  Before remediation: client in NoCumple VLAN (VID 3). After remediation: client in Cumple VLAN (VID 2).
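The flow in slides 26 to 30, written out as a runnable model so the two sides of the exchange can be followed. This is an added example, not D-Link or Microsoft code: the switch side is a port that starts in the Guest VLAN and moves to whatever VLAN the RADIUS reply carries, the NPS side applies the Connection Request Policy, the EAP result, the Health Policy and the Network Policy in that order. The SHV check names and the StatementOfHealth fields are simplifications of the Windows Security Health Validator; the RADIUS attribute values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN ID) are the standard ones NPS returns for dynamic VLAN assignment. The addresses and VLAN IDs are those of the slide.

```python
"""Model of the 802.1X NAP admission flow (added example, not the slides' own code)."""
from __future__ import annotations
from dataclasses import dataclass

# Values taken from the slides.
SWITCH_IP = "192.168.0.2"   # the only NAS the Connection Request Policy accepts
GUEST_VLAN = 1              # the switch's "default" VLAN is the Guest VLAN
COMPLIANT_VLAN = 2          # "Cumple"
NONCOMPLIANT_VLAN = 3       # "NoCumple"

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass
class StatementOfHealth:
    """Simplified view of what the NAP client reports to the SHV."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_up_to_date: bool
    antispyware_on: bool


def windows_shv(soh: StatementOfHealth) -> list[str]:
    """System Health Validator: names of the failed checks; empty means healthy."""
    checks = {
        "firewall": soh.firewall_on,
        "antivirus": soh.antivirus_on,
        "antivirus_signatures": soh.antivirus_up_to_date,
        "antispyware": soh.antispyware_on,
    }
    return [name for name, ok in checks.items() if not ok]


def health_policy(soh: StatementOfHealth) -> bool:
    """Health Policy: compliant only when every SHV check passes."""
    return not windows_shv(soh)


def network_policy(compliant: bool) -> dict:
    """Network Policy: the RADIUS attributes that tell the switch which VLAN to use."""
    vlan = COMPLIANT_VLAN if compliant else NONCOMPLIANT_VLAN
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def nps_decision(nas_ip: str, eap_ok: bool, soh: StatementOfHealth) -> tuple[str, dict]:
    """NPS side: Connection Request Policy, then the EAP result, then Health + Network Policy."""
    if nas_ip != SWITCH_IP:   # request did not come from the xStack switch
        return "Access-Reject", {}
    if not eap_ok:            # 802.1X authentication failed
        return "Access-Reject", {}
    return "Access-Accept", network_policy(health_policy(soh))


class SwitchPort:
    """Switch side: a port-based 802.1X authenticator port with Guest VLAN enabled."""

    def __init__(self) -> None:
        self.vlan = GUEST_VLAN

    def authenticate(self, eap_ok: bool, soh: StatementOfHealth, nas_ip: str = SWITCH_IP) -> int:
        """Run one authentication round and return the VLAN the port ends up in."""
        code, attrs = nps_decision(nas_ip, eap_ok, soh)
        if code != "Access-Accept":
            self.vlan = GUEST_VLAN   # failed 802.1X: the client stays in the Guest VLAN
        elif (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
              and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE802):
            self.vlan = int(attrs["Tunnel-Private-Group-ID"])
        return self.vlan


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """The remediation server brings every failed check back into compliance."""
    return StatementOfHealth(True, True, True, True)


if __name__ == "__main__":
    port = SwitchPort()
    stale = StatementOfHealth(firewall_on=True, antivirus_on=True,
                              antivirus_up_to_date=False, antispyware_on=True)
    print("before 802.1X, VLAN:", port.vlan)
    print("wrong credentials, VLAN:", port.authenticate(False, stale))
    print("authenticated but out of date, VLAN:", port.authenticate(True, stale))
    print("after remediation, VLAN:", port.authenticate(True, remediate(stale)))
```

The order of the three policies matters: a request from any NAS other than the switch never reaches the health check, and a client that fails 802.1X is never placed in VLAN 3, because VLAN 3 is only reachable through an Access-Accept.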
• 31. DGS-3200-10 Configuration
  # 802.1X commands
  enable 802.1x
  config 802.1x auth_mode port_based
  config 802.1x capability ports 1-4 authenticator
  config 802.1x capability ports 5-10 none
  # RADIUS server (the NPS at 192.168.0.3, shared secret "secreto")
  config radius add 1 192.168.0.3 key secreto default
  # Create two VLANs: Cumple (VLAN 2, compliant) and NoCumple (VLAN 3, non-compliant)
  config vlan default delete 7-8
  create vlan Cumple tag 2
  config vlan Cumple add untagged 7
  create vlan NoCumple tag 3
  config vlan NoCumple add untagged 8
  # System IP address (management interface, in the default VLAN)
  config ipif System ipaddress 192.168.0.2/24 vlan default state enable
  # Guest VLAN configuration
  create 802.1x guest_vlan default
  config 802.1x guest_vlan ports 1-4 state enable
  Note that in this configuration the Guest VLAN is the default VLAN, which also carries the switch's management address, so unauthenticated clients on ports 1-4 share a VLAN with the management interface; in production the Guest VLAN should be a dedicated VLAN and the RADIUS shared secret a long random string rather than a dictionary word.
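A small audit of the slide 31 configuration, as an added example that is not D-Link tooling. It parses the D-Link CLI lines (the slide's commands, with the truncated "con" commands completed, embedded here as constructed input), rebuilds the VLAN, 802.1X and RADIUS state, and reports the checks a reviewer would make before deploying it: the VLAN IDs the NPS Network Policy returns (2 and 3) must exist on the switch, every authenticator port needs the Guest VLAN enabled, the RADIUS shared secret should not be a short word, and the Guest VLAN should not be the VLAN that carries the management interface. The 16-character secret threshold is an assumption chosen for the example.

```python
"""Audit of a D-Link xStack 802.1X/NAP configuration (added example, not D-Link code)."""
from __future__ import annotations

NPS_VLANS = {2, 3}     # VLAN IDs the NPS Network Policy will return (Cumple / NoCumple)
MIN_SECRET_LEN = 16    # assumption: shortest RADIUS shared secret the audit accepts

# Constructed input: the slide 31 configuration with the truncated 'con' commands completed.
DGS3200_CONFIG = """
enable 802.1x
config 802.1x auth_mode port_based
config 802.1x capability ports 1-4 authenticator
config 802.1x capability ports 5-10 none
config radius add 1 192.168.0.3 key secreto default
config vlan default delete 7-8
create vlan Cumple tag 2
config vlan Cumple add untagged 7
create vlan NoCumple tag 3
config vlan NoCumple add untagged 8
config ipif System ipaddress 192.168.0.2/24 vlan default state enable
create 802.1x guest_vlan default
config 802.1x guest_vlan ports 1-4 state enable
"""


def expand_ports(spec: str) -> set[int]:
    """Expand a D-Link port list such as '1-4' or '1,3,5-6' into a set of port numbers."""
    out: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text: str) -> dict:
    """Rebuild the state the audit needs from the CLI lines; unrelated commands are ignored."""
    st = {
        "vlans": {"default": 1},   # VLAN name -> VID; VID 1 is the factory default VLAN
        "authenticator": set(),    # ports running 802.1X as authenticator
        "guest_ports": set(),      # ports with the Guest VLAN feature enabled
        "guest_vlan": None,        # VLAN name used as Guest VLAN
        "mgmt": None,              # (ipif name, address, VLAN name) of the management interface
        "radius": [],              # (server ip, shared secret)
    }
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] == "#":
            continue
        cmd = " ".join(t[:2])
        if cmd == "create vlan":                                   # create vlan <name> tag <vid>
            st["vlans"][t[2]] = int(t[4])
        elif cmd == "config 802.1x" and t[2] == "capability":     # config 802.1x capability ports <list> <role>
            if t[5] == "authenticator":
                st["authenticator"] |= expand_ports(t[4])
        elif cmd == "create 802.1x" and t[2] == "guest_vlan":     # create 802.1x guest_vlan <name>
            st["guest_vlan"] = t[3]
        elif cmd == "config 802.1x" and t[2] == "guest_vlan" and t[-1] == "enable":
            st["guest_ports"] |= expand_ports(t[4])               # config 802.1x guest_vlan ports <list> state enable
        elif cmd == "config radius" and t[2] == "add":            # config radius add <idx> <ip> key <secret> ...
            st["radius"].append((t[4], t[6]))
        elif cmd == "config ipif":                                 # config ipif <name> ipaddress <a/m> vlan <name> ...
            st["mgmt"] = (t[2], t[4], t[6])
    return st


def audit(text: str) -> list[str]:
    """Return one finding per problem; an empty list means the configuration passed."""
    st = parse_config(text)
    findings: list[str] = []
    missing = NPS_VLANS - set(st["vlans"].values())
    if missing:
        findings.append(f"NPS may return VLAN(s) {sorted(missing)} that do not exist on the switch")
    no_guest = st["authenticator"] - st["guest_ports"]
    if no_guest:
        findings.append(f"authenticator ports {sorted(no_guest)} have no Guest VLAN, so clients "
                        "that fail 802.1X get no network at all")
    for ip, secret in st["radius"]:
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"RADIUS secret for {ip} is {len(secret)} characters; use a long random secret")
    if st["mgmt"] and st["guest_vlan"] == st["mgmt"][2]:
        name, addr, _ = st["mgmt"]
        findings.append(f"Guest VLAN '{st['guest_vlan']}' carries the management interface {name} "
                        f"({addr}); unauthenticated clients can reach the switch management address")
    return findings


if __name__ == "__main__":
    for finding in audit(DGS3200_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run against the slide's configuration the audit reports two findings: the seven-character shared secret and the Guest VLAN coinciding with the management VLAN; moving the Guest VLAN to a dedicated VLAN and using a long secret clears both.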
• 32. Network Access Protection - Resources
  • Network Access Protection Web site
  – http://technet.microsoft.com/zh-tw/network/bb545879(en-us).aspx
  • Introduction to Network Access Protection
  – http://www.microsoft.com/technet/network/nap/napoverview.mspx
  • Network Access Protection Platform Architecture
  – http://www.microsoft.com/technet/network/nap/naparch.mspx
  • Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
  – http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
  • Network Access Protection: Frequently Asked Questions
  – http://www.microsoft.com/technet/network/nap/napfaq.mspx
  • Network Access Protection - TechNet Forums
  – http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads/
• 33. http://www.dlink.es ; ftp://213.27.252.114 (user: technet, password: SOS)