The next generation ethernet gangster (part 2)

Jeff Green The perimeter is everywhere. Chapter 12.0
8/7/2019
In the past, the perimeter was well defined.
• The freedom to build the network you want — the solution the
XYZ Account wants.
• Simplified networking enables the resource to be diverted to
higher-value opportunities.
• Performance Under Duress – Fabric delivers proactive security
without impacting performance.
https://prezi.com/view/vWJ3A0677YIQvXRBEhem/
The Changing Network Perimeter
(Service Isolation)

8/7/2019 Changing the Network Perimeter.
Changing Network Perimeter, BYOD is a new normal, and
The first time I heard about stealth, it was probably called cloaking. A cloaking device is a hypo-
thetical or fictional stealth technology that can cause objects, such as spaceships or individuals,
to be partially or wholly invisible to parts of the electromagnetic (EM) spectrum. Star Trek
screenwriter Paul Schneider, inspired in part by the 1958 film Run Silent, Run Deep, and in part
by The Enemy Below, which in turn had been released the previous year, 1957, imagined cloak-
ing as a space-travel analog of a submarine submerging, and employed it in the 1966 Star Trek
episode "Balance of Terror", in which he introduced the Romulan species.
Stealth Airplanes - There are several theories of cloaking, giving rise to different types of invis-
ibility. In 2014, scientists demonstrated excellent cloaking performance in murky water, show-
ing that an object shrouded in fog can disappear completely when appropriately coated with
metamaterial. Stealth detection is due to the random scattering of light, such as that which oc-
curs in clouds, fog, milk, frosted glass, etc., combined with the properties of the metamaterial
coating. When light is diffused, a thin coat of metamaterial around an object can make it virtu-
ally invisible under a range of lighting conditions. An operational, non-fictional cloaking device
might be an extension of the fundamental technologies used by stealth aircraft, such as radar-
absorbing dark paint, optical camouflage, cooling the outer surface to minimize electromagnetic
emissions.
How to Hide Your IPAddress - Learning how to hide your IP address allows you to hide’
online because your IP address is your online identity. It tells online entities where you are, what
computer/OS you’re using, your browser, and who you are. Whether you’re browsing the web
or downloading a torrent, someone can use your IP to identify you so that stalkers can track you
down, or copyright holders can give you a DMCA notice, which is scary. Your IP address and
location are displayed below (No worries – we don’t log your info).

"The Enterprise Incident" (The secret mission to steal a Romulan cloaking device).
Newsweek ranked "The Enterprise Incident" as one of the best episodes of the original series. In
military parlance, a "kill chain" served as the primary plot for the episode. When I think about
kill chains, I think about this episode and their popular plot to still cloaking technology. In this
famous episode, the Captain executes an “old school” attack on the Romulan ship. Below I have
put together a recap of the Captain’s kill chain.
1) Reconnaissance – Captain Kirk takes the Enterprise into Romulan space. Romulan vessels
intercept the Enterprise and Kirk is given an order to surrender. Kirk, along Spock, is then
invited aboard the Romulan flagship.
2) Weaponization – Kirk orders McCoy to perform plastic surgery to give him Romulan fea-
tures and then transports back to the Romulan vessel disguised as one of their officers.
3) Delivery – Kirk claims that instrument failure caused the ship to stray off course, but Spock
divulges that the Captain ordered entry into Romulan space and asserts that he is insane.
Romulan guards lead Kirk to their brig.
4) Exploitation – Once aboard the Romulan ship, Kirk and Spock are taken before a female
commander who demands an explanation for their intrusion into Romulan space. The dis-
guise implies actual ‘detonation’ of the attack; a Romulans will accept his credentials.
5) Installation – Meanwhile, Spock and the commander dine in her quarters, and their conversa-
tion grows intimate.
6) Command and Control – When the commander goes to change her attire, Spock directs Kirk,
via communicator, to where the cloaking device is located. His signal is discovered and
tracked, and Spock surrenders himself to the Romulan officers, but they are too late.
7) Actions - Scotty adapted the clocking technology for use on the Enterprise. Once the cyber
attacker establishes access to the organization, they can then execute actions to achieve their
objectives. Motivations vary greatly depending on the threat actor. It may include political,
financial, or military gain, so it is challenging to define what those actions will be.

It is enclosed and self-contained with no reachability.
Stealth network is any network that is enclosed and self-contained with no reachability into and
out of it. It also must be mutable in both services and coverage characteristics. The standard
comparable terms used are MPLS IP-VPN, Routed Black Hole Networks, IP VPN Lite. Fabric
Connect based on IEEE 802.1aq provides for fast and agile private networking circuit-based ca-
pabilities that are unparalleled in the industry and do not require complex mixes of protocols or
design practices.
Fabric Connect is an enhanced implementation of IEEE 802.1aq Shortest Path Bridging. Fabric
Connect can offer a series of ‘circuit’ based services that can be either layer two or layer three
depending on requirements. These circuits are contracts known as I-SID’s or I-Component Ser-
vice Identifiers. If these services are used correctly, they can yield what are termed as Stealth
Networking Services. Hence, “Stealth” Networks are private ‘dark’ networks that are provided
as services within the Fabric Connect cloud. They come in two different forms:
• A layer 2 Stealth - A non-IP L2 VSN environment.
• A layer 3 Stealth - A L3 VSN IP VPN environment.
While Fabric Connect can provide the degree of secure segmentation required for instances of
compliance, this only will work if we can control who can access what and with which device.
With Fabric Connect, there is integrated intelligence into the network to provide for this Identity
Management requirement, which is of critical importance to any risk reduction plans. Addition-
ally, such a service should be focused on minimizing the operational impact of adds, moves, and
changes of devices, users, or policies. And finally, it needs to be open and able to operate with
any device, network technology, or even vendor.

The concept of ‘attack trees,’
An attack is not a ‘linear’ set of events (even though that is what results after the fact)
More typically, there are a series of new information points that are discovered that allows the
attacker a set of decision trees as they progress into the target network. These decisions lead to a
set of branches that lead to the root, which is the target in question.
• If, and - representing decisions within the branch to escalate towards the target
• If, or – representing separate branches to which the attacker may hop during infiltration
• As much of the compromised infrastructure is left intact as possible as they can become po-
tential paths for command and control (C2) and exfiltration.
Fabric Connect Stealth Networking
In this respect, SPB represents yet again a paradigm shift from IP-based core infrastructures.
Every IP interface seen in a network is like a door that an attacker will try to pry open or to scan
the topology of the system itself. By its very nature, SPB runs directly over Ethernet using IS-IS
as the control plane protocol and thus does not have any IP dependencies. IP becomes purely a
virtualized service running on top of SPB, and hence any IP interfaces only exist at the service
presentation level of an L3 VSN at the edge of the network.
The Fabric Connect core is thus only invisible to any IP scanning techniques. Anyone running
an IP scan against the environment would get a simple list of IP subnets all showing a single hop
to one another. The topological details of the core are dark to the scanning attempts because
there is simply no IP running in it; it’s not required. Each IP network point of presence views all
other IP networks not as the next hop to it but as the actual service point of presence on the other
side of the Fabric Connect cloud. Traffic separation is an essential component of network secu-
rity. The ability to segment disparate users and applications into private virtual networks and to
prevent communication where this is not warranted helps harden the system against potential
attacks.

The Defense Framework.
The MITRE ATT&CK knowledgebase describes cyber adversary behavior and provides a com-
mon taxonomy for both offense and defense. It has become a useful tool across many cybersecu-
rity disciplines to convey threat intelligence, perform testing through red teaming or adversary
emulation, and improve network and system defenses against intrusions. The process MITRE
used to create ATT&CK, and the philosophy that has developed for curating new content, are
critical aspects of the work and are useful for other efforts that strive to develop similar adver-
sary models and information repositories.
The bad actor (in this case captain kirk) will then utilize the compromised beachhead to estab-
lish C2 and exfiltration channels. Typically, they will develop MANY alternate paths through
compromised systems. Kirk wants to remain invisible and very quiet. Blending into the standard
traffic patterns, build a covert C2 network requires a high degree of lateral mobility.
A high degree of micro-segmentation limits this potential and causes the attacker to be ‘noisier’
in their attempts to control systems or move data. Exfiltration channels (Security includes all
people, processes, and technology). The attacker will then utilize the compromised beachhead
to establish C2 and exfiltration channels. Typically, they will develop MANY alternate paths
through compromised systems. They want to remain invisible and very quiet. Blending into the
standard traffic patterns. Note how the ability to create a covert C2 network requires a high de-
gree of lateral mobility. A high degree of micro-segmentation limits this potential and causes the
attacker to be ‘noisier.’

Predictable XYZ Account Network Behavior
Today’s layered approach for network protocols inherently creates dependencies of upper-layer
protocols on lower-layer protocols. In some cases, protocols rely on each other for proper opera-
tion. A multicast routing protocol relies on the underlying unicast routing protocol for route and
path information. In other cases, the protocols operate independently between systems on their
layer but are reliant on the availability of the lower tiers. In a Spanning Tree network, a higher
layer unicast routing protocol only re-establishes communication after the lower layer (Spanning
Tree) has converged. In all scenarios, the convergence time of all the contracts on the network
will vary. Unicast and Multicast protocols have different convergence times.
Re-architect Security Zones.
Traditional IP Networking is fraught with complexity and security vulnerabilities. A next-gener-
ation network model is required, one that delivers services efficiently & quickly while removing
the ability for hackers to inspect the Network. Next-generation Fabric Connect architecture from
Extreme overcomes the complexities of private IP networks while delivering highly secure
stealth networks.
Many will argue that private networking is nothing new. Additionally, few would say that in-
deed, private environments are challenging to design and even more challenging to maintain
over time. The primary aspect of networking is to establish and maintain an end to end path. Se-
curely maintaining that end to end path using a thirty-year-old model of traditional IP network-
ing has become an increasingly complex undertaking given the rapid increase in speed and mo-
bility of business operations. The problem is further exacerbated by constantly evolving ad-
vanced persistent threats (APTs). No single solution can provide the magic bullet to protect
company assets. However, we can design stealth networks using Extreme’s next-generation net-
work architectures to make it much harder for the sophisticated hacker to succeed while ulti-
mately discouraging the typical hacker.

15 Indicators of Compromise.

The Changing XYZ Account Network Perimeter.
The threat landscape has changed! The first point is that the threat actors have become very so-
phisticated and coordinated. Some are military, and nation-state sponsored with plenty of money
and resources to create very advanced malware that can penetrate current signature-based tech-
nologies. Both the exploits to compromise users and the malware that installs after the exploit
that is delivered is dynamic and polymorphic.
Droppers/executables/binaries are often the only part analyzed by sandboxes, which do not
know the initial exploit phase, second, third, or further stage malware downloads. Many times,
Incident response teams are led to believe that remediating the dropper file fixed the problem,
but the endpoint remains compromised. Also, the attacks are delivered across several threat
vectors. The adversaries combine, web email, and file-based vectors in a staged attack all of this
to go undetected.
No organization can afford to ignore the importance of protecting access to its network and traf-
fic. Without proper controls, a breach of one connected device in the enterprise network can
mean giving a hacker the virtual keys to the castle. However, by embracing the dynamic every-
where-perimeter perspective, organizations can create solutions and deliver services in a manner
that facilitates not only streamlined activity but also provides new layers of partition-based secu-
rity. The difference? Not only does hyper-segmentation offer a robust security foundation, but
it’s too efficient and straightforward to deploy and fully complements mission-specific security
products and solutions such as firewalls and intrusion detection systems.
Proper hyper-segmentation should natively offer elastic capabilities. After initial implementa-
tion, the flexible network automatically stretches service segments to the edge, only as required
and only for the duration of a specific application session. As applications terminate or endpoint
devices close or disconnect, the now redundant networking services retract from the edge. This
elasticity is imperative to making hyper-segmentation and stealth topology practical. This elastic
capability simplifies and expedites provisioning for the ever-increasing number of network de-
vices, many of which are now unattended, and it has the added benefit of reducing a network’s
exposure and attack profile.

Why your XYZ Account SOC and NOC should run together but separately?
You’re probably familiar with the castle and moat analogy. It was often used as a universal
model that organizations would use in the “dark ages” of cybersecurity. They would build a fig-
urative cyber moat around their networks in a valiant effort to protect their organization. Over
time, however, people came to realize that the notion of a singular defense to keep the bad guys
out (think: firewalls) weren’t as effective as they had hoped. As organizations matured, they
sought out models that would enable them to understand better how cyber attackers operated
and better ways to defend.
The similarities between the role of the Network Operation Center (NOC) and Security Opera-
tion Center (SOC) often lead to the mistaken idea that one can easily handle the other’s duties.
While it’s certainly true that both groups are responsible for identifying, investigating, prioritiz-
ing, and escalating/resolving issues, the types of problems, and the impact they have are consid-
erably different. Specifically, the NOC is responsible for handling incidents that affect perfor-
mance or availability while the SOC handles those incidents that jeopardize the security of in-
formation assets. The goal of each is to manage risk; however, the way they accomplish this
goal is markedly different.
The NOC’s job is to meet service level agreements (SLAs) and manage incidents in a way that
reduces downtime – in other words, a focus on availability and performance. The SOC is meas-
ured on their ability to protect intellectual property and sensitive customer data – a focus on se-
curity. While both things are critically important to the success of an organization, having one
handle the other’s duties can spell disaster, mainly because their approaches are so different. The
best solution is to respect the subtle yet fundamental differences between these two groups and
leverage a quality automation product to link the two, allowing them to collaborate for optimum
results.

XYZ Account Digital Network Architecture Fabric
Platform Agility - Our engaged networks offer unprecedented business agility and transparency
through the virtualization of information resources, unified control, faster deployment of services and
innovative new business processes XOS is the first modular Operating System for Enterprises, offers
enhanced availability by isolating critical functions.
Yes
Total Cost of Ownership (TCO) It is no longer enough to manage costs – the network must be able
to create growth opportunities and enable better ways of doing business. Our significant TCO ad-
vantage is obtained through lower hardware costs, lower maintenance costs, and reduced upgrade
costs due to the ease of expansion.
Yes
Fabric Connect - an end to end architecture spanning the campus and branch. By decreasing the time
required to execute deployment, operational and administrative tasks, more time can be devoted to
proactively generating future savings in reduced downtime, improved equipment, and network lon-
gevity and the ability to quickly deploy new applications.
Yes
Extreme XMC - Single pane of glass for the user, device, application, and network visibility. Sim-
plifies application administration, provisioning, network management, alarming, and monitoring. Net-
work security accounts for an increasing proportion of a typical organization’s IT budget. Wired and
Wireless + policy + analytics + management. The Universal Port feature supports secure auto-config-
uration, provides inventory information, and enables fine granularity to manage ports,
Yes
Network Function Virtualization (application visibility & policy enforcement) What can you deter-
mine about your network at a glance? What’s up and what’s down? How is everything configured? As
the number and type of devices in a LAN increase, it can become difficult to monitor and configure
each device or find and rectify problems. Integrated Management is the first step towards operational
simplicity.
Yes
Layer Discovery Protocol (LLDP) in our products and are jointly developing applications to use
LLDP information to better manage and deploy IP telephony and infrastructure components onto net-
works. The network discovers devices using LLDP and provisions services such as voice, video, data
or enterprise application access as soon as a user connects to the system.
Yes
Security framework with Virtualized Security Resources provides network-wide coverage for data
protection, threat mitigation, and network access management. Multiple 802.1x Supplicant Support
uniquely recognizes and applies the appropriate policies for each specific user or device on a shared
port. Secure login/authentication via 801.1x, MAC, and Web Login is supported on all switches.
Yes
Security Pivot - Campus segmentation for breach containment and to prevent lateral moves. We are
evolving network security from a reactive “seek and destroy” model to a proactive, policy-driven
model. Denial of services (DOS) attacks such as worms and viruses can cripple a network. Rapid de-
tection and mitigation of day-zero security threats are required to maintain network availability.
Yes
Insight - Insight provides a clear picture of real-time, network-wide voice performance. Our monitor-
ing capabilities deliver unprecedented insight and control over network operations. The result is an
engaged network that works in tandem with third-party resources, applications, and operational ser-
vices to provide a better platform on which to accomplish your business objectives. By insight, we
mean an open network that can give applications and solutions detailed, real-time visibility into net-
working business activities. The idea provides you visibility into possible security breaches or abnor-
mal behavior on the system.
Yes
Fingerprinting in Analytics - Our Analytics uses a decision-making engine to compare real-time
data against business policies and take specific avoidance or corrective action. Slow or Netflow is em-
bedded in Extreme’s switches. IP Telephony networks need to be monitored in real-time due to the
critical need for a voice to be dial tone reliable, with any degradation in connection quality corrected
proactively.
Yes

8/7/2019
8/7/2019
The Changing XYZ Account Network Perimeter,
• Today it is everywhere.
• A resource can be diverted to higher-value opportunities.
• Performance Under Duress.
https://prezi.com/view/K1szbUDBGmJvkvUX8hMJ
Six Degrees of Separation
(Don’t play the Kevin Bacon game with
your XYZ Account network.)

Don’t play the Kevin Bacon game with your XYZ Account network.
Bacon's Law is a parlor game based on the "six degrees of separation" concept, which posits that
any two people on Earth are six or fewer acquaintance links apart. Movie buffs challenge each
other to find the shortest path between an arbitrary actor and prolific actor Kevin Bacon. It rests
on the assumption that anyone involved in the Hollywood film industry can be linked through
their film roles to Bacon within six steps. In 2007, Bacon started a charitable organization called
SixDegrees.org.
The Bacon number of an actor is the number of degrees of separation he or she has from Bacon,
as defined by the game. The higher the Bacon number, the greater the separation from Kevin
Bacon, the actor is. The computation of a Bacon number for actor X is a "shortest path" algo-
rithm, applied to the co-stardom network:
• Kevin Bacon himself has a Bacon number of 0.
• Those actors who have worked directly with Kevin Bacon have a Bacon number of 1.
• If the lowest Bacon number of any actor with whom X has appeared in any movie is N, X's
Bacon number is N+1. 1

How to Hide Your IPAddress from Kevin Bacon? Learning how to hide your IP address al-
lows you to hide’ online because your IP address is your online identity. It tells online entities
where you are, what computer/OS you’re using, your browser, and who you are. Whether you’re
browsing the web or downloading a torrent, someone can use your IP to identify you so that
stalkers can track you down, Your IP address and location are displayed below (No worries – we
don’t log your info).2
Lockheed Martin created the concept of the kill chain. It maps out the typical steps that an at-
tacker might use to infiltrate and control a target network. While the original kill chain was
seven steps, it was realized that this could be mapped to 6 concurrent actions. It was also recog-
nized that the kill chain is too simple a concept to reflect a real-world attack.
You might ask yourself – why Kevin Beacon?
Concealment of the core infrastructure is a critical property for virtualized network architec-
tures, as it makes it much harder for potential outside attackers to gain any useful information
which could be used in an attack to compromise the availability and security of the network.
Concealment means that the core functions of the system are invisible to external systems and
the Internet to which the virtual VSN networks might be connected.
Hackers are becoming increasingly sophisticated, forcing organizations to find a better way to
thwart attacks and protect access to enterprise networks. Hyper-segmentation could deliver XYZ
Account a powerful and practical foundation for security. Hackers are becoming more sophisti-
cated in their methods. At the same time, as mobility and Internet of Things (IoT) systems and
technologies are introduced, the potential avenues for hackers attempting to gain entry to the en-
terprise network continue to grow.

XYZ Account Multi-Tenant
As large enterprises continue to evolve, many have become very similar to network service pro-
viders/carriers. The enterprise IT organization is the “service provider” for its internal custom-
ers. With this comes a new and evolving set of requirements that traditional providers have been
accustomed to for many years. The new network requirements are instantiating enhanced design
methodologies to create complete traffic separation between the customer domains, provide un-
interrupted service for business applications, significantly reduce the time to service from
weeks/months to hours/days and accommodate flexible network deployments.
With the need to support these complex multi-tenant environments comes the added cost and
complexity. Enterprise network operations teams have a relatively small staff and budget. Car-
rier technologies, which have been built to scale to thousands of customers, have an inherent
complexity, which is in many cases too expensive to operate for enterprise customers. A more
straightforward solution which provides the same or even more functionality can help reduce
network operating costs significantly.
SPB is the technology that will help satisfy all aspects of the multi-tenant customer. The tech-
nology evolved from similar protocols used by carriers and service providers. SPB has been en-
hanced to add “enterprise-friendly” features to give it the best of both worlds, carrier robust-
ness/scalability and applicability with enterprise-class features and interoperability. The simplic-
ity of the technology doesn’t require an entire team with specialized training or knowledge and
therefore makes it very appealing. Existing staff will quickly understand the simple end-point
provisioning and the ease of troubleshooting a much less complicated network that inherently
supports Layer 2 and Layer 3 virtualization. SPB provides all the benefits of a carrier-class sys-
tem without all the overhead, complexity, or cost, and it’s simple and scalable.

Fabric Connect Stealth Networking Services
Understanding how we arrived at the modern-day IP network architecture with stacks of proto-
cols, protocol extensions, and layers of convergence is helpful as well as a simple analogy.
In the early days of networking with bridges and routers, we faced challenges in scaling layer
two domains without experiencing MAC flooding, hence the introduction of switches or the
need to separate Layer 2 areas before they got too big with routing interfaces. Switching tech-
nology was designed to provide a more cost-effective scaling solution which could manage in-
dependent MAC forwarding tables. Layer 2 limitations ultimately led to the introduction of
routing switch technology to the market. This technology also evolved to support Layer 4
lookups and provide more powerful and flexible ACL’s (Access Control Lists) or Filters pre-
venting communications between VLANs.
Traditional IP Networking is fraught with complexity.
It is important to remember by default VLANs with Routing enabled automatically could com-
municate and exchange information. To control the type or amount of traffic between VLAN do-
mains, one would have to create ACL’s / Filters or make use of Layer 4 lookups to more appli-
cation-specific traffic communications or preventions. ACL’s/filters became overwhelming for
customers with hundreds and in some cases thousands of ACL’s/filter rules to be configured.
Firewalls came to the rescue and played a significant role in preventing communications by de-
fault between layer 2 or layer three domains. However, firewalls which were designed to protect
from external attacks, are now performing deep packet inspection and routing at a very high
cost.

An SPB I-SID that is associated with End VLANs.
Let’s go back to fundamentals, switches should switch, routers should route, and firewalls
should protect your enterprise from hackers penetrating your corporate network as well as pro-
tect your DMZ (demilitarized zone). To secure networks quickly, we need to move away from
the traditional network design model. In the conventional IP networking model, private net-
working creates a ‘catch 22’ because the IP protocol is not only the service that is delivered, but
it is the utility which establishes the sense of a network path. Traditional connectivity means that
all other levels of abstraction to provide for service virtualization and hence, privacy is built
upon the IP. A good analogy is brushing the trail during clandestine operations such as surveil-
lance. The method involves erasing the trail and backtracking to a place where the path is effec-
tively obscured.
• No IP addresses assigned*
• Provides for a closed non-IP or single subnet IP based network
• Typically used within and between the Data Centers
In the early days of networking with bridges and routers, we faced challenges in scaling layer
two domains without experiencing MAC flooding, hence the introduction of switches or the
need to separate Layer 2 areas before they got too big with routing interfaces. Switching tech-
nology was designed to provide a more cost-effective scaling solution which could manage in-
dependent MAC forwarding tables.

Layer 3 Stealth Network (IP VPN)
In most instances, the brushed trail looks just as obvious, if not more so than the actual foot-
prints. A seasoned tracker (IP Hacker) will look for telltale signs and go from that point to the
nearest paths and search for other clues. The task is challenging to mask because we are bound
to a single plane; in this case, the ground. As such, no brushed path will be perfect. It’s just a
question of whether the tracker will be kind enough to pick it up or not. Just as in traditional IP
networking, we cannot divorce ourselves from the fact that we must use the path that we are at-
tempting to conceal.
The analogy is quite like methods for private networking today. Since we are dependent upon IP
to establish the first service path (sections thereof), all new path notions such as BGP and MPLS
are dependent upon it, meaning that these networks are potentially vulnerable to IP scanning
techniques. Likely, since reliable access control lists can mask the environment from the general
routed core. But ACLs carry their own set of challenges, in that path behavior is dependent upon
reachability. Consequently, there is only so much that can be masked. Specific nodes will need
to ‘see’ the IP reachability information, so all of this leads to a scenario very similar to the trail
brushing analogy.
If we don’t limit ourselves to the ground (IP), then we open several available yet hard to trace
paths. A bird can arrive at any given location. It will most certainly take away to succeed as well
as one to leave. It will only leave footprints where it landed; it’s ‘point of presence’ on the
ground. Beyond this, there is no trace of the bird’s path even though it did indeed take one. No
amount of tracking on the ground will effectively yield the path information. Stealth is achieved
because the available outs for the bird are occurring on a different plane.

Minimize the XYZ Account ’s attack surface.
In Fabric Connect, path behavior is created at the Ethernet Switched Path level (hereafter re-
ferred to as ESPs). All ESP knowledge is handled within resident link-state databases in each
Fabric Connect switch node. As a result, IP becomes a service around the edge of the Fabric
Cloud. Much like the bird’s footprints, an IP subnet becomes a ‘service point of presence.’ Spe-
cific path information, however, is obscured from the perspective of IP because the path is not a
routed IP hop by hop path; it is held as an ESP at the Ethernet Shortest Path Bridging level.
Like the bird using the air as the path, Extreme’s Fabric Connect architecture effectively di-
vorces itself from dependence upon the IP protocol for path behaviors while prioritizing security
and ease of service delivery. Secure zones are dynamically extended to any port after secure au-
thentication without the need to pre-configure any zone, anywhere.
≠ VLANs transition to services-based architecture and no longer communicate by default.
≠ Layer 4 deep packet inspection run at wire-speed to off-load the firewall.
≠ 16,777, 216 unique services contribute to PCI or HIPPA compliance.
≠ The network becomes utterly invisible to IP hacking. Only the edge of the Fabric is visi-
ble when implementing Layer 3 Virtual Services (VSN’s) with IP Shortcuts.
≠ Troubleshooting only requires viewing entry and exit points of the Fabric.
≠ Eliminates unnecessary protocols to provide Layer 2, Layer 3, and Multicast services.

Native Stealth Capability.
Proper hyper-segmentation protects individual network segments as well as traffic flows and the
broader networking infrastructure. Traffic is encapsulated at the network edge, creating end-to-
end private layers, and these remain invisible from all other layers and the intermediate network
nodes during transit. Fabric Connect dynamically establishes virtual borders that protect essen-
tial applications and confidential data. Additionally, hyper-segmentation can leverage a control
plane that forwards traffic and avoids the traditional node-based IP tables. Fabric Connect cre-
ates immunity to the IP/Internet-based hacking exploits that use node hopping as a means of lat-
erally moving around within the network, from one compromised host to the next. Operating in
this stealth mode delivers an environment that has significantly reduced visibility and a corre-
spondingly lower attack profile.
Traditional Topology from View of IP Hacker once Firewall is penetrated
As shown above, due to the IP hop by hop legacy model, as explained earlier, the IP hacker
would quickly gain full visibility of your network topology in a matter of seconds. Not the ex-
posure any organization wants.
Fabric Connect Topology view when Layer 2 VSN’s are deployed
As shown above, since Extreme’s Fabric Connect architecture does not use IP hopping,
despite the hacker penetrating the firewall, the hacker does not see any topology. The to-
pology is invisible or stealthy. The anatomy of a Layer Two Stealth network is elemen-
tary. It is a Layer Two Virtual Service Network without any IP addresses assigned to the
VLAN’s at the edge.

Dark network topology enabled through stealth networking
With Fabric Connect, secure zones are dynamically created with L2 Ethernet Switched Paths.
These paths are therefore not vulnerable to L3/ IP scanning/hacking techniques — ensuring that
if breached - the end-to-end network topology is hidden. Elimination of back door entry points –
With Fabric Connect, services extend and retract dynamically as corporate assets, IoT devices,
and authorized users to connect and disconnect.
IP utilizes hop by hop routing - Fabric Attach intends to reduce the points of manual configura-
tion and provide an automated way of creating VLANs and Services for users or devices attach-
ing to the network, saving time and money. Fabric Attach is an IEEE Standards-Based mecha-
nism (in draft) to automatically configure VLANs and SPB VSNs (virtual services) on a net-
work. VLANs and services can be provisioned from the enterprise campus network.
• Dynamic routing requires for the advertisement of IP routes
• Routes must be visible to be used
• Access Control Lists and Route Policies are necessary to limit path visibility
Security and safety are right influencers on the quality of living within the city and its surround-
ings. Video surveillance is a significant contributor to this with many cities expanding its de-
ployment. Today, smarter IP cameras provide more excellent capabilities beyond generating and
transmitting video; they can also communicate with centralized management systems delivering
video analytics output, alarms, and metadata alongside the video stream. These smarter video
surveillance systems need the right network infrastructure to ensure the scale, performance, and
quality of the video.

Simplified XYZ Account Deployment
Fabric Connect eliminates XYZ Account network-wide provisioning practices standard in to-
day’s IP-based surveillance networks. Provisioning is required on only the ports attached to
cameras and monitoring stations/and receivers — with no need to provide any core switches in
between. Fabric Connect not only reduces the risk of an outage due to human error during
change but also allows the video surveillance network to be deployed faster and easier than ever
before — with the ability to add, move and change cameras on the fly.
Fabric Connect is an enhanced implementation of IEEE 802.1aq Shortest Path Bridging. Fabric
Connect can offer a series of ‘circuit’ based services that can be either layer two or layer three
depending on requirements. These circuits are constructs known as I-SID’s or I-Component Ser-
vice Identifiers. If these services are used properly, they can yield what are termed as Stealth
Networking Services. A Stealth network is any network that is enclosed and self-contained with
no reachability into and out of it. It also must be mutable in both services and coverage charac-
teristics.
o Real-time streaming: Once the endpoints are provisioned, the network determines the short-
est path from the sources (the cameras) to the destinations (monitoring stations) with opti-
mized network path delivery, thus improving video delivery performance over traditional
networked-based solution.
o Better resiliency: Extreme Fabric Connect eliminates gaps in video streams by delivering
sub-second convergence resulting from network outages. Traditional IP network convergence
can range anywhere from a few seconds to minutes based on topology, while Extreme Fabric
Connect offers sub-second recoveries for both unicast and multicast routing. Therefore, a sin-
gle link or nodal failures are entirely transparent for the video surveillance application.
o Supports massive numbers of cameras: The ability to help tens of thousands of unicast/and
multicast streams, with minimal impact on switch processing is advantageous for Extreme
Fabric to Connect customers.

XYZ Account Demarcation options
Extreme plays a significant role in the layered defense model and the cybersecurity framework.
Engagement solutions and real-time communications are simply applications running on the net-
work, which means that security must be addressed holistically rather than use by request. Ex-
treme’s solutions are designed to work together holistically to provide both a defense-in-depth
as well as defense in breadth regardless of the location of the user about the “perimeter.”
The anatomy of a layer two stealth network is also elementary.
It is nothing more than an I-SID that is associated with VLAN’s. The VLAN’s are not given IP
addresses, however. As such, a standalone layer two networks are created where nothing can en-
ter or exit. These are extremely useful to extend secure Layer two protocol environments such as
SCADA. Layer two Darkhorse networks allow for the smooth and reliable distribution of such
protocol environments.
Additionally, IP can run inside the Layer two dark horse network. But it is a self-contained IP
subnet that is not routed to the outside world. It is invisible. As a result, they can be used for Se-
cure Data Center usage where IP reachability is not necessarily desirable. Finally, a comparable
service in MPLS, known as Layer 2 VPLS requires roughly 30 to 40 command lines of code to
execute whereas a Layer 2 Stealth network in Fabric Connect is one command.

Stealth Networks are private ‘dark’ networks.
ExtremeControl applies granular controls over XYZ Account endpoints that are requesting on-
boarding to the network. ExtremeControl matches parameters with attributes, such as user, time,
location, vulnerability, or access type, to create an all-encompassing contextual identity. Role-
based identities follow a user or IoT device, no matter where or how it is connected to the net-
work. Compromised devices are quickly identified and quarantined from the system. Also, isola-
tion of groups of IoT devices performing a specific function or role is supported by assigning
each of these functions their secure segment.
Fabric can minimize the exposed XYZ Account Attack Surface.
Imagine using our switching as a policy enforcement engine to manage your network. Extreme
offers a Carrier-class solution for the delivery of business and residential Ethernet services. Ex-
treme Networks Metro Ethernet offerings enable service provider customers to provide a variety
of business and residential Ethernet services using a resilient, high performance and service-rich
platform. Extreme Switch Hardware-based design so the ISD will experience no performance
penalty for running advanced features such as Multicast, ACLs, and QoS. Extreme can deliver
the ISD Special Service Differentiation.

Extreme Automated Campus for XYZ Account Fabric
Data Center, MAN, and WAN solutions - Fabric Connect target use cases are covering end-to-end
network solutions, including Campus. With this horizontal network, segmentation (a.m. Network vir-
tualization) can be achieved seamlessly. Fabric Connect has been deployed widely worldwide and has
proven to be a very robust technology. Its target segment not only covers Enterprise networks but is
also in use in hosting as well as transport provider infrastructures.
Yes
Fabric over a traditional non-fabric network deployment? A fabric solution has several benefits;
one of the key ones is the separation between network connectivity services and network infrastruc-
ture. In service provider networks, this view of separating services from support is ingrained into their
business processes, Enterprises, however, have not embraced this approach widely yet. If one looks at
VLANs as L2 VPNs and IP subnets with VRFs as L3 VPNs then they form network services; Net-
work nodes with interconnection links between each other as a network.
Yes
Network Service Abstraction - Network services are provisioned at the network edge and can be de-
ployed dynamically. VLANs or VRF can be extended through fabric with service access point provi-
sioning only, without having to “touch” the core of a network. The Network infrastructure can be put
in place, changed, and extended without having to worry about the deployed network services
(VLANs, IP subnets, routing,..) in no small degree.
Yes
Topology freedom - Building network hierarchy is possible, but not required anymore; fabrics allow
a much more distributed and “flat” design model. Adding additional links or nodes into a fabric net-
work is seamless, fabric services are only affected minimally when new shortest paths are being made
available. Extending networks for bandwidth and availability reasons can be done risk-free during of-
fice hours.
Yes
Zero-touch – XYZ Account network administrators must configure less in a fabric network due to its
zero-touch core attributes and if a failure occurs in a fabric network, failure restoration times are typi-
cally sub-second, and thus network outages can be reduced, and network availability is increased.
Fabric Connect only requires one routing protocol for all types of network service. Therefore, network
operations and deployments are simplified significantly.
Yes
Physical v Virtual Interface Types - Fabric Connect supports physical network to network (NNI)
interface types and logical system to network interface types. A physical interface type is either an
Ethernet port or a link bundle (MLT or LAG). Between two fabric nodes, only one IS-IS will be ac-
tive, even if parallel links exist (an MLT/LAG is one link). A logical interface type can either be a
consistent fabric VXLAN tunnel over IP routed or a logical fabric tunnel over a VLAN (VID).
Yes
VXLAN - The requirement for VXLAN tunnels are that both end-points need to be reachable to es-
tablish an IS¬IS adjacency. An additional element is that the IP connection needs to support jumbo
frames. It is recommended to have at least 1590-byte support in the IP underlay.
Yes
Latency Requirements - Fabric does not pose any stringent latency requirements on an NNI link.
NNI links can stretch thousands of miles across the globe, if the physical Ethernet or emulated Ether-
net integrity is guaranteed. IS-IS timers are typically very long (multi-seconds); thus, a link won’t
time-out due to the extended distance between the NNI ports. If packet loss occurs on the Ethernet
links, the application layers will have to retransmit packets. If excessive packet loss occurs, then links
might drop due to missed IS-IS hello packets.
Yes
Layer 2 and Layer 3 virtualization. These virtualized Layer 2 (L2) and Layer 3 (L3) instances are
referred to as Virtual Services Networks (VSNs), and this section describes those services. A Service
Identifier (I-SID) is used to uniquely identify each of these service instances in a Fabric Connect do-
main and a User-Network Interface (UNI) is the boundary or demarcation point between the “service
layer” of traditional networks, i.e., VLANs, VRFs and the Fabric Connect “service layer,” i.e., L2 &
L3 VSNs.
Yes

Network topology: hierarchies v. mesh Fabric
Non-fabric networks are typically built in a strictly hierarchical model. 2-,3-, or 4-tiered designs are
very common; each tier is providing an additional level of aggregation. Usually network designers
have tried to avoid stretching L2 domains beyond the first aggregation layers; however, user and ap-
plication requirements, in the campus as well as in the data center, have driven many network opera-
tors to stretch the L2 segments across multiple layers still.
Yes
Connect takes the complexity of networking. Delivering a comprehensive array of network ser-
vices, including Layer 2 and Layer 3 virtualization with optimized routing and IP multicast support, it
allows customers to phase out multiple sophisticated legacy technologies gradually and enables all
services through a single, next-generation technology.
Yes
Fabric Connect - Fabric networks can be built much the same way, but its flexible L2 extension ca-
pabilities, as well as the availability of high-density high-speed core and aggregation switches com-
bined with the link-state protocol, new distributed, less hierarchical and much more flexible mesh de-
sign models, have become available. The distributed fabric model consists of network core nodes and
network edge nodes. Core nodes can be meshed together according to the open connectivity layout
and bandwidth requirements. Edge nodes are typically dual-homed to a pair of fabric nodes.
Yes
Flooding and Learning - While fabrics constitute of an Ethernet switching domain, the forwarding
behavior is not comparable to a traditional bridging network. The flooding and learning mechanisms
of traditional bridged Ethernet are replaced by IS-IS control plane which is programming forwarding
states (Unicast and Multicast forwarding records) into the forwarding tables of the network elements.
Extreme Fabric ensures predictable state and at the same time provides loop-free forwarding due to its
built-in reverse path forwarding check. While the forwarding in the SPB backbone domain is BMAC
based, for connectivity services (ISIDs), the forwarding behaviors.
Yes
Stretch IP Subnets - In data center deployments where L2 segments need to be stretched to enable
virtual machine movements, routing functions should be placed at the aggregation layer that is closest
to the extend L2 domains that will allow virtual machine (VM) movement. In virtualized DC environ-
ments, the TOR switch can become the access and aggregation node, thus enabling the routing func-
tion on the TOR is the most effective forwarding solution between locally attached Subnets.
Yes
Unicast Routing - The IP Shortcuts functionality of FC allows using IS-IS as the global router rout-
ing protocol instead of OSPF. Networks can be migrated to IP Shortcuts smoothly by using the proto-
col preference functionality. Initially, the IS-IS IP preference can be set such that OSPF is preferred
over IS-IS, once the fabric is up and running, the choice can be changed on the network nodes to ena-
ble the use of IS-IS over OSPF.
Yes
VPN - Some customer scenarios require interconnecting a virtualized fabric infrastructure with an
MPLS WAN network which is running multiple IP VPNs. In this scenario, each IP VPN needs to be
individually interconnected with the fabric L3 VSNs. One or numerous physical links (link bundle)
can be used to do so. Separate the data planes for each VPN interconnect, VLAN multiplexing shall
be used by configuring 802.1Q on the interconnection links.
Yes
Fabric Overlay - fabric overlay solutions, in this scenario, the fabric services are running like “ships-
in-the-night” on top of the underlay IP infrastructure. For how to connect fabric services to non-fabric
services such as VLANs, VRFs or Multicast Routed domains, please refer to section Interconnecting
Traditional Networks with Fabric Connect. Xt, RIP, OSPF, BGP, PIM routing, or MPLS IP VPNs.
Yes
NSX to a DC fabric - VMWare NSX Edge Gateways are directly connected to BEB nodes using
802.1Q tagging on the UNI interfaces. By enabling OSPF on a per VLAN/Subnet/VRF basis routes
can be exchanged between the distributed NSX VRF on the NSX GW and the Avaya Fabric L3 VSN.
Simultaneously the ESX hosts can be connected to a fabric infrastructure in IP shortcut mode building
the IP routing underlay support for NSX. In this deployment, the fabric switches can strengthen the
NSX underlay fabric for IP transport and at the same time map to the NSX virtualization instances
through the Edge GW.
Yes

8/7/2019
Jeff Green Transformative Education Chapter 13.0
8/7/2019
Extreme can answer XYZ Account’ and key concerns…
• Parents: Harnessing technology to grow the business,
improve students, and protect the enterprise.
• Board Members: Delivering new revenue-generating
services, maintaining control of steadily rising IT costs.
• Superintendent: Aligning technological capabilities
with business requirements.
• Principle: Meeting the needs of teachers, students, and
parents. Can I give $ back?
• Teacher (Security): Collaborating with the CIO to pro-
tect student data privacy and manage compliance.
• Students: Reducing the number of clicks, improving in-
teractions between students and applications.
https://prezi.com/view/WfVvCHNEV4Ex5IqYjiIq/
Transformative Education
with Extreme Control

8/7/2019 Reducing the number of clicks
Access Control to the XYZ Account 2020 Classrooms.
"You Can't Always Get What You Want" is a song by the Rolling Stones on their 1969 album
Let It Bleed. Written by Mick Jagger and Keith Richards, it was named as the 100th greatest
song of all time by Rolling Stone magazine in its 2004 list of the "500 Greatest Songs of All
Time". Still today, You Can't Always Get What You Want" (technology built on need), with
switches the need is for speed,
Remember that timing is everything. You must be careful to take intelligent risks by assessing
the leading company's product entry and then developing something that genuinely can be dif-
ferentiated from the leader. If you wait too long, the opportunity can be lost, and the market so-
lidified behind the first to the market firm. Carrying the marketing concept through to building a
long-term relationship with customers also requires that you understand the needs of the market-
place. Therefore, take the time to conduct market research to assess the reactions of customers
to the initial product or service. Be quick and agile to make changes that will position your firm
more closely to their needs.

Because XYZ Account Teachers don’t know what a MAC address is…
Teachers neither know or care to understand how the technology they interact with day to day
operates. All they know is how technology ultimately impacts students. When they call and are
being asked to manage an application or network outage for their domain within the Schools all
they care about is how quickly it will be back up and what do I do in the meantime.
Imagine, you come into your office in the morning and see compliance risks for network config-
urations on a simple dashboard. The information has all been analyzed for you automatically.
Our solution analyses the confirmation of your entire wired and wireless network and provides
you with a detailed remediation map to achieve compliance of your network configurations.
“Situational awareness is the engine behind various ‘classroom of the future,’
‘digital classroom’and ‘smart classroom’initiatives”.
Recently, I had a meeting with a CIO who is a Cisco customer. During the meeting, the CIO
made a comment that I thought was one of the best antis- “we are a Cisco shop” comments, so I
have burned into my brain. The statement that this CIO made was…
“…our organization can no longer afford the fiscal irresponsibility of habit.”
Technology is changing the way education is delivered, how information is shared among care
teams, how research is done, how information is visualized, and how Education organizations
interact with each other. Extreme Networks is pleased to present the enclosed response to XYZ
Account. We are committed to providing XYZ Account with a high-value proposal with the abil-
ity to expand quickly and efficiently through low-cost enterprise-class technology and deliver on
time and budget. Today’s Education organizations are under tremendous technical and financial
pressure to deploy a secure and mission-critical wired and wireless network to support data,
voice, video, and school device applications.

Teachers neither know or care to understand how the technology operates.
Technology alone is probably the weakest reason for a potential customer to take on the risk of a
new vendor. The personnel requirements for the different types of staff vary for different network
configurations, but they are invariably higher for Cisco than they are for Extreme. While we
found it easy to predict the staffing delta between Cisco and Extreme Networks for equivalent
networks, the total number of staff required can be affected by many factors. Cisco command-
line complexity will typically require more experienced staff when compared to the same tasks
with Extreme.
Today, almost 80 Percent of technology’s budget is still dedicated to keep-the-lights-on (KTLO)
activities and maintaining siloed systems. With the right IT infrastructure, the right techniques,
the right security, and the proper operational practices, Education organizations can improve
students, protect the security and privacy of their Students and their enterprise, and position
themselves for new growth opportunities.
• Capital outlay (Affordable Licensing) – Does your vendor have a history of forcing
system-level upgrades: results in difficulty planning an update or configuration change
without having other needed features fall away, or have dependencies on the combination of
components in a specific platform.
• Complexity (Intuitive management) - Basic configuration tasks being time-consuming and
error-prone, and often require more expertise to deploy. Inferior functionality: results in
cumbersome workarounds, to make up for less advanced capabilities. Lower the risk of
“refresh” costs needed to support unexpected business needs.
• Operational Expenses (OPEX): Operational automation modules based on Universal Port
simplify change management, reduce costs. Cisco’s Multiple Platform approach results in the
network having incompatible elements; the same function is often performed in different
ways on different products. Cisco’s simplicity comes at the cost of DNA and Cisco One.

Extreme Policy-Driven Control 2.0 (Wired and Wireless Control).
The network edge is where digital transformation is won or lost. It’s where your organization en-
gages customers, where mobile transactions occur, where IoT devices connect, and where you
make the first stand against cyber threats. Extreme’s Smart OmniEdge network solution provides
a unified wired/wireless infrastructure for cloud or premise deployment, augmented with AI-
powered applications and managed through a single pane of glass. The result? A network that de-
livers a consistent customer-driven experience contains costs and enables competitive advantage
through innovation and rapid new service delivery.
Balancing how best to partition the work so that risk is minimized but expenses do not become
unbearable is a non-trivial exercise, and no single answer will serve everyone. Prices for the se-
curity infrastructure, both capital and operating, will rise, inevitably; but reducing the risk of ex-
tended service outages has several benefits:
• Improved ability to provide care and positive Student outcomes
• Reduced risk of death, injury, or worsening health
• Reduced risk of lawsuits and damages
• Reduced risk of regulatory infractions, fines, and penalties
A recent innovation in the space is to put a firewall in front of each piece of equipment, a so-
called “micro firewall” explicitly built for small-scope deployments, and to consume little space
or power. Micro firewalls generally remove the need for secured VLANs, since the secure seg-
ment is just the cable attaching the equipment to the firewall. They also minimize the complexity
of the rulesets, since each firewall only must know how to protect the one piece of equipment be-
hind it. Where the VLAN was supposed to stretch to the system back-end in the data center,
though, the secure VLAN might still be needed, in which case the micro firewall approach has
not succeeded in significantly simplifying network management.

A solution that Learns (Smart URL based detection).
Our solution can scale on demand to support communities, not just School. Education organiza-
tions are becoming service providers to an ever-expanding number of roles and access require-
ments, so they need to provide access to the latest clinical information faster and through more
channels. Because traffic profiles can be complicated to create manually, the Defender for IoT
solution automates this process using an “Auto Policy Generator.” The Defender for IoT solu-
tion enables adapters to mirror traffic to the Defender Application where the Auto Policy Gener-
ator can create a traffic profile for the IoT device.
Having a single pair of firewalls puts all services at the mercy of that pair, and anything that
takes them out of service renders all the equipment useless. As with all connected technology
adoption, issues are emerging in terms of security. The Internet and its associated enabling tech-
nologies bring with it a host of insecurities that can affect Student safety. The future challenge
for the Education industry is to be able to take advantage of technological benefits while mini-
mizing potential risks. The balance is not an easy one to reach and requires education in new ar-
eas, notably cybersecurity.

Start Troubleshooting at XYZ Account in the Right Place…
A constant risk to the network and ultimately, the School are unapproved applications and rogue
devices that may appear on the system and either permit unauthorized access or interfere with
other devices. A means to monitor all devices and applications that operate across the web is vi-
tal. Just as important are the audit and reporting capabilities necessary to report on who, what,
where, when, and how Student data is accessed. IT operations have evolved beyond connectivity
and now requires proactive monitoring and management of mission-critical applications and ser-
vices, including electronic School applications.
Students are learning that a strong digital footprint can boost their chances with college admis-
sions and employment. Social should not be a scary thing. And it’s not scary if you have 100%
visibility and control into all activities and social traffic traversing the enterprise network, and
that’s what we provide. While the system must connect all devices, it must also be very selec-
tive in doing so.
• 51% of schools use or will use social media in the classroom within 12 months.
• 75% of students ages 12-17 participate in social networks.
• 45% of K-12 teachers update social-networking sites for work purposes.
Authorized devices should be expeditiously on-boarded, while unauthorized devices must be de-
nied access to the network or moved to a guest access network. The best way to implement this
is with a defined policy as to which devices, users, and apps can access the network resources
from designated locations at specified times of the day. This policy needs to be implemented
consistently across the wired and wireless network with policy integration from firewalls to pre-
vent access from outside sources that can damage the system.

Access Policy Evaluation.
The Extreme Identity and Access Control solution is a very flexible solution. It is possible (and
highly recommended) to use a phased deployment approach with each phase building on the
knowledge gained along the way. It allows you to fix any underlying network, end-system, or
user perception issues as they appear in each phase, making for a smooth deployment process.
Phase 1 – Passive Identity and Access Design (Initial Deployment) As an end-system connects
to the network, the Identity and Access Control solution records the MAC address of the device
via the MAC authentication process. This information is then compiled in a database for future
use. This phase is non-intrusive and does not assess or remediate the edge devices. The purpose
of this is to gather information about the connecting end-systems/hosts and to provide visibility
to the administrator of the end-systems/hosts connecting to the Identity and Access Control
managed a network.
Phase 2 – Authentication
As an end-system connects to the system, the Identity and Access Control solution records the
MAC address of the device via the MAC authentication process as in the Passive design phase.
In the authentication phase, however, the Identity and Access Control solution has been config-
ured for authentication. The authentication mechanism used could be 802.1x, preconfigured
MAC address groups, pre-configured IP address groups, pre-configured user groups, or any of
the various authentication mechanisms offered in the Extreme Identity and Access Control solu-
tion. Regardless of the device used, the Extreme Identity and Access Control solution are con-
figured to apply a policy/VLAN to the port based on customer determined criteria which are
programmed into the extreme management Identity and Access rule set and the information ob-
tained during the authentication of the end system/host.

Guest access makes use of built-in web portals included.
Guest access is an additional part of the authentication phase. It is possible, using a “captive por-
tal” to utilize the Identity and Access Control solution for guest access to the network (wired or
wireless). Guest access makes use of built-in web portals included with the Identity and Access
Control appliance to allow and control guest access to the network. To properly utilize guest ac-
cess, the existing system should have the capability to perform policy-based routing or route
maps.
Phase 3 – Assessment
This phase builds on Phase 1, which provides information about the host, and Phase 2, which
authenticates the host. In the assessment phase, the Identity and Access Control solution can ei-
ther perform a scan of a host (from a scanner built into the Identity and Access Control appli-
ance) or can use an Identity and Access Control agent deployed onto the host system. The as-
sessment process is initiated after the authentication process has completed. The end sys-
tem/host can be placed into a temporary policy which allows for customer determined access to
the network during the assessment. After the appraisal, a further dynamic system can be applied
based on the assessment results. It is also possible to use a “quarantine” policy which can redi-
rect the end-system/host to a web-page explaining their failure to pass an assessment.
Front Desk
Self-Service w/
Sponsor
Sponsor
Social
Media
Self-Service

Phase 4 – Policy Enforcement
The design for Identity and Access Control policy enforcement is dependent on the completion
of the customer’s policy definition(s). Once the customer has defined the access policy, the
Identity and Access Control solution can be configured to enforce the access policy. During the
earlier phases, it is possible to allow end-system/host access to the network by using a “fall
through” as part of the Identity and Access Control rule set. The concept enables an end-system
to/host to access the net even though they failed to pass any existing Identity and Access Control
rules. The control allows the system to be adjusted to prevent blocking legitimate traffic.

Phase 5 – Remediation
Identity and Access Control remediation is the most complex of the deployment phases. The re-
mediation design is based on the customer’s requirements for assessment. If an end system/host
device fails evaluation, it is “quarantined” based on the policy role. The remediation web page
will provide information as to why the user is quarantined and how to resolve the issue. The de-
sign of the web page needs to be reviewed and modified according to customer requirements.
The web page typically will provide links to internal services to resolve the issue.
The Authorization Rules Engine.
To remain competitive and profitable, retailers today must deliver a convenient, personalized,
and mobile-centric in-store shopping experience, which aligns with the digital expectations of
today’s guest and fosters the connection between brand and customer. Retailers can achieve an
Enhanced In-Store Experience by enabling seamless guest onboarding and access to reliable, se-
cure, always-on Wi-Fi while understanding the preferences and behaviors of their customers.
These network-driven insights translate to targeted, contextual engagements with onsite shop-
pers and the improved impact of digital campaigns and ecosystem platforms. Ultimately, driving
more value with customers and more revenue for the business.
Who
User role: Engineer, HR, Professor, Student, Guest, Contractor, Sup-
pliers…
What
Corporate laptop, BYOD, Smartphone, tablet, printer, game console,
IoT Device…
Where
Wired network, wireless, AP, group of APs, SSID, cafeteria, conf.
Room.
How
802.1X, web authentication, MAC authentication, Kerberos, Guest
Management, Social Login…
When Time-of-Day, time-of-week, day-of-month.

Eliminate XYZ Account multi-day manual audits with automated assessments.
The reality is that consumer-grade tech will operate in Schools, and it’s up to IT to find a means
of support that includes solution delivery, and security. Extreme XMC can safeguard Student in-
formation and the organization’s brand. No organization can afford to fall victim to cyber-at-
tacks, particularly Education organizations, entrusted with sensitive Student data. The penalties
of failing to meet security requirements and compliance mandates are prohibitive. XMC’s built-
in analytics and reports eliminate finger-pointing.
Schools are now being measured directly on Student satisfaction.
Student retention is an ongoing concern to many institutions, a problem that the economic crisis
and competitive market in higher education have exacerbated. Innovative CIOs, however, can
use technology to fight back. These CIOs have found numerous ways to improve retention, such
as developing early warning systems to identify students before they drop out, using case-man-
agement methods to track students as appropriate, and generally supporting students during their
life on campus. Many of the initiatives they designed to support students help not only retention
but also create a compelling college experience for students that builds the institution’s brand
and differentiates it from the competition.
Extreme is uniquely qualified to assist Education organizations on every step of their journey to
software-defined business transformation. Our Education platform addresses everything from
bridging siloed legacy systems to adding intelligence and automation, to delivering next-genera-
tion Education services and more. Our uniquely broad combination of products, expertise, and
implementation services enables customers to accelerate their transformation and achieve their
business objectives sooner.
Extreme networks embrace mobility to empower providers, engage Students, and improve care.
Physicians need secure access to vital information from anywhere so that they can be more pro-
ductive and develop their quality of life. Students want to use mobile devices to get better an-
swers to questions faster, to promote the Education experience, and to reduce some of the stress
that comes with School issues. And all parties want to harness mobility to enhance the overall
quality of students.

Defender combines the virtues of a micro-firewall with a centralized policy.
Our Extreme Networks IdentiFi Wi-Fi solution provides wired-like performance, security, and
reliability for mobile and BYOD users. Advanced Policy includes access points, centralized
management, and controllers that provide enterprises with economic value, reduced risk, and
flexibility to adapt to change in the business environment rapidly. Waves of new networked de-
vices are flooding enterprise networks, each a potential point of attack and breach. Most organi-
zations use familiar security technologies to secure them: VLANs, ACLs, firewalls, Network Ac-
cess Control.
Defender combines the virtues of a micro-firewall with a centralized, policy-driven holistic man-
agement system to reduce IT hands-on time in deploying and moving equipment and reduce
spend on firewalls, NAC, and elsewhere. Organizations are experiencing waves of new kinds of
devices flooding onto their networks and use a variety of means to secure these new networked
devices on the LAN. Using VLANs, router ACLs, firewalls, and network access control systems,
IT departments try to strike the best balance among cost, complexity, and risk management. In
the end, most methods end up requiring too much staff time to implement.
By taking a radically different approach to secure the equipment’s network access, can up-end
cost/benefit calculations by eliminating much of the hands-on labor of IT, simplifying design
problems, and sidestepping capacity management pitfalls. Per-device IT staff time to deploy a
piece of equipment and later to move a part of equipment drop to zero; planning times are signif-
icantly reduced as well. By so dramatically reducing operating costs while also simplifying man-
agement and improving security, a solution like a Defender can make the new age of networked
and mobile devices survivable for any IT department.
The security of the Old Way - Organizations typically take one of four approaches:
• Put it on a secured VLAN or set of VLANs.
• Put firewalls between secure VLANs and the rest of the network.
• Put it on secure VLANs with Network Access Control (NAC) applied.
• Put micro firewalls on each piece of equipment.

Network-Powered Classroom Analytics.
Unified management is the glue that connects all the hardware and software components that
make up the OneFabric solution set. The fact that you have visibility and control at your finger-
tips, including mobile and smart devices, is music to the ears of CIOs. We provide extensive
automation to network management. To be strategic, you as a CIO need a high degree of auto-
mation, so you have time to be decisive. Our unified management with automation is the secret
sauce for making it all work together. Balance, simplicity, and scale are the tenets of our One-
Fabric architecture. The tangible element is the user interface and network management; all
working in concert with our analytics technologies and the functionality that we have embed-
ded in our switches, routers, and wireless products.
Who is on my network? What are they doing on my system? What do you do now around the
following - There is a “Records Request” whereby the network administrator needs to provide
detailed information based on the request from a parent, instructor, or administrator? (ie. My
son Johnny says he flunked the online test because the wireless network was not working cor-
rectly during the test just for him) What applications are being accessed on the system and how
they are being used? Are there applications that need to be restricted, are there applications that
can be optimized to improve the user experience?
• What applications are being accessed on the network and how they are being used? Are
there applications that need to be restricted, are there applications that can be optimized to
improve the user experience?
• We continue to deliver enhancements to our wired and wireless network management capa-
bilities. Our solutions are mobile and simple to use.
• We are incredibly excited about our application intelligence launch later this year that will
solidify our position as the industry leader when it comes to network-driven, scalable and
open architecture with the most granular visibility and control capabilities to date.
So “Why Extreme Networks”? I want to leave you with one takeaway with three elements to it:
At Extreme Networks, we are driven by People first (competitors can never replicate our best
employees) Our solutions are deep and wide; we are not RFP checklist driven. We take a prag-
matic architectural approach to deliver solutions to the market. Our services are second to none.
We are top-of-mountain; we know we must work hard to stay there. That’s the difference: Cul-
ture; Solutions; and Services.

Critical Technology Issues for One-to-One Computing Deployment.
K-12 school districts are faced with extraordinary challenges, as well as opportunities to reshape
how students are best prepared for college and 21st-century careers. Schools can take advantage
of emerging educational technology to meet the teaching needs while adhering to austere budg-
ets. Delivering personalized learning to students requires rich, digital content, including video
and adaptive learning textbooks. One-to-one computing programs are a way to make sure all
students enjoy the benefits of digital learning content. These are the critical technology issues
facing school districts as they implement one-to-one computing. Addressing these issues will
help school districts achieve their objective of learning success for all students.
Access to a global restricted access center (GTAC) on a 24x7 basis ensures that all support ques-
tions can always be answered promptly to keep the network functioning. Before installation, it is
essential to survey and assess the RF characteristics of the site to determine the optimal place-
ment of access points and switches. Depending on the network support resources available
within the district, network training and managed services may be required.
The solution described below provides school districts with Wi-Fi connectivity, including an ef-
ficient means to onboard and manage both district-owned and guest devices. The system offers a
single window for administering the network and setting a policy to determine which resources
each device can access. The network must selectively connect authorized devices and block un-
authorized devices. A great classroom experience requires comprehensive policy enforcement
that is based on device type, user, location, time of day, and many more attributes. Network inte-
gration with web filters and firewalls is also essential. The network must be capable of both con-
trolling and monitoring all devices and network activity.

Challenges to the Smart Classroom.
The network is the central nervous system in today’s digital era. It is what connects technology
to people. It is where an organization and its customers meet, where users engage, Internet of
Things (IoT) devices connect, mobile transactions occur, and it is the first line of defense against
cyber-security attacks. However, the demands of today’s businesses put on the network cannot
be met because of the following challenges:
• Classroom Overload - The sheer number of users, devices, and applications make managing
enterprise environments unwieldy and unpredictable. Most mistakes or breaches occur due to
human error in configuration or response time. Security is at the top of nearly every organiza-
tion's priority list, especially with the meteoric rise in connected devices (IoT). Unsophisti-
cated devices from unproven vendors present a vastly increased attack surface. The demise of
the network perimeter only adds to the security challenge.
• IT and Classroom Integration: The silos between IT and business need to be eliminated.
Few systems are available to help tie everything connected to the network into a meaningful
set of insights to transform the industry. The ability to adapt quickly to changing market en-
vironments is critical in today’s economic climate. A company can quickly fall behind if it
cannot adjust to new ways of operating or adapt to changing customer demands.
• Manageability - Many schools are not aware of how many devices or users are on their net-
work. They do not have visibility into what is connected, what network traffic and applica-
tions are in use, and they cannot implement consistent policy across a broad set of distributed
users, devices, applications, and experiences.
The Autonomous Enterprise, and technologies such as artificial intelligence and machine learn-
ing, promise to disrupt enterprises in ways we have yet to imagine. Businesses that embrace the
change, and take the opportunity to reinvent themselves, will endure and thrive in the long-
term. The Autonomous Enterprise, where business decisions are made with the help of machine
learning and artificial intelligence, delivers better outcomes & experiences. Schools can auto-
mate the mundane, repetitive tasks and put human knowledge to better use.

Transformative XYZ Account Education with Extreme Control Goals
Single pane of glass management – Network Management System delivers XYZ
Account centralized visibility and end-to-end granular control of the unified net-
work. Stabilization of Existing Wired and Wireless Infrastructure to Support
Growth of School Devices. Extreme Controls from access, to campus, to Data Cen-
ter with the same management solution. That is unique.
Yes
One-to-many - XYZ Account Students can be anywhere, on any device, and a sin-
gle teacher delivers content with various media. Learning occurs at any time (In the
past, many only students learn only when physically with teachers). The real value
that the Internet of Things creates is at the intersection of gathering data and lever-
aging it. All the information collected by all the sensors in the world isn’t worth
very much if there isn’t an infrastructure in place to analyze it in real-time.”
Yes
Unified Control Wired and Wireless LAN - Pervasive Wi-Fi Connectivity and
Bandwidth for Clinician Workflow and Communications. Hybrid deployment archi-
tectures (Bridged at AP or Controller), single sign-on to simplify management. Ap-
plication and device-based policy controls. Embedded flow-based ASIC flow sensor
technology per port, 3M flows/sec collection.
Yes
On-demand instruction - XYZ Account Content can be recorded and delivered
multiple time to multiple students anytime and anywhere (In the past, guidance
gave once to every student).
Yes
Zero-touch deployment and core operation? Extreme is ten times easier to de-
ploy and operate, is proven in the enterprise, and allows for easy hyper-segmenta-
tion, VRF and multicast support (even multicast within VRF).
Yes
Differentiated XYZ Account Learning - Content can come to life by utilizing var-
ious deliveries, and the student learns at their own pace via the methods that work
best for their learning style (In the past, static content such as textbooks; all students
on the same speed).
Yes
Governance - Maintaining FERPA and other regulatory requirements. Visibility
into application usage, website access, bandwidth consumption, and patterns of ac-
tivity are essential for optimizing the user experience and verifying that digital edu-
cational content is adequately delivered. Governance is also vital for optimizing
XYZ Account infrastructure and for short- and long-term planning.
Yes
Collaboration - Customized XYZ Account curriculum that can be updated in real-
time collaboratively by teachers and instructional (In the past, staff Expensive in-
structional resources that are outdated the minute they are printed).
Yes
Wired and Wireless Policy - Critical Device and Agentless Application - Auto-
mated and secure provisioning and control of School devices on the wired/ wireless
network. Automation strategy from scripting to console. Other vendors use CLI the
same way for the past 20 years.
Yes

Schools are now being measured directly on Student satisfaction. Goals
Efficiency - Grading can be done in real-time and delivered to stakeholders in a
just-in-time manner freeing up time for teachers to create curriculum and teach (In
the past, Grading and entry into student information system manually),
Yes
Location - Technology is changing the way education is delivered. Visibility into
XYZ Account device communications, areas, performance, and patterns of activity
are essential. In addition to easy onboarding of district-owned devices, a simple
method for onboarding guest devices and instilling them with the appropriate access
to Internet resources must be provided.
Yes
Wireless - With WAP’s in every classroom and triangulation technologies, attend-
ance can be automated (Teachers take audience manually). Buses can be tracked in
real-time, routes developed from the data and scheduled effectively,
Yes
Textbooks and video present high-quality learning content at a lower cost than tra-
ditional books, but require high speed, ubiquitous Wi-Fi to connect every mobile
device. Edge switches provide backhaul from the Wi-Fi access points and connect
wired infrastructure to the network. High availability or fault tolerance is essential
to ensure uninterrupted teaching.
Yes
Application Control - A constant risk to the network, and ultimately, the Schools
are unapproved applications and rogue devices that may operate on the net that ei-
ther permit unauthorized access or interfere with other devices. It is not uncommon
for one School device system to incorrectly be configured for DHCP services which
can disable an entire VLAN.
Yes
Carbon Footprint - HVAC systems networked to allow more control, more visibil-
ity, proactive support, and more tracking of energy consumption (HVAC operations
adjusted manually). Your current network infrastructure supports computers, tablets,
and peripherals.
Yes
Built-in NAC - The network must selectively connect authorized devices and block
unauthorized devices. BYOD requires comprehensive policy enforcement that is
based on device type, user, location, time of day, and many more attributes. Net-
work integration with web filters and firewalls is also essential. The network must
be capable of both controlling and monitoring all devices and network activity
Yes
Telemetry Service - As more School device manufacturers move away from legacy
Wireless School Telemetry Service (WMTS) bands to Wi-Fi, Whether its connect-
ing XYZ Account workstations on wheels, barcode scanners
Yes
Security Posture - Cohesive XYZ Account security posture for wired and wireless
is not possible without significant overhead. You would be managing two separate
environments for the foreseeable future. Our unified management and policy solu-
tion for wired and broadcast has been proven in the market place for years and is
not ACL driven.
Yes

Deliver New XYZ Account Student Experiences Goals
Proactive Operations - Machine learning and artificial intelligence can process
more information and act on it faster than humans. Furthermore, unlike humans,
that only react to problems after they occur, machines can automate processes and
proactively find and address failures before they become an issue. A network that
continuously learns and self optimizes, adjusting resources in real-time
Yes
Visibility and Manageability - Pervasive intelligence across the entire network
provides enterprises the insights they need to personalize engagement, improve
business outcomes, and enable programmability of networking as the whole infra-
structure — analytics and Insights to track user, application, and IoT device usage
in real-time. Digital transformation is causing massive disruption to society. It is
changing everything about our daily lives. How we engage, how we work, the tools
we use, what we are exposed to do, the choices we make, and more.
Yes
Superior XYZ Account Experience - Detecting and correcting problems before
they manifest themselves to the end-user, dramatically enhances the end-user expe-
rience and reduces the maintenance and troubleshooting burden on IT. Self-drive
and self-optimize with minimal, if any, human involvement.
Yes
Enhanced XYZ Account Security - Machine learning and artificial intelligence
can enhance the experience for security analysts by providing proactive, automated,
remediated capabilities. By detecting anomalies and breaches quickly, and provid-
ing automated remediation, it can significantly bolster an enterprise’s security pos-
ture. Automation – cross-domain and closed-loop automation to optimize network
and application performance. Security with multi-layer security protecting, users,
devices and IoT
Yes
Faster Time to Service - By streamlining and automating network configuration
and the dynamic, secure attachment of wired and wireless users and IoT devices,
the delivery of network services can be simplified and accelerated. Leverage Artifi-
cial Intelligence to automate functions previously performed by humans. To deliver
new human experiences and achieve next-generation outcomes, enterprises must
evolve. They must become more agile and aware – where they can anticipate and
respond to their customers’ needs proactively, and continuously learn and improve
every second.
Yes
Open XYZ Account ecosystem – so businesses can build the architecture they re-
quire to fulfill the specialized demands of their enterprise. Build on traditional opti-
mization, taking it further with crowdsourcing techniques and advanced analytics
and strategy. Central to this evolution is the underlying network. A free enterprise
requires a self-contained network. Independent networks are self-driving and self-
healing, empowering businesses of the future to deliver new human experiences.
Separate networks serve as the central nervous system of the Autonomous Enter-
prise. It is the foundational layer that connects humans, machines, and devices to
technology; the gateway to Digital Transformation.
Yes

8/7/2019
Jeff Green One click – one thousand actions. Chapter 14.0
8/7/2019
Extreme Policy (One-click – one thousand actions)
1) 89% of businesses have digital transformation initiatives.
An intelligent network can enable transformation.
2) 75% of Security Spend focused on the network perimeter.
However, only 27% of breaches emanate from that point.
3) 60% of Network Engineers spend >25% time fixing Wi-Fi.
Extreme Policy Maps right into Fabric-Based Networking.
Enable networks to react to evolving security threats with
AI-based actions with EXOS.
https://prezi.com/view/cRGzaknwAJBMgRJbjhbj
Extreme Policy
(One click –
One thousand actions)

8/7/2019 Extreme Policy.
Jeff Green One Whack – one thousand actions. Chapter 14.1
Monday, May 6, 2019
Stop playing whack-a-mole with your network access control.
Stop the practice of repeatedly getting rid of something, only to have more of that thing appear
over and over without end. Solving the problem of excellent Network access control reminds me
of an arcade game in which players use a mallet to hit toy moles, which appear at random, back
into their holes. Next time you are near a kiddie amusement park, go in and play a round of
whack-a-mole. While playing the game every time you seem to solve a problem, it is only tem-
porary and superficial, resulting only in temporary improvement.
Whack-A-Mole - an arcade game in which the player uses a small rubber mallet to hit robotic
toy moles that pop up randomly in holes laid out across the surface of the machine. I love com-
ing to this old arcade. I have a lot of fond memories playing whack-a-mole and skeet ball here
as a kid. Whack-A-Mole presents an operator experience or situation to the gamer that many
network managers can relate too. It is an escalating behavior in which problems continue to rise
faster than one can solve or cope with them, resulting in piecemeal, incomplete, or temporary
results.

Digital Transformation requires a visibility.
Legacy management was device-specific and focused primarily on the state of a switch or
router. With this model, there was no way to get an end-to-end view of how the network was
functioning, making troubleshooting very difficult. Also, the only way to analyze data to im-
prove the system was through manual analysis. Smart Omni Edge was possible a decade ago
when traffic volumes were low. But systems create orders of magnitude more data today—far
too much for even the most experienced engineer. The lack of visibility also leads to several
“blind spots,” such as IoT devices that are primarily deployed by non-IT individuals.
Security challenges - Legacy networks have been secured by placing overlay devices at spe-
cific points in the system, such as the demilitarized zone (DMZ). Smart Edge was capable when
all traffic was coming into and out of an organization through a single point. Today, cloud appli-
cations, IoT devices, mobile users, and other factors have increased the network attack surface
by orders of magnitude. One related and compelling data point comes from the ZK Research
2017 Security Survey, which found that 75% of security spend is focused at the traditional pe-
rimeter even though only 27% of breaches emanate from that point.
The entire security model requires a rethink.

Ask yourself what XYZ Account the cost to chaos ratio is.
Regardless of size, location, or industry enterprises share a common goal—how best to grow
their business. They look to operational efficiency, security, new customer experiences and di-
versified business models to allow them to keep up with and thrive in today’s economic environ-
ment—a challenging feat given we are experiencing the fastest pace of industrial development in
history. Businesses need to look beyond their traditional borders to innovate and grow. Today,
we face a changing society due to the massive disruption of digital transformation.
Why not Automate everything that can be automated? Policy profiles can be configured auto-
matically based on who logs onto the network and what connects to the system. The policy pro-
vides flexibility, saves configuration time, and can dramatically reduce configuration errors. Be-
fore the invention of the system, when devices were added, moved, or changed, IT personnel
had to be available to place equipment, and then configure both the network port and the new
device. Legacy CLI configuration can be tedious and expensive, typically took a long time,
didn’t support mobility, and was error-prone.
• Capital outlay (Affordable Licensing) – Does your vendor have a history of forcing sys-
tem-level upgrades: results in difficulty planning an update or configuration change without
having other needed features fall away or have dependencies on the combination of compo-
nents in a specific platform.
• Reducing Time-to-Solution – Networks can consume a more-than-considerable amount of
time and effort in requirements planning, network design, configuration and deployment, on-
going operational management, and for new installations, extensions to coverage and capac-
ity, reconfigurations, moves/adds/changes, and, of course, upgrades to address growing traf-
fic demands and user/device/ application-traffic volumes.
• Managing Complexity – All too often, the piecemeal/piecewise growth strategy typically
historically applied in organizational network evolution results in too many tools, procedures,
and techniques at work, precluding fast responsiveness, optimal operations staff productivity,
and the degree of accuracy and efficiency required to keep end-users productive as well.

Prevent escalation of disruptive behavior?
The ability to organize your responses and calmly respond are practical de-escalation techniques
that can help you avoid a potential crisis. To help with securing your network access control a
more comprehensive approach to the problem. Like with whack-a-mole it would be great if you
could use a hammer which could whack more than one mole at a time. Besides, it would also be
great if you could automate the whacking of the mole with some additional intelligence to know
which hole they will appear from before you need to swing your hammer.
The mantra for today’s discerning network operators and users is “I want it all, and I want it
now.” Network operators want to maintain constant vigilance and control over their infrastruc-
ture. However, one attribute cannot be at the expense of another. For example, strong security or
granular visibility must not come at the cost of performance or ease of use. The net-net is in to-
day’s highly competitive environment; compromise is not an option—network operators and us-
ers want it all.
Increase your span to control the moles. One-click, 1000 Actions will increase the span of
control need to cover both wired and wireless which will result in a flatter or more overall secu-
rity posture, with fewer management positions relative to the number of network experiences —
authorization, Authentication, and Accounting of network connections using control built-into
the network. Extreme policy exploits role-based restrictions of the user, device, location, or time
for both wired and wireless networks.
Secure your network with in-depth visibility into your wired and wireless network throughout
your system. Tightly integrate with our Analytics use visibility before pivoting to control
through policy across wired and wireless networks. “Your network is too slow!” This statement
immediately places the burden of proof on the administrator’s shoulders. And that can get com-
plicated. It does not take long to check whether the topology is stable, and the network load is
within an acceptable range. The only things that can then help to pinpoint the underlying causes
are random checks. Because subjecting the entire data traffic to analysis is a real challenge.

The next generation ethernet gangster (part 2)

The next generation ethernet gangster (part 2)

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to The next generation ethernet gangster (part 2)

Similar to The next generation ethernet gangster (part 2) (20)

More from Jeff Green

More from Jeff Green (20)

Recently uploaded

Recently uploaded (20)

The next generation ethernet gangster (part 2)