Extreme Networks Summit X250e Series Technical Specifications page 4

Edge Power over Ethernet (PoE) and non-PoE switch providing intelligent 10/100BASE-T connectivity

Extreme Networks Data Sheet: Summit X250e Series
Comprehensive Security Management
User Authentication and Host Integrity Checking
Network Login and Dynamic Security Profile
Network Login capability enforces user admission and usage policies.
Summit X250e series switches support a comprehensive range of Network
Login options by providing an 802.1x agent-based approach, a Web-based
(agent-less) login capability for guests, and a MAC-based authentication
model for devices. With these modes of Network Login, only authorized
users and devices are permitted to connect to the network and be assigned
to the appropriate VLAN. The Universal Port scripting framework lets you
implement Dynamic Security Profiles, which work in sync with Network Login
to let you implement fine-grained and robust security policies. Upon
authentication, the switch can load dynamic ACL/QoS profiles for a user or
group of users to deny or allow access to application servers or
segments within the network.
Multiple Supplicant Support
Shared ports represent a potential vulnerability in a network. Multiple
supplicant capability on a switch allows it to uniquely authenticate and
apply the appropriate policies and VLANs for each user or device on a
shared port.
Multiple supplicant support helps secure IP Telephony and wireless access.
Converged network designs often involve the use of shared ports (see
Figure 4).
Media Access Control (MAC) Lockdown
MAC security allows a port to be locked down to a given MAC address and
the number of MAC addresses on a port to be limited. This can be used to
dedicate ports to specific hosts or devices such as VoIP phones or printers
and avoid abuse of the port—a capability that can be especially useful in
environments such as hotels. In addition, an aging timer can be configured
for the MAC lockdown, protecting the network from the effects of attacks
using (often rapidly) changing MAC addresses.
IP Security
The ExtremeXOS IP security framework helps protect the network
infrastructure, network services such as DHCP and DNS, and host
computers from spoofing and man-in-the-middle attacks. It also helps
protect the network from statically configured and/or spoofed IP addresses
and builds an external trusted database of MAC/IP/port bindings so
you know where the traffic from a specific address comes from for
immediate defense.
Identity Manager
Identity Manager allows network managers to track users who access their
network. User identity is captured based on NetLogin authentication, LLDP
discovery and Kerberos snooping. ExtremeXOS uses the information to
then report on the MAC, VLAN, computer hostname, and port location of
the user. Further, Identity Manager can create both roles and policies,
and then bind them together to create role-based profiles based on
organizational structure or other logical groupings, and apply them across
multiple users to allow appropriate access to network resources. In
addition, support for Wide Key ACLs further improves security by going
beyond the typical source/destination and MAC address identification
criteria to provide filtering capabilities.
Host Integrity Checking
Host integrity checking helps keep infected or noncompliant machines off
the network. Summit X250e series switches support a host integrity or
endpoint integrity solution that is based on the model from the Trusted
Computing Group.
Network Intrusion Detection and Response
CLEAR-Flow Security Rules Engine
CLEAR-Flow Security Rules Engine provides first order threat detection
and mitigation, and mirrors traffic to appliances for further analysis of
suspicious traffic in the network.
Hardware-Based sFlow Sampling
sFlow is a sampling technology that provides the ability to continuously
monitor application-level traffic flows on all interfaces simultaneously.
The sFlow agent is a software process that runs on Summit X250e and
packages data into sFlow datagrams that are sent over the network to an
sFlow collector. The collector gives an up-to-the-minute view of traffic
across the entire network, providing the ability to troubleshoot network
problems, control congestion and detect network security threats.
Port Mirroring
For threat detection and prevention, Summit X250e supports many-to-one
and one-to-many port mirroring. This allows the mirroring of traffic to
an external network appliance such as an intrusion detection device for
trend analysis or for utilization by a network administrator for diagnostic
purposes. Port Mirroring can also be enabled across switches in a stack.
Line-Rate ACLs
ACLs are one of the most powerful components used in controlling
network resource utilization as well as protecting the network. Summit
X250e supports 1,024 centralized ACLs per 24-port block based on Layer 2,
3 or 4-header information such as the MAC, IPv4 and IPv6 address or
TCP/UDP port. ACLs are used for filtering the traffic, as well as classifying
the traffic flow to control bandwidth, priority, mirroring and policy-based
routing/switching.
Denial of Service Protection
Summit X250e can effectively handle DoS attacks. If the switch detects an
unusually large number of packets in the CPU input queue, it will assemble
ACLs that automatically stop these packets from reaching the CPU. After a
period of time, these ACLs are removed, and reinstalled if the attack
continues. ASIC-based LPM routing eliminates the need for control plane
software to learn new flows, allowing more network resilience against
DoS attacks.
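Added example (not part of the Extreme Networks data sheet and not ExtremeXOS code): a toy Python model of the detect, block, expire and reinstall cycle described above, run over constructed traffic. The threshold, measurement interval, ACL lifetime, the choice to block the busiest source, and the addresses are all assumptions made for illustration.

```python
from collections import Counter

class CpuDosProtect:
    """Toy model: count CPU-bound packets per interval, block the top talker."""

    def __init__(self, threshold=100, interval_ms=1000, acl_lifetime_ms=5000):
        # All three parameters are assumed values, not ExtremeXOS defaults.
        self.threshold = threshold
        self.interval_ms = interval_ms
        self.acl_lifetime_ms = acl_lifetime_ms
        self.window_start = 0
        self.counts = Counter()   # packets seen by the CPU in the current window
        self.acls = {}            # blocked source -> expiry time (ms)
        self.events = []          # (time_ms, "install" | "remove", source)

    def _roll(self, now):
        # Close every measurement window that ended at or before `now`.
        while now >= self.window_start + self.interval_ms:
            end = self.window_start + self.interval_ms
            if sum(self.counts.values()) > self.threshold:
                src = self.counts.most_common(1)[0][0]  # assumption: block top source
                self.acls[src] = end + self.acl_lifetime_ms
                self.events.append((end, "install", src))
            self.counts.clear()
            self.window_start = end
        # Temporary ACLs are removed once their lifetime has elapsed.
        for src in [s for s, exp in self.acls.items() if now >= exp]:
            self.events.append((self.acls.pop(src), "remove", src))

    def packet(self, now, src):
        """Return True if the packet reaches the CPU, False if an ACL drops it."""
        self._roll(now)
        if src in self.acls:
            return False
        self.counts[src] += 1
        return True

def simulate(duration_ms=12000):
    # Constructed traffic: one host at 10 pps, one flooding source at 500 pps.
    stream = [(t, "192.0.2.10") for t in range(0, duration_ms, 100)]
    stream += [(t, "198.51.100.66") for t in range(0, duration_ms, 2)]
    guard, reached = CpuDosProtect(), Counter()
    for now, src in sorted(stream):
        if guard.packet(now, src):
            reached[src] += 1
    return guard.events, dict(reached)

if __name__ == "__main__":
    events, reached = simulate()
    print(events, reached)
```

In this model the flooding source reaches the CPU only during the interval before each ACL install, so the ratio of ACL lifetime to detection interval determines how much of a sustained flood the control plane still has to absorb.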
Secure Management
To prevent management data from being intercepted or altered by
unauthorized access, Summit X250e supports SSH2, SCP and SNMPv3
protocols. The MD5 hash algorithm used in authentication prevents
attackers from tampering with valid data during routing sessions.
Technical Specifications