Network Intrusion Detection; Port Mirroring - Extreme Networks Summit X250e-24p Datasheet

Summit x250e series

Comprehensive Security Functionality Using Defense-in-Depth
Implementing a secure network means providing protection at the network perimeter as well as the core. Working together with the Sentriant® family of products from Extreme Networks, Summit X250e series uses a defense-in-depth strategy to help protect your network from known or potential threats. Security offerings from Extreme Networks encompass three key areas: user and host integrity, threat detection and response, and hardened network infrastructure.
User Authentication and Host Integrity Checking
Network Login and Dynamic Security Profile
Network Login capability enforces user admission and usage policies. Summit X250e series switches support a comprehensive range of Network Login options by providing an 802.1x agent-based approach, a Web-based (agent-less) login capability for guests, and a MAC-based authentication model for devices. With these modes of Network Login, only authorized users and devices are permitted to connect to the network and be assigned to the appropriate VLAN. The Universal Port scripting framework lets you implement Dynamic Security Profiles, which, in sync with Network Login, allow you to implement fine-grained and robust security policies. Upon authentication, the switch can load dynamic ACL/QoS for a user or group of users to deny or allow access to the application servers or segments within the network.
Multiple Supplicant Support
Shared ports represent a potential vulnerability in a network. Multiple supplicant capability on a switch allows it to uniquely authenticate and apply the appropriate policies and VLANs for each user or device on a shared port.
Multiple supplicant support helps secure IP Telephony and wireless access. Converged network designs often involve the use of shared ports (see Figure 4).
[Figure 4: Multiple Supplicant Support. Summit X250e offers multiple supplicant support, which helps provide per-MAC-based authentication with dynamic VLAN allocation. Figure label: VLAN Green]
© 2009 Extreme Networks, Inc. All rights reserved.
MAC Security
MAC security allows a port to be locked down to a given MAC address and the number of MAC addresses on a port to be limited. This can be used to dedicate ports to specific hosts or devices such as VoIP phones or printers and avoid abuse of the port, a capability of particular interest in environments such as hotels. In addition, an aging timer can be configured for the MAC lockdown, protecting the network from the effects of attacks using (often rapidly) changing MAC addresses.
IP Security
The ExtremeXOS IP security framework helps protect the network infrastructure, network services such as DHCP and DNS, and host computers from spoofing and man-in-the-middle attacks. It also helps protect the network from statically configured and/or spoofed IP addresses and builds an external trusted database of MAC/IP/port bindings, so you know where the traffic from a specific address comes from for immediate defense.
Host Integrity Checking
Host integrity checking helps keep infected or non-compliant machines off the network. Summit X250e series switches support a host integrity or endpoint integrity solution that is based on the model from the Trusted Computing Group. Summit X250e interfaces with the Sentriant AG200 endpoint security appliance from Extreme Networks to verify that each endpoint meets the security policies that have been set, and quarantines those that are not in compliance.
[Figure labels: VLAN Orange, VLAN Purple, Rogue Clients]
Extreme Networks Data Sheet

Network Intrusion Detection and Response
Hardware-Based sFlow Sampling
sFlow is a sampling technology that provides the ability to continuously monitor application-level traffic flows on all interfaces simultaneously. The sFlow agent is a software process that runs on Summit X250e and packages data into sFlow datagrams that are sent over the network to an sFlow collector. The collector gives an up-to-the-minute view of traffic across the entire network, providing the ability to troubleshoot network problems, control congestion and detect network security threats.

Port Mirroring

For threat detection and prevention, Summit X250e supports many-to-one and one-to-many port mirroring. This allows traffic to be mirrored to an external network appliance such as an intrusion detection device for trend analysis, or to be used by a network administrator for diagnostic purposes. Port Mirroring can also be enabled across switches in a stack.
Line-Rate ACLs
ACLs are one of the most powerful components used in controlling network resource utilization as well as protecting the network. Summit X250e supports 1,024 centralized ACLs per 24-port block based on Layer 2, 3 or 4 header information such as the MAC, IPv4 and IPv6 address or TCP/UDP port.
Denial of Service Protection
Summit X250e can effectively handle DoS attacks. If the switch detects an unusually large number of packets in the CPU input queue, it will assemble ACLs that automatically stop these packets from reaching the CPU. After a period of time, these ACLs are removed, and reinstalled if the attack continues. ASIC-based LPM routing eliminates the need for control plane software to learn new flows, allowing more network resilience against DoS attacks.
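The detect, block, expire and reinstall cycle described above can be modeled in a few lines. This is an added example, not Extreme Networks code or a description of ExtremeXOS internals: the per-source counting, the threshold, the counting window, the ACL lifetime and the traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CpuQueueGuard:
    """Toy model of the detect / block / expire / re-block cycle (times in ms)."""
    threshold: int = 100      # assumed: per-source packets per window that is "unusually large"
    window: int = 1000        # assumed: counting window
    acl_lifetime: int = 5000  # assumed: how long a temporary ACL stays installed
    window_start: int = 0
    counts: dict = field(default_factory=dict)  # src -> packets queued for the CPU this window
    acls: dict = field(default_factory=dict)    # src -> expiry time of its temporary deny ACL
    events: list = field(default_factory=list)  # audit trail of (time, action, src)

    def packet(self, now: int, src: str) -> bool:
        """Return True if the packet reaches the CPU queue, False if an ACL drops it."""
        for blocked, expiry in list(self.acls.items()):
            if now >= expiry:                   # ACL aged out: remove it
                del self.acls[blocked]
                self.events.append((expiry, "remove", blocked))
        if src in self.acls:
            return False                        # dropped by the ACL, CPU never sees it
        if now - self.window_start >= self.window:
            self.window_start, self.counts = now, {}
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] > self.threshold:   # flood detected: install a temporary ACL
            self.acls[src] = now + self.acl_lifetime
            self.events.append((now, "install", src))
        return True

def simulate(duration_ms: int = 12000):
    """Constructed traffic: one flooding source (1 pkt/ms), one normal host (1 pkt/100 ms)."""
    guard, reached = CpuQueueGuard(), {"10.0.0.66": 0, "10.0.0.10": 0}
    for t in range(duration_ms):
        reached["10.0.0.66"] += guard.packet(t, "10.0.0.66")
        if t % 100 == 0:
            reached["10.0.0.10"] += guard.packet(t, "10.0.0.10")
    return guard, reached

if __name__ == "__main__":
    guard, reached = simulate()
    for event in guard.events:
        print(event)
    print(reached)
```

The event trail shows why the ACL is temporary: each removal is followed by a short burst that reaches the CPU before the block is reinstalled, while the normal host is never blocked.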
Secure Management
To prevent management data from being intercepted or altered by unauthorized access, Summit X250e supports SSH2, SCP and SNMPv3 protocols. The MD5 hash algorithm used in authentication prevents attackers from tampering with valid data during routing sessions.