© 2009 Extreme Networks, Inc. All rights reserved.
Extreme Networks Data Sheet
Comprehensive Security Using Defense-in-Depth
User Authentication and Host Integrity Checking
Network Login
Network Login capability enforces user admission and usage policies. Summit X350 series switches support a comprehensive range of Network Login options by providing an 802.1x agent-based approach, a Web-based (agent-less) login capability for guests, and a MAC-based authentication model for devices. With these modes of Network Login, only authorized users and devices are permitted to connect to the network and be assigned to the appropriate VLAN.
Multiple Supplicant Support
Shared ports represent a potential vulnerability in a network. Multiple supplicant capability on a switch allows it to uniquely authenticate and apply the appropriate policies and VLANs for each user or device on a shared port.
Multiple supplicant support helps secure IP Telephony and wireless access. Converged network designs often involve the use of shared ports (see Figure 2).
Host Integrity Checking
Host integrity checking helps keep infected or non-compliant machines off the network. Summit X350 series switches support a host integrity or endpoint integrity solution that is based on the model from the Trusted Computing Group. Summit X350 interfaces with the Sentriant AG200 endpoint security appliance from Extreme Networks to verify that each endpoint meets the security policies that have been set, and quarantines those that are not in compliance.
Extensive MAC and IP Security Functionality
MAC Security
MAC security allows a port to be locked down to a given MAC address and allows the number of MAC addresses on a port to be limited. MAC security can be used to dedicate ports to specific hosts or devices such as VoIP phones or printers and avoid abuse of the port, a capability of particular interest in environments such as hotels. In addition, an aging timer can be configured for the MAC lockdown, protecting the network from the effects of attacks using (often rapidly) changing MAC addresses.
IP Security
The ExtremeXOS IP Security Framework helps protect the network infrastructure, network services such as DHCP and DNS, and host computers from spoofing and man-in-the-middle attacks. It also helps protect the network from statically configured and/or spoofed IP addresses, and builds an external trusted database of MAC/IP/port bindings that identify the source of traffic from a specific address for immediate defense.
Network Intrusion Detection and Response
Hardware-Based sFlow Sampling
sFlow® is a sampling technology that provides the ability to continuously monitor application-level traffic flows on all interfaces simultaneously. The sFlow agent is a software process that runs on Summit X350 switches and packages data into sFlow datagrams that are sent over the network to an sFlow collector. The collector gives an up-to-the-minute view of traffic across the entire network, providing the ability to troubleshoot network problems, control congestion and detect network security threats.
Port Mirroring
To allow threat detection and prevention, Summit X350 switches support many-to-one and one-to-many port mirroring. This allows traffic to be mirrored to an external network appliance such as an intrusion detection device for trend analysis, or to be used by a network administrator for diagnostic purposes.
Line-Rate ACLs
ACLs are one of the most powerful components used in controlling network resource utilization as well as protecting the network. Summit X350 switches support 1,024 centralized ACLs per 24-port block based on Layer 2, 3, or 4 header information such as the MAC, IPv4 and IPv6 address or TCP/UDP port.
Denial of Service Protection
Summit X350 can effectively handle DoS attacks. If the switch detects an unusually large number of packets in the CPU input queue, it will assemble ACLs that automatically stop these packets from reaching the CPU. After a period of time, these ACLs are removed, and reinstalled if the attack continues.
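A simplified model of the detect, block, expire and reinstall cycle described above, as an added example: it is not ExtremeXOS code, and the threshold, the ACL lifetime, the per-interval counting and the block-the-heaviest-sender policy are assumptions chosen for illustration.

```python
from collections import Counter

THRESHOLD = 100    # assumed: packets per interval treated as "unusually large"
ACL_LIFETIME = 3   # assumed: number of intervals an installed ACL is kept


def simulate(intervals, threshold=THRESHOLD, lifetime=ACL_LIFETIME):
    """Model the detect / block / expire / re-detect cycle.

    intervals: one dict per sampling interval, {source: packets sent to the CPU}.
    Returns one (packets_reaching_cpu, events) tuple per interval.
    """
    acls = {}  # source -> first interval in which its ACL is no longer active
    timeline = []
    for t, offered in enumerate(intervals):
        events = []
        # Timed removal: drop ACLs whose lifetime is over.
        for src in sorted(s for s, end in acls.items() if end <= t):
            del acls[src]
            events.append(f"remove {src}")
        # Installed ACLs discard matching packets before the CPU input queue.
        queue = Counter({s: n for s, n in offered.items() if s not in acls})
        reached = sum(queue.values())
        # Detection: load above the threshold -> block the heaviest senders
        # until the remaining load would fit under the threshold.
        remaining = reached
        for src, count in queue.most_common():
            if remaining <= threshold:
                break
            acls[src] = t + 1 + lifetime  # active for the next `lifetime` intervals
            remaining -= count
            events.append(f"install {src}")
        timeline.append((reached, events))
    return timeline


# Constructed traffic: one host floods the CPU for 8 intervals, one host is normal.
FLOOD = [{"10.0.0.66": 500, "10.0.0.5": 20} for _ in range(8)]

if __name__ == "__main__":
    for t, (reached, events) in enumerate(simulate(FLOOD)):
        print(t, reached, events)
```

In the constructed run the flood reaches the CPU only in the interval where it is first detected and again in the interval where the ACL expires, which is the cost of timed removal that an operator tuning such a feature has to weigh.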
Secure Management
To prevent management data from being intercepted or altered by unauthorized access, Summit X350 supports the SSH2, SCP and SNMPv3 protocols.
Implementing a secure network means providing protection at the network perimeter as well as the core. Working together with the Sentriant® family of products from Extreme Networks, Summit X350 series switches use a defense-in-depth strategy to help protect your network from known or potential threats. Security offerings from Extreme Networks encompass three key areas: user and host integrity, threat detection and response, and hardened network infrastructure.
Figure 2: Multiple Supplicant Support. Summit X350 offers multiple supplicant support, which helps provide per-MAC based authentication with dynamic VLAN allocation. (Diagram labels: VLAN Green, VLAN Orange, VLAN Purple, Rogue Clients.)