i2o solutions - hdn network security solution

www.handream.net Apr 2, 2014 HanDreamnet Industry’s 1st Security Switch

Upload: ramsharma

Post on 23-Jul-2015


2

Well prepared against attacks from outside with IPS / Firewall

No active protection from internal attacks

Outside Network

Access Network (Internal)

No real-time detection & protection from attack / hacking

Very vulnerable if the attack arises from the access level

Backbone Layer

Second level damaged by internal user attacks

Attacks delay overall performance.

Required: auto detect / block

Block only harmful traffic

Cost effective solution

Easy Maintenance

Is perimeter security adequate?

80% of IT breaches are perpetrated by internal traffic !!!!

3

Hacking

Attack

Network Attack (Flooding/DDoS)

Authentication

Direct Attack Intended (Sniffing/Spoofing)

SECURITY ISSUE

Provide internal user authentication

Easy management

Network Resource Management

Intercept Message or Files

Tapping Authentication (VoIP)

Network Down due to attack

Spread damage to the upper layer or peers

HanDreamnet Solution

4

Hacking

IP & ARP spoofing

Network trouble (Management Issue)

IP Address conflicts

Cable Loop

Attacking

DoS/DDoS/SCAN/TCP Syn flooding etc

L2 Authentication

Internal IP address management

Current Network Threats

How does your current L2/L3 switch prevent…

5

HDN Switch Differentiator

Active and Real Time Solutions for

• DoS/DDoS Attacks

• Advanced Persistent Threats

• Cable Looping

• Information Leakage

6

Internet

Current Network Problems

DoS/Harmful traffic from internal

• Harmful traffic spread into internal network

No internal security

• Internal attack affects the entire network

Effect on entire network

• Hard to find out where

Difficult to find out

7

Current Network Problems

• No agent software required

Secured internal network

• Block harmful traffic only

• Normal traffic can be passed

Protect entire network

• Auto detection

• Report function provided

Easy to find problem

Internet

DoS/Harmful traffic from internal

8

Current Network Problems

Solution for APT (Advanced Persistent Threat)

• Only blocking outbound packet

Blocking Point

• Malware can spread internal network

Internal Network

• Hard to find APT source device or port of the switch

Finding APT source

Internet

APT Malware Protection System

9

Current Network Problems

• SG switch can block malware without agent software

Block Point

• Can be secured internal network

Internal Network

• Can find device and port

Finding APT Source

Internet

APT Protection

VIPM

Solution for APT (Advanced Persistent Threat)

10

When security function is OFF

Server/Recorder

Normal Data Traffic Flow

UDP UDP

IP Camera

Case 1: CCTV

11

When security function is OFF

Server/ Recorder

Attack to Camera using TCP Syn Flooding

Syn

Syn

Hacked on empty port

Operating stopped

Could not respond to mass traffic

IP Camera

No Video

Case 1: CCTV

12

When Security function OFF

Server / Recorder

Attack to Recorder using TCP Syn Flooding

Syn

Syn

Operating stopped.

Could not respond to mass traffic

IP Camera

Hacked on empty port

No Video

Case 1: CCTV

13

When Security function OFF

Server/Recorder

Normal Data Traffic Flow

UDP UDP

IP Camera

Case 2: ARP spoofing on CCTV

14

When Security function OFF

Server/Recorder

Image replacing by ARP Spoofing attack

Hacked on empty port

IP Camera

ARP

Misidentify local server

Case 2: ARP spoofing on CCTV

15

When Security function OFF

Server / Recorder

Image replacing by ARP Spoofing attack

Hacked on empty port

IP Camera

UDP

Misidentify local server

Replacing image

Replaced image is recorded

Case 2: ARP spoofing on CCTV

17

Internet

Current Network Problems

Cable Looping

• Broadcasting storm generated

Cable looping by mistake

• Entire network down

• Service stop

Network down

• Very hard to find out

• Takes a long time to fix

Difficult to find out

18

Internet

Current Network Problems

• Auto detect looping packet

Secured internal network

• Block broadcasting storm

Protect entire network

• Auto detection

• Report function provided

Easy to find out

Cable Looping

19

Current Network Problems

Information leakage

• ID/Password stealing and wiretapping on VoIP

Internal data leaking

• Man In The Middle attack

• Packets go through the hacker's PC

Network speed down

• No one catches the ARP Spoofing attack

Difficult to find out

20

Current Network Problems

• Auto detect ARP Spoofing

Secured internal data

• Block Man In The Middle attack

Keep normal condition

• Auto detection

• Report function provided

Easy to find out

Information leakage

21

Current Network Problems

Total Solution

• Multiple products required

Total Solution

• Hard to find the problem because of multi-vendor products

When Failure

• High installation, maintenance, and engineers

Cost

Internet

NMS

Access Management

IP Management

IP Manager

Probe

22

Current Network Problems

Internet

VIPM

• SG Security Switch and VIPM

• NMS, Authentication, IP management, Traffic monitoring

Total Solution

• One vendor solution

When Failure

• Cost effective for all mission

• Security, NMS, Authentication, IP Management, TMS

Cost

Total Solution

23

SG Security Switch

• Detect/Block all kinds of internal attacks

• No service interruption

• Embedded proprietary security ASIC

• Visible and audible alarm for Administrator

• Web-Alert

Normal Traffic

Harmful Traffic

Server

L2 Switch

• No way to detect various harmful traffic

• ACLs are time-consuming

• No Alarm

• No Alert

• Threshold is not enough

Normal Traffic

Harmful Traffic

Server

Regular Switch SG Security Switch

Regular vs. Security Switch

Dirty Clean

| Function | Regular Switch | SG Security Switch |
|---|---|---|
| Harmful Traffic Detection | Only over traffic can be detected; Manual troubleshooting; Decreased Performance; Can’t detect IPv6 attack | Detect all kinds of harmful traffic; Real time detect and block; No performance delay; IPv6 security features & function |
| Isolate Harmful Traffic | Block Port or IP; Service impact | Blocked ONLY harmful traffic; Normal traffic is OK |
| IP telephony tapping (ARP Spoofing) | Detect only dynamic IP (DHCP) | Detect Dynamic and Static too |
| Cable Looping | Manual fix once it happened; Service impact until resolved. | Auto Detect and Block; No service impact |
| NMS | No report feature; No function except configuration | Provide CIO Report; Shows malicious traffic status |
| Power Redundancy (POE) | Internal and external redundancy | Internal redundancy |
| Green IT | Possibly Yes | Save power consumption (max 50%); 802.3az EEE |
| Monitoring/ Management | Need to buy | Included |

Regular vs. Security Switch

25

| Item | SG2024G | Catalyst 2960S-24TS |
|---|---|---|
| Hardware & Interface | | |
| Power | Internal power redundancy | External RPS |
| 10/100/1000Base-T | 24 | 24 |
| 1000 Base-X | 4 | 4 |
| Performance | | |
| Forwarding Rate | 71.4 Mpps | 42 Mpps |
| Flash / DRAM | 256M | 64M / 128M |
| MAC address | 32k | 8k |
| Layer 2 | | |
| STP/RSTP/MSTP/PVST+ / PVRST+ | Yes | Yes |
| Port Redundancy | Smart Port Redundancy | Flexible Link |
| Voice VLAN | Yes | Yes |
| Ring Protocol | Yes | No |
| UDLD, Cable diagnostic (TDR) | Yes | Yes |
| QoS Queue per port | 8 | 4 |
| Security | | |
| L2/L3/L4 ACL, ACL, Time based ACL, VLAN ACL | Yes | Yes |
| DHCP Snooping, IPSG | Yes | Yes |
| 802.1x (Multi user, MAC bypass…) | Yes | Yes |
| Management | | |
| Stacking | No | Yes |
| CDP, DHCP Server, SNMPv1/2/3, TACACS+, RADIUS, IPv6 management, LLDP, LLDP-MED | Yes | Yes |
| Flow Monitoring | sFlow | No |

Spec comparison – Cisco vs HDN

26

| Security features | SG2024G | Catalyst 2960S-24TS |
|---|---|---|
| Set up/Release security policy automatically | OK | N/A |
| Real time log & history for dropping attack on CLI | OK | N/A |
| Real time report while Drop Attack traffic | OK | N/A |
| Scan Attack | OK | N/A |
| IP Spoofing attack | OK | N/A |
| ARP Spoofing attack | OK | N/A |
| NetBios flooding attack | OK | N/A |
| Worm_port_Attack attack | OK | N/A |
| TCP/UDP/ICMP DoS/DDoS_Attack | OK | N/A |
| TCP SCAN_Attack | OK | N/A |
| TCP/UDP/ICMP Flood_Attack | OK | N/A |
| TCP Syn Flood Attack | OK | N/A |
| Loop detection | OK | N/A |

Security features comparison

27

Specification

Wire Speed

L2 function (STP/PVST+/VLAN/LACP)

IPT function (Voice VLAN/Auto QoS/PoE)

General security function (ACL, DHCP Snooping, DAI, IPSG etc)

Special security function (hardware based, smart detection, attack, hacking, spoofing)

Management (free NMS, security log, real time detection report, remote-configuration)

Reliability & Certification (1U internal power redundancy, IPv4/IPv6 CC certified, IPv6 Ready Logo)

TAC support system

Others vs. Security Switch

28

MDS Engine

Main Technology

29

Network Attack Protection (Layer 4 level)

MAC source/dest address

IP source/dest address/port

IP range

TCP flags

Protocol (TCP/UDP/ICMP)

TCP/UDP dest port

Port pattern/IP pattern

Detection count

Cable Loopback Test

IP Spoofing, DHCP Attack, ICMP Attack

Cable disconnected, Loop Detection

MAC Flooding, MAC falsify, ARP Attack

TCP Syn flooding (DoS/DDoS/Random Attack)

UDP flooding, Scanning

Detect Malicious traffic

No signature based update

30

MDS Security Engine: 6 Cube

DoS, DDoS, DDoS (spoofed), Flash crowds, Worms (spoofed)

Attack Packet Analysis

Multi-dimension Security Engine

Sensor Log

MD Protection Engine

RT Packet Gathering Module

Switching Fabric

Protection

DDoS Class, DoS Class, Scan Class, Random Class

Security Filter Module

(0011)

Response

Analysis of user traffic based on S-IP, S-port, D-port, D-IP, Protocol and Entropy of user traffic.

31

MDS Security Engine: 6 Cube

MDS DoS : Src IP 192.168.254.200 attacks Dst IP 192.168.254.1 and Port 445.

32

MDS Security Engine: 6 Cubes

6 Cube based on RPGM (Real-Time Packet Gathering Module)

33

VNM

Monitoring Software

34

VNM(Visual Node Manager)

Network management Simple Management

Fast Resolution

Detail CIO Report

35

Visual & Audible Alarm

VNM(Visual Node Manager)

Provides visual alarm with lightning symbol on attacked ports

Provides audible alarm when it triggers.

36

Auto-Config / Backup configuration files

VNM (Visual Node Manager)

Detects new device automatically.

Backs up configuration files from all distributed switches (shown through VNM)

Copyright © 2013 by Handreamnet Co., Ltd. All rights reserved

1. New IP assign

2. Assign Subnet

3. Assign G/W

4. Assign SNMP Config

37

Auto-Config

38

Easy Installation

Intelligent Security

Who needs?

High Performance

L2 Level Authentication

Easy Maintenance

Hacking

Security

Authentication