About Access Control Lists (ACLs)
Access Control Lists allow a network administrator to apply granular filtering to the traffic based on various packet parameters. Each packet is examined by the switch hardware at wire speed to determine if it is to be forwarded or dropped based on the criteria configured in the ACLs. NetVisor OS supports Layer 2 ACLs, based on MAC addresses, as well as IP-based ACLs, which can be based on source and destination addresses, and on protocol type. NetVisor OS supports UDP, TCP, IGMP, and ICMP protocol types.
For example, ACLs can allow one host to access part of your network and prevent another host from accessing the same area. You can also use ACLs to decide what types of traffic are forwarded or blocked.
For configuration examples on ACLs, see the following sections.
For more granular security policies, which also support statistics collection, see the Configuring and Using vFlows chapter, in particular the Using vFlows to Disable Communication for Security Monitoring section.
IP Spoofing Protection
Using someone else’s identity (“spoofing”) is very useful to attackers in various types of attacks, for example to avoid being traced and/or to amplify the effect of an attack. DDoS attacks, in fact, usually spoof the source addresses of random systems.
In some cases, the spoofed addresses are deliberately selected from a specific target network, so that the devices under attack respond with ICMP messages or other traffic and thereby unwittingly overload the spoofed devices selected by the attackers.
As described in more detail in RFC 2827, sites can protect themselves by implementing proper filtering techniques to check the source addresses of the traffic. Firewalls, for example, can filter traffic coming from outside the DC and filter out spoofed IP sources: for example, sources that are known to be inside the DC, not outside, or that use invalid/reserved addresses such as the so-called “Martian addresses”, which include any address within the 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4 ranges.
However, when a spoofing attack is locally originated, DC network devices connected to the servers (typically the leaf switches) need to implement the source address filtering mechanism.
In high-performance environments, a correspondingly high-performance solution is needed to deal with IP spoofing with zero (or minimal) performance loss. On routers, this solution is usually known as Unicast Reverse Path Forwarding (uRPF), a technology which in some cases may have performance implications.
NetVisor OS leverages its high-performance vFlow hardware technology to implement comprehensive uRPF validation that works with all types of traffic: bridged, routed, and VXLAN-encapsulated (whether pass-through or terminated).
vFlow can be used to completely prevent servers from sourcing IP traffic using an illegitimate address and to monitor attempted violations through dedicated statistics. The following example shows a simple two-level source filter:
CLI (network-admin@switch) > vflow-create vlan 11 src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
CLI (network-admin@switch) > vflow-create vlan 11 src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0
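The two-rule pattern above extended to several VLANs, as an added example that is not NetVisor OS code or part of the original documentation: it generates the permit/deny command pair per VLAN using only the options shown above, and models the intended permit/drop outcome over constructed sample traffic. VLAN 12, its subnet and label, and all function names are assumptions; the verdict logic models the filter's intent, not the switch's hardware matching.

```python
import ipaddress

# Inventory: VLAN id -> (label, legitimate server subnet).
# VLAN 11 / "amber" / 10.1.11.0/27 come from the page; VLAN 12 is constructed.
VLANS = {
    11: ("amber", "10.1.11.0/27"),
    12: ("blue", "10.1.12.0/26"),
}
TABLE = "System-VCAP-table-1-0"  # table name as used on the page


def urpf_commands(vlans=VLANS, table=TABLE):
    """Return the permit/deny vflow-create pair for every VLAN."""
    cmds = []
    for vlan, (label, subnet) in sorted(vlans.items()):
        # strict=True raises ValueError on a typo such as 10.1.11.1/27
        net = ipaddress.ip_network(subnet, strict=True)
        cmds.append(f"vflow-create vlan {vlan} src-ip {net} "
                    f"name {label}-urpf-permit action none table {table}")
        cmds.append(f"vflow-create vlan {vlan} src-ip 0.0.0.0/0 "
                    f"name {label}-urpf-deny action drop table {table}")
    return cmds


def verdict(vlan, src_ip, vlans=VLANS):
    """Model the intended outcome of the two-level filter for one packet."""
    if vlan not in vlans:
        return "unfiltered"  # no source filter defined for this VLAN
    net = ipaddress.ip_network(vlans[vlan][1])
    return "permit" if ipaddress.ip_address(src_ip) in net else "drop"


def audit(packets, vlans=VLANS):
    """Count would-be drops per VLAN, mirroring the deny flow's statistics."""
    drops = {}
    for vlan, src in packets:
        if verdict(vlan, src, vlans) == "drop":
            drops[vlan] = drops.get(vlan, 0) + 1
    return drops


# Constructed sample traffic: (vlan, source address)
SAMPLE = [(11, "10.1.11.5"), (11, "10.1.11.30"), (11, "10.1.11.33"),
          (11, "192.0.2.7"), (12, "10.1.12.40"), (12, "10.1.11.5")]

if __name__ == "__main__":
    print("\n".join(urpf_commands()))
    print(audit(SAMPLE))
```

Note that 10.1.11.33 is dropped because a /27 ends at 10.1.11.31, and that an address legitimate on VLAN 11 is still dropped when it appears as a source on VLAN 12.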