Network Security. Topology. Spring This is the logical topology of the network environment used for testing.

Transcription

1 Course: 1DV447 Advanced LAN Technologies Network Security Spring 2014 Topology This is the logical topology of the network environment used for testing. 1/

2 Introduction The area i want to focus on is network related security, or more specifically to what extent can we secure a network given the equipment we have. I want to research about what different security issues and measures are common, configure the network equipment in a secure manner and try to find a way to test all of the security related configuration that will be used. The questions i want answered is what can be done when the security requirements for a network is very high, do the steps taken really work, how can they be tested and what are the potential pitfalls when securing a network. The scenario i want to work on is a small network with one router and one switch that i want to lock down as hard as i can without rendering it completely unusable. On the network i will have one RADIUS server, one DHCP server, one client (expected to be there, behaves fine), one more client (expected to be there, behaves badly and can t be trusted) and one client that shouldn t be there at all but it wants to get in. I want to try things like port security, 802.1X, IP source guard, dynamic ARP inspection and DHCP spoofing prevention. Simply everything i can think of that could improve the security of the network. Almost all of the different tests i want to do will be performed on a virtual machine running Ubuntu Desktop. For example after enabling IP source guard and dynamic ARP inspection i will try to create traffic that under normal circumstances could fool other hosts on the network and see what happens. For every security feature i am going to try out i will follow these steps: 1. Do some tests before anything is configured to see how things work under normal circumstances. 2. Configure the security features on the network devices (either on the router or the switch). 3. Do tests to see if the enabled security features works as one would expect them to or not. 4. See what happens when a successful test of a security feature is performed, what are the consequences of triggering the newly enabled restriction(s). One would expect that a security feature works as expected but how can you know before you try it out? Or more realistically, how can you be certain that you really did secure the network and not just think that you did it? There is a lot of questions and uncertainties that i want to clear up. Does the equipment support the things i want to try, will i encounter something that does not 2/

3 quite work as expected and how is it possible to create specific network traffic (for example traffic that contains a different source IP address or answer ARP requests with fake ARP replies). Tests There are several tests i want to perform and because they are all unrelated to each other i have one section for each subject. All of the sections contains tests performed before, detailed configuration of a feature and the results of tests performed afterwards (end results). Port Security The first thing i want to try out is putting limits on which machines can be used to access specific ports on the switch. By using what is called as port security i can configure a specific interface on the switch to only accept access to a machine with a specific MAC hardware address, if the switch encounters traffic on the port that has a different MAC hardware address specified as source then the switch will immediately notice it and an action is triggered [1]. In this scenario we want high security and therefor we configure the switch to completely shutdown an interface when the security feature is triggered. Tests Before Under normal circumstances there are no restrictions on what MAC hardware address can be used on different interfaces. Most of the time it is simple not something you want to have enabled. Because of this there is not much to test except using different machines (or change the MAC hardware address on just one machine through software) on one port just to make sure that it really does work no matter what. Configuration interface FastEthernet0/1 switchport port-security switchport port-security mac-address c4e.2067.fe0 switchport port-security violation shutdown interface FastEthernet0/13 switchport port-security switchport port-security mac-address 000c.22a.4415 switchport port-security violation shutdown interface FastEthernet0/14 3/

4 switchport port-security switchport port-security mac-address 000c.2f3.055 switchport port-security violation shutdown The command switchport port-security enables the port security feature, switchport portsecurity mac-address <MAC> specifies which MAC hardware address is allowed on the interface and switchport port-security violation shutdown specifies that when another MAC hardware address is encountered on the port then the interface should immediately be disabled. Tests After To make sure that the port security feature really does work as expected i plugged in one client on the interface fa0/13 that has a MAC hardware address that is allowed and another client on the interface fa0/14 that has a MAC hardware address that is not allowed. The client on interface fa0/13 can use the network as one would expect but the client on interface fa0/14 cannot. The interface fa0/14 has immediately been disabled and marked as Errdisable which means that the only way for that port to start working again is if you manually turn the interface on and off on the switch by running shutdown and no shutdown on it. DHCP snooping In this specific network scenario there exist one legitimate DHCP server that all of the clients on the network can use the get IP address configuration. Under normal circumstances any machine on a network can act as a DHCP server which can create potential problems. If a malicious user on the network starts a DHCP server then the other clients can start using it and get IP address configuration that is not correct. A malicious user can for example send out IP address configuration that does not work at all or even worse send out working IP address configuration that says that the malicious user s machine is the gateway for the network [2]. We want all DHCP replies that comes from untrusted ports to be dropped by the switch. Tests Before Before enabling the DHCP snooping feature on the switch i made sure that the legitimate DHCP server was up and running and could be used by all of the clients on the network. Configuration ip dhcp snooping ip dhcp snooping vlan 10 4/

5 no ip dhcp snooping information option interface FastEthernet0/1 switchport mode access switchport access vlan 10 ip dhcp snooping trust interface FastEthernet0/2 switchport mode access switchport access vlan 10 interface FastEthernet0/13 switchport mode access switchport access vlan 10 ip dhcp snooping limit rate 3 interface FastEthernet0/14 switchport mode access switchport access vlan 10 ip dhcp snooping limit rate 3 The command ip dhcp snooping turns on the feature, ip dhcp snooping vlan 10 specifies the VLAN that should be protected, no ip dhcp snooping information option prevents the switch from manipulating DHCP packets that makes the legitimate DHCP service stop working, ip dhcp snooping trust specifies on which port the legitimate DHCP server is located and ip dhcp snooping limit rate 3 specifies a limit for how many DHCP requests are allowed on a port under a specific time (prevents flooding). Tests After We got one legitimate DHCP server connected to the interface fa0/1 that is supposed to work and to make sure it still does we can run sudo dhclient eth0 on one of the clients connected to interface fa0/13 or fa0/14. After we have made sure the service still works on a trusted port we can move the host that is connected to port fa0/1 to the untrusted port fa0/2 and run dhclient once more on the client to see what happens. It will no longer work because the switch will silently drop the DHCP packets coming from the untrusted port. To test the flooding prevention we move the DHCP service back to interface fa0/1 and run sudo dhclient eth0 && sudo dhclient -r more than 3 times in a row under a short time. The switch will immediately disable the interface and put it in Errdisable state. 5/

6 IP Source Guard To prevent hosts on the network from lying about the IP source address that is put inside of network packets we can make use of the DHCP snooping database that we conveniently already have on the switch (it contains the MAC hardware address and IP address of hosts connected to different ports). This security feature knows what IP address is supposed to be inside of packets coming in from all of the different ports. [3] Tests Before To try out a network connection and at the same time also fake the IP source address we can use a program called hping3 on one of the clients. With hping3 we can very easily ping another host and at the same time lie about the IP source address. To do both things all we need to do is run the command hping3 -a and see what happens ( is a fake IP address and is the DHCP server). The communication works just fine. Configuration interface FastEthernet0/1 ip verify source port-security interface FastEthernet0/13 ip verify source port-security interface FastEthernet0/14 ip verify source port-security ip source binding C3E.2067.FE0 vlan fa0/1 The command ip source binding C3E.2067.FE0 vlan fa0/1 creates a static entry for the gateway (DHCP server) because it does not exist in the DHCP snooping database, ip verify source port-security enable the feature. Tests After To test the IP source guard feature all we need to do is run the exact same test as before enabling it. More specifically we run the command hping3 -a once again. This time the communication will not work because the switch will silently drop all packets containing fake IP source addresses. 6/

7 Dynamic ARP Inspection When a host on a network wants to find out the MAC hardware address of another host with a specific IP address it asks everyone on the network and everyone can answer the question. The host who answers the question first might be a malicious user with bad intentions. For example if a new host arrives to the network and asks for the MAC hardware address of the host with IP address (our gateway) another host (for example ) might answer the question and from now on the new host will think that the host who has the IP address is the gateway even though it is not. This is a typical man-in-the-middle attack [4]. Tests Before To test this we need to try and send out fake ARP replies and see if we can trick another host to believe we are someone else on the network. We can use a program called arpspoof to continuously to flood our network with ARP replies. First we run the command arpspoof -i eth0 -t (we target host and tell it we are ) on the host with IP address and on the host with IP address we simple run the command traceroute to see how traffic travels to the IP address From the results we can see that the host (our target) believes that the attacker is indeed the host that have the IP address Configuration ip arp inspection vlan 10 ip arp inspection validate src-mac dst-mac ip The command ip arp inspection vlan 10 enables the dynamic ARP inspection on VLAN 10, ip arp inspection validate src-mac dst-mac ip makes the function check the source and destination MAC hardware address and the IP address to make sure everything looks legitimate. Tests After To perform testing on the dynamic ARP inspection feature we do exactly the same thing as we did in the test before. The results will be that the host who sends our fake ARP replies ( ) can no longer trick the target ( ) to believe it is in fact the host The switch immediately notice that fake ARP replies arrives on a port and all of the packets are dropped and the switch prints out error messages every time it happens. The attack can no longer work. 7/

8 Reflection When i started working on this project i wanted to do more than what i ended up eventually doing. I had plans that was a little bit too big, time was running out and the essay was supposed to be quite short which i noticed early on mine would not be. In the introduction i talk about things like RADIUS and about common security problems etc which i ended up skipping. I leave the introduction and topology intact so the reader at least can understand what i wanted to do and what i wanted to achieve. At least most of the projects goals was met. The port security feature works but it is in reality little more than security by obscurity. A user that wants to gain access to the network can under certain circumstances easily find out what MAC hardware address works on different ports. Lets say that we got two stationary workstations connected to the ports fa0/13 and fa0/14, the malicious user could just unplug one of them and listen to the traffic that it sends out to find out what MAC hardware address the workstations has and later on use the same one on another computer. Port authentication with 802.1X and RADIUS could be used as a solution to this weakness. The DHCP snooping feature was the only one i had any real problems with. Turning it on was not a problem but making the legitimate DHCP server work was a big problem. It was not working quite as one would expect it to, saying that a port was to be trusted was not enough for the legitimate DHCP server to work again. After a lot of wasted hours i fixed the problem with the command no ip dhcp snooping information option, without it the switch will add information in the option field inside of the DHCP header when it encounters DHCP packets and that creates problems for some reason which i do not fully understand. The IP source guard feature worked like a charm. Thanks to the already existing DHCP snooping database little configuration is needed and it will continue to work in a dynamic fashion. I did have to add information about one host but that was only because the host is the same one that is running the DHCP server and it will therefor never use it which in turn makes it not end up in the dynamic DHCP snooping database. The host will simply not ask itself for IP network configuration settings and even if it did that information would not cross the switch and it would continue to be unaware of it no matter what. I think the dynamic ARP inspection feature is the most important security feature of the different ones i tested out. A malicious user on the network can do a lot of bad things if it can pretend to be someone else on the network on such a low level (layer 2). Someone with more experience could easily wreak havoc on a network while continuing to go unnoticed in most circumstances. 8/

9 References [1] D. Huckaby, "Securing Switch Access" in CCNP Switch : Official Certification Guide, Indianapolis: Cisco Press, 2011, pp [2] D. Huckaby, Securing Switch Access" in CCNP Switch : Official Certification Guide, Indianapolis: Cisco Press, 2011, pp [3] D. Huckaby, Securing Switch Access" in CCNP Switch : Official Certification Guide, Indianapolis: Cisco Press, 2011, pp [4] D. Huckaby, Securing Switch Access" in CCNP Switch : Official Certification Guide, Indianapolis: Cisco Press, 2011, pp /