Network Security. Ensuring Information Availability. Security

Transcription

1 Ensuring Information Availability Security

2 - Ensuring Information Availability Introduction The advent of the Internet and the huge array of connected devices has led to an insatiable demand for access to information when and where we need it. This has also changed the way we do business, with an ever increasing reliance on Information Technology resources and applications. The security of these resources has become a principal concern for network administrators to ensure maximum availability of the corporate network and Internet access. The deployment of switched networks in the Enterprise provides high-speed access to applications and the sharing of information. Security on these switches is as important as that of servers and end user computer equipment. The switches are as integral to maintaining network security as they are to forwarding data. There are a number of ways that the switching infrastructure maintains security in the modern network. industry leading switching technology provides a comprehensive security suite and supports a multi-layered approach to safeguarding the network, users, and business critical information. First, we will consider four areas where switches can help ensure a reliable and secure network infrastructure, and then look at some common network attacks and how they are mitigated. Multi-layered security Providing a secure environment for the sharing of corporate information and broader online access requires a considered approach. When security is cohesively implemented in the ) Network Infrastructure ) Switch Management 3) Features 4) Network Access the outcome is a resilient and reliable environment for access to online resources. ) Network Infrastructure The underlying network design is the starting point, providing a solid platform on which further switch features can secure network access and specific applications. Dividing the LAN up into Virtual LANs (VLANs) reduces broadcast traffic on the network and simplifies management. VLANs group subsets of ports into virtual broadcast domains which are isolated from each other. This provides a scalable solution as the network grows, while limiting unnecessary traffic from using precious network bandwidth. It also allows management of network access, and application use to be controlled for different groups of users, who do not need to be located together physically. As data packets are marked as belonging to a specific VLAN, we can separate traffic into independent domains and the switch can manage it appropriately. As IP networking has found its way into an increasingly wide array of scenarios, VLAN implementation has kept pace with advanced features to meet the security needs of different market segments. Private VLANs Private VLANs block traffic between hosts in that VLAN. This is perfect, for example, in a Hotel environment where guests in each room can be provided with Internet access, while traffic between rooms is disallowed for security. In conjunction with other advanced security features, private VLANs can be used to tightly manage Layer security in a switched environment. Nested VLANs Nested VLANs are used to overlay a private Layer network over a public Layer network. This allows a customer s LAN to spread to multiple locations in a city, as a second VLAN identifier is used to isolate customer traffic as it is tunnelled through the network Service Provider s infrastructure. Page

3 Virtual customer networks over shared Ethernet infrastructure is another solution facilitated by Nested VLANs, as shown in figure. In a multi-tenant building, each tenant can have their own VLAN structure overlaid on the physical network, and utilizing a high-speed resilient ring topology around the building provides exceptional performance. Each tenant s data runs within its own tunnel, completely separated from anyone else s data, with no possibility of cross-over from one virtual network to another. secure switches allow building management companies to make additional services available to tenants, such as a centralised Data Center and Internet access. The tenant s VLAN structure is encapsulated in a single QinQ VLAN for secure high speed access across their own virtual network to other office space, the data center and Internet. VLAN A Management VLAN Sales B VLAN C Service VLAN 3 x900-4xt Tenant 3 VLAN 3 x900-4xt VLAN Tenant VLAN Tenant VLAN 3 Tenant 3 x600-4ts VLAN 4 Tenant 4 SwitchBlade x908 Data Center Tenant Tenant Tenant 3 Tenant 4 AR750S Router Internet Figure : Virtual customer networks over shared Ethernet infrastructure Page 3

4 - Ensuring Information Availability " security features provide a safe environment for sharing information" ) Secure Switch Management On top of a securely designed environment is the need to manage the various devices that constitute the overall network. switches have a number of secure management options. An out of band Ethernet management port is provided to separate management access from network traffic. When remotely logging in to monitor or manage a switch, Secure Shell (SSH) access provides confidentiality and integrity of data. Switches can be further secured by disabling unused access services, for example, HTTP server and Telnet server. Network management systems use Simple Network Management Protocol (SNMP) to communicate with network switches and other devices. support of SNMPv3 provides secure access with authentication and encryption of management data. Additionally, the Graphical User Interface (GUI) utilises SNMPv3 for protected access when using this visual tool for monitoring and management. To provide a detailed audit trail in the event of a suspected security breach, or other problem, a Syslog server can be configured so switch log messages are stored in a central network repository. 3) Features switches provide numerous security features to enable a safe environment for sharing information. Let s have a look at a few of these: Port Security The ability to limit the number of workstations that are able to connect to specific ports on the switch is managed with Port Security. If these limits are breached, or access from unknown workstations is attempted, the port can do any or all of the following - drop the untrusted data, notify the network administrator, or disable the port. Further to this, specific ports can be set to only allow network access at specific times of day. For example, as shown in figure, a school can keep tight control over network access and application availability for students. Servers x600 AR45 Internet Classroom 8000S Network access allowed between 8am and 4pm 8000S Computer Lab Gigabit link 0/00 link Link aggregation Advanced port security options allow this school to control the times of day that access to online resources and the Internet is available Figure : Port Security Page 4

5 Secure configuration of Spanning Tree Protocol (STP) STP is the most commonly used means of preventing loops in Layer networks. There are two protection mechanisms that should always be enabled to improve robustness, as STP has no inbuilt security. ) STP Root Guard prevents a malicious user being able to access inappropriate data on the network, by allowing the network administrator to securely enforce the topology of the spanning tree. ) BPDU Guard similarly increases the security of STP by allowing the network administrator to enforce the borders of the spanning tree, keeping the active topology predictable. Storm Protection Use storm protection to reduce adverse affects of any network loop that would potentially swamp the network. There are three facets that together protect the network from storms. ) Loop detection monitors traffic for a return of a loop detection probe packet and in the event of a problem can take a variety of actions including logging a fault, disabling a link, or disabling a port or VLAN. ) Thrash limiting detects a loop if certain device hardware addresses are being rapidly relearned on different ports. In the event of a problem similar actions to loop detection can be taken. Control Plane Prioritisation (CPP) CPP prevents the Control Plane from becoming flooded in the event of a network storm or Denial of Service (DoS) attack, ensuring critical network control traffic always reaches its destination. Denial of Service (DoS) attack prevention A DoS attack is an attempt to make online resources unavailable to users. There are a number of known DoS attacks that can be monitored, with detection options being to notify network administration and/or shut down the affected switch port. DHCP Snooping DHCP servers allocate IP addresses to clients, and the switch keeps a record of addresses issued on each port. IP Source Guard checks against this DHCP snooping database to ensure only clients with specific IP and/or MAC address can access the network. DHCP snooping can be combined with other features, like Dynamic ARP Inspection, to increase security in layer switched environments, and also provides a traceable history, which meets the growing legal requirements placed on Service Providers. Access Control Lists (ACLs) and Filters Managing traffic volume and the types of traffic allowed on the network is essential to ensure a high performance, guard against unwanted traffic, and provide continuous access to important data. powerful ACLs and filtering capability provide a mechanism for network traffic control, all handled in the switches' hardware so wire-speed performance is maintained. 3) Storm control limits the rate at which a port will forward broadcast, multicast or unknown unicast packets. This controls the level of traffic that a loop will cause to be flooded in the network. Page 5

6 - Ensuring Information Availability 4) Controlling Network Access The security issues facing enterprise networks have evolved over the years, with the focus moving from mitigating outward attacks to reducing internal breaches and the infiltration of malicious software. This internal defence requires significant involvement with individual devices on a network, which creates greater overhead on network administrators. lowers this overhead and provides an effective solution to internal network security by integrating advanced switching technology as a part of Network Access Control (NAC). In conjunction with NAC, Tri-authentication provides options for managing network access for all devices. Network Access Control (NAC) NAC allows for unprecedented control over user access to the network, in order to mitigate threats to network infrastructure. switches use 80.x port-based authentication in partnership with standards-compliant dynamic VLAN assignment, to asses a user s adherence to network security policies and either grant authentication or offer remediation. Furthermore, if multiple users share a port then multi-authentication can be used. Different users on the same port can be assigned into different VLANs, and so given different levels of network access. Additionally, a Guest VLAN can be configured to provide a catch-all for users who aren't authenticated. Tri-authentication Authentication options include alternatives to 80.x port based authentication, such as web authentication to enable guest access, and MAC authentication for end points that do not have an 80.x supplicant, as shown in figure 3. All three authentication methods - 80.x, MAC-based and Web-based, can be enabled simultaneously on the same port (tri-authentication). Strong Access Shield By providing Tri-authentication, and integrating with NAC, Allied Telesis switches constitute a secure wall around the edge of your LAN, allowing no infected or rogue devices to get network access. Policy and RADIUS Server 80.x authenticated device x600-4ts Tri-authentication capable switch Policy Decision Point Web authenticated device Policy Enforcement Point MAC authenticated device Access Requestor Figure 3: Tri-authentication Page 6

7 Mitigating common network attacks Network security is significantly increased with ' superior multi-layer security suite that we ve described. However, due to increased mobility and the wide availability of various hacking tools, attacks can still occur from within the LAN itself. Let s consider some of the more common information stealing and denial of service attacks and how the switch security suite protects your LAN, preserving the safety of both your mission-critical applications and your productivity. MAC flooding attack Information stealing can be facilitated using a MAC flooding attack, which provides a source of accessible data. A malicious host sends packets from thousands of different bogus source MAC addresses, which fills the forwarding database. Once full, legitimate traffic is flooded and becomes widely accessible, as the switch does not have room to learn any more specific destination addresses in the forwarding database. switches provide two security measures which guard against a MAC flooding attack. The first is host authentication, where authenticating ports will only accept traffic from the MAC addresses of authenticated hosts. The second is port security, which controls how many MAC addresses can be learnt on a specific port, as shown in the diagrams below. Configurable options when limits are breached are to drop the un-trusted data, notify the network administrator, or disable the port. Address Resolution Protocol (ARP) spoofing attacks Another form of information stealing attack is ARP spoofing. A malicious host sends a bogus reply to a network server, claiming to be a genuine host desiring information. Once the switch has an incorrect entry in its ARP table, the malicious host starts to receive data intended for the genuine recipient. switches use DHCP Snooping with ARP Security to protect your network from ARP spoofing attacks. All ARP replies from un-trusted ports are checked to ensure they contain legitimate network addressing information, safeguarding your network and ensuring online information reaches its intended destination. Traffic generated with bogus source MAC addresses 3 Traffic destined for B is also visible to C Traffic flooded Port 3 C B A B A B A Port Port Traffic flooded MAC flooding attack The switch s MAC table is full of bogus MAC addresses. No room to learn any more, so all packets are treated as unknown destination MAC and flooded Configure a MAC learn limit on the switch s edge ports C 3 Traffic destined for B is no longer flooded Port 3 B A A B Port Port MAC flooding defence When the MAC limit is reached, packets from any further MACs are dropped Page 7

8 - Ensuring Information Availability VLAN hopping attacks VLANs aim to provide a degree of network security via user segmentation. A malicious host wishing to gain access to an unauthorised VLAN sends a tagged packet into the network with the VLAN identifier of the target VLAN, which typically the switch will forward to that VLAN. A variation on the VLAN attack is to send a double-tagged packet with the outer tag of the originating VLAN and an inner tag of the target VLAN. The switch will strip off the outer tag and pass the packet on to the target VLAN identified by the inner tag. switches eliminate basic and double-tagged VLAN hopping attacks by using Ingress Filtering to drop all tagged packets, since workstations attached to edge ports should not send tagged packets into the network, as shown in the diagrams below. Spanning Tree Protocol (STP) Attack STP prevents loops in Layer networks, while allowing path redundancy. Switch ports are designated as being either in a forwarding state or a blocked state. If a path becomes unavailable, the network responds by unblocking a previously blocked path to allow traffic to flow. In an STP attack, a malicious user sends an STP message (BPDU) which attempts to compromise the network topology, by forcing it to reconfigure. switches prevent spanning tree attacks by using BPDU guard on all edge ports, preventing bogus STP messages originating from a workstation. Double-tagged packets sent with an outer tag of the local VLAN, and inner tag of the target VLAN Victim 80.q, 80.q Trunk 80.q, Frame Frame Target VLAN Attacker The switch strips off the first tag and sends back out Double-tag VLAN hopping attack Configure the switch s edge ports with ingress filtering to accept ONLY untagged packets Victim Attacker Trunk 80.q, 80.q 3 Target VLAN Tagged packets are dropped Double-tagged packets sent with an outer tag of the local VLAN, and inner tag of the target VLAN Double-tag VLAN defence Page 8

9 Dynamic Host Configuration Protocol (DHCP) attacks DHCP servers allocate IP network addresses to hosts, allowing them to access resources on the network. Two forms of DHCP attack can compromise user s network access. ) DHCP Starvation Attack A malicious user inundating the DHCP server with countless requests from different bogus MAC addresses, results in the server running out of IP addresses. Genuine users are unable to gain a network address and therefore network access. switches use port security to stop malicious users sending multiple MAC addresses to the DHCP server, as shown in the diagrams below. Options are available for corrective action including notifying the network administrator and/or disabling the switch port of the offender. ) DHCP Rogue Server Attack A malicious user disguises himself as a DHCP server and responds to DHCP requests with a bogus network address, compromising the network access of genuine users. switches avoid DHCP rogue server attacks using DHCP Snooping to designate which ports may accept DHCP server response packets. If a rogue server is attached to an 'untrusted' port, its response packets will be dropped, rendering it useless. Denial of Service (DoS) attacks Keeping productivity high requires reliable network access, and there are a number of DoS attacks that can threaten to thwart information availability. Some of these target devices, causing them to reduce performance, while others attempt to send a storm of data at a specific victim, or consume online resources. switches are capable of mitigating all of these attacks using DoS defence, which for the majority of these attacks is implemented in the switch s hardware, so does not affect network performance. Attacker sends many different DHCP requests with many source MACs Port Server runs out of IP addresses to allocate to valid users Port DHCP Server Port 3 DHCP starvation attack Configure MAC learn limit on switch s edge ports Port Attacker sends many different DHCP requests with many source MACs Port DHCP Server Port 3 3 When the learn limit is reached, packets from any further MACs are dropped DHCP starvation defence Page 9

10 Summary switches guarantee a reliable and secure network infrastructure. The fully featured security suite safeguards the network, as well as mitigating threats that would compromise user s access to business critical resources and applications. Network administrators can rest assured that the network is resilient and reliable, and business owners can expect reduced expense along with increased productivity. network security ensuring information availability. About Inc. is a world class leader in delivering IP/Ethernet network solutions to the global market place. We create innovative, standards-based IP networks that seamlessly connect you with voice, video and data services. Enterprise customers can build complete end-to-end networking solutions through a single vendor, with core to edge technologies ranging from powerful 0 Gigabit Layer 3 switches right through to media converters. also offer a wide range of access, aggregation and backbone solutions for Service Providers. Our products range from industry leading media gateways which allow voice, video and data services to be delivered to the home and business, right through to high-end chassis-based platforms providing significant network infrastructure. ' flexible service and support programs are tailored to meet a wide range of needs, and are designed to protect your investment well into the future. Visit us online at. USA Headquarters 9800 North Creek Parkway Suite 00 Bothell WA 980 USA T: F: European Headquarters Via Motta Chiasso Switzerland T: F: Asia-Pacific Headquarters Tai Seng Link Singapore 5348 T: F: Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C RevA