Securing end devices

Transcription

1 Securing end devices Securing the network edge is already covered. Infrastructure devices in the LAN Workstations Servers IP phones Access points Storage area networking (SAN) devices.

2 Endpoint Security If users are not practicing security in their desktop operations, no amount of security precautions will guarantee a secure network.

3 Endpoint security applications IronPort security appliances Network admission control (NAC) Cisco Security Agent (CSA).

4 Securing Layer 2 MAC address spoofing STP manipulation attacks. Layer 2 security configurations include: Enabling port security BPDU guard Root guard Storm control Cisco switched port analyzer (SPAN) Remote SPAN (RSPAN).

5 Endpoint security Cisco Network Admission Control (NAC) complies with network security policies Endpoint protection Cisco Security Agent (CSA) IronPort Network infection containment automating key elements of the infection response process SDN ->NAC, CSA, IPS

6 Operating systems Trusted code the operating system code is not compromised Trusted path the system is a genuine one and not a Trojan Horse Privileged context of execution Provides identity authentication and certain privileges based on the identity. Process memory protection and isolation Provides separation from other users and their data. Access control to resources Ensures confidentiality and integrity of data.

7 Operating systems Protect an endpoint from operating system vulnerabilities: Least privilege concept Isolation between processes Reference monitor An access control concept that mediates all access to objects. Small, verifiable pieces of code

8 Endpoint security solution IronPort C-Series - An security appliance for virus and spam control. S-Series - A web security appliance for spyware filtering, URL filtering, and anti-malware. M-Series - A security management appliance that compliments the and web security appliances by managing and monitoring an organization's policy settings and audit information.

9 SenderBase IronPort SenderBase is the world's largest traffic monitoring service. SenderBase collects data from more than 100,000 ISPs, universities, and corporations. It measures more than 120 different parameters for any server on the Internet. This massive database receives more than five billion queries per day, with real-time data streaming in from every continent and both small and large network providers. SenderBase has the most accurate view of the sending patterns of any given mail sender because of the size of the database.

10 NAC With NAC, network security professionals can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access

11 NAC

12 CSA Policy-driven, data-loss prevention with zero-update attack prevention and antivirus detection

13 CSA

14 Other vendors McAfee Symantec Juniper SonicWALL Fortinet.

15 Layer 2 Security Layer 2 attacks typically require internal access, either from an employee or visitor. If the Data Link Layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as the weakest link. Regarding network security, the Data Link Layer is often the weakest link. When the layer is compromised, other layers are not aware of that fact, Buffer overflows Cisco Security Agent

16 Layer 2 Security

17 MAC address spoofing attacks

18 MAC address overflow attacks MAC address tables are limited in size Macof tool Bombarding the switch with fake source MAC addresses The switch begins to flood all incoming traffic to all ports => a hub

19 MAC address overflow attacks

20 MAC address overflow attacks Mitigated by configuring port security on the switch Statically specify the MAC addresses on a particular switch port Allow the switch to dynamically learn a fixed number of MAC addresses for a switch port.

21 Manipulation attacks

22 STP

23 Manipulation attacks

24 Manipulation attacks Mitigation techniques for STP manipulation include Enabling PortFast Root guard and BPDU guard.

25 LAN Storm attack Errors in the protocol stack implementation Mistakes in network configurations Users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Switches always forward broadcasts out all ports. Some necessary protocols, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP), use broadcasts; therefore, switches must be able to forward broadcast traffic. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.

26 LAN Storm attack

27 VLAN hopping attack Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination. Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.

28 VLAN hopping attack Prevent a basic VLAN hopping attack Turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations Manually enable trunking.

29 VLAN hopping attack

30 Mitigating Layer 2 attacks Enable port security. Statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. Limit the number to one. The port either shuts down until it is administratively enabled (default mode) or drops incoming frames from the insecure host (restrict option). It is recommended that an administrator configure the port security feature to issue a shutdown rather than dropping frames from insecure hosts with the restrict option. The restrict option might fail under the load of an attack.

31 Configuring port security Step 1. Sets the interface mode as access If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.

32 Configuring port security Step 2. Enables port security on the interface

33 Configuring port security Step 3. Sets the maximum number of secure MAC addresses for the interface (optional) The range is 1 to 132. The default is 1.

34 Violation rules for the switch-port Step 1. Sets the violation mode (optional) Default condition (shutdown mode).

35 Violation rules for the switch-port Step 2. Enters a static secure MAC address for the interface (optional)

36 Violation rules for the switch-port Step 3. Enables sticky learning on the interface (optional)

37 Port Fast The spanning-tree PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. Switch(config-if)# spanning-tree portfast Switch(config)# spanning-tree portfast default

38 Port Fast

39 BPDU Guard BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them. If a port that is configured with PortFast receives a BPDU, STP can put the port into the disabled state by using BPDU guard. Use this command to enable BPDU guard on all ports with PortFast enabled. Switch(config)# spanning-tree portfast bpduguard default

40 Root Guard Root guard is best deployed toward ports that connect to switches that should not be the root bridge. Switch(config-if)# spanning-tree guard root

41 Storm control Enables broadcast storm protection. Enables multicast storm protection. Specifies the action that should take place when the threshold (level) is reached.

42 VLAN Trunk Security Be sure to disable DTP (auto trunking) negotiations Manually enable trunking. To prevent a VLAN hopping attack that uses double 802.1Q encapsulation, the switch must look further into the frame to determine whether more than one VLAN tag is attached to it. One of the more important elements is to use a dedicated native VLAN for all trunk ports. Disable all unused switch ports and place them in an unused VLAN.

43 VLAN Trunk Security

44 VLAN Trunk Security Step 1. Specifies an interface as a trunk link

45 VLAN Trunk Security Step 2. Prevents the generation of DTP frames

46 VLAN Trunk Security Step 3. Set the native VLAN on the trunk to an unused VLAN The default native VLAN is VLAN 1.

47 SPAN Switched Port Analyzer A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network. RSPAN

48 Summary Layer2 Manage switches in secure a manner (SSH, out-of-band management, ACLs, etc.). Much like routers. Set all user ports to non-trunking ports (unless you are using Cisco VoIP). Use port security where possible for access ports. Enable STP attack mitigation (BPDU guard, root guard).

49 Summary Layer2 Use Cisco Discovery Protocol only where necessary with phones it is useful. Configure PortFast on all non-trunking ports. Configure root guard on STP root ports. Configure BPDU guard on all non-trunking ports. Always use a dedicated, unused native VLAN ID for trunk ports

50 Summary Layer2 Do not use VLAN 1 for anything. Disable all unused ports and put them in an unused VLAN. Manually configure all trunk ports and disable DTP on trunk ports. Configure all non-trunking ports with switchport mode access.

51 Wireless security WAR-Driving

52 Threats to wireless Network Stumbler software finds wireless networks. Kismet software displays wireless networks that do not broadcast their SSIDs. AirSnort software sniffs and cracks WEP keys. CoWPAtty cracks WPA-PSK (WPA1). ASLEAP gathers authentication data. Wireshark can scan wireless Ethernet data and SSIDs.

53 Mitigating threats to wireless Wireless networks using WEP or WPA/TKIP (Wi Fi Protected Acccess) (Temporal Key Integrity Protocol) are not very secure and are vulnerable to hacking attacks. Wireless networks using WPA2/AES (Advanced Encryption Standard) should have a pass phrase of at least 21 characters and this is the state of the art. If an IPsec VPN is available, use it on any public wireless LAN. If wireless access is not needed, disable the wireless radio or wireless NIC.