Securing end devices
• Securing the network edge – already covered.
• Infrastructure devices in the LAN
• Workstations
• Servers
• IP phones
• Access points
Endpoint Security
• If users are not practicing security in their desktop operations, no amount of security
Endpoint security applications
• IronPort security appliances
Securing Layer 2
• MAC address spoofing
• STP manipulation attacks.
• Layer 2 security configurations include:
– Enabling port security
– BPDU guard
– Root guard
– Storm control
Endpoint security
• Cisco Network Admission Control (NAC)
– complies with network security policies
• Endpoint protection
– Cisco Security Agent (CSA)
– IronPort
• Network infection containment
– automating key elements of the infection response process
Operating systems
• Trusted code
– the operating system code is not compromised
• Trusted path
– the system is a genuine one and not a Trojan Horse
• Privileged context of execution
– Provides identity authentication and certain privileges based on the identity.
• Process memory protection and isolation
– Provides separation from other users and their data.
• Access control to resources
Operating systems
• Protect an endpoint from operating system vulnerabilities:
– Least privilege concept
– Isolation between processes
– Reference monitor
• An access control concept that mediates all access to objects.
Endpoint security solution
• IronPort
– C-Series - An email security appliance for virus and spam control.
– S-Series - A web security appliance for spyware filtering, URL filtering, and anti-malware.
SenderBase
• IronPort SenderBase is the world's largest email traffic monitoring service. SenderBase collects data from more than 100,000 ISPs, universities, and corporations. It measures more than 120 different parameters for any email server on the Internet. This massive database receives more than five billion queries per day, with real-time data streaming in from every continent and both small and large network providers. SenderBase has the most accurate view of the sending
NAC
– With NAC, network security professionals can authenticate, authorize, evaluate, and
CSA
Layer 2 Security
• Layer 2 attacks typically require internal access, either from an employee or visitor.
• If the Data Link Layer is hacked, communications are compromised without the other layers being aware of the problem.
• Security is only as strong as the weakest link.
• Regarding network security, the Data Link Layer is often the weakest link.
• When the layer is compromised, other layers are not aware of that fact,
• Buffer overflows
MAC address overflow attacks
• MAC address tables are limited in size
• Macof tool
• Bombarding the switch with fake source MAC addresses
• The switch begins to flood all incoming traffic to all ports
MAC address overflow attacks
• Mitigated by configuring port security on the switch
• Statically specify the MAC addresses on a particular switch port
STP manipulation attacks
• Mitigation techniques for STP manipulation include
LAN Storm attack
• Errors in the protocol stack implementation
• Mistakes in network configurations
• Users issuing a DoS attack can cause a storm.
• Broadcast storms can also occur on networks. Switches always forward broadcasts out all ports. Some necessary protocols, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP), use broadcasts; therefore, switches must be able to forward broadcast traffic.
• Storm control prevents traffic on a LAN from being
VLAN hopping attack
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
• Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue
VLAN hopping attack
• Prevent a basic VLAN hopping attack
• Turn off trunking on all ports, except the ones that specifically require trunking.
• On the required trunking ports, disable
Mitigating Layer 2 attacks
• Enable port security.
• Statically specify MAC addresses for a port, or permit the switch to dynamically learn a limited number of MAC addresses.
• Limit the number to one.
• The port either shuts down until it is administratively enabled (default mode) or drops incoming frames from the insecure host (restrict option).
• It is recommended that an administrator configure the port security feature to issue a shutdown rather than dropping frames from insecure hosts with the restrict
Configuring port security
• Step 1.
• Sets the interface mode as access
• If an interface is in the default mode
Configuring port security
• Step 2.
Configuring port security
• Step 3.
• Sets the maximum number of secure MAC addresses for the interface (optional)
Violation rules for the switch-port
• Step 1.
Violation rules for the switch-port
• Step 2.
Violation rules for the switch-port
• Step 3.
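The three configuration steps and the three violation-rule steps above, together with the port-security mitigation for MAC address overflow attacks, as one interface configuration. This is an added example written for these slides, not configuration from the original deck; the interface number, VLAN number and MAC address are constructed placeholders, and the shutdown violation mode follows the slides' recommendation over the restrict option.

```cisco
! Added example (not from the original slides). Fa0/5, VLAN 10 and the
! MAC address 0000.1111.2222 are constructed placeholders.
Switch(config)# interface FastEthernet0/5
! Step 1: force access mode; port security is refused on a dynamic (default) port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Step 2: enable port security on the interface
Switch(config-if)# switchport port-security
! Step 3: cap the number of secure MAC addresses (the slides recommend one)
Switch(config-if)# switchport port-security maximum 1
! Violation rule: err-disable the port rather than silently dropping frames (restrict)
Switch(config-if)# switchport port-security violation shutdown
! Learn the first MAC address seen and write it into the running configuration
Switch(config-if)# switchport port-security mac-address sticky
! Alternative to sticky learning: statically specify the single permitted host
! Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# exit
! Optional: let an err-disabled port recover after 5 minutes instead of a manual no shutdown
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verification: violation mode, secure address count and the learned address
Switch# show port-security interface FastEthernet0/5
Switch# show port-security address
Switch# show errdisable recovery
```

A flooding tool such as macof fills the CAM table only if the switch accepts an unbounded number of source addresses per port; with the maximum set to one, the second source MAC seen on Fa0/5 counts as a violation and the port is err-disabled, which also shows up as a syslog message that a monitoring system can alert on.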
PortFast
• The spanning-tree PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states.
• Switch(config-if)# spanning-tree portfast
BPDU Guard
• BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them.
• If a port that is configured with PortFast receives a BPDU, STP can put the port into the disabled state by using BPDU guard.
• Use this command to enable BPDU guard on all ports with PortFast enabled.
Root Guard
• Root guard is best deployed toward ports that connect to switches that should not be the root bridge.
Storm control
• Enables broadcast storm protection.
• Enables multicast storm protection.
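PortFast, BPDU guard, root guard and storm control as they fit together on an access switch. This is an added example for the four slides above, not configuration from the original deck; the interface ranges and the 50 percent storm thresholds are constructed assumptions, and the downstream-switch port chosen for root guard is a placeholder.

```cisco
! Added example (not from the original slides). Interface numbers and the
! 50% thresholds are constructed placeholders.
! Global default: every PortFast-enabled port gets BPDU guard
Switch(config)# spanning-tree portfast bpduguard default
! Access ports toward end devices (Fa0/1 - Fa0/20)
Switch(config)# interface range FastEthernet0/1 - 20
Switch(config-if-range)# switchport mode access
! PortFast: skip listening/learning on host ports
Switch(config-if-range)# spanning-tree portfast
! BPDU guard per interface as well, so it does not depend on the global default
Switch(config-if-range)# spanning-tree bpduguard enable
! Storm control: suppress when broadcast or multicast exceeds 50% of port bandwidth,
! and err-disable the port instead of only dropping the excess traffic
Switch(config-if-range)# storm-control broadcast level 50
Switch(config-if-range)# storm-control multicast level 50
Switch(config-if-range)# storm-control action shutdown
Switch(config-if-range)# exit
! Root guard on the port facing a downstream switch that must never become root bridge;
! a superior BPDU there puts the port into root-inconsistent state until it stops
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# spanning-tree guard root
Switch(config-if)# exit
! Automatic recovery for ports err-disabled by BPDU guard or storm control
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery cause storm-control
Switch(config)# end
! Verification
Switch# show spanning-tree summary
Switch# show spanning-tree inconsistentports
Switch# show storm-control
```

BPDU guard and root guard answer different questions: BPDU guard says "no switch belongs on this host port at all", root guard says "a switch may sit here, but it must not win the root election". Deploying both on the same port is not meaningful; pick by what is expected on the far end.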
VLAN Trunk Security
• Be sure to disable DTP (auto trunking) negotiations
• Manually enable trunking.
• To prevent a VLAN hopping attack that uses double 802.1Q encapsulation, the switch must look further into the frame to determine whether more than one VLAN tag is attached to it.
• One of the more important elements is to use a dedicated native VLAN for all trunk ports.
VLAN Trunk Security
• Step 1.
VLAN Trunk Security
• Step 2.
VLAN Trunk Security
• Step 3.
• Set the native VLAN on the trunk to an unused VLAN
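The three trunk-security steps above (explicit trunking, DTP disabled, an unused native VLAN) plus the double-802.1Q countermeasure as one configuration. This is an added example for these slides, not configuration from the original deck; interface and VLAN numbers are constructed placeholders, and two commands are marked as platform-dependent because not every Catalyst model accepts them.

```cisco
! Added example (not from the original slides). Gi0/1, VLANs 10/20/30 and
! native VLAN 999 are constructed placeholders.
Switch(config)# interface GigabitEthernet0/1
! Platform-dependent: only needed on switches that also support ISL encapsulation
Switch(config-if)# switchport trunk encapsulation dot1q
! Step 1: manually enable trunking instead of letting DTP negotiate it
Switch(config-if)# switchport mode trunk
! Step 2: stop sending DTP frames so a peer cannot negotiate the port's mode
Switch(config-if)# switchport nonegotiate
! Step 3: native VLAN set to an unused VLAN that carries no user traffic
Switch(config-if)# switchport trunk native vlan 999
! Prune the trunk to the VLANs actually required (VLAN 1 is not among them)
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# exit
! Platform-dependent: tag native-VLAN frames on all trunks, so a double-tagged
! frame's outer tag is not silently stripped and the inner tag never reaches another VLAN
Switch(config)# vlan dot1q tag native
! User ports: hard-coded access mode with DTP disabled, so a host cannot spoof DTP
! into turning its port into a trunk
Switch(config)# interface range FastEthernet0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# end
! Verification: mode, encapsulation, native VLAN and allowed VLANs per trunk
Switch# show interfaces trunk
Switch# show dtp interface GigabitEthernet0/1
```

The double-encapsulation attack depends on the attacker's access VLAN being the same as the trunk's native VLAN, because that is the only case in which the switch strips the outer tag and forwards the still-tagged inner frame. An unused native VLAN removes that coincidence; tagging the native VLAN removes the stripping step entirely.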
SPAN Switched Port Analyzer
• A SPAN port mirrors traffic to another port where a monitoring device is connected.
• Without this, it can be difficult to track hackers after they have entered the network.
Summary Layer2
• Manage switches in a secure manner (SSH, out-of-band management, ACLs, etc.), much like routers.
• Set all user ports to non-trunking ports (unless you are using Cisco VoIP).
• Use port security where possible for access ports.
Summary Layer2
• Use Cisco Discovery Protocol only where necessary – with phones it is useful.
• Configure PortFast on all non-trunking ports.
• Configure root guard on STP root ports.
• Configure BPDU guard on all non-trunking ports.
• Always use a dedicated, unused
Summary Layer2
• Do not use VLAN 1 for anything.
• Disable all unused ports and put them in an unused VLAN.
• Manually configure all trunk ports and disable DTP on trunk ports.
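The remaining items of the three summary slides (secure management, CDP only where needed, no VLAN 1, unused ports disabled and parked) together with the SPAN slide, written out as one access-switch configuration. This is an added example, not configuration from the original deck; the hostname, addresses, VLAN and interface numbers are constructed placeholders.

```cisco
! Added example (not from the original slides). Hostname, 10.99.0.0/24 management
! subnet, VLANs 99/999 and all interface numbers are constructed placeholders.
! --- Secure management: SSH v2 only, local login, reachable only from the management subnet
Switch(config)# hostname SW-ACCESS-1
SW-ACCESS-1(config)# ip domain-name example.local
SW-ACCESS-1(config)# crypto key generate rsa modulus 2048
SW-ACCESS-1(config)# ip ssh version 2
SW-ACCESS-1(config)# username admin secret StrongPassw0rd!
SW-ACCESS-1(config)# ip access-list standard MGMT-HOSTS
SW-ACCESS-1(config-std-nacl)# permit 10.99.0.0 0.0.0.255
SW-ACCESS-1(config-std-nacl)# exit
SW-ACCESS-1(config)# line vty 0 15
SW-ACCESS-1(config-line)# transport input ssh
SW-ACCESS-1(config-line)# login local
SW-ACCESS-1(config-line)# access-class MGMT-HOSTS in
SW-ACCESS-1(config-line)# exit
! --- Do not use VLAN 1: management SVI on VLAN 99, VLAN 1 SVI shut down
SW-ACCESS-1(config)# vlan 99
SW-ACCESS-1(config-vlan)# name MGMT
SW-ACCESS-1(config-vlan)# vlan 999
SW-ACCESS-1(config-vlan)# name UNUSED-PARKING
SW-ACCESS-1(config-vlan)# exit
SW-ACCESS-1(config)# interface Vlan1
SW-ACCESS-1(config-if)# shutdown
SW-ACCESS-1(config-if)# interface Vlan99
SW-ACCESS-1(config-if)# ip address 10.99.0.10 255.255.255.0
SW-ACCESS-1(config-if)# no shutdown
SW-ACCESS-1(config-if)# exit
! --- CDP stays on globally for the IP-phone ports Fa0/1 - 10 and is turned off on data-only ports
SW-ACCESS-1(config)# interface range FastEthernet0/11 - 20
SW-ACCESS-1(config-if-range)# no cdp enable
SW-ACCESS-1(config-if-range)# exit
! --- Unused ports: access mode, parked in the unused VLAN and administratively down
SW-ACCESS-1(config)# interface range FastEthernet0/21 - 24
SW-ACCESS-1(config-if-range)# switchport mode access
SW-ACCESS-1(config-if-range)# switchport access vlan 999
SW-ACCESS-1(config-if-range)# shutdown
SW-ACCESS-1(config-if-range)# exit
! --- SPAN: mirror both directions of the user ports to Gi0/2, where the IDS sensor is attached
SW-ACCESS-1(config)# monitor session 1 source interface FastEthernet0/1 - 20 both
SW-ACCESS-1(config)# monitor session 1 destination interface GigabitEthernet0/2
SW-ACCESS-1(config)# end
! Verification
SW-ACCESS-1# show ip ssh
SW-ACCESS-1# show cdp interface
SW-ACCESS-1# show vlan brief
SW-ACCESS-1# show monitor session 1
```

A SPAN destination port only transmits mirrored frames and does not participate in normal switching, so the sensor cannot be reached through it by hosts on the user VLANs; that is the reason it is kept separate from the management SVI used for SSH.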
Wireless security
Threats to wireless
• Network Stumbler software finds wireless networks.
• Kismet software displays wireless networks that do not broadcast their SSIDs.
• AirSnort software sniffs and cracks WEP keys.
• CoWPAtty cracks WPA-PSK (WPA1).
• ASLEAP gathers authentication data.
Mitigating threats to wireless
• Wireless networks using WEP or WPA/TKIP (Wi-Fi Protected Access with the Temporal Key Integrity Protocol) are not very secure and are vulnerable to hacking attacks.
• Wireless networks using WPA2/AES (Advanced Encryption Standard) should have a passphrase of at least 21 characters; this is the state of the art.
• If an IPsec VPN is available, use it on any public wireless LAN.