School of Communications Technology and Mathematical …



|SECURING WIRED LOCAL AREA NETWORK PROJECT PROPOSAL REPORT |

|Mr Sentuya Francis Derrick, |

| ID 08051602 |

|Module: CT3P50N |

|fds0008@londonmet.ac.uk |

| |

| |

|Supervisor: Dr. Shamhram Salekzamankhani |

|s.salekzamankhani@londonmet.ac.uk |

A project proposal report as a partial fulfilment

of the requirements of London Metropolitan University for

the degree of Bachelor of Science in Computer Networking with Honours

April-13-2011

|Faculty of Computing |

| |

Table of contents

Chapter 1 : Introduction 4

Chapter 2 : Literature Review 5

2.1 LAN overview, 5

2.2 Brief history 6

2.3 Network Security 7

2.4 Evolution of LAN Security 8

2.5 The OSI 7 Layer model Approach to understand LAN Vulnerabilities 9

2.5.1 Application Layer (Layer 7) 10

2.5.2 Presentation Layer (Layer 6) 10

2.5.3 Session Layer (Layer 5) 11

2.5.4 Transport Layer (Layer 4) 11

2.5.5 Network Layer (Layer 3) 11

2.5.6 Data Link Layer (Layer 2) 11

2.5.7 Physical Layer (Layer 1) 11

2.6 LAN’s Most Vulnerable layer 11

2.7 Most common layer 2 attacks/threats: 12

2.8 Types of other Network Threats 14

2.8.1 Reconnaissance attacks 14

2.8.2 Denial-of-service 15

2.8.3 Access attacks 16

2.9 Impact of Network security breaches/ threats 16

2.10 Cisco Security Agent Firewall (Endpoint device security) 18

2.11 Port level traffic control 19

2.12 Port Security 19

2.13 Storm Control 20

2.14 Protected VLAN edge 21

2.15 Access Lists 21

2.16 Spanning Tree Protocol Measures (features) 22

2.16.1 Port-Fast 22

2.16.2 BPDU Guard 22

2.16.3 Root Guard 22

2.16.4 Loop Guard 23

2.16.5 Ether Channel 23

2.16.6 VLAN Trunk Security 23

2.17 Cisco Security Monitoring, Analysis, and Mitigation system CS-MARS 24

2.18 Port Address Translation PAT / NAT Overload 24

2.19 TACACS+ / RADIUS Server 25

2.20 Cisco Adaptive Security Appliance (ASA) firewall 26

2.20.1 Extended Simple Mail Transfer Protocol (ESMTP) 27

2.20.2 File Transfer Protocol 27

2.20.3 H TTP 28

2.20.4 Internet Control Massage Protocol (ICMP) 28

2.20.5 H.323 Standard 28

2.20.6 Skinny Protocol (Simple Client Control Protocol -SCCP) 28

2.20.7 Simple Network Management Protocol (SNMP) 29

2.20.8 Trivial File Transfer Protocol (TFTP) 29

2.20.9 Real Time Streaming Protocol (RSTP) 29

2.21 DNS Implementation 29

2.22 Intrusion detection and Prevention system 30

2.22.1 State-full pattern-matching recognition, 31

2.23 Host- Based Intrusion Detection Systems 32

2.24 Demilitarized Zone (DMZ). 33

2.25 DHCP Snooping 33

2.25.1 Dynamic ARP inspection 34

2.25.2 IP source guard 34

Chapter 3: Aims and Objectives 35

Aim 1: To investigate which layer of the OSI model is most vulnerable to attacks on the Local Area Network. 35

Objectives 35

Aim 2: To investigate and analyse the available tool and methods to secure a wired Local Area Network. 36

Chapter 4: Approach and Scenario 37

4.1 Approach 37

4.2 Scenario 37

4.2.1 Secured LAN Virtual Topology 38

Chapter 5: Project Scope, and Methodology 39

5.1 Project Scope 39

5.2 Methodology 39

5.2.1 Resources 40

5.3 Assumptions 41

5.4 Contingency Plans 42

Chapter 6 : Project Plan 43

6.1 GANTT CHART 43

6.2 WORK BREAKDOWN STRUCTURE 44

Chapter 7: Final Project report Table of Contents 45

Chapter 8: Conclusion 47

References: 48

Chapter 1: Introduction

This project proposal is about how to secure a wired local area network. Local Area Networks are defined as a group of computers and devices interconnected together in a limited geographical area such as computer laboratory, home, office building, or school. Local Area Networks enable the sharing of resources like printers, games, files, or other applications amongst users on the network. One Local Area Network can be connected to other Local Area Networks, and also to the internet.

By this definition it’s imperative therefore to make Local area networks secure to provide users with Confidentiality, data Integrity, and Authentication of everyone who is accessing the network.

Network security is such an important part of Local area networks which involves securing protocols, technologies, and devices, by mitigating any network security threats by use of network security tools and techniques. In addition, network security policies are put in place to provide a framework and guideline for network users/employees to follow when doing their work on company computer networks.

It is in my interest to investigate, analyse, learn and gain skills about the dangers and threats computer networks are faced with, and the technology used to mitigate these threats. Hence have a more secure Local Area Network environment.

A Virtual topology is used to show how to a secured LAN solution.

Chapter 2 : Literature Review

2.1 LAN overview,

In the local area network, users have computer devices, that have got disk, processor and operating systems as a platform for soft wares and other applications run. These computers communicate with one another within a small geographical area covered by the networked computers, usually a single building or group of buildings. Local Area Networks may also connect to other the network of computers with printers, server computer or mainframes with higher processing power and memory storage, that can send information from the Local Area Network over telephone lines to another location or network.

LANs include higher data-transfer rates, no need for a leased telecommunication lines. In the past ARCNET, Token Ring and other technology standards have been used in the past, but Ethernet over twisted pair cabling and Wi-Fi are the two most common technologies currently in use.

This type of networks allows its users to have isolated or separate offices but still be able to operate off the same system, as if they were all sitting around a single computer.

This network can be easily installed simply, upgraded or expanded with little difficulty, even moved or rearranged without disruption. LANs have helped in the increased work place productivity, decreased the amount of paper used and the speeding up of the information flow.

It’s important to mention that on the other hand LANs have also created additional work in terms of organization, maintenance, security and trouble-shooting.

2.2 Brief history

In 1970s and 1980s after the development of both desk operating systems bases personal computers and Control Program for Microcomputers based personal computers meant that one site could have a big number of computers. A need developed to share disk space and laser printers due to the higher cost of these devices, and as a result the idea of LAN started to be developed.

In early 1980 it was advent of Novell NetWare that provided operating systems that support for dozens of competing card/cables types, until the mid 1990 Microsoft introduced Windows NT, UNIX workstations from Sun Microsystems, Silicon Hewlett-Packard bell, Intergraph etc were using TCP/IP based networking which has since then almost replaced other protocols used on early computers.

The introduction of the OSI model has enabled multi-vendors products that can be compatible and work together on one single machine. As a result, users were able to share resources regardless what operating system, network cards, cabling or protocols being used by different software running on the different machines. This poses numerous network security vulnerabilities that can have catastrophic results to businesses, individuals and government organisations as well. This has intern made network security an integral part of computer networks to secure and mitigate network attacks.

2.3 Network Security

Network security involves the protecting of information, systems and the hardware that use, store, and transmit that information. It involves the steps taken to make sure that confidentiality, integrity, and availability of data / resources is maintained form both the internal and external networks threats.

Network security solutions started coming up form the early 1960 but didn’t have a big impact due to the complexity of network security and the dynamic/ever changing nature of networks not until the 2000s. Following below is a brief time line of the network threats over the last 30 years:

❖ 1978 - First Spam on ARPAnet

❖ 1988 - The Morris Internet Virus

❖ 1999 - Melissa Email Virus

❖ 2000 - Mafiaboy DoS Attack, Love Bug Worm, L0phtCrack password cracker released

❖ 2001 - Code Red DoS Attack

❖ 2004 - Botnet hits U.S. Military Systems

❖ 2007 - Storm botnet, TJX Credit Card Data Breach

❖ 2008 - Société Générale Stock Fraud

Due to the fact that network security become an integral part of the business, dedicated devices to network security functions emerged. Over the last 30 years, following network security detection systems and firewall solutions have emerged:

❖ Intrusion detection system (IDS), first developed by SRI International in 1984.

❖ In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.

❖ In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter.

❖ In 1989, AT&T Bell Laboratories developed the first state-full firewall.

❖ In 1991 DEC SEAL Application Layer Firewall was released

❖ In 1994 Check Point Firewall was released.

❖ In 1995 NetRanger IDS was also released.

❖ In August 1997 RealSecure IDS firewall was released.

❖ In 1998 and 1999 Snort IDS and First IPS were released respectively.

❖ As from 2006 Cisco released Cisco Zone-based policy Firewall and

2.4 Evolution of LAN Security

LAN security threats are mostly if not all target the protocols and technologies used on the local area network or the switched network infrastructure, and they fall into two types: Denial of service and Spoofing attacks. The following shows the measures / or Security technologies that have been developed over the last 13 year to mitigate LAN types of threats.

❖ In 1998 measures to Mitigate MAC Address Spoofing, MAC Address Table Overflow Attacks, and LAN Storm were released.

❖ In 2000 measures to Mitigate Root Bridge Spoofing and VLAN Attacks were released.

❖ In 2003 measures to Mitigate ARP Spoofing Attacks were released.

Network Security also requires that Data should be protected and secured. This is achieved by the use of encryption and hashing mechanisms technology which the hiding plaintext data as it traverses the network thus providing Confidentiality, Integrity, and Authentication which are the three components of information security. The following gives an outline of the cryptography security technology and their timeline:

❖ In 1993 Cisco GRE Tunnels was released.

❖ In 1996 Site-to-Site IPSec VPNs was released

❖ In 1999 Secure Socket Layer (SSH) was released

❖ In 2000 Multi-Protocol Label Switching (MPLS VPNs) was released

❖ In 2001 Remote-Access IPSec VPN was released

❖ In 2002 Dynamic Multipoint VPN was released

❖ In 2005 Secure Socket Layer (SSL) VPN was released.

2.5 The OSI 7 Layer model Approach to understand LAN Vulnerabilities

To understand how to secure wired LAN, I am using the (OSI) 7 layer model approach. The OSI Model ISO model of how network protocols and equipment should communicate and work together (interoperate). This approach helps me to investigate the different protocols used on each layer and the security vulnerabilities they pose. Find a way to secure the vulnerabilities by undertaking network security measures to mitigate any attack that may take advantage of these security loopholes. This approach will indicate which OSI layer is the most vulnerable on the LAN.

Diagram 1 : OSI 7 Layer model

[pic]

Figure 1: osi model



The following is the outline of some of the protocols and examples of network devices associated with each layer of the OSI Model.

2.5.1 Application Layer (Layer 7)

Protocols on this layer: HTTP, FTP, SMTP, NTP, SNMP, EDI, Telnet etc are used.

2.5.2 Presentation Layer (Layer 6)

Protocols on this layer: GIF and JPEG, GIF, MPEG, MIME, SSL, TLS.

2.5.3 Session Layer (Layer 5)

Protocols on this layer: NETBIOS, RPC, MAIL SLOTS, APPLETALK, WINSHOCK etc are used.

2.5.4 Transport Layer (Layer 4)

Protocols on this layer TCP, UDP, SPX, and ICMP, etc are used.

2.5.5 Network Layer (Layer 3)

Protocols on this layer: Internet Protocol (IP), Internet Packet Exchange (IPX), ICMP, ARP, IPSEC, BGP, IGRP, and EIGRP etc are used. Examples of devices: Routers, layer 3 switches.

2.5.6 Data Link Layer (Layer 2)

Examples of Layer 2 protocols, Ethernet, Token Ring, Frame Relay, FDDI, ATM, PDN, and Examples of devices are Layer 2 Switches, Bridges, etc.

2.5.7 Physical Layer (Layer 1)

This layer defines the physical medium such as Cabling, interface specifications such as AUI, 10Base-T, RJ45, etc. It’s where data is turned into bits of 0 and 1’s to be sent on the cabling medium.

2.6 LAN’s Most Vulnerable layer

Basing on the OSI model research approach to find out what layer of the seven (7) layers is most vulnerable; I conclude that Layer 2 of the OSI model – (Data link layer) poses the most network security vulnerabilities on the LAN. The data link layer is divided into two sub-layer; logical link control and Media Access Control layer. Examples of the protocols that run on this layer are; FDDI, Ethernet, Token ring, MAC addresses, etc.

A layer 2 LAN switch performs switching and filtering based only on the data link layer 2 MAC address. This makes layer 2 switches completely transparent to the network protocols and user applications. Unauthorised access to the layer 2 devices will put the whole network resources and performance at high security risk.

It should be noted that layer 3 switches are to be seriously considered even though they are operating at a network layer (3). In addition, all protocols on other layers of the OSI model are to be secured to provide a holistic secure LAN environment for security threats.

2.7 Most common layer 2 attacks/threats:

• MAC address spoofing- Switches populate the MAC address table by recording the source MAC address of a frame, and associating that address with the port on which the frame is received. This method has lead to a vulnerability known as MAC spoofing, which occurs when one host poses as another to receive otherwise inaccessible data or to circumvent security configurations.

• STP manipulation attack - STP allows for redundancy, and ensures that only one link is operational at a time and no loops are present.

In an STP manipulation attack, the attacking host broadcasts STP configurations, with BPDUs of a lower bridge priority in an attempt to be elected as the root bridge by forcing spanning-tree recalculations. If the attack is successfully done, the attacking host becomes the root bridge and sees a number of frames wouldn’t have been accessible.

• MAC address table overflows - MAC address tables have got a limited memory size allocated. MAC flooding takes advantage of this limitation by flooding the switch with fake source MAC addresses until the switch MAC address table is full. If enough entries are entered into the MAC address table before older entries expire, the table fills up to the point that no new entries can be accepted. As a result the switch begins to flood all incoming traffic to all ports due to lack of space to learn any legitimate MAC addresses. Its at this point the attacker can see all of the frames sent from one host to another.

• LAN storms – This form of attack occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Switches are cable of broadcasting especially when they are building the MAC address tables, or when using Address Resolution Protocols (ARP), and Dynamic Host Configuration Protocols (DHCP).

• VLAN attacks - The attack works by taking advantage of an incorrectly configured trunk port. Trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The attack can then: spoof DTP messages and cause the switch to enter into trunking mode, or bring up a rogue switch and enable trunking as a result access all the VLANs on the victim switch.

2.8 Types of other Network Threats

In order to have a secure LAN, securing layer 2 on the OSI model is imperative and the primary vulnerabilities for the end –users on their personal computers for example:

❖ Virus –this is malicious software that attaches itself to another program in order to execute a specific unwanted function on a computer.

❖ Worm - This executes arbitrary code and installs copies of itself in the memory of the host computer which then infects other hosts on the network.

❖ Trojan horse - this is an application called a malware in the computing world that carries out malicious operations under the guise of a desired function. It could carry a virus or a worm.

The following shows other categories of network security threats that can exploit the vulnerabilities on the layer 2, end user devices, and other layers on the OSI 7 layer model.

2.8.1 Reconnaissance attacks

These types of attacks gather information on the network or targeted devices security vulnerabilities to be exploited later by using tools like:

• Packet sniffers - a software application that uses the network adapter card in promiscuous mode to capture all network packets which are sent across a LAN.

• Ping sweeps - used to scanning and determining live hosts by use of ICMP echo requests sent to multiple hosts.

• Port Scans - this tool scans a range of TCP or UDP port numbers on a host to detect listening services by sending messages to ports on the host and any response indicates whether the ports is used.

• Internet information queries - these are used to determine who owns a given domain and the addresses that are assigned to that domain.

2.8.2 Denial-of-service

This type of attack sends large numbers of requests over the network in order to cause the target devices to be overwhelmed causing them to run suboptimal and eventually becoming unavailable to serve its legitimate access and use. Examples of DOS attacks are:

• Ping of Death – where the attack sends an echo request in an IP packet that is larger than the maximum packet size of 65,535 bytes that can cause the target computer to crash.

• Smurf Attack – the attack sends a large number of ICMP requests to a directed broadcast address with spoofed source addresses on the same network as the directed broadcast, when the routing device forwards the broadcasts to all hosts on the destination network all hosts will reply to each packet thus causing degrading the network performance.

• TCP SYN Flood attack- floods of TCP SYN packets are sent by the attack with forged sender address where each packet is handled as a connection request causing the server to leave half-open connections by replying with a TCP SYN-ACK packet and waiting in vain for response, this will eventually keep the server from responding to legitimate requests until when the attack ends.

2.8.3 Access attacks

These attacks are used to gain access to the network and retrieve data, and escalate rights to resources. The following are the types of this form of attack:

• Man-in-the-middle- This type of attack involves the attack positioned in the middle of the communications between two legitimate entities in order to read or modify the data that passes between the two parties.

• Buffer overflow – this attack writes data beyond the memory buffer allocated for a certain program and as a result valid data is overwritten to execute a malicious code.

• Port Redirection- a targeted host is used as a stepping point for an attack on other host targets on the network or other networks.

• Password attacks – the attacker keeps guessing the passwords of the targeted host, for example by using a dictionary attack.

• Trusted exploitation – the attacker uses or exploits the privileges granted to a system in unauthorised way as a result compromising the target host.

2.9 Impact of Network security breaches/ threats

Today there is an increasing urgent need to secure computer networks due to many factors some of which are mentioned below:

❖ Increase in cyber crime

• Identity theft

• Child Pornography

• Theft of Telecommunication Services

• Electronic Vandalism, Terrorism and Extortion

• Fraud/Scams

❖ Impact on business and individuals

• Decrease in productivity

• Loss of Sales revenue

• Loss of time

• Compromise of trust and reputation

• Threats to trade secrets or formulas

❖ Sophistication of threats

❖ Proliferation of threats

❖ Legislation and liabilities

❖ Internet connectivity

In order to mitigate the LAN security threats the following technology will be implemented to achieve a secure LAN environment.

2.10 Cisco Security Agent Firewall (Endpoint device security)

I will use Cisco security Agent which protects endpoints against threats that are posed by viruses, Trojan Horses, and worms as means to secure my end devices.

Figure 3: Cisco Security Agent Firewall

[pic]

Ref: CCNA Security, Implementing Network Security book, Cisco Press

Cisco Security Agent is host based intrusion prevention system (HIPS) software that provides protection for servers and computers systems. It can support over 100,000 agents,

It has two components:

• The management canter for CSA- to maintain a log of any security violations and generate alerts.

• Cisco Security Agent firewall – to be installed on hosts to proactively block any malicious attacks and gets updates from the management centre, and continuously monitors local systems activities and analyse all the operations of the system.

Cisco Security Agent provides protection by use of the following interceptors:

• File system interceptor – Read or write requests are intercepted and allowed or denied according to the security policy.

• Network interceptor – This interceptor can limit the number of network connection allowed within a specified time in order to prevent Dos attacks.

• Configuration interceptor- Read and write requests to the registry are intercepted because modification of the registry configuration can have serious consequences.

• Execution space interceptor- This interceptor maintaining the integrity of the dynamic runtime environment of each application by detecting and blocking requests to write to memory that are not owned by the requesting application

The following are the measures/configurations to mitigate layer 2 attacks are to be implemented to secure Layer 2 network devices.

2.11 Port level traffic control

At this level the following are the protection configurations that can be configured on catalyst switches:

2.12 Port Security

In order to prevent MAC table overflows and MAC Spoofing, port security is to be configured to allow specification of MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses as determined by the network administrator. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down until the administrator enables it. For example, one MAC address can be limited one and assigned to a secure port which will control unauthorized expansion of the network and also prevent the port from forwarding frames with a source MAC address that is not assigned to it or outside the group of the defined addresses on that port. In addition, Port security aging is to be configures either Absolute or Inactivity were its required.

2.13 Storm Control

This traffic suppression feature will prevent broadcast, multicast, or uncast of hostile packets flooding on a LAN segment that can cause unnecessary and excessive traffic that degrades the network performance. It monitors inbound packets over a per second interval and compares it to the configured storm control suppression level using one of these methods: -

i) Percentage of total available bandwidth of the port allocated for broadcast ,multicast, and uncast traffic,

ii) Traffic rate over in packets per second at which broadcast, multicast or uncast packets are received on the interface.

iii) Traffic rate in packets per second and for small frames that is configured on each interface.

iv) Traffic rate in bits per second at which broadcast, multicast, and or uncast packets are received.

2.14 Protected VLAN edge

Based on the security policy requirement PVLAN feature will enable the isolation of traffic by creating a firewall- like barrier blocking any uncast, broadcast, multicast traffic among protected ports on the same LAN segment. The PVLAN features will achieve the following:

i) No traffic is forwarded between ports configured as protected. Packets must be routed via a layer 3device between protected ports.

ii) Forwarding behaviour between protected ports and non-protected ports proceeds normally per default behaviour.

2.15 Access Lists

These are traffic filtering tools such as Switch ACL, Routers ACL, Ports ACL, VLAN ACL and MAC ACL to filter IP and non-IP traffic on the network. There are 3 types of access lists that can be used i.e. Standard, extended, and MAC – extended.

• Port access lists – Configured on physical interface on layer 2 switch support in and out-bound traffic filtering. They can be applied on trunk port to filter all VLANs and Voice traffic – (if data and voice is trunked).

• Router access lists – these will filter network traffic on switched virtual interfaces(SVI)-which are layer 3 interfaces on VLANs on layer 3 physical interface and Ether-channel interfaces.

• VLAN access list – these will filter all types of traffic that are bridged or routed within a VLAN routed into or out of the VLANs. This feature used in combination with Private VLAN feature can filter traffic based on direction.

2.16 Spanning Tree Protocol Measures (features)

2.16.1 Port-Fast

This is a spanning-tree feature that enables an interface configured on a layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. This feature will minimize the time taken waiting by access port for STP to converge as a result eliminating the vulnerability a longer waiting time a port has to transition from blocking to forwarding state.

2.16.2 BPDU Guard

The BPDU guard feature is to be used to protect the switched network from problems caused by the receiving of BPDUs on ports that should not be receiving them. These BPDUs can be from an unauthorized attempt to add a switch to the network, and if they (BPDUs) are received on a port with this feature enabled then it will be disabled, giving a secure response to invalid configuration form attackers. So to prevent any rogue switch on the network by an attacker BPDU guard will be deployed toward user-facing ports with Port-Fast enabled.

2.16.3 Root Guard

Configuring this feature will help us to limit the switch ports on which the root bridge can be negotiated in switched networks. It is to be deployed on ports that connect to switches that should not be the root bridge. When the attacker sends out spoofed BPDUs in order to become a root bridge the switch receiving the BPDUs will ignore them and put the port in a root-inconsistent state, and the port will recover until the attacker stops sending BPDUs. Root guard is the best practice even though there may be a switch with a zero priority and a lower MAC address, and therefore a lower a lower bridge ID.

2.16.4 Loop Guard

Loop guard feature will enabled on all switches across the network to prevent alternative or root ports from becoming designated ports because of a failure resulting in a unidirectional link. A result providing additional layer of protection against layer 2 forwarding loops (STP loops).

2.16.5 Ether Channel

Enabling this feature on switches will detect Ether Channel miss-configurations between switches and any connected devices such as unidentified parameters and don’t match both sides. Ether Channel guard will place the switch interface into disabled state or display an error message. This guard will have to be enabled on both sides of devices.

2.16.6 VLAN Trunk Security

In order to mitigate VLAN hopping attacks, trunking is to be enabled on ports only requiring trunking and use a dedicated native VLAN for all trunk ports. In addition, auto trunking negotiations-DTP will be disabled and enable trunking manually and all unused switch ports will be disabled, and placed in an unused VLAN.

2.17 Cisco Security Monitoring, Analysis, and Mitigation system CS-MARS

Using Cisco Security Monitoring, Analysis, and Mitigation appliance will enable us to monitor, identify, isolate, and counter or mitigate any security threats on the network. In addition, this system is so cost effective and very flexible in its use as its features can be accessible via the web.

2.18 Port Address Translation PAT / NAT Overload

By use of the address space reserved for private use under the RFC 1918 that include:

• 10.0.0.0 - 10. 255. 255. 255 Mask /8

• 172.16.0.0 – 172. 31. 255. 255. 255 Mask /12

• 192.168.0.0 – 192. 168. 255. 255 Mask /16

NAT overload sometimes called PAT (Port Address Translation) maps multiple unregistered or private IP addresses to a single registered or public IP address by using different ports. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. This process also validates that the incoming packets were requested, thus adding a degree of security to the session.

Figure 4: PAT Translation

[pic]



2.19 TACACS+ / RADIUS Server

Cisco ASA supports both a Radius (Remote Authentication Dial-in User Services) protocol, and TACACS+ protocol. Can maintain a local database, or use external server for authentication. For scalability, increased security I will maintain an external /server-based AAA authentication on a Cisco Secure Access Control Server for authentication running TACACS+ or RADIUS protocol.

In this case the Cisco Adaptive Security Appliance authenticates itself to a Radius server with a shared secret key that is never sent over the network, which then passes user information to the Radius Server. The password is encrypted by hashing using a shared secret key.

The diagram below shows this implementation running a RADIUS protocol.

Figure 5: TACACS+ Protocol

[pic]

, Theme=ccna3theme,Style=ccna3,Language=en,Version=1,RootID=knet-lcms_ccnasecurity_en_10,Engine=static/CHAPID=null/RLOID=null/RIOID=null/theme/cheetah.html?cid=2000000000&l1=en&l2=none&chapter=3

Figure 6: RADIUS Protocol

[pic]

Ref:[ ]

2.20 Cisco Adaptive Security Appliance (ASA) firewall

It is modelled on a self-defending Network (SDN) principle having several protective and integrated layers such as firewalls, intrusion prevention, and anomaly mitigation.

Cisco Adaptive Security Appliance provides state-full application inspection of all application and services traffic based on explicitly preconfigured polices and rules. This inspection keeps tracks of every connection passing through the interface making sure that they are valid connections; monitors established, closed, resets or negotiates state of connections and maintains a database with this information in a stable table. ASA provides intelligent threat defence and secure communications services that stop attacks before they affect business continuity. Packet headers and contents of the packets are examined through up to the application layer. Cisco Adaptive Security Appliance will be configured to inspect the following protocols:

2.20.1 Extended Simple Mail Transfer Protocol (ESMTP)

This protocol will be used to restrict the type of SMTP commands that can pass through Cisco ASA. Any illegal command found in ESTMP/SMTP packet will cause a negative reply/an SMTP error code will generated.

2.20.2 File Transfer Protocol

File transfer protocol sessions are examined to provide:

• Enhanced security while creating dynamic secondary data connections for File Transfer Protocol transfers,

• Enforcement of File Transfer Protocol command – response sequence,

• Generation of an audit trail for File Transfer Protocol sessions,

• Translation of embedded IP address.

2.20.3 H TTP

The Cisco ASA HTTP inspection engine checks HTTP transaction is compliant with RFC 2616 by checking all HTTP request messages. Traditional firewalls and Intrusion detection systems detect only 1st round encoded HTTP URI requests, but Cisco ASA is capable of detecting double- encoded attacks known as HTTP de-obfuscation.

2.20.4 Internet Control Massage Protocol (ICMP)

Cisco ASA support state-full inspection of Internet control massage protocol packets will the ability to translate Internet control message protocol error messages which contains full IP header of the IP packet that failed sent by either intermediate hops based on Network Address Translations configurations.

2.20.5 H.323 Standard

This standard stipulates components, protocols and procedures that provide multimedia communication services such as Audio, Video, and Data, that use TCP and UDP connection 2 and 6 respectively. Cisco ASA monitors TCP and dynamically allocates ports after inspection of the messages thus making it secure.

2.20.6 Skinny Protocol (Simple Client Control Protocol -SCCP)

This protocol is used in VOIP application, Cisco IP phones, Cisco call manager, and Cisco call manager express. To support a unified wired LAN (Audio and data), the Cisco ASA offers the ability to inspect skinny transactions using this protocol that making the wired LAN a secure unified network.

2.20.7 Simple Network Management Protocol (SNMP)

This protocol is used to manage and monitor networking devices. The Cisco ASA can be configured to deny traffic based on the SNMP packet versions. Early versions are less secure. This practice can be incorporated as a security policy thus making the LAN more secure.

2.20.8 Trivial File Transfer Protocol (TFTP)

This protocol allows systems to read and write files between a client /server relationship. Cisco ASA TFTP application inspection will be used to:

i) Prevent hosts from opening invalid connections, and

ii) Enforces the creation of a secondary channel initiated from the server thus restricting TFTP clients creating them.

2.20.9 Real Time Streaming Protocol (RSTP)

Cisco ASA supports the inspection of this protocol which is a multimedia streaming protocol as stipulated in RFC 2326 which could have disastrous embedded codes. This protocol mostly use TCP port 554 application, and the applications that use RSTP are Real Audio, Apple Quick Time, Real Player, Cisco IPTV.

2.21 DNS Implementation

Traditionally, DNS queries will require not only relying on generic UDP handling based on activity timeouts. With the Cisco Adaptive Security Appliance, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received (like the DNS guard feature in Cisco PIX firewall). Cisco ASA DNS will further provide more security measures such as:

• Guarantees that the ID’s of the DNS reply matches ID’s of DNS query,

• Allows translation of DNS packets using NAT,

• Reassembles DNS packets to verify its length which has a maximum of 65,553 bytes making any packets larger than that to be dropped.

2.22 Intrusion detection and Prevention system

Intrusion detection and prevention technologies that detect attempts from an intruder to gain unauthorised access to Network or Host to create performance degradation or steal information are to be implemented both at the Network edge router and on Hosts.

The Cisco Intrusion prevention system (CIPS) will effectively mitigate a wide range of network attacks. As already mentioned above that Cisco Adaptive Security Appliance (ASA) which is also a network based intrusion detection solution will be used, it has got an intrusion prevention system feature integrated. The Cisco ASA supports Adaptive Inspection Prevention Security Service Module running Cisco intrusion prevention system (CIPS) software V5.0 or later that has the ability to process and analyse traffic inline or promiscuous mode.

I will implement Inline Intrusion prevention system on the Cisco ASA which is more secure than promiscuous mode but affects overall throughput. In this case the Cisco ASA will direct all traffic to the Adaptive Inspection Prevention Security Service Module for process and analyse, dropping any malicious packets, generate an alarm, or reset connection, before it is forwarded by the ASA. This will mitigate network attacks such as Denial of Service (i.e. TCP sync flood attacks, land attacks, Smurf attacks), Distributed Denial of Service, Session Hijacking (i.e. Man- in-the- Middle).

The system will use the following methods:

2.22.1 State-full pattern-matching recognition,

Whereby the device will search in a chronological order in a TCP stream that is considered and keeps track of arrival order of packets in a TCP stream and handle matching patterns across packet boundaries. This supports all non-encrypted IP protocols, and has the capability to directly correlate specific exploits within the pattern.

Figure 7: Network Based- Inline Intrusion Prevention system

[pic]

The following steps explain the sequence of events:

1. [pic]The Cisco ASA receives an IP packet from the Internet.

2. [pic]Because the Cisco ASA is configured in inline IPS mode, it forwards the packet to the AIP-SSM for analysis.

3. [pic]The AIP-SSM analyzes the packet and, if it determines that the packet is not malicious, forwards the packet back to the Cisco ASA.

4. [pic]The Cisco ASA forwards the packet to its final destination (the protected host).

2.23 Host- Based Intrusion Detection Systems

Cisco Security Agent software firewalls to be installed on individual servers or client machines to safeguard critical computer systems containing crucial data or other shared resources. They secure Hosts against attacks targeted on resources that reside on hosts and will intercept any attacks that have not been detected by the other Network detection systems of firewalls. The diagram below illustrates this implementation.

Figure 9: Host Based- Intrusion Prevention system

[pic]

2.24 Demilitarized Zone (DMZ).

A DMZ network segment as a “neutral zone" between a company's private network and the outside public network will enable Internet/external users to access a company's public servers, including Web and File Transfer Protocol (FTP) servers, while maintaining security for the company's private LAN. An Example of such a firewall to use is a Cisco ASA 5500.

Figure 8: DMZ Implementation

[pic]

2.25 DHCP Snooping

In order to protect the Network against rogue DHCP servers, DHCP snooping is to be implemented to create a logical firewall between un-trusted hosts and DHCP servers. The switch builds and maintains a DHCP snooping table also called DHCP binding database used to identify and filter un-trusted message from Network. This database contains track of DHCP addresses assigned to ports and filters DHCP Message from un-trusted ports. Incoming packets from un-trusted ports are dropped if the source MAC address doesn’t match MAC address in the binding table entry.

2.25.1 Dynamic ARP inspection

By enabling Dynamic ARP inspection feature I will make sure that valid, and only Valid ARP packet requests and responses are forwarded by performing an IP-to-MAC mapping.

2.25.2 IP source guard

Enabling IP source guard in combination with DHCP snooping feature on the un-trusted layer 2 interfaces will restricts IP traffic on un-trusted layer 2 ports by filtering traffic based on DHCP snooping binding database or manually configuring IP source binding as result it will prevent IP spoofing attacks when hosts tries to spoof or use IP address of another host.

Chapter 3: Aims and Objectives

Aim 1: To investigate which layer of the OSI model is most vulnerable to attacks on the Local Area Network.

Objectives

I. To secure the physical devices that operate at the physical layer such as; Network interface cards, transceivers, repeaters, hubs, multi-station access units.

II. To secure layer 2 protocols of the OSI model such as the Ethernet/IEEE 802.3, token ring / IEEE 802.5, fibre distributed data interface FDDI, point-to-point (PPP) etc.

III. To secure the addressing structure and the routing protocols at the network layer of the OSI model for packet delivery on the LAN and to the external networks.

IV. To have an identifiable secure and reliable transport mechanism between two communicating devices on the Local Area Network.

V. To provide a secure way for applications to translate data formats, encrypt, decrypt, compress, and decompress data traversing the network.

VI. To provide a secure platform where end users interacts with the application and other software by securing the application layer protocols such as HTTP,FTP,TELNET, H.323 etc.

Aim 2: To investigate and analyse the available tool and methods to secure a wired Local Area Network.

Objectives

I. To prevent un-trusted traffic to access the network resources and secure gateways at the session layers to control the setup and teardown of sessions on the OSI model.

II. To provide a cost effective but efficient and reliable Local Area Network.

Personal and Academic objectives

I. To study, and learn how to secure Local Area Networks, and the security threats faced by these Networks in a dynamic network technological environment.

II. To learn how to organise meaningfully my time in order to achieve my intended goals in a given limited time.

III. To learn the techniques and approach on how to carry out a meaningful research on specific topics.

IV. To achieve skills on how to write successfully a well-structured report.

V. To improve my presentation skills and increase my confidence.

VI. To prepare myself for a future carrier as a computer network security professional.

Chapter 4: Approach and Scenario

4.1 Approach

The network security strategy to follow in securing a wired LAN is to start by securing the LAN’s network endpoints which include: hosts, servers, or other devices that act as network clients, including non-endpoint LAN devices such as switches, storage area networking devices (SAN), IP telephony etc., and mitigating attacks such as LAN storms, MAC address table overflows, STP manipulation, and VLAN attacks. The following figure shows the endpoint security.

Endpoint security

[pic]

In addition a Virtual topology is used to show the LAN devices that require to be secured on which this project proposal is based as a structured guide to follow.

4.2 Scenario

As a final year student in Computer Networking at London Metropolitan University, I am assigned with a project specification of type research and practical work to do a project on ‘Securing wired Local Area Networks (LANs)’. As stated in the introduction a virtual topology is used to show how to secure LAN so that users and programs can perform actions that have been allowed. This topology includes the network devices that require to be secured on the LAN. This is achieved by specifying and implementing both software and hardware formats of network security.

In order to meet the specific requirements of the project, a plan to secure protocols and devices on the OSI model is to be followed with specific emphasis put on layer 2 of the OSI model (Data link layer) and securing the internal network from un-trusted external traffic.

4.2.1 Secured LAN Virtual Topology

[pic]

Chapter 5: Project Scope, and Methodology

5.1 Project Scope

Securing computer network environment involves a wide verity of measure to be undertaken to mitigate the threats posed to the Network from all angles such as Wired, wireless devices, voice and video as well on both LANs and WANs. However, in this case am going to concentrate on securing wired LANs. The following lists the areas that are covered in this project proposal:

• Brief History of LAN evolution

• Network Security in General

• Wired LAN Security Threats

o Internal Threats

o External Threats

• Wired LAN Security Vulnerabilities

o Internal Threats

o External Threats

• Wired LAN Security Mitigation Technologies

• Secure Wired LAN Devices

• Virtual Topology to show LAN Security implementation

• Impacts of the Network Security Threats

5.2 Methodology

1. Designate a secure physical environment – Data centre that is well ventilated, with backup power supply and controlled access to only authorised personnel.

2. Make Use of other port level traffic control provided by catalyst switches such as storm control, protected ports, private virtual LAN(PVLAN),port blocking and port security.

3. Implementation of VLAN technology on the Local Area Network.

4. Configure security access control measures using access- lists such as router access- lists, port access- lists, Mac access- lists, and VLAN access- lists.

5. Configure DHCP snooping and enable IP source guard to prevent rogue DHCP on the network.

6. Use/ configure Authentication, Authorization, and Accounting (AAA) protocol by implementing a server-based AAA authentication to provides the necessary framework to enable scalable access security to access a Cisco Secure Access Control Server (ACS). Use TACACS+ protocols servers to achieve this.

7. Use the Cisco Adaptive Security Appliance (ASA) firewall as a network firewall to achieve network security between the trusted and un-trusted network.

8. Create a demilitarized zone (DMZ) to enable external / internet host access to company web, email, FTP servers and to provide security systems residing within them

9. Use Network-based and Host-based intrusion prevention systems that can provide in-depth checks of packets on layer 4 through to layer 7.

10. By structuring the LAN in a hierarchal structure i.e. core, distribution and access to provide redundancy, efficient, and reliability on the LAN. Optional: use 2 layer 2, and 3 switches and 2 ASA which offer extra features at a relatively low cost compared to buying other standalone devices such as PIX of layer 2 switches.

5.2.1 Resources

Hardware:

❖ 2 Layer 2 switches

❖ 2 layer 3 switches

❖ 1Cisco Adaptive Security Appliance

❖ 4 Personal Computers

❖ Perimeter Router Firewall

❖ RADIUS / or TACACS+ server

❖ Ethernet Cross over cable with RJ45 connectors

❖ Straight through cable with RJ45 connectors

❖ DHCP/DNS Server

❖ Web/Email/FTP Server

❖ Cisco Secure- MARS

Software/configuration:

❖ Firewall(HIPS/NIDS)

❖ Cisco IOS images

❖ GNS3

5.3 Assumptions

1. It is assumed that this model can be applied to a large LAN.

2. The network management will continuously patch all the LAN security software vulnerabilities by installing updating.

3.The network security professionals employees will continuously monitoring, and testing the networks’ security using network security auditing tools, and also researching about the new network security threats out there.

4. A virtual topology is used that will display some devices of a physical type but can be implemented as software on the physical topology. For example, the Cisco ASA device offers features which I wanted to show through the Virtual topology and which won’t visually show.

5. Its assumed that a routing protocol is configured on the LAN and there is connectivity from one end device to the other.

5.4 Contingency Plans

1. Instead of a Cisco ASA we can use Cisco PIX firewall device.

2. Use RADIUS instead of TACACS+ for server-based AAA authentication.

3. The LAN can have layer 3 switches instead of having layer 2 switches which will improve security and performance, and to provide redundancy extra trunk links can be added and secured.

4. NAC, CSA, and IronPort, technologies can be used to in parallel to provide protection of operating system vulnerabilities against both direct and indirect attack.

5. Software firewall can be configured on devices that support them if money to buy and maintain them is short.

Chapter 6 : Project Plan

6.1 GANTT CHART

To have a good plan for the project in place is such a significant measure for a successful completion of the project. it entails what should be done, how it is gone be done, when to do it, how long it will take to do a certain task, what measures are there to gauge the success, and lastly a review plan of every stage.

This chart displays the tasks which will need to be completed, and each task is allocated a specific time in which it will start and be completed until the end of the project.

Figure 2: Project Proposal Gantt chart

[pic]

6.2 WORK BREAKDOWN STRUCTURE

This is a breakdown of the list of the project tasks that have got to be undertaken and completed in order for the project to be completed.

Figure 1: WORK BREAKDOWN STRUCTURAL CHART

[pic]

Chapter 7: Final Project report Table of Contents

Below is the structure of the contents that will be used for the final report. All sections have been stated, including subheadings in the literature review.

❖ Front Page

❖ Contents Page

❖ Introduction

❖ Acknowledgements

❖ Dedications

❖ What is a LAN?

• History of LANs

• Use of LANs

❖ What is Network Security?

• History of LAN Security

❖ LAN Security Threats

❖ LAN Security Devices

❖ Benefits of a Secured Wired LANs

❖ LAN Security Technologies

• Hardware based

• Software based

❖ Secured Wired LAN Topology

• Layer 2 Switches

• Layer 3 switches

• Cisco Adaptive Security Appliance

• TACACS+/Radius Server (AAA)

• Demilitarized Zone (DMZ)

• Edge Router

• End Devices

• Crossover and Straight through with RJ45 connectors cables

❖ Testing and Analysis

❖ Conclusion

❖ References & Bibliography

❖ Appendix A: Project Plans & System Models

❖ Appendix B: Test Plans & Results

❖ Appendix C: Project Proposal Report

Chapter 8: Conclusion

Over the last 25 years companies have come to realise a great need to secure their LANs due to the increasing dynamic network security threats that has resulted in big financial and identity losses which have damaged company brands and individuals. As a result companies and government have learnt the importance of network security and they are committing a lot of money to maintain a secure LAN environment so as to achieve the three basic principle of network security that is to say: Confidentiality, Integrity, and Authentication. Wired LANs security is a fundamental basic requirement that has become an integral part of computer networks. Many organisations, governments and businesses have put in place network security policies are to provide a framework and guideline for network users/employees to follow when doing their work on company computer networks infrastructure.

Since it is impossible to have a totally secured wired LAN due the very dynamic network security threats out there in the computer world advanced with presence of the internet technology. It is my advice that having put in place Network Security Policies and taken steps to achieve them, Network Security Professionals should continually install software patches, monitor, and test the computer networks and also keep learning and sharing information about the new security threats.

References:

1. Wayne Lewis, LAN Switching and Wireless, Exploration Companion Guide

2. Hucaby, D. (2005) Cisco ASA and PIX Firewall Handbook, Cisco Press

3. Carroll, B. (2004) Cisco Access Control Security: AAA Administration Server, Cisco Press, 2Rev Ed.

4. CCNA Security, Implementing Network Security, Cisco Press

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download