School of Communications Technology and Mathematical
Sciences
SECURING WIRED LOCAL AREA NETWORK PROJECT PROPOSAL REPORT
Mr Sentuya Francis Derrick,
ID 08051602
Module: CT3P50N
[email protected]
Supervisor: Dr. Shamhram Salekzamankhani
[email protected]
A project proposal report as a partial fulfilment
of the requirements of London Metropolitan University for
the degree of Bachelor of Science in Computer Networking with
Honours
April-13-2011
Faculty of Computing
Table of contents
4Chapter 1 : Introduction
5Chapter 2 : Literature Review
52.1 LAN overview,
62.2 Brief history
72.3 Network Security
82.4 Evolution of LAN Security
92.5 The OSI 7 Layer model Approach to understand LAN
Vulnerabilities
102.5.1 Application Layer (Layer 7)
102.5.2 Presentation Layer (Layer 6)
112.5.3 Session Layer (Layer 5)
112.5.4 Transport Layer (Layer 4)
112.5.5 Network Layer (Layer 3)
112.5.6 Data Link Layer (Layer 2)
112.5.7 Physical Layer (Layer 1)
112.6 LAN’s Most Vulnerable layer
122.7 Most common layer 2 attacks/threats:
142.8 Types of other Network Threats
142.8.1 Reconnaissance attacks
152.8.2 Denial-of-service
162.8.3 Access attacks
162.9 Impact of Network security breaches/ threats
182.10 Cisco Security Agent Firewall (Endpoint device
security)
192.11 Port level traffic control
192.12 Port Security
202.13 Storm Control
212.14 Protected VLAN edge
212.15 Access Lists
222.16 Spanning Tree Protocol Measures (features)
222.16.1 Port-Fast
222.16.2 BPDU Guard
222.16.3 Root Guard
232.16.4 Loop Guard
232.16.5 Ether Channel
232.16.6 VLAN Trunk Security
242.17 Cisco Security Monitoring, Analysis, and Mitigation
system CS-MARS
242.18 Port Address Translation PAT / NAT Overload
252.19 TACACS+ / RADIUS Server
262.20 Cisco Adaptive Security Appliance (ASA) firewall
272.20.1 Extended Simple Mail Transfer Protocol (ESMTP)
272.20.2 File Transfer Protocol
282.20.3 H TTP
282.20.4 Internet Control Massage Protocol (ICMP)
282.20.5 H.323 Standard
282.20.6 Skinny Protocol (Simple Client Control Protocol
-SCCP)
292.20.7 Simple Network Management Protocol (SNMP)
292.20.8 Trivial File Transfer Protocol (TFTP)
292.20.9 Real Time Streaming Protocol (RSTP)
292.21 DNS Implementation
302.22 Intrusion detection and Prevention system
312.22.1 State-full pattern-matching recognition,
322.23 Host- Based Intrusion Detection Systems
332.24 Demilitarized Zone (DMZ).
332.25 DHCP Snooping
342.25.1 Dynamic ARP inspection
342.25.2 IP source guard
35Chapter 3: Aims and Objectives
35Aim 1: To investigate which layer of the OSI model is most
vulnerable to attacks on the Local Area Network.
35Objectives
36Aim 2: To investigate and analyse the available tool and
methods to secure a wired Local Area Network.
37Chapter 4: Approach and Scenario
374.1 Approach
374.2 Scenario
384.2.1 Secured LAN Virtual Topology
39Chapter 5: Project Scope, and Methodology
395.1 Project Scope
395.2 Methodology
405.2.1 Resources
415.3 Assumptions
425.4 Contingency Plans
43Chapter 6 : Project Plan
436.1 GANTT CHART
446.2 WORK BREAKDOWN STRUCTURE
45Chapter 7: Final Project report Table of Contents
47Chapter 8: Conclusion
48References:
Chapter 1: Introduction
This project proposal is about how to secure a wired local area
network. Local Area Networks are defined as a group of computers
and devices interconnected together in a limited geographical area
such as computer laboratory, home, office building, or school.
Local Area Networks enable the sharing of resources like printers,
games, files, or other applications amongst users on the network.
One Local Area Network can be connected to other Local Area
Networks, and also to the internet.
By this definition it’s imperative therefore to make Local area
networks secure to provide users with Confidentiality, data
Integrity, and Authentication of everyone who is accessing the
network.
Network security is such an important part of Local area
networks which involves securing protocols, technologies, and
devices, by mitigating any network security threats by use of
network security tools and techniques. In addition, network
security policies are put in place to provide a framework and
guideline for network users/employees to follow when doing their
work on company computer networks.
It is in my interest to investigate, analyse, learn and gain
skills about the dangers and threats computer networks are faced
with, and the technology used to mitigate these threats. Hence have
a more secure Local Area Network environment.
A Virtual topology is used to show how to a secured LAN
solution.
Chapter 2 : Literature Review2.1 LAN overview,
In the local area network, users have computer devices, that
have got disk, processor and operating systems as a platform for
soft wares and other applications run. These computers communicate
with one another within a small geographical area covered by the
networked computers, usually a single building or group of
buildings. Local Area Networks may also connect to other the
network of computers with printers, server computer or mainframes
with higher processing power and memory storage, that can send
information from the Local Area Network over telephone lines to
another location or network.
LANs include higher data-transfer rates, no need for a leased
telecommunication lines. In the past ARCNET, Token Ring and other
technology standards have been used in the past, but Ethernet over
twisted pair cabling and Wi-Fi are the two most common technologies
currently in use.
This type of networks allows its users to have isolated or
separate offices but still be able to operate off the same system,
as if they were all sitting around a single computer.
This network can be easily installed simply, upgraded or
expanded with little difficulty, even moved or rearranged without
disruption. LANs have helped in the increased work place
productivity, decreased the amount of paper used and the speeding
up of the information flow.
It’s important to mention that on the other hand LANs have also
created additional work in terms of organization, maintenance,
security and trouble-shooting.
2.2 Brief history
In 1970s and 1980s after the development of both desk operating
systems bases personal computers and Control Program for
Microcomputers based personal computers meant that one site could
have a big number of computers. A need developed to share disk
space and laser printers due to the higher cost of these devices,
and as a result the idea of LAN started to be developed.
In early 1980 it was advent of Novell NetWare that provided
operating systems that support for dozens of competing card/cables
types, until the mid 1990 Microsoft introduced Windows NT, UNIX
workstations from Sun Microsystems, Silicon Hewlett-Packard bell,
Intergraph etc were using TCP/IP based networking which has since
then almost replaced other protocols used on early computers.
The introduction of the OSI model has enabled multi-vendors
products that can be compatible and work together on one single
machine. As a result, users were able to share resources regardless
what operating system, network cards, cabling or protocols being
used by different software running on the different machines. This
poses numerous network security vulnerabilities that can have
catastrophic results to businesses, individuals and government
organisations as well. This has intern made network security an
integral part of computer networks to secure and mitigate network
attacks.
2.3 Network Security
Network security involves the protecting of information, systems
and the hardware that use, store, and transmit that information. It
involves the steps taken to make sure that confidentiality,
integrity, and availability of data / resources is maintained form
both the internal and external networks threats.
Network security solutions started coming up form the early 1960
but didn’t have a big impact due to the complexity of network
security and the dynamic/ever changing nature of networks not until
the 2000s. Following below is a brief time line of the network
threats over the last 30 years:
· 1978 - First Spam on ARPAnet
· 1988 - The Morris Internet Virus
· 1999 - Melissa Email Virus
· 2000 - Mafiaboy DoS Attack, Love Bug Worm, L0phtCrack password
cracker released
· 2001 - Code Red DoS Attack
· 2004 - Botnet hits U.S. Military Systems
· 2007 - Storm botnet, TJX Credit Card Data Breach
· 2008 - Société Générale Stock Fraud
Due to the fact that network security become an integral part of
the business, dedicated devices to network security functions
emerged. Over the last 30 years, following network security
detection systems and firewall solutions have emerged:
· Intrusion detection system (IDS), first developed by SRI
International in 1984.
· In the late 1990s, the intrusion prevention system or sensor
(IPS) began to replace the IDS solution.
· In 1988, Digital Equipment Corporation (DEC) created the first
network firewall in the form of a packet filter.
· In 1989, AT&T Bell Laboratories developed the first
state-full firewall.
· In 1991 DEC SEAL Application Layer Firewall was released
· In 1994 Check Point Firewall was released.
· In 1995 NetRanger IDS was also released.
· In August 1997 RealSecure IDS firewall was released.
· In 1998 and 1999 Snort IDS and First IPS were released
respectively.
· As from 2006 Cisco released Cisco Zone-based policy Firewall
and
2.4 Evolution of LAN Security
LAN security threats are mostly if not all target the protocols
and technologies used on the local area network or the switched
network infrastructure, and they fall into two types: Denial of
service and Spoofing attacks. The following shows the measures / or
Security technologies that have been developed over the last 13
year to mitigate LAN types of threats.
· In 1998 measures to Mitigate MAC Address Spoofing, MAC Address
Table Overflow Attacks, and LAN Storm were released.
· In 2000 measures to Mitigate Root Bridge Spoofing and VLAN
Attacks were released.
· In 2003 measures to Mitigate ARP Spoofing Attacks were
released.
Network Security also requires that Data should be protected and
secured. This is achieved by the use of encryption and hashing
mechanisms technology which the hiding plaintext data as it
traverses the network thus providing Confidentiality, Integrity,
and Authentication which are the three components of information
security. The following gives an outline of the cryptography
security technology and their timeline:
· In 1993 Cisco GRE Tunnels was released.
· In 1996 Site-to-Site IPSec VPNs was released
· In 1999 Secure Socket Layer (SSH) was released
· In 2000 Multi-Protocol Label Switching (MPLS VPNs) was
released
· In 2001 Remote-Access IPSec VPN was released
· In 2002 Dynamic Multipoint VPN was released
· In 2005 Secure Socket Layer (SSL) VPN was released.
2.5 The OSI 7 Layer model Approach to understand LAN
Vulnerabilities
To understand how to secure wired LAN, I am using the (OSI) 7
layer model approach. The OSI Model ISO model of how network
protocols and equipment should communicate and work together
(interoperate). This approach helps me to investigate the different
protocols used on each layer and the security vulnerabilities they
pose. Find a way to secure the vulnerabilities by undertaking
network security measures to mitigate any attack that may take
advantage of these security loopholes. This approach will indicate
which OSI layer is the most vulnerable on the LAN.
Diagram 1 : OSI 7 Layer model
Figure 1: osi model
http://compnetworking.about.com/library/graphics/basics_osimodel.jpg
The following is the outline of some of the protocols and
examples of network devices associated with each layer of the OSI
Model.
2.5.1 Application Layer (Layer 7)
Protocols on this layer: HTTP, FTP, SMTP, NTP, SNMP, EDI, Telnet
etc are used.
2.5.2 Presentation Layer (Layer 6)
Protocols on this layer: GIF and JPEG, GIF, MPEG, MIME, SSL,
TLS.
2.5.3 Session Layer (Layer 5)
Protocols on this layer: NETBIOS, RPC, MAIL SLOTS, APPLETALK,
WINSHOCK etc are used.
2.5.4 Transport Layer (Layer 4)
Protocols on this layer TCP, UDP, SPX, and ICMP, etc are
used.
2.5.5 Network Layer (Layer 3)
Protocols on this layer: Internet Protocol (IP), Internet Packet
Exchange (IPX), ICMP, ARP, IPSEC, BGP, IGRP, and EIGRP etc are
used. Examples of devices: Routers, layer 3 switches.
2.5.6 Data Link Layer (Layer 2)
Examples of Layer 2 protocols, Ethernet, Token Ring, Frame
Relay, FDDI, ATM, PDN, and Examples of devices are Layer 2
Switches, Bridges, etc.
2.5.7 Physical Layer (Layer 1)
This layer defines the physical medium such as Cabling,
interface specifications such as AUI, 10Base-T, RJ45, etc. It’s
where data is turned into bits of 0 and 1’s to be sent on the
cabling medium.
2.6 LAN’s Most Vulnerable layer
Basing on the OSI model research approach to find out what layer
of the seven (7) layers is most vulnerable; I conclude that Layer 2
of the OSI model – (Data link layer) poses the most network
security vulnerabilities on the LAN. The data link layer is divided
into two sub-layer; logical link control and Media Access Control
layer. Examples of the protocols that run on this layer are; FDDI,
Ethernet, Token ring, MAC addresses, etc.
A layer 2 LAN switch performs switching and filtering based only
on the data link layer 2 MAC address. This makes layer 2 switches
completely transparent to the network protocols and user
applications. Unauthorised access to the layer 2 devices will put
the whole network resources and performance at high security
risk.
It should be noted that layer 3 switches are to be seriously
considered even though they are operating at a network layer (3).
In addition, all protocols on other layers of the OSI model are to
be secured to provide a holistic secure LAN environment for
security threats.
2.7 Most common layer 2 attacks/threats:
· MAC address spoofing- Switches populate the MAC address table
by recording the source MAC address of a frame, and associating
that address with the port on which the frame is received. This
method has lead to a vulnerability known as MAC spoofing, which
occurs when one host poses as another to receive otherwise
inaccessible data or to circumvent security configurations.
· STP manipulation attack - STP allows for redundancy, and
ensures that only one link is operational at a time and no loops
are present.
In an STP manipulation attack, the attacking host broadcasts STP
configurations, with BPDUs of a lower bridge priority in an attempt
to be elected as the root bridge by forcing spanning-tree
recalculations. If the attack is successfully done, the attacking
host becomes the root bridge and sees a number of frames wouldn’t
have been accessible.
· MAC address table overflows - MAC address tables have got a
limited memory size allocated. MAC flooding takes advantage of this
limitation by flooding the switch with fake source MAC addresses
until the switch MAC address table is full. If enough entries are
entered into the MAC address table before older entries expire, the
table fills up to the point that no new entries can be accepted. As
a result the switch begins to flood all incoming traffic to all
ports due to lack of space to learn any legitimate MAC addresses.
Its at this point the attacker can see all of the frames sent from
one host to another.
· LAN storms – This form of attack occurs when packets flood the
LAN, creating excessive traffic and degrading network performance.
Switches are cable of broadcasting especially when they are
building the MAC address tables, or when using Address Resolution
Protocols (ARP), and Dynamic Host Configuration Protocols
(DHCP).
· VLAN attacks - The attack works by taking advantage of an
incorrectly configured trunk port. Trunk ports have access to all
VLANs and pass traffic for multiple VLANs across the same physical
link, generally between switches. The attack can then: spoof DTP
messages and cause the switch to enter into trunking mode, or bring
up a rogue switch and enable trunking as a result access all the
VLANs on the victim switch.
2.8 Types of other Network Threats
In order to have a secure LAN, securing layer 2 on the OSI model
is imperative and the primary vulnerabilities for the end –users on
their personal computers for example:
· Virus –this is malicious software that attaches itself to
another program in order to execute a specific unwanted function on
a computer.
· Worm - This executes arbitrary code and installs copies of
itself in the memory of the host computer which then infects other
hosts on the network.
· Trojan horse - this is an application called a malware in the
computing world that carries out malicious operations under the
guise of a desired function. It could carry a virus or a worm.
The following shows other categories of network security threats
that can exploit the vulnerabilities on the layer 2, end user
devices, and other layers on the OSI 7 layer model.
2.8.1 Reconnaissance attacks
These types of attacks gather information on the network or
targeted devices security vulnerabilities to be exploited later by
using tools like:
· Packet sniffers - a software application that uses the network
adapter card in promiscuous mode to capture all network packets
which are sent across a LAN.
· Ping sweeps - used to scanning and determining live hosts by
use of ICMP echo requests sent to multiple hosts.
· Port Scans - this tool scans a range of TCP or UDP port
numbers on a host to detect listening services by sending messages
to ports on the host and any response indicates whether the ports
is used.
· Internet information queries - these are used to determine who
owns a given domain and the addresses that are assigned to that
domain.
2.8.2 Denial-of-service
This type of attack sends large numbers of requests over the
network in order to cause the target devices to be overwhelmed
causing them to run suboptimal and eventually becoming unavailable
to serve its legitimate access and use. Examples of DOS attacks
are:
· Ping of Death – where the attack sends an echo request in an
IP packet that is larger than the maximum packet size of 65,535
bytes that can cause the target computer to crash.
· Smurf Attack – the attack sends a large number of ICMP
requests to a directed broadcast address with spoofed source
addresses on the same network as the directed broadcast, when the
routing device forwards the broadcasts to all hosts on the
destination network all hosts will reply to each packet thus
causing degrading the network performance.
· TCP SYN Flood attack- floods of TCP SYN packets are sent by
the attack with forged sender address where each packet is handled
as a connection request causing the server to leave half-open
connections by replying with a TCP SYN-ACK packet and waiting in
vain for response, this will eventually keep the server from
responding to legitimate requests until when the attack ends.
2.8.3 Access attacks
These attacks are used to gain access to the network and
retrieve data, and escalate rights to resources. The following are
the types of this form of attack:
· Man-in-the-middle- This type of attack involves the attack
positioned in the middle of the communications between two
legitimate entities in order to read or modify the data that passes
between the two parties.
· Buffer overflow – this attack writes data beyond the memory
buffer allocated for a certain program and as a result valid data
is overwritten to execute a malicious code.
· Port Redirection- a targeted host is used as a stepping point
for an attack on other host targets on the network or other
networks.
· Password attacks – the attacker keeps guessing the passwords
of the targeted host, for example by using a dictionary attack.
· Trusted exploitation – the attacker uses or exploits the
privileges granted to a system in unauthorised way as a result
compromising the target host.
2.9 Impact of Network security breaches/ threats
Today there is an increasing urgent need to secure computer
networks due to many factors some of which are mentioned below:
· Increase in cyber crime
· Identity theft
· Child Pornography
· Theft of Telecommunication Services
· Electronic Vandalism, Terrorism and Extortion
· Fraud/Scams
· Impact on business and individuals
· Decrease in productivity
· Loss of Sales revenue
· Loss of time
· Compromise of trust and reputation
· Threats to trade secrets or formulas
· Sophistication of threats
· Proliferation of threats
· Legislation and liabilities
· Internet connectivity
In order to mitigate the LAN security threats the following
technology will be implemented to achieve a secure LAN
environment.
2.10 Cisco Security Agent Firewall (Endpoint device
security)
I will use Cisco security Agent which protects endpoints against
threats that are posed by viruses, Trojan Horses, and worms as
means to secure my end devices.
Figure 3: Cisco Security Agent Firewall
Ref: CCNA Security, Implementing Network Security book, Cisco
Press
Cisco Security Agent is host based intrusion prevention system
(HIPS) software that provides protection for servers and computers
systems. It can support over 100,000 agents,
It has two components:
· The management canter for CSA- to maintain a log of any
security violations and generate alerts.
· Cisco Security Agent firewall – to be installed on hosts to
proactively block any malicious attacks and gets updates from the
management centre, and continuously monitors local systems
activities and analyse all the operations of the system.
Cisco Security Agent provides protection by use of the following
interceptors:
· File system interceptor – Read or write requests are
intercepted and allowed or denied according to the security
policy.
· Network interceptor – This interceptor can limit the number of
network connection allowed within a specified time in order to
prevent Dos attacks.
· Configuration interceptor- Read and write requests to the
registry are intercepted because modification of the registry
configuration can have serious consequences.
· Execution space interceptor- This interceptor maintaining the
integrity of the dynamic runtime environment of each application by
detecting and blocking requests to write to memory that are not
owned by the requesting application
The following are the measures/configurations to mitigate layer
2 attacks are to be implemented to secure Layer 2 network
devices.
2.11 Port level traffic control
At this level the following are the protection configurations
that can be configured on catalyst switches:
2.12 Port Security
In order to prevent MAC table overflows and MAC Spoofing, port
security is to be configured to allow specification of MAC
addresses for a port or to permit the switch to dynamically learn a
limited number of MAC addresses as determined by the network
administrator. If a MAC address of a device attached to the port
differs from the list of secure addresses, the port either shuts
down until the administrator enables it. For example, one MAC
address can be limited one and assigned to a secure port which will
control unauthorized expansion of the network and also prevent the
port from forwarding frames with a source MAC address that is not
assigned to it or outside the group of the defined addresses on
that port. In addition, Port security aging is to be configures
either Absolute or Inactivity were its required.
2.13 Storm Control
This traffic suppression feature will prevent broadcast,
multicast, or uncast of hostile packets flooding on a LAN segment
that can cause unnecessary and excessive traffic that degrades the
network performance. It monitors inbound packets over a per second
interval and compares it to the configured storm control
suppression level using one of these methods: -
(i) Percentage of total available bandwidth of the port
allocated for broadcast ,multicast, and uncast traffic,
(ii) Traffic rate over in packets per second at which broadcast,
multicast or uncast packets are received on the interface.
(iii) Traffic rate in packets per second and for small frames
that is configured on each interface.
(iv) Traffic rate in bits per second at which broadcast,
multicast, and or uncast packets are received.
2.14 Protected VLAN edge
Based on the security policy requirement PVLAN feature will
enable the isolation of traffic by creating a firewall- like
barrier blocking any uncast, broadcast, multicast traffic among
protected ports on the same LAN segment. The PVLAN features will
achieve the following:
(i) No traffic is forwarded between ports configured as
protected. Packets must be routed via a layer 3device between
protected ports.
(ii) Forwarding behaviour between protected ports and
non-protected ports proceeds normally per default behaviour.
2.15 Access Lists
These are traffic filtering tools such as Switch ACL, Routers
ACL, Ports ACL, VLAN ACL and MAC ACL to filter IP and non-IP
traffic on the network. There are 3 types of access lists that can
be used i.e. Standard, extended, and MAC – extended.
· Port access lists – Configured on physical interface on layer
2 switch support in and out-bound traffic filtering. They can be
applied on trunk port to filter all VLANs and Voice traffic – (if
data and voice is trunked).
· Router access lists – these will filter network traffic on
switched virtual interfaces(SVI)-which are layer 3 interfaces on
VLANs on layer 3 physical interface and Ether-channel
interfaces.
· VLAN access list – these will filter all types of traffic that
are bridged or routed within a VLAN routed into or out of the
VLANs. This feature used in combination with Private VLAN feature
can filter traffic based on direction.
2.16 Spanning Tree Protocol Measures (features)2.16.1
Port-Fast
This is a spanning-tree feature that enables an interface
configured on a layer 2 access port to transition from the blocking
to the forwarding state immediately, bypassing the listening and
learning states. This feature will minimize the time taken waiting
by access port for STP to converge as a result eliminating the
vulnerability a longer waiting time a port has to transition from
blocking to forwarding state.
2.16.2 BPDU Guard
The BPDU guard feature is to be used to protect the switched
network from problems caused by the receiving of BPDUs on ports
that should not be receiving them. These BPDUs can be from an
unauthorized attempt to add a switch to the network, and if they
(BPDUs) are received on a port with this feature enabled then it
will be disabled, giving a secure response to invalid configuration
form attackers. So to prevent any rogue switch on the network by an
attacker BPDU guard will be deployed toward user-facing ports with
Port-Fast enabled.
2.16.3 Root Guard
Configuring this feature will help us to limit the switch ports
on which the root bridge can be negotiated in switched networks. It
is to be deployed on ports that connect to switches that should not
be the root bridge. When the attacker sends out spoofed BPDUs in
order to become a root bridge the switch receiving the BPDUs will
ignore them and put the port in a root-inconsistent state, and the
port will recover until the attacker stops sending BPDUs. Root
guard is the best practice even though there may be a switch with a
zero priority and a lower MAC address, and therefore a lower a
lower bridge ID.
2.16.4 Loop Guard
Loop guard feature will enabled on all switches across the
network to prevent alternative or root ports from becoming
designated ports because of a failure resulting in a unidirectional
link. A result providing additional layer of protection against
layer 2 forwarding loops (STP loops).
2.16.5 Ether Channel
Enabling this feature on switches will detect Ether Channel
miss-configurations between switches and any connected devices such
as unidentified parameters and don’t match both sides. Ether
Channel guard will place the switch interface into disabled state
or display an error message. This guard will have to be enabled on
both sides of devices.
2.16.6 VLAN Trunk Security
In order to mitigate VLAN hopping attacks, trunking is to be
enabled on ports only requiring trunking and use a dedicated native
VLAN for all trunk ports. In addition, auto trunking
negotiations-DTP will be disabled and enable trunking manually and
all unused switch ports will be disabled, and placed in an unused
VLAN.
2.17 Cisco Security Monitoring, Analysis, and Mitigation system
CS-MARS
Using Cisco Security Monitoring, Analysis, and Mitigation
appliance will enable us to monitor, identify, isolate, and counter
or mitigate any security threats on the network. In addition, this
system is so cost effective and very flexible in its use as its
features can be accessible via the web.
2.18 Port Address Translation PAT / NAT Overload
By use of the address space reserved for private use under the
RFC 1918 that include:
· 10.0.0.0 - 10. 255. 255. 255 Mask /8
· 172.16.0.0 – 172. 31. 255. 255. 255 Mask /12
· 192.168.0.0 – 192. 168. 255. 255 Mask /16
NAT overload sometimes called PAT (Port Address Translation)
maps multiple unregistered or private IP addresses to a single
registered or public IP address by using different ports. PAT uses
unique source port numbers on the inside global IP address to
distinguish between translations. This process also validates that
the incoming packets were requested, thus adding a degree of
security to the session.
Figure 4: PAT Translation
http://www.i1u.net/images/web/PAT.gif
2.19 TACACS+ / RADIUS Server
Cisco ASA supports both a Radius (Remote Authentication Dial-in
User Services) protocol, and TACACS+ protocol. Can maintain a local
database, or use external server for authentication. For
scalability, increased security I will maintain an external
/server-based AAA authentication on a Cisco Secure Access Control
Server for authentication running TACACS+ or RADIUS protocol.
In this case the Cisco Adaptive Security Appliance authenticates
itself to a Radius server with a shared secret key that is never
sent over the network, which then passes user information to the
Radius Server. The password is encrypted by hashing using a shared
secret key.
The diagram below shows this implementation running a RADIUS
protocol.
Figure 5: TACACS+ Protocol
Http://curriculum.netacad.net/virtuoso/servlet/org.cli.delivery.rendering.servlet.CCServlet/LMS_ID=CNAMS,
Theme=ccna3theme,Style=ccna3,Language=en,Version=1,RootID=knet-lcms_ccnasecurity_en_10,Engine=static/CHAPID=null/RLOID=null/RIOID=null/theme/cheetah.html?cid=2000000000&l1=en&l2=none&chapter=3
Figure 6: RADIUS Protocol
Ref:[
]http://ptgmedia.pearsoncmg.com/images/chap6_9781587058196/elementLinks/ca800601.jpg
2.20 Cisco Adaptive Security Appliance (ASA) firewall
It is modelled on a self-defending Network (SDN) principle
having several protective and integrated layers such as firewalls,
intrusion prevention, and anomaly mitigation.
Cisco Adaptive Security Appliance provides state-full
application inspection of all application and services traffic
based on explicitly preconfigured polices and rules. This
inspection keeps tracks of every connection passing through the
interface making sure that they are valid connections; monitors
established, closed, resets or negotiates state of connections and
maintains a database with this information in a stable table. ASA
provides intelligent threat defence and secure communications
services that stop attacks before they affect business continuity.
Packet headers and contents of the packets are examined through up
to the application layer. Cisco Adaptive Security Appliance will be
configured to inspect the following protocols:
2.20.1 Extended Simple Mail Transfer Protocol (ESMTP)
This protocol will be used to restrict the type of SMTP commands
that can pass through Cisco ASA. Any illegal command found in
ESTMP/SMTP packet will cause a negative reply/an SMTP error code
will generated.
2.20.2 File Transfer Protocol
File transfer protocol sessions are examined to provide:
· Enhanced security while creating dynamic secondary data
connections for File Transfer Protocol transfers,
· Enforcement of File Transfer Protocol command – response
sequence,
· Generation of an audit trail for File Transfer Protocol
sessions,
· Translation of embedded IP address.
2.20.3 H TTP
The Cisco ASA HTTP inspection engine checks HTTP transaction is
compliant with RFC 2616 by checking all HTTP request messages.
Traditional firewalls and Intrusion detection systems detect only
1st round encoded HTTP URI requests, but Cisco ASA is capable of
detecting double- encoded attacks known as HTTP de-obfuscation.
2.20.4 Internet Control Massage Protocol (ICMP)
Cisco ASA support state-full inspection of Internet control
massage protocol packets will the ability to translate Internet
control message protocol error messages which contains full IP
header of the IP packet that failed sent by either intermediate
hops based on Network Address Translations configurations.
2.20.5 H.323 Standard
This standard stipulates components, protocols and procedures
that provide multimedia communication services such as Audio,
Video, and Data, that use TCP and UDP connection 2 and 6
respectively. Cisco ASA monitors TCP and dynamically allocates
ports after inspection of the messages thus making it secure.
2.20.6 Skinny Protocol (Simple Client Control Protocol
-SCCP)
This protocol is used in VOIP application, Cisco IP phones,
Cisco call manager, and Cisco call manager express. To support a
unified wired LAN (Audio and data), the Cisco ASA offers the
ability to inspect skinny transactions using this protocol that
making the wired LAN a secure unified network.
2.20.7 Simple Network Management Protocol (SNMP)
This protocol is used to manage and monitor networking devices.
The Cisco ASA can be configured to deny traffic based on the SNMP
packet versions. Early versions are less secure. This practice can
be incorporated as a security policy thus making the LAN more
secure.
2.20.8 Trivial File Transfer Protocol (TFTP)
This protocol allows systems to read and write files between a
client /server relationship. Cisco ASA TFTP application inspection
will be used to:
(i) Prevent hosts from opening invalid connections, and
(ii) Enforces the creation of a secondary channel initiated from
the server thus restricting TFTP clients creating them.
2.20.9 Real Time Streaming Protocol (RSTP)
Cisco ASA supports the inspection of this protocol which is a
multimedia streaming protocol as stipulated in RFC 2326 which could
have disastrous embedded codes. This protocol mostly use TCP port
554 application, and the applications that use RSTP are Real Audio,
Apple Quick Time, Real Player, Cisco IPTV.
2.21 DNS Implementation
Traditionally, DNS queries will require not only relying on
generic UDP handling based on activity timeouts. With the Cisco
Adaptive Security Appliance, UDP connections associated with DNS
queries and responses are torn down as soon as a reply to a DNS
query has been received (like the DNS guard feature in Cisco PIX
firewall). Cisco ASA DNS will further provide more security
measures such as:
· Guarantees that the ID’s of the DNS reply matches ID’s of DNS
query,
· Allows translation of DNS packets using NAT,
· Reassembles DNS packets to verify its length which has a
maximum of 65,553 bytes making any packets larger than that to be
dropped.
2.22 Intrusion detection and Prevention system
Intrusion detection and prevention technologies that detect
attempts from an intruder to gain unauthorised access to Network or
Host to create performance degradation or steal information are to
be implemented both at the Network edge router and on Hosts.
The Cisco Intrusion prevention system (CIPS) will effectively
mitigate a wide range of network attacks. As already mentioned
above that Cisco Adaptive Security Appliance (ASA) which is also a
network based intrusion detection solution will be used, it has got
an intrusion prevention system feature integrated. The Cisco ASA
supports Adaptive Inspection Prevention Security Service Module
running Cisco intrusion prevention system (CIPS) software V5.0 or
later that has the ability to process and analyse traffic inline or
promiscuous mode.
I will implement Inline Intrusion prevention system on the Cisco
ASA which is more secure than promiscuous mode but affects overall
throughput. In this case the Cisco ASA will direct all traffic to
the Adaptive Inspection Prevention Security Service Module for
process and analyse, dropping any malicious packets, generate an
alarm, or reset connection, before it is forwarded by the ASA. This
will mitigate network attacks such as Denial of Service (i.e. TCP
sync flood attacks, land attacks, Smurf attacks), Distributed
Denial of Service, Session Hijacking (i.e. Man- in-the-
Middle).
The system will use the following methods:
2.22.1 State-full pattern-matching recognition,
Whereby the device will search in a chronological order in a TCP
stream that is considered and keeps track of arrival order of
packets in a TCP stream and handle matching patterns across packet
boundaries. This supports all non-encrypted IP protocols, and has
the capability to directly correlate specific exploits within the
pattern.
Figure 7: Network Based- Inline Intrusion Prevention system
The following steps explain the sequence of events:
1. The Cisco ASA receives an IP packet from the Internet.
2. Because the Cisco ASA is configured in inline IPS mode, it
forwards the packet to the AIP-SSM for analysis.
3. The AIP-SSM analyzes the packet and, if it determines that
the packet is not malicious, forwards the packet back to the Cisco
ASA.
4. The Cisco ASA forwards the packet to its final destination
(the protected host).
2.23 Host- Based Intrusion Detection Systems
Cisco Security Agent software firewalls to be installed on
individual servers or client machines to safeguard critical
computer systems containing crucial data or other shared resources.
They secure Hosts against attacks targeted on resources that reside
on hosts and will intercept any attacks that have not been detected
by the other Network detection systems of firewalls. The diagram
below illustrates this implementation.
Figure 9: Host Based- Intrusion Prevention system
2.24 Demilitarized Zone (DMZ).
A DMZ network segment as a “neutral zone" between a company's
private network and the outside public network will enable
Internet/external users to access a company's public servers,
including Web and File Transfer Protocol (FTP) servers, while
maintaining security for the company's private LAN. An Example of
such a firewall to use is a Cisco ASA 5500.
Figure 8: DMZ Implementation
2.25 DHCP Snooping
In order to protect the Network against rogue DHCP servers, DHCP
snooping is to be implemented to create a logical firewall between
un-trusted hosts and DHCP servers. The switch builds and maintains
a DHCP snooping table also called DHCP binding database used to
identify and filter un-trusted message from Network. This database
contains track of DHCP addresses assigned to ports and filters DHCP
Message from un-trusted ports. Incoming packets from un-trusted
ports are dropped if the source MAC address doesn’t match MAC
address in the binding table entry.
2.25.1 Dynamic ARP inspection
By enabling Dynamic ARP inspection feature I will make sure that
valid, and only Valid ARP packet requests and responses are
forwarded by performing an IP-to-MAC mapping.
2.25.2 IP source guard
Enabling IP source guard in combination with DHCP snooping
feature on the un-trusted layer 2 interfaces will restricts IP
traffic on un-trusted layer 2 ports by filtering traffic based on
DHCP snooping binding database or manually configuring IP source
binding as result it will prevent IP spoofing attacks when hosts
tries to spoof or use IP address of another host.
Chapter 3: Aims and Objectives Aim 1: To investigate which layer
of the OSI model is most vulnerable to attacks on the Local Area
Network.Objectives
I. To secure the physical devices that operate at the physical
layer such as; Network interface cards, transceivers, repeaters,
hubs, multi-station access units.
II. To secure layer 2 protocols of the OSI model such as the
Ethernet/IEEE 802.3, token ring / IEEE 802.5, fibre distributed
data interface FDDI, point-to-point (PPP) etc.
III. To secure the addressing structure and the routing
protocols at the network layer of the OSI model for packet delivery
on the LAN and to the external networks.
IV. To have an identifiable secure and reliable transport
mechanism between two communicating devices on the Local Area
Network.
V. To provide a secure way for applications to translate data
formats, encrypt, decrypt, compress, and decompress data traversing
the network.
VI. To provide a secure platform where end users interacts with
the application and other software by securing the application
layer protocols such as HTTP,FTP,TELNET, H.323 etc.
Aim 2: To investigate and analyse the available tool and methods
to secure a wired Local Area Network.
Objectives
I. To prevent un-trusted traffic to access the network resources
and secure gateways at the session layers to control the setup and
teardown of sessions on the OSI model.
II. To provide a cost effective but efficient and reliable Local
Area Network.
Personal and Academic objectives
I. To study, and learn how to secure Local Area Networks, and
the security threats faced by these Networks in a dynamic network
technological environment.
II. To learn how to organise meaningfully my time in order to
achieve my intended goals in a given limited time.
III. To learn the techniques and approach on how to carry out a
meaningful research on specific topics.
IV. To achieve skills on how to write successfully a
well-structured report.
V. To improve my presentation skills and increase my
confidence.
VI. To prepare myself for a future carrier as a computer network
security professional.
Chapter 4: Approach and Scenario4.1 Approach
The network security strategy to follow in securing a wired LAN
is to start by securing the LAN’s network endpoints which include:
hosts, servers, or other devices that act as network clients,
including non-endpoint LAN devices such as switches, storage area
networking devices (SAN), IP telephony etc., and mitigating attacks
such as LAN storms, MAC address table overflows, STP manipulation,
and VLAN attacks. The following figure shows the endpoint
security.
Endpoint security
In addition a Virtual topology is used to show the LAN devices
that require to be secured on which this project proposal is based
as a structured guide to follow.
4.2 Scenario
As a final year student in Computer Networking at London
Metropolitan University, I am assigned with a project specification
of type research and practical work to do a project on ‘Securing
wired Local Area Networks (LANs)’. As stated in the introduction a
virtual topology is used to show how to secure LAN so that users
and programs can perform actions that have been allowed. This
topology includes the network devices that require to be secured on
the LAN. This is achieved by specifying and implementing both
software and hardware formats of network security.
In order to meet the specific requirements of the project, a
plan to secure protocols and devices on the OSI model is to be
followed with specific emphasis put on layer 2 of the OSI model
(Data link layer) and securing the internal network from un-trusted
external traffic.
4.2.1 Secured LAN Virtual Topology
Chapter 5: Project Scope, and Methodology5.1 Project Scope
Securing computer network environment involves a wide verity of
measure to be undertaken to mitigate the threats posed to the
Network from all angles such as Wired, wireless devices, voice and
video as well on both LANs and WANs. However, in this case am going
to concentrate on securing wired LANs. The following lists the
areas that are covered in this project proposal:
· Brief History of LAN evolution
· Network Security in General
· Wired LAN Security Threats
· Internal Threats
· External Threats
· Wired LAN Security Vulnerabilities
· Internal Threats
· External Threats
· Wired LAN Security Mitigation Technologies
· Secure Wired LAN Devices
· Virtual Topology to show LAN Security implementation
· Impacts of the Network Security Threats
5.2 Methodology
1. Designate a secure physical environment – Data centre that is
well ventilated, with backup power supply and controlled access to
only authorised personnel.
2. Make Use of other port level traffic control provided by
catalyst switches such as storm control, protected ports, private
virtual LAN(PVLAN),port blocking and port security.
3. Implementation of VLAN technology on the Local Area
Network.
4. Configure security access control measures using access-
lists such as router access- lists, port access- lists, Mac access-
lists, and VLAN access- lists.
5. Configure DHCP snooping and enable IP source guard to prevent
rogue DHCP on the network.
6. Use/ configure Authentication, Authorization, and Accounting
(AAA) protocol by implementing a server-based AAA authentication to
provides the necessary framework to enable scalable access security
to access a Cisco Secure Access Control Server (ACS). Use TACACS+
protocols servers to achieve this.
7. Use the Cisco Adaptive Security Appliance (ASA) firewall as a
network firewall to achieve network security between the trusted
and un-trusted network.
8. Create a demilitarized zone (DMZ) to enable external /
internet host access to company web, email, FTP servers and to
provide security systems residing within them
9. Use Network-based and Host-based intrusion prevention systems
that can provide in-depth checks of packets on layer 4 through to
layer 7.
10. By structuring the LAN in a hierarchal structure i.e. core,
distribution and access to provide redundancy, efficient, and
reliability on the LAN. Optional: use 2 layer 2, and 3 switches and
2 ASA which offer extra features at a relatively low cost compared
to buying other standalone devices such as PIX of layer 2
switches.
5.2.1 Resources
Hardware:
· 2 Layer 2 switches
· 2 layer 3 switches
· 1Cisco Adaptive Security Appliance
· 4 Personal Computers
· Perimeter Router Firewall
· RADIUS / or TACACS+ server
· Ethernet Cross over cable with RJ45 connectors
· Straight through cable with RJ45 connectors
· DHCP/DNS Server
· Web/Email/FTP Server
· Cisco Secure- MARS
Software/configuration:
· Firewall(HIPS/NIDS)
· Cisco IOS images
· GNS3
5.3 Assumptions
1. It is assumed that this model can be applied to a large
LAN.
2. The network management will continuously patch all the LAN
security software vulnerabilities by installing updating.
3.The network security professionals employees will continuously
monitoring, and testing the networks’ security using network
security auditing tools, and also researching about the new network
security threats out there.
4. A virtual topology is used that will display some devices of
a physical type but can be implemented as software on the physical
topology. For example, the Cisco ASA device offers features which I
wanted to show through the Virtual topology and which won’t
visually show.
5. Its assumed that a routing protocol is configured on the LAN
and there is connectivity from one end device to the other.
5.4 Contingency Plans
1. Instead of a Cisco ASA we can use Cisco PIX firewall
device.
2. Use RADIUS instead of TACACS+ for server-based AAA
authentication.
3. The LAN can have layer 3 switches instead of having layer 2
switches which will improve security and performance, and to
provide redundancy extra trunk links can be added and secured.
4. NAC, CSA, and IronPort, technologies can be used to in
parallel to provide protection of operating system vulnerabilities
against both direct and indirect attack.
5. Software firewall can be configured on devices that support
them if money to buy and maintain them is short.
Chapter 6 : Project Plan6.1 GANTT CHART
To have a good plan for the project in place is such a
significant measure for a successful completion of the project. it
entails what should be done, how it is gone be done, when to do it,
how long it will take to do a certain task, what measures are there
to gauge the success, and lastly a review plan of every stage.
This chart displays the tasks which will need to be completed,
and each task is allocated a specific time in which it will start
and be completed until the end of the project.
Figure 2: Project Proposal Gantt chart
6.2 WORK BREAKDOWN STRUCTURE
This is a breakdown of the list of the project tasks that have
got to be undertaken and completed in order for the project to be
completed.
Figure 1: WORK BREAKDOWN STRUCTURAL CHART
Chapter 7: Final Project report Table of Contents
Below is the structure of the contents that will be used for the
final report. All sections have been stated, including subheadings
in the literature review.
· Front Page
· Contents Page
· Introduction
· Acknowledgements
· Dedications
· What is a LAN?
· History of LANs
· Use of LANs
· What is Network Security?
· History of LAN Security
· LAN Security Threats
· LAN Security Devices
· Benefits of a Secured Wired LANs
· LAN Security Technologies
· Hardware based
· Software based
· Secured Wired LAN Topology
· Layer 2 Switches
· Layer 3 switches
· Cisco Adaptive Security Appliance
· TACACS+/Radius Server (AAA)
· Demilitarized Zone (DMZ)
· Edge Router
· End Devices
· Crossover and Straight through with RJ45 connectors cables
· Testing and Analysis
· Conclusion
· References & Bibliography
· Appendix A: Project Plans & System Models
· Appendix B: Test Plans & Results
· Appendix C: Project Proposal Report
Chapter 8: Conclusion
Over the last 25 years companies have come to realise a great
need to secure their LANs due to the increasing dynamic network
security threats that has resulted in big financial and identity
losses which have damaged company brands and individuals. As a
result companies and government have learnt the importance of
network security and they are committing a lot of money to maintain
a secure LAN environment so as to achieve the three basic principle
of network security that is to say: Confidentiality, Integrity, and
Authentication. Wired LANs security is a fundamental basic
requirement that has become an integral part of computer networks.
Many organisations, governments and businesses have put in place
network security policies are to provide a framework and guideline
for network users/employees to follow when doing their work on
company computer networks infrastructure.
Since it is impossible to have a totally secured wired LAN due
the very dynamic network security threats out there in the computer
world advanced with presence of the internet technology. It is my
advice that having put in place Network Security Policies and taken
steps to achieve them, Network Security Professionals should
continually install software patches, monitor, and test the
computer networks and also keep learning and sharing information
about the new security threats.
References:
1. Wayne Lewis, LAN Switching and Wireless, Exploration
Companion Guide
2. Hucaby, D. (2005) Cisco ASA and PIX Firewall Handbook, Cisco
Press
3. Carroll, B. (2004) Cisco Access Control Security: AAA
Administration Server, Cisco Press, 2Rev Ed.
4. CCNA Security, Implementing Network Security, Cisco Press
5.
http://www.referenceforbusiness.com/small/Inc-Mail/Local-Area-Networks-LANS.html
6. http://www.sans.org/top-cyber-security-risks/
7.
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1046651
8.
http://flylib.com/books/2/464/1/html/2/images/1587052091/graphics/08fig14.gif
9.
http://compnetworking.about.com/library/graphics/basics_osimodel.jpg
10. http://www.orbit-computer-solutions.com
11. http://www.i1u.net/images/web/PAT.gif
12.
http://ptgmedia.pearsoncmg.com/images/0131014684/samplechapter/0131014684_ch02.pdf
13.
http://www.cisco.com/warp/public/cc/so/neso/sqso/roi1_wp.pdf
14.
http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch5_EttF.html#wp1031600
