Project Proposal Report

SECURING WIRED LOCAL AREA NETWORK
PROJECT PROPOSAL REPORT
Mr Sentuya Francis Derrick,
ID 08051602
Module: CT3P50N
fds0008@londonmet.ac.uk
Supervisor: Dr. Shamhram Salekzamankhani
s.salekzamankhani@londonmet.ac.uk
A project proposal report as a partial fulfilment
of the requirements of London Metropolitan University for
the degree of Bachelor of Science in Computer Networking with Honours
April-13-2011
Faculty of Computing
Table of contents
CHAPTER 1: INTRODUCTION
CHAPTER 2: LITERATURE REVIEW
  2.1 LAN OVERVIEW
  2.2 BRIEF HISTORY
  2.3 NETWORK SECURITY
  2.4 EVOLUTION OF LAN SECURITY
  2.5 THE OSI 7 LAYER MODEL APPROACH TO UNDERSTANDING LAN VULNERABILITIES
    2.5.1 APPLICATION LAYER (LAYER 7)
    2.5.2 PRESENTATION LAYER (LAYER 6)
    2.5.3 SESSION LAYER (LAYER 5)
    2.5.4 TRANSPORT LAYER (LAYER 4)
    2.5.5 NETWORK LAYER (LAYER 3)
    2.5.6 DATA LINK LAYER (LAYER 2)
    2.5.7 PHYSICAL LAYER (LAYER 1)
  2.6 LAN'S MOST VULNERABLE LAYER
  2.7 MOST COMMON LAYER 2 ATTACKS/THREATS
  2.8 TYPES OF OTHER NETWORK THREATS
    2.8.1 RECONNAISSANCE ATTACKS
    2.8.2 DENIAL-OF-SERVICE
    2.8.3 ACCESS ATTACKS
  2.9 IMPACT OF NETWORK SECURITY BREACHES/THREATS
  2.10 CISCO SECURITY AGENT FIREWALL (ENDPOINT DEVICE SECURITY)
  2.11 PORT LEVEL TRAFFIC CONTROL
  2.12 PORT SECURITY
  2.13 STORM CONTROL
  2.14 PROTECTED VLAN EDGE
  2.15 ACCESS LISTS
  2.16 SPANNING TREE PROTOCOL MEASURES (FEATURES)
    2.16.1 PORT-FAST
    2.16.2 BPDU GUARD
    2.16.3 ROOT GUARD
    2.16.4 LOOP GUARD
    2.16.5 ETHERCHANNEL GUARD
    2.16.6 VLAN TRUNK SECURITY
  2.17 CISCO SECURITY MONITORING, ANALYSIS, AND MITIGATION SYSTEM (CS-MARS)
  2.18 PORT ADDRESS TRANSLATION (PAT) / NAT OVERLOAD
  2.19 TACACS+ / RADIUS SERVER
  2.20 CISCO ADAPTIVE SECURITY APPLIANCE (ASA) FIREWALL
    2.20.1 EXTENDED SIMPLE MAIL TRANSFER PROTOCOL (ESMTP)
    2.20.2 FILE TRANSFER PROTOCOL
    2.20.3 HTTP
    2.20.4 INTERNET CONTROL MESSAGE PROTOCOL (ICMP)
    2.20.5 H.323 STANDARD
    2.20.6 SKINNY PROTOCOL (SKINNY CLIENT CONTROL PROTOCOL - SCCP)
    2.20.7 SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
    2.20.8 TRIVIAL FILE TRANSFER PROTOCOL (TFTP)
    2.20.9 REAL TIME STREAMING PROTOCOL (RTSP)
  2.21 DNS IMPLEMENTATION
  2.22 INTRUSION DETECTION AND PREVENTION SYSTEM
    2.22.1 STATEFUL PATTERN-MATCHING RECOGNITION
  2.23 HOST-BASED INTRUSION DETECTION SYSTEMS
  2.24 DEMILITARIZED ZONE (DMZ)
  2.25 DHCP SNOOPING
    2.25.1 DYNAMIC ARP INSPECTION
    2.25.2 IP SOURCE GUARD
CHAPTER 3: AIMS AND OBJECTIVES
  AIM 1: TO INVESTIGATE WHICH LAYER OF THE OSI MODEL IS MOST VULNERABLE TO ATTACKS ON THE LOCAL AREA NETWORK
    Objectives
  AIM 2: TO INVESTIGATE AND ANALYSE THE AVAILABLE TOOLS AND METHODS TO SECURE A WIRED LOCAL AREA NETWORK
CHAPTER 4: APPROACH AND SCENARIO
  4.1 APPROACH
  4.2 SCENARIO
    4.2.1 SECURED LAN VIRTUAL TOPOLOGY
CHAPTER 5: PROJECT SCOPE AND METHODOLOGY
  5.1 PROJECT SCOPE
  5.2 METHODOLOGY
    5.2.1 RESOURCES
  5.3 ASSUMPTIONS
  5.4 CONTINGENCY PLANS
CHAPTER 6: PROJECT PLAN
  6.1 GANTT CHART
  6.2 WORK BREAKDOWN STRUCTURE
CHAPTER 7: FINAL PROJECT REPORT TABLE OF CONTENTS
CHAPTER 8: CONCLUSION
REFERENCES
Chapter 1: Introduction
This project proposal is about how to secure a wired local area network. Local Area Networks are defined as a group of computers and devices interconnected within a limited geographical area such as a computer laboratory, home, office building, or school. Local Area Networks enable the sharing of resources like printers, games, files, or other applications amongst users on the network. One Local Area Network can be connected to other Local Area Networks, and also to the Internet.
By this definition it is therefore imperative to make local area networks secure, so as to provide users with confidentiality, data integrity, and authentication of everyone who accesses the network.
Network security is an important part of local area networks. It involves securing protocols, technologies, and devices by mitigating network security threats with network security tools and techniques. In addition, network security policies are put in place to provide a framework and guidelines for network users/employees to follow when doing their work on company computer networks.
It is in my interest to investigate, analyse, learn and gain skills about the dangers and threats computer networks face, and the technology used to mitigate these threats, and hence to have a more secure Local Area Network environment.
A virtual topology is used to show a secured LAN solution.
Chapter 2: Literature Review
2.1 LAN overview
In a local area network, users have computer devices with disks, processors and operating systems as a platform on which software and other applications run. These computers communicate with one another within a small geographical area covered by the networked computers, usually a single building or group of buildings. Local Area Networks may also connect to other networks of computers with printers, server computers or mainframes with higher processing power and memory storage, which can send information from the Local Area Network over telephone lines to another location or network.
LANs offer higher data-transfer rates and no need for leased telecommunication lines. In the past ARCNET, Token Ring and other technology standards have been used, but Ethernet over twisted pair cabling and Wi-Fi are the two most common technologies currently in use.
This type of network allows its users to have isolated or separate offices but still operate off the same system, as if they were all sitting around a single computer.
This network can be installed simply, upgraded or expanded with little difficulty, and even moved or rearranged without disruption. LANs have helped to increase workplace productivity, decrease the amount of paper used and speed up the flow of information.
It is important to mention that, on the other hand, LANs have also created additional work in terms of organization, maintenance, security and troubleshooting.
2.2 Brief history
In the 1970s and 1980s, the development of both disk operating system based personal computers and Control Program for Microcomputers based personal computers meant that one site could have a large number of computers. A need developed to share disk space and laser printers due to the high cost of these devices, and as a result the idea of the LAN started to be developed.
In the early 1980s the advent of Novell NetWare provided operating systems that supported dozens of competing card/cable types, until in the mid-1990s Microsoft introduced Windows NT. UNIX workstations from Sun Microsystems, Silicon Graphics, Hewlett-Packard, Bell, Intergraph etc. were using TCP/IP based networking, which has since then almost replaced the other protocols used on early computers.
The introduction of the OSI model has enabled multi-vendor products that are compatible and work together on one single machine. As a result, users were able to share resources regardless of what operating system, network cards, cabling or protocols were being used by the different software running on the different machines. This poses numerous network security vulnerabilities that can have catastrophic results for businesses, individuals and government organisations as well. This has in turn made network security an integral part of computer networks, to secure them and mitigate network attacks.
2.3 Network Security
Network security involves protecting information, systems and the hardware that use, store, and transmit that information. It involves the steps taken to make sure that the confidentiality, integrity, and availability of data and resources is maintained against both internal and external network threats.
Network security solutions started appearing from the early 1960s but did not have a big impact until the 2000s, due to the complexity of network security and the dynamic, ever-changing nature of networks. Below is a brief timeline of network threats over the last 30 years:
- 1978 - First spam on ARPAnet
- 1988 - The Morris Internet virus
- 1999 - Melissa email virus
- 2000 - Mafiaboy DoS attack, Love Bug worm, L0phtCrack password cracker released
- 2001 - Code Red DoS attack
- 2004 - Botnet hits U.S. military systems
- 2007 - Storm botnet, TJX credit card data breach
- 2008 - Société Générale stock fraud
Because network security has become an integral part of business, devices dedicated to network security functions emerged. Over the last 30 years, the following network security detection systems and firewall solutions have emerged:
- Intrusion detection system (IDS), first developed by SRI International in 1984.
- In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.
- In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter.
- In 1989, AT&T Bell Laboratories developed the first stateful firewall.
- In 1991 the DEC SEAL application layer firewall was released.
- In 1994 the Check Point firewall was released.
- In 1995 the NetRanger IDS was released.
- In August 1997 the RealSecure IDS firewall was released.
- In 1998 and 1999 the Snort IDS and the first IPS were released respectively.
- From 2006 Cisco released the Cisco Zone-Based Policy Firewall and
2.4 Evolution of LAN Security
LAN security threats mostly, if not all, target the protocols and technologies used on the local area network or the switched network infrastructure, and they fall into two types: denial of service and spoofing attacks. The following shows the measures or security technologies that have been developed over the last 13 years to mitigate these types of LAN threats:
- In 1998 measures to mitigate MAC address spoofing, MAC address table overflow attacks, and LAN storms were released.
- In 2000 measures to mitigate root bridge spoofing and VLAN attacks were released.
- In 2003 measures to mitigate ARP spoofing attacks were released.
Network security also requires that data be protected and secured. This is achieved by the use of encryption and hashing technology, which hides plaintext data as it traverses the network, thus providing confidentiality, integrity, and authentication, the three components of information security. The following gives an outline of the cryptographic security technologies and their timeline:
- In 1993 Cisco GRE tunnels were released.
- In 1996 site-to-site IPsec VPNs were released.
- In 1999 Secure Shell (SSH) was released.
- In 2000 Multi-Protocol Label Switching (MPLS) VPNs were released.
- In 2001 remote-access IPsec VPN was released.
- In 2002 Dynamic Multipoint VPN was released.
- In 2005 Secure Socket Layer (SSL) VPN was released.
2.5 The OSI 7 Layer Model Approach to Understanding LAN Vulnerabilities
To understand how to secure a wired LAN, I am using the OSI 7 layer model approach. The OSI model is the ISO model of how network protocols and equipment should communicate and work together (interoperate). This approach helps me to investigate the different protocols used on each layer and the security vulnerabilities they pose, and to find a way to secure those vulnerabilities by undertaking network security measures that mitigate any attack which may take advantage of these security loopholes. This approach will also indicate which OSI layer is the most vulnerable on the LAN.
Diagram 1 / Figure 1: OSI 7 layer model (source: http://compnetworking.about.com/library/graphics/basics_osimodel.jpg)
The following is an outline of some of the protocols and examples of network devices associated with each layer of the OSI model.
2.5.1 Application Layer (Layer 7)
Protocols used on this layer: HTTP, FTP, SMTP, NTP, SNMP, EDI, Telnet, etc.
2.5.2 Presentation Layer (Layer 6)
Protocols on this layer: GIF, JPEG, MPEG, MIME, SSL, TLS.
2.5.3 Session Layer (Layer 5)
Protocols used on this layer: NetBIOS, RPC, Mailslots, AppleTalk, Winsock, etc.
2.5.4 Transport Layer (Layer 4)
Protocols used on this layer: TCP, UDP, SPX, ICMP, etc.
2.5.5 Network Layer (Layer 3)
Protocols used on this layer: Internet Protocol (IP), Internetwork Packet Exchange (IPX), ICMP, ARP, IPsec, BGP, IGRP, EIGRP, etc. Examples of devices: routers, layer 3 switches.
2.5.6 Data Link Layer (Layer 2)
Examples of layer 2 protocols: Ethernet, Token Ring, Frame Relay, FDDI, ATM, PDN. Examples of devices: layer 2 switches, bridges, etc.
2.5.7 Physical Layer (Layer 1)
This layer defines the physical medium, such as cabling, and interface specifications such as AUI, 10Base-T, RJ45, etc. It is where data is turned into bits (0s and 1s) to be sent on the cabling medium.
2.6 LAN's Most Vulnerable Layer
Based on the OSI model research approach to find out which of the seven layers is most vulnerable, I conclude that Layer 2 of the OSI model (the data link layer) poses the most network security vulnerabilities on the LAN. The data link layer is divided into two sub-layers: logical link control and media access control. Examples of the protocols that run on this layer are FDDI, Ethernet, Token Ring, MAC addresses, etc.
A layer 2 LAN switch performs switching and filtering based only on the data link layer (layer 2) MAC address. This makes layer 2 switches completely transparent to the network protocols and user applications. Unauthorised access to layer 2 devices will put the whole network's resources and performance at high security risk.
It should be noted that layer 3 switches are also to be seriously considered even though they operate at the network layer (layer 3). In addition, all protocols on the other layers of the OSI model are to be secured to provide a holistic LAN environment that is secure against security threats.
2.7 Most common layer 2 attacks/threats:
- MAC address spoofing - Switches populate the MAC address table by recording the source MAC address of a frame and associating that address with the port on which the frame is received. This method has led to a vulnerability known as MAC spoofing, which occurs when one host poses as another to receive otherwise inaccessible data or to circumvent security configurations.
- STP manipulation attack - STP allows for redundancy, and ensures that only one link is operational at a time and no loops are present. In an STP manipulation attack, the attacking host broadcasts STP configuration BPDUs with a lower bridge priority in an attempt to be elected as the root bridge by forcing spanning-tree recalculations. If the attack succeeds, the attacking host becomes the root bridge and sees a number of frames that would not otherwise have been accessible to it.
- MAC address table overflows - MAC address tables have a limited amount of memory allocated. MAC flooding takes advantage of this limitation by flooding the switch with fake source MAC addresses until the switch's MAC address table is full. If enough entries are entered into the MAC address table before older entries expire, the table fills up to the point that no new entries can be accepted. As a result the switch begins to flood all incoming traffic to all ports, since it has no space left to learn any legitimate MAC addresses. It is at this point that the attacker can see all of the frames sent from one host to another.
- LAN storms - This form of attack occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Switches are capable of broadcasting, especially when they are building their MAC address tables, or when the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) are in use.
- VLAN attacks - The attack works by taking advantage of an incorrectly configured trunk port. Trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The attacker can then spoof DTP messages and cause the switch to enter trunking mode, or bring up a rogue switch and enable trunking, and as a result access all the VLANs on the victim switch.
2.8 Types of other Network Threats
In order to have a secure LAN, securing layer 2 of the OSI model is imperative, as is addressing the primary vulnerabilities for end users on their personal computers, for example:
- Virus - malicious software that attaches itself to another program in order to execute a specific unwanted function on a computer.
- Worm - executes arbitrary code and installs copies of itself in the memory of the host computer, which then infects other hosts on the network.
- Trojan horse - an application, called malware in the computing world, that carries out malicious operations under the guise of a desired function. It could carry a virus or a worm.
The following shows other categories of network security threats that can exploit the vulnerabilities in layer 2, in end user devices, and in other layers of the OSI 7 layer model.
2.8.1 Reconnaissance attacks
These types of attacks gather information on the security vulnerabilities of the network or targeted devices, to be exploited later, by using tools like:
- Packet sniffers - a software application that uses the network adapter card in promiscuous mode to capture all network packets which are sent across a LAN.
- Ping sweeps - used to scan for and determine live hosts by sending ICMP echo requests to multiple hosts.
- Port scans - this tool scans a range of TCP or UDP port numbers on a host to detect listening services by sending messages to ports on the host; any response indicates whether the port is in use.
- Internet information queries - these are used to determine who owns a given domain and the addresses that are assigned to that domain.
2.8.2 Denial-of-service
This type of attack sends large numbers of requests over the network in order to overwhelm the target devices, causing them to run suboptimally and eventually become unavailable for legitimate access and use. Examples of DoS attacks are:
- Ping of Death - the attacker sends an echo request in an IP packet that is larger than the maximum packet size of 65,535 bytes, which can cause the target computer to crash.
- Smurf attack - the attacker sends a large number of ICMP requests to a directed broadcast address with spoofed source addresses on the same network as the directed broadcast; when the routing device forwards the broadcasts to all hosts on the destination network, all hosts reply to each packet, thus degrading the network performance.
- TCP SYN flood attack - floods of TCP SYN packets are sent by the attacker with forged sender addresses; each packet is handled as a connection request, causing the server to leave half-open connections by replying with a TCP SYN-ACK packet and waiting in vain for a response. This will eventually keep the server from responding to legitimate requests until the attack ends.
2.8.3 Access attacks
These attacks are used to gain access to the network, retrieve data, and escalate rights to resources. The following are the types of this form of attack:
- Man-in-the-middle - the attacker is positioned in the middle of the communications between two legitimate entities in order to read or modify the data that passes between the two parties.
- Buffer overflow - this attack writes data beyond the memory buffer allocated for a certain program, and as a result valid data is overwritten in order to execute malicious code.
- Port redirection - a targeted host is used as a stepping point for an attack on other host targets on the network or on other networks.
- Password attacks - the attacker keeps guessing the passwords of the targeted host, for example by using a dictionary attack.
- Trust exploitation - the attacker uses or exploits the privileges granted to a system in an unauthorised way, as a result compromising the target host.
2.9 Impact of Network security breaches/threats
Today there is an increasingly urgent need to secure computer networks due to many factors, some of which are mentioned below:
- Increase in cyber crime:
  - Identity theft
  - Child pornography
  - Theft of telecommunication services
  - Electronic vandalism, terrorism and extortion
  - Fraud/scams
- Impact on business and individuals:
  - Decrease in productivity
  - Loss of sales revenue
  - Loss of time
  - Compromise of trust and reputation
  - Threats to trade secrets or formulas
- Sophistication of threats
- Proliferation of threats
- Legislation and liabilities
- Internet connectivity
In order to mitigate the LAN security threats, the following technologies will be implemented to achieve a secure LAN environment.
2.10 Cisco Security Agent Firewall (Endpoint device security)
I will use Cisco Security Agent, which protects endpoints against threats posed by viruses, Trojan horses, and worms, as the means to secure my end devices.
Figure 3: Cisco Security Agent Firewall (Ref: CCNA Security, Implementing Network Security book, Cisco Press)
Cisco Security Agent is host-based intrusion prevention system (HIPS) software that provides protection for servers and computer systems. It can support over 100,000 agents. It has two components:
- The Management Center for CSA - to maintain a log of any security violations and generate alerts.
- Cisco Security Agent firewall - to be installed on hosts to proactively block any malicious attacks; it gets updates from the management center, continuously monitors local system activities and analyses all the operations of the system.
Cisco Security Agent provides protection by use of the following interceptors:
- File system interceptor - read or write requests are intercepted and allowed or denied according to the security policy.
- Network interceptor - this interceptor can limit the number of network connections allowed within a specified time in order to prevent DoS attacks.
- Configuration interceptor - read and write requests to the registry are intercepted, because modification of the registry configuration can have serious consequences.
- Execution space interceptor - this interceptor maintains the integrity of the dynamic runtime environment of each application by detecting and blocking requests to write to memory that is not owned by the requesting application.
The following measures/configurations to mitigate layer 2 attacks are to be implemented to secure layer 2 network devices.
2.11 Port level traffic control
At this level the following protection configurations can be applied on Catalyst switches:
2.12 Port Security
In order to prevent MAC table overflows and MAC spoofing, port security is to be configured to allow the specification of MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses as determined by the network administrator. If the MAC address of a device attached to the port differs from the list of secure addresses, the port shuts down until the administrator re-enables it. For example, the limit can be set to one MAC address assigned to a secure port, which will control unauthorized expansion of the network and also prevent the port from forwarding frames with a source MAC address that is not assigned to it or is outside the group of addresses defined on that port. In addition, port security aging is to be configured as either absolute or inactivity aging where required.
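As an added illustration of the MAC address table overflow described in section 2.7 and of the port-security mitigation in this section, the following Python model (not code from this report, nor from Cisco) simulates a switch with a deliberately tiny MAC table, floods one port with constructed source addresses, and compares where a legitimate frame ends up with and without port security on that port. The port names, MAC addresses, table size, aging interval and the mapping of the violation actions are all assumptions.

```python
"""Model of a layer 2 switch MAC address table and of port security.
Added example for sections 2.7 (MAC address table overflow) and 2.12
(Port Security); not code from the report or from Cisco.  The switch,
ports, MAC addresses and frames are constructed; nothing touches a network."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ingress_port: str
    src_mac: str
    dst_mac: str


@dataclass
class PortSecurity:
    """One secured port; names mirror the IOS options 'maximum' and
    'violation shutdown|restrict|protect' (assumed mapping)."""
    max_secure: int = 1
    violation: str = "shutdown"
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports, table_size=8, aging=10):
        self.ports = list(ports)
        self.table_size = table_size    # CAM capacity, deliberately tiny
        self.aging = aging              # entry lifetime in ticks (constructed)
        self.mac_table = {}             # mac -> (port, learned_at)
        self.security = {}              # port -> PortSecurity

    def enable_port_security(self, port, max_secure=1, violation="shutdown"):
        self.security[port] = PortSecurity(max_secure, violation)

    def _purge(self, now):
        """Drop MAC entries older than the aging time."""
        self.mac_table = {m: (p, t) for m, (p, t) in self.mac_table.items()
                          if now - t < self.aging}

    def _admit(self, frame):
        """Port-security check: True if the frame may enter the switch."""
        sec = self.security.get(frame.ingress_port)
        if sec is None:
            return True                 # unsecured port, anything goes
        if sec.err_disabled:
            return False                # port is down until re-enabled
        if frame.src_mac in sec.secure_macs:
            return True
        if len(sec.secure_macs) < sec.max_secure:
            sec.secure_macs.add(frame.src_mac)   # dynamically learnt secure MAC
            return True
        sec.violations += 1
        if sec.violation == "shutdown":
            sec.err_disabled = True     # violation action: shut the port
        return False                    # restrict/protect: drop the frame

    def forward(self, frame, now):
        """Return the egress ports of a frame ([] when it is dropped)."""
        self._purge(now)
        if not self._admit(frame):
            return []
        if frame.src_mac in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[frame.src_mac] = (frame.ingress_port, now)
        # otherwise the table is full and the source address cannot be learnt
        entry = self.mac_table.get(frame.dst_mac)
        if entry is None or frame.dst_mac == BROADCAST:
            # unknown unicast or broadcast: flood out of every other live port
            return [p for p in self.ports if p != frame.ingress_port
                    and not self.security.get(p, PortSecurity()).err_disabled]
        port, _ = entry
        return [] if port == frame.ingress_port else [port]


def overflow_scenario(secured):
    """Flood Fa0/3 with constructed source MACs for 24 ticks, then send a
    frame from host 1 (Fa0/1) to host 2 (Fa0/2).  Returns (egress, switch)."""
    h1, h2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    if secured:
        sw.enable_port_security("Fa0/3", max_secure=1, violation="shutdown")
    sw.forward(Frame("Fa0/1", h1, h2), now=0)      # switch learns both hosts
    sw.forward(Frame("Fa0/2", h2, h1), now=0)
    for now in range(1, 25):                        # four forged sources per tick
        for k in range(4):
            sw.forward(Frame("Fa0/3", f"02:00:00:00:{now:02x}:{k:02x}", h1), now)
    sw.forward(Frame("Fa0/2", h2, h1), now=25)      # host 2 speaks first
    return sw.forward(Frame("Fa0/1", h1, h2), now=25), sw


if __name__ == "__main__":
    for secured in (False, True):
        egress, _ = overflow_scenario(secured)
        print("with port security" if secured else "no port security", egress)
```

Without port security the table is full of forged entries, neither host can be learnt and the final frame is flooded to Fa0/2 and Fa0/3, so the flooding port sees it; with port security Fa0/3 is err-disabled on its second source address and the frame reaches only Fa0/2.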
2.13 Storm Control
This traffic suppression feature will prevent broadcast, multicast, or unicast floods of hostile packets on a LAN segment that cause unnecessary and excessive traffic and degrade network performance. It monitors inbound packets over a one-second interval and compares the count to the configured storm control suppression level, using one of these methods:
(i) Percentage of the total available bandwidth of the port allocated for broadcast, multicast, and unicast traffic;
(ii) Traffic rate in packets per second at which broadcast, multicast or unicast packets are received on the interface;
(iii) Traffic rate in packets per second for small frames, configured on each interface;
(iv) Traffic rate in bits per second at which broadcast, multicast, and/or unicast packets are received.
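An added Python model of the storm control check above (not code from this report or from Cisco): constructed frames on a 10 Mbit/s port are bucketed into one-second intervals and compared against a per-kind level expressed as a percentage of bandwidth, in packets per second or in bits per second (methods i, ii and iv); the small-frame threshold (iii) is not modelled, and the port speed, levels and frames are assumptions.

```python
"""Model of the storm control check in section 2.13.  Added example, not
code from the report or from Cisco; the port speed, levels and frames are
constructed.  The small-frame threshold (method iii) is not modelled."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # arrival time in seconds
    kind: str       # broadcast | multicast | unicast
    size: int       # bytes on the wire


class StormControl:
    """Per-port suppression levels: kind -> (unit, value), where unit is
    'pct' (share of port bandwidth), 'pps' or 'bps' (methods i, ii, iv)."""

    def __init__(self, bandwidth_bps, levels):
        self.bandwidth_bps = bandwidth_bps
        self.levels = levels

    def exceeded(self, kind, frames):
        """True when one interval's frames of this kind pass the level."""
        unit, value = self.levels[kind]
        bits = sum(f.size * 8 for f in frames)
        if unit == "pps":
            return len(frames) > value
        if unit == "bps":
            return bits > value
        if unit == "pct":
            return bits > self.bandwidth_bps * value / 100
        raise ValueError(f"unknown unit {unit!r}")

    def evaluate(self, frames):
        """Bucket frames into one-second intervals; return, per interval,
        the set of traffic kinds the port would suppress."""
        buckets = defaultdict(lambda: defaultdict(list))
        for f in frames:
            buckets[int(f.ts)][f.kind].append(f)
        return {interval: {k for k, fs in kinds.items()
                           if k in self.levels and self.exceeded(k, fs)}
                for interval, kinds in sorted(buckets.items())}


def storm_scenario():
    """Constructed traffic on a 10 Mbit/s port: a quiet second, then a
    broadcast storm together with a multicast burst, then quiet again."""
    sc = StormControl(bandwidth_bps=10_000_000,
                      levels={"broadcast": ("pct", 1.0), "multicast": ("pps", 100)})
    frames = [Frame(i / 100, "broadcast", 64) for i in range(20)]            # 10 kbit
    frames += [Frame(0.5, "unicast", 1500)] * 50                             # no level set
    frames += [Frame(1.0 + i / 1000, "broadcast", 64) for i in range(500)]   # 256 kbit > 1%
    frames += [Frame(1.2 + i / 1000, "multicast", 128) for i in range(150)]  # 150 pps > 100
    frames += [Frame(2.0, "broadcast", 64)] * 10
    return sc.evaluate(frames)
```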
2.14 Protected VLAN edge
Based on the security policy requirements, the PVLAN edge feature will enable the isolation of traffic by creating a firewall-like barrier that blocks any unicast, broadcast or multicast traffic among protected ports on the same LAN segment. The PVLAN edge feature will achieve the following:
(i) No traffic is forwarded between ports configured as protected. Packets must be routed via a layer 3 device between protected ports.
(ii) Forwarding behaviour between protected ports and non-protected ports proceeds normally, as per the default behaviour.
2.15 Access Lists
These are traffic filtering tools such as switch ACLs, router ACLs, port ACLs, VLAN ACLs and MAC ACLs, used to filter IP and non-IP traffic on the network. There are three types of access lists that can be used, i.e. standard, extended, and MAC extended.
- Port access lists - configured on a physical interface of a layer 2 switch, these support inbound and outbound traffic filtering. They can be applied on a trunk port to filter all VLANs and voice traffic (if data and voice are trunked).
- Router access lists - these will filter network traffic on switched virtual interfaces (SVIs), which are layer 3 interfaces on VLANs, on layer 3 physical interfaces and on EtherChannel interfaces.
- VLAN access lists - these will filter all types of traffic that are bridged within a VLAN or routed into or out of the VLAN. This feature, used in combination with the private VLAN feature, can filter traffic based on direction.
2.16 Spanning Tree Protocol Measures (features)
2.16.1 Port-Fast
This is a spanning-tree feature that enables an interface configured as a layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. This feature will minimize the time an access port spends waiting for STP to converge, eliminating the vulnerability of the longer waiting time a port otherwise has in transitioning from the blocking to the forwarding state.
2.16.2 BPDU Guard
The BPDU guard feature is to be used to protect the switched network from problems caused by receiving BPDUs on ports that should not be receiving them. These BPDUs can come from an unauthorized attempt to add a switch to the network; if BPDUs are received on a port with this feature enabled, the port is disabled, giving a secure response to invalid configuration by attackers. So, to prevent any rogue switch being placed on the network by an attacker, BPDU guard will be deployed on user-facing ports with Port-Fast enabled.
2.16.3 Root Guard
Configuring this feature will help us to limit the switch ports on which the root bridge can be negotiated in the switched network. It is to be deployed on ports that connect to switches that should not be the root bridge. When the attacker sends out spoofed BPDUs in order to become the root bridge, the switch receiving the BPDUs will ignore them and put the port in a root-inconsistent state, and the port will only recover once the attacker stops sending BPDUs. Root guard is best practice even though there may be a switch with a zero priority and a lower MAC address, and therefore a lower bridge ID.
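As an added example covering both BPDU guard (2.16.2) and root guard (2.16.3), the following Python model (not code from this report or from Cisco) shows how a switch port with each guard reacts to a constructed superior BPDU from a device claiming priority 0. The bridge IDs, port names and the recovery rule (the port recovers on the next non-superior BPDU, a simplification of the real timer-based recovery) are assumptions.

```python
"""Model of BPDU guard and root guard (sections 2.16.2 and 2.16.3).
Added example, not code from the report or from Cisco; bridge IDs, port
names and BPDUs are constructed, and root-guard recovery is simplified."""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """Compared as (priority, MAC): the lowest value wins the root election."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId       # the root bridge the sender advertises
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, bridge_id, ports):
        self.bridge_id = bridge_id
        self.root_id = bridge_id    # a switch starts out believing it is root
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, bpdu):
        """Apply the guards, then the normal root election.  Returns the
        port state after the BPDU has been processed."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state       # stays down until an administrator resets it
        if port.bpdu_guard and port.portfast:
            # BPDU guard: an edge port must never see a BPDU, so shut it
            port.state = "err-disabled"
            port.log.append(f"bpduguard: BPDU from {bpdu.sender_id.mac}, port shut")
            return port.state
        if port.root_guard and bpdu.root_id < self.root_id:
            # Root guard: a superior BPDU on a port that must not lead to the
            # root is ignored and the port is blocked instead of re-electing
            port.state = "root-inconsistent"
            port.log.append(f"rootguard: superior root {bpdu.root_id.mac} ignored")
            return port.state
        if port.state == "root-inconsistent":
            # Simplification: the next non-superior BPDU restores the port
            # (real switches wait for the superior BPDUs to age out)
            port.state = "forwarding"
            port.log.append("rootguard: port recovered")
        if bpdu.root_id < self.root_id:
            self.root_id = bpdu.root_id     # ordinary STP: accept the better root
        return port.state

    def clear_errdisable(self, port_name):
        """Administrator re-enables a port shut by BPDU guard."""
        self.ports[port_name].state = "forwarding"


def stp_scenario():
    """A rogue device claiming priority 0 sends BPDUs to an edge port with BPDU
    guard and to an uplink with root guard.  Returns (root MAC, states, logs)."""
    sw = Switch(BridgeId(32768, "00:1a:00:00:00:01"), [
        Port("Fa0/1", portfast=True, bpdu_guard=True),   # user-facing access port
        Port("Gi0/1", root_guard=True),                  # uplink to a non-root switch
        Port("Gi0/2"),                                   # uplink towards the real root
    ])
    real_root = BridgeId(4096, "00:1a:00:00:00:aa")
    other = BridgeId(32768, "00:1a:00:00:00:02")
    rogue = BridgeId(0, "00:de:ad:be:ef:00")             # constructed rogue bridge
    sw.receive_bpdu("Gi0/2", Bpdu(real_root, real_root))  # legitimate election
    sw.receive_bpdu("Fa0/1", Bpdu(rogue, rogue))          # BPDU on an edge port
    sw.receive_bpdu("Gi0/1", Bpdu(rogue, rogue))          # superior BPDU on uplink
    sw.receive_bpdu("Gi0/1", Bpdu(real_root, other))      # rogue BPDUs have stopped
    states = {n: p.state for n, p in sw.ports.items()}
    logs = {n: list(p.log) for n, p in sw.ports.items()}
    return sw.root_id.mac, states, logs
```

The legitimate root is kept throughout: the edge port ends up err-disabled and the guarded uplink passes through root-inconsistent and back to forwarding without the rogue ever becoming root.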
2.16.4 Loop Guard
The loop guard feature will be enabled on all switches across the network to prevent alternate or root ports from becoming designated ports because of a failure resulting in a unidirectional link, thus providing an additional layer of protection against layer 2 forwarding loops (STP loops).
2.16.5 EtherChannel Guard
Enabling this feature on switches will detect EtherChannel misconfigurations between switches and any connected devices, such as parameters that are unidentified or do not match on both sides. EtherChannel guard will place the switch interface into the disabled state or display an error message. This guard will have to be enabled on both sides of the link.
2.16.6 VLAN Trunk Security
In order to mitigate VLAN hopping attacks, trunking is to be enabled only on ports requiring trunking, and a dedicated native VLAN is to be used for all trunk ports. In addition, auto trunking negotiation (DTP) will be disabled and trunking enabled manually, and all unused switch ports will be disabled and placed in an unused VLAN.
2.17 Cisco Security Monitoring, Analysis, and Mitigation System (CS-MARS)
Using the Cisco Security Monitoring, Analysis, and Mitigation appliance will enable us to monitor, identify, isolate, and counter or mitigate any security threats on the network. In addition, this system is cost effective and very flexible in its use, as its features can be accessed via the web.
2.18 Port Address Translation (PAT) / NAT Overload
This uses the address space reserved for private use under RFC 1918, which includes:
- 10.0.0.0 - 10.255.255.255 (mask /8)
- 172.16.0.0 - 172.31.255.255 (mask /12)
- 192.168.0.0 - 192.168.255.255 (mask /16)
NAT overload, sometimes called PAT (Port Address Translation), maps multiple unregistered or private IP addresses to a single registered or public IP address by using different ports. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. This process also validates that incoming packets were requested, thus adding a degree of security to the session.
Figure 4: PAT Translation (source: http://www.i1u.net/images/web/PAT.gif)
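An added Python model of NAT overload as described above (not code from this report or from Cisco): outbound packets from RFC 1918 addresses get a unique source port on the single inside global address, and an inbound packet is passed only when it matches an existing translation, which is the "incoming packets were requested" check. The public and server addresses are constructed from the TEST-NET documentation ranges and the port allocation is a simple counter, both assumptions.

```python
"""Model of NAT overload / PAT (section 2.18).  Added example, not code from
the report or from Cisco; the addresses come from the RFC 1918 and
documentation (TEST-NET) ranges and the packets are constructed."""
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private ranges listed in section 2.18
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pat:
    """One inside global (public) address shared by all inside hosts."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port     # simple counter (constructed policy)
        # (global port, outside ip, outside port) -> (inside ip, inside port)
        self.inbound_table = {}
        # (inside ip, inside port, outside ip, outside port) -> global port
        self.outbound_table = {}

    def outbound(self, pkt):
        """Translate inside -> outside.  Returns the packet as seen on the
        outside, or None when the source is not a private inside address."""
        if not is_private(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.outbound_table.get(key)
        if gport is None:
            gport = self.next_port      # unique source port per translation
            self.next_port += 1
            self.outbound_table[key] = gport
            self.inbound_table[(gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.inside_global, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate outside -> inside.  Returns None (drop) unless an inside
        host opened this translation, i.e. the packet was requested."""
        if pkt.dst_ip != self.inside_global:
            return None
        inside = self.inbound_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def pat_scenario():
    """Two inside hosts use the same source port towards one web server, then
    a reply and an unsolicited packet arrive from outside."""
    pat = Pat("203.0.113.5")            # constructed public address (TEST-NET-3)
    web = "198.51.100.7"                # constructed outside server (TEST-NET-2)
    a = pat.outbound(Packet("192.168.1.10", 40000, web, 80))
    b = pat.outbound(Packet("10.0.0.20", 40000, web, 80))     # same source port
    a_again = pat.outbound(Packet("192.168.1.10", 40000, web, 80))
    reply_a = pat.inbound(Packet(web, 80, pat.inside_global, a.src_port))
    unsolicited = pat.inbound(Packet("198.51.100.9", 4444, pat.inside_global, a.src_port))
    not_inside = pat.outbound(Packet("203.0.113.77", 53, web, 80))
    return {"a": a, "b": b, "a_again": a_again, "reply_a": reply_a,
            "unsolicited": unsolicited, "not_inside": not_inside}
```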
2.19 TACACS+ / RADIUS Server
Cisco ASA supports both the RADIUS (Remote Authentication Dial-In User Service) protocol and the TACACS+ protocol. It can maintain a local database, or use an external server for authentication. For scalability and increased security I will maintain external, server-based AAA authentication on a Cisco Secure Access Control Server running the TACACS+ or RADIUS protocol.
In this case the Cisco Adaptive Security Appliance authenticates itself to the RADIUS server with a shared secret key that is never sent over the network, and then passes the user information to the RADIUS server. The password is encrypted by hashing with the shared secret key.
The diagram below shows this implementation running the RADIUS protocol.
Figure 5: TACACS+ Protocol (source: http://curriculum.netacad.net/virtuoso/servlet/org.cli.delivery.rendering.servlet.CCServlet/LMS_ID=CNAMS,Theme=ccna3theme,Style=ccna3,Language=en,Version=1,RootID=knetlcms_ccnasecurity_en_10,Engine=static/CHAPID=null/RLOID=null/RIOID=null/theme/cheetah.html?cid=2000000000&l1=en&l2=none&chapter=3)
Figure 6: RADIUS Protocol (Ref: http://ptgmedia.pearsoncmg.com/images/chap6_9781587058196/elementLinks/ca800601.jpg)
2.20 Cisco Adaptive Security Appliance (ASA) firewall
It is modelled on a self-defending Network (SDN) principle having several protective
and integrated layers such as firewalls, intrusion prevention, and anomaly mitigation.
Cisco Adaptive Security Appliance provides state-full application inspection of all
application and services traffic based on explicitly preconfigured polices and rules.
This inspection keeps tracks of every connection passing through the interface
making sure that they are valid connections; monitors established, closed, resets or
negotiates state of connections and maintains a database with this information in a
stable table. ASA provides intelligent threat defence and secure communications
services that stop attacks before they affect business continuity. Packet headers and
contents of the packets are examined through up to the application layer. Cisco
Adaptive Security Appliance will be configured to inspect the following protocols:
2.20.1 Extended Simple Mail Transfer Protocol (ESMTP)
This inspection will be used to restrict the type of SMTP commands that can pass
through the Cisco ASA. Any illegal command found in an ESMTP/SMTP packet will
cause a negative reply, and an SMTP error code will be generated.
2.20.2 File Transfer Protocol
File Transfer Protocol sessions are examined to provide:
 Enhanced security while creating dynamic secondary data connections for File Transfer Protocol transfers,
 Enforcement of the File Transfer Protocol command-response sequence,
 Generation of an audit trail for File Transfer Protocol sessions,
 Translation of embedded IP addresses.
2.20.3 HTTP
The Cisco ASA HTTP inspection engine checks that each HTTP transaction is compliant
with RFC 2616 by inspecting all HTTP request messages. Traditional firewalls and
intrusion detection systems detect only single-encoded HTTP URI requests, but the
Cisco ASA is capable of detecting double-encoded attacks, a capability known as HTTP
deobfuscation.
2.20.4 Internet Control Message Protocol (ICMP)
The Cisco ASA supports stateful inspection of Internet Control Message Protocol packets,
with the ability to translate ICMP error messages, which contain the full IP header of
the IP packet that failed and may be sent by intermediate hops, according to the
Network Address Translation configuration.
2.20.5 H.323 Standard
This standard stipulates the components, protocols and procedures that provide
multimedia communication services such as audio, video and data, using TCP
and UDP connections 2 and 6 respectively. The Cisco ASA monitors the TCP control
connection and dynamically allocates ports only after inspecting the messages, thus
keeping the exchange secure.
2.20.6 Skinny Protocol (Skinny Client Control Protocol, SCCP)
This protocol is used in VoIP applications, Cisco IP phones, Cisco Call Manager and
Cisco Call Manager Express. To support a unified wired LAN (audio and data), the
Cisco ASA offers the ability to inspect Skinny transactions, making the wired LAN a
secure unified network.
2.20.7 Simple Network Management Protocol (SNMP)
This protocol is used to manage and monitor networking devices. The Cisco ASA can
be configured to deny traffic based on the SNMP packet version, since early versions are
less secure. This practice can be incorporated into the security policy, thus making the
LAN more secure.
2.20.8 Trivial File Transfer Protocol (TFTP)
This protocol allows systems to read and write files in a client/server
relationship. Cisco ASA TFTP application inspection will be used to:
(i) prevent hosts from opening invalid connections, and
(ii) enforce the creation of the secondary channel from the server side, thus
preventing TFTP clients from creating it.
2.20.9 Real Time Streaming Protocol (RTSP)
The Cisco ASA supports inspection of this multimedia streaming protocol, specified in
RFC 2326, whose streams could carry harmful embedded code.
The protocol mostly uses TCP port 554, and applications that use RTSP include
RealAudio, Apple QuickTime, RealPlayer and Cisco IP/TV.
2.21 DNS Implementation
Traditionally, DNS queries relied on generic UDP handling based on activity
timeouts. With the Cisco Adaptive Security Appliance, UDP connections associated
with DNS queries and responses are torn down as soon as a reply to a DNS query has
been received (like the DNS Guard feature in the Cisco PIX firewall). Cisco ASA DNS
inspection will further provide security measures such as:
 Guaranteeing that the ID of a DNS reply matches the ID of the DNS query,
 Allowing translation of DNS packets using NAT,
 Reassembling DNS packets to verify their length, which has a maximum of 65,553 bytes, so that any larger packet is dropped.
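The behaviour described in this section (one pseudo-connection per outstanding query, a reply accepted only when its transaction ID matches, the entry torn down on the first reply, and over-length packets dropped) can be modelled in a few lines. The Python block below is an added illustration written for this report, not code from the report or from Cisco; the DNS messages, addresses and the 512-byte length limit in it are constructed assumptions chosen for the demonstration, not the appliance's own values.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_BIT = 0x8000                         # set in the flags word of a response


def build_dns_message(txid: int, response: bool, qname: str = "example.com") -> bytes:
    """Build a minimal DNS message (header plus one A/IN question). Constructed test data."""
    flags = QR_BIT if response else 0x0100          # queries carry only RD
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


class DnsGuard:
    """Stateful handling of UDP/53 as the section describes: remember each
    outstanding query, accept only the reply whose ID matches it, then tear
    the entry down immediately rather than waiting for an idle timeout."""

    def __init__(self, max_len: int = 512):
        self.max_len = max_len                    # assumed limit, configurable
        self.outstanding = {}                     # (client, cport, server) -> txid

    def outbound(self, client, cport, server, payload: bytes) -> bool:
        """Client -> server packet. Returns True if it is forwarded."""
        if len(payload) < DNS_HEADER.size:
            return False                          # truncated header
        txid, flags = DNS_HEADER.unpack_from(payload)[:2]
        if flags & QR_BIT:
            return False                          # a "query" with QR set is malformed
        self.outstanding[(client, cport, server)] = txid
        return True

    def inbound(self, client, cport, server, payload: bytes) -> bool:
        """Server -> client packet. Returns True if it is forwarded."""
        key = (client, cport, server)
        if len(payload) > self.max_len or len(payload) < DNS_HEADER.size:
            return False                          # over-length or truncated
        txid, flags = DNS_HEADER.unpack_from(payload)[:2]
        if not flags & QR_BIT:
            return False                          # not a response at all
        if self.outstanding.get(key) != txid:
            return False                          # no open query, or ID mismatch
        del self.outstanding[key]                 # tear the pseudo-connection down
        return True


def demo() -> list:
    """Constructed exchange between a client and its resolver through the guard."""
    g = DnsGuard(max_len=512)
    c, cp, s = "192.0.2.10", 40000, "192.0.2.53"
    return [
        g.outbound(c, cp, s, build_dns_message(0x1234, False)),    # query: forwarded
        g.inbound(c, cp, s, build_dns_message(0x9999, True)),      # wrong ID: dropped
        g.inbound(c, cp, s, build_dns_message(0x1234, True)),      # matching reply: forwarded
        g.inbound(c, cp, s, build_dns_message(0x1234, True)),      # repeat after teardown: dropped
        g.outbound(c, cp, s, build_dns_message(0x0001, False))
        and g.inbound(c, cp, s, build_dns_message(0x0001, True) + b"\x00" * 600),  # too long: dropped
    ]


if __name__ == "__main__":
    print(demo())
```

The ID check is only a 16-bit filter, so on its own it reduces rather than removes the window for forged replies; it complements, and does not replace, resolver source-port randomisation and DNSSEC validation on the DNS server itself.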
2.22 Intrusion Detection and Prevention System
Intrusion detection and prevention technologies, which detect attempts by an intruder
to gain unauthorised access to the network or a host in order to degrade performance
or steal information, are to be implemented both at the network edge router and on
hosts.
The Cisco Intrusion Prevention System (CIPS) will effectively mitigate a wide range of
network attacks. As already mentioned above, the Cisco Adaptive Security Appliance
(ASA), which is also a network-based intrusion detection solution, will be used; it has
an integrated intrusion prevention system feature. The Cisco ASA supports the
Advanced Inspection and Prevention Security Services Module (AIP-SSM) running Cisco
Intrusion Prevention System (CIPS) software v5.0 or later, which can process and
analyse traffic in inline or promiscuous mode.
I will implement an inline intrusion prevention system on the Cisco ASA, which is more
secure than promiscuous mode but affects overall throughput. In this case the Cisco
ASA will direct all traffic to the Advanced Inspection and Prevention Security Services
Module for processing and analysis, dropping any malicious packets, generating an alarm,
or resetting the connection, before the traffic is forwarded by the ASA. This will mitigate
network attacks such as Denial of Service (i.e. TCP SYN flood attacks, land attacks, Smurf
attacks), Distributed Denial of Service, and session hijacking (i.e. man-in-the-middle).
The system will use the following methods:
2.22.1 Stateful pattern-matching recognition
The device searches a TCP stream in chronological order: it keeps track of the arrival
order of the packets in the stream and matches patterns across packet boundaries. This
supports all non-encrypted IP protocols and has the capability to directly correlate
specific exploits with the pattern.
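Why matching "across packet boundaries" matters is easiest to see with a signature that happens to straddle two TCP segments, which a per-packet matcher never sees whole. The Python block below is an added illustration written for this report, not code from the report, from Cisco or from any IPS product; the segments, the sequence numbers and the signature string BADPATTERN in it are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment of one direction of a stream (constructed demo data)."""
    seq: int
    payload: bytes


def per_packet_matches(segments, signature: bytes) -> int:
    """The stateless approach: every segment is scanned on its own."""
    return sum(seg.payload.count(signature) for seg in segments)


class StreamMatcher:
    """Stateful pattern matching: put segments back into sequence order and
    scan the reassembled byte stream, so a signature split across two
    segments (or arriving out of order) is still found."""

    def __init__(self, signature: bytes, initial_seq: int):
        if not signature:
            raise ValueError("signature must not be empty")
        self.signature = signature
        self.next_seq = initial_seq      # sequence number of the next in-order byte
        self.pending = {}                # seq -> payload for segments that arrived early
        self.tail = b""                  # last len(signature)-1 bytes already scanned
        self.matches = 0

    def feed(self, seg: Segment) -> int:
        """Accept one segment in any arrival order; return matches found so far."""
        if seg.seq >= self.next_seq:     # simplification: drop plain retransmissions
            self.pending[seg.seq] = seg.payload
        while self.next_seq in self.pending:             # deliver everything now contiguous
            data = self.pending.pop(self.next_seq)
            self._scan(data)
            self.next_seq += len(data)
        return self.matches

    def _scan(self, data: bytes) -> None:
        # Prefix the carried tail so a signature that began in the previous
        # segment is seen whole. The tail is shorter than the signature, so
        # no hit counted here was already counted last time.
        window = self.tail + data
        self.matches += window.count(self.signature)     # non-overlapping count
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""


def demo() -> tuple:
    """Constructed stream: the signature straddles two segments that arrive reversed."""
    signature = b"BADPATTERN"
    segments = [
        Segment(seq=1000, payload=b"GET /x?q=BADPATT"),       # 16 bytes
        Segment(seq=1016, payload=b"ERN HTTP/1.1\r\n"),
    ]
    matcher = StreamMatcher(signature, initial_seq=1000)
    found = 0
    for seg in reversed(segments):       # the second segment is delivered first
        found = matcher.feed(seg)
    return per_packet_matches(segments, signature), found


if __name__ == "__main__":
    print(demo())   # per-packet misses the split signature; the stream matcher finds it
```

The reassembly buffer is the cost the section alludes to: an inline sensor must hold out-of-order data until the gap is filled, which is why inline mode reduces throughput and why a production IPS bounds that buffer per stream.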
Figure 7: Network Based- Inline Intrusion Prevention system
The following steps explain the sequence of events:
1. The Cisco ASA receives an IP packet from the Internet.
2. Because the Cisco ASA is configured in inline IPS mode, it forwards the packet
to the AIP-SSM for analysis.
3. The AIP-SSM analyzes the packet and, if it determines that the packet is not
malicious, forwards the packet back to the Cisco ASA.
4. The Cisco ASA forwards the packet to its final destination (the protected host).
2.23 Host-Based Intrusion Detection Systems
Cisco Security Agent software firewalls are to be installed on individual servers and client
machines to safeguard critical computer systems containing crucial data or other
shared resources. They secure hosts against attacks targeted at resources that
reside on the hosts, and will intercept any attacks that have not been detected by the
other network detection systems or firewalls. The diagram below illustrates this
implementation.
Figure 9: Host Based- Intrusion Prevention system
2.24 Demilitarized Zone (DMZ)
A DMZ network segment, a "neutral zone" between a company's private network
and the outside public network, will enable Internet/external users to access the
company's public servers, including Web and File Transfer Protocol (FTP) servers,
while maintaining security for the company's private LAN. An example of a
firewall to use for this is the Cisco ASA 5500.
Figure 8: DMZ Implementation
2.25 DHCP Snooping
In order to protect the network against rogue DHCP servers, DHCP snooping is to be
implemented to create a logical firewall between untrusted hosts and DHCP servers.
The switch builds and maintains a DHCP snooping table, also called the DHCP binding
database, used to identify and filter untrusted messages on the network. This database
keeps track of the DHCP addresses assigned to ports and filters DHCP messages from
untrusted ports. Incoming packets from untrusted ports are dropped if the source
MAC address does not match the MAC address in the binding table entry.
2.25.1 Dynamic ARP Inspection
By enabling the Dynamic ARP Inspection feature I will make sure that only valid ARP
requests and responses are forwarded, by validating their IP-to-MAC mapping.
2.25.2 IP Source Guard
Enabling IP Source Guard in combination with the DHCP snooping feature on untrusted
layer 2 interfaces restricts IP traffic on those ports by filtering it against the DHCP
snooping binding database or manually configured IP source bindings; as a result it
prevents IP spoofing attacks in which a host tries to spoof or use the IP address of
another host.
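Sections 2.25 to 2.25.2 describe one shared data structure, the DHCP snooping binding database, consulted by three checks: DHCP snooping itself (server messages only from trusted ports, client MAC consistent with the DHCP client hardware address), Dynamic ARP Inspection (ARP sender MAC/IP pair must be a binding learned on that port) and IP Source Guard (IP source address must be bound to that port). The Python block below models those three checks together as an added illustration for this report; it is not code from the report or from Cisco IOS, and the port names, VLAN, MAC and IP addresses in it are constructed for the scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the lease the switch watched the server hand out."""
    vlan: int
    mac: str
    ip: str
    port: str


class SnoopingSwitch:
    """Model of an access switch with DHCP snooping, Dynamic ARP Inspection and
    IP Source Guard enabled. Ports listed as trusted face the DHCP server or an
    uplink; every other port is untrusted (the default on a real switch)."""

    def __init__(self, trusted_ports):
        self.trusted = frozenset(trusted_ports)
        self.bindings = {}                 # (vlan, client mac) -> Binding

    # --- DHCP snooping ---------------------------------------------------
    def dhcp_server_message(self, ingress_port, vlan, client_mac, client_port, offered_ip) -> bool:
        """DHCPOFFER/ACK seen entering on ingress_port. Only trusted ports may
        source them; an ACK from a trusted port creates the client's binding."""
        if ingress_port not in self.trusted:
            return False                   # rogue DHCP server on an access port: drop
        self.bindings[(vlan, client_mac)] = Binding(vlan, client_mac, offered_ip, client_port)
        return True

    def dhcp_client_message(self, ingress_port, vlan, eth_src_mac, chaddr) -> bool:
        """DHCPDISCOVER/REQUEST from a host. On untrusted ports the Ethernet source
        MAC must equal the DHCP client hardware address (chaddr) in the message."""
        return ingress_port in self.trusted or eth_src_mac == chaddr

    # --- Dynamic ARP Inspection ------------------------------------------
    def arp_allowed(self, ingress_port, vlan, sender_mac, sender_ip) -> bool:
        """An ARP request or reply on an untrusted port is forwarded only if its
        sender MAC/IP pair is a binding that was learned on that same port."""
        if ingress_port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        return b is not None and b.ip == sender_ip and b.port == ingress_port

    # --- IP Source Guard -------------------------------------------------
    def ip_allowed(self, ingress_port, vlan, src_ip) -> bool:
        """IP traffic on an untrusted port must carry a source address bound to that port."""
        if ingress_port in self.trusted:
            return True
        return any(b.port == ingress_port and b.ip == src_ip
                   for b in self.bindings.values() if b.vlan == vlan)


def demo() -> dict:
    """Constructed scenario: DHCP server behind trusted Gi0/1; host A on untrusted
    Fa0/2 and host B on untrusted Fa0/3 both obtain leases, then B misbehaves."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/1"])
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw.dhcp_server_message("Gi0/1", 10, a, "Fa0/2", "10.0.10.20")
    sw.dhcp_server_message("Gi0/1", 10, b, "Fa0/3", "10.0.10.21")
    return {
        "rogue_offer_dropped": not sw.dhcp_server_message("Fa0/3", 10, a, "Fa0/2", "10.0.10.99"),
        "spoofed_chaddr_dropped": not sw.dhcp_client_message("Fa0/3", 10, b, a),
        "legit_arp_ok": sw.arp_allowed("Fa0/2", 10, a, "10.0.10.20"),
        "gateway_arp_spoof_dropped": not sw.arp_allowed("Fa0/3", 10, b, "10.0.10.1"),
        "borrowed_binding_dropped": not sw.arp_allowed("Fa0/3", 10, a, "10.0.10.20"),
        "ip_spoof_dropped": not sw.ip_allowed("Fa0/3", 10, "10.0.10.20"),
        "legit_ip_ok": sw.ip_allowed("Fa0/3", 10, "10.0.10.21"),
        "binding_intact": sw.bindings[(10, a)].ip == "10.0.10.20",
    }


if __name__ == "__main__":
    print(demo())
```

Every entry in `demo()` should come back True. The check order mirrors the dependency the report states: DAI and IP Source Guard are only as good as the binding table, so DHCP snooping must be enabled (and trusted ports chosen carefully) before the other two features mean anything, and statically addressed hosts need manual bindings or they are cut off.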
Chapter 3: Aims and Objectives
Aim 1: To investigate which layer of the OSI model is most vulnerable to attacks
on the Local Area Network.
Objectives
I. To secure the physical devices that operate at the physical layer, such as network interface cards, transceivers, repeaters, hubs and multi-station access units.
II. To secure the layer 2 protocols of the OSI model, such as Ethernet/IEEE 802.3, Token Ring/IEEE 802.5, Fibre Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), etc.
III. To secure the addressing structure and the routing protocols at the network layer of the OSI model for packet delivery on the LAN and to external networks.
IV. To have an identifiable, secure and reliable transport mechanism between two communicating devices on the Local Area Network.
V. To provide a secure way for applications to translate data formats and to encrypt, decrypt, compress and decompress data traversing the network.
VI. To provide a secure platform where end users interact with applications and other software, by securing application layer protocols such as HTTP, FTP, TELNET, H.323, etc.
Aim 2: To investigate and analyse the available tools and methods to secure a
wired Local Area Network.
Objectives
I. To prevent untrusted traffic from accessing network resources, and to secure gateways at the session layer of the OSI model to control the setup and teardown of sessions.
II. To provide a cost-effective but efficient and reliable Local Area Network.
Personal and Academic Objectives
I. To study and learn how to secure Local Area Networks, and the security threats faced by these networks in a dynamic network technology environment.
II. To learn how to organise my time meaningfully in order to achieve my intended goals in a given, limited time.
III. To learn the techniques and approach for carrying out meaningful research on specific topics.
IV. To acquire the skills to write a successful, well-structured report.
V. To improve my presentation skills and increase my confidence.
VI. To prepare myself for a future career as a computer network security professional.
Chapter 4: Approach and Scenario
4.1 Approach
The network security strategy for securing a wired LAN is to start by securing
the LAN's network endpoints, which include hosts, servers and other devices that act
as network clients, together with non-endpoint LAN devices such as switches, storage
area network (SAN) devices, IP telephony, etc., and by mitigating attacks such as
LAN storms, MAC address table overflows, STP manipulation and VLAN attacks.
The following figure shows endpoint security.
Endpoint security
In addition, a virtual topology is used to show the LAN devices that require securing;
this project proposal is based on it as a structured guide to follow.
4.2 Scenario
As a final year student in Computer Networking at London Metropolitan University, I
have been assigned a project specification, of the research and practical work type, to
do a project on 'Securing wired Local Area Networks (LANs)'. As stated in the
introduction, a virtual topology is used to show how to secure a LAN so that users and
programs can perform only the actions that have been allowed. This topology includes
the network devices that require securing on the LAN. This is achieved by
specifying and implementing both software and hardware forms of network
security.
In order to meet the specific requirements of the project, a plan to secure the protocols
and devices of the OSI model is to be followed, with specific emphasis on layer 2
of the OSI model (the data link layer) and on securing the internal network from untrusted
external traffic.
4.2.1 Secured LAN Virtual Topology
Chapter 5: Project Scope and Methodology
5.1 Project Scope
Securing a computer network environment involves a wide variety of measures to be
undertaken to mitigate the threats posed to the network from all angles, such as
wired and wireless devices, voice and video, on both LANs and WANs. However,
in this case I am going to concentrate on securing wired LANs. The following lists the
areas that are covered in this project proposal:
 Brief history of LAN evolution
 Network security in general
 Wired LAN security threats
o Internal threats
o External threats
 Wired LAN security vulnerabilities
o Internal threats
o External threats
 Wired LAN security mitigation technologies
 Secure wired LAN devices
 Virtual topology to show the LAN security implementation
 Impacts of network security threats
5.2 Methodology
1. Designate a secure physical environment: a data centre that is well ventilated, with
a backup power supply and access controlled to authorised personnel only.
2. Make use of the other port-level traffic controls provided by Catalyst switches, such as
storm control, protected ports, private VLANs (PVLAN), port blocking and port
security.
3. Implement VLAN technology on the Local Area Network.
4. Configure security access control measures using access lists such as router
access lists, port access lists, MAC access lists and VLAN access lists.
5. Configure DHCP snooping and enable IP Source Guard to prevent rogue DHCP servers on
the network.
6. Use and configure the Authentication, Authorization, and Accounting (AAA) protocol by
implementing server-based AAA authentication, which provides the framework for
scalable access security through a Cisco Secure Access Control Server (ACS). Use
TACACS+ protocol servers to achieve this.
7. Use the Cisco Adaptive Security Appliance (ASA) firewall as the network firewall to
enforce network security between the trusted and untrusted networks.
8. Create a demilitarized zone (DMZ) to enable external/Internet hosts to access the
company web, email and FTP servers, and to provide security for the systems residing
within it.
9. Use network-based and host-based intrusion prevention systems that can provide
in-depth checks of packets from layer 4 through to layer 7.
10. Structure the LAN hierarchically, i.e. core, distribution and access layers,
to provide redundancy, efficiency and reliability on the LAN. Optional: use two layer 2
and layer 3 switches and two ASAs, which offer extra features at a relatively low cost
compared with buying other standalone devices such as PIX firewalls or layer 2 switches.
5.2.1 Resources
Hardware:
 2 layer 2 switches
 2 layer 3 switches
 1 Cisco Adaptive Security Appliance
 4 personal computers
 Perimeter router firewall
 RADIUS or TACACS+ server
 Ethernet crossover cable with RJ45 connectors
 Straight-through cable with RJ45 connectors
 DHCP/DNS server
 Web/Email/FTP server
 Cisco Secure MARS
Software/configuration:
 Firewall (HIPS/NIDS)
 Cisco IOS images
 GNS3
5.3 Assumptions
1. It is assumed that this model can be applied to a large LAN.
2. Network management will continuously patch all LAN security software
vulnerabilities by installing updates.
3. The network security professionals employed will continuously monitor and
test the network's security using network security auditing tools, and will also
research the new network security threats that emerge.
4. A virtual topology is used that will display some devices of a physical type which can
nevertheless be implemented as software on the physical topology. For example, the Cisco ASA
device offers features which I wanted to show through the virtual topology and which
would not otherwise be visible.
5. It is assumed that a routing protocol is configured on the LAN and that there is
connectivity from one end device to the other.
5.4 Contingency Plans
1. Instead of a Cisco ASA we can use a Cisco PIX firewall device.
2. Use RADIUS instead of TACACS+ for server-based AAA authentication.
3. The LAN can have layer 3 switches instead of layer 2 switches, which
will improve security and performance, and to provide redundancy extra trunk
links can be added and secured.
4. NAC, CSA and IronPort technologies can be used in parallel to provide
protection of operating system vulnerabilities against both direct and indirect
attack.
5. Software firewalls can be configured on devices that support them if money to
buy and maintain hardware firewalls is short.
Chapter 6: Project Plan
6.1 GANTT CHART
Having a good plan for the project in place is a significant factor in the
successful completion of the project. It sets out what should be done, how it is going to be
done, when to do it, how long each task will take, what measures are
there to gauge success, and lastly a review plan for every stage.
This chart displays the tasks which will need to be completed; each task is
allocated a specific time in which it will start and be completed, up to the end of the
project.
Figure 2: Project Proposal Gantt chart
6.2 WORK BREAKDOWN STRUCTURE
This is a breakdown of the project tasks that have to be undertaken and
completed in order for the project to be finished.
Figure 1: WORK BREAKDOWN STRUCTURAL CHART
Chapter 7: Final Project Report Table of Contents
Below is the structure of the contents that will be used for the final report. All sections
have been stated, including the subheadings in the literature review.
 Front Page
 Contents Page
 Introduction
 Acknowledgements
 Dedications
 What is a LAN?
   History of LANs
   Use of LANs
 What is Network Security?
   History of LAN Security
 LAN Security Threats
 LAN Security Devices
 Benefits of Secured Wired LANs
 LAN Security Technologies
   Hardware based
   Software based
 Secured Wired LAN Topology
   Layer 2 Switches
   Layer 3 Switches
   Cisco Adaptive Security Appliance
   TACACS+/RADIUS Server (AAA)
   Demilitarized Zone (DMZ)
   Edge Router
   End Devices
   Crossover and Straight-through Cables with RJ45 Connectors
 Testing and Analysis
 Conclusion
 References & Bibliography
 Appendix A: Project Plans & System Models
 Appendix B: Test Plans & Results
 Appendix C: Project Proposal Report
Chapter 8: Conclusion
Over the last 25 years companies have come to realise a great need to secure their
LANs, due to the increasingly dynamic network security threats that have resulted in large
financial and identity losses and damaged the brands of companies and individuals.
As a result, companies and governments have learnt the importance of network
security and are committing a lot of money to maintaining a secure LAN
environment, so as to achieve the three basic principles of network security, that is to
say: Confidentiality, Integrity, and Authentication. Wired LAN security is a
fundamental requirement that has become an integral part of computer
networks. Many organisations, governments and businesses have put in place
network security policies to provide a framework and guidelines for network
users and employees to follow when doing their work on the company's computer network
infrastructure.
It is impossible to have a totally secure wired LAN, given the very dynamic
network security threats that exist in the computing world and have advanced with the
presence of Internet technology. It is therefore my advice that, having put in place network
security policies and taken steps to achieve them, network security professionals should
continually install software patches, monitor and test the computer networks, and
also keep learning and sharing information about new security threats.
References:
1. Lewis, W., LAN Switching and Wireless, Exploration Companion Guide
2. Hucaby, D. (2005) Cisco ASA and PIX Firewall Handbook, Cisco Press
3. Carroll, B. (2004) Cisco Access Control Security: AAA Administration Server, Cisco Press, 2nd Rev. Ed.
4. CCNA Security: Implementing Network Security, Cisco Press
5. http://www.referenceforbusiness.com/small/Inc-Mail/Local-Area-NetworksLANS.html
6. http://www.sans.org/top-cyber-security-risks/
7. http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1046651
8. http://flylib.com/books/2/464/1/html/2/images/1587052091/graphics/08fig14.gif
9. http://compnetworking.about.com/library/graphics/basics_osimodel.jpg
10. http://www.orbit-computer-solutions.com
11. http://www.i1u.net/images/web/PAT.gif
12. http://ptgmedia.pearsoncmg.com/images/0131014684/samplechapter/0131014684_ch02.pdf
13. http://www.cisco.com/warp/public/cc/so/neso/sqso/roi1_wp.pdf
14. http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch5_EttF.html#wp1031600