SECURING WIRED LOCAL AREA NETWORK
PROJECT PROPOSAL REPORT

Mr Sentuya Francis Derrick, ID 08051602
Module: CT3P50N
fds0008@londonmet.ac.uk
Supervisor: Dr. Shamhram Salekzamankhani, s.salekzamankhani@londonmet.ac.uk

A project proposal report as a partial fulfilment of the requirements of London Metropolitan University for the degree of Bachelor of Science in Computer Networking with Honours
April-13-2011
Faculty of Computing

Table of contents
CHAPTER 1: INTRODUCTION
CHAPTER 2: LITERATURE REVIEW
 2.1 LAN OVERVIEW
 2.2 BRIEF HISTORY
 2.3 NETWORK SECURITY
 2.4 EVOLUTION OF LAN SECURITY
 2.5 THE OSI 7 LAYER MODEL APPROACH TO UNDERSTAND LAN VULNERABILITIES
  2.5.1 APPLICATION LAYER (LAYER 7)
  2.5.2 PRESENTATION LAYER (LAYER 6)
  2.5.3 SESSION LAYER (LAYER 5)
  2.5.4 TRANSPORT LAYER (LAYER 4)
  2.5.5 NETWORK LAYER (LAYER 3)
  2.5.6 DATA LINK LAYER (LAYER 2)
  2.5.7 PHYSICAL LAYER (LAYER 1)
 2.6 LAN'S MOST VULNERABLE LAYER
 2.7 MOST COMMON LAYER 2 ATTACKS/THREATS
 2.8 TYPES OF OTHER NETWORK THREATS
  2.8.1 RECONNAISSANCE ATTACKS
  2.8.2 DENIAL-OF-SERVICE
  2.8.3 ACCESS ATTACKS
 2.9 IMPACT OF NETWORK SECURITY BREACHES/THREATS
 2.10 CISCO SECURITY AGENT FIREWALL (ENDPOINT DEVICE SECURITY)
 2.11 PORT LEVEL TRAFFIC CONTROL
 2.12 PORT SECURITY
 2.13 STORM CONTROL
 2.14 PROTECTED VLAN EDGE
 2.15 ACCESS LISTS
 2.16 SPANNING TREE PROTOCOL MEASURES (FEATURES)
  2.16.1 PORT-FAST
  2.16.2 BPDU GUARD
  2.16.3 ROOT GUARD
  2.16.4 LOOP GUARD
  2.16.5 ETHERCHANNEL GUARD
  2.16.6 VLAN TRUNK SECURITY
 2.17 CISCO SECURITY MONITORING, ANALYSIS, AND MITIGATION SYSTEM CS-MARS
 2.18 PORT ADDRESS TRANSLATION PAT / NAT OVERLOAD
 2.19 TACACS+ / RADIUS SERVER
 2.20 CISCO ADAPTIVE SECURITY APPLIANCE (ASA) FIREWALL
  2.20.1 EXTENDED SIMPLE MAIL TRANSFER PROTOCOL (ESMTP)
  2.20.2 FILE TRANSFER PROTOCOL
  2.20.3 HTTP
  2.20.4 INTERNET CONTROL MESSAGE PROTOCOL (ICMP)
  2.20.5 H.323 STANDARD
  2.20.6 SKINNY PROTOCOL (SIMPLE CLIENT CONTROL PROTOCOL - SCCP)
  2.20.7 SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
  2.20.8 TRIVIAL FILE TRANSFER PROTOCOL (TFTP)
  2.20.9 REAL TIME STREAMING PROTOCOL (RSTP)
 2.21 DNS IMPLEMENTATION
 2.22 INTRUSION DETECTION AND PREVENTION SYSTEM
  2.22.1 STATEFUL PATTERN-MATCHING RECOGNITION
 2.23 HOST-BASED INTRUSION DETECTION SYSTEMS
 2.24 DEMILITARIZED ZONE (DMZ)
 2.25 DHCP SNOOPING
  2.25.1 DYNAMIC ARP INSPECTION
  2.25.2 IP SOURCE GUARD
CHAPTER 3: AIMS AND OBJECTIVES
 AIM 1: TO INVESTIGATE WHICH LAYER OF THE OSI MODEL IS MOST VULNERABLE TO ATTACKS ON THE LOCAL AREA NETWORK
  Objectives
 AIM 2: TO INVESTIGATE AND ANALYSE THE AVAILABLE TOOLS AND METHODS TO SECURE A WIRED LOCAL AREA NETWORK
CHAPTER 4: APPROACH AND SCENARIO
 4.1 APPROACH
 4.2 SCENARIO
  4.2.1 SECURED LAN VIRTUAL TOPOLOGY
CHAPTER 5: PROJECT SCOPE AND METHODOLOGY
 5.1 PROJECT SCOPE
 5.2 METHODOLOGY
  5.2.1 RESOURCES
 5.3 ASSUMPTIONS
 5.4 CONTINGENCY PLANS
CHAPTER 6: PROJECT PLAN
 6.1 GANTT CHART
 6.2 WORK BREAKDOWN STRUCTURE
CHAPTER 7: FINAL PROJECT REPORT TABLE OF CONTENTS
CHAPTER 8: CONCLUSION
REFERENCES

Chapter 1: Introduction

This project proposal is about how to secure a wired local area network. Local area networks are defined as a group of computers and devices interconnected in a limited geographical area such as a computer laboratory, home, office building or school. Local area networks enable the sharing of resources like printers, games, files or other applications among users on the network. One local area network can be connected to other local area networks, and also to the internet. By this definition it is therefore imperative to make local area networks secure, to provide users with confidentiality, data integrity, and authentication of everyone who accesses the network.
Network security is an important part of local area networks. It involves securing protocols, technologies and devices by mitigating network security threats with network security tools and techniques. In addition, network security policies are put in place to provide a framework and guidelines for network users/employees to follow when working on company computer networks. It is in my interest to investigate, analyse, learn and gain skills about the dangers and threats computer networks face, and the technology used to mitigate these threats, and hence to have a more secure local area network environment. A virtual topology is used to show a secured LAN solution.

Chapter 2: Literature Review

2.1 LAN overview

In a local area network, users have computer devices with disks, processors and operating systems as a platform on which software and other applications run. These computers communicate with one another within the small geographical area covered by the networked computers, usually a single building or group of buildings. Local area networks may also connect to other networks of computers, printers, server computers or mainframes with higher processing power and storage, which can send information from the local area network over telephone lines to another location or network. LANs offer higher data-transfer rates and no need for leased telecommunication lines. In the past ARCNET, Token Ring and other technology standards have been used, but Ethernet over twisted-pair cabling and Wi-Fi are the two most common technologies currently in use. This type of network allows its users to have isolated or separate offices but still operate off the same system, as if they were all sitting around a single computer. Such a network can be installed simply, upgraded or expanded with little difficulty, and even moved or rearranged without disruption.
LANs have helped to increase workplace productivity, decrease the amount of paper used and speed up the flow of information. It is important to mention that, on the other hand, LANs have also created additional work in terms of organisation, maintenance, security and troubleshooting.

2.2 Brief history

In the 1970s and 1980s, the development of both disk operating system based personal computers and Control Program for Microcomputers based personal computers meant that one site could have a large number of computers. A need developed to share disk space and laser printers because of the high cost of these devices, and as a result the idea of the LAN started to be developed. In the early 1980s the advent of Novell NetWare provided an operating system that supported dozens of competing card/cable types. Until the mid-1990s, when Microsoft introduced Windows NT, UNIX workstations from Sun Microsystems, Silicon, Hewlett-Packard, Bell, Intergraph etc. were using TCP/IP-based networking, which has since almost replaced the other protocols used on early computers. The introduction of the OSI model has enabled multi-vendor products to be compatible and work together on one single machine. As a result, users were able to share resources regardless of what operating system, network cards, cabling or protocols were being used by the different software running on the different machines. This poses numerous network security vulnerabilities that can have catastrophic results for businesses, individuals and government organisations. This has in turn made network security an integral part of computer networks, to secure them and mitigate network attacks.

2.3 Network Security

Network security involves protecting information, systems and the hardware that use, store and transmit that information.
It involves the steps taken to make sure that the confidentiality, integrity and availability of data and resources is maintained against both internal and external network threats. Network security solutions started to appear from the early 1960s, but did not have a big impact until the 2000s, because of the complexity of network security and the dynamic, ever-changing nature of networks. Below is a brief timeline of network threats over the last 30 years:
1978 - First spam on ARPAnet
1988 - The Morris Internet virus
1999 - Melissa email virus
2000 - Mafiaboy DoS attack, Love Bug worm, L0phtCrack password cracker released
2001 - Code Red DoS attack
2004 - Botnet hits U.S. military systems
2007 - Storm botnet, TJX credit card data breach
2008 - Société Générale stock fraud
Because network security became an integral part of business, devices dedicated to network security functions emerged. Over the last 30 years the following network security detection systems and firewall solutions have emerged:
The intrusion detection system (IDS), first developed by SRI International in 1984. In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.
In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter.
In 1989, AT&T Bell Laboratories developed the first stateful firewall.
In 1991 the DEC SEAL application layer firewall was released.
In 1994 Check Point Firewall was released.
In 1995 NetRanger IDS was released.
In August 1997 RealSecure IDS firewall was released.
In 1998 and 1999 Snort IDS and the first IPS were released respectively.
From 2006 Cisco released the Cisco Zone-Based Policy Firewall and

2.4 Evolution of LAN Security

LAN security threats mostly, if not all, target the protocols and technologies used on the local area network or the switched network infrastructure, and they fall into two types: denial of service and spoofing attacks.
The following shows the measures or security technologies that have been developed over the last 13 years to mitigate these types of LAN threats.
In 1998 measures to mitigate MAC address spoofing, MAC address table overflow attacks and LAN storms were released.
In 2000 measures to mitigate root bridge spoofing and VLAN attacks were released.
In 2003 measures to mitigate ARP spoofing attacks were released.
Network security also requires that data be protected and secured. This is achieved by the use of encryption and hashing technology, which hides plaintext data as it traverses the network, thus providing confidentiality, integrity and authentication, the three components of information security. The following gives an outline of cryptographic security technology and its timeline:
In 1993 Cisco GRE tunnels were released.
In 1996 site-to-site IPsec VPNs were released.
In 1999 Secure Socket Layer (SSH) was released.
In 2000 Multi-Protocol Label Switching (MPLS) VPNs were released.
In 2001 remote-access IPsec VPN was released.
In 2002 Dynamic Multipoint VPN was released.
In 2005 Secure Socket Layer (SSL) VPN was released.

2.5 The OSI 7 Layer Model Approach to Understanding LAN Vulnerabilities

To understand how to secure a wired LAN, I am using the OSI 7 layer model approach. The OSI model is the ISO model of how network protocols and equipment should communicate and work together (interoperate). This approach helps me to investigate the different protocols used on each layer and the security vulnerabilities they pose, and to find a way to secure those vulnerabilities by undertaking network security measures to mitigate any attack that may take advantage of these security loopholes. This approach will indicate which OSI layer is the most vulnerable on the LAN.
Figure 1: OSI 7 layer model (http://compnetworking.about.com/library/graphics/basics_osimodel.jpg)

The following is an outline of some of the protocols and examples of network devices associated with each layer of the OSI model.

2.5.1 Application Layer (Layer 7)
Protocols on this layer: HTTP, FTP, SMTP, NTP, SNMP, EDI, Telnet etc.

2.5.2 Presentation Layer (Layer 6)
Protocols on this layer: GIF, JPEG, MPEG, MIME, SSL, TLS.

2.5.3 Session Layer (Layer 5)
Protocols on this layer: NetBIOS, RPC, Mailslots, AppleTalk, Winsock etc.

2.5.4 Transport Layer (Layer 4)
Protocols on this layer: TCP, UDP, SPX, ICMP etc.

2.5.5 Network Layer (Layer 3)
Protocols on this layer: Internet Protocol (IP), Internet Packet Exchange (IPX), ICMP, ARP, IPsec, BGP, IGRP, EIGRP etc. Examples of devices: routers, layer 3 switches.

2.5.6 Data Link Layer (Layer 2)
Examples of layer 2 protocols: Ethernet, Token Ring, Frame Relay, FDDI, ATM, PDN. Examples of devices: layer 2 switches, bridges etc.

2.5.7 Physical Layer (Layer 1)
This layer defines the physical medium, such as cabling, and interface specifications such as AUI, 10Base-T, RJ45 etc. It is where data is turned into bits of 0s and 1s to be sent on the cabling medium.

2.6 LAN's Most Vulnerable Layer

Based on the OSI model research approach to find out which of the seven layers is most vulnerable, I conclude that layer 2 of the OSI model (the data link layer) poses the most network security vulnerabilities on the LAN. The data link layer is divided into two sub-layers: logical link control and media access control. Examples of protocols that run on this layer are FDDI, Ethernet, Token Ring, MAC addresses etc. A layer 2 LAN switch performs switching and filtering based only on the data link layer MAC address. This makes layer 2 switches completely transparent to the network protocols and user applications.
Unauthorised access to layer 2 devices will put all the network's resources and performance at high security risk. It should be noted that layer 3 switches are also to be seriously considered even though they operate at the network layer (3). In addition, all protocols on the other layers of the OSI model are to be secured to provide a holistically secure LAN environment against security threats.

2.7 Most common layer 2 attacks/threats

MAC address spoofing - Switches populate the MAC address table by recording the source MAC address of a frame and associating that address with the port on which the frame was received. This method has led to a vulnerability known as MAC spoofing, which occurs when one host poses as another to receive otherwise inaccessible data or to circumvent security configurations.

STP manipulation attack - STP allows for redundancy and ensures that only one link is operational at a time and no loops are present. In an STP manipulation attack, the attacking host broadcasts STP configuration BPDUs with a lower bridge priority in an attempt to be elected as the root bridge by forcing spanning-tree recalculations. If the attack succeeds, the attacking host becomes the root bridge and sees a number of frames that would otherwise not have been accessible.

MAC address table overflows - MAC address tables have a limited amount of memory allocated. MAC flooding takes advantage of this limitation by flooding the switch with fake source MAC addresses until the switch's MAC address table is full. If enough entries are entered into the MAC address table before older entries expire, the table fills up to the point that no new entries can be accepted. As a result the switch begins to flood all incoming traffic out of all ports, because it has no space to learn any legitimate MAC addresses. It is at this point that the attacker can see all the frames sent from one host to another.
LAN storms - This form of attack occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Switches are capable of broadcasting, especially when they are building their MAC address tables, or when the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) are in use.

VLAN attacks - This attack works by taking advantage of an incorrectly configured trunk port. Trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The attacker can then spoof DTP messages and cause the switch to enter trunking mode, or bring up a rogue switch and enable trunking, and as a result access all the VLANs on the victim switch.

2.8 Types of other Network Threats

In order to have a secure LAN, securing layer 2 of the OSI model is imperative, as are the primary vulnerabilities of end users on their personal computers, for example:
Virus - malicious software that attaches itself to another program in order to execute a specific unwanted function on a computer.
Worm - this executes arbitrary code and installs copies of itself in the memory of the host computer, which then infects other hosts on the network.
Trojan horse - an application (malware, in computing terms) that carries out malicious operations under the guise of a desired function. It could carry a virus or a worm.
The following are other categories of network security threats that can exploit vulnerabilities at layer 2, on end-user devices, and at other layers of the OSI 7 layer model.

2.8.1 Reconnaissance attacks

These attacks gather information on the network or on targeted devices' security vulnerabilities, to be exploited later, using tools like:
Packet sniffers - a software application that uses the network adapter card in promiscuous mode to capture all network packets sent across a LAN.
Ping sweeps - used to scan for and determine live hosts by sending ICMP echo requests to multiple hosts.
Port scans - this tool scans a range of TCP or UDP port numbers on a host to detect listening services, by sending messages to ports on the host; any response indicates whether the port is in use.
Internet information queries - these are used to determine who owns a given domain and which addresses are assigned to that domain.

2.8.2 Denial-of-service

This type of attack sends large numbers of requests over the network in order to overwhelm the target devices, causing them to run sub-optimally and eventually become unavailable to serve legitimate access and use. Examples of DoS attacks are:
Ping of death - the attacker sends an echo request in an IP packet that is larger than the maximum packet size of 65,535 bytes, which can cause the target computer to crash.
Smurf attack - the attacker sends a large number of ICMP requests to a directed broadcast address with spoofed source addresses on the same network as the directed broadcast; when the routing device forwards the broadcasts to all hosts on the destination network, all hosts reply to each packet, thus degrading network performance.
TCP SYN flood attack - floods of TCP SYN packets with forged sender addresses are sent by the attacker, where each packet is handled as a connection request, causing the server to leave half-open connections by replying with a TCP SYN-ACK packet and waiting in vain for a response. This will eventually keep the server from responding to legitimate requests until the attack ends.

2.8.3 Access attacks

These attacks are used to gain access to the network, retrieve data and escalate rights to resources.
The following are the types of this form of attack:
Man-in-the-middle - this type of attack involves the attacker positioned in the middle of the communication between two legitimate entities in order to read or modify the data that passes between the two parties.
Buffer overflow - this attack writes data beyond the memory buffer allocated for a certain program, and as a result valid data is overwritten to execute malicious code.
Port redirection - a targeted host is used as a stepping stone for an attack on other target hosts on the network or on other networks.
Password attacks - the attacker keeps guessing the passwords of the targeted host, for example by using a dictionary attack.
Trust exploitation - the attacker uses or exploits the privileges granted to a system in an unauthorised way, as a result compromising the target host.

2.9 Impact of Network Security Breaches/Threats

Today there is an increasingly urgent need to secure computer networks due to many factors, some of which are mentioned below:
Increase in cyber crime
Identity theft
Child pornography
Theft of telecommunication services
Electronic vandalism, terrorism and extortion
Fraud/scams
Impact on business and individuals:
Decrease in productivity
Loss of sales revenue
Loss of time
Compromise of trust and reputation
Threats to trade secrets or formulas
Sophistication of threats
Proliferation of threats
Legislation and liabilities
Internet connectivity
In order to mitigate the LAN security threats, the following technology will be implemented to achieve a secure LAN environment.

2.10 Cisco Security Agent Firewall (Endpoint Device Security)

I will use Cisco Security Agent, which protects endpoints against threats posed by viruses, Trojan horses and worms, as the means to secure my end devices.
Figure 3: Cisco Security Agent Firewall (Ref: CCNA Security, Implementing Network Security, Cisco Press)

Cisco Security Agent is host-based intrusion prevention system (HIPS) software that provides protection for servers and computer systems. It can support over 100,000 agents and has two components:
The Management Center for CSA - maintains a log of any security violations and generates alerts.
Cisco Security Agent firewall - installed on hosts to proactively block any malicious attacks; it gets updates from the Management Center, continuously monitors local system activity and analyses all the operations of the system.
Cisco Security Agent provides protection by use of the following interceptors:
File system interceptor - read or write requests are intercepted and allowed or denied according to the security policy.
Network interceptor - this interceptor can limit the number of network connections allowed within a specified time in order to prevent DoS attacks.
Configuration interceptor - read and write requests to the registry are intercepted, because modification of the registry configuration can have serious consequences.
Execution space interceptor - this interceptor maintains the integrity of the dynamic runtime environment of each application by detecting and blocking requests to write to memory that is not owned by the requesting application.
The following measures/configurations to mitigate layer 2 attacks are to be implemented to secure layer 2 network devices.

2.11 Port Level Traffic Control

At this level the following protection configurations can be configured on Catalyst switches:

2.12 Port Security

In order to prevent MAC table overflows and MAC spoofing, port security is to be configured to allow specification of the MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses as determined by the network administrator.
If the MAC address of a device attached to the port differs from the list of secure addresses, the port shuts down until the administrator re-enables it. For example, the limit can be set to one MAC address assigned to a secure port, which will control unauthorised expansion of the network and also prevent the port from forwarding frames with a source MAC address that is not assigned to it or is outside the group of addresses defined on that port. In addition, port security aging is to be configured as either absolute or inactivity where required.

2.13 Storm Control

This traffic suppression feature will prevent broadcast, multicast or unicast floods of hostile packets on a LAN segment, which cause unnecessary and excessive traffic that degrades network performance. It monitors inbound packets over a one-second interval and compares them with the configured storm control suppression level, using one of these methods:
(i) Percentage of the total available bandwidth of the port allocated for broadcast, multicast and unicast traffic;
(ii) Traffic rate in packets per second at which broadcast, multicast or unicast packets are received on the interface;
(iii) Traffic rate in packets per second for small frames, configured on each interface;
(iv) Traffic rate in bits per second at which broadcast, multicast and/or unicast packets are received.

2.14 Protected VLAN Edge

Based on the security policy requirement, the PVLAN edge feature will enable the isolation of traffic by creating a firewall-like barrier that blocks any unicast, broadcast or multicast traffic among protected ports on the same LAN segment. The PVLAN edge feature will achieve the following:
(i) No traffic is forwarded between ports configured as protected. Packets must be routed via a layer 3 device between protected ports.
(ii) Forwarding between protected ports and non-protected ports proceeds normally per default behaviour.
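As an added example (not part of the proposal), the following Catalyst IOS configuration shows how the port security, storm control and protected-port features of sections 2.12 to 2.14 are applied to user-facing ports to counter the MAC spoofing, MAC table overflow and LAN storm threats described in 2.7. Interface names, VLAN numbers and threshold values are assumed.

```cisco
! Added example, not from the proposal: Catalyst access-port hardening
! (sections 2.12 - 2.14) against the layer 2 threats of section 2.7.
! Interface names, VLAN numbers and thresholds are assumed values.
!
! MAC table overflow and MAC spoofing (2.7): learn at most one MAC address
! per user port and err-disable the port on a violation (2.12).
interface range GigabitEthernet1/0/1 - 24
 description User access ports, VLAN 10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Inactivity aging: a learned address is released after 10 minutes
 ! without traffic, so a PC that moves does not leave a stale entry
 switchport port-security aging type inactivity
 switchport port-security aging time 10
 !
 ! LAN storms (2.7): storm control (2.13) suppresses inbound floods above
 ! the threshold, using the bandwidth-percentage method for broadcast
 ! and the packets-per-second method for multicast and unicast,
 ! and sends an SNMP trap when a storm is detected
 storm-control broadcast level 10.00
 storm-control multicast level pps 2k
 storm-control unicast level pps 5k
 storm-control action trap
 !
 ! Protected VLAN edge (2.14): protected ports never forward frames
 ! directly to each other; host-to-host traffic must cross a layer 3 device
 switchport protected
!
! Bring a port shut down by a port-security violation back after 5 minutes;
! the violation is still logged, so it can be investigated
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification after the change
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show storm-control
! show interfaces GigabitEthernet1/0/1 switchport | include Protected
```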
2.15 Access Lists

These are traffic filtering tools such as switch ACLs, router ACLs, port ACLs, VLAN ACLs and MAC ACLs, used to filter IP and non-IP traffic on the network. There are three types of access list that can be used: standard, extended and MAC extended.
Port access lists - configured on a physical interface of a layer 2 switch; they support inbound and outbound traffic filtering. They can be applied on a trunk port to filter all VLANs and voice traffic (if data and voice are trunked).
Router access lists - these filter network traffic on switched virtual interfaces (SVIs), which are layer 3 interfaces on VLANs, on layer 3 physical interfaces and on EtherChannel interfaces.
VLAN access lists - these filter all types of traffic that are bridged within a VLAN or routed into or out of the VLAN. This feature, used in combination with the private VLAN feature, can filter traffic based on direction.

2.16 Spanning Tree Protocol Measures (Features)

2.16.1 PortFast

This is a spanning-tree feature that enables an interface configured as a layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. This feature will minimise the time an access port spends waiting for STP to converge, eliminating the vulnerability of a long waiting time while a port transitions from blocking to forwarding.

2.16.2 BPDU Guard

The BPDU guard feature is to be used to protect the switched network from problems caused by receiving BPDUs on ports that should not be receiving them. These BPDUs can come from an unauthorised attempt to add a switch to the network; if BPDUs are received on a port with this feature enabled, the port is disabled, giving a secure response to invalid configuration by attackers. So, to prevent any rogue switch being placed on the network by an attacker, BPDU guard will be deployed on user-facing ports with PortFast enabled.
2.16.3 Root Guard

Configuring this feature will help to limit the switch ports on which the root bridge can be negotiated in the switched network. It is to be deployed on ports that connect to switches that should not be the root bridge. When an attacker sends out spoofed BPDUs in order to become the root bridge, the switch receiving the BPDUs will ignore them and put the port in a root-inconsistent state, and the port will recover once the attacker stops sending BPDUs. Root guard is best practice even though there may be a switch with a zero priority and a lower MAC address, and therefore a lower bridge ID.

2.16.4 Loop Guard

The loop guard feature will be enabled on all switches across the network to prevent alternate or root ports from becoming designated ports because of a failure resulting in a unidirectional link, providing an additional layer of protection against layer 2 forwarding loops (STP loops).

2.16.5 EtherChannel Guard

Enabling this feature on switches will detect EtherChannel misconfigurations between switches and any connected devices, such as parameters that do not match on both sides. EtherChannel guard will place the switch interface into the disabled state or display an error message. This guard will have to be enabled on both sides.

2.16.6 VLAN Trunk Security

In order to mitigate VLAN hopping attacks, trunking is to be enabled only on ports that require trunking, and a dedicated native VLAN is to be used for all trunk ports. In addition, automatic trunk negotiation (DTP) will be disabled and trunking enabled manually, and all unused switch ports will be disabled and placed in an unused VLAN.

2.17 Cisco Security Monitoring, Analysis, and Mitigation System (CS-MARS)

Using the Cisco Security Monitoring, Analysis, and Mitigation appliance will enable us to monitor, identify, isolate and counter or mitigate any security threats on the network.
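As an added example (not from the proposal), the following Catalyst IOS configuration applies the STP and trunk measures of section 2.16 on a single switch; interface names, VLAN numbers and the choice of which port faces a downstream switch are assumptions.

```cisco
! Added example, not from the proposal: STP and trunk hardening for the
! measures of section 2.16 on one Catalyst switch. Interface names, VLAN
! numbers and which port faces a downstream switch are assumptions.
!
! Global defaults. PortFast with BPDU guard on every access port (2.16.1,
! 2.16.2); loop guard on all ports so a unidirectional link cannot turn a
! blocked port into a forwarding one (2.16.4); EtherChannel guard (2.16.5)
! err-disables a bundle whose parameters do not match on both sides.
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
spanning-tree etherchannel guard misconfig
!
! User-facing ports: skip listening/learning, and shut the port the moment
! a BPDU arrives, i.e. when something that talks STP is plugged in.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk toward a downstream switch that must never become root (2.16.3):
! superior BPDUs put the port in root-inconsistent state rather than
! triggering a re-election, and the port recovers when they stop.
! Trunk security (2.16.6): static trunk, no DTP, a dedicated native VLAN
! that carries no user traffic, and an explicit VLAN allow list.
interface GigabitEthernet1/0/47
 description Trunk to downstream access switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! Unused ports (2.16.6): access mode, parked in an unused VLAN, shut down
vlan 999
 name NATIVE-UNUSED
vlan 666
 name PARKING
interface range GigabitEthernet1/0/25 - 46
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! Verification after the change
! show spanning-tree summary
! show spanning-tree inconsistentports
! show interfaces trunk
! show interfaces status err-disabled
```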
In addition, this system is very cost effective and very flexible in its use, as its features can be accessed via the web.

2.18 Port Address Translation (PAT) / NAT Overload

This uses the address space reserved for private use under RFC 1918, which includes:
10.0.0.0 - 10.255.255.255 (mask /8)
172.16.0.0 - 172.31.255.255 (mask /12)
192.168.0.0 - 192.168.255.255 (mask /16)
NAT overload, sometimes called PAT (Port Address Translation), maps multiple unregistered or private IP addresses to a single registered or public IP address by using different ports. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. This process also validates that incoming packets were requested, thus adding a degree of security to the session.

Figure 4: PAT translation (http://www.i1u.net/images/web/PAT.gif)

2.19 TACACS+ / RADIUS Server

The Cisco ASA supports both the RADIUS (Remote Authentication Dial-In User Service) protocol and the TACACS+ protocol. It can maintain a local database or use an external server for authentication. For scalability and increased security I will maintain external, server-based AAA authentication on a Cisco Secure Access Control Server running the TACACS+ or RADIUS protocol. In this case the Cisco Adaptive Security Appliance authenticates itself to the RADIUS server with a shared secret key that is never sent over the network, and then passes the user information to the RADIUS server. The password is encrypted by hashing using the shared secret key. The diagram below shows this implementation running the RADIUS protocol.
Figure 5: TACACS+ protocol (http://curriculum.netacad.net/virtuoso/servlet/org.cli.delivery.rendering.servlet.CCServlet/LMS_ID=CNAMS,Theme=ccna3theme,Style=ccna3,Language=en,Version=1,RootID=knetlcms_ccnasecurity_en_10,Engine=static/CHAPID=null/RLOID=null/RIOID=null/theme/cheetah.html?cid=2000000000&l1=en&l2=none&chapter=3)

Figure 6: RADIUS protocol (Ref: http://ptgmedia.pearsoncmg.com/images/chap6_9781587058196/elementLinks/ca800601.jpg)

2.20 Cisco Adaptive Security Appliance (ASA) Firewall

It is modelled on the self-defending network (SDN) principle, having several protective and integrated layers such as firewalls, intrusion prevention and anomaly mitigation. The Cisco Adaptive Security Appliance provides stateful application inspection of all application and service traffic based on explicitly preconfigured policies and rules. This inspection keeps track of every connection passing through the interface, making sure they are valid connections; it monitors the established, closed, reset or negotiating state of connections and maintains a database with this information in a state table. The ASA provides intelligent threat defence and secure communication services that stop attacks before they affect business continuity. Packet headers and packet contents are examined all the way up to the application layer. The Cisco Adaptive Security Appliance will be configured to inspect the following protocols:

2.20.1 Extended Simple Mail Transfer Protocol (ESMTP)

This inspection will be used to restrict the type of SMTP commands that can pass through the Cisco ASA. Any illegal command found in an ESMTP/SMTP packet will cause a negative reply: an SMTP error code will be generated.
2.20.2 File Transfer Protocol

File Transfer Protocol sessions are examined to provide: enhanced security while creating dynamic secondary data connections for FTP transfers; enforcement of the FTP command–response sequence; generation of an audit trail for FTP sessions; and translation of embedded IP addresses.

2.20.3 HTTP

The Cisco ASA HTTP inspection engine checks that each HTTP transaction is compliant with RFC 2616 by checking all HTTP request messages. Traditional firewalls and intrusion detection systems detect only first-round encoded HTTP URI requests, but the Cisco ASA is capable of detecting double-encoded attacks, a capability known as HTTP deobfuscation.

2.20.4 Internet Control Message Protocol (ICMP)

The Cisco ASA supports stateful inspection of ICMP packets, with the ability to translate ICMP error messages, which contain the full IP header of the failed IP packet as sent by intermediate hops, according to the Network Address Translation configuration.

2.20.5 H.323 Standard

This standard stipulates the components, protocols and procedures that provide multimedia communication services such as audio, video and data, which use TCP and UDP connections 2 and 6 respectively. The Cisco ASA monitors TCP and dynamically allocates ports after inspection of the messages, thus making it secure.

2.20.6 Skinny Protocol (Simple Client Control Protocol - SCCP)

This protocol is used in VoIP applications: Cisco IP phones, Cisco CallManager and Cisco CallManager Express. To support a unified wired LAN (audio and data), the Cisco ASA offers the ability to inspect Skinny transactions, making the wired LAN a secure unified network.

2.20.7 Simple Network Management Protocol (SNMP)

This protocol is used to manage and monitor networking devices. The Cisco ASA can be configured to deny traffic based on the SNMP packet version; early versions are less secure.
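To show what the HTTP deobfuscation described in 2.20.3 actually has to do, here is an added Python example (not the ASA's inspection engine, and not code from the proposal). It checks the request line against the shape and method set of RFC 2616, then percent-decodes the URI repeatedly: a URI that needs more than one decoding round was double-encoded, which a single-pass decoder would miss. The request lines and the function names are constructed for the illustration.

```python
"""HTTP request-line inspection with de-obfuscation of double-encoded URIs
(added illustration, not the ASA inspection engine).

Section 2.20.3 says the ASA checks request messages against RFC 2616 and can
see through double encoding. This simplified inspector checks the request-line
shape and method set from RFC 2616, then percent-decodes the URI repeatedly;
a URI that needs more than one decoding round was double-encoded and is
rejected. Sample request lines are constructed.
"""
import re
from urllib.parse import unquote

# Request-Line = Method SP Request-URI SP HTTP-Version (RFC 2616 section 5.1)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_rounds(uri: str, max_rounds: int = 4):
    """Percent-decode until no escapes remain; return (decoded, rounds_used)."""
    rounds = 0
    while PCT_ESCAPE.search(uri) and rounds < max_rounds:
        decoded = unquote(uri)
        if decoded == uri:          # guard against a decoder that makes no progress
            break
        uri = decoded
        rounds += 1
    return uri, rounds


def inspect_request(request_line: str) -> str:
    """Return an allow/drop verdict for one HTTP request line."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return "drop: request line does not match RFC 2616 syntax"
    method, uri, _version = m.groups()
    if method not in RFC2616_METHODS:
        return f"drop: method {method} is not defined in RFC 2616"
    decoded, rounds = decode_rounds(uri)
    if rounds > 1:
        # Only a second decoding pass reveals what the client really asked for.
        return f"drop: double-encoded URI ({rounds} decoding rounds) -> {decoded}"
    return f"allow: {method} {decoded}"


if __name__ == "__main__":
    for line in ("GET /index.html?q=a%20b HTTP/1.1",
                 "GET /%252e%252e/private HTTP/1.1",
                 "BREW /pot HTTP/1.1",
                 "GET / HTTP/2"):
        print(line, "=>", inspect_request(line))
```

The first-round decoder sees only "%2e%2e" in the double-encoded request and would let it through; the second round exposes the ".." that the request actually carries, which is the case the proposal says traditional firewalls miss.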
This practice can be incorporated into the security policy, thus making the LAN more secure.

2.20.8 Trivial File Transfer Protocol (TFTP)

This protocol allows systems to read and write files in a client/server relationship. Cisco ASA TFTP application inspection will be used to: (i) prevent hosts from opening invalid connections, and (ii) enforce the creation of the secondary channel from the server side, thus preventing TFTP clients from creating it.

2.20.9 Real Time Streaming Protocol (RTSP)

The Cisco ASA supports inspection of this protocol, a multimedia streaming protocol stipulated in RFC 2326, which could carry harmful embedded code. This protocol mostly uses TCP port 554, and the applications that use RTSP include RealAudio, Apple QuickTime, RealPlayer and Cisco IPTV.

2.21 DNS Implementation

Traditionally, DNS queries have relied on generic UDP handling based on activity timeouts. With the Cisco Adaptive Security Appliance, the UDP connections associated with DNS queries and responses are torn down as soon as the reply to a DNS query has been received (like the DNS Guard feature in the Cisco PIX firewall). Cisco ASA DNS inspection provides further security measures: it guarantees that the ID of a DNS reply matches the ID of the DNS query, allows translation of DNS packets using NAT, and reassembles DNS packets to verify their length, which has a maximum of 65,553 bytes, so that any larger packet is dropped.

2.22 Intrusion Detection and Prevention System

Intrusion detection and prevention technologies, which detect attempts by an intruder to gain unauthorised access to the network or a host in order to degrade performance or steal information, are to be implemented both at the network edge router and on hosts. The Cisco Intrusion Prevention System (CIPS) will effectively mitigate a wide range of network attacks.
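The DNS Guard behaviour described in 2.21 can be modelled in a few dozen lines of Python; the block below is an added example, not the proposal's or the ASA's code. It forwards a reply only if it answers a query the inspector saw and carries the same transaction ID, tears the UDP state down the moment that reply arrives instead of waiting for an idle timeout, and drops oversized messages. The 512-byte default length limit is an assumption taken from the classic DNS-over-UDP limit of RFC 1035 (the proposal quotes a different maximum, which can be passed as max_len); the message builder, addresses and class name are constructed for the illustration.

```python
"""DNS guard state table (added illustration, not the ASA's code).

Models the checks named in section 2.21: a DNS reply is forwarded only if it
answers a query the inspector saw and carries the same transaction ID; the UDP
state is torn down as soon as that reply arrives, rather than waiting for an
idle timeout; and oversized messages are dropped. The 512-byte default is an
assumption taken from the classic DNS-over-UDP limit (RFC 1035); pass max_len
to use another value. Addresses and messages below are constructed.
"""
import struct


def build_message(txid: int, response: bool, body: bytes = b"") -> bytes:
    """Constructed minimal DNS message: 12-byte header plus an opaque body."""
    flags = 0x8180 if response else 0x0100       # QR bit is 0x8000
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    return header + body


def parse_header(payload: bytes):
    """Return (txid, is_response) or None if the header is truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)


class DnsGuard:
    def __init__(self, max_len: int = 512):
        self.max_len = max_len
        # (client_ip, client_port, server_ip) -> transaction ID awaiting a reply
        self.pending = {}

    def handle(self, src, sport, dst, dport, payload: bytes) -> str:
        """Decide what to do with one UDP datagram; returns a verdict string."""
        if len(payload) > self.max_len:
            return "drop: oversized DNS message"
        hdr = parse_header(payload)
        if hdr is None:
            return "drop: truncated DNS header"
        txid, is_response = hdr
        if not is_response:
            if dport != 53:
                return "drop: query not addressed to port 53"
            self.pending[(src, sport, dst)] = txid
            return "forward: query"
        key = (dst, dport, src)           # a reply mirrors the query's addresses
        expected = self.pending.get(key)
        if expected is None:
            return "drop: unsolicited or late reply"
        if expected != txid:
            return "drop: transaction ID mismatch"
        del self.pending[key]             # tear the state down immediately
        return "forward: reply"


if __name__ == "__main__":
    g = DnsGuard()
    client, server = ("192.168.1.10", 40000), "192.168.1.2"
    print(g.handle(*client, server, 53, build_message(0x1234, False)))
    print(g.handle(server, 53, *client, build_message(0x1235, True)))
    print(g.handle(server, 53, *client, build_message(0x1234, True)))
    print(g.handle(server, 53, *client, build_message(0x1234, True)))
```

The last call shows why immediate teardown matters: once the genuine reply has been accepted, a second copy of the same reply, whether delayed or forged, finds no state and is dropped instead of reaching the client.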
As already mentioned above, the Cisco Adaptive Security Appliance (ASA), which is also a network-based intrusion detection solution, will be used; it has an integrated intrusion prevention system feature. The Cisco ASA supports the Adaptive Inspection Prevention Security Service Module (AIP-SSM) running Cisco Intrusion Prevention System (CIPS) software version 5.0 or later, which has the ability to process and analyse traffic in inline or promiscuous mode. I will implement an inline intrusion prevention system on the Cisco ASA, which is more secure than promiscuous mode but affects overall throughput. In this case the Cisco ASA will direct all traffic to the AIP-SSM for processing and analysis, and the module will drop any malicious packet, generate an alarm or reset the connection before the traffic is forwarded by the ASA. This will mitigate network attacks such as denial of service (i.e. TCP SYN flood attacks, LAND attacks, Smurf attacks), distributed denial of service and session hijacking (i.e. man-in-the-middle). The system will use the following method:

2.22.1 Stateful pattern-matching recognition

The device searches a TCP stream in chronological order, keeping track of the arrival order of the packets in the stream, and matches patterns across packet boundaries. This supports all non-encrypted IP protocols and has the capability to directly correlate specific exploits with the pattern.

Figure 7: Network-Based Inline Intrusion Prevention System

The following steps explain the sequence of events:

1. The Cisco ASA receives an IP packet from the Internet.
2. Because the Cisco ASA is configured in inline IPS mode, it forwards the packet to the AIP-SSM for analysis.
3. The AIP-SSM analyses the packet and, if it determines that the packet is not malicious, forwards the packet back to the Cisco ASA.
4. The Cisco ASA forwards the packet to its final destination (the protected host).
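Section 2.22.1 describes stateful pattern matching that follows packet order and finds patterns that straddle packet boundaries. The Python below is an added example of that technique, not code from the proposal or from the CIPS software: it reorders the segments of a TCP stream by sequence number, scans the data only once it is contiguous, carries the last bytes of the previous segment into the next scan so that a split signature is still found, and does not rescan retransmitted data. The signature, the flow tuple and the class and method names are constructed for the illustration.

```python
"""Stateful pattern matching across TCP segment boundaries (added illustration).

Models the inline IPS behaviour in section 2.22.1: segments of one TCP stream
are put back into sequence order before inspection, and the last bytes of the
previous segment are kept so that a signature split over two segments is still
found. Retransmitted data is not scanned twice. Signatures and traffic below
are constructed sample values.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "flow seq payload")


class StreamMatcher:
    def __init__(self, signatures):
        self.sigs = [s.encode() if isinstance(s, str) else s for s in signatures]
        self.keep = max(len(s) for s in self.sigs) - 1   # carry-over length
        self.streams = {}

    def open(self, flow, first_seq):
        """Record where the stream's data starts (ISN + 1 from the handshake)."""
        self.streams[flow] = {"next": first_seq, "pending": {}, "tail": b"", "seen": 0}

    def feed(self, seg):
        """Accept one segment; return alerts as (flow, signature, stream_offset)."""
        if seg.flow not in self.streams:          # no handshake seen: assume start here
            self.open(seg.flow, seg.seq)
        st = self.streams[seg.flow]
        seq, data = seg.seq, seg.payload
        if seq < st["next"]:                      # retransmission or overlap
            overlap = st["next"] - seq
            if overlap >= len(data):
                return []                         # entirely old data, already scanned
            seq, data = st["next"], data[overlap:]
        st["pending"][seq] = data
        alerts = []
        while st["next"] in st["pending"]:        # deliver all now-contiguous data
            chunk = st["pending"].pop(st["next"])
            st["next"] += len(chunk)
            alerts += self._scan(seg.flow, st, chunk)
        return alerts

    def _scan(self, flow, st, data):
        tail = st["tail"]
        window = tail + data
        base = st["seen"] - len(tail)             # stream offset of window[0]
        hits = []
        for sig in self.sigs:
            i = window.find(sig)
            while i != -1:
                if i + len(sig) > len(tail):      # ends in new data: not yet reported
                    hits.append((flow, sig.decode(), base + i))
                i = window.find(sig, i + 1)
        st["seen"] += len(data)
        st["tail"] = window[-self.keep:] if self.keep else b""
        return hits


if __name__ == "__main__":
    flow = ("10.0.0.5", 40000, "10.0.0.9", 80)
    m = StreamMatcher(["EVIL_SIG"])
    m.open(flow, 1000)
    print(m.feed(Segment(flow, 1008, b"IL_SIG here")))   # arrives first, buffered
    print(m.feed(Segment(flow, 1000, b"hello EV")))      # completes the pattern
```

The second segment arrives before the first, so a per-packet matcher would see "hello EV" and "IL_SIG here" separately and never match; the stream matcher waits for the gap to close and then reports the signature at its offset in the reassembled stream.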
2.23 Host-Based Intrusion Detection Systems

Cisco Security Agent software firewalls are to be installed on individual servers or client machines to safeguard critical computer systems containing crucial data or other shared resources. They secure hosts against attacks targeted at resources that reside on the hosts, and will intercept any attacks that have not been detected by the other network detection systems or firewalls. The diagram below illustrates this implementation.

Figure 9: Host-Based Intrusion Prevention System

2.24 Demilitarized Zone (DMZ)

A DMZ network segment acts as a "neutral zone" between a company's private network and the outside public network. It enables Internet/external users to access a company's public servers, including web and File Transfer Protocol (FTP) servers, while maintaining security for the company's private LAN. An example of a firewall to use for this is the Cisco ASA 5500.

Figure 8: DMZ Implementation

2.25 DHCP Snooping

In order to protect the network against rogue DHCP servers, DHCP snooping is to be implemented to create a logical firewall between untrusted hosts and DHCP servers. The switch builds and maintains a DHCP snooping table, also called the DHCP binding database, which is used to identify and filter untrusted messages from the network. This database keeps track of the DHCP addresses assigned to ports and filters DHCP messages from untrusted ports. Incoming packets from untrusted ports are dropped if the source MAC address doesn't match the MAC address in the binding table entry.

2.25.1 Dynamic ARP Inspection

By enabling the Dynamic ARP Inspection feature I will make sure that only valid ARP requests and responses are forwarded, by validating each packet's IP-to-MAC mapping.
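The three switch features of 2.25, 2.25.1 and the IP Source Guard feature that follows in 2.25.2 all hinge on the same binding database, so here is one added Python model covering them together; it is an illustration written for this report, not IOS code or code from the proposal. DHCP server messages are accepted only on trusted ports, client messages on untrusted ports must carry a frame source MAC equal to the DHCP client hardware address, a completed lease installs a (MAC, IP, VLAN, port) binding, and that binding is then what ARP packets (DAI) and IP packets (IP Source Guard) arriving on untrusted ports are checked against. Port names, MAC addresses, IP addresses and the class name are constructed for the illustration.

```python
"""DHCP snooping binding database with DAI and IP Source Guard checks
(added illustration, not IOS code).

Models sections 2.25 to 2.25.2: DHCP server messages are accepted only on
trusted ports, client messages on untrusted ports must carry a frame source
MAC equal to the DHCP client hardware address (chaddr), a completed lease
installs a (MAC, IP, VLAN, port) binding, and that binding is what ARP (DAI)
and IP traffic (IP Source Guard) on untrusted ports are checked against.
Port names, MACs and addresses are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # (vlan, mac) -> Binding
        self.requests = {}      # (vlan, chaddr) -> port the client asked from

    def dhcp(self, port, vlan, kind, src_mac, chaddr, yiaddr=None):
        """Process one DHCP message seen on `port`; returns a verdict string."""
        if kind in self.SERVER_MSGS:
            if port not in self.trusted:
                return f"drop: DHCP {kind} from rogue server on untrusted {port}"
            if kind == "ACK":
                client_port = self.requests.pop((vlan, chaddr), None)
                if client_port is not None:     # lease completed: learn the binding
                    self.bindings[(vlan, chaddr)] = Binding(chaddr, yiaddr, vlan, client_port)
            return f"forward: DHCP {kind}"
        # Client message (DISCOVER / REQUEST / RELEASE ...)
        if port not in self.trusted and src_mac != chaddr:
            return f"drop: DHCP {kind} with chaddr {chaddr} but source MAC {src_mac}"
        self.requests[(vlan, chaddr)] = port
        return f"forward: DHCP {kind}"

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: validate the sender's IP-to-MAC mapping."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward: ARP"
        return f"drop: DAI, {sender_ip} is not bound to {sender_mac} on {port}"

    def ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: only addresses leased to this port may be used."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return "forward: IP"
        return f"drop: IP Source Guard, {src_ip} not leased to {src_mac} on {port}"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})          # uplink to the real server
    print(sw.dhcp("Gi0/1", 10, "DISCOVER", "aa:aa", "aa:aa"))
    print(sw.dhcp("Gi0/2", 10, "OFFER", "bb:bb", "aa:aa", "192.168.10.200"))
    print(sw.dhcp("Gi0/24", 10, "ACK", "cc:cc", "aa:aa", "192.168.10.50"))
    print(sw.ip("Gi0/1", 10, "aa:aa", "192.168.10.99"))
    print(sw.arp("Gi0/2", 10, "bb:bb", "192.168.10.50"))
```

Each check reads the same table: the rogue OFFER on Gi0/2 never reaches the client, the host on Gi0/1 can only source the address it was leased, and an ARP reply from Gi0/2 claiming that address is discarded before it can poison anyone's cache.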
2.25.2 IP Source Guard

Enabling IP Source Guard in combination with the DHCP snooping feature on untrusted layer 2 interfaces restricts IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. As a result it will prevent IP spoofing attacks in which a host tries to use the IP address of another host.

Chapter 3: Aims and Objectives

Aim 1: To investigate which layer of the OSI model is most vulnerable to attacks on the Local Area Network.

Objectives
I. To secure the physical devices that operate at the physical layer, such as network interface cards, transceivers, repeaters, hubs and multi-station access units.
II. To secure layer 2 protocols of the OSI model such as Ethernet/IEEE 802.3, token ring/IEEE 802.5, fibre distributed data interface (FDDI), point-to-point (PPP), etc.
III. To secure the addressing structure and the routing protocols at the network layer of the OSI model for packet delivery on the LAN and to external networks.
IV. To have an identifiable, secure and reliable transport mechanism between two communicating devices on the Local Area Network.
V. To provide a secure way for applications to translate data formats, encrypt, decrypt, compress and decompress data traversing the network.
VI. To provide a secure platform where end users interact with applications and other software, by securing application layer protocols such as HTTP, FTP, TELNET, H.323, etc.

Aim 2: To investigate and analyse the available tools and methods to secure a wired Local Area Network.

Objectives
I. To prevent untrusted traffic from accessing the network resources and to secure gateways at the session layer of the OSI model, controlling the setup and teardown of sessions.
II. To provide a cost effective but efficient and reliable Local Area Network.

Personal and Academic Objectives
I. To study and learn how to secure Local Area Networks, and the security threats faced by these networks in a dynamic network technology environment.
II. To learn how to organise my time meaningfully in order to achieve my intended goals in a given limited time.
III. To learn the techniques and approach for carrying out meaningful research on specific topics.
IV. To acquire the skills to write a well-structured report successfully.
V. To improve my presentation skills and increase my confidence.
VI. To prepare myself for a future career as a computer network security professional.

Chapter 4: Approach and Scenario

4.1 Approach

The network security strategy to follow in securing a wired LAN is to start by securing the LAN's network endpoints, which include hosts, servers and other devices that act as network clients, as well as non-endpoint LAN devices such as switches, storage area networking (SAN) devices and IP telephony, and to mitigate attacks such as LAN storms, MAC address table overflows, STP manipulation and VLAN attacks. The following figure shows endpoint security.

Endpoint security

In addition, a virtual topology is used to show the LAN devices that require securing, and this project proposal is based on it as a structured guide to follow.

4.2 Scenario

As a final year student in Computer Networking at London Metropolitan University, I am assigned a project specification of type research and practical work, to do a project on 'Securing wired Local Area Networks (LANs)'. As stated in the introduction, a virtual topology is used to show how to secure a LAN so that users and programs can perform only the actions that have been allowed. This topology includes the network devices that require securing on the LAN. This is achieved by specifying and implementing both software and hardware forms of network security.
In order to meet the specific requirements of the project, a plan to secure the protocols and devices of the OSI model is to be followed, with specific emphasis on layer 2 of the OSI model (the data link layer) and on securing the internal network from untrusted external traffic.

4.2.1 Secured LAN Virtual Topology

Chapter 5: Project Scope and Methodology

5.1 Project Scope

Securing a computer network environment involves a wide variety of measures to be undertaken to mitigate the threats posed to the network from all angles, such as wired and wireless devices, voice and video, on both LANs and WANs. However, in this case I am going to concentrate on securing wired LANs. The following lists the areas covered in this project proposal:

Brief history of LAN evolution
Network security in general
Wired LAN security threats
 o Internal threats
 o External threats
Wired LAN security vulnerabilities
 o Internal threats
 o External threats
Wired LAN security mitigation technologies
Secure wired LAN devices
Virtual topology to show LAN security implementation
Impacts of network security threats

5.2 Methodology

1. Designate a secure physical environment: a data centre that is well ventilated, with backup power supply and access controlled to authorised personnel only.
2. Make use of the other port level traffic controls provided by Catalyst switches, such as storm control, protected ports, private VLANs (PVLAN), port blocking and port security.
3. Implement VLAN technology on the Local Area Network.
4. Configure security access control measures using access lists such as router access lists, port access lists, MAC access lists and VLAN access lists.
5. Configure DHCP snooping and enable IP Source Guard to prevent rogue DHCP servers on the network.
6. Use/configure the Authentication, Authorization and Accounting (AAA) protocol by implementing server-based AAA authentication, which provides the necessary framework for scalable access security using a Cisco Secure Access Control Server (ACS). TACACS+ protocol servers will be used to achieve this.
7. Use the Cisco Adaptive Security Appliance (ASA) firewall as the network firewall to achieve network security between the trusted and untrusted networks.
8. Create a demilitarized zone (DMZ) to enable external/Internet hosts to access the company web, email and FTP servers, and to provide security for the systems residing within it.
9. Use network-based and host-based intrusion prevention systems that can provide in-depth checks of packets from layer 4 through to layer 7.
10. Structure the LAN hierarchically, i.e. core, distribution and access layers, to provide redundancy, efficiency and reliability on the LAN. Optional: use two layer 2 switches, two layer 3 switches and two ASAs, which offer extra features at a relatively low cost compared to buying other standalone devices such as a PIX or layer 2 switches.

5.2.1 Resources

Hardware:
2 layer 2 switches
2 layer 3 switches
1 Cisco Adaptive Security Appliance
4 personal computers
Perimeter router firewall
RADIUS or TACACS+ server
Ethernet crossover cable with RJ45 connectors
Straight-through cable with RJ45 connectors
DHCP/DNS server
Web/email/FTP server
Cisco CS-MARS

Software/configuration:
Firewall (HIPS/NIDS)
Cisco IOS images
GNS3

5.3 Assumptions

1. It is assumed that this model can be applied to a large LAN.
2. The network management will continuously patch all the LAN security software vulnerabilities by installing updates.
3. The network security professionals employed will continuously monitor and test the network's security using network security auditing tools, and will also research the new network security threats that appear.
4. A virtual topology is used that will display some devices of a physical type which can nevertheless be implemented as software on the physical topology. For example, the Cisco ASA device offers features which I wanted to show through the virtual topology and which would not otherwise be visible.
5. It is assumed that a routing protocol is configured on the LAN and that there is connectivity from one end device to the other.

5.4 Contingency Plans

1. Instead of a Cisco ASA we can use a Cisco PIX firewall device.
2. Use RADIUS instead of TACACS+ for server-based AAA authentication.
3. The LAN can have layer 3 switches instead of layer 2 switches, which will improve security and performance, and to provide redundancy extra trunk links can be added and secured.
4. NAC, CSA and IronPort technologies can be used in parallel to protect against operating system vulnerabilities under both direct and indirect attack.
5. Software firewalls can be configured on devices that support them if money to buy and maintain hardware firewalls is short.

Chapter 6: Project Plan

6.1 GANTT CHART

Having a good plan for the project in place is a significant measure for its successful completion. It sets out what should be done, how it is going to be done, when to do it, how long a certain task will take, what measures there are to gauge success, and lastly a review plan for every stage. This chart displays the tasks which will need to be completed, and each task is allocated a specific time in which it will start and be completed, until the end of the project.

Figure 2: Project Proposal Gantt chart

6.2 WORK BREAKDOWN STRUCTURE

This is a breakdown of the list of project tasks that have to be undertaken and completed in order for the project to be completed.

Figure 1: WORK BREAKDOWN STRUCTURAL CHART

Chapter 7: Final Project Report Table of Contents

Below is the structure of the contents that will be used for the final report.
All sections have been stated, including the subheadings of the literature review.

Front Page
Contents Page
Introduction
Acknowledgements
Dedications
What is a LAN?
History of LANs
Use of LANs
What is Network Security?
History of LAN Security
LAN Security Threats
LAN Security Devices
Benefits of a Secured Wired LAN
LAN Security Technologies
 Hardware based
 Software based
Secured Wired LAN Topology
 Layer 2 Switches
 Layer 3 Switches
 Cisco Adaptive Security Appliance
 TACACS+/RADIUS Server (AAA)
 Demilitarized Zone (DMZ)
 Edge Router
 End Devices
 Crossover and Straight-through Cables with RJ45 Connectors
Testing and Analysis
Conclusion
References & Bibliography
Appendix A: Project Plans & System Models
Appendix B: Test Plans & Results
Appendix C: Project Proposal Report

Chapter 8: Conclusion

Over the last 25 years companies have come to realise a great need to secure their LANs, due to the increasingly dynamic network security threats that have resulted in big financial and identity losses and have damaged company brands and individuals. As a result, companies and governments have learnt the importance of network security and are committing a lot of money to maintaining a secure LAN environment, so as to achieve the three basic principles of network security, that is to say confidentiality, integrity and authentication. Wired LAN security is a fundamental requirement that has become an integral part of computer networks. Many organisations, governments and businesses have put in place network security policies to provide a framework and guidelines for network users/employees to follow when doing their work on the company's computer network infrastructure. Since it is impossible to have a totally secure wired LAN, given the very dynamic network security threats in the computing world, intensified by the presence of Internet technology, it is my advice that, having put in place network security policies and taken steps to achieve them, network security professionals should continually install software patches, monitor and test the computer networks, and also keep learning and sharing information about new security threats.

References:

1. Wayne Lewis, LAN Switching and Wireless, Exploration Companion Guide
2. Hucaby, D. (2005) Cisco ASA and PIX Firewall Handbook, Cisco Press
3. Carroll, B. (2004) Cisco Access Control Security: AAA Administration Server, Cisco Press, 2Rev Ed.
4. CCNA Security, Implementing Network Security, Cisco Press
5. http://www.referenceforbusiness.com/small/Inc-Mail/Local-Area-NetworksLANS.html
6. http://www.sans.org/top-cyber-security-risks/
7. http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1046651
8. http://flylib.com/books/2/464/1/html/2/images/1587052091/graphics/08fig14.gif
9. http://compnetworking.about.com/library/graphics/basics_osimodel.jpg
10. http://www.orbit-computer-solutions.com
11. http://www.i1u.net/images/web/PAT.gif
12. http://ptgmedia.pearsoncmg.com/images/0131014684/samplechapter/0131014684_ch02.pdf
13. http://www.cisco.com/warp/public/cc/so/neso/sqso/roi1_wp.pdf
14. http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch5_EttF.html#wp1031600