Network security is extremely important in today's environment, specifically in the financial sector, where valuable information such as personal transactions containing private customer information, credit card numbers and social security numbers increasingly moves along data networks. The rise of digital data, which now includes voice and video alongside data, brings a large number of virus and worm attacks and exploitation of vulnerabilities caused by poorly written software and misconfiguration. The resulting data breaches, theft and penalties cost corporations billions of dollars every year. The ever-increasing demand for accessibility and availability generates a greater demand for data security. Data needs to be protected and secured not only in storage on a system but also in transmission.
In this age of information, the focus is increasingly on speed, interoperability, and interconnectedness. As such, organizations have primarily pursued a techno-centric approach when developing platforms to capture business intelligence.
The corporate IT infrastructure is the IT network, LAN or WAN depending on the geographical size of the corporation, that sits within the enterprise firewall separating the Internet from the corporate network. Network security in the corporate IT infrastructure, the so-called corporate LAN/WAN, was often limited to firewalls, IDSs and the physical security of data centers. The majority of efforts were concentrated on monitoring and protecting data traffic inbound to or outbound from the IT infrastructure, not on the traffic flowing within it. With the widespread use by corporate users of today's social networks and of malicious Internet sites pretending to serve free music, software and the like, there is an ever-increasing threat of sophisticated attacks and of new worms and viruses that spread and flood the IT infrastructure in a matter of minutes. It is the IT infrastructure in the enterprise that presents a critical first line of defense against security attacks in an enterprise IT network. Various articles have been written and discussed on protecting the corporate network from the Internet, and corporations themselves have placed most emphasis on the need to protect the corporate network from the Internet. This emphasis and these policies need to change, because most internal security attacks originate from the inside (SANS), intentionally by disgruntled employees or unintentionally through misconfiguration of rogue applications and infected PCs.
In this paper we analyze in detail the common attacks that are launched from inside the IT infrastructure, for example denial of service attacks and man-in-the-middle attacks, and give considerations and recommendations for technical controls that can be configured on network infrastructure switches to defend against these disruptive attacks while adhering to best practices, for example turning on Port Security, BPDU Guard, DHCP snooping, Dynamic ARP Inspection and IP Source Guard. We also discuss the testing methodology used to validate the recommended configuration.
To achieve the above objectives, this assessment employed several qualitative methods:
One-on-one interviews with Network and Security stakeholders
Secondary research, and
Comparative analysis of research sources, tools and technologies
Understand the capabilities of current tools (i.e., Cisco Routers/ Switches)
Read best practices and analyze feedback collected
Until very recently, network security in the IT infrastructure was often limited merely to physical security. With the advent of increasingly sophisticated attacks and new worms and viruses that spread in a matter of minutes, those policies need to change. Because most attacks are launched from inside the network, its LAN infrastructure presents a critical first line of defense against security attacks in an enterprise LAN/WAN.
One of the most common attacks is the denial of service attack, which can interrupt the entire enterprise network. Denial of service can be launched maliciously or introduced into the network unknowingly by an infected computer. The other common attack is the man-in-the-middle attack. This allows an attacker to snoop on and intercept LAN traffic, compromising network privacy. In this attack, an unauthorized device assumes the identity (MAC or IP address) of a legitimate network device, such as the gateway. All traffic intended for the legitimate device is now passed through the unauthorized device assuming the fake identity. This traffic can then be scanned and sniffed for personal information, credit card numbers, passwords and probably information about other devices, which can in turn be targeted for future attacks.
Let's look at key considerations and action-oriented remedies that can be used to address and counter these specific attacks. The various high-end switches used in enterprise networks support port security, which is used to prevent layer-2 (MAC) based attacks. This allows a network administrator to restrict the number of MAC addresses that can transmit from a switch port, preventing or limiting a denial of service attack. BPDU Guard and Storm Control can also be used against this type of attack.
To mitigate man-in-the-middle attacks, features such as DHCP snooping are used: a per-port security mechanism differentiates an untrusted switch port connected to an end user from a trusted switch port connected to a Dynamic Host Configuration Protocol (DHCP) server or another switch. It can be enabled on a per-VLAN basis.
Dynamic ARP inspection is used to prevent man-in-the-middle attacks by not relaying invalid or unjustified Address Resolution Protocol (ARP) replies out to the other ports in the same VLAN. Dynamic ARP inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified against the valid IP-to-MAC bindings, which are gathered through DHCP snooping. The other feature used to mitigate IP spoofing attacks is IP Source Guard. It provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. The binding table is populated either by the DHCP snooping feature or through static configuration of entries. IP Source Guard is typically deployed on untrusted switch ports in the access layer.
Figure 1 - A sample large IT infrastructure network
In this age of information, the focus is increasingly on speed, interoperability and interconnectedness due to mergers and acquisitions. Security may sometimes get overlooked; as such, organizations have primarily pursued a techno-centric approach when developing the network to capture business benefits and profits. The recommendations below, applied to existing infrastructure, can greatly reduce the risk factor in the IT infrastructure without adding any additional cost.
These are basic recommendations based on best practices. They can be applied to any enterprise switches, routers etc., regardless of manufacturer. The paper below is based on Cisco gear deployed in Citi's network.
Limit Remote Access:
All remote access to these switches must be restricted to specific source IP addresses by applying access classes to the VTY lines. Open sessions are a risk if an administrator leaves the workstation and somebody else uses the open session to modify the configuration on the switch. Therefore, a time-out should be set on each session. After 2 minutes of idle time, the switch should close the session automatically.
Limit Local Access
All switches are equipped with a console port to provide local access to the switch CLI. Console port connectivity requires either local access to the switch, or a terminal server that connects to the console port. Each console port must be connected to a terminal server.
Security can be provided by configuring username/password authentication on the console port. Nevertheless, against somebody who has physical access to the switch this provides only weak protection, because well-known password recovery techniques can be applied to the switch to circumvent the local login.
Some switches additionally have an auxiliary (AUX) port. The same protection mechanisms apply as for the console port.
Open console sessions are a risk if a system engineer leaves the workstation that is connected to the console. Somebody else could use the open session to modify the configuration on the switch. Therefore, a time-out will be set on each console line. After 2 minutes of idle time, the switch will close the console session automatically.
Local User Database/ Password Policy
Each switch maintains a local database to store username and password information for the management accounts. Usually they are configured as a fall-back to RADIUS authentication, i.e. if authentication through the RADIUS server is not possible.
User account handling needs to conform to the following guidelines, unless there is a company-wide approved password security policy.
Both usernames and passwords of a user account on a switch need to have at least 10 characters and must include numbers and special characters.
Passwords need to be changed every 30 days.
To protect the user passwords from being read in the configuration files, password encryption should be enabled on the switches.
System Management uses SNMP to manage the switches in the network. The switches usually support both SNMP v1.0 and SNMP v2.0, the latter of which supports some security functions. Therefore, since the switches do support SNMP v2.0, only SNMP v2.0 should be used.
SNMP access to the switches should only be granted to system management workstations. This will be enforced by applying access classes to the SNMP profile that allows only for connections from SM IP addresses. Furthermore, trap authentication with the community strings should be turned on to help the SM workstations to verify the validity of incoming SNMP packets. The interface for outgoing SNMP packets should also be specified to facilitate creation of filtering rules on routers and firewalls.
Read community strings
Read community strings can be used to retrieve configuration information from a switch, but do not allow for configuration changes.
The read community string can be the same on all switches. It must be hard to guess and be changed every 30 days. The same rules as for the creation of passwords and usernames apply.
Write community strings
Write community strings can be used to both retrieve configuration information from a switch, as well as to do configuration changes.
The write community strings must be different on each switch of the network. They must be hard to guess and be changed every 30 days. The same rules as for the creation of passwords and usernames apply.
Disabling Unnecessary Services
By default, Cisco IOS has some services enabled that could allow attackers to gain information about the network or perform denial of service attacks. The following services will be disabled on all Cisco switches in the network:
no service udp small-servers
no service tcp small-servers
no service finger
no ip bootp server
no ip directed-broadcast
no ip http server
no ip source route: Some attacks use the IP source route option. The attacks rely on the ability of the attacker to specify the path a packet will take. An attacker can send a source routed packet to a victim host behind a router which will then send back packets along the same path. This allows replies to spoofed packets to return to the attacker.
no cdp run: Cisco Discovery Protocol (CDP) is a media independent protocol which, by default, runs on all Cisco equipment. The protocol is used for system management and is used to discover other Cisco devices.
no ip unreachables: By default, when an access list drops a packet, the router returns an ICMP type 3, code 13 (administratively prohibited) message. This allows potential attackers to learn that the router implements access list filters. Also, most UDP scans rely on the target sending back unreachable messages. To thwart UDP scans, the switch can be configured with this command not to send ICMP type 3 (unreachable) messages. This command will be enabled on a per-interface basis.
no ip proxy-arp: If the current network architecture does not use ip proxy-arp, then it must be disabled.
no ip redirects: IP redirects must be disabled on a per-interface basis.
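As an added example (not part of the original paper or of any Cisco tool), the following Python script audits a saved running-config against the recommendations above: the disabled services, password encryption, the per-interface settings, the 2-minute idle time-out on console and VTY lines, and the access class and SSH-only transport on the VTY lines. The sample configuration is constructed and deliberately only partially hardened; it assumes the hardening commands appear as literal lines in the configuration (IOS hides some default-off settings, so a "not present" finding should be confirmed against the platform's full-defaults configuration view before it is treated as a gap).

```python
# Constructed sample running-config, deliberately only partially hardened so the
# audit has something to report (not a real device's configuration).
SAMPLE_CONFIG = """\
hostname ACCESS-SW1
service password-encryption
no service tcp-small-servers
no service finger
no ip bootp server
no ip http server
no ip source-route
!
interface GigabitEthernet1/0/1
 switchport mode access
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet1/0/2
 switchport mode access
!
line con 0
 exec-timeout 2 0
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
"""

# Global commands the paper requires on every switch.
GLOBAL_REQUIRED = ["service password-encryption", "no service udp-small-servers",
                   "no service tcp-small-servers", "no service finger", "no ip bootp server",
                   "no ip http server", "no ip source-route", "no cdp run"]
# Commands the paper applies on a per-interface basis.
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
IDLE_TIMEOUT = "exec-timeout 2 0"        # close idle sessions after 2 minutes


def parse_sections(config):
    """Split an IOS config into global lines and indented interface/line sections."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(config):
    """Return (scope, expected command, note) for every recommendation not met."""
    findings = []
    global_lines, sections = parse_sections(config)
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(("global", cmd, "not present"))
    for header, lines in sections.items():
        if header.startswith("interface "):
            for cmd in INTERFACE_REQUIRED:
                if cmd not in lines:
                    findings.append((header, cmd, "not present"))
            continue
        # console, aux and vty lines need the idle time-out; vty lines additionally
        # need an access class restricting source addresses and SSH-only transport
        if IDLE_TIMEOUT not in lines:
            findings.append((header, IDLE_TIMEOUT, "missing or not 2 minutes"))
        if header.startswith("line vty"):
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append((header, "access-class <acl> in", "not present"))
            if "transport input ssh" not in lines:
                findings.append((header, "transport input ssh", "not present"))
    return findings


if __name__ == "__main__":
    for scope, cmd, note in audit(SAMPLE_CONFIG):
        print(f"{scope:32s} {cmd:32s} {note}")
```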
Cisco switches support a primary and several secondary RADIUS servers for authentication and authorization purposes. When a user attempts to log in using SSH, HTTP or the console, the request is relayed to the primary RADIUS server, and then to the secondary server if the primary does not respond. If both RADIUS servers fail, the switch uses its local database as a last resort. If there are no entries in the local user database, the switch will refuse all connection attempts.
OS Version Control
From a security perspective it is desirable to control the OS versions deployed in the platform, for several reasons:
Always installing the latest version of the OS on the switches guarantees that security flaws and instabilities of previous versions have been eliminated.
Different versions of an OS bear the risk that default configuration settings change without notification.
New OS versions might introduce new features that could open security vulnerabilities on the switch.
Therefore, OS version control must be established, fulfilling the following functions:
Same OS version must be installed on all switches throughout the platform.
An OS upgrade should be done simultaneously on all switches on the platform.
Existing OS installations need to be audited on a regular basis for security vulnerabilities. Possible sources of information are for example the vendor web page and security news groups. If security flaws have been patched in the new OS version, this OS should be rolled-out on all switches in the network.
Switches will create log messages during operation. These messages can be logged either in its internal log file, the system console, or to an external syslog server.
The switch log tracks all configuration and fault information pertaining to the device. Each entry of the log contains the following information:
Timestamp: The timestamp records the month and day of the event, along with the time. If the event was caused by a user, the user name is also provided.
Fault level: The switch assigns four levels of importance to a fault: Critical, warning, informational and debug.
Log files are an important means to audit activity on a switch (e.g. configuration changes, login attempts) and to determine if it has been compromised. Log files are a vital component of detecting an intrusion. Therefore, log files must be available for analysis, both after an attack and to provide preventive security.
From a security perspective, not every log message is of interest. Therefore, at a minimum the following messages should be sent to the syslog host:
Access list hits
Secure Shell (SSH) is a client program that offers similar functionality to telnet. It opens a terminal emulation to a VTY and allows commands to be executed on that device remotely. The difference between telnet and Secure Shell is that Secure Shell encrypts all traffic between client and host, so it cannot be intercepted by someone sniffing network traffic. Secure Shell is available with strong 3DES encryption. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and the use of locally stored usernames and passwords.
The advantages of SSH over telnet are:
Encrypts usernames and passwords before sending them over the network.
Encrypts all data before sending it over the network.
Authenticates each server's identity.
Logs basic details of each connection.
Can provide the basis for a mechanism for securely copying configuration files over the network.
Configuration Specific Recommendations
Broadcast Suppression, which is disabled by default, must be implemented in Client Access switches. Broadcast suppression prevents switched ports on a LAN from being disrupted by a broadcast storm on any of the ports. A LAN broadcast storm resulting from a virus outbreak, a faulty NIC or a misconfigured application can lead to excessive traffic on the LAN, directly impacting network performance.
Broadcast suppression uses filtering that measures ingress broadcast activity on a LAN over a one-second period and compares the measurement with a predefined threshold. If the threshold is reached, the port must be configured to go into the err-disabled state. The following thresholds are recommended, but actual thresholds may be adjusted to suit application requirements: for 10M, 100M and 1 Gigabit user interfaces, a 1% broadcast threshold is recommended.
Port Security must be implemented in Client Access switches. The Catalyst switches learn source MAC addresses dynamically. A Trojan outbreak in the LAN can result in spoofed MAC address traffic leading to potential denial of service (DoS) attacks. In order to prevent the spoofed traffic, the switch can be configured to learn and monitor the MAC addresses of the systems connected to every switch port. Ports can then be statically or dynamically configured with the secure MAC addresses of the connected devices and the aging time of those MAC addresses; if the configured threshold is reached, the port must be configured to shut down automatically.
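The port security test (test b in the validation section below: ping, flood the MAC table, ping again, check the sniffer port) can be reasoned about with a small model of the switch's MAC address table. The following Python model is an added example, not code from the paper or from any Cisco product; it assumes a toy table capacity of 1000 entries, the 300-second default aging time, four constructed ports (victim host, flooding tool, sniffer, TFTP server) and a flooding rate chosen so that one aging window always holds more addresses than the table can store, and it shows why an unlimited port lets the flood turn the switch into a hub while a limit of 10 addresses err-disables the offending port.

```python
AGING_SECONDS = 300            # default MAC address table aging time on Catalyst switches
BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM, FLOODER, SNIFFER, SERVER = "Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/24"
PORTS = [VICTIM, FLOODER, SNIFFER, SERVER]          # constructed test topology
VICTIM_MAC, SERVER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:24"


class Switch:
    """Toy model of a switch MAC table: learning, aging, unknown-unicast flooding and
    an optional port-security limit with the shutdown (err-disable) violation action."""

    def __init__(self, ports, cam_capacity, max_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity       # hardware table size (assumed)
        self.max_per_port = max_per_port   # None = port security disabled
        self.table = {}                    # mac -> (port, last_seen)
        self.errdisabled = set()
        self.log = []

    def _learn(self, now, port, mac):
        # Refresh an existing entry, or add a new one if the table and the
        # port-security limit allow it.
        entry = self.table.get(mac)
        if entry is not None and entry[0] == port:
            self.table[mac] = (port, now)
            return
        if self.max_per_port is not None:
            on_port = sum(1 for p, _ in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                self.errdisabled.add(port)
                self.log.append(f"t={now}s port security violation on {port} by {mac}: err-disabled")
                return
        if len(self.table) < self.capacity:     # when full, new addresses are not learned
            self.table[mac] = (port, now)

    def frame(self, now, in_port, src, dst):
        """Switch one frame at time `now`; returns the set of egress ports."""
        if in_port in self.errdisabled:
            return set()
        self.table = {m: e for m, e in self.table.items() if now - e[1] < AGING_SECONDS}
        self._learn(now, in_port, src)
        entry = self.table.get(dst)
        if entry is None:      # broadcast or unknown unicast: flood the VLAN
            return set(self.ports) - {in_port} - self.errdisabled
        return {entry[0]}


def run_test(max_per_port):
    """Test b from the paper: ping before the flood, flood, ping again, check the sniffer."""
    sw = Switch(PORTS, cam_capacity=1000, max_per_port=max_per_port)
    sw.frame(0, VICTIM, VICTIM_MAC, SERVER_MAC)
    sw.frame(0, SERVER, SERVER_MAC, VICTIM_MAC)
    before = sw.frame(1, VICTIM, VICTIM_MAC, SERVER_MAC)
    # Flooding tool: 10 never-seen source MACs per second for ~400 s, so every
    # 300 s aging window contains more addresses than the table can hold.
    n = 0
    for t in range(2, 401):
        for _ in range(10):
            n += 1
            mac = f"02:00:00:{n >> 16 & 255:02x}:{n >> 8 & 255:02x}:{n & 255:02x}"
            sw.frame(t, FLOODER, mac, BROADCAST)
    # Legitimate ping exchange after the hosts' own entries have aged out.
    sw.frame(400, VICTIM, VICTIM_MAC, SERVER_MAC)
    sw.frame(400, SERVER, SERVER_MAC, VICTIM_MAC)
    after = sw.frame(400, VICTIM, VICTIM_MAC, SERVER_MAC)
    return {"before": before, "after": after,
            "sniffer_sees_ping": SNIFFER in after,
            "flooder_errdisabled": FLOODER in sw.errdisabled,
            "cam_entries": len(sw.table)}


if __name__ == "__main__":
    for label, limit in (("no port security", None), ("port security max 10", 10)):
        print(label, run_test(limit))
```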
BPDU (Bridge Protocol Data Unit):
BPDU Guard is required and must be implemented on host ports of client access switches. BPDU Guard alerts on invalid configurations, for example the connection of an unauthorized switch. When configured at the interface level, BPDU Guard shuts down the port when this kind of activity is detected.
DHCP Snooping must be implemented in Client Access switches. DHCP snooping refers to the switch's ability to create and maintain a DHCP snooping binding database (table) by filtering DHCP messages. The switch considers messages sourced from a DHCP server or another switch trusted, while the interfaces connected to end users are usually designated untrusted, because various LAN violations and attacks originate from this source. DHCP snooping behaves like a firewall between untrusted hosts and DHCP servers.
The DHCP snooping binding database contains the IP address, MAC address, lease time, VLAN and interface information corresponding to the local untrusted interfaces of a switch. The database does not contain information about hosts connected through a trusted interface. When a switch receives a packet on an untrusted interface on which DHCP snooping is enabled, the switch compares the source MAC address with the DHCP client hardware address. If they match the switch forwards the packet; if not, the packet is dropped.
Dynamic ARP Inspection:
Dynamic ARP Inspection is an important feature that should be implemented in Client Access switches in conjunction with DHCP Snooping. It is important to enable logging for the ARP packets that are denied by Dynamic ARP Inspection. It is a security feature that uses the binding information built by DHCP snooping to validate the bindings announced in ARP packets, in order to prevent man-in-the-middle attacks. It verifies that the ARP packet's MAC address and IP address match the existing DHCP snooping binding table information. If static IP address assignments exist in a VLAN, the relevant ports must be configured as ARP-inspection-trusted ports. Dynamic ARP Inspection ensures that only valid ARP requests and responses are passed. The switch intercepts all ARP requests and responses and verifies that each of these intercepted packets has a valid IP-to-MAC address binding. It then updates its local ARP cache and forwards the packet to the appropriate destination; all other, invalid ARP packets are dropped.
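How the DHCP snooping binding table feeds both Dynamic ARP Inspection and IP Source Guard (described here and in the earlier overview) is easiest to see in a small model. The following Python class is an added example, not code from the paper or from Cisco; it assumes one trusted uplink port, a constructed VLAN 10 with two DHCP clients and one statically addressed host, and the checks as the paper describes them: server replies accepted only on trusted ports, client source MAC compared with the DHCP client hardware address, ARP sender pairs matched against bindings, and IP traffic matched against the binding for that port.

```python
from collections import namedtuple

# One DHCP snooping binding: which MAC holds which IP, in which VLAN, on which port.
Binding = namedtuple("Binding", "mac ip vlan port")


class AccessSwitch:
    """Toy model of the DHCP snooping binding table and of the two features that
    consume it: Dynamic ARP Inspection (ARP) and IP Source Guard (IP data)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks and DHCP-server facing ports
        self.bindings = {}                  # (vlan, ip) -> Binding
        self.pending = {}                   # (vlan, client mac) -> client port
        self.log = []

    def add_static_binding(self, mac, ip, vlan, port):
        """Static entry for a host with a fixed address (no lease to learn from)."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def dhcp_client_request(self, port, vlan, src_mac, chaddr):
        """DISCOVER/REQUEST from a client: on untrusted ports the frame's source MAC
        must equal the DHCP client hardware address (chaddr), else it is dropped."""
        if port not in self.trusted and src_mac != chaddr:
            self.log.append(f"DHCP snooping drop on {port}: src {src_mac} != chaddr {chaddr}")
            return False
        self.pending[(vlan, chaddr)] = port
        return True

    def dhcp_server_ack(self, port, vlan, chaddr, ip):
        """Server ACK: accepted only from trusted ports; a valid ACK creates the binding."""
        if port not in self.trusted:
            self.log.append(f"DHCP snooping drop on {port}: server reply on untrusted port")
            return False
        client_port = self.pending.pop((vlan, chaddr), None)
        if client_port is None:
            return False   # ACK for a request the switch never saw
        self.bindings[(vlan, ip)] = Binding(chaddr, ip, vlan, client_port)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender IP/MAC pair must match a binding in this VLAN."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac:
            self.log.append(f"DAI drop on {port}: {sender_ip} is not bound to {sender_mac}")
            return False
        return True

    def ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: IP traffic on untrusted ports must match a binding for that port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port or b.mac != src_mac:
            self.log.append(f"IPSG drop on {port}: {src_ip}/{src_mac} has no binding here")
            return False
        return True


def demo():
    """Constructed scenario: two leases, one static host, then spoofing attempts."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})   # uplink towards the DHCP server
    for port, mac, ip in (("Gi1/0/1", "aa:aa:aa:00:00:01", "10.0.10.11"),
                          ("Gi1/0/2", "aa:aa:aa:00:00:02", "10.0.10.12")):
        sw.dhcp_client_request(port, 10, mac, mac)
        sw.dhcp_server_ack("Gi1/0/48", 10, mac, ip)
    sw.add_static_binding("aa:aa:aa:00:00:03", "10.0.10.50", 10, "Gi1/0/3")  # printer
    return sw, {
        "legit_arp": sw.arp("Gi1/0/1", 10, "aa:aa:aa:00:00:01", "10.0.10.11"),
        "static_host_arp": sw.arp("Gi1/0/3", 10, "aa:aa:aa:00:00:03", "10.0.10.50"),
        "gateway_arp_from_uplink": sw.arp("Gi1/0/48", 10, "00:00:5e:00:01:01", "10.0.10.1"),
        "host2_claims_gateway_ip": sw.arp("Gi1/0/2", 10, "aa:aa:aa:00:00:02", "10.0.10.1"),
        "host2_claims_host1_ip": sw.arp("Gi1/0/2", 10, "aa:aa:aa:00:00:02", "10.0.10.11"),
        "rogue_dhcp_ack_on_access_port": sw.dhcp_server_ack("Gi1/0/4", 10, "aa:aa:aa:00:00:01", "10.0.10.99"),
        "host2_manual_ip_change": sw.ip("Gi1/0/2", 10, "aa:aa:aa:00:00:02", "10.0.10.99"),
        "host2_leased_ip": sw.ip("Gi1/0/2", 10, "aa:aa:aa:00:00:02", "10.0.10.12"),
    }
```

Running demo() returns the switch with its drop log plus a dictionary of which packets were forwarded; the four dropped cases correspond to the tests c, d and e in the validation section.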
Control Plane Policing:
Due to the potential for a misconfiguration resulting in an outage, this is a restricted feature and must not be deployed without consent and approval from the respective Network Architecture team. QoS must be enabled prior to applying CoPP. The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the flow of control plane packets, to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. Thus, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
Following due diligence, or the common phrase "Trust but Verify", all configuration and functionality must be verified and validated.
The following test equipment will be utilized:
• Linux workstation - the workstation is loaded with the attack tools "Yersinia" and "Macof".
• Windows laptop
• Cisco IP phone
• Avaya IP phone
• Windows laptop - the laptop is loaded with Ethereal for packet capture.
Load testing tools:
1) IXIA or similar tool that is able to generate ARP and ICMP Broadcast Storm.
Required for testing Storm Control
2) MACOF or similar tool that is capable of generating and throttling the generation of random MAC addresses.
Required for testing Port Security
Required for testing:
Dynamic ARP Inspection
IP Source Guard
Execute the following test and capture aforementioned output for evidence collection and verification.
a. Storm Control Configuration Validation
1. Begin with no storm control configuration
2. Check CPU and availability of network devices
3. Begin broadcast packet storm with IXIA
4. Check CPU and availability of devices
5. Turn on storm control
6. Check CPU and availability of devices
b. Port Security Configuration Validation
1. Begin with no port security configuration
2. Plug in a sniffer on a spare port of the switch
3. Begin a ping from one of the test workstations to the tftp server
4. Check sniffer for ping packets
5. Turn on mac flooding tool
6. Check sniffer for ping packets
7. Stop test and clear mac table of switch
8. Turn on Port Security for a maximum of 10 mac addresses on all host ports
9. Begin a ping from one of the test workstations to the tftp server
10. Check sniffer for ping packets
11. Turn on mac flooding tool
12. Check sniffer for ping packets
13. Check port attached to mac flooding tool
c. DHCP Snooping Configuration Validation
1. Begin with no DHCP snooping enabled
2. Place a DHCP server on one of the access servers and one on a different network
3. Connect a DHCP enabled laptop to the switch
4. Where does the laptop get its IP ADDRESS from?
5. Enable DHCP snooping
6. Make all host ports on the access switches untrusted
7. Reconnect the DHCP client
8. Where does the laptop get its IP ADDRESS from?
9. Check DHCP binding table on the access switches
10. Failover supervisors
11. Check DHCP binding table again
d. Dynamic Arp Inspection Configuration Validation
1. Begin with no DAI enabled
2. Use the attack tools to try and poison the mac address table and catch traffic meant for the default gateway or the TFTP server
3. Turn on DAI
4. Use the attack tools to try and poison the mac address table and catch traffic meant for the default gateway or the TFTP server
5. Failover supervisors
6. Use the attack tools to try and poison the mac address table and catch traffic meant for the default gateway or the TFTP server
e. IP Source Guard Configuration Validation
1. Begin with no IP Source Guard Enabled
2. Plug in a DHCP enabled laptop to the switch
3. Obtain an IP ADDRESS from the DHCP server
4. Change the IP ADDRESS manually
5. Ping the Default Gateway or DHCP Server
6. Turn on IP Source Guard
7. Plug in a laptop with the IP ADDRESS already configured
8. Try to connect to the Default Gateway or DHCP Server
9. Disconnect Laptop and reconnect it so it can receive a DHCP address from the server
10. Ping the Default Gateway or DHCP Server
11. Change the IP ADDRESS manually
12. Ping the Default Gateway or DHCP Server
13. Check the switch logs
f. STP Security Features Configuration Validation
1. Begin with no STP security features enabled
2. Check the STP root
3. Change the root table by using attack tool
4. Check the STP root
5. Enable STP security features discussed above
6. Attempt to change the root using the attack tool
7. Check STP root
8. Check port connected to new switch
9. Check switch logs
A thorough network audit, measuring and understanding the business impact of current network performance and usage, is the critical first step in any network initiative, be it an application rollout or a data center consolidation.
The Network Audit and Benchmarking provides a general evaluation of network security and performance, based on the analysis of pre-defined key security and performance indicators. The QA team can provide valuable information regarding the current situation and identifies network security and performance points where future improvements can be achieved. These improvements can be based on the vulnerability assessment, performance of the network or on the better utilization of its resources.
Identifying improvement areas
Ensuring stability and efficiency in performance
Closing any security gaps
Define the networking standards & compliance policies
Communicate the same to all
Conduct periodic Quality Audits & raise Non Compliance Items (NCI) if any
If NCIs are raised, prepare Corrective Action Plans (CAP) with deadlines
Review the CAP & sign off when implemented