Translate

Saturday, 24 January 2015

Fresh Start-Beginner

Hi,

This is Kalpesh Hadkar, welcome to world of secure network, I would like to give my small contribution to this security world.

The reason behind it is, when I came to networking world I wasnt well aware of the technology excepts few basics of OSI Layers and Functioning of Routers and Switches. Later it took sometime for me to get acquainted with Firewall Technology by collecting online material. I wanted to reduce the initial problem which starter face searching for stuffs. A small contribution made for Secure Networks.

Hope you all would enjoy learning with Secure Networks.

Wednesday, 21 January 2015

Introduction to Security


Network Security involves 3 basic Objectives-
  • Confidentiality - It means that only authorized individual can view sensitive information. The primary way of protecting the data is to encrypt it before sending it over the network. Another option is using separate network for sending confidential data.    
  • Integrity - It means the data transmitted, remain intact throughout the network. Any change made to the data are done by authorized individuals.                                                              
  • Availability - It states that data needs to be available throughout the network. Availability can be denied by Denial of Service (DOS) attack because of network failure.

Sunday, 18 January 2015

Building a Fortified Network

For Building a Fortress or Secure Network, we break networks into 3 plane considerably :-

  • Management Plane - It deals with securing the device for management purpose for communication. We can secure the management plane by using ssh, https, snmp services. Also it can be secured by restricting whom to allow to login in network. Keeping Brute force attacks away by keeping restrictions for Password attempts and time outs on devices. Providing access to restricted users for authorized privileges using Role Based CLI. Use of Secure NTP (Network time Protocol).                                                                                      
  • Control Plane - Control Plane basically deals with processor or functionality of device. They are Routing updates or Keep Alive messages. For Protecting Control plane authentication of user is must. Also we can specify number of session, device can connect at an instance and limiting the data traffic by restricting a packet size.
  • Data Plane - It is a forwarding plane, which transmits packets from one device to other. Data plane can be protected by using ACL, BPDU Guards and Root Guards to lock down STP. Also Port Security comes in handy in preventing Spoofing of MAC Address.

Thursday, 15 January 2015

Configuring aaa (using authentication method)

aaa new-model
This command changes the router model with aaa new model. If aaa server is installed it will use aaa server for authentication, else it will use local database.
If there is no local database, it will use enable passwords

How do you configure AAA in the Cisco IOS?

Here are the steps to configuring AAA:
  • Enable AAA
  • Configure authentication, using RADIUS or TACACS+
  • Define the method lists for authentication
  • Apply the method lists per line/ per interface
It is important to note that Cisco IOS software attempts authentication with the next-listed authentication method only when there is no response from the previous method. If the security server or user database responds by denying the user access, the authentication process and the user will get a denied user prompt. To configure AAA, use the following statement in global configuration mode:
Router(config)# aaa new-model
From this point, most admins start configuring AAA by setting up authentication.
Here is one example of how to configure login authentication using the enable password.
Router(config)# aaa authentication login default enable
In this you want to apply a method list only to a line console. You would create a method list and then apply it . 
Router(config)# aaa authentication login default group  tacacs+ local
Router(config)# aaa authentication login CON none
Router(config)# line console 0
Router (config-if)# login authentication CON

Securing the Management Plane (AAA)

For Securing the management plane we need to set up enable secrets, give user based privilege mode, locking down access methods and AAA.

What is AAA?
AAA method (AuthenticationAuthorization and Accounting)-
When it comes to network security, AAA is a requirement.
  • Authentication: Identifies users by login and password using challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
  • Authorization:It tells what authority the logged in user has. After initial authentication, authorization looks at what that authenticated user has access to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user rights. In the Cisco IOS, you can define AAA authorization with a named list or authorization method.
  • AccountingThe last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you could get a log of when users logged in and when they logged out.

Why every network admin should care about AAA

 AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure only the right users are authenticated,  those users have access only to the right network resources.

Monday, 12 January 2015

Configuring aaa (authorization and accounting method)

For Authorization method list we will use custom list (not default one)

    Router(config)# aaa authorization command 1 TAC1 group tacacs+ local
   Router(config)# aaa authorization command 2 TAC2 group tacacs+ local


For Accounting method list

   Router(config)# aaa accounting command 1 TAC-ACT1 start-stop group tacacs+

Router(config)# aaa accounting command 2 TAC-ACT2 start-stop group tacacs+

Apply Authorization and Accounting to line vty

   Router(config)# line vty 0 4
   Router(config-line)# authorization commands 1 TAC1
   Router(config-line)# authorization commands 2 TAC2
   Router(config-line)# accounting commands 1 TAC-ACT1 
   Router(config-line)# accounting commands 2 TAC-ACT2 

Friday, 9 January 2015

Centralized Management Control using AAA (Radius & TACACS)

In Centralized Database we do not create separate user login for each user.

Client & Server based communication is made in AAA Server, where AAA server authenticates the Client login. The usernames and databases are kept in centralized Server called AAA Server. This keeps Router idle from processing all this. 

Router  --- <communicates with> ---- AAA Server
Router  --- <makes request to> ---- AAA Server
AAA Server ---- <responds back to> ---- Router

This conversation takes place through RADIUS & TACACS Server

RADIUS (Remote Authentication Dial in User Service)

  • It is an open standard method of communicating with AAA Server.
  • It encrypts login passwords, while the other communication between client & Server.
  • It uses UDP layer for Transport Protocol, hence unreliable.
  • It uses port no 1812 for Authentication, 1813-Authorization.
  • It is used for Authenticating end users.
TACACS (Terminal Access Controller Access Control System)

  • It is a Cisco Proprietary method.
  • It encrypts the entire communication between Client & Server.
  • It uses TCP port no.49 at layer 4.
  • It has separate control for communication (for authenticating & authorizing) .




Tuesday, 6 January 2015

Internet Security Issues and Prevention (DHCP Snooping)

Internet has various Security issues like

  • DNS attack- It involves no authentication as the original website has been attacked.
  • Phising - It involves in security breach of entering login information on fake websites.
  • Spams - It includes all fake emails and messages, mostly sent through botnets of infected computers.
Protecting Layer 2-

  • Attacks on Switch- DHCP Snooping is the common attack where DHCP Servers are attacked. It is the man in the middle attack which migrates the traffic going to DHCP Server, by attacking it.
  • This can be prevented by protecting switch ports by not allowing offers & acknowledgement on untrusted ports.
SW1(config)# ip dhcp snooping vlan3

SW1(config)# ip dhcp snooping

SW1(config)# int g 0/1

SW1(config)# ip dhcp snooping trust

IN DHCP Snooping, it doesnt trust all access ports, we have to specify port as trusted ones.

Saturday, 3 January 2015

Overview of DHCP Snooping

Overview of DHCP Snooping


DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.

Rate-limits DHCP traffic from trusted and untrusted sources.

Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.



Trusted and Untrusted Sources


The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers, and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.
A DHCP server that is on your network without your knowledge on an untrusted port is called a spurious DHCP server. A spurious DHCP server is any piece of equipment that is loaded with DHCP server enabled. Some examples are desktop systems and laptop systems that are loaded with DHCP server enabled, or wireless access points honoring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulties troubleshooting a network outage. You can detect spurious DHCP servers by sending dummy DHCPDISCOVER packets out to all of the DHCP servers so that a response is sent back to the switch.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

DHCP Snooping Binding Database

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Packet Validation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port.

Thursday, 1 January 2015

PACKET Filtering with IPV4 (protecting Data Plane)

Data Plane in network deals with Traffic in Routing Protocol called packets.
It is essential to protect this packets while its transmission.
  1. ACLS are used for Packet Filtering
      -It manages inbound traffic (getting to router interface from outside network)
      -Outbound traffic (Transit traffic going through the the router or generated by                  router)
     

   There are 2 Types of ACL

  • Standard -They are used for L3 source address based data.
  • Extended- L3/L4 source and destination Address based Data
  1. Like in case we need to block some users from accessing to internet, here we can create an access group and place the IP address of the host/network which are to block those server in that group and apply it on Interface of Router.
  2. Object Group contain multiple network which can be used for packet filtering in ACL. Instead of blocking single host we can also block entire subnet by placing a correct wild card Mask in ACL statement.