Securing Wired Local Area Networks(LANs)

Download Report

Transcript Securing Wired Local Area Networks(LANs)

By Sentuya Francis Derrick
ID 08051602
Module code:CT3P50N
BSc Computer Networking
London Metropolitan University
13th/04/11
Supervisor: Mr Shahram Salekzamankhani
Two fold: LAN & LAN Security

LANs: group of computers and devices interconnected in a limited
geographical area i.e. home, office building, or school to enable the
sharing of resources like printers, files etc. (REF 2)

LANs include higher data-transfer rates (REF 2)

It’s imperative to make LANs secure to achieve confidentiality, data
integrity, and authentication of users on the network. (REF 2)

Use OSI Model Approach to understand LAN Vulnerabilities. (REF 2)

Secure protocols, applications, technologies, and devices, with
network security tools and techniques in order to mitigate any threat
i.e. Virus, Worm, unauthorised access (REF 2)
Network Security
Network security solutions started coming up early 1960 due to
network threats:
 Reconnaissance attacks:
o Packet sniffers,
o Ping sweeps,
o Port Scans

Access attacks:
o
o
o
o

Buffer overflow ,
Man-in-the-middle,
Password attacks,
Port Redirection
Denial-of-service
o Ping of Death ,
o Smurf Attack ,
o TCP SYN Flood attack


Layer 2 of the OSI model – (Data link layer)poses the most network
security vulnerabilities on the LAN- Layer 2 Switches, Ethernet,
Token Ring, FDDI Protocols.
Imperative to secure other Protocols on other layers too.
LAN security threats
 MAC Address Spoofing,
 MAC Address Table Overflow Attacks,
 LAN Storm,
 STP manipulation attack
 VLAN attacks
Operating system basic Security (OS vulnerabilities)
 Trusted code and trusted path
 Privileged context of execution
 Process memory protection and isolation

Aim 1:To find out most OSI model is most vulnerable layer of OSI
model.
Objectives:





Secure Layer 2 Protocols
Secure Addressing Structure and Routing Protocol
Secure Identifiable and Transport mechanism
Secure ways for Applications to translate data formats. encrypt,
compress.
Secure Application layer protocols-HTTP,FTP,TELNET etc
Aim2: Investigate & Analyse tools & methods to secure LAN
Objectives
 Prevent un-trusted network traffic access to trusted networks
 To provide Reliable, efficient, & cost effective
LAN
Personal & Academic objectives
 Gain Computer Network Security Skills
 Learn to organise my time Efficiently
 To Learn & gain research skills
 To Improve report writing skills
 To improve my presentation skills and improve my confidence
 to prepare for Career in Network Security
Approach
 Secure the LAN’s endpoints i.e. hosts, servers, other network clients
devices non-endpoint LAN devices i.e. switches, storage area
networking devices (SAN),etc
Policy
Compliance
Threat
Protection
Cisco Network Control
Cisco Security Agent
REF 1
Infection Containment
Scenario
NAC,IPS,CSA
 I am assigned with a project specification of type research and
practical work to do a project on ‘Securing Wired Local Area
Networks (LANs)’. A virtual topology is used to show network
devices that require to be secured on the LAN.
Cloud
CSA Agent
Cisco Perimeter
Router1 with Firewall
Webmail
DMZ
IPS
CS-MARS/Wireshark
Email Server
Cisco ASA 5500
DHCP& DNS
Server
3560Catalyst L3 Switch
3560Catalyst L3 Switch
Management
centre Vlan99
Cisco Security Agent
AAA Radius
Server Vlan40
2960cat L2 Switch
2960cat L2 Switch
Cisco
Security
Agent
Host A Vlan2
Host B Vlan3
Host C Vlan2
Host D
Vlan3
CSA Agent
My own designed Topology:
REF1








Brief History of LAN evolution
Network Security in General
Wired LAN Security Threats
◦ Internal Threats
◦ External Threats
Wired LAN Security Vulnerabilities
◦ Internal Threats
◦ External Threats
Secure Wired LAN Devices
Wired LAN Security Mitigation Technologies
Virtual Topology Wired LAN Security implementation
Impacts of the Network Security Threats










Designate a secure physical environment – Data centre
Configure port level security for traffic control
Use VLAN technology
Configure access- lists i.e. router access- lists, port access- lists,
Mac access- lists, and VLAN access- lists.
Configure DHCP snooping and enable IP source guard
Configure Authentication, Authorization, and Accounting (AAA)
protocol on TACACS+ Server
Use the Cisco Adaptive Security Appliance (ASA) firewall
Create a demilitarized zone (DMZ)
Use Network-based and Host-based intrusion prevention systems
Structure the LAN in a 3 layer hierarchal model










Front Page
Contents Page
Introduction
Acknowledgements
Chapter 1: What is a LAN?
Chapter 2: What is Network
Security?
Chapter 3: LAN Security Threats
Chapter 4: LAN Security Devices
Chapter 5: Benefits of a Secured
Wired LANs
Chapter 6:L AN Security
Technologies

Chapter 7: Secured Wired LAN
Topology

Chapter 8: Testing and Analysis

Chapter 9: Conclusions

References & Bibliography
Appendix A: Project Plans &
System Models
Appendix B: Test Plans & Results
Appendix C: Project Proposal
Report












Carroll, B.(2004) Cisco Access Control Security: AAA Administration
Services, Cisco Press, 2Rev Ed
Hucaby, D.(2005)Cisco ASA and PIX Firewall Handbook, Cisco
Press.
Behringer, M.H.(2005) MPLS VPN Security, Cisco Press.
Wayne Lewis (2008)LAN Switching and Wireless Companion
Guide.
CCNA Fundamentals of Network Security Companion Guide, Cisco
Press (REF 2)
Secured LAN Topology Cisco lib images (Ref 1)
http://www.referenceforbusiness.com/small/Inc-Mail/Local-AreaNetworks-LANS.html(accessed 12/03/11)
http://www.sans.org/top-cyber-security-risks/ (accessed 20/03/11)
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.
html#wp1046651 (accessed04/04/2011).







http://flylib.com/books/2/464/1/html/2/images/1587052091/graphics/
08fig14.gif (accessed 05/04/11)
http://compnetworking.about.com/library/graphics/basics_osimodel.j
pg (accessed 25/03/11)
http://www.orbit-computer-solutions.com (accessed 30/03/11)
http://www.i1u.net/images/web/PAT.gif (accessed 09/03/11)
http://ptgmedia.pearsoncmg.com/images/0131014684/samplechapt
er/0131014684_ch02.pdf (accessed 02/03/11)
http://www.cisco.com/warp/public/cc/so/neso/sqso/roi1_wp.pdf
(accessed 10/03/11)
http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch5_EttF.h
tml#wp1031600 (accessed 19/03/11)