Securing Wired Local Area Networks (LANs)
By Sentuya Francis Derrick
ID 08051602
Module code: CT3P50N
BSc Computer Networking
London Metropolitan University
13th/04/11
Supervisor: Mr Shahram Salekzamankhani
Twofold: LAN & LAN Security
LANs: a group of computers and devices interconnected in a limited
geographical area, e.g. a home, office building, or school, to enable the
sharing of resources such as printers and files. (REF 2)
LANs offer higher data-transfer rates. (REF 2)
It is imperative to make LANs secure to achieve confidentiality, data
integrity, and authentication of users on the network. (REF 2)
Use the OSI model approach to understand LAN vulnerabilities. (REF 2)
Secure protocols, applications, technologies, and devices with
network security tools and techniques in order to mitigate threats
such as viruses, worms, and unauthorised access. (REF 2)
Network Security
Network security solutions started appearing in the early 1960s in
response to network threats:
Reconnaissance attacks:
o Packet sniffers
o Ping sweeps
o Port scans
Access attacks:
o Buffer overflow
o Man-in-the-middle
o Password attacks
o Port redirection
Denial-of-service attacks:
o Ping of death
o Smurf attack
o TCP SYN flood attack
Layer 2 of the OSI model (the data link layer) poses the most network
security vulnerabilities on the LAN: Layer 2 switches and the Ethernet,
Token Ring and FDDI protocols.
It is imperative to secure the protocols on the other layers too.
LAN security threats
MAC address spoofing
MAC address table overflow attacks
LAN storms
STP manipulation attacks
VLAN attacks
Basic operating system security (OS vulnerabilities)
Trusted code and trusted path
Privileged context of execution
Process memory protection and isolation
Aim 1: To find out which layer of the OSI model is the most vulnerable.
Objectives:
Secure Layer 2 protocols
Secure the addressing structure and routing protocols
Secure the identification and transport mechanisms
Secure the ways applications translate data formats (encrypt,
compress)
Secure application layer protocols: HTTP, FTP, TELNET etc.
Aim 2: Investigate and analyse tools and methods to secure the LAN
Objectives:
Prevent untrusted network traffic from accessing trusted networks
Provide a reliable, efficient, and cost-effective LAN
Personal & Academic objectives
Gain Computer Network Security Skills
Learn to organise my time Efficiently
To Learn & gain research skills
To Improve report writing skills
To improve my presentation skills and confidence, to prepare for a
career in network security
Approach
Secure the LAN's endpoints (hosts, servers and other network client
devices) and its non-endpoint devices (switches, storage area
networking (SAN) devices, etc.)
[Figure (REF 1): Cisco endpoint security scenario showing policy
compliance, threat protection and infection containment using Cisco
Network Control (NAC), IPS and Cisco Security Agent (CSA)]
I have been assigned a project specification of the research and
practical work type, on 'Securing Wired Local Area Networks (LANs)'.
A virtual topology is used to show the network devices that need to
be secured on the LAN.
[Figure: My own designed topology (REF 1). Devices shown: Internet
cloud; Cisco perimeter Router1 with firewall; DMZ with webmail and
email servers, IPS and CS-MARS/Wireshark monitoring; Cisco ASA 5500;
DHCP & DNS server; two 3560 Catalyst L3 switches; management centre
on Vlan99; AAA RADIUS server on Vlan40; two 2960cat L2 switches;
Host A and Host C on Vlan2, Host B and Host D on Vlan3; Cisco
Security Agent (CSA) installed on the hosts and servers.]
Brief History of LAN evolution
Network Security in General
Wired LAN Security Threats
◦ Internal Threats
◦ External Threats
Wired LAN Security Vulnerabilities
◦ Internal Threats
◦ External Threats
Secure Wired LAN Devices
Wired LAN Security Mitigation Technologies
Virtual Topology Wired LAN Security implementation
Impacts of the Network Security Threats
Designate a secure physical environment (data centre)
Configure port-level security for traffic control
Use VLAN technology
Configure access-lists, i.e. router access-lists, port access-lists,
MAC access-lists, and VLAN access-lists
Configure DHCP snooping and enable IP Source Guard
Configure the Authentication, Authorization, and Accounting (AAA)
protocol on a TACACS+ server
Use the Cisco Adaptive Security Appliance (ASA) firewall
Create a demilitarized zone (DMZ)
Use network-based and host-based intrusion prevention systems
Structure the LAN in a three-layer hierarchical model
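One way to apply the Layer 2 mitigations above on one of the 2960cat L2 access switches in the topology, as an added Cisco IOS example that is not part of the presentation or of the project's own configuration; the hostname, interface numbers, the AAA server address 10.40.0.10 (placed in Vlan40) and the placeholder secrets are assumptions, and AAA follows the TACACS+ bullet above.

```cisco
! Added example (not from the presentation): Cisco IOS configuration for one
! 2960cat L2 access switch applying the mitigations listed above. Hostname,
! interface numbers and the AAA server address 10.40.0.10 are assumed values.
hostname ACCESS-SW1
!
vlan 2
 name HOSTS-VLAN2
vlan 3
 name HOSTS-VLAN3
vlan 99
 name MANAGEMENT
!
! DHCP snooping: DHCP server replies are accepted only on the trusted uplink;
! the bindings it records are what IP Source Guard checks on host ports.
ip dhcp snooping
ip dhcp snooping vlan 2,3
!
interface GigabitEthernet0/1
 description Uplink to 3560 Catalyst L3 switch (towards DHCP & DNS server)
 switchport mode trunk
 switchport trunk allowed vlan 2,3,99
 ip dhcp snooping trust
!
interface FastEthernet0/1
 description Host A (Vlan2)
 switchport mode access
 switchport access vlan 2
 ! Port security: one learned MAC per port blocks MAC address table overflow
 ! and limits MAC spoofing; a violation err-disables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ! IP Source Guard: only packets matching the host's DHCP binding are forwarded.
 ip verify source
 ! A host port never carries a bridge: a received BPDU (STP manipulation) shuts it.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! AAA: switch logins are authenticated, authorised and accounted via TACACS+
! (the AAA server sits in Vlan40); the local user is the fallback only.
aaa new-model
tacacs-server host 10.40.0.10 key PLACEHOLDER-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
line vty 0 4
 transport input ssh
```

Verify the result with `show port-security interface FastEthernet0/1`, `show ip dhcp snooping binding` and `show ip verify source`, which list the learned MAC, the recorded DHCP bindings and the active source-guard filters respectively.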
Front Page
Contents Page
Introduction
Acknowledgements
Chapter 1: What is a LAN?
Chapter 2: What is Network Security?
Chapter 3: LAN Security Threats
Chapter 4: LAN Security Devices
Chapter 5: Benefits of a Secured Wired LAN
Chapter 6: LAN Security Technologies
Chapter 7: Secured Wired LAN Topology
Chapter 8: Testing and Analysis
Chapter 9: Conclusions
References & Bibliography
Appendix A: Project Plans & System Models
Appendix B: Test Plans & Results
Appendix C: Project Proposal
Carroll, B. (2004) Cisco Access Control Security: AAA Administration
Services, Cisco Press, 2nd rev. ed.
Hucaby, D. (2005) Cisco ASA and PIX Firewall Handbook, Cisco Press.
Behringer, M.H. (2005) MPLS VPN Security, Cisco Press.
Lewis, W. (2008) LAN Switching and Wireless Companion Guide.
CCNA Fundamentals of Network Security Companion Guide, Cisco Press (REF 2)
Secured LAN topology: Cisco library images (REF 1)
http://www.referenceforbusiness.com/small/Inc-Mail/Local-AreaNetworks-LANS.html (accessed 12/03/11)
http://www.sans.org/top-cyber-security-risks/ (accessed 20/03/11)
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1046651 (accessed 04/04/2011)
http://flylib.com/books/2/464/1/html/2/images/1587052091/graphics/08fig14.gif (accessed 05/04/11)
http://compnetworking.about.com/library/graphics/basics_osimodel.jpg (accessed 25/03/11)
http://www.orbit-computer-solutions.com (accessed 30/03/11)
http://www.i1u.net/images/web/PAT.gif (accessed 09/03/11)
http://ptgmedia.pearsoncmg.com/images/0131014684/samplechapter/0131014684_ch02.pdf (accessed 02/03/11)
http://www.cisco.com/warp/public/cc/so/neso/sqso/roi1_wp.pdf (accessed 10/03/11)
http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/ch5_EttF.html#wp1031600 (accessed 19/03/11)