Talk given by Xavier Campos, of D-Link, at the Gira Summer of Security 2009, on network security at the switching level.
Technet S.O.S: Secure Network with D-Link Switches
Xavier Campos, Product Manager SP & PT
[email protected], 14 July 2009
Challenges of Today's Networks
(Diagram: Firewall, Server Farm, Core Switch and access Switches; problems marked on the network: Loop Connection, IP Conflict, ARP, Worms)
• Service unstable
• Performance downgrade
• Low manageability
• Security breach: ARP Spoofing, Unauthorized Access, Worm infection within the Intranet
Endpoint Security Solutions of xStack Switches
• Authentication
• Authorization
• Node/Address Control
• Attack Mitigation
• Microsoft NAP Server
Problem: Unauthorized Access
• Traditionally, security censorship takes place at the perimeter
• Intranet users can connect to the network without authorization
• Lack of proper control on the RJ45 socket outlet
• A client can easily go anywhere without authorization
• Lack of proper control for wireless users
(Diagram: Financial Server, ERP System and R&D Server reachable by a Malicious User, a Guest and an Employee; outcomes: Information Leakage, Hacking Incident. "Everyone can connect to your network without authorization!!!!")
Solution for Unauthorized Access
• D-Link's Solution 1:
– 802.1X Authentication
– Web-based Access Control (WAC) [Captive Portal]
• When to use?
– To perform user authentication and realize user identity control
– The clients must be authenticated based on user login information, regardless of the user's location or device.
• Benefit:
– Mobility: users get their designated privilege no matter where they are or which device they use
– Clientless: easy to deploy, easy to use (WAC)
– Better Security Management: the security control is pushed to the edge; all clients must be authenticated before entering the network
Solution for Unauthorized Access
• D-Link's Solution 2:
– MAC-based Access Control (MAC)
• When to use?
– For VoIP phones, printers, routers, IP cameras and AP devices which have no web browser, or on which an 802.1X supplicant can't be installed.
– Stricter control for end-user devices. Especially suitable for campus networks, the public sector, or enterprises that need device control.
• All clients are authenticated automatically and granted a specific role on the network
• Benefit:
– Clientless: easy to deploy, totally transparent to clients
– Device Management: only legitimate devices are allowed to connect to the network
Endpoint Security Solutions of xStack Switches
• Authentication
• Authorization
• Node/Address Control
• Attack Mitigation
• Microsoft NAP Server
Requirement: Authorization by User's Identity
The network is under granular control by segregating the traffic!
(Diagram: Financial server, ERP system and R&D server; user groups Sales, Accounting, RD and Guest)
• RD dep. is granted access to the R&D server and the Internet only
• Sales dep. is granted access to the ERP system and the Internet only
• Guest users can only connect to the Internet
• Accounting dep. is granted access to the Financial server and ERP system only

Solution for Authorization by User's Identity
• D-Link's Solution:
– Dynamic VLAN Assignment
– Guest VLAN (restricted network access)
– Client Attribute Designation
• Bandwidth control per port / per flow
• 802.1p priority (default value per port)
• ACL that delivers user identity control as a set of services *
(Diagram: the RADIUS server returns the bandwidth parameter, the 802.1p priority parameter and the ACL to the switch)
• Client attributes can be designated by the RADIUS server after successful authentication
• The identity-based security policies provide appropriate access rights for different users
* Under development
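Dynamic VLAN assignment works because the RADIUS server hands the switch tunnel attributes in its Access-Accept. The Python below is an added example, not D-Link or Microsoft code: it parses the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes the way an 802.1X authenticator would and decides which VLAN the port gets, falling back to the Guest VLAN when authentication fails or the answer is unusable. The attribute numbers and values are the standard ones; the sample Access-Accept bytes, the Guest VLAN ID of 1 and the VLAN 20 assignment are constructed. The bandwidth, 802.1p and ACL attributes mentioned on the slide are vendor-specific and not modelled here.

```python
"""Derive the VLAN a switch should place an authenticated port in from the
attributes of a RADIUS Access-Accept, falling back to the Guest VLAN."""

# RFC 2868 / RFC 3580 attribute numbers used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type value meaning "802"

GUEST_VLAN = 1                 # assumed Guest VLAN ID for this example


def parse_attributes(payload: bytes):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value: bytes):
    """RFC 2868: a leading byte <= 0x1F is a tag, otherwise the value is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(accepted: bool, payload: bytes) -> int:
    """Return the VLAN ID the port should be moved to.

    A failed authentication, or an Access-Accept without a consistent
    VLAN triple (same tag on all three attributes), lands the port in the
    Guest VLAN, i.e. restricted access.
    """
    if not accepted:
        return GUEST_VLAN
    per_tag = {}
    for atype, value in parse_attributes(payload):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = split_tag(value)
        slot = per_tag.setdefault(tag, {})
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            slot[atype] = body.decode("ascii", errors="replace")
        else:
            if len(body) != 3:
                raise ValueError("tunnel integer must be 3 bytes after the tag")
            slot[atype] = int.from_bytes(body, "big")
    for _tag, slot in sorted(per_tag.items()):
        if (slot.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and slot.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and slot.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            vid = int(slot[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return GUEST_VLAN


def tunnel_attr(atype: int, tag: int, body: bytes) -> bytes:
    """Encode one tagged tunnel attribute (used only to build the samples below)."""
    value = bytes([tag]) + body
    return bytes([atype, 2 + len(value)]) + value


# Constructed sample: what an NPS/RADIUS server could return for a user in the
# RD group that should be placed in VLAN 20.
SAMPLE_ACCEPT = (
    tunnel_attr(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"20")
)
# Constructed sample whose Tunnel-Type is not "VLAN": the switch cannot use it.
SAMPLE_NON_VLAN = (
    tunnel_attr(TUNNEL_TYPE, 1, (1).to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"20")
)

if __name__ == "__main__":
    print("RD user      ->", vlan_from_access_accept(True, SAMPLE_ACCEPT))
    print("auth failed  ->", vlan_from_access_accept(False, b""))
    print("non-VLAN type->", vlan_from_access_accept(True, SAMPLE_NON_VLAN))
```

The parser insists that the three attributes carry the same tag, which is what RFC 2868 requires; a switch that silently ignored the tag could be talked into a VLAN from a mismatched set of attributes, so treating anything inconsistent as "Guest VLAN" is the safe default.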
Endpoint Security Solutions of xStack Switches
• Authentication
• Authorization
• Node/Address Control
• Attack Mitigation
• Microsoft NAP Server
Problem: Loop Connection
• Users connect their own switches and cause loops, unintentionally or on purpose
• A loop can cause a packet storm and overwhelm the whole system
(Diagram: a loop between two switches producing a packet storm)

Solution for Loop Connection
• D-Link's Solution: Loopback Detection (LBD v4.0)
– STP (Spanning Tree Protocol) independent
• Unmanaged switches usually do not have a Spanning Tree Protocol function
• D-Link's design can detect loop connections even when STP is absent
– Flexible settings for loop prevention: port-based or VLAN-based
1. Port-based LBD: the port is shut down, no traffic is allowed
2. VLAN-based LBD: block the traffic of the VLAN where the loop occurs without shutting down the trunk port
(Diagram: VLANs V1 and V2 on a trunk; PC1 and PC2; a loop in one of the VLANs)
Loopback Detection Scenario
(Diagram: INTERNET, gateway 192.168.0.1/24, switch 192.168.0.2/24 and two clients; a loop occurs on the client side and Loopback Detection reacts)
Switch configuration:
    enable loopdetect
    config loopdetect recover_timer 60 interval 10 mode port-based
    config loopdetect trap both
    config loopdetect ports 1-10 state enable
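To make the two LBD modes and the recovery timer concrete, the Python below is an added example, not D-Link firmware: the switch sends a probe frame carrying its own MAC and the source port per (port, VLAN); a probe that comes back in on any port proves a loop. Port-based mode shuts that port for `recover_timer` seconds, VLAN-based mode only blocks the looping VLAN on the port. The wiring (an unmanaged switch plugged into two ports, and a loop inside VLAN 1 behind a trunk) is constructed; the 60 s timer and 10 s interval are the values from the configuration above.

```python
"""Simulation of switch loopback detection (LBD) in port-based and VLAN-based
mode, including the recovery timer. Illustrative model, not D-Link firmware."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Probe:
    switch_mac: str
    src_port: int
    vlan: int


@dataclass
class LBDSwitch:
    mac: str
    ports: dict                      # port -> set of VLAN ids carried on it
    mode: str = "port-based"         # or "vlan-based"
    recover_timer: int = 60          # seconds a port stays shut after a loop
    interval: int = 10               # seconds between probe rounds
    disabled_ports: dict = field(default_factory=dict)  # port -> seconds left
    blocked_vlans: dict = field(default_factory=dict)   # port -> set of VLANs
    events: list = field(default_factory=list)

    def emit_probes(self):
        """One probe per (port, VLAN) on every port that is not shut down."""
        return [Probe(self.mac, p, v)
                for p, vlans in self.ports.items()
                if p not in self.disabled_ports
                for v in vlans]

    def receive(self, probe, ingress_port):
        """A probe with our own MAC coming back in means a loop exists."""
        if probe.switch_mac != self.mac:
            return                       # somebody else's probe: ignore
        if self.mode == "port-based":
            if ingress_port not in self.disabled_ports:
                self.disabled_ports[ingress_port] = self.recover_timer
                self.events.append(f"loop on port {ingress_port}: port shut down")
        else:
            blocked = self.blocked_vlans.setdefault(ingress_port, set())
            if probe.vlan not in blocked:
                blocked.add(probe.vlan)
                self.events.append(
                    f"loop in VLAN {probe.vlan} on port {ingress_port}: "
                    "VLAN blocked, port stays up")

    def forward_allowed(self, port, vlan):
        return (port not in self.disabled_ports
                and vlan not in self.blocked_vlans.get(port, set()))

    def tick(self, seconds):
        """Advance the recovery timers; expired ports are re-enabled and re-probed."""
        for port in list(self.disabled_ports):
            self.disabled_ports[port] -= seconds
            if self.disabled_ports[port] <= 0:
                del self.disabled_ports[port]
                self.events.append(f"port {port} re-enabled after recovery timer")


def run_cycle(switch, loops):
    """One detection interval. `loops` lists (out_port, in_port, vlans): the
    external wiring reflects a probe sent out of out_port back into in_port if
    its VLAN is in `vlans` (an unmanaged switch floods every VLAN it sees)."""
    for probe in switch.emit_probes():
        for out_port, in_port, vlans in loops:
            if probe.src_port == out_port and probe.vlan in vlans:
                switch.receive(probe, in_port)
    return switch.events


def port_based_demo():
    """Constructed wiring: an unmanaged switch is plugged into ports 2 and 3."""
    sw = LBDSwitch("00-11-22-33-44-55", {1: {1}, 2: {1}, 3: {1}},
                   mode="port-based", recover_timer=60, interval=10)
    run_cycle(sw, [(2, 3, {1}), (3, 2, {1})])
    shut_after_detection = sorted(sw.disabled_ports)
    sw.tick(60)                      # recovery timer expires
    return shut_after_detection, sorted(sw.disabled_ports)


def vlan_based_demo():
    """Constructed wiring: trunk port 5 carries VLANs 1 and 2; only VLAN 1 loops."""
    sw = LBDSwitch("00-11-22-33-44-55", {5: {1, 2}}, mode="vlan-based")
    run_cycle(sw, [(5, 5, {1})])
    return sw.forward_allowed(5, 1), sw.forward_allowed(5, 2)


if __name__ == "__main__":
    print("port-based:", port_based_demo())
    print("vlan-based:", vlan_based_demo())
```

In port-based mode both ports touching the loop are shut, which is what an operator sees on a real switch when two cables of the same unmanaged box land on it; after the recovery timer they are re-enabled and probed again, so a loop that is still there is shut again on the next interval.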
Problem: IP Management
• Auditing Problem
Current auditing mechanisms, for example syslog, application logs, firewall logs, etc., are mainly based on IP information. The log information is meaningless if the IP can be changed by the users without control.
• IP Conflict Problem
IP conflict is the most common problem in today's networks, because sometimes users change the IP address manually and conflict with other resources, such as other users' PCs, core switches, routers or servers.
(Diagram: 192.168.1.1 at 00E0-0211-1111 and 192.168.1.2 at 00E0-0211-2222; a third host, 00E0-0211-3333, is also configured as 192.168.1.1: IP Conflict and Auditing Problem)
Solution for IP Management
• D-Link's Solution 1: IMP (IP-MAC-Port) Binding v3 (DHCP Snooping)
– IMP Binding v3 automatically learns the IP and MAC address pairs and saves them into the local database.
– Only traffic whose addresses match an entry in the White List can pass through the port.
(Diagram: IMP Binding v3 enabled; addresses assigned by DHCP)
Address Learning / White List:
    IP            MAC             Port
    192.168.1.1   00E0-0211-1111  Port1   (host A, assigned by DHCP)
    192.168.1.2   00E0-0211-2222  Port2   (host B, assigned by DHCP)
Host C (192.168.1.1, 00E0-0211-3333, IP manually configured by the user) has no White List entry and cannot pass.
Problem & Solution: Rogue DHCP Server
• Problem: users set up their own DHCP server
• Impact:
– Incorrect IP assignment
– Disturbed network connectivity
• D-Link's Solution: DHCP Server Screening
– Screen rogue DHCP server packets from user ports to prevent unauthorized IP assignment
(Diagram: the legitimate DHCP Server performs the normal DHCP assignment for PC1 and PC2; a Rogue DHCP Server announcing "I'm DHCP Server" has its DHCP server packets dropped: "Sorry, you're illegal")
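The IMPB v3 white list and DHCP Server Screening are two checks on the same switch: server-side DHCP messages are only accepted from trusted ports, leases seen in forwarded DHCP ACKs populate the IP-MAC-Port table, and on IMPB ports only traffic matching that table passes. The Python below is an added example, not D-Link firmware, that models both checks; the DHCP server on port 24, its address and the lease scenario (hosts A and B by DHCP, host C with a manually set address, a rogue server on port 3) are constructed, reusing the addresses from the slides.

```python
"""Model of IP-MAC-Port Binding learned through DHCP snooping, plus DHCP
Server Screening on untrusted user ports. Illustrative, not switch firmware."""
from dataclasses import dataclass

DHCP_SERVER_PORT = 67   # server -> client DHCP messages use UDP source port 67
DHCP_CLIENT_PORT = 68   # client -> server DHCP messages use UDP source port 68


@dataclass(frozen=True)
class Packet:
    ingress_port: int
    src_mac: str
    src_ip: str
    udp_sport: int = 0      # 0 = not a DHCP packet in this model
    dhcp_op: str = ""       # "OFFER" or "ACK" for server messages
    yiaddr: str = ""        # address the server assigns (DHCP yiaddr)
    chaddr: str = ""        # client hardware address in the DHCP message


class ImpbSwitch:
    def __init__(self, trusted_ports, binding_ports):
        self.trusted_ports = set(trusted_ports)   # ports facing the real DHCP server
        self.binding_ports = set(binding_ports)   # user ports with IMPB enabled
        self.white_list = {}                      # (ip, mac) -> port
        self.log = []

    def ingress(self, pkt):
        """Return True if the frame is forwarded, False if it is dropped."""
        if pkt.udp_sport == DHCP_SERVER_PORT:
            # DHCP Server Screening: server messages only from trusted ports
            if pkt.ingress_port not in self.trusted_ports:
                self.log.append(f"rogue DHCP server {pkt.src_ip} on port "
                                f"{pkt.ingress_port}: dropped")
                return False
            return True
        if pkt.udp_sport == DHCP_CLIENT_PORT:
            # forward_dhcppkt: a client may talk to the server before it has a binding
            return True
        if pkt.ingress_port in self.binding_ports:
            # IMPB: the IP/MAC/port triple must be in the learned white list
            if self.white_list.get((pkt.src_ip, pkt.src_mac)) != pkt.ingress_port:
                self.log.append(f"{pkt.src_ip} {pkt.src_mac} on port "
                                f"{pkt.ingress_port}: not in white list, dropped")
                return False
        return True

    def snoop_server_reply(self, pkt, client_port):
        """Address learning: a forwarded DHCP ACK leaving towards client_port
        binds the assigned IP and the client MAC to that port."""
        if pkt.dhcp_op == "ACK":
            self.white_list[(pkt.yiaddr, pkt.chaddr)] = client_port
            self.log.append(f"learned {pkt.yiaddr} {pkt.chaddr} port {client_port}")


def demo():
    """Constructed scenario: A and B obtain leases, C sets its IP by hand."""
    sw = ImpbSwitch(trusted_ports={24}, binding_ports={1, 2, 3})
    server_ip, server_mac = "192.168.1.254", "00E0-0211-00FF"   # constructed
    leases = [(1, "00E0-0211-1111", "192.168.1.1"),
              (2, "00E0-0211-2222", "192.168.1.2")]
    for port, mac, ip in leases:
        sw.ingress(Packet(port, mac, "0.0.0.0", udp_sport=DHCP_CLIENT_PORT))
        ack = Packet(24, server_mac, server_ip, udp_sport=DHCP_SERVER_PORT,
                     dhcp_op="ACK", yiaddr=ip, chaddr=mac)
        if sw.ingress(ack):
            sw.snoop_server_reply(ack, port)
    # A user starts a DHCP server on port 3 and answers A's next request
    rogue_offer = Packet(3, "00E0-0211-3333", "192.168.1.250",
                         udp_sport=DHCP_SERVER_PORT, dhcp_op="OFFER",
                         yiaddr="192.168.1.77", chaddr="00E0-0211-1111")
    return {
        "A": sw.ingress(Packet(1, "00E0-0211-1111", "192.168.1.1")),
        "B": sw.ingress(Packet(2, "00E0-0211-2222", "192.168.1.2")),
        "C_manual_ip": sw.ingress(Packet(3, "00E0-0211-3333", "192.168.1.1")),
        "A_moved_to_port3": sw.ingress(Packet(3, "00E0-0211-1111", "192.168.1.1")),
        "rogue_dhcp": sw.ingress(rogue_offer),
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:18s} {'forwarded' if forwarded else 'dropped'}")
```

The `A_moved_to_port3` case is why the binding includes the port: a correct IP/MAC pair presented on a different port is still dropped, which is what stops a user from cloning a neighbour's addresses to get past the list. The log entries are what the `trap_log` option on a real switch would turn into SNMP traps and syslog lines.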
Endpoint Security Solutions of xStack Switches
• Authentication
• Authorization
• Node/Address Control
• Attack Mitigation
• Microsoft NAP Server
Problem: ARP Spoofing Attack
• What is ARP Spoofing?
– Hackers use faked ARP carrying wrong MAC/IP information to cheat network devices
(Diagram: PC, Hacker and Router; the hacker broadcasts a spoofed MAC address so that the PC learns "Router MAC = attacker MAC")
• How does ARP Spoofing attack networks?
ARP spoofing as DoS:
– Popular in Internet cafés
– The hacker supplants a server or a router, or cheats the clients into going to a non-existing router
– The inter-subnet connection and the Internet access of the whole network will be impacted.
Man in the middle:
– Popular in business environments
– The hacker cheats the victim PC that it is the router
– The hacker cheats the router that it is the victim
– All the traffic will be sniffed by the hacker and the users will never know
Solution for ARP Spoofing Attack
• D-Link's Solution: IP-MAC-Port Binding
– Establish the database of the relationship between IP, MAC and port
– The switch blocks the illegal access immediately once a mismatched ARP packet is found.
Binding table:
    IP   MAC   Port
    R    r     26
    A    a     2
    B    b     12
    C    c     16
    ...
(Diagram: Router IP R / MAC r; PC-A IP A / MAC a; PC-B IP B / MAC b; PC-C IP C / MAC c. PC-C sends the faked ARP "I'm PC-A" (IP A, MAC c) and "I'm Router" (IP R, MAC c); the switch answers "You're not PC-A" / "You're not Router" and drops them)
Solution for ARP Spoofing Attack
• D-Link's Solution: ARP Spoofing Prevention
– An effective way to protect your router & servers
– Simpler setup than IMPB and consumes fewer ACL rules
– Users can input the IP and MAC of the router or important servers
– The switch compares all inbound ARP packets against the configured MAC and IP
– Used to block invalid ARP packets which contain a fake gateway MAC and IP
Protected addresses:
    IP   MAC
    R    r
    S    s
(Diagram: Router IP R / MAC r; Server IP S / MAC s; PC-A, PC-B and PC-C as before. PC-C sends the faked ARP "I'm Router" (IP R, MAC c) and the switch answers "You're not Router")
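The two ARP defences on the last two slides differ in what they check. The Python below is an added example, not D-Link firmware, that implements both as pure functions over the slides' own tables (letters R, A, B, C for IPs and r, a, b, c for MACs, ports 26, 2, 12 and 16): IMPB ARP inspection requires the sender IP/MAC pair to be bound to the ingress port, while ARP Spoofing Prevention only looks at ARP packets that claim a protected IP and requires the configured MAC and an ingress port where that device really sits. That reading of the `ports` argument of `config arp_spoofing_prevention` (the router sits on port 26 here) is an assumption.

```python
"""ARP inspection against the IP-MAC-Port binding table (IMPB) and the lighter
ARP Spoofing Prevention check that only guards configured gateway and server
addresses. Illustrative model of the two checks, not D-Link firmware."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: int
    sender_ip: str
    sender_mac: str
    opcode: int = 2       # 1 = request, 2 = reply; both carry sender IP/MAC


def arp_inspection(arp, bindings):
    """IMPB ARP inspection: the sender IP/MAC pair must be bound to the ingress port."""
    return bindings.get((arp.sender_ip, arp.sender_mac)) == arp.ingress_port


def arp_spoofing_prevention(arp, protected, device_ports):
    """Only ARP packets claiming a protected IP are checked: they must carry the
    configured MAC and arrive on a port where that device is connected.
    (Assumed semantics of the 'ports' argument of config arp_spoofing_prevention.)"""
    expected_mac = protected.get(arp.sender_ip)
    if expected_mac is None:
        return True                      # not a protected address: not our concern
    return arp.sender_mac == expected_mac and arp.ingress_port in device_ports


# Constructed tables using the letters from the slides
BINDINGS = {("R", "r"): 26, ("A", "a"): 2, ("B", "b"): 12, ("C", "c"): 16}
PROTECTED = {"R": "r", "S": "s"}        # router and server entered by the admin
DEVICE_PORTS = {26}                     # where the router actually sits


def demo():
    """Per constructed ARP packet: (passes IMPB inspection, passes spoofing prevention)."""
    cases = {
        "router_genuine": ArpPacket(26, "R", "r"),
        "pc_a_genuine": ArpPacket(2, "A", "a"),
        "pc_c_genuine": ArpPacket(16, "C", "c"),
        "pc_c_claims_pc_a": ArpPacket(16, "A", "c"),       # "I'm PC-A"
        "pc_c_claims_router": ArpPacket(16, "R", "c"),     # "I'm Router"
        "router_mac_on_user_port": ArpPacket(16, "R", "r"),
    }
    return {name: (arp_inspection(p, BINDINGS),
                   arp_spoofing_prevention(p, PROTECTED, DEVICE_PORTS))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (impb_ok, asp_ok) in demo().items():
        print(f"{name:26s} IMPB={'pass' if impb_ok else 'drop'}  "
              f"ASP={'pass' if asp_ok else 'drop'}")
```

The `pc_c_claims_pc_a` row is the trade-off the slide describes: ARP Spoofing Prevention lets that packet through because PC-A is not a configured router or server, so it is cheaper to set up but only protects the addresses you entered, whereas IMPB drops it because every host has a binding. The last row shows why the port belongs in the rule: a packet with the correct router MAC coming in on a user port is still rejected.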
MITM Attack Scenario
(Diagram: INTERNET, Router DIR-655, switch, then hacker, client and Public FTP Server; the hacker performs an ARP scan followed by ARP Poison Routing (APR) between the client and the FTP server)
FTP Server user account: technet, Password: SOS
Router DIR-655 (192.168.0.1), MAC: 00-1E-58-41-4C-E3
Switch: 192.168.0.2, GW: 192.168.0.1
PC 1 (Victim): IP 192.168.0.10, Default Gateway 192.168.0.1, MAC 00:15:58:2A:EF:0A
Sniffer PC: IP 192.168.0.11 20 (Spoofed), MAC 00-15-58-2A-E8-BD
Switch configuration:
    config address_binding ip_mac ports 1-6,8-10 mode acl
    config address_binding ip_mac ports 1-6,8-10 state enable strict
    config address_binding ip_mac ports 1-10 forward_dhcppkt enable
    create address_binding ip_mac ipaddr 192.168.0.10 mac_address 00-15-58-2A-EF-0A ports 1-10
    create address_binding ip_mac ipaddr 192.168.0.11 mac_address 00-15-58-2A-E8-BD ports 1-10
    enable address_binding trap_log
    enable address_binding arp_inspection
    config arp_spoofing_prevention add gateway_ip 192.168.0.1 gateway_mac 00-1E-58-41-4C-E3 ports 7
Endpoint Security Solutions of xStack Switches
• Authentication
• Authorization
• Node/Address Control
• Attack Mitigation
• Microsoft NAP Server
Microsoft NAP Support
• Advantage of Network Access Protection
– Authorized users may access systems from authorized endpoints
– Network Access Protection
• Evaluating security compliance before the connection is permitted
• Quarantine and remediation for non-compliant users
• Identity-based network admission control
– Automatic endpoint remediation
• Enforce policy before access is granted
• Execute updates, programs, software services, etc.
NAP Illustration
(Diagram: Client, xStack Series Switches and Microsoft Network Policy Server, with System Health Servers, a Remediation Server, the Restricted Network and the Corporate Network)
1. Client → NPS: "May I have access? Here's my current health status"
2. NPS → System Health Servers: "Should this client be restricted based on its health?"
3. System Health Servers → NPS: "According to policy, the client is not up to date. Quarantine client and request it to update."
4. NPS → Client: "You are given restricted access until fix-up."
5. Client → Remediation Server: "Can I have updates?"; Remediation Server → Client: "Here you go"
6. Client → NPS: "Requesting access. Here's my new health status"
7. System Health Servers → NPS: "According to policy, the client is up to date"; NPS: "Grant access!!!"
8. Client is granted access to the full intranet
(Ongoing policy updates flow to the NPS Policy Server)
NAP 802.1X Flow Chart
1. Enable port-based 802.1X with Guest VLAN on the xStack Switch
2. 802.1X Authentication: on failure the client stays in the Guest VLAN; on success continue with the Policy Compliance Check
3. Policy Compliance Check: compliant → the client is assigned to the Compliance VLAN; not compliant → the client is assigned to the Non-compliance VLAN for remediation
4. Once the remediation process is completed, the client is authenticated again (back to step 2)
5. If the client compliance status or the company policy changes, the flow returns to step 2
Necessary Policies in the 802.1X NAP Scenario
• There are three types of policies that should be configured under Network Policy Server, which is a component within Microsoft Windows Server 2008.
– Connection Request Policy
• This policy determines which connection requests are acceptable.
• In the 802.1X NAP scenario, only connection requests coming from the xStack Switch are acceptable.
– Health Policy
• The System Health Validator (SHV) determines which elements are needed when validating health status, such as firewall status, anti-virus status, anti-spyware status and so on.
• The Health Policy adopts SHVs to determine which criteria are healthy; passing all the SHV checks is considered healthy.
– Network Policy
• The Network Policy determines which action is going to be taken based on the health status.
How to Implement NAP
• Microsoft Active Directory
– Install Active Directory Certificate Services
• Microsoft Windows Server 2008
– Install Network Policy Server (the new version of the RADIUS server)
– Configure the RADIUS settings, correlated with the xStack switch
– Configure policies, rules and actions:
• Connection Request Policy
• Health Policy (System Health Validator)
• Network Policy
• Microsoft Windows Vista or XP SP3 with NAP client
– Enable the NAP client enforcement feature
• D-Link xStack DES-3500, DES-3800, DGS-3200, DGS-3400 or DGS-3600 Series
– Configure the RADIUS settings, correlated with Windows 2008
– Enable port-based 802.1X with Guest VLAN
NAP Server Scenario
(Diagram: INTERNET, gateway 192.168.0.1/24, switch 192.168.0.2/24 managed by the Administrator, Authentication Server (Windows Server 2008) 192.168.0.3/24, client 192.168.0.14/24)

NAP 802.1X Scenario
SW IP: 192.168.0.2/24
Client: 192.168.0.14/24
AD / NPS / RADIUS Server: 192.168.0.3/24
VLANs: Guest VLAN, VLAN 2, VLAN 3
The client is put in the Guest VLAN originally. If it complies with all requirements, the port the client connects to is moved to the Compliance VLAN (VLAN 2 in the example). Otherwise, the port is put in VLAN 3 and waits for remediation. After remediation, the port is authenticated again and moved to VLAN 2.
Before remediation: client in the NoCumple VLAN, VID 3
After remediation: client in the Cumple VLAN, VID 2
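The flow chart and the scenario above (Guest VLAN first, then VLAN 2 or VLAN 3 depending on the health check, re-authentication after remediation, and re-evaluation when the policy changes) can be written down as a small port state machine. The Python below is an added example, not D-Link or Microsoft code: the three SHV checks, the health reports and the "stale antivirus" client are assumed; the VLAN IDs and the Cumple / NoCumple names are the ones used in the configuration on this page.

```python
"""Port state machine for the 802.1X + NAP flow: Guest VLAN, authentication,
health check, Compliance VLAN (2) or Non-compliance VLAN (3), remediation and
re-authentication. Illustrative model, not NPS or switch code."""

GUEST_VLAN = "default"       # guest VLAN name used in the page's configuration
COMPLIANT_VLAN = 2           # "Cumple"
NONCOMPLIANT_VLAN = 3        # "NoCumple"

# Assumed set of SHV checks the Health Policy requires; a client's health
# report is modelled as the set of checks it currently passes.
REQUIRED_CHECKS = {"firewall_on", "antivirus_current", "antispyware_current"}


def health_policy(health_report):
    """Health Policy: passing every SHV check counts as healthy."""
    return REQUIRED_CHECKS <= set(health_report)


class NapPort:
    def __init__(self):
        self.vlan = GUEST_VLAN
        self.authenticated = False
        self.history = [GUEST_VLAN]      # every VLAN the port has been placed in

    def _move(self, vlan):
        self.vlan = vlan
        self.history.append(vlan)

    def authenticate(self, credentials_valid, health_report):
        """802.1X exchange with the health report inside it; the Network Policy
        maps the result to the VLAN the switch is told to assign."""
        if not credentials_valid:
            self.authenticated = False
            if self.vlan != GUEST_VLAN:
                self._move(GUEST_VLAN)
            return self.vlan
        self.authenticated = True
        compliant = health_policy(health_report)
        self._move(COMPLIANT_VLAN if compliant else NONCOMPLIANT_VLAN)
        return self.vlan

    def remediate(self, health_report, fixes):
        """The client pulls updates from the remediation server, which is only
        reachable from VLAN 3, then authenticates again with its new report."""
        if self.vlan != NONCOMPLIANT_VLAN:
            raise RuntimeError("remediation server is reachable only from VLAN 3")
        new_report = set(health_report) | set(fixes)
        return self.authenticate(True, new_report), new_report


def demo():
    """Constructed walk-through: valid user, antivirus signatures out of date."""
    port = NapPort()
    report = {"firewall_on", "antispyware_current"}
    port.authenticate(True, report)                      # -> VLAN 3
    _vlan, report = port.remediate(report, {"antivirus_current"})   # -> VLAN 2
    # Later the firewall is switched off; the next re-authentication re-checks
    port.authenticate(True, report - {"firewall_on"})    # -> VLAN 3 again
    return port.history


if __name__ == "__main__":
    print("VLAN history:", demo())
```

The port, not the client, is what changes VLAN, which matches the page's wording ("the port connecting the client is moved"): anything else plugged into the same socket inherits the decision until the next re-authentication, one reason the flow re-checks compliance whenever status or policy changes.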
DGS-3200-10 Configuration
    # 802.1X commands
    enable 802.1x
    config 802.1x auth_mode port_based
    config 802.1x capability ports 1-4 authenticator
    config 802.1x capability ports 5-10 none
    # Set up RADIUS
    config radius add 1 192.168.0.3 key secreto default
    # Create two VLANs: one for Cumple (VLAN 2), another for NoCumple (VLAN 3)
    config vlan default delete 7-8
    create vlan Cumple tag 2
    config vlan Cumple add untag 7
    create vlan NoCumple tag 3
    config vlan NoCumple add untag 8
    # Configure the System IP address
    config ipif System ipaddress 192.168.0.2/24 vlan default state enable
    # Guest VLAN configuration
    create 802.1x guest_vlan default
    config 802.1x guest_vlan ports 1-4 state enable
Network Access Protection - Resources
• Network Access Protection Web site
– http://technet.microsoft.com/zh-tw/network/bb545879(en-us).aspx
• Introduction to Network Access Protection
– http://www.microsoft.com/technet/network/nap/napoverview.mspx
• Network Access Protection Platform Architecture
– http://www.microsoft.com/technet/network/nap/naparch.mspx
• Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
– http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
• Network Access Protection: Frequently Asked Questions
– http://www.microsoft.com/technet/network/nap/napfaq.mspx
• Network Access Protection - TechNet Forums
– http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads/
http://www.dlink.es
ftp://213.27.252.114 (User: technet, Password: SOS)