[SOS 2009] D-Link: Red Segura L2 L3

Technet S.O.S Red Segura con Switches D-Link D- Xavier Campos Product Manager SP & PT xavier.campos@dlink.es Barcelona, 14 de Julio de 2009 D-Link

Challenges of Today’s Networks Firewall Service unstable Server Core Switch Farm Loop Switch Connection Switch Security breach Switch Performance downgrade IP Low manageability Conflict Worm s ARP Spoofing Unauthorized Access Worm infection within Intranet

Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Attack Mitigation • Microsoft NAP Server

Problem: Unauthorized Access • Traditionally security censorship takes place at perimeter • Intranet users can connect to network without authorization Financial Information ERP Server Leakage System Employee Everyone can connect Malicious to your network without authorization！ User Guest R&D Hackin g Server Incident • Lack of proper control on the RJ45 socket outlet • Lack of proper control for the wireless users • Client can easily go anywhere without authorization

Solution for Unauthorized Access • D-Link’s Solution 1: 802.1x Authentication Web-based Access Control (WAC) [Captive Portal] • When to use ? Perform user authentication to realize the user identity control The clients must be authenticated based on user login information, regardless of the user’s location or device. • Benefit : Mobility : User can get their designated privilege no matter where they are, or the devices they use Clientless: Easy to deploy, easy to use (WAC) Better Security Management: Pushing the security control to the edge, all the clients must be authenticated before entering the network

Solution for Unauthorized Access • D-Link’s Solution 2: MAC-based Access Control (MAC) • When to use ? For VoIP phone, printer, router, IP camera, AP devices which doesn’t have web browser, or 802.1x supplicant can’t be installed. Stricter control for end user devices. Specially suitable for campus network, public sector, or enterprises that need device control. • All the clients are authenticated automatically and granted a specific role to the network • Benefit : Clientless: Easy to deploy. Totally transparent to clients Device Management: Only allow legitimate devices to connect to the network

Requirement: Authorization by user’s identity The network is under granular control by segregating the traffic! Financial ERP server system RD Accounting Sales R&D server • RD dep. is granted to access R&D server and internet only Guest • Accounting dep. is granted to access Financial server and ERP system only • Sales dep. is granted to access ERP system and internet only • Guest users can only connect to Internet

Solution for Authorization by user’s identity • D-Link’s Solution: Dynamic VLAN Assignment Guest VLAN (Restricted network access) Client Attribute Designation • Bandwidth control per port / per flow • 802.1p priority (default value per port) • ACL that delivers user identity control as set of services * Radius Server Bandwidth parameter 802.1p priority parameter ACL Client attributes can be designated by the Radius server after successful authentication • The identity-based security policies provide appropriate access right for different users * Under development

Endpoint Security Solutions of xStack Switches • Authentication • Authorization • Node/Address Control • Attack mitigation • Microsoft NAP Server

Problem: Loop Connection • Users connect their own switches and cause loop unintentionally or purposely • The loop can cause packet storm and overwhelm the whole system Packet Storm Loop

Solution for Loop Connection • D-Link’s Solution: Loopback Detection ( LBD v4.0 ) STP (Spanning Tree Protocol) Independent • Unmanaged switches usually do not have Spanning Tree Protocol function • D-Link’s design can detect loop connections even when STP is absent Flexible Settings for Loop Prevention • Port-based or • VLAN-based V1 V2 V1 V2 PC1 Loop Loop PC2 1. Port-based LBD 2. VLAN-based LBD - Port shut down, no traffic is allowed - Block the traffic from the loop happening VLAN without shutting down the trunking port.

Loopback Detection Scenario enable loopdetect config loopdetect recover_timer 60 interval 10 mode port-based INTERNET config loopdetect trap both config loopdetect ports 1-10 state enable 192.168.0.1/24 192.168.0.2/24 Loopback Detection client client Loop Occurred

Problem: IP Management • Auditing Problem Current auditing mechanisms, for example, syslog, application log, firewall log, etc, are mainly based on IP information. The log information is meaningless if the IP can be changed by the users without control. • IP Conflict Problem IP conflict is the most popular problem in today’s networks, cause sometimes users change the IP address manually and conflict with other resources, such as others’ PCs, core switches, routers or servers. Auditing IP Conflict Problem 192.168.1.1 00E0-0211-1111 192.168.1.2 00E0-0211-2222 192.168.1.1 IP Conflict 00E0-0211-3333

Solution for IP Management • D-Link’s solution 1: IMP (IP-MAC-Port) Binding v3 (DHCP Snooping) IMP Binding v3 will automatically learn the IP and MAC address pairs and save them into the local Database. Only the traffic with right address match in the White List can pass through the port IMP Binding v3 Enabled A 192.168.1.1 00E0-0211-1111 Assigned by DHCP B 192.168.1.2 00E0-0211-2222 192.168.1.1 C 00E0-0211-3333 Address Learning ( IP is Manually configured by user ) White List 192.168.1.1 00E0-0211-1111 Port1 192.168.1.2 00E0-0211-2222 Port2

Problem & Solution – Rogue DHCP Server • Problem: Users set up their own DHCP server • Impact: Incorrect IP assignment Disturb network connectivity • D-Link’s solution: DHCP Server Screening Screen rogue DHCP server packets from user ports to prevent unauthorized IP assignment DHCP Server Normal DHCP assignment Sorry, you’re illegal DHCP Server Packet I’m DHCP Server PC1 Rogue DHCP Server PC2

Problem: ARP Spoofing Attack • What is ARP Spoofing? Hackers use faked ARP carrying the wrong MAC/IP information to cheat network Router PC MAC = “attacker MAC” address devices • How ARP Spoofing attacks the networks? ARP spoofing as DoS: Popular in Internet Café Hacker supplants a server or a router, or cheats the clients to go to a non-existing router The inter subnet connection and internet access of whole network will be impacted. Server Man in the middle: Popular in business environment Hacker Hacker cheats the victim PC that it is a Broadcast spoofed router PC MAC adress Router MAC = “attacker MAC” address Hacker cheats the router that it is the victim All the traffic will be sniffed by the hacker and users will never know

Solution for ARP Spoofing Attack • D-Link’s Solution: IP-MAC-Port Binding Establish the database of the relationship between the IP, MAC and port Switch blocks the illegal access immediately once the mismatched ARP packet is found. Router IP MAC Port IP: R R r 26 A a 2 MAC: r B b 12 C c 16 You’re not Router You’re not PC-A … … Faked ARP R IP: A I’m Router I’m PC-A MAC: c PC-A PC-B PC-C IP: A IP: B IP: C MAC: a MAC: b MAC: c

Solution for ARP Spoofing Attack • D-Link’s Solution: ARP Spoofing Prevention An effective way to protect your router & servers Simpler setup than IMPB and consumes fewer ACL rules Users can input the IP and MAC of the Router or important Servers Switch will compare all inbound ARP Packets against configured MAC and IP Used to block the invalid ARP packets which contain fake gateway’s MAC and IP Router IP MAC R r IP: R S s MAC: r You’re not Router Server IP: S MAC: s Faked ARP IP: R I’m Router MAC: c PC-A PC-B PC-C IP: A IP: B IP: C MAC: a MAC: b MAC: c

MITM Attack Scenario INTERNET ARP Scan Public FTP Server 192.168.0.1/24 ARP Poison Routing (APR) 192.168.0.2/24 FTP Server Cuenta Usuario: technet client Password: SOS hacker

MITM Attack Scenario Router DIR-655 (192.168.0.1) MAC: 00-1E-58-41-4C-E3 Switch: 192.168.0.2 GW: 192.168.0.1 PC 1 ( Victim ) Sniffer PC IP: 192.168.0.10 IP: 192.168.0.11 20 (Spoofed) Default Gateway: 192.168.0.1 MAC : 00-15-58-2A-E8-BD MAC : 00:15:58:2A:EF:0A config address_binding ip_mac ports 1-6,8-10 mode acl config address_binding ip_mac ports 1-6,8-10 state enable config address_binding ip_mac ports 1-6,8-10 state enable strict config address_binding ip_mac ports 1-10 forward_dhcppkt enable create address_binding ip_mac ipaddr 192.168.0.10 mac_address 00-15-58-2A-EF-0A ports 1-10 create address_binding ip_mac ipaddr 192.168.0.11 mac_address 00-15-58-2A-E8-BD ports 1-10 enable address_binding trap_log enable address_binding arp_inspection config arp_spoofing_prevention add gateway_ip 192.168.0.1 gateway_mac 00-1E-58-41-4C-E3 ports 7

Microsoft NAP Support • Advantage of Network Access Protection Authorized users may access systems from authorized endpoints Network Access Protection • Evaluating security compliance before connection permitted • Quarantine and remediation for non-compliance user • Identity-based network admission control Automatic endpoint remediation • Enforce policy before access is granted • Execute updates, programs, software services, etc.

NAP Illustration Corporate Network System Health Servers Restricted Network Remediation Server Ongoing policy updates to NPS Policy Server Can I have updates? Here you go May I have access. Requesting access? Should this client be restricted Here’s my new current based on its health? health status According to policy, the client You are given xStack Series is not to date up up to date. Quarantine Microsoft Network restricted access Switches client and request it to Policy Server until fix-up. Grant access!!! update. Client Client is granted access to full intranet

NAP 802.1X Flow Chart Enable port-based 802.1X with Guest VLAN on xStack Switch 802.1X Fai Client stays in Ye Authentication l Guest VLAN s Remediation If client compliance status or process completed company policy is changed Success Client is assigned to Not Compliant Policy Compliance Compliant Compliance VLAN Client is assigned to Non-compliance VLAN Check for remediation

Necessary Policies in 802.1X NAP Scenario • There are 3 type of polices should be configured under Network Policy Server, which is a component within Microsoft Windows Server 2008. – Connection Request Policy • This policy determines which connection request is acceptable. • In 802.1X NAP scenario, only connection requesting from xStack Switch is acceptable. – Health Policy • System Health Validator (SHV) determines which element is needed when validating health status, such like: firewall status, anti-virus status, anti-spyware status and so on. • Health Policy adopts SHVs to determine which criteria is healthy, passing all the SHV checks is considered healthy. – Network Policy • Network Policy determines which action is going to take based on the health status.

How to implement NAP • Microsoft Active Directory – Install Active Directory Certificate Services • Microsoft Windows Server 2008 – Install Network Policy Server (new version RADIUS server) – Configure RADIUS setting, correlated with xStack – Configure polices, rules and actions • Connection Request Policy • Health Policy ( System Health Validator ) • Network Policy • Microsoft Windows Vista or XP SP3 with NAP client – Enable NAP client enforcement feature • D-Link xStack DES-3500, DES-3800, DGS-3200, DGS-3400 or DGS-3600 Series – Configure RADIUS setting, correlated with Windows 2008 – Enable Port-based 802.1X with Guest VLAN

NAP Server Scenario INTERNET 192.168.0.1/24 192.168.0.2/24 Administrator 192.168.0.3/24 client Authentication Server 192.168.0.14/24 (Windows Server 2008)

NAP 802.1X Scenario SW IP : 192.168.0.2/24 Guest VLAN VLAN 2 Client: 192.168.0.14/24 VLAN 3 AD/ NPS/Radius Server 192.168.0.3/24 The client is put in Guest VLAN originally. If it comply all requirement, the port connecting by the client will be transfer to Compliance VLAN (VLAN 2 in the example). Otherwise, the port is put in VLAN 3 and wait for remediation. After remediation, the port will be authenticated again and transfer to VLAN 2. Before remediation Client in NoCumple VLAN VID3 After remediation Client in Cumple VLAN VID2

DGS-3200-10 Configuration # 8021X Command enable 802.1x config 802.1x auth_mode port_based config 802.1x capability ports 1-4 authenticator config 802.1x capability ports 5-10 none # Setup Radius config radius add 1 192.168.0.3 key secreto default # Create two VLANs. One for Cumple (VLAN 2), another for NoCumple (VLAN 3) config vlan default delete 7-8 create vlan Cumple tag 2 con vlan Cumple add untag 7 create vlan Nocumple tag 3 con vlan NoCumple add untag 8 # Config System IP address config ipif System ipaddress 192.168.0.2/24 vlan default state enable # Guest VLAN configuration create 802.1x guest_vlan default config 802.1x guest_vlan ports 1-4 state enable

Network Access Protection - Resources • Network Access Protection Web site – http://technet.microsoft.com/zh-tw/network/bb545879(en-us).aspx • Introduction to Network Access Protection – http://www.microsoft.com/technet/network/nap/napoverview.mspx • Network Access Protection Platform Architecture – http://www.microsoft.com/technet/network/nap/naparch.mspx • Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab – http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb- bba2-07605eff0608&displaylang=en • Network Access Protection: Frequently Asked Questions – http://www.microsoft.com/technet/network/nap/napfaq.mspx • Network Access Protection - TechNet Forums – http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads/

http://www.dlink.es ftp://213.27.252.114 User: technet Password: SOS

http://www.elladodelmal.com	217
http://elladodelmal.blogspot.com	108
http://www.slideshare.net	5

[SOS 2009] D-Link: Red Segura L2 L3

by Chema Alonso

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 330

Statistics

[SOS 2009] D-Link: Red Segura L2 L3 Presentation Transcript