Module Objectives
Module Title: LAN Security Concepts
Module Objective: Explain how vulnerabilities compromise LAN security
Endpoint Security: Explain how to use endpoint security to mitigate attacks, focusing on various methods for securing endpoints against the evolving landscape of threats.
Access Control: Explain how AAA (Authentication, Authorization, Accounting) and the 802.1X protocol are used to authenticate LAN endpoints and devices, including methods of enforcement and the implications of weak access control mechanisms.
Layer 2 Security Threats: Identify common vulnerabilities at Layer 2, detailing the potential impact of each vulnerability on the overall security of the network.
MAC Address Table Attack: Explain how a MAC address table attack compromises LAN security, including the mechanics of the attack and the consequences of its execution on network operations.
LAN Attacks: Explain how various LAN attacks can compromise network security, categorizing them and providing examples of real-world implications.
10.1 Endpoint Security
Network Attacks Today
Frequent reports indicate that enterprise networks are under continuous threat, emphasizing the importance of robust security measures to protect against potential breaches.
Common Types:
Distributed Denial of Service (DDoS): Coordinated attacks designed to overwhelm network resources, rendering services unavailable to users, which can have serious reputational and monetary consequences.
Data Breach: Instances involving unauthorized access to critical and sensitive information, often leading to legal penalties and loss of consumer trust.
Malware: Malicious software that damages or disrupts operations, with significant variants including ransomware attacks, such as WannaCry, which encrypts user data and holds it hostage until a ransom is paid.
Network Security Devices
Essential components necessary for safeguarding the network perimeter include:
VPN Router: Establishes a secure connection for remote users, ensuring data transmission is encrypted and private.
Next-Generation Firewall (NGFW): Beyond basic filtering, this firewall provides stateful inspection, application awareness, and advanced malware protection, crucial for modern threats.
Network Access Control (NAC): Implements stringent access policies and integrates AAA services to enforce security compliance across devices connecting to the network.
Endpoint Protection
Endpoints, including laptops, desktops, servers, and IP phones, are particularly vulnerable to malware threats that often infiltrate through emails and web browsing activities.
Effective endpoint protection must encompass a multifaceted approach, which combines:
NAC to regulate and monitor device access.
Advanced Malware Protection (AMP) software that provides comprehensive visibility and control over threats.
Email Security Appliance (ESA) that safeguards against phishing and malware-laden emails.
Web Security Appliance (WSA) that protects organizations from web-based threats with enhanced malware detection capabilities and content filtering.
Cisco Email Security Appliance (ESA)
Monitors SMTP traffic and is updated in real-time to block known threats, remediate malware, and prevent data loss through data leakage prevention mechanisms.
Cisco Web Security Appliance (WSA)
Secures organizations from web-based threats, combining advanced malware detection with web traffic control so that administrators can manage what users access.
10.2 Access Control
Authentication with Local Passwords
A basic method of securing device access through local user accounts, offering simplicity but presenting significant limitations in scalability and redundancy, particularly in larger environments.
AAA Components
AAA encapsulates the core principles governing network access:
Authentication: Verifies who can access the network or services, critical for establishing trust.
Authorization: Determines what authenticated users are permitted to do, ensuring appropriate resource access levels.
Accounting: Involves tracking user actions and device interactions for auditing and troubleshooting purposes, essential for compliance and security evaluations.
AAA Authentication Methods
Two primary approaches are recognized:
Local AAA: Utilizes usernames and passwords stored within the device for networks of limited size.
Server-Based AAA: Employs centralized management using protocols such as RADIUS or TACACS+ for larger networks, facilitating efficient user and device management.
Authorization and Accounting
Authorization is the automatic assignment of a user's privileges once authentication succeeds. Accounting then logs session data to record what the user did, which is crucial for auditing and for recovery after errors or breaches.
802.1X Protocol
A port-based access control mechanism that restricts unauthorized devices on a LAN via an authentication server, playing a pivotal role in network security by enforcing stringent access controls.
Roles include:
Client (Supplicant): The device requesting network access, needing valid credentials.
Switch (Authenticator): Functions as a mediator, facilitating the communication between the client and the authentication server.
Authentication Server: Validates the client's identity and grants or denies access based on predefined policies.
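The following added example, which is not part of the module, models the three 802.1X roles in Python: the authenticator port refuses ordinary frames until the authentication server accepts the supplicant's credentials. Port names, the credential store and the password check are constructed stand-ins for a real EAP exchange over RADIUS.

```python
from dataclasses import dataclass, field

# Constructed credential store on the authentication server (RADIUS in practice).
SERVER_CREDENTIALS = {"alice": "correct-horse", "printer-7": "lp-secret"}


class AuthenticationServer:
    """Validates the credentials the authenticator relays from the supplicant."""

    def __init__(self, credentials):
        self._credentials = credentials

    def authenticate(self, identity, secret):
        # Real servers run an EAP method over RADIUS; a dictionary lookup stands in here.
        return self._credentials.get(identity) == secret


@dataclass
class AuthenticatorPort:
    """Switch port in the authenticator role: unauthorized until the server accepts."""
    name: str
    server: AuthenticationServer
    authorized: bool = False
    log: list = field(default_factory=list)

    def receive_eapol(self, identity, secret):
        """EAPOL is the only traffic an unauthorized port accepts; relay it to the server."""
        self.authorized = self.server.authenticate(identity, secret)
        state = "authorized" if self.authorized else "unauthorized"
        self.log.append(f"{self.name}: {identity} -> port {state}")
        return self.authorized

    def receive_data_frame(self, frame):
        """Ordinary frames are forwarded only while the port is authorized."""
        action = "forwarded" if self.authorized else "dropped"
        self.log.append(f"{self.name}: {action} {frame!r}")
        return self.authorized


def demo():
    """Supplicant on Fa0/1 tries to send data, fails once, then authenticates."""
    port = AuthenticatorPort("Fa0/1", AuthenticationServer(SERVER_CREDENTIALS))
    before = port.receive_data_frame("HTTP GET")         # dropped: not yet authenticated
    bad = port.receive_eapol("alice", "wrong-password")  # rejected, port stays unauthorized
    good = port.receive_eapol("alice", "correct-horse")  # accepted, port authorized
    after = port.receive_data_frame("HTTP GET")          # forwarded
    return before, bad, good, after
```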
10.3 Layer 2 Security Threats
Vulnerabilities
A compromise at Layer 2 undermines every higher layer, because the upper-layer protocols depend on the integrity of the frames that carry them.
Common attack types include:
MAC Table Attacks: Disrupt communication by overwhelming switches with fake MAC addresses.
VLAN Attacks: Exploit misconfigurations to access traffic on different VLANs.
DHCP Attacks: Malicious activities aimed at undermining the DHCP process.
ARP Attacks: Manipulation of ARP requests to redirect traffic or perform MITM (Man-in-the-Middle) attacks.
Spoofing Attacks: Involve impersonating a device to gain unauthorized access.
STP Attacks: Target Spanning Tree Protocol to create loops or disrupt network stability.
Switch Attack Mitigation Techniques
Switches defend against these attacks with features such as:
Port Security: Limits MAC address learning, helping to prevent unauthorized device connections.
DHCP Snooping: Protects against malicious DHCP server attacks by allowing only trusted sources.
Dynamic ARP Inspection (DAI): Mitigates ARP spoofing attacks by ensuring only valid ARP requests are processed.
IP Source Guard (IPSG): Prevents address spoofing by filtering out incorrect IP-MAC address pairings.
10.4 MAC Address Table Attack
Switch Operations
Switches maintain MAC address tables derived from the source MAC addresses of frames to ensure efficient data forwarding.
MAC Address Table Flooding
In this attack, a malicious actor floods the switch with frames from a large number of bogus source MAC addresses until the MAC address table is full. The switch can then no longer learn legitimate addresses and floods frames to unknown destinations out every port in the VLAN, a storm of traffic that compromises the confidentiality of inter-device communication within the LAN or VLAN.
Mitigation Strategies
Implementing port security allows network operators to restrict the number of MAC addresses that can be learned, effectively protecting against flooding attacks and maintaining network integrity.
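The added example below (not from the module) models a switch MAC address table and shows both the flooding attack described in Switch Operations and MAC Address Table Flooding and the effect of a port-security maximum. The table size, port names and MAC addresses are constructed, and the model starts from an empty table, as it would after legitimate entries have aged out.

```python
from collections import defaultdict

ALL_PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]          # constructed; Fa0/3 is the attacker's port
HOST_A, HOST_B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed legitimate hosts


class Switch:
    """Tiny switch: learns source MACs, forwards known destinations, floods unknown ones."""

    def __init__(self, table_size, port_security=None):
        self.table_size = table_size                 # CAM capacity (tiny, for the demo)
        self.mac_table = {}                          # MAC -> port
        self.port_security = port_security or {}     # port -> maximum MACs allowed
        self.learned_per_port = defaultdict(set)
        self.err_disabled = set()                    # ports shut down after a violation

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the set of ports it is sent out of."""
        if in_port in self.err_disabled:
            return set()
        limit = self.port_security.get(in_port)
        seen = self.learned_per_port[in_port]
        if limit is not None and src_mac not in seen and len(seen) >= limit:
            self.err_disabled.add(in_port)           # violation mode 'shutdown'
            return set()
        if src_mac not in self.mac_table and len(self.mac_table) < self.table_size:
            self.mac_table[src_mac] = in_port        # a full table learns nothing new
            seen.add(src_mac)
        if dst_mac in self.mac_table:
            return {self.mac_table[dst_mac]}         # known destination: one port
        return set(ALL_PORTS) - {in_port} - self.err_disabled   # unknown: flood


def run(port_security=None):
    """Flood the table from Fa0/3, then see where a legitimate A -> B frame goes."""
    sw = Switch(table_size=8, port_security=port_security)
    for i in range(100):                             # 100 bogus source MACs
        sw.receive("Fa0/3", f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive("Fa0/1", HOST_A, HOST_B)              # A's first frame
    sw.receive("Fa0/2", HOST_B, HOST_A)              # B's reply
    egress = sw.receive("Fa0/1", HOST_A, HOST_B)
    return egress, "Fa0/3" in sw.err_disabled


if __name__ == "__main__":
    print("no port security:", run())                # A -> B flooded, attacker port included
    print("maximum 1 on Fa0/3:", run({"Fa0/3": 1}))  # A -> B unicast to Fa0/2 only
```

Without port security the A -> B frame is flooded to the attacker's port; with a maximum of one address on Fa0/3 the port is err-disabled after the second bogus source and the legitimate traffic stays unicast.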
10.5 LAN Attacks
VLAN Hopping Attacks
In these attacks, an attacker manipulates VLAN configuration to see traffic on other VLANs without passing through a router, which can expose sensitive data and bypass the security controls in place.
VLAN Double-Tagging Attacks
In this technique the attacker's frame carries two 802.1Q tags, one inside the other. The first switch strips the outer tag and forwards the frame on the inner tag, so the traffic reaches a VLAN the attacker was never assigned to.
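As an added example (not part of the module), the following Python parses the 802.1Q tag stack of an Ethernet frame and flags a double-tagged frame, noting whether its outer tag matches the trunk's native VLAN, which is the condition the technique depends on. The frames it checks are constructed inline.

```python
import struct

TPID_8021Q = 0x8100                                   # EtherType that announces an 802.1Q tag


def vlan_tags(frame: bytes):
    """Return the VLAN IDs in a frame's 802.1Q tag stack, outermost first."""
    tags, offset = [], 12                             # skip destination and source MAC
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)                     # PCP and DEI occupy the top 4 bits
        offset += 4
    return tags


def build_frame(vlan_ids, payload=b"\x00" * 46):
    """Constructed frame: broadcast dst, made-up src, tag stack, IPv4 EtherType, payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("0a0b0c0d0e0f")
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid)
    return frame + struct.pack("!H", 0x0800) + payload


def inspect_ingress(frame, native_vlan):
    """Classify a frame seen on a host-facing port; a monitor would alert on a double tag."""
    tags = vlan_tags(frame)
    if len(tags) < 2:
        return ("untagged" if not tags else "single-tagged", tags, False)
    # A double tag only lands on the inner VLAN when the outer tag is the trunk's
    # native VLAN, which the first switch strips because native traffic is sent untagged.
    # That is why an unused native VLAN (and tagging native-VLAN frames on trunks) helps.
    return ("double-tagged", tags, tags[0] == native_vlan)


if __name__ == "__main__":
    print(inspect_ingress(build_frame([1, 20]), native_vlan=1))    # outer tag is native VLAN 1
    print(inspect_ingress(build_frame([1, 20]), native_vlan=999))  # native VLAN moved; no match
```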
DHCP Attacks
These attacks manifest in various forms:
DHCP Starvation: Where the attacker leases all available IP addresses, effectively denying service to legitimate users.
DHCP Spoofing: A rogue DHCP server is introduced into the network and hands out false IP configuration parameters that can disrupt connectivity and expose sensitive data.
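The added example below (not from the module) models how DHCP snooping builds its binding table and how Dynamic ARP Inspection and IP Source Guard, from the mitigation list in 10.3, consult it; it also shows a rogue DHCP offer and a starvation attempt from the list above being stopped. The trusted port, addresses and rate limit are constructed values.

```python
from collections import defaultdict

class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)      # uplink toward the legitimate DHCP server
        self.rate_limit = rate_limit           # DHCP messages allowed per untrusted port
        self.pending = {}                      # client MAC -> port that sent DISCOVER/REQUEST
        self.bindings = {}                     # client MAC -> (ip, port), learned from ACKs
        self.dhcp_seen = defaultdict(int)
        self.err_disabled = set()

    def dhcp(self, port, kind, client_mac, ip=None):
        """Return 'forwarded' or a drop reason for one DHCP message."""
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        if kind in ("OFFER", "ACK"):                       # server-side messages
            if port not in self.trusted:
                return "dropped: server message on untrusted port"   # rogue server
            if kind == "ACK" and client_mac in self.pending:
                self.bindings[client_mac] = (ip, self.pending[client_mac])
            return "forwarded"
        if port not in self.trusted:                       # DISCOVER/REQUEST from a client
            self.dhcp_seen[port] += 1
            if self.dhcp_seen[port] > self.rate_limit:     # starvation: too many requests
                self.err_disabled.add(port)
                return "dropped: rate limit exceeded, port err-disabled"
        self.pending[client_mac] = port
        return "forwarded"

    def _ok(self, port, mac, ip):
        return port in self.trusted or self.bindings.get(mac) == (ip, port)

    def arp_reply(self, port, sender_mac, sender_ip):     # Dynamic ARP Inspection
        return "forwarded" if self._ok(port, sender_mac, sender_ip) else "dropped: DAI"

    def ip_packet(self, port, src_mac, src_ip):           # IP Source Guard
        return "forwarded" if self._ok(port, src_mac, src_ip) else "dropped: IPSG"

def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=5)   # constructed topology
    client = "aa:aa:aa:00:00:01"                                  # constructed client MAC
    sw.dhcp("Fa0/1", "DISCOVER", client)
    rogue = sw.dhcp("Fa0/2", "OFFER", client, "10.0.0.99")        # rogue server on Fa0/2
    sw.dhcp("Gi0/1", "ACK", client, "10.0.0.10")                  # real server via uplink
    spoof = sw.arp_reply("Fa0/2", client, "10.0.0.10")            # Fa0/2 claims client's IP
    legit = sw.arp_reply("Fa0/1", client, "10.0.0.10")
    ipsg = sw.ip_packet("Fa0/1", client, "10.0.0.200")            # client uses a wrong IP
    for i in range(6):                                            # starvation attempt on Fa0/3
        last = sw.dhcp("Fa0/3", "DISCOVER", f"de:ad:be:ef:00:{i:02x}")
    return rogue, spoof, legit, ipsg, last
```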
10.6 Module Practice and Quiz
Key Takeaways
Endpoints are inherently vulnerable to various forms of malware and require a comprehensive strategy of protective measures to strengthen security.
The AAA framework is fundamental for maintaining robust network access controls.
Awareness of Layer 2 attack types is crucial, and organizations must develop and implement effective mitigative strategies to prevent potential breaches.
New Terms and Commands
Terms such as Data Breach, Malware, NGFW, AAA, ISE, HIPS, ESA, WSA, DHCP Snooping, among others, are critical to understand. Familiarity and proper implementation of these concepts are vital to strengthen an organization's security posture and response capabilities.