Securing network infrastructures: meshed topographies simultaneously preserve security and accessibility. (Storage Networking).


Over the past six years, malicious Internet attacks on corporate networks have increased 87%. This alarming growth in unauthorized network access shows that the original goal of creating shared, open infrastructures was not accompanied by an equally strong commitment to network security.

Let's take a pragmatic look at network security, while focusing on preventing network violations at the access point and discussing some practical recovery options.

Growing Security Threats

In the past, external security breaches represented a small percentage of violations, with most coming from within the network. From 1996 to 2001, the source of network attacks shifted from internal to external violations.

While the number of intrusions by hackers has increased, internal security breaches, often by disgruntled employees, still represent the greatest number of computer crimes. Over the last two years, growth in the technology industry has slowed dramatically, resulting in large-scale layoffs. This, in turn, has made corporate networks the target of many disgruntled employees. In 2001, for example, technology and manufacturing companies reported $151 million in intellectual property theft, accounting for 41% of the losses related to computer crimes.

But Internet crimes are not just about stealing intellectual property; they can also disrupt network service. A healthy network depends on specific services (bandwidth, disk space, CPU cycles, and transmission of data to other computers and networks) to function properly. If these core infrastructure services are compromised on a corporate network, where thousands of clients may rely on them, it is possible to bring business to a screeching halt, resulting in millions of dollars in lost productivity.

Although there is no way to ensure 100% security, most experts agree that a comprehensive approach to network security can go a long way toward safeguarding your infrastructure. The simplest, most effective way to guard against network violations is to control network access at the edge.

Prevention

The two key ways to avoid network breaches are to prevent unauthorized access to the LAN and to restrict access to the network devices themselves. Let's look at LAN access first.

Network Access Control: Preventing unauthorized access to a network is vital to keeping it secure. Access for authorized persons should be easy; uncontrolled access by unauthorized persons should not.

Access to the core infrastructure of the network can easily be gained through devices at the edge. The wide deployment of Internet access points in public areas, such as campuses, airports and hotels, presents a virtual breeding ground for hackers. Networks are often deployed in a manner that allows clients to use their services without presenting credentials or proof of identity. A network switch in an open, easily accessible area is vulnerable to unauthorized clients, which can connect to any unused port.

To prevent such network violations, you must know who is accessing your network and what areas are being accessed. Authentication is the process used to ensure that the person trying to access the network is actually who he or she claims to be.

Authentication: Port-based access control (IEEE 802.1X) is a networking standard intended to secure switch port access by requiring the client to authenticate itself before being granted access to the network. By blocking the port until the client has been authenticated, port-based access control stops communication at the switch port level: data cannot pass through the switch and onto the LAN until the client's identity has been verified.

Implementing this protocol on all edge switches offers three main benefits: 1) clients can be recognized and granted access rights from wherever they log on; in a campus environment, this allows for mobile, secure LAN access as a client travels with his or her laptop to different buildings; 2) clients are given specific access rights to services on the network; 3) a port can be dynamically assigned to a VLAN based on the user profile.

Standard 802.1X can be implemented in the switch on a stand-alone basis using a local client name/password database, but administering 802.1X across multiple switches is much more efficient with a Remote Authentication Dial-In User Service (RADIUS) server. A RADIUS server simplifies the implementation and management of network security at the switch level by maintaining the master database of all user profiles. Since the authentication parameters for a client remain the same regardless of how it attaches to the network, a RADIUS server can provide one set of credentials and policy for a client whether it connects through an 802.1X switch port, an 802.11 wireless link or a remote dial-up modem connection. By addressing the security needs of mobile environments, this approach maximizes productivity.

Standard 802.1X is basically a challenge/response handshake. It relies on the exchange of Extensible Authentication Protocol (EAP) messages, carried over the LAN as EAP over LAN (EAPOL) frames, between the client and the authenticator over a point-to-point link.

To understand how 802.1X works in a campus environment, imagine a typical dorm room where an open switch port connects the resident to the local network. In that room lives Bob, who wants to download his mid-term results from his professor's website. Here's how the process works:

1 The switch notices a state change in the port and blocks access to the LAN.

2 Bob initiates a request for access.

3 The switch issues an identification challenge.

4 Using the 802.1X client (supplicant) software installed on Bob's PC, the client responds with the proper identification reply.

5 The switch forwards the reply to the RADIUS server with a request for authentication. From this point on, the switch merely relays the exchange and waits for an EAP success frame.

6 RADIUS server issues an authentication challenge.

7 The supplicant forwards its credentials.

8 If the credentials are accepted, the RADIUS server passes the EAP success message back through the switch. Once the switch sees the success message, it opens the port and allows the client access to the LAN.
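The eight-step exchange above, worked as an added example in Python that is not part of the original article and not HP ProCurve code. It models the supplicant, the switch port (authenticator) and the RADIUS server as three classes and uses EAP-MD5 (RFC 3748 section 5.4, the CHAP construction MD5(Identifier || password || Challenge)) as the challenge method. The user database, the password and the port name "A1" are constructed for the example, and the RADIUS transport itself (shared secret, Access-Request packets) is left out so that only the EAP conversation and the port's open/blocked state remain.

```python
# Added example: a minimal 802.1X exchange with EAP-MD5. The supplicant, the
# switch port (authenticator) and the RADIUS server are modelled as classes.
# Illustrative code, not HP ProCurve firmware; the user database and the port
# name "A1" are constructed for the example.
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes and types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


@dataclass
class Eap:
    code: int
    ident: int          # one-octet Identifier; a Response must echo its Request's
    eap_type: int = 0
    data: bytes = b""


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 s5.4, same as CHAP): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """The 802.1X client software on Bob's PC."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password.encode()

    def respond(self, req: Eap) -> Eap:
        if req.eap_type == EAP_TYPE_IDENTITY:            # step 4: "I am bob"
            return Eap(EAP_RESPONSE, req.ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if req.eap_type == EAP_TYPE_MD5:                 # step 7: prove it
            challenge = req.data[1:1 + req.data[0]]      # data = size || challenge || name
            value = md5_response(req.ident, self.password, challenge)
            return Eap(EAP_RESPONSE, req.ident, EAP_TYPE_MD5,
                       bytes([len(value)]) + value + self.identity.encode())
        raise ValueError("unsupported EAP type")


class RadiusServer:
    """Master user database. Answers each relayed EAP Response with an
    Access-Challenge (EAP-Request) or Access-Accept/Reject (EAP-Success/Failure)."""
    def __init__(self, users: dict):
        self.users = users          # identity -> password
        self.pending = {}           # port -> (identity, ident, challenge)

    def handle(self, port: str, resp: Eap) -> Eap:
        if resp.eap_type == EAP_TYPE_IDENTITY:           # step 6: challenge the user
            identity, challenge = resp.data.decode(), os.urandom(16)
            ident = (resp.ident + 1) & 0xFF
            self.pending[port] = (identity, ident, challenge)
            return Eap(EAP_REQUEST, ident, EAP_TYPE_MD5, bytes([16]) + challenge)
        identity, ident, challenge = self.pending.pop(port)   # step 8: verify
        password = self.users.get(identity)
        got = resp.data[1:1 + resp.data[0]]
        ok = (password is not None and resp.ident == ident
              and hmac.compare_digest(got, md5_response(ident, password.encode(), challenge)))
        return Eap(EAP_SUCCESS if ok else EAP_FAILURE, resp.ident)


class SwitchPort:
    """Authenticator: relays EAP between client and RADIUS and opens the port
    to the LAN only after seeing EAP-Success."""
    def __init__(self, name: str, radius: RadiusServer):
        self.name, self.radius, self.authorized = name, radius, False

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.authorized = False                          # step 1: link up, port blocked
        req = Eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)     # step 3: identity request
        while True:
            resp = supplicant.respond(req)
            reply = self.radius.handle(self.name, resp)  # step 5: relay, then just watch
            if reply.code == EAP_REQUEST:
                req = reply                              # Access-Challenge: pass it on
                continue
            self.authorized = reply.code == EAP_SUCCESS  # only EAP-Success opens the port
            return self.authorized


USERS = {"bob": "midterms-2002"}   # constructed sample database


def demo():
    """Bob with the right password gets the port opened; a wrong password does not."""
    port = SwitchPort("A1", RadiusServer(USERS))
    good = port.authenticate(Supplicant("bob", "midterms-2002"))
    bad = port.authenticate(Supplicant("bob", "wrong-guess"))
    return good, bad


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The switch never sees the password, only the MD5 response and the final EAP-Success or EAP-Failure, which is exactly why one RADIUS server can hold the master database for every edge switch.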

Unauthenticated use: The 802.1X standard was developed to provide a secure, dedicated connection for a single client directly attached to a single switch port, and the specification states as much. But what happens when it is used in a shared environment? Using the example of our college student again, Bob could easily plug a hub into the switch port and share his network access with friends. Once Bob logs on to the network, his pals can simply plug into the hub and piggyback on Bob's access rights.

To avoid this type of access abuse, HP Procurve switches provide an added layer of security with HP Procurve port security. Port security uses a MAC address lock-down scheme to deny port access to any device that is not registered to that port. Simply put, a MAC address is assigned to a specific switch port and only the device with that MAC address can transmit data over the port. By restricting the port to authorized MAC addresses, piggybacking on a valid user's rights through a hub is avoided.

Additionally, this feature can be configured so that the first MAC address learned on the switch port is automatically locked down and no others are accepted. Because only 802.1X-authenticated users are allowed port access to the switch in the first place, the address learned is the authenticated client's, so no authorized user is locked out. Bear in mind that the lock is keyed to a MAC address, which a second device on the hub can copy once it has seen Bob's frames; port security raises the bar for casual piggybacking rather than ruling it out.

Authorization: Authentication is a vital first step in network security. But to continue to protect the network once a client has already gained access, the services that client accesses should be based on need.

One way to restrict access rights is through the use of VLANs, which ensure that clients with common access rights can communicate easily with each other but cannot stray into other VLANs. For example, in a campus environment, the network manager may want to keep students out of the administration VLAN. A client profile typically contains the client's identification and access rights. Using authorization through 802.1X, you can limit network access based on the client profile.

Let's look again at Bob, who is only allowed to talk to other clients within the same VLAN. The exchange between the RADIUS server and Bob would look like this:

* The RADIUS server looks up Bob in its database and identifies which VLAN Bob belongs to.

* The switch then uses this information to enforce Bob's access rights.

Guest authorization: The ability to work anytime, anywhere is greatly encouraged by the use of mobile devices. Adding a guest user to a network is not a trivial event, especially in a large corporate environment, and it creates some obvious security risks. One problem is how to securely offer Internet services to unauthenticated guests without giving them access to the internal LAN. The Procurve lab team developed a way to offer Internet services to unauthenticated users while segmenting them from the rest of the LAN.

To do this, the network administrator can create a special "guest VLAN." In this scenario, rather than denying any data exchanges when an unauthenticated client attempts to log onto the network, the client is granted "guest" status with the ability to communicate with the Internet, but without access to the LAN.
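What the port enforces once the RADIUS decision is in, drawn together from the port security, VLAN authorization and guest VLAN sections above, as an added example in Python (not ProCurve code, and not from the article). The profile table stands in for the RADIUS user database; the VLAN numbers, identities, passwords and MAC addresses are constructed for the example.

```python
# Added example, not ProCurve code: one switch port's access policy.
# An unauthenticated client lands in a guest VLAN with Internet-only
# reachability; an authenticated client is moved to the VLAN named in its
# profile; port security locks the port to the first MAC address learned so a
# friend's PC behind a hub is dropped. All values below are constructed.
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

GUEST_VLAN = 100                               # Internet only, no internal LAN
LAN_VLANS = {"students": 10, "admin": 20}
# identity -> (password, VLAN name); stands in for the RADIUS user database
PROFILES = {"bob": ("midterms-2002", "students"), "dean": ("s3cret-2002", "admin")}


@dataclass
class Port:
    name: str
    authorized: bool = False
    vlan: int = GUEST_VLAN
    locked_mac: Optional[str] = None
    violations: List[str] = field(default_factory=list)

    def link_up(self) -> None:
        """State change on the port: unauthorized, guest VLAN, no MAC lock yet."""
        self.authorized, self.vlan, self.locked_mac = False, GUEST_VLAN, None

    def authenticate(self, mac: str, identity: str, password: str) -> bool:
        """RADIUS accepts -> VLAN from the profile, and lock the port to this MAC."""
        profile = PROFILES.get(identity)
        if profile is None or not hmac.compare_digest(profile[0].encode(), password.encode()):
            return False
        self.authorized = True
        self.vlan = LAN_VLANS[profile[1]]      # dynamic VLAN assignment from the user profile
        self.locked_mac = mac                  # port security: first MAC learned is locked down
        return True

    def ingress(self, src_mac: str) -> bool:
        """Port-security check on every frame entering the port."""
        if self.locked_mac is not None and src_mac.lower() != self.locked_mac.lower():
            self.violations.append(src_mac)    # a piggybacker behind Bob's hub
            return False
        return True

    def can_reach(self, destination: str) -> bool:
        """'internet' is reachable from any VLAN, guest included; an internal
        VLAN only once the port has been authenticated into that same VLAN."""
        if destination == "internet":
            return True
        return self.authorized and LAN_VLANS.get(destination) == self.vlan


def demo() -> dict:
    """Bob's dorm port: guest status, then authentication, then a friend on the hub."""
    port = Port("A1")
    port.link_up()
    guest = {"students": port.can_reach("students"), "internet": port.can_reach("internet")}
    accepted = port.authenticate("00-11-22-33-44-55", "bob", "midterms-2002")
    bob_frame = port.ingress("00-11-22-33-44-55")
    friend_frame = port.ingress("00-aa-bb-cc-dd-ee")   # plugged into Bob's hub
    return {"guest_before": guest, "accepted": accepted, "vlan": port.vlan,
            "bob_frame": bob_frame, "friend_frame": friend_frame,
            "admin_reachable": port.can_reach("admin"),
            "students_reachable": port.can_reach("students"),
            "violations": list(port.violations)}


if __name__ == "__main__":
    print(demo())
```

The violation list is what you would feed into accounting or an alert: a second source MAC on a port that is supposed to carry one authenticated client is the hub-and-friends scenario in the text.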

Accounting: Dynamic, anytime, anywhere access can greatly increase productivity. On the other hand, the ability to track client access patterns can be key in determining responsibility for violations. Through the use of a RADIUS server, accounting enables the following activities.

* Network accounting tracks a client's packet counts, byte counts, and active session time.

* Connection accounting reports on outbound connections, such as Telnet sessions, made from the network access server.

* EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and access server IP address.

* System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off).

* Command accounting provides information about the EXEC shell commands executed on a network access server at a specified privilege level. Each command accounting record lists the commands executed at that privilege level, and the date, time and user associated with each executed command.
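An added example, not from the article, of putting network accounting records to the use the section describes: answering who was on which switch port at a given moment, and checking that the records are consistent before you rely on them. The records are constructed for the example and use RFC 2866 attribute names (Acct-Status-Type, Acct-Session-Id, User-Name, Calling-Station-Id, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets); the one-record-per-line text form is assumed, not any vendor's log format.

```python
# Added example: correlating RADIUS accounting Start/Stop records into
# sessions. The records below are constructed; the line format
# "<ISO timestamp> attr=value ..." is an assumption for the example.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

RECORDS = """\
2002-08-01T09:00:05 Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=bob NAS-Port-Id=A1 Calling-Station-Id=00-11-22-33-44-55
2002-08-01T09:47:12 Acct-Status-Type=Stop Acct-Session-Id=a1 User-Name=bob NAS-Port-Id=A1 Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Time=2827 Acct-Input-Octets=18304411 Acct-Output-Octets=2210009 Acct-Terminate-Cause=User-Request
2002-08-01T10:02:00 Acct-Status-Type=Start Acct-Session-Id=a2 User-Name=alice NAS-Port-Id=A1 Calling-Station-Id=00-aa-bb-cc-dd-ee
2002-08-01T10:30:00 Acct-Status-Type=Start Acct-Session-Id=a3 User-Name=bob NAS-Port-Id=B7 Calling-Station-Id=00-11-22-33-44-55
"""


@dataclass
class Session:
    user: str
    port: str
    mac: str
    start: datetime
    stop: Optional[datetime] = None      # None: still open (no Stop record yet)
    in_octets: int = 0
    out_octets: int = 0

    def seconds(self) -> Optional[int]:
        return None if self.stop is None else int((self.stop - self.start).total_seconds())


def parse_records(text: str) -> List[dict]:
    """One record per line: timestamp followed by attr=value pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def build_sessions(records: List[dict]) -> Dict[str, Session]:
    """Pair Start and Stop records by Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = Session(rec["User-Name"], rec["NAS-Port-Id"],
                                    rec["Calling-Station-Id"], rec["time"])
        elif rec["Acct-Status-Type"] == "Stop" and sid in sessions:
            s = sessions[sid]
            s.stop = rec["time"]
            s.in_octets = int(rec.get("Acct-Input-Octets", 0))
            s.out_octets = int(rec.get("Acct-Output-Octets", 0))
    return sessions


def who_was_on(sessions: Dict[str, Session], port: str, at: str) -> List[str]:
    """Users whose session on `port` covers the instant `at` (ISO 8601 string)."""
    t = datetime.fromisoformat(at)
    return sorted(s.user for s in sessions.values()
                  if s.port == port and s.start <= t and (s.stop is None or t < s.stop))


def octets_by_user(sessions: Dict[str, Session]) -> Dict[str, int]:
    """Total traffic per user across closed sessions (network accounting)."""
    totals: Dict[str, int] = {}
    for s in sessions.values():
        totals[s.user] = totals.get(s.user, 0) + s.in_octets + s.out_octets
    return totals


def mismatched_session_time(records: List[dict], sessions: Dict[str, Session]) -> List[str]:
    """Stop records whose Acct-Session-Time disagrees with the Start/Stop stamps.
    Worth checking, since accounting is the record you defend a finding with."""
    bad = []
    for rec in records:
        if rec.get("Acct-Status-Type") == "Stop" and "Acct-Session-Time" in rec:
            s = sessions[rec["Acct-Session-Id"]]
            if s.seconds() != int(rec["Acct-Session-Time"]):
                bad.append(rec["Acct-Session-Id"])
    return bad


SESSIONS = build_sessions(parse_records(RECORDS))

if __name__ == "__main__":
    print(who_was_on(SESSIONS, "A1", "2002-08-01T09:30:00"))   # ['bob']
```

Calling-Station-Id carries the client MAC, so the same sessions table also tells you which MAC was locked to a port by port security at the time of an incident.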

Secure LAN Devices

So far, we've focused on restricting LAN access and user accounting. The next, obvious step is secure management of the networking devices themselves, through passwords, authorized managers and encryption. Once someone gains access to the management console of a switch, he or she has complete control over the parameters of the switch.

Passwords and management access: After securing physical access to the device (through the use of locked enclosures), your first line of defense is to password-protect the device's management console. This is the simplest way to keep unauthorized managers out. When a user connects to the switch, it prompts for a login name and a password; if they are correct, management access is granted.

On a network with many network devices, a Terminal Access Controller Access Control System Plus (TACACS+) server lets each device hand the login decision to a central authentication server. The login name and password entered at the switch are passed up to the TACACS+ server; if they are valid, the server authorizes management access. By maintaining all user rights in its database, a TACACS+ server simplifies the administration of passwords across many devices.

Encryption: You can protect out-of-band switch access (the serial console, which has no network dependency) by physically restricting access to the infrastructure devices. In-band intrusion, accomplished by placing a probe on the network and sniffing for management packets, is still easy, however. If the switch and management station exchange data in clear text, a hacker on the network can read the network administrator's login name and password and use them to access the device.

SSH (Secure Shell) is the de facto standard for securing remote access connections over IP networks. It encrypts all transmitted confidential data, including passwords, binary files and administrative commands. It is widely used to manage network hosts over the Internet, giving the administrator direct access to the firewall. Because the SSH server is authenticated by its host key rather than by its address or name, the management session is protected against attacks such as IP spoofing, IP source routing and DNS spoofing, and SSH provides strong authentication and secure communication over insecure channels such as the Internet.

When using SSH "slogin" (instead of rlogin), the entire login session, including transmission of the client's password, is encrypted. This makes it virtually impossible for an outsider to collect passwords. The only option left to an attacker who has managed to take over a network is to force SSH to disconnect. With SSH encryption enabled, network traffic cannot be replayed, nor can the connection be hijacked.

Recovery: Even though all the appropriate steps to secure access to the network have been taken, no network is immune from attack. An especially popular way to create havoc on a network these days is to deny access to services by flooding it with an enormous amount of traffic, commonly referred to as a distributed denial of service (DDoS) attack; on a switched LAN a broadcast storm has the same effect. The goal of this type of malicious activity is to halt production on a network by clogging up its links. In this scenario, it is no longer just security that is important but also recovery.

Spanning tree protocol (STP, IEEE 802.1D) was initially designed to stop the broadcast storms that occur when a bridged network contains loops through redundant links. The algorithm monitors link status and divides links into primary (active) and redundant (blocked). The redundant backup links are blocked from forwarding data but become active when a primary link fails.

Unfortunately, in large, complex networks, the recovery time of STP can take up to 45 seconds, an eternity in networking. Rapid spanning tree (RSTP, IEEE 802.1w), an alternative to the original 802.1D specification, recovers in as little as one second, depending on network complexity. It is backwards-compatible with 802.1D, so it can be introduced alongside legacy 802.1D devices.

Spanning tree, in all its versions (Multiple Spanning Tree, IEEE 802.1s, is pending approval as this article goes to print), is a vital feature of any switch. However, STP depends on redundant links being blocked (unable to forward traffic), so it effectively leaves ports unused, wasting bandwidth that is available on the switch.

The problem then became how to build layer 2 redundancy in which every port is a functional, forwarding port, intelligent enough to load balance traffic over the switch links. To solve this, HP Procurve introduced switch meshing in 1998. Switch meshing creates a redundant, meshed topology between switches and uses every link in the mesh to dynamically load balance traffic.

In addition to offering multiple open paths between switches, switch meshing improves on simple redundancy by dynamically load balancing at layer 2. Unlike RIP and OSPF (which determine the best path by hop count or link cost derived from link speed, respectively), switch meshing load balances on link latency and, because it works at layer 2, it can balance non-routable protocols as well.

For example, five HP switches can be used to create a meshed topology, also known as a meshed domain. After calculating their best path options, the switches share their forwarding tables to enable intelligent forwarding decisions within the mesh. To maintain link status, the link cost is recalculated every 30 seconds. If a link fails within the mesh, a new path is recalculated in less than a second, shortening link recovery.

In addition to offering this highly available and redundant topology, each switch in the mesh determines a single path for broadcast traffic. This not only improves network performance but also offers a way to contain broadcast-based denial of service: broadcast and multicast traffic is confined to that path instead of being flooded repeatedly over redundant links.
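The difference between spanning tree and meshing, worked as an added example in Python on a constructed five-switch topology (not HP code, and not from the article). A miniature 802.1D election leaves exactly one forwarding path between any two switches and blocks the rest, then recomputes after a link failure; a mesh that may forward on every link has several paths to spread load over. Bridge IDs and path costs are constructed for the example, and the mesh side is shown only as the number of usable paths, not Procurve's latency-based selection.

```python
# Added example (not HP code): STP blocks redundant links, meshing uses them.
# Bridge IDs, link costs and the topology are constructed for the example.
import heapq
from typing import Dict, FrozenSet, List, Set, Tuple

Link = Tuple[str, str, int]            # (switch a, switch b, path cost)
BRIDGE_ID = {"S1": 1, "S2": 2, "S3": 3, "S4": 4, "S5": 5}   # S1 wins the root election
LINKS: List[Link] = [("S1", "S2", 4), ("S1", "S3", 4), ("S2", "S3", 4), ("S2", "S4", 19),
                     ("S3", "S5", 19), ("S4", "S5", 4), ("S3", "S4", 4)]


def key(a: str, b: str) -> FrozenSet[str]:
    """Direction-free identity of a link."""
    return frozenset((a, b))


def adjacency(links: List[Link]) -> Dict[str, List[Tuple[str, int]]]:
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    return adj


def spanning_tree(links: List[Link]) -> Set[FrozenSet[str]]:
    """802.1D in miniature: the lowest bridge ID becomes root; every other bridge
    keeps one root port on its least-cost path to the root (ties go to the
    neighbour with the lower bridge ID). Returns the links left forwarding."""
    adj = adjacency(links)
    root = min(adj, key=BRIDGE_ID.__getitem__)
    forwarding: Set[FrozenSet[str]] = set()
    done: Set[str] = set()
    heap = [(0, 0, root, "")]            # (root path cost, parent bridge ID, node, parent)
    while heap:
        cost, _, node, parent = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if parent:
            forwarding.add(key(node, parent))     # this is the node's root port link
        for nbr, c in adj[node]:
            if nbr not in done:
                heapq.heappush(heap, (cost + c, BRIDGE_ID[node], nbr, node))
    return forwarding


def blocked_links(links: List[Link]) -> Set[FrozenSet[str]]:
    """Redundant links STP holds in the blocking state: present, carrying nothing."""
    return {key(a, b) for a, b, _ in links} - spanning_tree(links)


def fail_link(links: List[Link], a: str, b: str) -> List[Link]:
    """Topology after the link a-b goes down; STP recomputes from what is left."""
    return [l for l in links if key(l[0], l[1]) != key(a, b)]


def tree_links(links: List[Link]) -> List[Link]:
    fwd = spanning_tree(links)
    return [l for l in links if key(l[0], l[1]) in fwd]


def count_paths(links: List[Link], src: str, dst: str) -> int:
    """Loop-free paths src->dst over the usable links: exactly 1 under STP,
    several when a mesh may forward on every link."""
    adj = adjacency(links)

    def walk(node: str, seen: Set[str]) -> int:
        if node == dst:
            return 1
        return sum(walk(n, seen | {n}) for n, _ in adj.get(node, []) if n not in seen)

    return walk(src, {src})


if __name__ == "__main__":
    print(sorted(sorted(l) for l in blocked_links(LINKS)))
    print(count_paths(tree_links(LINKS), "S1", "S5"), count_paths(LINKS, "S1", "S5"))
```

With seven links between five switches, STP forwards on four and blocks three, and S1 reaches S5 over a single path; after the S3-S4 link fails the tree is rebuilt through S2-S4 and S3-S5. Over the full mesh the same pair has seven loop-free paths available for load balancing.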

Providing link redundancy, through spanning tree or switch meshing, is key to lowering network downtime and increasing recovery of network resources. There are probably few businesses today that can afford to go an entire day without access to key computing resources.

Pragmatic Network Security

Review network access policies with your IT staff. Are the policies in place as stringent as you'd like them to be? Are your user profiles and passwords kept current? Are you controlling access to all parts of the network by restricting user rights? What is your recovery plan in the case of link failure? Are there redundant paths between vital servers and network devices? All these issues need to be addressed by IT managers who are seriously concerned about the integrity of their network.

www.hp.com

[GRAPH OMITTED]
2001 - Computer Crimes

IP Theft                 $9,041,000
Insider abuse of Net     $8,849,000
Unauthorized Insider   $151,230,100
Telecom eavesdropping    $5,183,100
Denial of Service          $889,000
Laptop theft            $19,066,600
Sabotage of Data        $35,001,650
Financial Fraud         $92,935,500
Telecom Fraud            $4,283,600
System penetration by   $45,288,150
Virus                    $6,064,000

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

Note: Table made from pie chart

Likely Sources of Attack

                       1997  1998  1999  2000  2001

Foreign Government       22    21    21    21    25
Foreign Corporation      24    29    30    26    31
Independent Hackers      73    72    74    77    81
U.S. Competitors         51    48    53    44    49
Disgruntled Employees    87    86    86    81    76

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

Note: Table made from bar graph


Cecilia Ross is worldwide technical training manager at HP (Roseville, Calif.)
COPYRIGHT 2002 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Ross, Cecilia
Publication: Computer Technology Review
Date: Aug 1, 2002