Securing network infrastructures: meshed topographies simultaneously preserve security and accessibility. (Storage Networking).
Let's take a pragmatic look at network security, while focusing on preventing network violations at the access point and discussing some practical recovery options.
Growing Security Threats
In the past, external security breaches represented a small percentage of violations, with most violations coming from within the network. From 1996 to 2001, the source of network attacks has shifted from internal to external violations.
While the number of intrusions by hackers has increased, internal security breaches--often by disgruntled employees--still represent the greatest number of computer crimes. Over the last two years, growth in the technology industry has slowed dramatically, resulting in large-scale layoffs. This, in turn, has made corporate networks the target of many disgruntled employees. In 2001, for example, technology and manufacturing companies reported $151 million in intellectual property theft, accounting for 41% of the losses related to computer crimes.
But Internet crimes are not just about stealing intellectual property; they can also disrupt network service. A healthy network depends on specific services--bandwidth, disk space, CPU services, and transmission of data to other computers and networks--to function properly. If these core infrastructure services are compromised on a corporate network, where thousands of clients may rely on them, it is possible to bring business to a screeching halt--resulting in millions of dollars in lost productivity.
Although there is no way to ensure 100% security, most experts agree that a comprehensive approach to network security can go a long way toward safeguarding your infrastructure. The simplest, most effective way to guard against network violations is to control network access at the edge.
The two key ways to avoid network breaches are to prevent unauthorized access to the LAN and to restrict access to network devices. Let's look at LAN access first.
Network Access Control: Preventing unauthorized access to a network is vital to keeping it secure. While access for authorized persons should be easy, uncontrolled access by an unauthorized person should not.
Access to the core infrastructure of the network can be easily gained through access to devices at the edge. The wide deployment of Internet access points in public areas--such as campuses, airports, and hotels--presents a virtual breeding ground for hackers. Networks are often deployed in a manner that allows clients to access their services without having to present credentials or proof of identification. A network switch in an open and easily accessible area is vulnerable to unauthorized clients, which can connect to any unused port.
To prevent such network violations, you must know who is accessing your network and what areas are being accessed. Authentication is the process used to ensure that the person trying to access the network is actually who he or she claims to be.
Authentication: Port-based access control (IEEE 802.1X) is a networking standard intended to help secure switch port access by requiring the client to authenticate itself before being granted access to the network. By blocking port access to the LAN until the client has been authenticated, port-based access control blocks communication at the switch port level. Data cannot pass through the switch and onto the LAN until the client's identification has been verified.
Secure authentication through implementing this protocol on all edge switches offers three main benefits: 1) Allows clients to be recognized and granted access rights from wherever they log on. In a campus environment, this allows for mobile, secure LAN access as a client travels with his or her laptop to different buildings; 2) Gives clients specific access rights to services on the network; 3) Allows for dynamic assignment of a port to a VLAN, based on the user profile.
Standard 802.1X can be implemented in the switch on a stand-alone basis using a local client name/password database, but administering 802.1X over multiple switches is much more efficient using a remote authentication dial-in user service (RADIUS) server. A RADIUS server simplifies the implementation and management of network security at the switch level by maintaining the master database of all user profiles. Since authentication parameters for clients remain the same regardless of how the clients attach to the network, a RADIUS server can provide common authentication parameters for a client that connects to the network via 802.11 wireless links and remote, dial-up modem connections. By addressing the security needs of mobile environments, this approach maximizes productivity.
Standard 802.1X is basically a challenge handshake protocol. It relies on the exchange of extensible authentication protocol (EAP) and extensible authentication protocol over LAN (EAPOL) messages between the client and the authenticator over a point-to-point link.
To understand how 802.1X works in a campus environment, imagine a typical dorm room where an open switch port connects the resident to the local network. In that room lives Bob, who wants to download his mid-term results from his professor's website. Here's how the process works:
1 The switch notices a state change in the port and blocks access to the LAN.
2 Bob initiates a request for access.
3 The switch issues an identification challenge.
4 Using the 802.1X client (supplicant) software installed on Bob's client PC, the client responds with the proper identification reply.
5 The switch forwards the reply to the RADIUS server for verification and a request for authentication. At this point, the switch merely observes these exchanges and waits for an EAP success frame.
6 The RADIUS server issues an authentication challenge.
7 The supplicant forwards its credentials.
8 If the credentials are accepted, the RADIUS server passes the EAP success message back through the switch. Once the success message is seen by the switch, it will open the port and allow the client access to the LAN.
Unauthenticated use: The 802.1X standard was developed to provide a secure, dedicated connection for a single client directly attached to a single switch port. But what happens when it is used in a shared environment? The specification clearly states. Again, using the example of our college student, Bob could easily plug a hub into the switch port and share his network access with friends. Once Bob logs on to the network, his pals can simply plug into the hub and piggyback on Bob's access rights.
To avoid this type of access abuse, HP's Procurve switches provide an added layer of security using HP Procurve port security. HP port security uses a MAC address lock-down scheme to deny port access to any device that is not registered to that port. Simply put, a MAC address is assigned to a specific switch port and only the device that has the correct MAC address can transmit data over that port. By restricting port access to only authorized MAC addresses, piggybacking on a valid user's rights, through the use of a hub, is avoided.
Additionally, this feature can be easily configured by allowing the first MAC address learned on the switch port to be automatically "locked-down" and allowing no others. Because only 802.1X authenticated users will be allowed port access to the switch, no authorized users will be locked out.
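The MAC lock-down rule described above, as an added example (not the article's or HP's own code): the first source MAC learned on a port is locked, every other source MAC on that port is dropped and logged, and the lock is cleared on link down. The port number, MAC addresses and the link-down behaviour are constructed assumptions.

```python
class PortSecurity:
    """Model of first-learned-MAC port security on an edge switch."""

    def __init__(self):
        self.locked = {}         # port -> the single MAC allowed to transmit
        self.intrusion_log = []  # (port, offending MAC) for the administrator

    def ingress(self, port, src_mac):
        """Return True if a frame from src_mac may be transmitted over port."""
        mac = src_mac.lower()
        owner = self.locked.get(port)
        if owner is None:
            self.locked[port] = mac  # first station seen is locked down
            return True
        if mac == owner:
            return True
        self.intrusion_log.append((port, mac))  # piggybacking attempt
        return False

    def link_down(self, port):
        """Clear the lock when the link drops so the next authenticated
        station can be learned (assumed behaviour, not from the article)."""
        self.locked.pop(port, None)


# constructed frames seen on Bob's port: (port, source MAC)
FRAMES = [
    (7, "00:10:83:aa:bb:01"),  # Bob's PC, already authenticated via 802.1X
    (7, "00:10:83:aa:bb:01"),
    (7, "00:a0:c9:11:22:33"),  # a friend plugged into a hub on Bob's port
    (7, "00:10:83:AA:BB:01"),  # Bob again (MACs compared case-insensitively)
    (7, "00:a0:c9:11:22:33"),  # the friend tries again
]


def run(frames):
    """Apply port security to each frame; return the decisions and the log."""
    ps = PortSecurity()
    decisions = [ps.ingress(port, mac) for port, mac in frames]
    return decisions, ps.intrusion_log
```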
Authorization: Authentication is a vital first step in network security. But to continue to protect the network once a client has already gained access, the services that client accesses should be based on need.
One way to restrict access rights is through the use of VLANs, which ensure that clients with common access rights can communicate easily with each other, but aren't allowed to stray into other VLANs. For example, in a campus environment, the network manager may want to restrict student access to the administration VLAN. A client profile typically contains the client identification and access rights. Using authorization through 802.1X, you can limit network access based on a client profile.
Let's look again at Bob, who is only allowed to talk to other clients within the same VLAN. The exchange between the RADIUS server and Bob would look like this:
* The RADIUS server looks up Bob in its database and identifies which VLAN Bob belongs to.
* The switch then uses this information to enforce Bob's access rights.
Guest authorization: The ability to work anytime, anywhere is being greatly encouraged by the use of mobile devices. Adding a guest user onto a network is not a trivial event, especially in a large corporate environment, and it creates some obvious security risks. One problem is how to securely offer Internet services to unauthenticated guests without giving them access to the internal LAN. The Procurve lab team developed a way to offer Internet services to unauthorized users while segmenting them from the rest of the LAN.
To do this, the network administrator can create a special "guest VLAN." In this scenario, rather than denying any data exchanges when an unauthenticated client attempts to log onto the network, the client is granted "guest" status with the ability to communicate with the Internet, but without access to the LAN.
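The 802.1X exchange in Bob's dorm room, the RADIUS-driven VLAN assignment, and the guest VLAN fallback, modelled together as an added example (not code from the article or from HP): the port stays blocked until the server returns success, an authorized client is confined to the VLAN in its profile, and a client that fails authentication gets Internet-only guest status. The user database, VLAN numbers and class names are constructed assumptions.

```python
from dataclasses import dataclass, field

GUEST_VLAN = 99  # assumed id of the guest VLAN; None disables guest access


@dataclass
class RadiusServer:
    """Holds the master user database; answers with success plus the VLAN."""
    # constructed entries: username -> (password, VLAN the user belongs to)
    users: dict = field(default_factory=lambda: {
        "bob": ("midterm-pass", 10),    # student VLAN (assumed id)
        "registrar": ("adm-pass", 20),  # administration VLAN (assumed id)
    })

    def authenticate(self, username, password):
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return False, None          # EAP Failure
        return True, entry[1]           # EAP Success, with VLAN for the port


class Switch:
    """Authenticator: relays EAP between supplicant and RADIUS and keeps the
    port blocked until an EAP Success has been seen."""

    def __init__(self, radius, guest_vlan=None):
        self.radius = radius
        self.guest_vlan = guest_vlan
        self.ports = {}  # port number -> {"state": ..., "vlan": ...}

    def link_up(self, port):
        # step 1: port state change, LAN access blocked pending authentication
        self.ports[port] = {"state": "blocked", "vlan": None}

    def authenticate(self, port, username, password):
        # steps 2-8 collapsed: identity challenge, credentials relayed to
        # RADIUS, port opened only when the server answers with EAP Success
        ok, vlan = self.radius.authenticate(username, password)
        if ok:
            self.ports[port] = {"state": "authorized", "vlan": vlan}
        elif self.guest_vlan is not None:
            # unauthenticated client is granted Internet-only guest status
            self.ports[port] = {"state": "guest", "vlan": self.guest_vlan}
        else:
            self.ports[port] = {"state": "blocked", "vlan": None}
        return self.ports[port]

    def may_forward(self, port, destination):
        """destination is a LAN VLAN id or the string "internet"."""
        p = self.ports.get(port)
        if p is None or p["state"] == "blocked":
            return False
        if destination == "internet":
            return True                 # both guests and authorized users
        return p["state"] == "authorized" and p["vlan"] == destination
```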
Accounting: Dynamic, anytime, anywhere access can greatly increase productivity. On the other hand, the ability to track client access patterns can be key in determining responsibility for violations. Through the use of a RADIUS server, accounting enables the following activities:
* Network accounting tracks a client's packet counts, byte counts, and active session time.
* Connection accounting reports on outbound connections, such as Telnet sessions, made from the network access server.
* EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and access server IP address.
* System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
* Command accounting provides information about the EXEC shell commands for a specified privilege level that are executed on a network access server. Each command accounting record lists the commands executed for that privilege level, and date, time, and user associated with each executed command.
Secure LAN Devices
So far, we've focused on restricting LAN access and user accounting. The next obvious step is secure management of networking devices through passwords, authorized managers, and encryption. Once someone gains access to the management console of a switch, he or she has complete control over the parameters of the switch.
Passwords and management access: After securing physical access to the device (through the use of locked enclosures), your first line of defense is to password-protect access to the device's management console. This is the simplest way to avoid unauthorized managers. Once a user connects to a switch, the switch requests a login name and password. If the value returned is correct, management access is granted.
On a network with many network devices, the use of a terminal access controller access control system (TACACS+) server allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Password information is submitted through the switch and passed up to the TACACS+ server. If the information is valid, the server will authorize access. By maintaining all user rights in its database, a TACACS+ server can simplify the administration of multiple device passwords.
Encryption: You can achieve out-of-band switch access (access without network dependencies) by physically restricting access to network infrastructure devices. However, in-band intrusion, accomplished by placing a probe on the network and sniffing for management packets, is still easy. If the switch and management station exchange data in clear text, a hacker on the network can easily read the network administrator's client identification and password and use this information to access the device.
SSH is the de facto standard for securing remote access connections over IP networks by encrypting all transmitted confidential data, including passwords, binary files, and administrative commands. This security feature is widely used to manage network hosts over the Internet, giving the administrator direct access to the firewall. SSH protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing and provides strong authentication and secure communication over insecure channels such as the Internet.
When using SSH "slogin" (instead of rlogin), the entire login session, including transmission of the client's password, is encrypted. This makes it virtually impossible for an outsider to collect passwords. The only option for an attacker who has managed to take over a network is to force SSH to disconnect. When encryption is enabled using SSH, network traffic can't be played back, nor can the connection be hijacked.
Recovery: Even though all the appropriate steps to secure access to the network have been taken, no network is immune from attack. An especially popular way to create havoc on a network these days is to deny access to services by creating an enormous amount of traffic, typically in the form of a broadcast storm, on a network, commonly referred to as a distributed denial of service attack (DDOS). The goal of this type of malicious activity is to halt production on a network by clogging up network links. In this scenario, it is no longer just security that is important but also recovery.
Spanning tree protocol (STP--IEEE 802.1D) was initially targeted to stop broadcast storms from occurring in the case of a multiple looped (multi-looped) environment. The algorithm monitors link status between the primary links (active) and redundant links (blocked). The redundant backup links are blocked from transmitting data but become active when a primary link fails.
Unfortunately, in large, complex networks, the recovery time of STP can take up to 45 seconds--an eternity in networking. Enter, stage left, rapid spanning tree (RSTP--IEEE 802.1w), an alternative to the original 802.1D specification with a recovery time, depending on network complexity, of as little as one second. Completely backwards-compatible with the old 802.1D, it allows for scalability with legacy 802.1D devices.
Spanning tree, in all its versions (Multi-instance Spanning Tree, 802.1s, is pending approval in the IETF as this article goes to print), is a vital feature of all switches. However, STP depends on redundant links that are blocked (unable to forward traffic), so it effectively leaves a port unused, wasting precious bandwidth that is available on the switch.
The problem then became how to create a layer 2 redundancy story that allowed all ports to be functional, forwarding ports that were intelligent enough to load balance traffic over the switch links. To solve this, HP Procurve introduced switch meshing in 1998. Switch meshing is the ability to create a redundant, meshed topology between switches, using all port links in the mesh to dynamically load balance traffic.
In addition to offering multiple open paths between switch links, switch meshing improves upon the concept of redundancy by dynamically load balancing at layer 2. Unlike RIP and OSPF (which determine the best path by hop count or link speed, respectively), switch meshing is able to load balance based on link latency and, since this is done at layer 2, it can load balance all non-routable protocols.
For example, five HP switches are used to create a meshed topology, also known as a meshed domain. After initial calculation of their best path options, the switches share their forwarding tables to enable intelligent forwarding decisions within the mesh. To maintain link status, a recalculation of the link cost is done every 30 seconds. If a link fails within the mesh, a new path is recalculated in less than a second, speeding link recovery.
In addition to offering this highly available and redundant topology, each switch in the mesh will determine a path for broadcast traffic. This not only improves network performance, but offers a way to control DDOS attacks by isolating broadcast and multicast traffic, thus preventing broadcast traffic from being repeatedly flooded over redundant links.
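The contrast between spanning tree and switch meshing drawn above, worked on a constructed five-switch looped domain as an added example (not the article's or HP's own code): simplified STP keeps one loop-free tree towards the root and blocks every other link, while the mesh keeps all links forwarding and picks next hops by latency cost; both views are recomputed after a link failure. The switch names, latencies, root choice and the simplified STP rule are assumptions.

```python
import heapq

# constructed meshed domain: (switch A, switch B, link latency in ms)
LINKS = [("S1", "S2", 1), ("S1", "S3", 1), ("S2", "S3", 2), ("S2", "S4", 1),
         ("S3", "S5", 1), ("S4", "S5", 1), ("S3", "S4", 3)]

def adjacency(links):
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def shortest_paths(adj, src):
    """Dijkstra over link cost: returns {switch: (total cost, previous hop)}."""
    best = {src: (0, None)}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nxt, lat in adj[node].items():
            new = cost + lat
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, node)
                heapq.heappush(heap, (new, nxt))
    return best

def stp_forwarding(links, root):
    """Simplified STP: each switch keeps only its cheapest link towards the
    root bridge; every other (redundant) link is blocked and carries nothing."""
    paths = shortest_paths(adjacency(links), root)
    return {frozenset((sw, prev)) for sw, (_, prev) in paths.items() if prev}

def mesh_forwarding(links):
    """Switch meshing keeps every link in the domain forwarding."""
    return {frozenset((a, b)) for a, b, _ in links}

def mesh_next_hop(links, src, dst):
    """Lowest-latency next hop from src towards dst inside the mesh."""
    if src == dst:
        return src
    paths = shortest_paths(adjacency(links), src)
    hop = dst
    while paths[hop][1] != src:
        hop = paths[hop][1]
    return hop

def after_failure(links, failed, root):
    """Recompute both views once a link fails (the sub-second recalculation)."""
    keep = [l for l in links if frozenset(l[:2]) != frozenset(failed)]
    return stp_forwarding(keep, root), mesh_forwarding(keep)
```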
Providing link redundancy, through spanning tree or switch meshing, is key to lowering network downtime and increasing recovery of network resources. There are probably few businesses today that can afford to go an entire day without access to key computing resources.
Pragmatic Network Security
Review network access policies with your IT staff. Are the policies in place as stringent as you'd like them to be? Are your user profiles and passwords kept current? Are you controlling access to all parts of the network by restricting user rights? What is your recovery plan in the case of link failure? Are there redundant paths between vital servers and network devices? All these issues need to be addressed by IT managers who are seriously concerned about the integrity of their network.
2001 Computer Crimes (losses by category)
  IP Theft                  $9,041,000
  Insider abuse of Net      $8,849,000
  Unauthorized Insider      $151,230,100
  Telecom eavesdropping     $5,183,100
  Denial of Service         $889,000
  Laptop theft              $19,066,600
  Sabotage of Data          $35,001,650
  Financial Fraud           $92,935,500
  Telecom Fraud             $4,283,600
  System penetration by     $45,288,150
  Virus                     $6,064,000
Source: CSI/FBI 2001 Computer Crime and Security Survey, Computer Security Institute. Note: Table made from pie chart.

Likely Sources of Attack
                          1997  1998  1999  2000  2001
  Foreign Government        22    21    21    21    25
  Foreign Corporation       24    29    30    26    31
  Independent Hackers       73    72    74    77    81
  U.S. Competitors          51    48    53    44    49
  Disgruntled Employees     87    86    86    81    76
Source: CSI/FBI 2001 Computer Crime and Security Survey, Computer Security Institute. Note: Table made from bar graph.
Cecilia Ross is worldwide technical training manager at HP (Roseville, Calif.)
Publication: Computer Technology Review
Date: Aug 1, 2002