SRWE Module 10: LAN Security Concepts


What is the Cisco version of Advanced Malware Protection?

- Cisco AMP for Endpoints

What are the 2 main limitations of using a local database for console logins? What method is better than this?

- accounts have to be configured on each device, so it is time-consuming to scale
- there is no backup authentication method, so if the administrator forgets the password, password recovery is required
- have all devices refer to the same database on a central server for usernames/passwords

Describe the 3 different roles in 802.1X port-based authentication.

- Client (Supplicant)
  + device running 802.1X-compliant client software (wired or wireless)
- Switch (Authenticator)
  + acts as an intermediary between the client and the authentication server
  + requests identifying information from the client, verifies it against the authentication server, and relays that response to the client
  + could be a wireless access point
- Authentication Server
  + validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services

Describe an STP attack. What is used to prevent this type of attack?

- a threat actor uses STP bridge protocol data units (BPDUs) to spoof themselves as a bridge with a low priority value, enabling them to become the root bridge and change the topology of the network
- as the root bridge they can capture all traffic for the immediate switched domain
- can even occur when someone adds an Ethernet switch to the network without any malicious intent
- BPDU Guard implemented on all access ports

How can you improve the effectiveness of Layer 2 attack mitigation techniques? What are some of the insecure Layer 2 protocols?

- Use secure management protocols
  + SSH
  + Secure Copy Protocol (SCP)
  + Secure FTP (SFTP)
  + SSL/TLS (Secure Socket Layer/Transport Layer Security)
- Use out-of-band management to manage devices
- Use a dedicated management VLAN where nothing but management traffic resides
- Use ACLs to filter unwanted access
- Insecure protocols
  + Syslog
  + SNMP (Simple Network Management Protocol)
  + Trivial File Transfer Protocol (TFTP)
  + Telnet
  + File Transfer Protocol (FTP)

What is phishing? What is spear phishing? Describe the Cisco application designed to protect against phishing.

- an attack that entices the user to click a link or open an attachment
- an attack that targets high-profile employees or executives who may have elevated login credentials (95% of all attacks on enterprise networks result from spear phishing)
- Cisco ESA
  + device designed to monitor Simple Mail Transfer Protocol (SMTP)
  + updated every 3-5 minutes from feeds from the Cisco intelligence group Cisco Talos, which detects and correlates threats worldwide in its database

How is an ARP attack conducted? What is the name of the attack that unfolds as a result of ARP attacks? What are the common tools used to create ARP man-in-the-middle attacks? What is the IPv6 message used in a similar manner to ARP spoofing? What is the attack for IPv6 called? What is used to mitigate ARP spoofing and ARP poisoning?

- attacker sends a "gratuitous ARP" request, as if it were simply sending an ARP reply
  + with its spoofed MAC address, it claims to be the owner of the IP/MAC combination (usually its own MAC and the default gateway's IP)
  + the switch and hosts on the subnet update their ARP tables with this faulty information
  + subsequent messages intended for that IP address are then sent to the attacker with the spoofed MAC address
- ARP man-in-the-middle attack
- tools
  + dsniff
  + Cain & Abel
  + ettercap
  + Yersinia
- Neighbor Advertisement
  + Neighbor Advertisement spoofing
- Dynamic ARP Inspection (DAI)

How does a MAC address flooding attack take advantage of the limited size of MAC tables? What network attack tool is used for this type of attack? How does a switch treat frames received after the MAC table is full? How does this help a threat actor? How does Port Security mitigate this type of attack?

- bombards the switch with fake source MAC addresses until the switch MAC address table is full
- macof
- the switch treats all incoming traffic as unknown unicast and floods it out all ports on the same VLAN without referencing the MAC table
- allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN
- Port Security only allows a specified number of source MAC addresses to be learned on a port

What are the ways that endpoints are best protected today? How does this differ from endpoint protection in the past?

- combination of:
  + NAC
  + host-based AMP (Advanced Malware Protection) software
  + email security appliance (ESA)
  + web security appliance (WSA)
- traditionally protected by host-based security:
  + antivirus/antimalware
  + host-based firewalls
  + host-based intrusion prevention systems (HIPS)

What is the simplest method of remote access authentication? What are the 2 main cons of only using this method? What is the better method to use and why is it better?

- configure a login and password combination on console, vty lines, and aux ports
- cons
  + provides no accountability, and the password is sent in plaintext
  + anyone with the password can gain entry to the device
- SSH
  + requires a username and password, which are both encrypted during transmission
  + the username/password combination can be authenticated against a local database
  + accountability, since the username is recorded when a user logs in

What kind of data might AAA accounting collect and report? How might it combine this data with AAA authentication?

- data
  + auditing/billing
  + start/stop connection times
  + executed commands
  + number of packets
  + number of bytes
- the AAA server keeps a detailed log of exactly what the authenticated user does on the device (username, date, time, commands entered)
  + used for troubleshooting
  + used as evidence against users performing malicious acts

How is IP and MAC address spoofing mitigated?

- IPSG (IP Source Guard)

What is the primary framework to set up access control on a network device? Describe the 3 functions that this framework serves.

- AAA (Authentication, Authorization, and Accounting)
- Authentication
  + controls who is permitted to access a network
- Authorization
  + what they can do while they are there
- Accounting
  + audits what actions they performed while accessing the network

What are the functions of Cisco ESA?

- Block known threats
- Remediate against stealth malware that evaded initial detection
- Discard emails with bad links
- Block access to newly infected sites
- Encrypt content in outgoing email to prevent data loss
- firewalls forward emails to the ESA
- monitors SMTP traffic to block threats and encrypts outgoing messages to prevent data loss

What does Cisco WSA stand for? What are the 4 functions that Cisco WSA combines to mitigate web-based threats and secure and control web traffic? What are the common restrictions that it places on web traffic?

- Cisco Web Security Appliance
- combines
  + advanced malware protection
  + application visibility and control
  + acceptable use policy controls
  + reporting
- common restrictions
  + which content is allowed/blocked
  + time restrictions
  + bandwidth restrictions
  + blacklisting of URLs
  + URL filtering
  + malware scanning
  + URL categorization
  + web application filtering
  + encryption/decryption of web traffic

What is CDP? What is the vendor-neutral version of CDP? Why are CDP/LLDP useful? Why would you want to disable them? Which commands would you use to disable them?

- Cisco proprietary Layer 2 link discovery protocol enabled on all Cisco devices by default
  + used to automatically discover other CDP-enabled devices and help auto-configure their connection
  + used to help configure and troubleshoot network devices (if you can't ping but do get CDP information, Layers 1-2 are good, so look at the higher layers of the OSI model)
- the information provided by CDP can also be used by a threat actor to discover network infrastructure vulnerabilities (IP address of the device, IOS software version, platform, capabilities, and the native VLAN)
- commands to disable CDP/LLDP
  + "no cdp run" global configuration command
  + "no cdp enable" interface configuration command
  + "no lldp run" global configuration command
  + "no lldp transmit" interface configuration command
  + "no lldp receive" interface configuration command

Describe the 2 types of DHCP attacks. Why is Port Security ineffective against one of these attacks?

- DHCP Starvation Attack
  + a tool, such as Gobbler, sees the entire scope of leasable IP addresses
  + the tool creates DHCP discovery messages with bogus MAC addresses to try to lease all IPs
  + creates a DoS for connecting clients
- DHCP Spoofing Attack
  1) a rogue DHCP server is connected to the network
  2) the rogue DHCP server provides false IP configuration parameters to legitimate clients, such as:
     a) wrong default gateway (man-in-the-middle attack)
     b) wrong DNS server (to a nefarious website)
     c) wrong IP address (DoS for the DHCP client)
- Port Security doesn't mitigate DHCP spoofing
  + because Gobbler can be configured to use the actual legitimate interface MAC address as the source Ethernet address, but specify a different address in the DHCP payload

Describe the 3 most common types of attacks on networks.

- Distributed Denial of Service (DDoS)
  + coordinated attack from many devices (zombies)
  + intent of degrading/halting public access to an organization's website and resources
- Data breach
  + attack in which an organization's data servers or hosts are compromised to steal confidential information
- Malware
  + attack in which an organization's hosts are infected with malicious software that causes a variety of problems
  + ransomware, such as WannaCry

Describe the IEEE port-based access control and authentication protocol.

- IEEE 802.1X
  + restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports
  + authenticates workstations on those ports before making services available from the switch or LAN

Which layers of the OSI Model do VPNs, firewalls, and IPS devices protect? Why is it important to protect Layer 2 infrastructure?

- Layers 3-7
- if Layer 2 is compromised, all layers above it are also affected
  + if Layer 2 frames are captured, all security implemented at the layers above Layer 2 is useless

Describe the 2 common methods of implementing AAA Authentication.

- Local AAA Authentication
  + stores usernames and passwords locally in a network device such as a Cisco router
  + authenticates against the local database
  + ideal for small networks
- Server-Based AAA Authentication
  + the router accesses an AAA server that contains the usernames/passwords
  + the router uses one of these protocols to communicate with the AAA server:
    a) RADIUS (Remote Authentication Dial-In User Service) OR
    b) TACACS+ (Terminal Access Controller Access Control System)
  + better method when there are multiple routers/switches

Give examples for each of the 6 Layer 2 attacks.

- MAC Table Attacks
  + MAC address flooding attacks
- VLAN Attacks
  + VLAN hopping
  + VLAN double-tagging attacks
  + attacks between devices on the same VLAN
- DHCP Attacks
  + DHCP starvation
  + DHCP spoofing
- ARP Attacks
  + ARP spoofing
  + ARP poisoning
- Address Spoofing Attacks
  + MAC address spoofing
  + IP address spoofing
- STP Attacks
  + Spanning Tree Protocol manipulation

Describe the Cisco solutions to protect against Layer 2 attacks.

- Port Security
  + prevents many types of attacks (MAC address flooding, DHCP starvation)
- DHCP Snooping
  + prevents DHCP starvation
  + prevents DHCP spoofing
- Dynamic ARP Inspection (DAI)
  + prevents ARP spoofing
  + prevents ARP poisoning attacks
- IP Source Guard (IPSG)
  + prevents MAC spoofing
  + prevents IP address spoofing

Describe a VLAN hopping attack.

- threat actor configures a host to act like a switch (using 802.1Q signaling and DTP signaling) to take advantage of the automatic trunking feature enabled by default on most switch ports
- enables traffic from one VLAN to be seen by another VLAN without the aid of a router

Describe a VLAN double-tagging attack. How does it occur? Why does the first switch in this type of attack not retag the frame with the original VLAN tag? Which trunk security guidelines mitigate this type of attack?

- threat actor embeds a hidden 802.1Q tag inside a frame that already has an 802.1Q tag
- the hidden tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify
- how
  + the outer header has the VLAN tag of the native VLAN number of the trunk port
  + the receiving switch sees the native VLAN tag and floods the frame out all ports in the native VLAN, but strips the outer header off first, exposing the inner VLAN header tag
  + the next receiving switch either forwards that frame to the target, or floods it if there is no MAC address table entry for that target
- it is not retagged because it is a part of the native VLAN
- Mitigation
  + disable trunking on all access ports
  + disable auto trunking on trunk links, so that trunks must be manually enabled
  + be sure that the native VLAN is only used for trunk links

Describe IP address spoofing.

- threat actor hijacks a valid IP address of another device on the subnet OR uses a random IP address
- difficult to mitigate
  + especially when it occurs inside the subnet to which the IP belongs

What are network security devices used for? Describe the 3 main types.

- to protect the network perimeter from outside access
- VPN (virtual private network) enabled router
  + secure connection for remote users across a public network and into the enterprise network
  + VPN services can be integrated into the firewall
- Next-generation firewall (NGFW)
  + stateful packet inspection
  + application visibility and control
  + NGIPS (next-generation intrusion prevention system)
  + AMP (advanced malware protection)
  + URL filtering
- Network access control (NAC)
  + AAA (Authentication, Authorization, and Accounting) services
  + larger enterprises use appliances that manage access policies across a wide variety of users and device types
  + ex. Cisco ISE (Identity Services Engine)

How does AAA Authorization govern what a user can and cannot do on a network after they are authenticated?

- uses a set of attributes, in coordination with an AAA server, to determine the privileges and restrictions for that user

Describe how MAC address spoofing occurs. How does a threat actor ensure the switch maintains the correct information, instead of it being corrected by a frame from the correct host?

1) The threat actor alters the MAC address of their host to match a known MAC address of a target host
2) The attacking host sends a frame throughout the network with the newly configured MAC address
3) The switch receives the frame, examines the source MAC address, and overwrites the current MAC table entry, mapping the MAC address to the new port
4) The switch then inadvertently forwards frames destined for the target host to the attacking host
- the threat actor creates a program or script that will constantly send frames to the switch
