Thursday, 29 September 2016

Network Foundation Protection

Nowadays even people with no hacking skills can be a threat to our networks: thanks to automated tools, almost anybody can launch an attack that causes damage and loss of revenue to a company.

Common Threats
  • Denial of Service and Distributed Denial of Service attacks (DoS, DDoS)
  • Session hijacking, unauthorized access, privilege escalation
  • Man-in-the-Middle attacks (MitM)
  • Botnets
  • Routing protocol attacks
  • Spanning Tree attacks
  • Layer 2 attacks: MAC flooding, ARP spoofing

To help secure our network we can use Network Foundation Protection (NFP).

NFP is a framework that breaks the functions of a network device down into planes, so that we can focus on the specific security measures that protect each one.

In Cisco IOS routers and switches, NFP is made up of three planes:

  • Management Plane
 Here we have the protocols and traffic used by the administrator to manage the network, e.g. SNMP, SSH, etc.
Note that a failure or compromise of the management plane can cause the administrator to lose the ability to manage a device!

  • Control Plane
This plane holds all the protocols and traffic that network devices use to communicate with each other without direct human interaction, for example routing protocols.
  • Data Plane
Here we have the transit traffic: the data that users and their applications send through the network, e.g. e-mail, VoIP, etc.
 Important Note:
Each plane can impact the others. If, for example, the control plane fails or is compromised, the data plane and the management plane suffer too: a failed routing protocol means you will probably lose the ability to reach and manage the device, and a manipulated routing protocol can send traffic along a malicious path, enabling MitM attacks.
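As an added example (not from the original post), here is how the control plane of a Cisco IOS router can be protected against the scenario the note describes: routing protocol authentication, so that a rogue device on the segment cannot form an adjacency and inject routes, and Control Plane Policing (CoPP), so that a flood of traffic aimed at the router itself cannot starve the routing process and drag the management and data planes down with it. The interface names, addresses, key and rates are assumptions, and CoPP syntax and support vary by platform (this is IOS router syntax).

```cisco
! Added example (not from the original post): control-plane protection on a Cisco IOS router.
! Interface names, addresses, keys and policing rates are assumptions.
!
! 1. Routing protocol authentication: without the shared key an attacker cannot become an
!    OSPF neighbour and "route the traffic in a malicious way". OSPF is also kept off every
!    interface that has no legitimate router neighbour.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
!
interface GigabitEthernet0/1
 description link to core router
 ip ospf message-digest-key 1 md5 Ospf-Area0-K3y
!
! 2. Control Plane Policing: classify traffic punted to the router CPU and rate-limit it.
!    Routing traffic is never dropped; management traffic is accepted only from the
!    management subnet; ICMP and everything else get a small budget.
ip access-list extended CP-ROUTING
 permit ospf any any
ip access-list extended CP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended CP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all CP-ROUTING
 match access-group name CP-ROUTING
class-map match-all CP-MGMT
 match access-group name CP-MGMT
class-map match-all CP-ICMP
 match access-group name CP-ICMP
!
policy-map COPP
 class CP-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class CP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class CP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying it, watch the conform/exceed counters with show policy-map control-plane for a while before trusting the rates: a class-default budget that is too small will silently drop protocols you forgot to classify (NTP, syslog, BGP on a different box), which is itself a self-inflicted control-plane outage.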

Now that we have an idea of the NFP planes, we can start applying some best practices to secure our infrastructure.

Basic Security Guidelines

  • Ports: Limit who can access the available switch ports. Ports that are not needed should be assigned to an unused "blackhole" VLAN, have trunk negotiation turned off with the switchport nonegotiate command under interface configuration (so an attacker cannot talk DTP into giving them a trunk), and be shut down. Where possible, active ports should be configured with port security so that only the devices that are required can access your network.
  • Passwords: Enable automatic password encryption with the service password-encryption global command so that passwords are no longer stored in clear text in the configuration. Be aware that this only applies type 7 obfuscation, which is trivially reversible; use enable secret and username ... secret for properly hashed passwords.
  • Use an AAA protocol (TACACS+ is preferred as it supports per-command authorization) where possible to enforce Authentication, Authorization and Accounting.
  • Use SSH (version 2) instead of Telnet, with an RSA modulus of at least 1024 bits; 2048 bits is the recommended minimum today.
  • Use SNMPv3 if possible, as it supports authentication and encryption that previous versions lack; SNMPv1/v2c community strings travel in clear text.
  • Restrict unnecessary traffic to your network: Allow only the minimum set of protocols required for your network to function and give end users access to legitimate services only. This greatly improves security because it reduces the attack surface and also protects your network from bogus traffic.
  • Use a dedicated VLAN for managing your network, separate from user traffic.
  • Mitigating common attacks:
      • Use DAI (Dynamic ARP Inspection) on switches to protect against ARP spoofing. DAI validates ARP packets against the DHCP snooping binding table, so it depends on DHCP snooping being enabled on the same VLANs (statically addressed hosts need ARP ACLs).
      • Use DHCP snooping on switches to protect against rogue DHCP servers; only the ports facing the legitimate DHCP server or the uplinks should be marked trusted.
      • Port security prevents MAC flooding attacks by limiting the number of MAC addresses a port may learn.
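The guidelines above, brought together in one access-switch configuration as an added example (this is not configuration from the original post). It uses Cisco IOS 15.x syntax; the host name, addresses, VLAN numbers, interface names and the placeholder secrets are assumptions.

```cisco
! Added example (not from the original post): a Cisco IOS (15.x syntax) access-switch
! configuration applying the guidelines above. Host name, addresses, VLAN numbers,
! interfaces and secrets are assumptions; replace the placeholder secrets before use.
!
! --- Passwords: service password-encryption only hides type 7 (reversible) strings;
!     the hashed "secret" forms are what actually protect the credentials.
service password-encryption
enable secret Str0ng-Enable-S3cret
username admin privilege 15 secret Str0ng-Local-S3cret
!
! --- AAA with TACACS+: central login, per-command authorization and accounting,
!     falling back to the local user only if the TACACS+ server is unreachable.
aaa new-model
tacacs server TACACS1
 address ipv4 198.51.100.10
 key Tacacs-Shared-K3y
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! --- SSHv2 only, 2048-bit RSA key, reachable only from the management subnet.
hostname access-sw1
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! --- SNMPv3 with authentication and privacy; no v1/v2c community strings at all.
snmp-server group NMS-RO v3 priv
snmp-server user nms NMS-RO v3 auth sha Snmp-Auth-S3cret priv aes 128 Snmp-Priv-S3cret
!
! --- Dedicated management VLAN (99), separate from the user VLAN (10);
!     VLAN 999 is the blackhole VLAN for unused ports.
vlan 10
 name USERS
vlan 99
 name MGMT
vlan 999
 name BLACKHOLE
interface Vlan99
 ip address 198.51.100.21 255.255.255.0
!
! --- Layer 2 mitigations: DHCP snooping builds the binding table that DAI then
!     uses to validate ARP on the user VLAN. Only the uplink is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User-facing port: port security caps learned MACs (stops MAC flooding);
!     BPDU guard shuts the port if something starts talking Spanning Tree on it.
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Unused ports: parked in the blackhole VLAN, no DTP, and shut down.
interface range GigabitEthernet1/0/2 - 23
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

Roll DHCP snooping out first and confirm the table is populated (show ip dhcp snooping binding) before enabling DAI: hosts with static addresses (printers, servers) have no binding and will have their ARP dropped unless you add them with an arp access-list and ip arp inspection filter. Check show port-security interface and show ip arp inspection vlan 10 to see what is being restricted once the port is live.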
