Enterprise network security in SMB environments... Brian Whelton

Posted 18-Dec-2021

Page 1: Enterprise network security in SMB environments

Enterprise network security in SMB environments...

Brian Whelton

Page 2: QUICK INTRODUCTION!

Oscar the Grouch is from Sesame Street

20 years in IT: started with cable pulling, terminating and testing, then network hardware installation.

Whelton Network Solutions specialise in:

• Network design.

• Security.

• Auditing.

• Incident response.

• Vulnerability testing.

• IPv6

Owner and technical director of Whelton Network Solutions since 2004.

Brian Whelton

Passed my first CCNA in 2003, now hold multiple vendor and industry certifications.

Page 3: Before, during and after…

▪ No such thing as a standard network topology, no ‘one size fits all’: Cisco has Cisco Validated Designs, Juniper has Juniper Validated Solutions.

▪ Using terms like ‘it’ll work’ or ‘that’ll do’ at the design stage means you will hear ‘we have a workaround for that’ at the support stage.

▪ Businesses don’t like risk (ask Associated Press!). Don’t introduce any unnecessary risk; that means risk from attackers, users, managers and from administrators!

▪ All suggestions in this presentation should be available on managed ‘small business’ switch ranges from Cisco, HP, Netgear etc. Vendors’ code is not created equal; some is better and more secure than others!

▪ No traffic on a Local Area Network should be unpredictable; it is under YOUR control.

▪ Not everything will be available to everyone.

Design is everything!

http://www.bbc.co.uk/news/world-us-canada-21508660 Fake tweet from Associated Press crashes stocks

Page 4: Open Systems Interconnection model

International Organization for Standardization Open Systems Interconnection https://www.iso.org/ics/35.100/x/

Layer  Name          Unit      Examples
1      Physical      Bits      DSL, ISDN, Wi-Fi, ‘x’BaseT, cabling, hardware
2      Data-Link     Frames    ARP, LLDP, MAC addresses, CDP/EDP, DTP, MPLS, STP, VLANs, VTP, 802.1q
3      Network       Packets   IPv4, IPv6, ICMP, IGMP, GRE, IPsec, EIGRP, OSPF
4      Transport     Segments  AH, ESP, BGP, RIP, iSCSI, TCP, UDP
5      Session       Data      L2TP, PAP, PPTP, SMB, SIP, SOCKS, SSH
6      Presentation  Data      SSL, TLS, ASCII
7      Application   Data      DNS, BitTorrent, BOOTP, DHCP, FTP, HTTP, HTTPS, NTP, SMTP, SNMP, TFTP

The examples are the slide’s and the mapping is loose: BGP and RIP are routing protocols carried over TCP and UDP, AH and ESP are the IPsec headers already listed at layer 3, and TLS sits between the transport and the application it protects.

Page 5: Layer One – Physical

▪ The ONLY defence against attacks is to prevent them.

▪ Document what you have; you can’t support or defend what you don’t know!

▪ There is no defence against equipment failure: have spares!

▪ Restrict access to network equipment.

▪ Be proactive: remove all unused cables, administratively close unused interfaces.

▪ Use 802.11w Management Frame Protection on Wi-Fi networks.

▪ You can’t prevent or fix stupid.

Attacks on Layer One of a network are primarily aimed at denial of, or disruption to, service.

Page 6: Layer Two – Data Link

▪ Server guys finally get it! – Many benefits to virtualization.

▪ VLANs – Separate traffic into scalable, identifiable, manageable, securable and logical groups.

▪ VLAN 1 – Never use VLAN 1; if you haven’t configured any VLANs, you’re using VLAN 1.

▪ Trunks – Assign a dedicated native VLAN.

Can you guess what’s coming?

VLAN – Virtual Local Area Network

Page 7: Layer Two – Data Link

Attacks on layer two mostly rely on the insecurity of L2 protocols; physical access is not required.

▪ CAM table protection – Enable Port Security, limiting the number of MAC addresses allowed on switch interfaces.

▪ Port Security – Set static MAC addresses for fixed devices.

▪ DHCP protection – Stop user interfaces from sending DHCP responses (DHCP snooping: only trusted interfaces may carry server replies).

▪ Private VLANs / isolated interfaces – Force communication from Layer 2 up to Layer 3, where it can be filtered.

▪ Spanning Tree Protocol (STP) – Configure the STP root explicitly; on user interfaces configure BPDU Guard, and on non-root switches configure Root Guard.

▪ Link Layer Discovery Protocols – Disable LLDP (and CDP) on user-facing interfaces.
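The Layer One and Layer Two points on pages 5 to 7 as one Cisco IOS (Catalyst-style) access-switch configuration. This is an added example, not configuration from the slides; VLAN numbers, interface names and the printer’s MAC address are assumptions, and the equivalent commands on HP/Aruba or Netgear managed switches differ in syntax but not in intent.

```cisco
! Added example, not configuration from the slides: Cisco IOS (Catalyst-style)
! access-switch hardening for the Layer One and Layer Two points above.
! VLAN numbers, interface names and the printer MAC address are assumptions.
!
! VLANs: nothing lives in VLAN 1, trunks get their own native VLAN,
! unused ports are parked in a VLAN that carries nothing.
vlan 10
 name USERS
vlan 20
 name WIFI
vlan 100
 name WEB
vlan 101
 name DB
vlan 998
 name NATIVE-ONLY
vlan 999
 name PARKING
!
! Spanning tree: pick the root deliberately. Apply this priority on the
! core switch only; the designated backup root gets 8192.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
! DHCP snooping: server replies are only accepted on trusted (uplink) ports.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! Layer One: unused interfaces are administratively closed and parked.
interface range GigabitEthernet1/0/25 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! User-facing access port: no DTP, at most two MACs (phone + PC), learned
! MACs saved, no L2 path to other protected ports, BPDU guard, no discovery.
interface GigabitEthernet1/0/1
 description USER-DESK-01
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Fixed device (printer): one static MAC, port shuts on violation.
interface GigabitEthernet1/0/2
 description PRINTER-01
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Uplink trunk: dedicated native VLAN, explicit allowed list (never VLAN 1,
! never the parking VLAN), no DTP, trusted for DHCP. On platforms that also
! offer ISL, add "switchport trunk encapsulation dot1q" before "mode trunk".
interface GigabitEthernet1/0/49
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,100,101
 switchport nonegotiate
 ip dhcp snooping trust
!
! Root guard belongs on the ports of non-root switches that face AWAY from
! the root (e.g. a downlink to another switch), never on the uplink:
!  interface GigabitEthernet1/0/50
!   spanning-tree guard root
!
! Verify:
!  show port-security interface GigabitEthernet1/0/1
!  show ip dhcp snooping binding
!  show spanning-tree root
!  show spanning-tree inconsistentports
```

The parking VLAN plus `shutdown` is the ‘close unused interfaces’ point from Layer One; `switchport nonegotiate` removes DTP so a user port can never be talked into becoming a trunk and hopping VLANs; `violation restrict` drops and counts offenders without taking the port down, which is usually what an SMB help desk wants on user ports. Root guard goes on ports that face away from the root; put it on the uplink and the switch loses its path to the real root.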

Page 8: Layer Three – Network

▪ IP address schemas – Avoid using 192.168.0.0 255.255.255.0 if you want to use VPNs! It is the default on most home routers, so remote users’ LANs will overlap with yours.

▪ Implement Access Control Lists – More on this in a bit!

▪ Virtual Private Networks (VPNs) – IPsec anything that requires access from outside your LAN to your LAN.

▪ Routing update protection – EIGRP, OSPF and RIPv2 can all authenticate their updates with MD5.

L3 protocols: it’s all about maths! Physical access is not required.
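Authentication of routing updates for the three protocols the slide names, as an added example in Cisco IOS syntax (not from the slides). Process and AS numbers, the core VLAN, addresses and key strings are assumptions; a real router runs one of the three, not all of them.

```cisco
! Added example, not configuration from the slides: MD5 authentication of
! routing updates on Cisco IOS for the three protocols named above. Process
! and AS numbers, the core VLAN, addresses and key strings are assumptions;
! a real router runs one of the three, not all of them.
!
! Key chain shared by EIGRP and RIPv2 (add "key 2" to rotate without an outage).
key chain ROUTING-KEYS
 key 1
  key-string ChangeMe-Long-Random-Key-1
!
! OSPF: digest authentication on the area, then a key on every OSPF interface.
! passive-interface default keeps hellos off user VLANs, so nothing there can
! even attempt to become a neighbour.
router ospf 1
 router-id 10.255.255.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan900
 network 10.0.0.0 0.255.255.255 area 0
!
interface Vlan900
 description CORE-LINK
 ip address 10.255.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 ChangeMe-OSPF-Key-1
!
! EIGRP: mode and key chain are set per interface for the AS.
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface Vlan900
!
interface Vlan900
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-KEYS
!
! RIP: version 2 only; RIPv1 has no authentication at all.
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface Vlan900
 network 10.0.0.0
!
interface Vlan900
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-KEYS
!
! A neighbour with a missing or wrong key never forms an adjacency:
!  show ip ospf neighbor
!  show ip eigrp neighbors
!  show ip rip database
```

MD5 here is a keyed digest that proves a neighbour knows the shared key; it does not encrypt the updates, so treat it as protection against rogue peers, not against eavesdropping. `passive-interface default` is the cheaper half of the same protection: a routing protocol that never speaks on a user VLAN cannot be peered with from there. Newer IOS releases also accept key chains with `cryptographic-algorithm hmac-sha-256` for OSPF; use that where the platform offers it.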

Page 9: Perimeter Protection – External

Access rules for ISP/Partner-facing devices.

Inbound:

▪ Anti-spoofing – Deny RFC 1918 source addresses: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

▪ Prevent reconnaissance – Deny ICMP Time Exceeded, Unreachable and Echo-Reply, the messages your own devices send in answer to traceroute and ping.

Inbound and Outbound:

▪ Deny NetBIOS, SMB and RDP – Deny UDP and TCP 135, 137, 138, 139, 445 and 3389.

▪ Deny management traffic, SNMP and syslog – Deny UDP 161, 162 and 514.

▪ Deny data exfiltration using FTP, SSH, Telnet and TFTP – Deny TCP 20, 21, 22, 23 and UDP 69.

Ensure you log any violations so that you can proactively fix any issues.
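The ISP-facing rules above as Cisco IOS extended ACLs, added here as an example (not from the slides). The interface name, the published web address 203.0.113.2, the admin NAT address 203.0.113.3 and the public range 203.0.113.0/29 (an RFC 5737 documentation prefix standing in for your own allocation) are assumptions. The three ICMP messages are generated by your own devices, so the deny that actually hides them sits in the outbound list.

```cisco
! Added example, not configuration from the slides: the ISP-facing rules above
! as Cisco IOS extended ACLs. The interface name, the published web address
! 203.0.113.2, the admin NAT address 203.0.113.3 and the public range
! 203.0.113.0/29 (an RFC 5737 documentation prefix) are assumptions.
!
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: the Internet never has an RFC 1918 source, nor ours
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 203.0.113.0 0.0.0.7 any log
 remark NetBIOS, SMB, RDP
 deny   tcp any any eq 135 log
 deny   tcp any any range 137 139 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 3389 log
 deny   udp any any eq 135 log
 deny   udp any any range 137 139 log
 deny   udp any any eq 445 log
 deny   udp any any eq 3389 log
 remark management: SNMP and syslog
 deny   udp any any range 161 162 log
 deny   udp any any eq 514 log
 remark FTP, SSH, Telnet, TFTP
 deny   tcp any any range 20 23 log
 deny   udp any any eq 69 log
 remark what is published; everything else addressed to us goes on to the firewall
 permit tcp any host 203.0.113.2 eq 443
 permit ip any 203.0.113.0 0.0.0.7
 deny   ip any any log
!
ip access-list extended OUTSIDE-OUT
 remark reconnaissance: our devices do not answer ping or traceroute from outside,
 remark but ICMP type 3 code 4 must still leave or Path MTU Discovery breaks
 permit icmp 203.0.113.0 0.0.0.7 any packet-too-big
 deny   icmp any any echo-reply
 deny   icmp any any time-exceeded
 deny   icmp any any unreachable
 remark same service denies outbound; admin SSH gets an explicit exception first
 permit tcp host 203.0.113.3 any eq 22
 deny   tcp any any eq 135 log
 deny   tcp any any range 137 139 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 3389 log
 deny   udp any any eq 135 log
 deny   udp any any range 137 139 log
 deny   udp any any eq 445 log
 deny   udp any any eq 3389 log
 deny   udp any any range 161 162 log
 deny   udp any any eq 514 log
 deny   tcp any any range 20 23 log
 deny   udp any any eq 69 log
 remark egress anti-spoofing (BCP 38): only our own addresses may leave
 permit ip 203.0.113.0 0.0.0.7 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description ISP-UPLINK
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
! Watch the counters; a hit on a log line is something to investigate:
!  show access-lists OUTSIDE-IN
!  show logging | include OUTSIDE
```

Two caveats a practitioner will want: `permit ip any 203.0.113.0 0.0.0.7` assumes a stateful firewall behind this router makes the real policy decision, since an extended ACL is stateless; and the `packet-too-big` permit is not optional, because a blanket deny of unreachables silently black-holes any connection whose path MTU is smaller than yours.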

Page 10: Perimeter Protection – Internal

Internal access rules, block from any IP source to any IP destination.

Inbound on VLANs:

▪ Anti-spoofing – Deny packets that claim the VLAN’s own IP address range as their source but arrive from outside the VLAN.

▪ Prevent reconnaissance – Deny ICMP Echo-Reply from servers to user and wireless VLANs.

Outbound on user VLANs:

▪ Deny FTP, SSH, Telnet and TFTP, and access to iLO/DRACs and network management, from user and Wi-Fi VLANs, especially if you have a BYOD (Bring Your Own Disaster) policy.

▪ Remember the need-to-know principle! – Only allow what needs to communicate to communicate.

▪ Not a one-time thing – Access lists should be reviewed on a periodic basis to ensure that they are working for you, not against you.

▪ Deny or permit first – A decision only you can make! Don’t forget to log violations!

Page 11: Logical Traffic Flow – Protecting a database server

VLAN                      Host address   Mask
Users VLAN 10             10.0.0.53      255.255.255.0
Web Server VLAN 100       172.16.0.16    255.255.255.0
Database Server VLAN 101  192.168.0.2    255.255.255.0

Users (VLAN 10) --TCP 443--> Web Server (VLAN 100) --TCP 1433--> Database Server (VLAN 101)

Only TCP 443 crosses from the user VLAN to the web server, and only TCP 1433 from the web server to the database server; users never reach the database VLAN directly.
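The internal rules on page 10 and the page 11 traffic flow as Cisco IOS ACLs on a Layer 3 switch, added here as an example (not from the slides). SVI addresses (.1 in each VLAN), a DNS server at 172.16.0.10, a management VLAN 900 at 10.255.255.0/24 where iLO/DRAC and switch management live, and VLAN 20 for Wi-Fi are assumptions. Cisco’s “out” on an SVI is traffic flowing into the VLAN, which is what the slide calls inbound on the VLAN.

```cisco
! Added example, not configuration from the slides: the internal rules above and
! the page 11 traffic flow as Cisco IOS ACLs on a Layer 3 switch. SVI addresses
! (.1 in each VLAN), the DNS server 172.16.0.10, the management VLAN 900 at
! 10.255.255.0/24 (iLO/DRAC and switch management) and VLAN 20 for Wi-Fi are
! assumptions. Cisco's "out" on an SVI is traffic flowing INTO the VLAN.
!
! From the user VLAN (applied "in" on Vlan10). Every permit names 10.0.0.0/24 as
! the source (DHCP discovery excepted), so a spoofed source falls to the last deny.
ip access-list extended USERS-IN
 remark DHCP discovery has source 0.0.0.0; snooping already polices the replies
 permit udp any eq 68 any eq 67
 remark no management protocols or management VLAN from users (BYOD lives here)
 deny   tcp 10.0.0.0 0.0.0.255 any range 20 23 log
 deny   udp 10.0.0.0 0.0.0.255 any eq 69 log
 deny   ip  10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255 log
 remark need to know: DNS, and the web server on TCP 443, nothing else in the server VLANs
 permit udp 10.0.0.0 0.0.0.255 host 172.16.0.10 eq 53
 permit tcp 10.0.0.0 0.0.0.255 host 172.16.0.16 eq 443
 deny   ip  10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255 log
 deny   ip  10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark Internet-bound traffic continues to the perimeter ACLs
 permit ip  10.0.0.0 0.0.0.255 any
 deny   ip  any any log
!
! Into the user VLAN (applied "out" on Vlan10): anti-spoofing, and no echo-replies
! from the server VLANs.
ip access-list extended USERS-OUT
 deny   ip   10.0.0.0 0.0.0.255 any log
 deny   icmp 172.16.0.0 0.0.0.255 any echo-reply
 deny   icmp 192.168.0.0 0.0.0.255 any echo-reply
 permit ip   any any
!
! From the web VLAN: only TCP 1433 to the database server, plus the replies to
! users' HTTPS sessions. "established" matches the ACK/RST bits only; it is not
! a connection table, so a stateful firewall is stronger where one is available.
ip access-list extended WEB-IN
 permit tcp host 172.16.0.16 host 192.168.0.2 eq 1433
 deny   ip  172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 permit tcp 172.16.0.0 0.0.0.255 eq 443 10.0.0.0 0.0.0.255 established
 deny   ip  any any log
!
! From the database VLAN: the server answers the web server and initiates nothing.
ip access-list extended DB-IN
 permit tcp host 192.168.0.2 eq 1433 host 172.16.0.16 established
 deny   ip  any any log
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 ip access-group USERS-IN in
 ip access-group USERS-OUT out
!
interface Vlan100
 ip address 172.16.0.1 255.255.255.0
 ip access-group WEB-IN in
!
interface Vlan101
 ip address 192.168.0.1 255.255.255.0
 ip access-group DB-IN in
!
! Periodic review starts with the hit counters:
!  show access-lists
!  show ip access-lists WEB-IN
```

Patching, backups and monitoring of the servers are deliberately absent: under need-to-know they are permitted explicitly from the management VLAN, not by loosening these lists. On hardware-switched platforms every packet matching a `log` line is punted to the CPU, so keep `log` on the deny lines only.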

Page 12: Further Reading!

▪ Lenny Zeltser – How To Suck At Information Security.

https://zeltser.com/media/docs/suck-at-security-cheat-sheet.pdf

▪ Computer Network Defence Ltd Cyber Threat Intelligence Page.

http://www.securitywizardry.com/radar.htm

▪ Jeremy Stretch - Packet Life Cheat Sheets on various topics.

http://packetlife.net/library/cheat-sheets/

▪ SANS Internet Storm Center

https://isc.sans.edu/

Pages 13–17: Badger Badges

This deserves a BADGER BADGE!!!!!! – brianwhelton, Ste Maunder, craig_of_snyde, Andy8633, Samricharduk

Page 18: I know you want another cat picture!

© Lemmy the cat

Page 19: Thank you for listening!

@brianwhelton

brianwhelton

brianwhelton

[email protected]

Any questions?