Design and Implementation of a Network Security Model using Static VLAN and AAA Server

Salah A. Jaro Alabady
College of Engineering / Computer Engineering Department, University of Mosul / Iraq
[email protected]

Abstract – This paper gives the details of a typical network security model using static VLAN technology and a TACACS+ AAA server. It also discusses security issues, and their risks, caused by different types of vulnerability, threat, attack and misconfiguration in VLAN technology, and how to prevent them and protect the network by using a TACACS+ AAA server, switch and router.

Keywords - Computer Network Security, VLAN, Static virtual networks, AAA server, TACACS+, attacks

I. INTRODUCTION

Computer security is an important field of computer science concerned with the control of risks related to computer use. The rapidly evolving technological world is ever more dependent on computer networks, and computer networks now hold a key position in many communication services. Computer network security must be understood not as a stable state but as a continuous process that has to keep improving. For this reason it is important to constantly review the security and reliability of computer networks and then react to the identified problems. Computer networks can be used by unauthorized people, and this leads to misuse of the network and privacy violations. In the present information era it is necessary to provide quick access to information and its availability from any place; for that purpose networks are used as distributed channels that make it possible to spread information. No matter how secure the network is, there are always some parts of it that are vulnerable to network attacks, so it is necessary to choose components and arrangements with the restrictions of the particular network elements in mind. The designed network model increases station mobility and virtual circuit security in local area networks, relying on centralized management and authentication.

II. VLAN TECHNOLOGIES OVERVIEW

An important feature of Ethernet switching is the ability to create virtual LANs (VLANs). A VLAN is a logical group of network stations and devices. VLANs can be grouped by job function or department, regardless of the physical location of users. Traffic between VLANs is restricted. Switches and bridges forward unicast, multicast, and broadcast traffic only on LAN segments that serve the VLAN to which the traffic belongs. In other words, devices on a VLAN only communicate with devices that are on the same VLAN, and this improves overall network performance [1, 3]. VLANs can enhance scalability, security, and network management. VLAN support provides network administrators with the flexibility to define the network by the needs of the users on each segment. VLANs reduce broadcast traffic, enhance traffic control and security, and provide great flexibility in locating and relocating devices on the IP network. This flexibility enables network administrators to group users according to the network services they use most frequently. Comprehensive monitoring tools enable network administrators to maintain efficient communication paths throughout the switched infrastructure, thereby preserving network bandwidth and reducing network response time for users [2, 5]. Routers provide connectivity between different VLANs, broadcast filtering, security, and traffic flow management. Routers are also an important part of a network, and their security is a vital part of the overall security of the networks they serve. Properly designed and configured VLANs are powerful tools for network administrators, and proper VLAN configuration and implementation is critical to the network design process. VLANs allow network administrators to organize LANs logically instead of physically. This is a key benefit, and it allows network administrators to perform several tasks: easily move workstations on the LAN, easily add workstations to the LAN, easily change the LAN configuration, easily control network traffic, and improve security.
[7, 8] There are three basic VLAN membership types for determining and controlling how a packet gets assigned: port-based VLANs (static VLANs), MAC-address-based VLANs (dynamic VLANs), and protocol-based VLANs. Inter-Switch Link (ISL) and 802.1Q are methods of frame tagging; tagging provides a mechanism for controlling the flow of broadcasts and applications without interfering with the network and applications. However, VLAN tagging was not designed as a security measure. One should take this into account when implementing VLANs to achieve security.

Authorized licensed use limited to: Iraq Virtual Science Library. Downloaded on June 28, 2009 at 13:42 from IEEE Xplore. Restrictions apply.

III. VULNERABILITY, THREAT AND ATTACKS ON LAYER 2

When discussing network security, three common terms used are vulnerability, threat, and attack. A vulnerability is a weakness which is inherent in every network and device, including routers, switches, desktops, and servers. There are three primary vulnerabilities or weaknesses: technology weaknesses, configuration weaknesses, and security policy weaknesses. Threats are the people eager, willing, and qualified to take advantage of each security weakness; they continually search for new exploits and weaknesses, and use a variety of tools, scripts, and programs to launch attacks against networks and network devices. There are four primary classes of threats to network security: unstructured threats, structured threats, external threats and internal threats. Internal threats account for 60 to 80 percent of reported incidents [10]. In addition, there are four primary classes of attacks:
● Reconnaissance: Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It consists of packet sniffers, port scans, ping sweeps, and Internet information queries. It is also known as information gathering and, in most cases, it precedes an actual access or Denial of Service (DoS) attack [11].
● Access: System access is the ability of an unauthorized intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems to which one does not have access usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

● Denial of Service (DoS): Denial of service implies that an attacker disables or corrupts networks, systems, or services with the intent to deny service to the intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable, but DoS can also be as simple as deleting or corrupting information. In most cases, performing the attack simply involves running a hack or script. The attacker does not need prior access to the target, because a way to reach it is all that is usually required. For these reasons, DoS attacks are the most feared.
● Worms, Viruses, and Trojan Horses: Malicious software is inserted onto a host in order to damage or corrupt a system, replicate itself, or deny services or access to networks, systems, or services.

Like routers, both Layer 2 and Layer 3 switches have their own sets of network security requirements. Often, little consideration is given to the network security risks in switches and what can be done to mitigate those risks. Switches are susceptible to many of the same Layer 3 attacks as routers. However, switches, and Layer 2 of the OSI reference model in general, are subject to network attacks in unique ways. These attacks include [9, 10]:

a) VLAN hopping attacks: VLAN hopping is a network attack whereby an attacking system sends out packets destined for a system on a different VLAN that cannot normally be reached by the attacker. This traffic is tagged with the VLAN ID of a VLAN other than the one to which the attacking system belongs. The attacking system can also attempt to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between multiple VLANs. There are two different types of VLAN hopping attacks. Switch spoofing: the network attacker configures a system to spoof itself as a switch by emulating either ISL or 802.1Q, and DTP signaling. This makes the attacker appear to be a switch with a trunk port and therefore a member of all VLANs. Double tagging: another variation of the VLAN hopping attack involves tagging the transmitted frames with two 802.1Q headers.

b) Private VLAN vulnerabilities: Private VLANs are a common mechanism to restrict communications between systems on the same logical IP subnet. Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the network security of private VLANs involves the use of a proxy to bypass access restrictions to a private VLAN. In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port, such as a router.

c) Spanning-Tree Protocol vulnerabilities: Another attack against switches involves intercepting traffic by attacking the Spanning-Tree Protocol. By attacking the Spanning-Tree Protocol, the network attacker hopes to spoof his or her system as the root bridge in the topology; the network attacker can then change the topology of the network so that it appears that the attacking host is a root bridge with a higher priority. To do this, the network attacker broadcasts Spanning-Tree Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to force spanning-tree recalculations. The attacker can then see a variety of frames forwarded from other switches to it.

d) CAM table overflow attack: In a CAM table overflow attack, an attacker sends thousands of bogus MAC addresses from one port, which look like valid hosts' communication to the switch. When the content addressable memory (CAM) table threshold is reached, the switch operates as a hub and simply floods traffic out all ports. CAM table overflow only floods traffic within the local VLAN, so the intruder will see only traffic within the local VLAN to which he or she is connected.

e) DHCP starvation attacks: A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. The network attacker can then set up a rogue DHCP server on their system and respond to new DHCP requests from clients on the network, providing clients with addresses and other network information. Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply their own system as the default gateway and DNS server, resulting in a man-in-the-middle attack [12].

f) MAC spoofing – man-in-the-middle attacks: MAC spoofing involves the use of a known MAC address of another host that is authorized to access the network. The attacker attempts to make the target switch forward frames destined for the actual host to the attacker's device instead. This is done by sending a frame with the other host's source Ethernet address, with the objective of overwriting the CAM table entry. After the CAM is overwritten, all the packets destined for the actual host will be diverted to the attacker. Another method of spoofing MAC addresses is to use the Address Resolution Protocol (ARP), which is used to map IP addresses to MAC addresses residing on one LAN segment [4].
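As an added illustration of the double-tagging variant in (a), not taken from the paper: a small Python parser that walks the stacked 802.1Q tags of a received frame and, for a port that should only carry untagged traffic, flags the pattern of an outer tag equal to the trunk native VLAN with an inner tag for another VLAN. The frame bytes are constructed here and the function names are my own; such a check belongs in monitoring of access-port ingress, alongside the configuration measures given later in the paper.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # C-VLAN tag; a second 0x8100 means a stacked (double) tag
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for an Ethernet II frame.

    Walks every stacked 802.1Q tag after the 12-byte MAC header; the low
    12 bits of each TCI carry the VLAN ID (PCP/DEI bits are ignored here).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlan_ids = 12, []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 6:          # tag (4 bytes) + next EtherType (2)
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlan_ids, ethertype


def check_access_port_frame(frame: bytes, native_vlan: int) -> str:
    """Classify a frame seen on a port that should only carry untagged traffic.

    "ok"                untagged, as expected on an access port
    "tagged-on-access"  one tag: the host is tagging, which an access port
                        should not accept
    "native-vlan-outer" two tags, outer = trunk native VLAN, inner = another
                        VLAN: the double-tagging pattern described in (a)
    "double-tagged"     two or more tags in any other combination
    """
    vlan_ids, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "ok"
    if len(vlan_ids) >= 2:
        if vlan_ids[0] == native_vlan and vlan_ids[1] != native_vlan:
            return "native-vlan-outer"
        return "double-tagged"
    return "tagged-on-access"


def build_frame(dst_hex, src_hex, vlan_ids, ethertype=ETHERTYPE_IPV4,
                payload=b"\x00" * 46):
    """Constructed sample frame (test data only) with zero or more 802.1Q tags."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return frame + struct.pack("!H", ethertype) + payload
```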
IV. AAA SERVER

The heart of the proposed security model is the AAA server. AAA is the acronym for authentication, authorization, and accounting. Authentication controls access by requiring valid user credentials, which are typically a username and password; authentication asks the user who they are. Authorization controls access per user after users authenticate, asks the user what privileges they have, and controls the services and commands available to each authenticated user. Accounting tracks traffic that passes through the security appliance, enabling you to have a record of user activity. If you enable authentication for that traffic, you can account for traffic per user; if you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, the username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session. The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. Examples of these types are: RADIUS server, TACACS+ server, SDI server, NT server, Kerberos server, LDAP server support and local database support. Depending on the size of the network and available resources, AAA can be implemented on a device locally or can be managed from a central server running the RADIUS or TACACS+ (Terminal Access Controller Access Control System Plus) protocol. The most functional server type is the TACACS+ server, and it is chosen here for that purpose. Configuring a local database of usernames and passwords on the switch has already been covered in this paper. The AAA server first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy. If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password. If the authentication fails, the AAA server reports the failure to the user and prompts the user for a configurable number of retries. Using AAA for device logins offers three main advantages: it provides scalability, it supports standardized protocols, and it allows for multiple backup systems. Overall, these benefits mean that AAA provides scalability, as well as increased flexibility and control of access configuration. The security server maintains a password and username database, as well as authorization configurations, and stores accounting information.

TACACS+ is a security application used with AAA that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides the most comprehensive and flexible security configurations when using Cisco routers and switches. AAA provides an extra level of protection and control for user access beyond using ACLs alone. For example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server, and you might not always know the IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to get through the security appliance. The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1. TACACS+ is generally considered superior for the following reasons:

● TACACS+ encrypts the entire TACACS+ packet, while RADIUS only encrypts the shared secret password portion.
● TACACS+ separates authentication and authorization, making distributed security services possible.

The comparison of features between TACACS+ and RADIUS is listed in Table 1.

TABLE 1. COMPARISON OF FEATURES BETWEEN TACACS+ AND RADIUS

Feature                 TACACS+                    RADIUS
Functionality           Separates AAA              Combines authentication and authorization
Transport protocol      TCP                        UDP
CHAP                    Bidirectional              Unidirectional
Protocol support        Multi-protocol support     No ARA, no NetBEUI support
Confidentiality         Entire packet encrypted    Password encrypted
Accounting              Limited                    Extensive
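The two confidentiality rows above (and the first bullet before the table) can be checked against the protocols' own hiding schemes. This added Python example, not from the paper, implements the MD5-based body obfuscation of TACACS+ (RFC 8907) and the User-Password hiding of RADIUS (RFC 2865); packet fields, usernames, passwords and shared secrets are all constructed sample values, and the helper names are my own.

```python
import hashlib
import os
import struct

# TACACS+ (RFC 8907): the 12-byte header travels in clear, but every byte of
# the body is XORed with an MD5-derived pseudo-pad, so usernames, passwords
# and command strings are hidden from a passive observer.
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_VERSION = 0xC0         # major version 0xC, minor 0


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=TAC_PLUS_VERSION, seq_no=1):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_start_body(user, port=b"tty0", rem_addr=b"", data=b""):
    """Authentication START body: action LOGIN, priv_lvl 1, type ASCII, service LOGIN."""
    return struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr),
                       len(data)) + user + port + rem_addr + data


def tacacs_packet(body, session_id, key, seq_no=1):
    """Clear header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, seq_no=seq_no)


# RADIUS (RFC 2865): only the User-Password attribute is hidden; User-Name and
# every other attribute are sent in clear inside the UDP datagram.

def radius_hide_password(password, secret, authenticator):
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden, secret, authenticator):
    """Server side: same chain, but the previous cipher block feeds MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(user, password, secret, authenticator=None, ident=0):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def exposed_on_the_wire(packet, *fields):
    """Return those fields (e.g. a username) that appear verbatim in the packet bytes."""
    return [f for f in fields if f in packet]
```

exposed_on_the_wire shows the practical difference: the RADIUS User-Name is readable in the datagram, while in TACACS+ only the 12-byte header is. Both schemes rest entirely on the shared secret and on MD5, so they are obfuscation to be carried over a protected management path rather than strong encryption.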

V. NETWORK SECURITY MODEL STRUCTURE

The main goal of the network security model is to protect against the mentioned types of vulnerabilities, threats and attacks in Layer 2 of the OSI reference model. On the other hand, the added security methods should not seriously affect network management or performance. To achieve these goals, it is suggested that the AAA server and a router be added to the network security model. Figure 1 shows the structure of the suggested network security model (VLAN 2, VLAN 3 and VLAN 4 connected through the router, with the AAA server).

The primary security issue with VLANs is poor configuration. There are many configuration issues that need to be addressed during the configuration process in a switching architecture. The philosophy of the suggested security solution is based on using multiple techniques of protection, and it can be explained as follows:
1- Any access to the network or between VLANs must pass through the AAA server. Any connection request is checked by the AAA server and only authorized users can access the network according to their policies. The AAA server is configured to authenticate the following items:
• All administrative connections to the security appliance, including the following sessions: Telnet, SSH, serial console, ASDM (using HTTPS), and VPN management access.
• The enable command.
• Network access.
• VPN access.
• Management commands.
2- Each device at every layer of the model should have a plan for physical security, password protection, and privilege levels.
3- Disabling all non-IP-based remote access protocols, and using SSH, SSL, or IP Security (IPSec) encryption for all remote connections to the switch and router, can provide complete vty protection.
4- Controlling vtys: any vty should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a vty that was expected to receive only Telnet sessions would be configured with transport input telnet, while a vty permitting both Telnet and SSH sessions would have transport input telnet ssh.
5- Disabling any unnecessary services on the network devices, such as IP directed broadcasts, TCP small services and UDP small services, to deny access to the minor TCP/IP and UDP services available from hosts on the network.


6- Disabling some protocols on the network devices, to prevent attackers from using them but without affecting the performance of the network, such as finger protocol requests, Network Time Protocol, Cisco Discovery Protocol (when Cisco network devices are used), Internet Control Message Protocol (ICMP), multicast route caching, and proxy ARP. Major security gains can be obtained with simple configuration changes, like always disabling VTP and not using the default VLAN for anything.

Figure 1. Structure of the suggested network security model.


7- The router, switch and AAA server are supplied with extended access lists. These lists are made up of one or more Access Control Entries (ACEs). An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and the source and destination ports [1]. Each device has its own rules, on which its access lists were written, in order to control the traffic inside the network. Router ACLs filter routed traffic between VLANs; VLAN ACLs, also called VLAN maps, filter both bridged and routed packets. VLAN maps can be used to filter packets exchanged between devices in the same VLAN. ACLs can filter traffic as it passes through a router and permit or deny packets from crossing specified interfaces.
8- Apply the ACLs to allow TACACS+ traffic to the inside interface from the AAA server. Also allow outbound Internet Control Message Protocol (ICMP) traffic as well as FTP and WWW traffic. Block all other inside-initiated traffic.
9- Preventing and mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to non-trunking mode by explicitly turning off DTP on those ports. Do not use VLAN 1 for anything or as the management VLAN. Use all-tagged mode for the native VLAN on trunks.
10- In addition to using the AAA server on the network, ACLs can be configured on the router port to prevent private VLAN attacks. VLAN ACLs (VACLs) can also be used to help mitigate the effects of private VLAN attacks.
11- To prevent Spanning-Tree Protocol manipulation, use the root guard and BPDU guard features to enforce the placement of the root bridge in the network as well as to enforce the Spanning-Tree Protocol domain borders.
12- Apply port security on the switch to mitigate CAM table overflow attacks. Port security can be applied in three ways: static secure MAC addresses, dynamic secure MAC addresses, and sticky secure MAC addresses. The type of action taken when a port security violation occurs falls into the following three categories: protect, restrict, and shutdown.
13- The techniques that are used to mitigate CAM table flooding can also be used to mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. The DHCP snooping feature can be used to help guard against a DHCP starvation attack. DHCP snooping is a security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. IP source guard is also used to provide additional defense against attacks; IP source guard initially blocks all IP traffic except for DHCP packets captured by the DHCP snooping process. Another way to prevent a rogue DHCP server from responding to DHCP requests is to use VLAN ACLs (VACLs). You can use VACLs to limit DHCP replies to legitimate DHCP servers and deny them to all others. You should use this type of configuration if the network does not support DHCP snooping.
14- Use the port security interface configuration command to prevent MAC spoofing attacks. ARP spoofing attacks can be mitigated with hold-down timers, which set the length of time an entry stays in the ARP cache, and with dynamic ARP inspection (DAI) and DHCP snooping.

VI. EXPERIMENTS AND RESULTS: NETWORK CONFIGURATION

In order to test the correctness of the network configuration after applying the proposed security methods, an experimental test bed representing the network was built. The purpose was to test the network security robustness against different types of attacks. The following procedures were taken to examine the network operation:
1- A correctly monitored network can give warning of a number of network security violations. The Ethereal program was used to monitor traffic over the network and between the VLANs.
2- Some programs and tools were used, such as Dsniff (a collection of tools to do ARP spoofing and MAC flooding) and Macof to do MAC spoofing and CAM table overflow attacks. Ettercap and the DHCP gobbler program were also used to do DHCP starvation attacks, together with arpspoof tools, IP and port scanning, and a sniffer program (as the hacker does before an attack). These actions were detected and prevented by the AAA server and the security techniques applied on the switch and router.
3- Illegal log-in to the network, as well as unauthorized access to some services and resources, was prevented by the AAA server.
4- Trying to use the TELNET service or the PING command was stopped by the switch and AAA server access lists. Also, several additional tests were made on the network to check the activity of the other security methods (the author has the detailed documented lab tests in addition to the configuration files). It was found that protection of a network cannot be achieved by a single technique but only with an integrated bundle of solutions.
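To make item 12 concrete, and to mirror the Macof/CAM-overflow run in procedure 2 above, here is an added Python model (my own, not the paper's switch configuration) of a port with MAC limiting: it learns up to max_secure source addresses (static, dynamic or sticky) and applies the protect, restrict or shutdown action on a violation. The MAC flood replayed by flood_test is constructed sample input, and the class and method names are assumptions of this example.

```python
from collections import OrderedDict

VIOLATION_MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    """Switch port with port security (MAC limiting) as described in item 12.

    max_secure : number of source MACs the port may hold
    violation  : "protect"  - drop frames from non-secure MACs silently
                 "restrict" - drop them and count every violation
                 "shutdown" - count once and error-disable the port, so every
                              later frame (even from a secure MAC) is dropped
                              until an operator re-enables the port
    static     : secure MACs configured by hand
    sticky     : learned MACs are kept as if statically configured
    """

    def __init__(self, max_secure=1, violation="shutdown", static=(), sticky=False):
        if violation not in VIOLATION_MODES:
            raise ValueError("unknown violation mode: %s" % violation)
        if len(static) > max_secure:
            raise ValueError("more static MACs than the port may hold")
        self.max_secure = max_secure
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = OrderedDict((m.lower(), "static") for m in static)
        self.violations = 0
        self.err_disabled = False

    def ingress(self, src_mac: str) -> bool:
        """Process one frame from src_mac; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # limit reached and the source is not a secure MAC: a violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
        elif self.violation == "restrict":
            self.violations += 1
        return False   # "protect": dropped, nothing counted

    def reenable(self):
        """Operator action after an errdisable (the CLI equivalent is shut / no shut)."""
        self.err_disabled = False


def flood_test(port: SecurePort, n: int) -> dict:
    """Replay n frames with n distinct constructed source MACs, the pattern a
    CAM overflow tool produces, and summarise what the port let through."""
    forwarded = 0
    for i in range(n):
        if port.ingress("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)):
            forwarded += 1
    return {"forwarded": forwarded, "learned": len(port.secure_macs),
            "violations": port.violations, "err_disabled": port.err_disabled}
```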


VII. CONCLUSION

This paper presents a network security model using static VLANs and an AAA server. Today VLANs are not only used as an integral part of the LAN environment; they are now also being used as a means of providing WAN (Wide Area Network) and MAN (Metropolitan Area Network) services. There are common problems associated with this technology, and a network administrator should take them into account when implementing VLANs to achieve security on the network and protect against the described types of threats and attacks. This paper presents a methodology to secure the network and explains the advantages of AAA, which provides an extra level of protection and control for user access beyond using ACLs alone. TACACS+ encrypts the entire TACACS+ packet, while RADIUS only encrypts the shared secret password portion. AAA security is one of the primary components of the overall network security policy of an organization. AAA is essential to providing secure remote access to the network and remote management of network devices. Using AAA for device logins offers three main advantages: it provides scalability, it supports standardized protocols, and it allows for multiple backup systems. One of the primary security issues with VLANs is poor configuration of network devices. There are many configuration issues that need to be addressed during the configuration process in a switching architecture. Testing the network security model showed a very efficient security performance while keeping a high performance of network speed and services. On the other hand, the added security methods should not seriously affect network management or performance.

REFERENCES

[1] R. Farrow. (2007, Jan. 4). "VLAN Insecurity" [Online]. Available: http://www.spirit.com/Network/net0103.html
[2] S. Wooldridge. (2006, Aug. 6). "Application Security," Electric Energy T&D Magazine [Online]. Available: http://www.electricenergyonline.com/article.asp?m=5&mag=29&article=235
[3] Minli Zhu, Mart Molle, and Bala Brahmam, "Design and Implementation of Application-based Secure VLAN", Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN'04) [Online]. Available: ieeexplore.ieee.org/iel5/9433/29935/01367248.pdf
[4] S. Rouiller, "Virtual LAN security: Weaknesses and countermeasures", Technical report, SANS Institute, 2003.
[5] T. Hamano et al., "Forwarding Model of Backplane Ethernet for Open Architecture Router," 2006 Workshop on High Performance Switching and Routing, Poznan, Poland, June 7-9, 2006.
[6] V. Rajaravivarma, "Virtual local area network technology and applications," Proceedings of the Twenty-Ninth Southeastern Symposium, 9-11 March 1997, pp. 49-52.
[7] Tomohiro Otsuka, "A Switch-tagged VLAN Routing Methodology for PC Clusters with Ethernet", Proceedings of the 2006 International Conference on Parallel Processing (ICPP'06).
[8] T. Kudoh, H. Tezuka, M. Matsuda, Y. Kodama, O. Tatebe, and S. Sekiguchi, "VLAN-based Routing: Multi-path L2 Ethernet Network for HPC Clusters", in Proc. of the 2004 IEEE International Conference on Cluster Computing (Cluster 2004), Sept. 2004.
[9] IEEE Std 802.1Q-2005, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks. http://www.ieee802.org/1/pages/802.1Q.html
[10] E. Cole, R. Krutz and J. Conley, Network Security Bible, 1st Edition, Wiley Publishing Inc., 2005.
[11] David Barnes and Basir Sakandar, Cisco LAN Switching Fundamentals, Cisco Press, July 15, 2004.
[12] R. Khoussainov and A. Patel, "LAN security: Problems and solutions for Ethernet networks", Computer Standards and Interfaces, 22:191-202, 2000.
