Post on 29-Jan-2016


Page 1: Standard Security Layer 2

ADMINISTRATIVE, PHYSICAL, AND TECHNICAL CONTROL STANDARD SECURITY POLICIES AND ANALYSIS OF DATA-LINK LAYER CONFIGURATION TO PREVENT ATTACKER IN PT.KRAKATAU POSCO

About the Author:

Yeni Sulastri is 24 years old and has a dream of being a fighter in every aspect. Her motto, “perfect or stop”, is her motivation to do her best. She works at PT.POSCO ICT Indonesia as a Security Network Engineer. It will certainly be a hard job, because the author’s basic education does not come from IT (Information Technology Engineering) but from English. The author believes that, even coming from a different educational background, she can compete with the other members. No knowledge is useless; it will be useful one day.

6th Project: June – Security Networking (Update)


A. INTRODUCTION

A switch is a device of the OSI network model, placed in Layer 2, the Data Link Layer. The data link layer is one of the least secured and most often forgotten elements of a network. It is quite common for administrators simply to connect the switches, configure them to work, and then never worry about them again. Penetration testing often reveals switches that run a vulnerable version of IOS and are not hardened in any way.

It is also commonly thought that implementing VLANs in a network keeps malicious attackers away. However, a VLAN architecture can just as well be defeated, and therefore all higher-layer attacks, such as sniffing passwords and man-in-the-middle, are possible across VLANs.

Switches act as arbiters that forward and control all the data flowing across the network. The data link layer provides the functional and procedural means to transfer data between network entities, with interoperability and interconnectivity to the other layers, but from a security perspective it presents its own challenges. Network security is only as strong as its weakest link, and Layer 2 is no exception. There are weaknesses in Layer 2 of the OSI model, which is why Layer 2 devices should be secured.

Security is generally defined as the freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction and protection of the computer system itself against unauthorized use, modification, or denial of service. Because certain computer security controls inhibit productivity, security is typically a compromise toward which security practitioners, system users, and system operations and administrative personnel work to achieve a satisfactory balance between security and productivity.

Controls for providing information security can be physical, technical, or administrative. These three categories of controls can be further classified as either preventive or detective. Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred. Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept. Effective security awareness programs can help increase users’ level of tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems. Common detective controls include audit trails, intrusion detection methods, and checksums.

B. TYPES OF CONTROLS

There are three types of control: administrative, physical, and technical. The actions of these controls are preventive and detective. Preventive controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. However, preventive controls do not require significant ongoing investment. Detective controls, by contrast, are designed to detect errors and irregularities that have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly, but necessary. Detective controls supply the means with which to correct data errors, modify controls, or recover missing assets.

Administrative Control:
- Routine security awareness training programs
- Clearly defined security policies
- A change management system, which notifies appropriate parties of system changes
- Logging configuration changes
- Properly screening potential employees (for example, performing criminal background checks)
- Disaster preparedness and recovery plan

Physical Control:
- Security system to monitor for intruders
- Physical security barrier (for example, locked door)
- Climate protection systems, to maintain proper temperature and humidity, in addition to alerting personnel in the event of fire
- Security personnel to guard the data

Technical Control:
- Security appliances (for example, firewalls, IPSs, and VPNs)
- Authorization applications (for example, RADIUS or TACACS+ server, one-time password (OTP), and biometric security scanner)
- Detail configuration
- Encryption

Document Type: Analysis, Testing, Compare | Subject: Layer 2 Switch and Data Center | Project: 2nd project | Date: 18 March 2015

Type of Control / Types of Actions (Preventive and Detective):

Administrative Control
Preventive:
- Security awareness and technical training
- Separation of duties
- Procedures for recruiting and terminating employees
- Security policies and procedures
- Supervision
- Disaster recovery, contingency, and emergency plans
- User registration for computer access
- Standby monitoring on non-workdays
Detective:
- Security reviews and audits
- Performance evaluations
- Required vacations
- Background investigations
- Rotation of duties

Physical Control
Preventive:
- Backup files and documentation
- Fences
- Security guards
- Badge systems
- Double door system
- Locks and keys
- Backup power
- Biometric access controls
- Site selection
- Fire extinguishers
Detective:
- Motion detectors
- Fire and smoke detectors
- Closed-circuit television monitor
- Sensors and alarms

Technical Control
Preventive:
- Access control software
- Antivirus software
- Library control system
- Passwords
- Smart cards
- Encryption
- Dial-up access control and callback systems
Detective:
- Audit trails
- Intrusion detection system

C. CONTROLLING ASPECTS

1. Administrative Control

Administrative controls are primarily policy-centric.

1.1. Preventive control

a. Security awareness and technical training

Security awareness training is a preventive measure that helps users to understand the benefits of security practices. If employees do not understand the need for the controls being imposed, they may eventually circumvent them and thereby weaken the security program or render it ineffective. Technical training can help users prevent the most common security problem — errors and omissions — as well as ensure that they understand how to make appropriate backup files and detect and control viruses. Technical training in the form of emergency and fire drills for operations personnel can ensure that proper action will be taken to prevent such events from escalating into disasters.

b. Separation of duties


This administrative control separates a process into component parts, with different users responsible for different parts of the process. Judicious separation of duties prevents one individual from obtaining control of an entire process and forces collusion with others in order to manipulate the process for personal gain.

c. Procedures for recruiting and terminating employees

Appropriate recruitment procedures can prevent the hiring of people who are likely to violate security policies. A thorough background investigation should be conducted, including checking on the applicant’s criminal history and references. Although this does not necessarily screen individuals for honesty and integrity, it can help identify areas that should be investigated further.

Three types of references should be obtained: (1) employment, (2) character, and (3) credit. Employment references can help estimate an individual’s competence to perform, or be trained to perform, the tasks required on the job. Character references can help determine such qualities as trustworthiness, reliability, and ability to get along with others. Credit references can indicate a person’s financial habits, which in turn can be an indication of maturity and willingness to assume responsibility for one’s own actions.

In addition, certain procedures should be followed when any employee leaves the company, regardless of the conditions of termination. Any employee being involuntarily terminated should be asked to leave the premises immediately upon notification, to prevent further access to computing resources. Voluntary terminations may be handled differently, depending on the judgment of the employee’s supervisors, to enable the employee to complete work in process or train a replacement.

All authorizations that have been granted to an employee should be revoked upon departure. If the departing employee has the authority to grant authorizations to others, these other authorizations should also be reviewed. All keys, badges, and other devices used to gain access to premises, information, or equipment should be retrieved from the departing employee. The combinations of all locks known to a departing employee should be changed immediately. In addition, the employee’s log-on IDs and passwords should be canceled, and the related active and backup files should be either deleted or reassigned to a replacement employee. Any special conditions to the termination (e.g., denial of the right to use certain information) should be reviewed with the departing employee; in addition, a document stating these conditions should be signed by the employee. All terminations should be routed through the computer security representative for the facility where the terminated employee works to ensure that all information system access authority has been revoked.

d. Security policies and procedures

Appropriate policies and procedures are key to the establishment of an effective information security program. Policies and procedures should reflect the general policies of the organization as regards the protection of information and computing resources. Policies should cover the use of computing resources, marking of sensitive information, movement of computing resources outside the facility, introduction of personal computing equipment and media into the facility, disposal of sensitive waste, and computer and data security incident reporting. Enforcement of these policies is essential to their effectiveness. Outside people who will access the Data Center (crucial data) must follow the security policies and carry out the procedures. The important question is what kinds of policy and procedure should be created:

- Security policies: make sure the policies cover the specific identity of the guest, the legal threat, and what they carry in.

- Procedures: the standard for guest access is no photography, stickers attached to every mobile phone or camera, and a check for hazardous tools. The operator has a big role in the procedure: they have to supervise or monitor what the guest does, to prevent human error.

e. Supervision


Often, an alert supervisor is the first person to notice a change in an employee’s attitude. Early signs of job dissatisfaction or personal distress should prompt supervisors to consider subtly moving the employee out of a critical or sensitive position.

Supervisors must be thoroughly familiar with the policies and procedures related to the responsibilities of their department. Supervisors should require that their staff members comply with pertinent policies and procedures and should observe the effectiveness of these guidelines. If the objectives of the policies and procedures can be accomplished more effectively, the supervisor should recommend appropriate improvements. Job assignments should be reviewed regularly to ensure that an appropriate separation of duties is maintained, that employees in sensitive positions are occasionally removed from a complete processing cycle without prior announcement, and that critical or sensitive jobs are rotated periodically among qualified personnel.

f. Disaster recovery, contingency, and emergency plans

The disaster recovery plan is a document containing procedures for emergency response, extended backup operations, and recovery should a computer installation experience a partial or total loss of computing resources or physical facilities (or of access to such facilities). The primary objective of this plan, used in conjunction with the contingency plans, is to provide reasonable assurance that a computing installation can recover from disasters, continue to process critical applications in a degraded mode, and return to a normal mode of operation within a reasonable time. A key part of disaster recovery planning is to provide for processing at an alternative site during the time that the original facility is unavailable.

Contingency and emergency plans establish recovery procedures that address specific threats. These plans help prevent minor incidents from escalating into disasters. For example, a contingency plan might provide a set of procedures that defines the condition and response required to return a computing capability to nominal operation; an emergency plan might be a specific procedure for shutting down equipment in the event of a fire or for evacuating a facility in the event of an earthquake.

g. Standby monitoring outside workdays

On weekends or holidays there is no usual activity in the working area. That is why a standby monitoring employee (called an Operator) is needed. They can monitor and report vulnerabilities and trouble in network or system devices.

h. User registration for computer access

Formal user registration ensures that all users are properly authorized for system and service access. In addition, it provides the opportunity to acquaint users with their responsibilities for the security of computing resources and to obtain their agreement to comply with related policies and procedures.

1.2. Detective control

a. Security reviews and audits

Reviews and audits can identify instances in which policies and procedures are not being followed satisfactorily. Management involvement in correcting deficiencies can be a significant factor in obtaining user support for the computer security program.

b. Performance evaluations

Regularly conducted performance evaluations are an important element in encouraging quality performance. In addition, they can be an effective forum for reinforcing management’s support of information security principles.

c. Required vacations

Tense employees are more likely to have accidents or make errors and omissions while performing their duties. Vacations contribute to the health of employees by relieving the tensions and anxieties that typically develop from long periods of work. In addition, if all employees in critical or sensitive positions are forced to take vacations, there will be less opportunity for an employee to set up a fraudulent scheme that depends on the employee’s presence (e.g., to maintain the fraud’s continuity or secrecy). Even if the employee’s presence is not necessary to the scheme, required vacations can be a deterrent to embezzlement because the employee may fear discovery during his or her absence.

d. Background investigations

Background investigations may disclose past performances that might indicate the potential risks of future performance. Background investigations should be conducted on all employees being considered for promotion or transfer into a position of trust; such investigations should be completed before the employee is actually placed in a sensitive position. Job applicants being considered for sensitive positions should also be investigated for potential problems. Companies involved in government-classified projects should conduct these investigations while obtaining the required security clearance for the employee.

e. Rotation of duties

Like required vacations, rotation of duties (i.e., moving employees from one job to another at random intervals) helps deter fraud. An additional benefit is that as a result of rotating duties, employees are cross-trained to perform each other’s functions in case of illness, vacation, or termination.

2. Physical Control

2.1. Preventive controls

a. Backup files and documentation

Should an accident or intruder destroy active data files or documentation, it is essential that backup copies be readily available. Backup files should be stored far enough away from the active data or documentation to avoid destruction by the same incident that destroyed the original. Backup material should be stored in a secure location constructed of noncombustible materials, including two-hour-rated fire walls. Backups of sensitive information should have the same level of protection as the active files of this information; it is senseless to provide tight security for data on the system but lax security for the same data in a backup location.

b. Fences

Although fences around the perimeter of the building do not provide much protection against a determined intruder, they do establish a formal no-trespassing line and can dissuade the simply curious person. Fences should have alarms or should be under continuous surveillance by guards, dogs, or TV monitors.

c. Security Guards

Security guards are often stationed at the entrances of facilities to intercept intruders and ensure that only authorized persons are allowed to enter. Guards are effective in inspecting packages or other hand-carried items to ensure that only authorized, properly described articles are taken into or out of the facility. The effectiveness of stationary guards can be greatly enhanced if the building is wired with appropriate electronic detectors with alarms or other warning indicators terminating at the guard station. In addition, guards are often used to patrol unattended spaces inside buildings after normal working hours to deter intruders from obtaining or profiting from unauthorized access.

d. Badge systems

Physical access to computing areas can be effectively controlled using a badge system. With this method of control, employees and visitors must wear appropriate badges whenever they are in access-controlled areas. Badge-reading systems programmed to allow entrance only to authorized persons can then easily identify intruders.

e. Double door system

Double door systems can be used at entrances to restricted areas (e.g., computing facilities) to force people to identify themselves to the guard before they can be released into the secured area. Double doors are an excellent way to prevent intruders from following closely behind authorized persons and slipping into restricted areas.


f. Locks and keys

Locks and keys are commonly used for controlling access to restricted areas. Because it is difficult to control copying of keys, many installations use cipher locks (i.e., combination locks containing buttons that open the lock when pushed in the proper sequence). With cipher locks, care must be taken to conceal which buttons are being pushed to avoid a compromise of the combination.

g. Backup power

Backup power is necessary to ensure that computer services are in a constant state of readiness and to help avoid damage to equipment if normal power is lost. For short periods of power loss, backup power is usually provided by batteries. In areas susceptible to outages of more than 15–30 min., diesel generators are usually recommended. This includes the high-voltage (HV) substation, standby generators, and uninterruptible power supply (UPS) systems.

h. Biometric access controls

Biometric identification is a more sophisticated method of controlling access to computing facilities than badge readers, but the two methods operate in much the same way. Biometrics used for identification include fingerprints, handprints, voice patterns, signature samples, and retinal scans. Because biometrics cannot be lost, stolen, or shared, they provide a higher level of security than badges. Biometric identification is recommended for high-security, low-traffic entrance control.

i. Site selection

The site for the building that houses the computing facilities should be carefully chosen to avoid obvious risks. For example, wooded areas can pose a fire hazard, areas on or adjacent to an earthquake fault can be dangerous, and sites located in a flood plain are susceptible to water damage. In addition, locations under an aircraft approach or departure route are risky, and locations adjacent to railroad tracks can be susceptible to vibrations that can precipitate equipment problems.

j. Fire extinguishers

The control of fire is important to prevent an emergency from turning into a disaster that seriously interrupts data processing. Computing facilities should be located far from potential fire sources (e.g., kitchens or cafeterias) and should be constructed of noncombustible materials. Furnishings should also be noncombustible. It is important that appropriate types of fire extinguishers be conveniently located for easy access. Employees must be trained in the proper use of fire extinguishers and in the procedures to follow should a fire break out.

Automatic sprinklers are essential in computer rooms and surrounding spaces and when expensive equipment is located on raised floors. Sprinklers are usually specified by insurance companies for the protection of any computer room that contains combustible materials. However, the risk of water damage to computing equipment is often greater than the risk of fire damage. Therefore, carbon dioxide extinguishing systems were developed; these systems flood an area threatened by fire with carbon dioxide, which suppresses fire by removing oxygen from the air. Although carbon dioxide does not cause water damage, it is potentially lethal to people in the area and is now used only in unattended areas.

Current extinguishing systems flood the area with Halon, which is usually harmless to equipment and less dangerous to personnel than carbon dioxide. At a concentration of about 10%, Halon extinguishes fire and can be safely breathed by humans. However, higher concentrations can eventually be a health hazard. In addition, the blast from releasing Halon under pressure can blow loose objects around and can be a danger to equipment and personnel. For these reasons and because of the high cost of Halon, it is typically used only under raised floors in computer rooms. Because it contains chlorofluorocarbons, it will soon be phased out in favor of a gas that is less hazardous to the environment.


2.2. Detective Control

a. Motion Detectors

In computing facilities that usually do not have people in them, motion detectors are useful for calling attention to potential intrusions. Motion detectors must be constantly monitored by guards.

b. Fire and Smoke Detectors

Fire and smoke detectors should be strategically located to provide early warning of a fire. All fire detection equipment should be tested periodically to ensure that it is in working condition.

c. Closed-Circuit Television Monitor

Closed-circuit televisions can be used to monitor the activities in computing areas where users or operators are frequently absent. This method helps detect individuals behaving suspiciously.

d. Sensors and Alarms

Sensors and alarms monitor the environment surrounding the equipment to ensure that air and cooling water temperatures remain within the levels specified by equipment design. If proper conditions are not maintained, the alarms summon operations and maintenance personnel to correct the situation before a business interruption occurs.

3. Technical Control

3.1. Preventive Controls

a. Access control software

The purpose of access control software is to control sharing of data and programs between users. In many computer systems, access to data and programs is implemented by access control lists that designate which users are allowed access. Access control software provides the ability to control access to the system by establishing that only registered users with an authorized log-on ID and password can gain access to the computer system.

After access to the system has been granted, the next step is to control access to the data in the system. The data or program owner can establish rules that designate who is authorized to use the data or program.

b. Antivirus software

Viruses have reached epidemic proportions throughout the micro computing world and can cause processing disruptions and loss of data as well as significant loss of productivity while cleanup is conducted. In addition, new viruses are emerging at an ever-increasing rate — currently about one every 48 hours. It is recommended that antivirus software be installed on all microcomputers to detect, identify, isolate, and eradicate viruses. This software must be updated frequently to help fight new viruses. In addition, to help ensure that viruses are intercepted as early as possible, antivirus software should be kept active on a system, not used intermittently at the discretion of users.

c. Library control system

These systems require that all changes to production programs be implemented by library control personnel instead of the programmers who created the changes. This practice ensures separation of duties, which helps prevent unauthorized changes to production programs.

d. Passwords

Passwords are used to verify that the user of an ID is the owner of the ID. The ID-password combination is unique to each user and therefore provides a means of holding users accountable for their activity on the system.

Fixed passwords that are used for a defined period of time are often easy for hackers to compromise; therefore, great care must be exercised to ensure that these passwords do not appear in any dictionary. Fixed passwords are often used to control access to specific data bases. In this use, however, all persons who have authorized access to the data base use the same password; therefore, no accountability can be achieved.


Currently, dynamic or one-time passwords, which are different for each log-on, are preferred over fixed passwords. Dynamic passwords are created by a token that is programmed to generate passwords randomly.

e. Smart cards

Smart cards are usually about the size of a credit card and contain a chip with logic functions and information that can be read at a remote terminal to identify a specific user’s privileges. Smart cards now carry prerecorded, usually encrypted access control information that is compared with data that the user provides (e.g., a personal ID number or biometric data) to verify authorization to access the computer or network.

f. Encryption

Encryption is defined as the transformation of plaintext (i.e., readable data) into cipher text (i.e., unreadable data) by cryptographic techniques. Encryption is currently considered to be the only sure way of protecting data from disclosure during network transmissions.

Encryption can be implemented with either hardware or software. Software-based encryption is the least expensive method and is suitable for applications involving low-volume transmissions; the use of software for large volumes of data results in an unacceptable increase in processing costs. Because there is no overhead associated with hardware encryption, this method is preferred when large volumes of data are involved.

g. Dial-up access control and callback systems

Dial-up access to a computer system increases the risk of intrusion by hackers. In networks that contain personal computers or are connected to other networks, it is difficult to determine whether dial-up access is available or not because of the ease with which a modem can be added to a personal computer to turn it into a dial-up access point. Known dial-up access points should be controlled so that only authorized dial-up users can get through.

Currently, the best dial-up access controls use a microcomputer to intercept calls, verify the identity of the caller (using a dynamic password mechanism), and switch the user to authorized computing resources as requested. Previously, call-back systems intercepted dial-up callers, verified their authorization and called them back at their registered number, which at first proved effective; however, sophisticated hackers have learned how to defeat this control using call-forwarding techniques.

3.2. Detective Controls

a. Audit Trails

An audit trail is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to output of final results. Violation reports present significant, security-oriented events that may indicate either actual or attempted policy transgressions reflected in the audit trail. Violation reports should be frequently and regularly reviewed by security officers and data base owners to identify and investigate successful or unsuccessful unauthorized accesses.

b. Intrusion Detection Systems

These expert systems track users (on the basis of their personal profiles) while they are using the system to determine whether their current activities are consistent with an established norm. If not, the user’s session can be terminated or a security officer can be called to investigate. Intrusion detection can be especially effective in cases in which intruders are pretending to be authorized users or when authorized users are involved in unauthorized activities.

D. TYPES OF ATTACK TECHNIQUES

The attack techniques on Layer 2 can be so efficient and "invisible" because there is a fundamental problem in the OSI model: it was built to allow different layers to work without knowledge of each other, and information flows up and down to the next subsequent layer as data is processed. If one layer is hacked, the communications are compromised without the other layers being aware of the problem. In this case Layer 3 and Layer 1 will not be aware that Layer 2 is under attack. There are three main classes of attacks, namely: Spanning Tree Protocol attacks, Trunking Protocol attacks, and other attacks.

1. Spanning Tree Protocol

Many redundant links can potentially cause Layer 2 loops, which can result in a broadcast storm. Fortunately, STP (read: Spanning Tree Protocol) allows a network to have physically redundant links while logically keeping a loop-free topology, preventing the potential broadcast storm. In STP, the switch with the lowest bridge priority is elected root bridge, and on every other switch the port with the lowest cost to the root bridge becomes the root port.

The attack technique against this protocol is the Spanning Tree Protocol manipulation attack: the attacker sends BPDUs to become the "root" bridge (or switch) in the network and can therefore influence the flow of data. It requires that the attacker is dual-homed to two different bridges (or switches), or that one of the two connections is a WLAN access point which is not connected to the same bridge (or switch). The attacker can eavesdrop on all messages of the victims and, being in a MITM position, can inject new ones.

Notice PC2 and PC3. If an attacker gained access to the switch ports of these two PCs, he could introduce a rogue switch that advertised superior BPDUs, causing the rogue switch to be elected as the new root bridge. The new data path between PC1 and Server1, as shown in Figure 6-4, now passes through the attacker’s rogue switch. The attacker can configure one of the switch ports as a Switch Port Analyzer (SPAN) port. A SPAN port can receive a copy of traffic crossing another port or VLAN. In this example, the attacker could use the SPAN port to receive a copy of traffic crossing the switch destined for the attacker’s PC.

2. Cisco VLAN/Trunking Protocols

VLANs allow a network manager to logically segment a LAN into different networks for departments such as marketing, sales, accounting, and research. Many VLANs are carried over the backbone switches of the Internet link connecting the different sites of a company. A VLAN hopping attack allows traffic from one VLAN to pass into another VLAN without first being routed. The attacker has two methods of VLAN hopping in order to become a member of other VLANs:

a. VLAN hopping / Switch Spoofing

A trunk link, to which switches are connected, has access to all VLANs by default. The attacker station can spoof a switch with DTP signaling, so that the station becomes a rogue switch that is a member of all VLANs, and all traffic can be monitored. DTP automates (802.1Q/ISL) trunk configuration and operates between switches; it is usually enabled by default. 802.1Q is the networking standard that supports VLANs on an Ethernet network. ISL is a Cisco proprietary protocol that maintains VLAN information.

b. Double tagging VLAN hopping attack

Widely used VLAN networks operate with an additional 802.1Q header, or VLAN tag, to distinguish the VLANs; the VLAN tag changes the frame format. Service-provider infrastructures are double tagged, with the outer tag containing the customer's access VLAN ID and the inner VLAN ID being the VLAN of the incoming traffic. When the double-tagged packet enters another trunk port in a service-provider core switch, the outer tag is stripped as the packet is processed inside the switch. The attacker sends a "double tagged" frame: the first tag belongs to the attacker's own VLAN and the second one belongs to the target VLAN. The switch performs only one level of decapsulation (it strips off the first tag), and the attacker can send unidirectional traffic to the victim. This method works only if the trunk's native VLAN is the same as the attacker's VLAN and the trunk operates with 802.1Q.
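To make the one-level decapsulation concrete, the following Python is an added example (not code from this report or from Cisco) that parses the 802.1Q tag stack of a raw Ethernet frame, mimics a switch stripping only the outer tag, and labels a frame whose outer tag equals the trunk's native VLAN and still carries a second tag. The frame builder, the placeholder MAC addresses (00:00:5e:00:53:xx, the IANA documentation range) and the VLAN numbers are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_tags(frame: bytes):
    """Return (dst, src, vlan_ids, ethertype, payload) for a raw Ethernet frame.

    Every 0x8100 TPID found after the two MAC addresses pushes one VLAN ID
    (the low 12 bits of the TCI) onto vlan_ids; the first other EtherType
    ends the tag stack.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vlan_ids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)   # PCP/DEI bits are ignored here
    return dst, src, vlan_ids, ethertype, frame[offset:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Mimic the single level of decapsulation a switch performs on an 802.1Q
    trunk: only the first tag (4 bytes at offset 12) is removed; an inner tag
    survives and decides the VLAN on the next hop."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def classify(frame: bytes, native_vlan: int) -> str:
    """Label a frame seen on a trunk. 'double-tagged-native' is the case the
    text describes: the outer tag equals the trunk's native VLAN, so after the
    switch strips it the inner tag selects the destination VLAN."""
    _, _, vlan_ids, _, _ = parse_tags(frame)
    if len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan:
        return "double-tagged-native"
    if len(vlan_ids) >= 2:
        return "double-tagged"
    if len(vlan_ids) == 1:
        return "single-tagged"
    return "untagged"


def make_sample_frame(vlan_ids, payload: bytes = b"sample") -> bytes:
    """Constructed test frame (not a capture): documentation-range MACs,
    tags pushed outer-first, IPv4 EtherType, short payload."""
    dst = bytes.fromhex("00005e0053aa")
    src = bytes.fromhex("00005e0053bb")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload
```

classify() is the check a capture host fed from a SPAN session on a trunk would apply: a frame tagged with the native VLAN that still has a tag inside it should never arrive from an access port. The matching configuration defence is to keep the trunk native VLAN different from every VLAN assigned to user access ports, because the attack only works when the two coincide.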

3. Other Attacks

3.1. Cisco Discovery Protocol (CDP) attack

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection in some cases. CDP messages are not encrypted. Most Cisco routers and switches have CDP enabled in the default configuration. It can be used to learn sensitive information about the CDP sender (IP address, Cisco IOS software version, router model, capabilities).

Besides the information-gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if they were sent a large number of bogus CDP packets. CDP is unauthenticated: an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device. If the attacker can get access to the router via Telnet, he can use the CDP information to discover the entire topology of your network at Layer 2 and 3, and he could launch a very effective attack against your network.


3.2. CAM table (MAC address table) flooding

MAC address flooding is an attack technique used to exploit the memory and hardware limitations of a switch's CAM table. Different switches are able to store different numbers of entries in the CAM table; however, once the resources are exhausted, traffic is flooded out on the VLAN, because the CAM table can no longer store MAC addresses and is therefore no longer able to locate the destination MAC address of a packet.

Due to hardware restrictions, all CAM tables have a limited size. If enough entries are stored in a CAM table before other entries expire, no new entries can be accepted into the CAM table. An attacker is able to exploit this limitation by flooding the switch with an influx of (mostly invalid) MAC addresses until the CAM table's resources are depleted. When this happens, the switch has no choice but to flood all ports within the VLAN with all incoming traffic, because it cannot find the switch port number for a corresponding MAC address within the CAM table. By definition, the switch acts like, and becomes, a hub.

In order for the switch to continue acting like a hub, the intruder needs to maintain the flood of MAC addresses. If the flooding stops, the timeouts that are set on the switch will eventually start clearing out the CAM table entries, thus enabling the switch to return to normal operation. Traffic is only flooded within the local VLAN when a CAM table overflow occurs, so the attacker will only be able to sniff traffic belonging to the local VLAN on which the attack occurs.

3.3. MAC Spoofing (ARP poisoning) attack

In short, the client PC sends a DHCP request on the network. This request is a broadcast, and all hosts on the LAN will receive it. Only a DHCP server knows what this request means, and in the normal situation only the REAL DHCP server will reply to that request. The DHCP server then replies to the client with messages that configure the CLIENT PC with an IP address, subnet mask and default gateway.

When there is an attacker PC in the network, the attacker will simulate a DHCP server on his host PC. With this action he will be able to reply to the DHCP request before the REAL DHCP server, because he is closer to the CLIENT host. He will configure the client host with an IP address of that subnet, but will also give the host a false default gateway address and maybe even a false DNS server address. The DNS server address and default gateway address will both be the IP address of the attacker's computer. In this manner, he points all the communication of the client host to himself. Later he will forward the frames from the client host to their real destinations in order to keep the client's communication working. The client will not know that his communication always goes across the attacker's PC and that the attacker can easily sniff frames.

3.4. DHCP Server Spoofing

The DHCP server is used to configure network devices so that they can communicate on a computer network. The clients and the server operate in a client-server model. A DHCP client sends a query requesting the necessary information (IP address, default gateway, and so on) to a DHCP server. On receiving a valid request, the server assigns the computer an IP address and other IP configuration parameters.

This is a special kind of attack where the attacker sends a large number of requests to the DHCP server with false MAC addresses. If enough requests are flooded onto the network, the attacker can completely exhaust all of the available DHCP addresses. Clients of the victim network are then starved of the DHCP resource. The network attacker can then set up a rogue DHCP server on the network and reply with modified IP configurations to the victims (Figure 9). These parameters give the attacker MITM possibilities.


E. TECHNICAL CONTROL ASPECTS

1. Security Appliance Device

1.1. Firewall

A firewall is a security device that can be a software program or a dedicated network appliance. The main purpose of a firewall is to separate a secure area from a less secure area and to control communications between the two. Firewalls can perform a variety of other functions, but are chiefly responsible for controlling inbound and outbound communications on anything from a single machine to an entire network.

1.2. VPN

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

A VPN connection across the Internet is similar to a wide area network (WAN) link between sites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. Variants on VPN, such as Virtual Private LAN Service (VPLS) and Layer 2 tunneling protocols, are designed to overcome this limitation.

VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.

1.3. IPS

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain access to all the rights and permissions available to the compromised application.

2. Point of Configuration for preventing Attacker

2.1. Spanning Tree Protocol

Every switch port is either in the blocking state (data is not forwarded) or in the forwarding state (data is forwarded), and a port transitions from blocking, to listening, to learning, and then to forwarding. Two STP features protect the network from an STP attacker, namely:

1) Root Guard

The Root Guard feature can be enabled on all switch ports in the network beyond which the root bridge should not appear. If a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU the port goes into a root-inconsistent state. This also prevents the port from becoming a root port. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state.


Cisco (config) # interface fastEthernet 0/3

Cisco (config-if) # spanning-tree guard root

2) BPDU Guard

STP is also protected by the BPDU (read: Bridge Protocol Data Unit) guard feature, which is enabled on ports configured with the Cisco PortFast feature. The PortFast feature is enabled on ports that connect to end-user devices, such as PCs. It reduces the amount of time required for the port to go into the forwarding state after being connected. The logic of PortFast is that a port that connects to an end-user device does not have the potential to create a topology loop. Therefore, the port can go active sooner by skipping STP's listening and learning states, which by default take 15 seconds each. Because these PortFast ports are connected to end-user devices, they should never receive a BPDU. Therefore, if a port enabled for BPDU guard receives a BPDU, the port is disabled.

Cisco (config) # interface fastEthernet 0/3

Cisco (config-if) # spanning-tree portfast

Cisco (config-if) # spanning-tree bpduguard enable
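As an added illustration of the two guards (not code from this report or from Cisco IOS), the following Python models how a port reacts to one received BPDU: Root Guard compares the advertised root bridge ID with the current one and holds the port root-inconsistent while a superior BPDU is present, whereas BPDU Guard err-disables a PortFast port on any BPDU at all. The bridge IDs, port names and priority/MAC values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge identifier; a lower value is the better (superior) bridge,
    comparing priority first and the MAC address as tie-breaker."""
    priority: int   # 0..61440 in steps of 4096, default 32768
    mac: str        # dotted hex as IOS prints it, e.g. "0000.1111.2222"


@dataclass
class Port:
    name: str
    root_guard: bool = False   # spanning-tree guard root
    portfast: bool = False     # spanning-tree portfast
    bpdu_guard: bool = False   # spanning-tree bpduguard enable
    state: str = "forwarding"


def elected_root(current_root: BridgeId, advertised_root: BridgeId) -> BridgeId:
    """Plain STP with no guards: the lower bridge ID wins the root election,
    which is exactly what a rogue switch with priority 0 or 4096 exploits."""
    return min(current_root, advertised_root)


def receive_bpdu(port: Port, current_root: BridgeId, advertised_root: BridgeId) -> str:
    """Apply BPDU Guard and Root Guard to one BPDU arriving on `port` and
    return the port's resulting state (modelled on section E.2.1)."""
    if port.portfast and port.bpdu_guard:
        # An edge port must never see a BPDU: the port is disabled (err-disabled).
        port.state = "err-disabled"
    elif port.root_guard and advertised_root < current_root:
        # Superior BPDU where the root must not appear: ignore it and pass no
        # user data until the superior BPDUs stop.
        port.state = "root-inconsistent"
    return port.state


def bpdus_stopped(port: Port) -> str:
    """Recovery once BPDUs stop: a root-inconsistent port returns to forwarding
    on its own; an err-disabled port stays down until an administrator
    re-enables it."""
    if port.state == "root-inconsistent":
        port.state = "forwarding"
    return port.state
```

The unguarded port in the test shows why the guards matter: with neither feature configured, the switch would simply accept the superior BPDU and elect the rogue bridge as root.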

2.2. Trunking Protocol

- Switch Spoofing: enabling a fixed access VLAN on the port

Cisco (config) # interface fastEthernet 0/3

Cisco (config-if) # switchport mode access

Cisco (config-if) # switchport access vlan 8

Preventing the use of DTP

Cisco (config) # interface fastEthernet 0/3

Cisco (config-if) # switchport trunk encapsulation dot1q

Cisco (config-if) # switchport nonegotiate

- Double Tagging: disabling trunking by setting the trunk native VLAN

Cisco (config) # interface fastEthernet 0/3

Cisco (config-if) # switchport trunk native vlan 8

2.3. Other Attack

2.3.1. CDP attack

Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol designed to facilitate the administration and troubleshooting of network devices by providing information on neighboring equipment. With CDP enabled, network administrators can execute CDP commands that provide them with the platform, model, software version, and even the IP addresses of adjacent equipment.

CDP is a useful protocol, but it could potentially reveal important information to an attacker. CDP is enabled by default and can be disabled globally or per interface. The best practice is to disable CDP globally when the service is not used, or per interface when CDP is still required. In cases where CDP is used for troubleshooting or security operations, CDP should be left enabled globally and disabled only on those interfaces on which the service may represent a risk, for example interfaces connecting to the Internet. As a general practice, CDP should not be enabled on interfaces that connect to external networks, such as the Internet.

Disable CDP globally

Cisco (config) # no cdp run

Disable CDP on one or more interfaces

Cisco (config-if) # no cdp enable

2.3.2. CAM table flooding

To prevent CAM table flooding, the MAC addresses permitted on a port must be registered permanently, either statically or as sticky addresses. The switch port must also be protected with port security, which limits how many addresses the port may learn and decides what happens on a violation, so that the port cannot be used to send or receive traffic on behalf of unregistered addresses.

Cisco (config) # interface fastEthernet 0/1

Cisco (config-if) # switchport mode access

Cisco (config-if) # switchport port-security

Cisco (config-if) # switchport port-security maximum {max_addresses}

Cisco (config-if) # switchport port-security mac-address {mac_address | sticky}

Cisco (config-if) # switchport port-security violation {protect | restrict | shutdown}
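The following Python, added here (not code from this report or from Cisco), is a small CAM-table simulator that ties section D.3.2 to the port-security commands above: it learns source addresses up to a hardware capacity, floods unknown destinations out every other port like a hub, and enforces a per-port maximum with protect/restrict/shutdown semantics. The port names, the capacity of 16 entries, and the MAC addresses (02:... locally administered, 00:00:5e:00:53:xx documentation range) are constructed values.

```python
from collections import OrderedDict
from typing import Optional


class CamTable:
    """Toy model of a switch CAM table plus the port-security limit from
    section E.2.3.2 (switchport port-security maximum / violation)."""

    def __init__(self, capacity: int, port_limit: Optional[int] = None,
                 violation: str = "shutdown"):
        self.capacity = capacity        # hardware limit on total entries
        self.port_limit = port_limit    # port-security maximum; None = no port security
        self.violation = violation      # protect | restrict | shutdown
        self.entries = OrderedDict()    # mac -> port, oldest entry first
        self.errdisabled = set()

    def learn(self, src_mac: str, port: str) -> str:
        """Source-address learning for one frame arriving on `port`."""
        if port in self.errdisabled:
            return "port-down"
        if src_mac in self.entries:
            self.entries.move_to_end(src_mac)   # refresh the aging timer
            return "refreshed"
        if self.port_limit is not None:
            on_port = sum(1 for p in self.entries.values() if p == port)
            if on_port >= self.port_limit:
                if self.violation == "shutdown":
                    self.errdisabled.add(port)  # shutdown mode: port goes err-disabled
                return "violation"              # protect/restrict: frame dropped, port stays up
        if len(self.entries) >= self.capacity:
            return "table-full"                 # nothing learned: later lookups will miss
        self.entries[src_mac] = port
        return "learned"

    def forward(self, dst_mac: str, ingress: str, ports) -> list:
        """Destination lookup: a known MAC goes out one port; an unknown MAC is
        flooded out every other port in the VLAN (the switch-becomes-a-hub effect)."""
        if dst_mac in self.entries:
            return [self.entries[dst_mac]]
        return [p for p in ports if p != ingress]


def flood_scenario(capacity: int = 16, bogus: int = 100,
                   port_limit: Optional[int] = None, violation: str = "shutdown") -> dict:
    """Constructed scenario: a burst of `bogus` made-up source MACs arrives on
    Fa0/5 before PC B (Fa0/2) has been learned; then PC A (Fa0/1) sends to PC B."""
    cam = CamTable(capacity, port_limit, violation)
    ports = ["Fa0/1", "Fa0/2", "Fa0/5"]
    outcomes = [cam.learn("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), "Fa0/5")
                for i in range(bogus)]
    cam.learn("00:00:5e:00:53:0b", "Fa0/2")                     # PC B now sends a frame
    egress = cam.forward("00:00:5e:00:53:0b", "Fa0/1", ports)  # PC A -> PC B
    return {
        "bogus_learned": outcomes.count("learned"),
        "flood_port_errdisabled": "Fa0/5" in cam.errdisabled,
        "egress_for_b": egress,
        "b_leaks_to_fa0_5": "Fa0/5" in egress,
    }
```

Without port security the 16-entry table fills with bogus addresses, PC B can no longer be learned, and PC A's unicast to B is flooded out Fa0/5 as well. With a maximum of one address on Fa0/5, the second bogus address is a violation: in shutdown mode the port is err-disabled, in protect mode it stays up but learns nothing more, and either way B's traffic stays on Fa0/2 only.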

2.3.3. DHCP server snooping

The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP server spoofing attack. With this solution, Cisco Catalyst switch ports are configured in either the trusted or the untrusted state. If a port is trusted, it is allowed to receive DHCP responses (for example, DHCPOFFER, DHCPACK, and DHCPNAK). Conversely, if a port is untrusted, it is not allowed to receive DHCP responses, and if a DHCP response attempts to enter an untrusted port, the port is disabled. Fortunately, not every switch port needs to be configured to support DHCP snooping. If a port is not explicitly configured as a trusted port, it is implicitly considered to be an untrusted port. To configure DHCP snooping, the feature must first be enabled globally and then for the VLANs to be protected:

Cisco (config) # ip dhcp snooping

Cisco (config) # ip dhcp snooping vlan 1,10,13-15 (for specific VLANs)
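As an added example (not code from this report or from Cisco IOS), this Python models the trusted/untrusted decision the text describes: server-side messages (DHCPOFFER, DHCPACK, DHCPNAK) are accepted only on trusted ports, an untrusted port that carries one is disabled as the text states, and the default MAC-address verification compares the DHCP client hardware address with the frame's source address, which also blunts the address-starvation flood of section D.3.4. Port names, VLAN numbers and MAC addresses are constructed. On a real switch the uplink towards the genuine DHCP server is marked trusted with the interface command ip dhcp snooping trust; the model takes the trusted set as a parameter instead.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}      # only a DHCP server sends these
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPDECLINE",
                   "DHCPRELEASE", "DHCPINFORM"}


@dataclass
class DhcpMessage:
    """Constructed, simplified view of a DHCP packet as the switch inspects it."""
    port: str
    vlan: int
    msg_type: str
    src_mac: str    # Ethernet source address of the frame
    chaddr: str     # client hardware address field inside the DHCP payload


@dataclass
class DhcpSnooping:
    """Port trust model from section E.2.3.3: every port is untrusted unless listed."""
    enabled_vlans: set
    trusted_ports: set = field(default_factory=set)
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, m: DhcpMessage) -> str:
        """Return the switch's verdict for one DHCP message: forward, drop, or drop+disable."""
        if m.port in self.errdisabled:
            return "drop"                       # port already shut by an earlier violation
        if m.vlan not in self.enabled_vlans:
            return "forward"                    # snooping not enabled on this VLAN
        if m.port in self.trusted_ports:
            return "forward"                    # uplink towards the real DHCP server
        if m.msg_type in SERVER_MESSAGES:
            # A server reply on an untrusted (end-user) port is a rogue server.
            # The text models this as the port being disabled, so do the same here.
            self.errdisabled.add(m.port)
            self.log.append("%s from %s on untrusted %s vlan %d: port disabled"
                            % (m.msg_type, m.src_mac, m.port, m.vlan))
            return "drop+disable"
        if m.msg_type in CLIENT_MESSAGES and m.src_mac.lower() != m.chaddr.lower():
            # MAC verification: the chaddr must match the frame source, so a host
            # cannot request leases for made-up hardware addresses.
            self.log.append("%s on %s: chaddr %s does not match source %s"
                            % (m.msg_type, m.port, m.chaddr, m.src_mac))
            return "drop"
        return "forward"
```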

2.3.4. Access Login

Login access, whether local or remote, should be secured as strongly as possible, because the login is the first gate an attacker must pass before taking further action against the network and its data. Remote access and login access exist to manage restricted functions. Access can be restricted in the following ways:

1) Privilege Mode (EXEC)

Cisco # configure terminal

Cisco (config) # enable secret admin

2) Password

An administrator can access a router for administrative purposes in a variety of ways. There are user mode and privilege mode. These two modes must have different passwords to protect a router from unauthorized access, and a "strong" password should be selected. A strong password is one that is difficult for an attacker to guess or compromise:

- Select at least 10 characters. The security passwords min-length 10 global configuration command can be used to enforce this.
- Use a mixture of alphabetic (both uppercase and lowercase), numeric, and special characters (pass-phrase characters).
- The password should not be a common word found in a dictionary.
- Create a policy that dictates how and when passwords are to be changed.

Cisco (config-line) # password azsNYs13@!

Complex password

Ciscorouter (config) # username Cisco password azsNYs13@!

Enable password (password activated by default)

Ciscorouter (config) # enable password azsNYs13@!

Service password-encryption (console, auxiliary, and vty line passwords appear in encrypted format)

Ciscorouter (config) # service password-encryption

Disable password recovery (rommon will no longer be accessible)

Ciscorouter (config) # no service password-recovery

3) Telnet & Console

An administrator can connect to an L2SW (read: Layer 2 Switch) using Telnet. Unfortunately, Telnet is not a secure protocol. If an attacker intercepted the Telnet packets, he might be able to glean the password credentials necessary to gain administrative access to the switch. Therefore, Secure Shell (SSH) is preferred as an alternative to Telnet, because it offers confidentiality and data integrity. The administrator can also configure the switch via the switch's console port (Telnet = line vty, and console = line console).

Cisco (config) # line console 0

Cisco (config-line) # password azsNYs13@!


Cisco (config-line) # login

Cisco (config-line) # line vty 0 15

Cisco (config-line) # login

Cisco (config-line) # password azsNYs13@!

4) Banner Message

When someone connects to one of our routers, he sees some sort of message or prompt. For legal reasons, a banner message is needed to warn potential attackers not to attempt a login.

- The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.
- Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.
- After configuring the MOTD, log out of the switch to verify that the banner displays when you log back in.

Cisco (config) # banner motd %authorized text%

Cisco (config) # end

****! WARNING! - AUTHORIZED ACCESS ONLY - ! WARNING! ****

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have an explicit permission to access this device

All activities performed on this device are logged and

Violations of this policy result will be forward as a disciplinary action

********************************************************

5) SNMP

SNMP (read: Simple Network Management Protocol) is often used to collect information about network devices. The first two versions (v1 and v2c) lack security and are not a secure mechanism. If they must be used, consider allowing SNMP read-only access, NOT read-write access. SNMP version 3 (v3) provides stronger security and is the version to implement for switch port security. The preceding brief introduction to SNMP should raise a few issues for the security professional. As mentioned, the default SNMP community strings are "public" for read-only access and "private" for read-write. Most system and network administrators do not change these values. Consequently, any user, authorized or not, can obtain information through SNMP about the device and potentially change or reset values. For example, if the read-write community string is the default, any user can change the device's IP address and take it off the network. The common SNMP security issues include:

- Well-known default community strings
- Ability to change the configuration information on the system where the SNMP agent is running
- Multiple management stations managing the same device
- Denial-of-service attacks

As mentioned previously, there are two SNMP access policies, read-only and read-write, using the default community strings of public and private, respectively. Many organizations do not change the default community strings. Failing to change the default values means it is possible for an unauthorized person to change the configuration parameters associated with the device. Consequently, SNMP community strings should be treated as passwords. The better the quality of the password, the less likely an unauthorized person could guess the community string and change the configuration.

6) Disable unused port


Cisco (config) # interface fastEthernet 0/1

Cisco (config-if) # shutdown

F. TESTING OF MATERIAL

Columns: No. | Detailed Testing | Command | Verify | KP

1. ARP poisoning
Detailed Testing: IP ARP Inspection (DAI): a. Inter VLAN; b. Inter switch
Command:
a. Cisco (config) # ip arp inspection vlan {vlan_ID | vlan_range}
b. Cisco (config) # interface gigabitEthernet 0/1
c. Cisco (config-if) # ip arp inspection trust
Verify:
a. show ip arp inspection vlan {vlan_ID | vlan_range} | begin vlan
b. show ip arp inspection interface Gi0/1
KP: (blank)

2. Spanning tree
Detailed Testing: a. Root Guard; b. BPDU guard
Command:
a. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # spanning-tree guard root
b. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # spanning-tree portfast
   Cisco (config-if) # spanning-tree bpduguard enable
Verify: show spanning-tree (normal 300 MAC)
KP: √

3. Trunking Protocol
Detailed Testing: a. Enable VLAN; b. Preventing DTP; c. Disable trunking (double tagging)
Command:
a. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # switchport mode access
   Cisco (config-if) # switchport access vlan 8
b. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # switchport trunk encapsulation dot1q
   Cisco (config-if) # switchport nonegotiate
c. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # switchport trunk native vlan 8
Verify: a. show run; b. show interfaces fastEthernet 0/3 switchport; c. show run
KP: (blank)

4. CDP attack
Detailed Testing: a. Disable CDP globally; b. Disable CDP on one/more interfaces
Command:
a. Cisco (config) # no cdp run
b. Cisco (config) # interface fastEthernet 0/3
   Cisco (config-if) # no cdp enable
Verify: show cdp neighbors
KP: √

5. CAM table flooding
Detailed Testing: a. Sticky MAC address
Command:
Cisco (config) # interface fastEthernet 0/1
Cisco (config-if) # switchport mode access
Cisco (config-if) # switchport port-security
Cisco (config-if) # switchport port-security maximum {max_addresses}
Cisco (config-if) # switchport port-security mac-address {mac_address | sticky}
Cisco (config-if) # switchport port-security violation {protect | restrict | shutdown}
Verify: show run
KP: √

6. DHCP server spoofing
Detailed Testing: a. DHCP snooping
Command:
Cisco (config) # ip dhcp snooping
Cisco (config) # ip dhcp snooping vlan 1,10,13-15 (for specific VLANs)
Verify: show ip dhcp snooping
KP: √

7. Access Login
Detailed Testing: a. Privilege Mode; b. Enable password; c. Password; d. Password encryption; e. Disable password recovery; f. Password telnet; g. Password console; h. Banner message; i. SNMP community; j. Disable unused port
Command:
a. Cisco # configure terminal
   Cisco (config) # enable secret admin
b. Ciscorouter (config) # enable password azsNYs13@!
c. Ciscorouter (config) # username Cisco password azsNYs13@!
d. Ciscorouter (config) # service password-encryption
e. Ciscorouter (config) # no service password-recovery
f. Cisco (config) # line console 0
   Cisco (config-line) # password azsNYs13@!
   Cisco (config-line) # login
g. Cisco (config-line) # line vty 0 15
   Cisco (config-line) # login
   Cisco (config-line) # password azsNYs13@!
h. Cisco (config) # banner motd %authorized text%
   Cisco (config) # end
i. Cisco (config) # snmp-server community …
j. Cisco (config) # interface fastEthernet 0/1
   Cisco (config-if) # shutdown
Verify: show run
KP: √
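Most rows above are verified with "show run". The following Python is an added audit helper (not code from this report or from Cisco) that reads running-config text and checks the table's items mechanically: the global settings (no cdp run, service password-encryption, enable secret, ip dhcp snooping, the bpduguard default, banner motd, default SNMP community strings), access ports lacking port-security or nonegotiate, unused ports left up, and vty lines without login or without SSH-only transport. The sample configuration is constructed for the example; the hostname, the enable-secret hash and the type 7 password strings are placeholders.

```python
import re

# Constructed sample of 'show running-config' output; hashes and passwords are placeholders.
SAMPLE_RUNNING_CONFIG = """\
hostname KP-L2SW-01
service password-encryption
enable secret 5 PLACEHOLDER-HASH
no cdp run
ip dhcp snooping
ip dhcp snooping vlan 10,13-15
spanning-tree portfast bpduguard default
snmp-server community public RO
banner motd ^C authorized text ^C
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 shutdown
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 15
 password 7 PLACEHOLDER
 transport input ssh
!
"""


def parse_config(text):
    """Split IOS running-config text into global commands and the indented
    command list of each interface/line block."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                  # '!' separates blocks
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        if re.match(r"(interface \S+|line (?:con|vty) .+)$", line):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return the findings a reviewer would tick off against the testing table."""
    g, blocks = parse_config(text)
    gset = set(g)
    f = {
        "cdp_disabled_globally": "no cdp run" in gset,
        "password_encryption": "service password-encryption" in gset,
        "enable_secret": any(c.startswith("enable secret") for c in g),
        "dhcp_snooping": "ip dhcp snooping" in gset,
        "bpduguard_default": "spanning-tree portfast bpduguard default" in gset,
        "banner_motd": any(c.startswith("banner motd") for c in g),
        "default_snmp_community": any(
            re.match(r"snmp-server community (public|private)\b", c) for c in g),
        "weak_ports": [],          # (block name, list of missing hardening commands)
        "vty_without_login": [],
        "vty_allows_telnet": [],
    }
    for name, cmds in blocks.items():
        cset = set(cmds)
        if name.startswith("interface"):
            if "switchport mode access" in cset:
                missing = [c for c in ("switchport port-security", "switchport nonegotiate")
                           if c not in cset]
                if not f["bpduguard_default"] and "spanning-tree bpduguard enable" not in cset:
                    missing.append("spanning-tree bpduguard enable")
                if missing:
                    f["weak_ports"].append((name, missing))
            elif "shutdown" not in cset and not any(c.startswith("switchport") for c in cmds):
                f["weak_ports"].append((name, ["unused port not shut down"]))   # item j
        elif name.startswith("line vty"):
            if not ("login" in cset or "login local" in cset):
                f["vty_without_login"].append(name)
            if "transport input ssh" not in cset:
                f["vty_allows_telnet"].append(name)
    return f
```

Run against the sample, the audit passes the global items but flags the default "public" community string, FastEthernet0/2 (no port-security, no nonegotiate), FastEthernet0/3 (unconfigured and not shut down) and the vty lines, which have a password but no login command.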

G.ANALYSIS OF CONFIGURATION

Legend: Not standard (unsecured); Not full standard (less secure)

1. ADMINISTRATIVE CONTROL

Columns: No. | Solution of Control | Standard Policies | PT.KP Standardization

1. Preventive

- Security awareness and technical training: CCNA and CCNA Security training for security awareness

- Separation of duties: (blank)

- Procedures for recruiting and terminating employees: Human Resources recruits employees after checking health, police record, educational background and experience

- Security policies and procedures: 1. Create a security pledge form; 2. Create an access list form; 3. Create a carried-in device list form; 4. Stickers for covering all kinds of cameras; 5. Create the rules to follow before accessing the Data Center; 6. The operator supervises guest access

- Supervision: 1. The supervisor relieves employee stress by making jokes or by sharing what is difficult to do in the work; 2. Check the security policies and procedures forms every month

- Disaster recovery, contingency, and emergency plans: Standby monitoring outside workdays. In the Data Center, operators work in shifts. Even on weekends or holidays, an operator is on standby to monitor and report any trouble to the engineer. They work 24 hours a day, 7 days a week

2. Detective

- Security reviews and audits: Security review every month; audits not yet

- Performance evaluations: Create working progress and a yearly plan

- Required vacations: The INFRA team has already done team building (NOT a holiday) once

- Background investigations: (blank)

- Rotation of duties: (blank)

2. PHYSICAL CONTROL

Columns: No. | Solution of Control | Standard Policies | PT.KP Standardization

1. Preventive

- Backup files and documentation: 1. Before testing a device configuration, back up the files first to avoid losing the previous files; 2. Back up the active configuration every month; 3. Unused printed paper must be thrown into the rubbish

- Security Guard: 1. Double door for entering the Data Center (the 1st door is a standard door, which is locked by the operator after working hours; the 2nd door is limited access using a fingerprint reader, and only authorized employees may enter; others must push the open button and say what they will do inside); 2. In the Data Center, the back door and side door are locked with steel padlocks, and the windows are closed with screens and locked permanently

- Badge System: Fingerprint with camera, which can be monitored and communicated with from inside

- Double door system: Double door for entering the Data Center (the 1st door is a standard door, which is locked by the operator after working hours; the 2nd door is limited access using a fingerprint reader, and only authorized employees may enter; others must push the open button and say what they will do inside)

- Locks and Keys: Fingerprint is used for the restricted access to avoid key duplication, but the first door and the UPS & TR rooms use a standard key which can be duplicated by an attacker

- Backup Power and Device: 1. Almost all important devices have a backup device to cover failure of the active device; 2. For backup power, two UPS units are prepared. The active device is connected to the 1st PDU and the backup device to the 2nd PDU

- Biometric Access Control: Fingerprint; the registered finger is scanned for access to the Data Center

- Site Selection: 1. The Data Center is located on the 2nd floor; 2. Near the sea; 3. Wood composition only 30 % (desk and the wall separating the engineers from the data room)

- Fire extinguisher: Everything inside the data center is electrical equipment; the fire extinguisher composition is powder (sodium carbonate, Na2CO3) pressurized by nitrogen (N2)

2. Detective

- Motion Detector: Failure is logged by speaker. The sound is like an ambulance or police siren, loud, and is monitored by the operator

- Fire and Smoke Detector: 1. Fire detectors: 8 units applied; 2. Smoke detectors: 20 units

- CCTV and Lighting: 1. Only one CCTV; 2. Lighting standard 80 %

- Sensors and Alarms: Sensor alarm on the ACB panel

3. TECHNICAL CONTROL

Columns: No. | Solution of Control | Detailed Testing | PT.KP STANDARDIZATION

1. Preventive

- ARP poisoning: IP ARP Inspection (DAI): (blank)

- Spanning tree: a. Root Guard; b. BPDU guard: (blank)

- Trunking Protocol: a. Enable VLAN; b. Preventing DTP; c. Disable trunking (double tagging): a. PT.KP uses static VLANs (10-99); b. DTP is only implemented in Layer 3 (backbone); c. Trunking is disabled in the Layer 2 switch

- CDP attacks: a. Disable CDP globally; b. Disable CDP on one/more interfaces: (blank)

- CAM table flooding: Sticky MAC address: (blank)

- DHCP server spoofing: DHCP snooping: (blank)

- Access Login: a. Privilege Mode; b. Enable password; c. Password; d. Password encryption; e. Disable password recovery; f. Password telnet; g. Password console; h. Banner message; i. SNMP community; j. Disable unused port: a. Has been implemented; b. Has been implemented; c. Has been implemented; d. Has been implemented; e. Not yet implemented; f. Has been implemented; g. Has been implemented; h. Has been implemented; i. Using v2c (own community); j. Not yet implemented

2. Detective

- Security Appliance – Firewall: Has been implemented; PT.KP uses 2 types of firewall, an Internet firewall and a Data Center firewall. Firewall model: ASA 5585x, 4 ea (Internal Firewall active-standby, Data Center Firewall active-standby)

- Security Appliance – VPN: VPN has been implemented in PT.KP, using a Big IP F5 1600 series, 2 ea (active-standby)

- Security Appliance – IPS: Has been implemented in PT.KP, using a TippingPoint 660N, 2 ea (active-standby)
