Saturday, December 26, 2009

How to write up Network Security, part II?

This is a continuation of part I.
  • Consultant/guest access to the network - How do they separate the guest/consultant subnet from the rest of the network? A VLAN is not a good answer. One of the best options is probably VRF Lite (virtual routers with separate routing tables for guest traffic) for traffic and host segmentation. It's very important from a PCI standpoint.
  • Internet VLAN - Are servers connected to the same switch the Internet uplink is on? How do they mitigate the 'risk of mistyping' (sounds funny, doesn't it :) a VLAN name or number and moving a server onto the Internet VLAN, in front of the firewall? Say the Internet is connected to the outside interface on VLAN 100 and a server is assigned to a port on VLAN 101. The good answer is change control (very often routers and firewalls are in scope, but switches are not ;), but better is to have segmentation in place (Internet and backbone routers on a separate switch, and VTP set up correctly).
  • Packet storms - What is the strategy to avoid 'miscabling' (a technician connecting two switches together instead of plugging a PC into a switch)? Is STP on? Look for the storm-control command at the interface level, see the example below (3560 switch, interface g0/1):
interface gigabitethernet0/1
 storm-control unicast level 89 67
 storm-control broadcast level 20
This enables unicast storm control on the switch port with an 89% rising suppression level and a 67% falling suppression level. It also enables broadcast storm control on the port at a level of 20%. When broadcast traffic exceeds the configured 20% of the port's total available bandwidth within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of that interval.
  • NOC access - How do Network Operations Center operators access routers? What accounts do they use? They shouldn't be able to see the full configuration file, only part of it (e.g. the interface configuration). Verify their privileges.
  • BGP adjacency security - TCP-based BGP is vulnerable to TCP spoofing attacks, for example a TCP reset attack, which exploits the fact that TCP considers valid any packet with a sequence number within the session's current receive window. You should see keywords like 'bgp ttl 2' in the configuration files (under 'router bgp') to mitigate BGP DoS attacks.
  • Rogue APs - The presence of rogue access points is a major threat to the company. Employees have relatively free access to the company's facilities, which makes it possible for them to inadvertently (or mischievously) install a rogue access point. An employee, for example, may buy an access point at an office supply store and install it without coordinating with the IT organization, in order to get wireless printing or network access from a conference room. Are regular scans for rogue APs performed? One method of detecting rogues is the use of wireless sniffing tools (e.g. AirMagnet or NetStumbler) that capture information about access points within range of where you're using the tool.
  • Are configuration changes logged? This can be achieved either by enabling AAA accounting and logging changes to a TACACS+ server (e.g. Cisco ACS) or by enabling 'archive' and sending changes to a syslog server:
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
'hidekeys' suppresses sensitive output (e.g. passwords) when the logged commands are displayed.
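As an added example (my own script, not from the original post), here is a small Python checker that reads an IOS-style configuration and reports three of the items above: access ports without broadcast storm-control, an 'archive' change log missing 'logging enable' or 'hidekeys', and BGP neighbors without the TTL check. It assumes the concrete IOS form of that check is the 'neighbor ... ttl-security hops' command, and the sample configuration is constructed for the demonstration.

```python
# Constructed sample IOS-style config (not from the post): ports/peers with and without the controls.
SAMPLE_CONFIG = """\
archive
 log config
  logging enable
  hidekeys
!
interface GigabitEthernet0/1
 switchport access vlan 101
 storm-control unicast level 89 67
 storm-control broadcast level 20
interface GigabitEthernet0/2
 switchport access vlan 101
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.2 remote-as 65003
"""

def parse_blocks(config):
    """Group the config into top-level blocks: {header line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    for header, body in blocks.items():
        if header.startswith("interface") and any(l.startswith("switchport access") for l in body):
            # Packet storms: every access port should rate-limit broadcast traffic
            if not any(l.startswith("storm-control broadcast") for l in body):
                findings.append(f"{header}: no broadcast storm-control")
        elif header.startswith("router bgp"):
            # BGP adjacency: each peer should have the TTL check (GTSM) enabled
            peers = {l.split()[1] for l in body if l.startswith("neighbor") and " remote-as " in l}
            secured = {l.split()[1] for l in body if l.startswith("neighbor") and " ttl-security " in l}
            for peer in sorted(peers - secured):
                findings.append(f"{header}: neighbor {peer} without ttl-security")
    archive = blocks.get("archive", [])  # change logging must log commands and hide secrets
    if "logging enable" not in archive or "hidekeys" not in archive:
        findings.append("archive: configuration change logging incomplete")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get the two findings for the constructed config; point it at a saved 'show running-config' to use it during a real review.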
To be continued…
