Security Basics mailing list archives
Re: Unauthorised switchport access
From: Kern <timetrap () gmail com>
Date: Wed, 15 Nov 2006 03:18:53 -0500
Having open switchports near a comfortable sitting place (a WC) is a major physical security risk. Your LAN becomes a major target to anyone who has an interest (and seeing that you work for the government, lots of people have an interest). So I can go over a few ideas that will help you conceptualize the risk.

1. Unauthorized access, imagine the worst. A contractor or other non-governmental employee hooks up to your LAN and hits his favorite kiddie porn site. It does not take much, getting a DHCP address is very easy, the only hurdle that they may have to overcome is the proxy server, which if they have any login privileges anyway they will probably already know; from there it may be a simple hop, skip and jump to some other bounce proxy or anonymising web site.

2. Malicious access, again imagine the worst. ARP poisoning: someone can sit at the switch and poison the ARP cache, redirecting all LAN traffic to itself, resolving DNS queries for localized phishing schemes, DoS (in the form of a rogue DHCP server, TCP RST packets, or possible exploits on the switch itself).

3. The list goes on and on. And don't be pacified into a false sense of security by VLANs; they are easy enough to defeat in a lab (or WC) environment.

Cisco wrote a GREAT white paper on Layer 2 Security: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf

What I would do IMMEDIATELY is this:

1. Lock all unused switchports and enable a "sticky" MAC learning ability for the ones in current use.
2. Read that Cisco paper.
3. Look into Network Access Control (NAC); even if you don't want to use it, at least be aware of it.
4. In the long run it would be ideal if you can map all known switchports to known MAC addresses, but if you have a large network and small staff this may not be possible.

Network Security in my opinion should follow the OSI Layers from most important:

1. Physical - Lock your doors, shred your papers, educate your users
2. Data Link - Lock your local switchports
3. Network - Lock your ports, filter and monitor your traffic, encrypt inter-agency traffic, IDS
4. Transport - Filter and monitor your traffic, IDS
5. Session - Filter and monitor, use SSH for local admin purposes NOT telnet
6. Presentation - Filter out unwanted or unneeded file types from your LAN traffic and LAN storage
7. Application - Limit user access, patch, patch, patch

Layer 2 is a fertile ground for all manner and methods of attack. Defend your Layer 2 like you would the door of your office if someone were trying to break in.

On 14 Nov 2006 09:36:29 -0000, gary.shaw () dfpni gov uk <gary.shaw () dfpni gov uk> wrote:
Guys, I am responsible for several LANs that include sharing WCs with other organisations, and therefore access to my 3750 switches in unlocked cabinets. I have no port security enabled and the ports are not shut down. I would like to know the security implications of having unused switchports available to anyone, e.g. with a laptop & DHCP configured? Are there any simple pentests I could complete myself? Is my organisation's network a sitting duck?? Thanks in advance!

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
-- //jkern//timetrap//
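Kern's first immediate step (shut the unused ports, sticky MAC learning on the live ones) is something you can check mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a constructed fragment of a Cisco IOS running-config (the interface names and descriptions are made up for illustration) and reports live access ports that are neither shut down nor locked to a sticky MAC.

```python
# Constructed sample fragment of a Cisco IOS running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description user desk, locked to the first MAC it learns
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/3
 description user desk, port-security but dynamic learning only
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/4
 description spare port in shared WC cabinet
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/5
 switchport mode access
!
"""

def parse_interfaces(config):
    # Map each "interface X" stanza to its indented config lines (stripped).
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit(config):
    # Flag live access ports that are neither shut down nor locked to a sticky MAC.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines or "shutdown" in lines:
            continue  # uplinks need their own policy; a shut port cannot be plugged into
        if "switchport port-security" not in lines:
            findings[name] = "port-security not enabled"
        elif "switchport port-security mac-address sticky" not in lines:
            findings[name] = "port-security on, but sticky MAC learning not enabled"
    return findings
```

Feed it the output of `show running-config` from each 3750 and the result is the list of ports to shut or lock; re-running it after the change confirms nothing was missed.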