17. 14.16 Forensic Concepts
As we secure our network, it's great to have devices like a firewall and an intrusion prevention system, sensors, and strong hashing and encryption algorithms. But something that often gets overlooked, or that we don't give enough attention, is physical security. We want to make sure that somebody doesn't go in and tamper with or walk off with some equipment that we have, or gain access to sensitive information. And as a personal confession, I did that at one time when I was working at a university: I left a storage room unlocked. And I thought nobody's going to go in that storage room where this equipment is stored, because they would have to go through three different doors to get there.
It's very out of the way, but somebody did, and they walked off with a lot of expensive networking gear, so I'm a big proponent of physical security. What can we do to detect something that might be going on? Well, we could put motion detectors in close proximity to doorways or equipment cabinets, places where somebody should not be without authorization. We could also put asset tracking tags on our gear, not just for inventory purposes: some of these asset tracking tags have passive RFID chips in them, so if somebody carries a piece of equipment through a doorway that's set up as a portal, it can detect that that RFID tag went through the door and alert someone.
We could have video surveillance keeping an eye on things, in addition to detecting whether somebody has tampered with a piece of equipment. As an example, you might have seen something like this when you're traveling. If you're traveling internationally, some people put a lock on the zipper pulls of their suitcase, or maybe the travel agency in the country they're traveling to might put a wire tie or a zip tie on the zipper pulls. So if somebody were to open that suitcase up and access the contents or add something to the contents, it would be evident that somebody had tampered with it. Well, we can use this kind of thing for our networking gear as well. We could have some sort of a sticker or a seal closing the chassis of perhaps a server or a router.
If somebody were to open that up, they would have to break that sticker or that seal. Or we might put a zip tie on as well, to make sure that nobody has accessed this without our knowledge. Those are a few detection methods for physical security. How do we prevent it, though? Well, to better prevent any sort of physical security breach, we can have badges where an employee has to swipe in to enter a doorway. And that badge not only opens the door, it also logs the fact that this employee was at this doorway at this particular time, which matters if somebody is going back and trying to figure out who was in close proximity to a particular event. Maybe somebody has to use biometrics, like a fingerprint or a retinal scan, to get access to a door.
One of the big prevention mechanisms, though, is actually employee training: making sure employees know what to watch out for, and not to let unauthorized or unknown personnel access an area, or access documents or equipment that they should not be accessing. One way some bad actors get access to locations they should not have access to is called tailgating. They just walk casually behind somebody that's going through a door, and the person they're following has access. That person uses their badge or their biometrics and opens the door, and the tailgater might be pretending to be a delivery person.
They might have a box and say, hey, can you hold the door for me? And they go in and they get through that secure door. To better protect against that, we can have mantraps outside of sensitive areas. With a mantrap, also known as an access control vestibule, by the way, we have at least two doors in this room. And when you open one door, the other door is locked until the first door is closed. You can only have one door unlocked at any one time. That's going to prevent somebody from just following you through an open door. And sometimes there may be somebody sitting in that access control vestibule to check the credentials of people passing through. That's called a mantrap or an access control vestibule. And of course, let's lock things up.
That was one of my big mistakes when I let that networking gear walk away. Not only locking doors, but we can lock equipment racks or the different cabinets containing equipment. You may have also heard of a smart locker. This is a locker where equipment can be stored, and this equipment might be for disaster recovery or equipment that's going to be sent out for repair. But it's going to require somebody to authenticate themselves before they can unlock that locker. They might authenticate themselves using something like a badge, a barcode, or a QR code. And we're going to be able to track when a certain person accessed that smart locker, because they authenticated themselves. And when it's time to get rid of equipment, we don't want somebody pulling a hard drive out of the dumpster, browsing through it, and gaining access to sensitive information.
So before you throw out equipment that has configurations, documents, anything that might be sensitive, you probably want to erase it. You might want to reset it to a factory default configuration, for example, if it's a piece of networking gear, because that piece of networking gear might be hard-coded with a pre-shared key, different access control list configurations, things that you would not want to be made public. And if you're getting rid of a computer, for example, it's not enough to just format the hard drive: even though it appears to be erased, most of the data is still there, and a knowledgeable attacker that gains access to that hard drive might be able to read a good bit of the information on it. So we need to sanitize our devices.
For example, here are a couple of things that I've done personally. If I'm getting rid of a server that has hard drives, I often use something called DBAN, Darik's Boot and Nuke, and that's going to write data over the top of any existing data on that hard drive, so there's not going to be any residual data still lying there. Or sometimes, if I'm not going to reuse this hard drive or give it to somebody, if I just really want to get rid of it, I often take a hammer and I will just hit that hard drive until it rattles inside. I want to shatter those platters on the hard drive, and that's another way of doing deep sanitization on that device. So in this video, we've taken a look at a few ways to detect somebody that might be trying to physically access something they should not access. We talked about ways to prevent that access and how to properly dispose of our networking gear.
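As an added example (not part of the lesson), here is how the badge-reader log the lecture mentions gets used after an incident: a small Python script, with a constructed log in an assumed format, that lists every badge presented at a given door within a time window around an event, closest first, denied swipes included.

```python
import re
from datetime import datetime, timedelta

# Constructed sample badge-reader log (not from the lesson); one event per line.
BADGE_LOG = """\
2024-03-02T13:40:05 door=STORAGE-RM-3 badge=E1042 result=GRANTED
2024-03-02T13:55:41 door=LOBBY-EAST badge=E2210 result=GRANTED
2024-03-02T14:02:11 door=STORAGE-RM-3 badge=E0777 result=DENIED
2024-03-02T14:04:30 door=STORAGE-RM-3 badge=E2210 result=GRANTED
2024-03-02T16:30:00 door=STORAGE-RM-3 badge=E1042 result=GRANTED
"""

# Assumed line layout: ISO timestamp, then door=, badge=, result= fields.
LINE_RE = re.compile(r"^(\S+) door=(\S+) badge=(\S+) result=(GRANTED|DENIED)$")


def parse_log(text):
    """Turn log lines into (timestamp, door, badge, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, door, badge, result = m.groups()
            events.append((datetime.fromisoformat(ts), door, badge, result))
    return events


def who_was_near(events, door, event_time, window_minutes=30):
    """Badges presented at `door` within +/- window_minutes of event_time, closest first.

    Denied swipes are kept on purpose: a failed attempt near the event is a lead too.
    """
    t0 = datetime.fromisoformat(event_time)
    window = timedelta(minutes=window_minutes)
    hits = [e for e in events if e[1] == door and abs(e[0] - t0) <= window]
    hits.sort(key=lambda e: abs(e[0] - t0))
    return [(badge, result, ts.isoformat()) for ts, _, badge, result in hits]


if __name__ == "__main__":
    # Gear found missing from STORAGE-RM-3 around 14:10: who badged that door?
    for badge, result, ts in who_was_near(parse_log(BADGE_LOG), "STORAGE-RM-3", "2024-03-02T14:10:00"):
        print(ts, badge, result)
```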
18. 14.17 Securing STP
We know that we can have STP, the Spanning Tree Protocol, protect us from Layer 2 topological loops. We could take a topology like this, which does have redundancy built in, and prevent any sort of looping or broadcast storm on the network by having spanning tree calculate a loop-free path, as highlighted here. However, we want to be able to protect this from somebody that might try to make a switch they add to the network become the root bridge, and thereby be able to intercept a lot of the traffic flowing through the network. After all, if somebody can attach a switch to the network and convince the network that that switch is the root bridge, then that malicious user that installed that switch could set up port mirroring and capture a whole lot of traffic going through our network. And we don't want that. So let's take a look in this video at a couple of ways of securing Spanning Tree Protocol. The first one is BPDU Guard, and it revolves around BPDUs.
Those are bridge protocol data units. Those are sent from Ethernet switches that are configured for Spanning Tree Protocol. This is the way that a switch knows that the root bridge is still there, that it's still available: there are hello messages sent out. These BPDUs are used in the election of the root bridge. But let's say that we had a port on this access layer switch, switch SW4. Let's say that Gig 0/2 was configured for a feature called PortFast, at least that's what it's called in the Cisco world. And PortFast says, I am promising that on this port I am only going to connect an end station like a PC or a printer. I promise I'm not going to connect an Ethernet switch, which might potentially cause a loop.
And in return for my solemn vow, I want you to not make me wait through the listening and the learning states, and to go active almost immediately. That's called PortFast, and it's a great way for PCs to boot up and get on the network quicker without having to wait for the spanning tree timers to expire. However, let's say that a malicious user, or maybe just accidentally, somebody connected a switch to a port that we promised would never have a switch connected to it. Let's imagine that switch SW5 comes along and we connect it into Gig 0/2. And as part of being a switch configured for spanning tree, it's going to send out a BPDU, this bridge protocol data unit, which is going to go into Gig 0/2 on SW4. Well, if we have BPDU Guard configured on that port, on that switch, that port is going to say, hey, I was promised that I would never, ever see a BPDU arrive on this port, and guess what, I just did. And in response to that, I'm going to go into an unusable state. On Cisco Catalyst switches, that state is called the err-disabled state, where it is not going to be forwarding user traffic, and it's going to remain in that state until there is an absence of those BPDUs that are coming from SW5. And again, this kind of scenario might happen by accident. But let's say that someone is intentionally trying to make their switch the root bridge. Let's say that we had a malicious user connect switch SW3 to a couple of other switches.
They connected to SW1 and to SW2, and they went in and they configured SW3 with a very low priority, such that it would have the lowest priority and therefore the lowest bridge ID of all of the different switches. And it should be elected as the root based on that bridge ID. However, if we have configured our infrastructure to know that we should never see a root bridge off of Gig 0/2 on SW1 or SW2, we know that that should never be the path to a root bridge. What we could do as administrators is configure a feature called Root Guard. With Root Guard, if we ever do see what is called a superior BPDU, a BPDU with a BID, a bridge ID, that would make its sender the root, if we ever see that coming in to a port configured for Root Guard, we are not going to believe it. That's what's happening here. Switch SW3 is sending a superior BPDU, with a lower bridge ID than anybody else, into Gig 0/2 on SW1. But fortunately, Gig 0/2 on SW1 is configured with the Root Guard feature. And as a result it says, I'm going to go into what is called a root-inconsistent state until I stop seeing those superior BPDUs. So even though somebody got access to two different switches in the network and they made their priority really low, so they thought that they would win the root bridge election, we're not going to allow them to, because we, as administrators, know that in our infrastructure we should never see a superior BPDU, and therefore a root bridge, off of specific ports. And we enforce that with a feature called Root Guard.
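Added example, not code from the lesson: a small Python model of the two features, with BPDU Guard on SW4's PortFast port and Root Guard on SW1's Gig 0/2. Bridge IDs, MAC addresses and port names are constructed; the model compares bridge IDs the way STP does (lower priority wins, lower MAC breaks ties) and shows which of the two blocked states clears on its own once the BPDUs stop.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeID:
    """STP bridge ID: lower priority wins, lower MAC breaks ties (tuple ordering does this)."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False   # PortFast edge port: no BPDU should ever arrive here
    root_guard: bool = False   # uplink on which a root bridge must never appear
    state: str = "forwarding"


class Switch:
    def __init__(self, name, root_bid):
        self.name = name
        self.root_bid = root_bid   # the root bridge this switch currently believes in
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive_bpdu(self, port_name, advertised_root):
        """Apply BPDU Guard, then Root Guard, to one BPDU arriving on a port; return the port state."""
        port = self.ports[port_name]
        if port.bpdu_guard:
            # Any BPDU at all breaks the PortFast promise: shut the port down.
            port.state = "err-disabled"
        elif port.root_guard and advertised_root < self.root_bid:
            # Superior BPDU (it would win the root election) on a port that must never
            # lead to the root: block the port instead of believing the BPDU.
            port.state = "root-inconsistent"
        # An inferior BPDU on a Root Guard port is harmless and changes nothing.
        return port.state

    def bpdus_stopped(self, port_name):
        """Model the BPDU timeout: a root-inconsistent port recovers by itself."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        # err-disabled stays put in this model; on Cisco switches an operator or the
        # errdisable recovery timer brings such a port back (known IOS behaviour, not from the lesson).
        return port.state
```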
19. 14.18 Router Advertisement (RA) Guard
In this video, we want to consider a feature that can help protect our IPv6 networks. Consider PC1 on screen. Let's say that it's going to try to give itself an IP address. IPv6 clients can do that using something called SLAAC, Stateless Address Autoconfiguration. And to do that, it wants to go out and talk to a router on its local link and ask the router, can you give me some information about this link? Such as, what is the prefix of this link? Remember, an IPv6 client can generate its own EUI-64 address, giving it the last 64 bits of its 128-bit IPv6 address. Or it can go ask the router, can you give me the first 64 bits? And it's going to do that with a router solicitation message.
And that's going to be destined for the multicast address FF02::2, which goes just to IPv6 routers. And since PC1 requested that of R1, R1 can specifically reply to PC1 with an RA message, a router advertisement, saying, yeah, here's some information about this link, and that can include the different prefixes on that link and how long those prefixes are valid. This RA information can also tell a client what default router to use. That kind of information is sent inside of a router advertisement. And even though R1 specifically replied to PC1 in that case, periodically R1 is going to announce that router advertisement information to all nodes on this segment. That sounds a lot like a broadcast, doesn't it? But technically it's not. Technically, it is a multicast destined for FF02::1, which is the all-nodes IPv6 multicast address. Now, let's think about some threats that this might introduce. For example, we might have an attacker connect to the network and convince a client that the attacker's laptop is the default router, much like a man-in-the-middle or an on-path attack. The attacker could respond to those router solicitation messages coming out from clients and give incorrect information that a client is going to be using for SLAAC.
So how do we protect ourselves from a malicious user attaching to the network and sending RA information that is incorrect and could be destructive to our network? Well, we can enable a feature called RA Guard, or Router Advertisement Guard. What that's going to do is, when an RA message comes into an interface, if RA Guard is enabled on that Ethernet switch, it's going to check that router advertisement against an interface policy. And if it doesn't meet that interface's policy, it's going to discard that packet, thus protecting us from any malicious RA messages.
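Added example, not from the lesson: a Python model of the per-interface policy check RA Guard performs. The policy fields are an assumption modelled on the host/router device roles that switch implementations such as Cisco IOS use; the addresses, prefixes and messages are constructed, with RAs sent to the all-nodes group FF02::1 and the RS to the all-routers group FF02::2 as the lecture describes.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network

ALL_NODES = "ff02::1"     # router advertisements are multicast here
ALL_ROUTERS = "ff02::2"   # router solicitations are multicast here


@dataclass(frozen=True)
class RaGuardPolicy:
    """Per-interface RA Guard policy (assumed field names, not a vendor API)."""
    device_role: str = "host"                 # "host": no RA is ever legitimate on this port
    allowed_routers: frozenset = frozenset()  # link-local sources permitted to send RAs
    allowed_prefixes: tuple = ()              # prefixes a permitted router may advertise


@dataclass(frozen=True)
class Ndp:
    kind: str        # "RS" or "RA"
    src: str         # link-local source address
    dst: str
    prefixes: tuple = ()


def ra_guard(msg, policy):
    """Return ("accept"|"drop", reason) for one NDP message received on a policed port."""
    if msg.kind != "RA":
        return "accept", "not a router advertisement"
    if policy.device_role == "host":
        return "drop", "RA arrived on a host-facing port"
    if policy.allowed_routers and msg.src not in policy.allowed_routers:
        return "drop", f"RA from unexpected router {msg.src}"
    allowed = [IPv6Network(p) for p in policy.allowed_prefixes]
    for p in msg.prefixes:
        if allowed and not any(IPv6Network(p).subnet_of(a) for a in allowed):
            return "drop", f"RA advertises unauthorized prefix {p}"
    return "accept", "RA matches the interface policy"


# Constructed sample policies and traffic (not from the lesson).
HOST_PORT = RaGuardPolicy(device_role="host")                 # where PC1 plugs in
UPLINK_PORT = RaGuardPolicy(device_role="router",             # where R1 plugs in
                            allowed_routers=frozenset({"fe80::1"}),
                            allowed_prefixes=("2001:db8:10::/48",))
LEGIT_RA = Ndp("RA", "fe80::1", ALL_NODES, ("2001:db8:10:1::/64",))
ROGUE_RA = Ndp("RA", "fe80::bad", ALL_NODES, ("2001:db8:dead::/64",))
RS_FROM_PC1 = Ndp("RS", "fe80::abcd", ALL_ROUTERS)
```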