More reason’s to secure your LAN
Security always comes at the expense of userabilty. It is a balancing act which changes according to the security threats that you are likely to face, and the ease of use/management.
Take for example your Local Area Network. It is best practice to “shutdown” Ethernet ports when not in use, then to un-patch Ethernet ports which have not been used for a period of time. However it is seldom done due to the fact that it is a pain to suddenly make the port live when users require access. Most network admins want users to be able to just plug into the network without hindrance. Even worse, this same practice is also used on wireless networks (No WEP, WPA security). This allows network admins to sit at their workstations and enable access to network resources by enabling user accounts or changing group permissions.
Hopefully what I’m about to show you will encourage you to elevate your threat level and increase your security systems to combat a new type of threat. This threat increases the number of attacks to disrupt your network and in some case’s compromise your IT systems. It can accomplish all this without a username or password, or even a TCP/IP address, all it needs is a live network port or a open wireless
network.
It uses infrastructure protocols which are often overlooked. Most of the security attention tends to be on the higher level protocols which travel via routers and across the Internet. The infrastructure Layer 2
protocols (STP , DHCP,CDP,VTP,HSRP etc) although local are vital to the functioning of a network.
A software network analysis tool named after the bacteria which causes plague (“Yersinia pestis”)can cause everything which I have just described. It has been designed to be a penetration testing tool,however in the wrong hands it can be devastating.
There are defenses against these form of attacks, but it takes time and effort.
- Keep your physical network points secure, and make staff
aware of network security - Keep a map of your network updated. This can be used to
determine “quiet areas” for plug in attacks. - Use STP Port fast sparingly
- Use Authentication in your HSRP groups
- Keep your switch firmware updated.
- Disable Cisco Discovery Protocol
The best defenses are the physical ones. It does add more management time, but at least your network security will have increased.
Comments:
Search
Recent Posts
- Everybody hates ubuntu January 22, 2017
- Client integration with IPBrick.OS and openSUSE Leap 42.1 March 5, 2016
- Vmware VSAN virtualised storage area networks February 26, 2016
- Distorted audio with Yealink Phones and alaw g711a January 19, 2016
- How to connect Symfony2 with IPBrick LDAP using KnpUGuard August 28, 2015
- reset local accounts on IPBrick August 21, 2015
- Add new storage to your IPBrick August 20, 2015
- Asterisk Comedian Mail menu map August 19, 2015
- Configure UK console keyboard on IPBrick August 19, 2015
- Configure QOS on your IPBrick August 18, 2015
Recent Comments
- on Using IPset with IPtables in Ubuntu LTS 10.04 to block large IP ranges
- on How to get Yealink phones connecting over VPN
- on How to get Yealink phones connecting over VPN
- on How to get Yealink phones connecting over VPN
- on How to get Yealink phones connecting over VPN
- on Distorted audio with Yealink Phones and alaw g711a
- on How to get Yealink phones connecting over VPN
- on How to get Yealink phones connecting over VPN
Older Posts
- January 2017
- March 2016
- February 2016
- January 2016
- August 2015
- January 2015
- November 2013
- September 2013
- December 2012
- November 2012
- July 2012
- April 2012
- February 2012
- December 2011
- October 2011
- August 2011
- April 2011
- July 2010
- June 2010
- May 2010
- March 2010
- December 2009
- June 2009
- October 2008
- September 2008
- July 2008
- June 2008
- January 2008
- December 2007
- April 2007
- February 2007
- January 2007
- September 2006
- April 2006
- November 2005
- October 2005
- August 2005
- June 2005
- May 2005