Implementing security on an enterprise IP network

Deepa

BANGALORE, INDIA: Enterprise networks are expanding as the number of network users grows. Switched networks are deployed throughout the enterprise and in other parts of the network infrastructure, such as service provider networks.

Security on these switches is as critical as security on servers and end-user computers. A breach of a core switch can bring a large network to a complete standstill. When networking equipment is installed in an environment that exposes it to unauthorized access attempts and malicious attacks, it must be configured in a way that blocks those attacks.

The best-practice guidelines for configuring a switch for maximum protection against attacks and maximum network stability include:

1. Securely configure management services that must be available, and disable ones that are not required.

2. Use filters to block undesirable traffic.

3. Configure the switch against Layer 2 attacks.

4. Securely configure Layer 3 protocols.

5. Protect the network from unauthorized access.

6. Configure the switches to be resilient to network loops.

Securely configuring management services such as:

1. Simple Network Management Protocol v3

The SNMPv3 protocol makes it possible to configure SNMP far more securely than earlier versions of SNMP allowed. In particular, with SNMPv3 you can:

1. Encrypt the SNMP messages sent across the network.

2. Check that SNMP messages have not been tampered with in transit across the network.

3. Set up restricted views, that is, limited sets of MIB variables that particular users are allowed to access.

These users must authenticate with a password to gain access to their view.

Beyond SNMP, the remaining management-plane steps are:

1. Disable Telnet access to all network equipment.

2. Enable Secure Shell (SSH) for administering the network equipment.

3. Configure and use IPv4 and IPv6 ACLs to block undesirable traffic.

4. Block network attacks (covered in the next section).

2. Network attacks can be blocked by:

1. Secure configuration of Spanning Tree Protocol.

2. Protecting against root bridge spoofing attacks.

3. Enabling STP root guard.

4. Enabling STP BPDU guard.

5. Protecting against MAC-flooding attacks by limiting MAC address learning per port.

6. Protecting against DoS attacks in the LAN.

3. Securely configuring Layer 3 protocols

Configure Layer 3 routing protocols such as OSPF, RIPv2 and BGP with MD5 authentication, so that a rogue device cannot form an adjacency with your routers or inject routes. MD5 is the baseline that all three protocols support; where the platform offers HMAC-SHA authentication, prefer it over MD5.

4. Protect the network against unauthorised access

* 802.1x port authentication

* MAC-based authentication

* Web-based authentication

The combination of these three methods enables you to create a network in which every device connected to the network can be authenticated.

5. Configure storm protection as follows:

* Loop detection

* Thrash limiting

If the switch detects that certain MAC addresses are being rapidly relearned on different ports, then that is an indication that a network loop is occurring.

When there is a loop in the network, packets from the same source MAC arrive at a switch from two directions, so the source MAC is learnt repeatedly on one port and then on the other. This is called MAC thrashing. If the switch detects MAC thrashing, it knows there is a problem.

Note that thrash limiting can be configured on per interface basis.

* Storm control

The switch can be configured to put an upper limit on the rate at which it will forward broadcast, multicast, or unknown unicast packets. This controls the level of traffic that a network loop will cause to be flooded in the network.

Note that storm control can be configured on per interface basis.
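As an added example (not code from the article or from Allied Telesis), the following Python script applies the thrash-limiting logic described under "Thrash limiting" to a constructed stream of MAC-learn events: a MAC relearned on different ports more than a threshold number of times within a short window is flagged, and the ports involved are reported so that a per-interface action can be taken. The event tuples, port names, window and threshold are assumptions for illustration; a single move (a laptop re-plugged elsewhere) and repeated refreshes on the same port are deliberately included so the check can be seen to ignore them.

```python
from collections import defaultdict, deque

# Constructed sample MAC-learn events (seconds, MAC, port) for illustration only;
# these are not records captured from any real switch.
SAMPLE_EVENTS = [
    # 00:11:22:33:44:55 flaps between two ports every 10 ms: the loop signature
    *[(0.01 * i, "00:11:22:33:44:55", "port1.0.1" if i % 2 == 0 else "port1.0.2")
      for i in range(12)],
    # aa:bb:cc:dd:ee:01 moves once (a laptop re-plugged): normal behaviour
    (0.00, "aa:bb:cc:dd:ee:01", "port1.0.7"),
    (0.50, "aa:bb:cc:dd:ee:01", "port1.0.9"),
    # aa:bb:cc:dd:ee:02 is refreshed repeatedly on the same port: normal ageing
    *[(0.05 * i, "aa:bb:cc:dd:ee:02", "port1.0.3") for i in range(12)],
]


def detect_mac_thrashing(events, window_seconds=1.0, max_moves=5):
    """Flag MACs whose learnt port changes more than max_moves times
    within any window_seconds interval.

    Returns {mac: sorted list of ports the MAC was thrashing between}.
    """
    last_port = {}                     # mac -> port most recently learnt on
    move_times = defaultdict(deque)    # mac -> timestamps of port changes in window
    ports_seen = defaultdict(set)      # mac -> ports involved in port changes
    flagged = {}
    for ts, mac, port in sorted(events):
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue                   # first sighting, or a refresh on the same port
        q = move_times[mac]
        q.append(ts)
        ports_seen[mac].update((prev, port))
        while ts - q[0] > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) > max_moves:
            flagged[mac] = sorted(ports_seen[mac])
    return flagged


def thrash_limited_ports(flagged):
    """Ports a per-interface thrash-limiting action (e.g. disabling learning or
    shutting the port) would apply to, given detect_mac_thrashing's result."""
    return sorted({port for ports in flagged.values() for port in ports})


if __name__ == "__main__":
    result = detect_mac_thrashing(SAMPLE_EVENTS)
    for mac, ports in result.items():
        print(f"MAC thrashing: {mac} between {', '.join(ports)}")
    print("ports to act on:", thrash_limited_ports(result))
```

The window and threshold are the tuning knobs: too low a threshold and a device that roams between two access points is disabled, too high and a loop floods the network for longer before the port is shut.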

6. Control plane bandwidth control and control plane security

To ensure that the CPU's processing capacity is never oversubscribed by data arriving from the switching fabric, a strict limit can be imposed on the rate at which data is passed over the fabric-to-CPU channel. This works because network management and control traffic, whilst vital, is not high in volume.

If high volumes of data are coming up to the switch's CPU, most of this data will not be valid control plane packets. For instance, they could be packets generated by deliberate DoS (Denial of Service) attacks, or sustained high levels of broadcasts caused by a loop or a faulty device on the network.

Limiting the rate of data transfer to the CPU will not penalise normal control plane communications, but will combat the effect of DoS attacks and storms.

7. Configure your network monitoring

* Configure logging to a syslog server

It is highly advisable to log all activity on the switch to a syslog server, as this will provide a detailed audit trail in the event of a suspected security breach, or other problem.

* Configure NTP

For investigating any events that happen on the network, it is highly desirable for the system time on all the switches to be synchronized.

The most effective way to synchronise the time on all the switches is to use NTP: point every network device at the same NTP server.

All above security protections can be configured through configuration scripts.
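As an added example, not from the article or from the vendor, here is a small Python audit that checks a running-config text against the checklist above. It runs a weak excerpt beside a hardened one and reports which protections are missing and which unsafe settings are still present. The configuration excerpts are constructed, the command syntax is IOS-style and assumed rather than quoted from any vendor manual (the real syntax varies by platform and the patterns in CHECKS should be adapted to the CLI in use), and the addresses and credentials are placeholders.

```python
import re

# Constructed, IOS-style configuration excerpts for illustration only. The
# command syntax is assumed, not quoted from any vendor manual; adjust the
# patterns in CHECKS and FORBIDDEN to the CLI you actually run.
WEAK_CONFIG = """\
hostname core-sw1
service telnet
snmp-server community public RO
!
interface port1.0.1
 switchport mode access
!
router ospf 100
 network 10.0.0.0/8 area 0
!
"""

HARDENED_CONFIG = """\
hostname core-sw1
no service telnet
service ssh
snmp-server view ifview 1.3.6.1.2.1.2 included
snmp-server group netops priv read ifview
snmp-server user monitor netops auth sha AuthPassw0rd priv aes PrivPassw0rd
log host 10.10.0.5
ntp server 10.10.0.6
!
interface port1.0.1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast bpdu-guard
 storm-control broadcast level 10
 dot1x port-control auto
!
interface port1.0.24
 spanning-tree guard root
!
router ospf 100
 network 10.0.0.0/8 area 0
 area 0 authentication message-digest
!
"""

# Protections that must appear on at least one line of the config (regex per line).
CHECKS = {
    "telnet disabled":            r"^no service telnet$",
    "ssh enabled":                r"^service ssh$",
    "snmpv3 user with auth+priv": r"^snmp-server user \S+ \S+ auth \S+ \S+ priv \S+ \S+$",
    "snmpv3 restricted view":     r"^snmp-server view \S+ \S+ included$",
    "syslog server":              r"^log host \S+$",
    "ntp server":                 r"^ntp server \S+$",
    "bpdu guard":                 r"^ spanning-tree portfast bpdu-guard$",
    "root guard":                 r"^ spanning-tree guard root$",
    "port security (MAC limit)":  r"^ switchport port-security maximum \d+$",
    "storm control":              r"^ storm-control (broadcast|multicast|unicast) ",
    "802.1x port authentication": r"^ dot1x port-control auto$",
    "ospf authentication":        r"^ area \d+ authentication message-digest$",
}

# Settings whose presence is itself a finding.
FORBIDDEN = {
    "telnet service enabled":      r"^service telnet$",
    "SNMPv1/v2c community string": r"^snmp-server community ",
}


def audit_config(config_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    lines = config_text.splitlines()

    def present(pattern):
        return any(re.match(pattern, line) for line in lines)

    findings = [f"missing: {name}" for name, pat in CHECKS.items() if not present(pat)]
    findings += [f"found: {name}" for name, pat in FORBIDDEN.items() if present(pat)]
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'all checks passed'}")
```

Running the audit over every switch's saved configuration from the same script that pushes the configuration gives a cheap regression check: a protection that is later removed by hand shows up as a finding rather than staying silently absent until the next loop or attack.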

The author is country manager, India & SAARC at Allied Telesis.
