Security threats in the LAN
February 2014

Perimeter defense

Security threats
Security threats in the LAN

Information stealing

Information stealing

Information stealing / DoS
Rogue DHCP Server

DoS

Information stealing / DoS

Information stealing / DoS
Spanning tree attack

Oh no!!!! What do we do??????

Look who’s knocking

AAA
Authentication
Authorization
Accounting

Introducing 802.1X
802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Component Protocols
Two protocols are involved in the authentication conversation:
EAPoL is exchanged between the Supplicant and the Authenticator.
EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1X.
RADIUS is exchanged between the Authenticator and the Authentication Server.
RADIUS has received specific extensions to interoperate with EAPoL.
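
An added example (not from the original slides) of the two legs described above: decoding EAPoL frames sent by the Supplicant, then re-packaging the EAP packet into RADIUS EAP-Message attributes (type 79, RFC 3579) as the Authenticator does. The sample frames and the identity `alice@example.test` are constructed.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE = 79  # RADIUS attribute type that carries EAP (RFC 3579)

def parse_eapol(payload: bytes) -> dict:
    """Decode an EAPOL header (the bytes after EtherType 0x888E) and any EAP packet in it."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]  # slicing to `length` drops Ethernet padding
    if len(body) != length:
        raise ValueError("EAPOL length exceeds captured bytes")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "eap": None}
    if ptype == 0:
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("bad EAP length")
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "raw": body[:eap_len]}
        if code in (1, 2) and eap_len > 4:  # only Request/Response carry a method type
            eap["method"] = body[4]         # 1 = Identity
            eap["data"] = body[5:eap_len]
        out["eap"] = eap
    return out

def radius_eap_attributes(eap_packet: bytes) -> list[bytes]:
    """Authenticator leg: split an EAP packet into EAP-Message attributes.

    A RADIUS attribute is type(1) + length(1) + value, so each holds at most 253 value bytes.
    """
    chunks = (eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253))
    return [bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks]

# Constructed sample frames (EAPOL payloads only, Ethernet header omitted).
START = bytes.fromhex("01010000")                        # EAPOL-Start, no body
_identity = b"alice@example.test"
_eap = struct.pack("!BBHB", 2, 1, 5 + len(_identity), 1) + _identity   # EAP-Response/Identity
RESPONSE_ID = struct.pack("!BBH", 1, 0, len(_eap)) + _eap

if __name__ == "__main__":
    print(parse_eapol(START))
    frame = parse_eapol(RESPONSE_ID)
    print(frame["eap"]["code"], frame["eap"]["data"])
    print([a.hex() for a in radius_eap_attributes(frame["eap"]["raw"])])
```

In a real Access-Request these attributes travel alongside a Message-Authenticator attribute, which this sketch does not compute.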

Example Message Sequence

Dynamic VLAN Assignment / Guest VLAN
[Diagram labels: Router; Core Switches (stacked); Authentication Switches; Link Aggregation; RADIUS Server; PC VLAN 10; PC VLAN 20; Linux VLAN 20; Printer VLAN 20; IP Phone VLAN 30; Guest VLAN 10; Data VLAN 20; Voice VLAN 30]

Allied Telesis & Microsoft NAP
[Diagram labels: 802.1x Authentication, Supplicant, MAC; Core Switches (stacked); Authentication Switches; Link Aggregation; NIC Teaming/802.3ad; RADIUS Server; Windows Server 2008 (Network Policy Server (NPS), Domain Controller); Printer VLAN 30; IP Phone VLAN 40; Windows Vista VLAN 30; Windows Vista VLAN 10]

NAC Overview
Remediation Server

What about him?
Disgruntled employee

DHCP snooping + ARP security

Port security

DHCP snooping

Ingress filter

Spanning tree defense
BPDU Guard / Root Guard

This is a switch:

Americas Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11
© 2011 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.