VMware Infrastructure is one of the most widely deployed software suites for optimizing and managing IT environments through virtualization — from the desktop to the data center. Virtualization has become one of the red-hot trends now, and its pace will only pick up as people look at cutting operational costs.
Naturally, we should look at whether virtualization, although good for cost cutting, would result in any compromise in security. When used properly, VMware can provide security and isolation equivalent to a physical environment. I have noticed that the main problems that seem to arise come from the fact that the right people are NOT managing the right things. Example: the server team managing both the network and the servers without the network team knowing about it. Therefore it is important that roles and responsibilities are assigned and distributed properly according to skill set from the beginning.
In any case, I thought I might point out some of the interesting features of ESX Server that can protect against some common LAN attacks:
• Virtual switches do not learn from the network in order to populate their forwarding tables. This eliminates a likely vector for denial-of-service (DoS) or leakage attacks, either as a direct DoS attempt or, more likely, as a side effect of some other attack, such as a worm or virus, as it scans for vulnerable hosts to infect.
• Virtual switches also make private copies of any frame data used to make forwarding or filtering decisions. This is a critical feature and is unique to virtual switches.
It is important to ensure that frames are contained within the appropriate VLAN on a virtual switch. ESX Server does so in the following ways:
• VLAN data is carried outside the frame as it passes through the virtual switch. Filtering is a simple integer comparison. This is really just a special case of the general principle that the system should not trust user-accessible data.
• Virtual switches have no dynamic trunking support.
• Virtual switches have no support for what is referred to as native VLAN.
Dynamic trunking and native VLAN are common features in which an attacker may find vulnerabilities that could open isolation leaks. These can lead to a number of attacks that use VLAN hopping to break network security zones.
This is not to say that these features are inherently insecure, but even if they are implemented securely, their complexity may lead to misconfiguration and open an attack vector. Hence once again, the need to match the right skillset with the right job.
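To make the two properties above concrete (a forwarding table that is not learned from the wire, and VLAN membership carried as an out-of-band integer per port), here is an added toy model in Python. It is not VMware's code: the port names, MAC addresses and frames are constructed for the demo, the learning switch evicts its oldest entry when full as a stand-in for entry ageing, and the virtual switch simply drops a frame for an unknown destination rather than modelling uplinks. What it shows is that a burst of frames with made-up source addresses pushes a learning switch into flooding a later unicast to every port, while the static-table switch is unaffected, and that a port in one VLAN cannot reach a MAC that lives in another.

```python
# Added example (not VMware's code): a toy comparison of a MAC-learning switch
# with a virtual switch whose forwarding table is fixed from VM configuration
# and whose VLAN membership is an out-of-band integer per port.
# All MAC addresses, port names and frames below are constructed for the demo.
import random
from collections import OrderedDict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC as written by the sender (may be spoofed)
    dst: str  # destination MAC


class LearningSwitch:
    """Classic switch: learns (source MAC -> port) from every frame it sees.

    The table is bounded; when full, the oldest entry is evicted (a stand-in
    for ageing). A frame whose destination is not in the table is flooded."""

    def __init__(self, ports, capacity):
        self.ports = set(ports)
        self.capacity = capacity
        self.table = OrderedDict()  # mac -> port, oldest first

    def forward(self, in_port, frame):
        if frame.src != BROADCAST:
            self.table[frame.src] = in_port
            self.table.move_to_end(frame.src)
            if len(self.table) > self.capacity:
                self.table.popitem(last=False)  # evict the oldest entry
        out = self.table.get(frame.dst)
        if out is None or frame.dst == BROADCAST:
            return self.ports - {in_port}  # unknown destination: flood
        return set() if out == in_port else {out}


class StaticVSwitch:
    """Virtual switch: the table is built from which VM NIC sits on which port.

    Source MACs seen on the wire never change it, so spoofed sources cannot
    fill or poison it. VLAN membership is stored per port, outside the frame,
    and filtering is an integer comparison between ingress and egress port."""

    def __init__(self, assignments):
        # assignments: port -> (mac, vlan_id), taken from VM/port-group config
        self.port_cfg = dict(assignments)
        self.table = {mac: port for port, (mac, _) in assignments.items()}

    def forward(self, in_port, frame):
        vlan = self.port_cfg[in_port][1]  # set by the port, not by the VM
        if frame.dst == BROADCAST:
            return {p for p, (_, v) in self.port_cfg.items()
                    if v == vlan and p != in_port}
        out = self.table.get(frame.dst)
        if out is None or out == in_port or self.port_cfg[out][1] != vlan:
            return set()  # unknown, looped-back or other-VLAN destination: drop
        return {out}


VICTIM, SERVER, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def random_macs(count, seed=1):
    """Constructed, locally administered source addresses for the burst."""
    rng = random.Random(seed)
    return ["06:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
            for _ in range(count)]


def learning_switch_leaks(burst=50, capacity=8):
    """Victim talks first (gets learned), one port then emits a burst of
    frames with made-up sources, then the server answers the victim.
    Returns True if the bursting port receives that unicast."""
    sw = LearningSwitch({"victim", "server", "attacker"}, capacity)
    sw.forward("victim", Frame(src=VICTIM, dst=SERVER))
    for mac in random_macs(burst):
        sw.forward("attacker", Frame(src=mac, dst=BROADCAST))
    delivered = sw.forward("server", Frame(src=SERVER, dst=VICTIM))
    return "attacker" in delivered


def static_vswitch_leaks(burst=50):
    """Same traffic against the static virtual switch: (leaked?, table size)."""
    sw = StaticVSwitch({"victim": (VICTIM, 10), "server": (SERVER, 10),
                        "attacker": (ATTACKER, 10)})
    sw.forward("victim", Frame(src=VICTIM, dst=SERVER))
    for mac in random_macs(burst):
        sw.forward("attacker", Frame(src=mac, dst=BROADCAST))
    delivered = sw.forward("server", Frame(src=SERVER, dst=VICTIM))
    return "attacker" in delivered, len(sw.table)


def cross_vlan_delivery():
    """A port in VLAN 20 addressing a MAC that lives in VLAN 10: filtered."""
    sw = StaticVSwitch({"victim": (VICTIM, 10), "server": (SERVER, 10),
                        "attacker": (ATTACKER, 20)})
    return sw.forward("attacker", Frame(src=ATTACKER, dst=SERVER))


if __name__ == "__main__":
    print("learning switch floods unicast to bursting port:", learning_switch_leaks())
    print("static vswitch (leaked, table size):", static_vswitch_leaks())
    print("cross-VLAN unicast delivered to:", cross_vlan_delivery())
```

The design point is in the two `forward` methods: the learning switch's table is written by whatever arrives on the wire, so its contents are attacker-influenced data, whereas the virtual switch's table and VLAN membership come from the hypervisor's configuration and the frame only supplies a destination to look up.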
Friday, December 19, 2008
Saturday, December 6, 2008
LAN Security with Cisco
In a LAN environment, MAC flooding and MAC spoofing attacks can be extremely effective. Gone are the times when hubs used to dominate the network. Switches have gone a long way in mitigating man-in-the-middle attacks. If you are still using hubs in your network, then it's time to put that budget focus on getting some switches.
However, it is still quite easy to carry out attacks in a switched environment. These attacks can help an attacker collect valuable information, such as usernames and passwords, or simply impact the proper operation of your LAN.
Fortunately there are some easy ways to protect ourselves from these attacks. One of these provided by Cisco switches is Port Security.
Port Security protects us by recognising spoofed MAC addresses. A security violation occurs when the source MAC address of a frame is not in the list of secure addresses.
At that point, three actions are possible:
• The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) A Simple Network Management Protocol (SNMP) trap can also be generated to notify about this.
• The port drops frames from unknown addresses (protect mode).
• The port drops frames from unknown addresses and increments a violation counter.
SNMP trap generation is possible on some releases/Cisco switches (restrict mode).
Details about how to configure Port Security can be seen here for CatOS and here for IOS switches.
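As an added illustration (not Cisco's code), the following Python models a port with Port Security enabled under each of the three violation modes above and runs the same constructed frame sequence through each; it also parses the syslog line IOS writes when a violation occurs, so such events can be counted from a log feed. The port names, MAC addresses and log lines are constructed for the demo, and the model simplifies real Port Security (no address ageing; the first `maximum` source addresses seen are learned as secure).

```python
# Added example (not Cisco code): a model of a port-security-enabled switch
# port with the shutdown / protect / restrict violation modes, plus a parser
# for the IOS syslog message emitted on a violation. Names, MACs and the
# sample log lines are constructed for the demo.
import re
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    mode: str                 # "shutdown", "protect" or "restrict"
    maximum: int = 1          # how many secure addresses the port may hold
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac):
        """Return 'forward', 'drop' or 'errdisable' for a frame with this source."""
        if self.err_disabled:
            return "drop"                    # port is down until recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)    # learned as a secure address
            return "forward"
        # Source is not a secure address: this is a security violation.
        if self.mode == "shutdown":
            self.err_disabled = True
            self.violations += 1
            return "errdisable"
        if self.mode == "restrict":
            self.violations += 1             # counted; a trap can be sent here
            return "drop"
        return "drop"                        # protect: silent drop, no count

    def recover(self):
        """Operator action or errdisable auto-recovery brings the port back."""
        self.err_disabled = False


LEGIT, SPOOFED = "0011.2233.4455", "dead.beef.0001"   # constructed MACs


def compare_modes():
    """Run legit, spoofed, spoofed through a fresh port in each mode.
    Returns mode -> (actions, violation count, err-disabled flag)."""
    out = {}
    for mode in ("shutdown", "protect", "restrict"):
        port = SecurePort(name=f"FastEthernet0/1-{mode}", mode=mode)
        actions = [port.ingress(mac) for mac in (LEGIT, SPOOFED, SPOOFED)]
        out[mode] = (actions, port.violations, port.err_disabled)
    return out


# Shape of the IOS message for a port-security violation.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>[A-Za-z0-9/]+)"
)


def parse_violation(line):
    """Return (offending MAC, port) for a violation line, else None."""
    m = VIOLATION_RE.search(line)
    return (m.group("mac"), m.group("port")) if m else None


# Constructed sample log lines in IOS syslog format.
SAMPLE_LOG = [
    "Dec  6 10:14:02 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address dead.beef.0001 on port FastEthernet0/1.",
    "Dec  6 10:14:05 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "FastEthernet0/1, changed state to down",
]


def violations_in_log(lines):
    """Collect (mac, port) pairs for every violation line in a log feed."""
    return [v for v in map(parse_violation, lines) if v]


if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print(f"{mode:9s} actions={result[0]} violations={result[1]} errdisabled={result[2]}")
    print("violations in sample log:", violations_in_log(SAMPLE_LOG))
```

The run makes the operational difference visible: shutdown mode takes the port down on the first offending frame (so a legitimate host behind it also loses connectivity until recovery), protect mode drops quietly and leaves nothing to alert on, and restrict mode drops while incrementing the counter that monitoring can pick up alongside the syslog line.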
Wednesday, December 3, 2008
Welcome
Hi all, my name is Ejaz and I'm excited to start this blog. Security has become an increasingly important topic for everyone. The vast amount of possibilities that computers and the internet have provided to benefit us have also increased the various and creative ways we can be harmed and damaged as well.
Heavy financial losses, breaches of privacy, and even the downfall of corporations have recently been attributed to the inability of corporations to protect themselves from cyber-risks. Individuals have been victims of identity theft and credit card fraud. Sometimes the losses can be even more serious, such as with the much hyped cyber-terrorism scenarios.
However, this blog will not be about a philosophical approach to security (although it might inadvertently include some from time to time :) ). I will be providing my insights and research into various tools that can be used by people to improve their security posture and other interesting things related to security and networking.