
Real World Security Mitigation

cjthedj45 Member Posts: 331
Hi,

I'm studying for my CCNA Security (exam on Monday) and I wondered if some of the things I have learned to mitigate security threats/vulnerabilities are actually used in real environments. I can see the benefits of them, but I'm not sure if the actual overhead warrants implementing them. Here are a few that I think are good ideas and could be suggested at my company as service improvements.

Port Security. Great for protecting against inside CAM overflow attacks, man in the middle, etc. I think this would only work if you had your switch environment managed really well, i.e. first 8 ports accounting VLAN, next 10 ports another VLAN, a VLAN for laptop users who come in and out, etc., and then you tied the port down to one MAC address. In our environment PCs move a lot and the switch stacks are not blocked into VLANs; the VLANs are all over the stack. So I think managing this could cause quite an overhead. Just wondered if anyone out there does use Port Security in any way.

Storm Control. In the example Jeremy gives, he has to sort out a PC that has a rootkit installed; it starts sending out broadcasts of some type, the switch starts running at 100% and the network grinds to a halt. Storm control can block a port if broadcast traffic goes over a certain level, so this seems like a good idea. I know that most laptops should have AV on that should remove the rootkit. For a while, though, some of our laptops had no AV, and then there are third parties who come in who may not have AV installed.

Comments

  • it_consultant Member Posts: 1,903
    You will find most layer 2 attacks can be easily mitigated by a locked door. Data leakage by employees is probably the most concerning. People who have the skill to burrow, undetected, through the open ports on a firewall are few and far between. Focus on making your users security conscious, since they are the biggest risk.
  • rwmidl Member Posts: 807
    One thing to consider in regards to third party laptops (I'm going to guess they are guests, etc.): do they need access to your production network? If so, why do they? If they do not, have you considered setting up a guest network, completely separate and isolated from your production network (i.e. just grant them Internet access)?
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security+ | MCTS
  • eansdad Member Posts: 775
    It would also depend on how much security is actually needed. A government system will need a lot more security than a mom and pop store. I've seen large scale companies use port lockdown and separate VLANs, but although I would enjoy locking down the ports where I'm at, it just wouldn't be practical.
  • Paul Boz Member Posts: 2,620
    Port security doesn't scale very well beyond a few hundred systems, and if you have a lot of adds, moves, and changes, it becomes a nightmare. On the other hand, port security is GREAT for data centers, where adds, moves, and changes are far less frequent. This is also a more secure environment where you want to have additional security. I always recommend sticky MACs and a strict MAC count for data center switchports.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC | GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • cjthedj45 Member Posts: 331
    Uhmm, I had a feeling that they would not be used in the real world. I do like the idea of having a managed switch environment where each group of ports is assigned to each VLAN and colour coded or marked to identify it, and port security enabled on all the business VLANs, perhaps with a VLAN allocated for guests with no port security. If a machine has to be moved or users move, then as part of the change request the port security needs to be reconfigured. However, as we know, in reality it never works like that; users sometimes move themselves, etc. We do have a guest VLAN already at work with just Internet access and no access to the production network, but this is still susceptible to the broadcast attack that Jeremy mentioned. Not sure how well storm control would work, though, as it could be hard to determine what an acceptable level of broadcasts is for each port. Thanks for all your comments though, it's good to hear how other people mitigate these threats.
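For reference, here is what the sticky-MAC port security Paul Boz recommends for data center ports, and the storm-control threshold the last post wonders about, look like in Cisco IOS. This is an added example, not config from any poster; the interface names, VLAN numbers and the threshold percentages are assumed values, and the storm-control levels in particular should come from a baseline of each port's normal broadcast rate before they are enforced.

```cisco
! Data center host port: strict MAC count + sticky learning
! (interface name and VLAN are assumed values)
interface GigabitEthernet1/0/10
 description DC-host (assumed)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 ! Exactly one MAC allowed; the first MAC seen is learned and written
 ! into the running config so it survives a reload once saved
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "restrict" drops frames from any other MAC and logs/traps the violation
 ! without err-disabling the port; "shutdown" is the stricter alternative
 switchport port-security violation restrict
 ! Storm control: drop broadcast above 1% of link bandwidth, resume at 0.5%
 ! (assumed thresholds; measure the port's normal broadcast rate first)
 storm-control broadcast level 1.00 0.50
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Guest port: no port security (users come and go), but storm control still
! caps the broadcast flood the thread describes (interface/VLAN assumed)
interface GigabitEthernet1/0/24
 description Guest-access (assumed)
 switchport mode access
 switchport access vlan 99
 storm-control broadcast level 2.00 1.00
 ! Err-disable the port on a storm rather than only dropping the excess
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Bring err-disabled ports back automatically after 5 minutes so a single
! incident does not need a manual "shutdown / no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification (privileged EXEC):
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show storm-control GigabitEthernet1/0/24 broadcast
! show interfaces status err-disabled
```

The "show storm-control" counters are the easiest way to find a realistic threshold: run the ports with a deliberately generous level for a week, note the peak, then tighten it.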