Ethernet LAN Security

  • Ethernet LAN Security

    Hi All,

    I recently read a post on this forum entitled "how to catch/block a sniffer on my network!!?". I was very interested in the fact that there are problems with the way Ethernet works and the fact that anything connecting to the network doesn't require authentication.

    After reading through the information on grc.com about ARP Cache Poisoning, I thought about doing my final year's project (Final year at University that is) on Ethernet LAN Security. The project is just in planning stages as I'm still trying to figure out if it's viable to do and it is subject to approval by my course lecturer.


    I have done a little research into the subject and found out some interesting information about LAN that my University have not taught me. I have found the following problems:
    • Weakness in broadcasts (the root of ARP poisoning so I understand)
    • Sniffing is easy on networks with network hubs (easily prevented with L2 Switches so I understand)
    Are there any other problems anyone can think of?


    I have looked into and am going to continue to research into the following topics:
    • LSA - LAN Security Architecture
    • L2TP - Layer 2 Tunneling Protocol
    • IPSec - Internet Protocol Security
    • Kerberos (for authentication)
    Is there anything else I should look into? Any alternatives to these?

    If anyone has any suggestions or if I've got something wrong here, please feel free to reply; I am happy to receive any advice.

    Though I will try to focus on a Windows network, I would like to take into consideration other OS networks/protocols like AppleTalk etc.

    Thanks in advance to anyone who replies.

    Regards,

    Richard

  • #2
    Re: Ethernet LAN Security

    IPSec is the security mechanism which you should use if you would like to use internal security.
    Also, IPsec can be used for VPNs between, for example, ISA - PIX etc.
    L2TP (tunneling protocol) is used for VPN connections between Microsoft boxes, for example ISA - ISA or ISA - XP clients. L2TP is Microsoft proprietary.
    Kerberos is an authentication mechanism, but if you want to go deeper into security I would have a look at authenticating with certificates.

    LSA, don't know...
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Ethernet LAN Security

      Originally posted by Dumber
      IPSec is the security mechanism which you should use if you would like to use internal security.
      Also, IPsec can be used for VPNs between, for example, ISA - PIX etc.
      L2TP (tunneling protocol) is used for VPN connections between Microsoft boxes, for example ISA - ISA or ISA - XP clients. L2TP is Microsoft proprietary.
      Kerberos is an authentication mechanism, but if you want to go deeper into security I would have a look at authenticating with certificates.

      LSA, don't know...

      Thanks for the info,

      I think I would focus the project on internal security, possibly adding a bit of information about WANs and VPN.

      As for Kerberos and certificate-based authentication, I think I will compare the two in the project, stating the advantages and disadvantages of both.

      Regards,

      Richard



      • #4
        Re: Ethernet LAN Security

        Kerberos is handy if you have to encrypt traffic in your forest.
        However you also can use certificates or preshared keys.

        70-299 is quite nice to read if you want to go deeper into it.


        • #5
          Re: Ethernet LAN Security

          Originally posted by Dumber
          Kerberos is handy if you have to encrypt traffic in your forest.
          However you also can use certificates or preshared keys.

          70-299 is quite nice to read if you want to go deeper into it.

          Thanks again for the info Dumber, you're providing a good overview for me to begin my research.

          The "70-299" you mentioned, is it (70-299) Implementing and Administering Security in a Microsoft Windows Server 2003 Network?
          Definitely seems like I'll find something useful in it, thanks.

          I've had a quick look at 802.1x, Network Access control, and Remote Authentication Dial In User Service servers, and they seem like good topics to research into, any first thoughts?

          Regards,

          Richard



          • #6
            Re: Ethernet LAN Security

            802.1x is quite interesting to read about.
            It gave me some quite interesting thoughts about open wireless authentication using certificates, IAS/RADIUS and so on.
            Indeed it's covered in the Microsoft exam 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network.
            From that point you can always dig deeper into the subjects. I think it's a good starting point.

            I would suggest buying the book and/or even having a look at the CBT Nuggets.


            • #7
              Re: Ethernet LAN Security

              Originally posted by Dumber
              802.1x is quite interesting to read about.
              It gave me some quite interesting thoughts about open wireless authentication using certificates, IAS/RADIUS and so on.
              Indeed it's covered in the Microsoft exam 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network.
              From that point you can always dig deeper into the subjects. I think it's a good starting point.

              I would suggest buying the book and/or even having a look at the CBT Nuggets.

              Thanks again, you've been a great help.

              As for buying a book, depending on cost I might just go to the library or use an elibrary.

              Regards,

              Richard



              • #8
                Re: Ethernet LAN Security

                The book costs over here about € 44,00. I don't know how much it costs over there.
                If you have any more questions, please let me know.


                • #9
                  Re: Ethernet LAN Security

                  Will do thanks,

                  I've done a quick search, and found what I think is the book on amazon.co.uk. Is this the book you were referring to?

                  Regards,

                  Richard



                  • #10
                    Re: Ethernet LAN Security

                    Yes, but remember your university should be able to get it on inter-library loan
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **



                    • #11
                      Re: Ethernet LAN Security

                      Originally posted by RAustin
                      Will do thanks,

                      I've done a quick search, and found what I think is the book on amazon.co.uk. Is this the book you were referring to?

                      Regards,

                      Richard

                      Yes, that's the one!


                      • #12
                        Re: Ethernet LAN Security

                        Originally posted by Dumber
                        IPSec is the security mechanism which you should use if you would like to use internal security.
                        Also, IPsec can be used for VPNs between, for example, ISA - PIX etc.
                        L2TP (tunneling protocol) is used for VPN connections between Microsoft boxes, for example ISA - ISA or ISA - XP clients. L2TP is Microsoft proprietary.
                        Kerberos is an authentication mechanism, but if you want to go deeper into security I would have a look at authenticating with certificates.

                        LSA, don't know...

                        L2TP is a standard based on PPP and L2F (Cisco proprietary).

                        PPTP, although supported and partially developed by them, is not Microsoft proprietary.



                        • #13
                          Re: Ethernet LAN Security

                          Sorry, I was a bit in a hurry.
                          However, PPTP is Microsoft proprietary, or at least it used to be.
                          Also, Microsoft played a key role in PPTP.

                          http://technet.microsoft.com/en-us/l...chNet.10).aspx
                          Microsoft's attempt at this was Point-to-Point Tunneling Protocol (PPTP), which was essentially Microsoft's proprietary solution to tunneling over the Internet, à la L2TP. PPTP combined the encryption and the tunneling together. Because the protocol defines all of that as one, you have to use Microsoft's point-to-point encryption.
                          Last edited by Dumber; 30th July 2008, 22:18.


                          • #14
                            Re: Ethernet LAN Security

                            Also look into switch types; many can be programmed to force authentication at the port level.
                            This is useful to keep people from just plugging into an empty network jack and going to work.
                            Stacey Smith
                            Sr. Systems Engineer

                            The rule is perfect: in all matters of opinion our adversaries are insane --Samuel Clemens



                            • #15
                              Re: Ethernet LAN Security

                              So here's the current outcome of how things are going:

                              I've had to alter my project slightly in that I now have a client and it is now going to be a research project based on a case study.

                              I'll be gathering information from my client and seeing where I can improve their network (efficiency and all that stuff) and also looking at the security side of things. My Mini-paper will also be based on security with Windows domain networks in mind (so all the information on this page is still applicable :-p)

                              Currently I'm at the Project Proposal stage, filling in a Gantt chart, oh the joys!

                              Regards,

                              Richard
