Routers and switches play a vital role in today's network security. If they are compromised, whether through an insecure configuration or a software vulnerability, any traffic traversing them is at the mercy of an attacker. Conversely, their proper configuration can significantly improve network security. That is the topic of this thesis, which focuses on improving the security of the network devices managed by the Institute.
The chapter Hardening network devices provides a deep insight into the hardening of network devices: potentially vulnerable parts of a configuration are identified along with the appropriate countermeasures. The chapter Maintaining compliance with security guidelines presents available tools that can be used to improve the security of configurations, while the following chapter, Router assessment tool (RAT), focuses on the tool selected to audit a portion of the router configuration. In chapter 5, Data storage, the storage of information about the network, mainly its devices, is presented. The next chapter describes the structure of the implemented library (Pyrage) and the associated
Python scripts, which facilitate the audit by enabling the customization of a RAT rulebase and by generating a limited part of a new device's configuration (Pynecog). The security guideline and the results of an audit of the selected devices are presented in the chapter Security audit of the network. The last chapter, Conclusion and future work, summarizes the results and presents possibilities for future work.
1.1 Virtual LAN (VLAN)
VLANs are defined by the IEEE 802.1Q standard, which enables the partitioning of a single Ethernet network by inserting a 4-byte 802.1Q header that carries (among other things) a numeric VLAN identifier (VID), used by 802.1Q-capable network hardware to logically separate the traffic. An 802.1Q-aware switch typically distinguishes between two types of ports:
• access/edge — a port which is a member of exactly one VLAN. Incoming traffic is tagged with the port's VID, so it can reach only the SVI (switched virtual interface) of that VLAN or another port assigned the same VID. Outgoing traffic on an access port is usually stripped of the 802.1Q tag.
• trunk — a port mode typically used to interconnect switches. A range of allowed VLANs (VIDs) can be specified on the port, along with the so-called native VLAN, whose frames are stripped of the 802.1Q tag as they are sent onto the trunk link.
1.2 Access Control List (ACL)
In general, an Access Control List is a collection of rules describing the access restrictions applied to a given object. On network devices, the term ACL denotes an ordered set of rules whose syntax is designed to define a simple packet filter on a particular interface of the device (with a very limited notion of state in the case of TCP, otherwise fully stateless). Besides that, ACLs are typically used to limit route redistribution and for control plane policing. The expressiveness of ACLs varies with the vendor and the ACL types it defines, but the usual set of matched attributes is as follows:
• Source IP address and subnet mask.
• Destination IP address and subnet mask.
• Source and destination ports.
• Protocol (typically one of IP, ICMP, TCP, UDP).
• State (new, established) in the case of TCP.
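As an added illustration (not part of the thesis or of RAT), the matching semantics listed above written out in Python: a minimal first-match evaluator for extended ACL entries in the assumed Cisco IOS wildcard-mask syntax, including the `established` keyword, which is the only TCP "state" an ACL can examine. The Packet type, parse_ace, evaluate and the sample ACL are all constructed for this example.

```python
import ipaddress
from collections import namedtuple
# proto is "tcp", "udp" or "icmp"; ack_or_rst (TCP ACK/RST bit set) is all the "state" an ACL sees
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))

def _parse_port(tokens):
    if tokens[:1] != ["eq"]:  # optional 'eq N' qualifier; None means any port
        return None
    tokens.pop(0)
    return int(tokens.pop(0))

def parse_ace(line):
    tokens = line.split()  # e.g. 'permit tcp 10.0.0.0 0.0.0.255 any eq 22'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in tokens}

def _addr_ok(rule, addr):
    base, wildcard = rule  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(addr)) | wildcard) == (base | wildcard)

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(ace["src"], pkt.src) and _addr_ok(ace["dst"], pkt.dst)):
        return False
    if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport):
        return False
    return not ace["established"] or pkt.ack_or_rst  # 'established' only checks ACK/RST

def evaluate(acl, pkt):
    for ace in acl:  # entries are tried in order, first match wins
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # every ACL ends in an implicit deny

# Constructed sample ACL: SSH out of 10.0.0.0/24, its return traffic back in, ICMP, nothing else
ACL = [parse_ace(l) for l in ("permit tcp 10.0.0.0 0.0.0.255 any eq 22",
                              "permit tcp any 10.0.0.0 0.0.0.255 established",
                              "permit icmp any any", "deny ip any any")]
```

Note that a new inbound SYN to port 22 is denied even though the second entry permits inbound TCP: without the ACK/RST bits set it is not "established", which is the whole of the state an ACL can track.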
1.3 Man in the middle (MitM)
MitM refers to a type of attack in which the attacker achieves a state in which the victim's communication flows through a device under the attacker's control. The attacker can simply eavesdrop on the communication, but can also (in some scenarios) tamper with the transmitted data, for example by forcing the communicating parties to use different cryptographic keys so that the attacker is able to decrypt the subsequent communication.
1.4 Denial of Service attack
In a (Distributed) Denial of Service ((D)DoS) attack, an attacker typically aims to make a given resource (server, network, ...) unavailable to its intended users. In the distributed variant, the attacker typically uses a botnet or by some other means arranges for the attack to be driven by a rather large number of entities.