Unauthorized Access

1. What is unauthorized access?

It is the act of gaining access to a network, system, application or other resource without permission. Unauthorized access can occur when a user attempts to reach an area of a system that this particular user is not allowed to access. It may be the result of unmodified default access policies or of a lack of clearly defined access policy documentation in the company or institution.

2. First steps: using a firewall

One way to protect computers is with a network firewall. It may be a hardware device, a software program, or a combination of the two. Network firewalls guard an internal computer network against malicious access from the outside. They may also be configured to restrict access from internal users to the outside.

3. Why and how to mitigate the risk?

If someone were to gain unauthorized access to your organization’s internal network, that person could cause damage in many ways, perhaps by accessing sensitive files from a host, by planting a virus, or by hindering network performance by flooding your network with illegitimate packets.

This risk can also apply to a person within your network attempting to access another internal network such as a Research and Development subnetwork with sensitive and critical data. That person could intentionally or inadvertently cause damage; for example, that person might access confidential files or tie up a time-critical printer.

To prevent unauthorized access, you can require users to be authenticated before they gain access to a network. When users attempt to access a service or host (such as a web site or file server) within the protected network, they must first enter certain data such as a username and password, and possibly additional identification information. After successful authentication (depending on the method of authentication), users are assigned specific privileges that allow them to access specific network assets. In most cases, this type of authentication is facilitated by using specific access protocols in conjunction with an authentication protocol such as TACACS+ or RADIUS.

Just as when preventing unauthorized access to specific network devices, you need to decide whether the authentication database should reside locally or on a separate security server. A local security database is useful if you have very few routers providing network access, and it does not require a separate (and costly) security server. A remote, centralized security database is convenient when you have a large number of devices providing network access, because it saves you from having to update each router with new or changed username authentication and authorization information for potentially hundreds of thousands of dial-in users. A centralized security database also helps establish consistent remote access policies throughout a corporation.

A centralized access control server also prevents unauthorized access to the whole network if a single device is compromised. If a malicious user obtains unauthorized access to a device configuration and extracts any local credentials it contains, those credentials cannot be used to access the device or other devices in the network, because the real credentials are stored on the authentication server.

3.1. Traffic Access Lists

You can use access lists to filter traffic at networking devices. Basic access lists allow only specified traffic through the device; other traffic is simply dropped. You can specify individual hosts or subnets that should be allowed into the network, and you can specify what type of traffic should be allowed into the network. Basic access lists generally filter traffic based on the source and destination addresses and the protocol type of each packet.

Advanced traffic filtering is also available, providing additional filtering capabilities; for example, the Lock-and-Key Security feature requires each user to be authenticated via a username/password before that user’s traffic is allowed onto the network.

Mitigation Commands:

ip access-list {extended|standard} name
{permit|deny} tcp <source> <source-wildcard> [operator [port]] <destination> <destination-wildcard> [operator [port]]
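As an added illustration (not part of the original text, and not Cisco software), the following Python script parses access-list entries written in the syntax above and evaluates packets against them with the same first-match and implicit-deny semantics a router applies. The sample access list and the packets are constructed for this example using documentation address ranges.

```python
# Added example (not from the article): a parser and first-match evaluator
# for the IOS-style extended ACL syntax shown above. It does not run IOS;
# it reproduces the matching semantics so a rule set can be checked offline.
# SAMPLE_ACL is constructed for illustration, not a real organization's policy.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port operators accepted after a source or destination address.
_OPERATORS = {
    "eq": lambda p, n: p == n,
    "neq": lambda p, n: p != n,
    "gt": lambda p, n: p > n,
    "lt": lambda p, n: p < n,
}


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    protocol: str                        # "tcp", "udp" or "ip"
    src: int                             # address as a 32-bit integer
    src_wild: int                        # wildcard mask: 1 bits are "don't care"
    src_port: Optional[Tuple[str, int]]  # (operator, port) or None
    dst: int
    dst_wild: int
    dst_port: Optional[Tuple[str, int]]


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens, i, has_ports):
    """Parse `any` | `host A.B.C.D` | `A.B.C.D W.W.W.W`, then an optional
    `<operator> <port>`; return (addr, wildcard, port_spec, next_index)."""
    if tokens[i] == "any":
        addr, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tokens[i] == "host":
        addr, wild, i = _addr(tokens[i + 1]), 0, i + 2
    else:
        addr, wild, i = _addr(tokens[i]), _addr(tokens[i + 1]), i + 2
    port = None
    if has_ports and i < len(tokens) and tokens[i] in _OPERATORS:
        port, i = (tokens[i], int(tokens[i + 1])), i + 2
    return addr, wild, port, i


def parse_acl(text: str):
    """Turn the body of an `ip access-list extended` block into entries,
    in the order they appear (order matters: the first match wins)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # header line, blank line or remark
        proto = t[1]
        has_ports = proto in ("tcp", "udp")
        src, sw, sp, i = _parse_endpoint(t, 2, has_ports)
        dst, dw, dp, _ = _parse_endpoint(t, i, has_ports)
        entries.append(AclEntry(t[0], proto, src, sw, sp, dst, dw, dp))
    return entries


def _match_addr(addr: int, entry_addr: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to match.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (entry_addr & care)


def _match_port(port: int, spec) -> bool:
    return spec is None or _OPERATORS[spec[0]](port, spec[1])


def evaluate(entries, proto, src, sport, dst, dport) -> str:
    """Return 'permit' or 'deny' for one packet using first-match semantics;
    traffic that matches no entry hits the implicit deny."""
    for e in entries:
        if e.protocol not in ("ip", proto):
            continue
        if not _match_addr(_addr(src), e.src, e.src_wild):
            continue
        if not _match_addr(_addr(dst), e.dst, e.dst_wild):
            continue
        if not (_match_port(sport, e.src_port) and _match_port(dport, e.dst_port)):
            continue
        return e.action
    return "deny"  # every IOS access list ends with an implicit deny


# Constructed sample: allow HTTPS to one server, block telnet to the subnet,
# allow one partner range to high ports only.
SAMPLE_ACL = """\
ip access-list extended INTERNET-IN
 permit tcp any host 192.0.2.10 eq 443
 deny tcp any 192.0.2.0 0.0.0.255 eq 23
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 gt 1023
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in [("tcp", "203.0.113.5", 40000, "192.0.2.10", 443),
                ("tcp", "198.51.100.7", 5000, "192.0.2.20", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Note that a packet to port 80 from the partner range is denied even though no entry mentions port 80: that is the implicit deny at the end of the list, which is the reason the last entry of a real access list should be reviewed as carefully as the first.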

3.2. Firewall Rules

Firewalls are networking devices that control access to your organization’s network assets. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control. Stateful Packet Inspection (SPI) is at the heart of Cisco IOS Firewall, providing a per-application control mechanism across network perimeters, as well as within networks through the Transparent Firewall capability. Stateful Packet Inspection was known as Context-Based Access Control (CBAC) in early versions of Cisco IOS Firewall, but the name was changed as the feature set was enhanced and augmented far beyond the original CBAC capability. The inspection engine tracks the state and context of network connections to secure traffic flow.

CBAC examines not only network-layer and transport-layer information but also application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. It maintains connection state information for individual connections, uses that state to make intelligent decisions about whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall accordingly.
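The following added Python example (not from the original text and not Cisco's inspection engine) models the behaviour just described: a session table in which a flow started from the protected side creates a temporary opening for its return traffic, unsolicited inbound traffic is dropped, and the opening is removed again on close or after an idle timeout. The inside prefix, the timeout and the packets are illustrative assumptions.

```python
# Added example (not from the article, and not Cisco's inspection engine): a
# toy stateful inspection table. A flow initiated from the inside prefix opens
# a temporary entry that lets its reverse direction through; the entry is
# removed on TCP FIN/RST or after the idle timeout. Packets are plain dicts;
# the inside prefix and timeout are illustrative assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The same flow seen from the other direction."""
        return FlowKey(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self, inside_prefix: str, idle_timeout: float = 30.0):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout
        self.table = {}  # FlowKey as initiated from inside -> last-seen time

    def _expire(self, now: float):
        stale = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.table[k]  # idle opening is closed again

    def process(self, pkt: dict, now: float) -> str:
        """Return 'permit' or 'deny' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        key = FlowKey(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt.get("flags", set())

        # Existing session, either direction: let it through and refresh it.
        for candidate in (key, key.reverse()):
            if candidate in self.table:
                if pkt["proto"] == "tcp" and flags & {"FIN", "RST"}:
                    del self.table[candidate]  # connection closing: drop the opening
                else:
                    self.table[candidate] = now
                return "permit"

        # New flow: only the protected side may open one.
        if ipaddress.ip_address(pkt["src"]) in self.inside:
            self.table[key] = now
            return "permit"
        return "deny"  # unsolicited traffic from outside, no matching session

    def open_sessions(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8")
    out = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
           "dst": "203.0.113.9", "dport": 443, "flags": {"SYN"}}
    back = {"proto": "tcp", "src": "203.0.113.9", "sport": 443,
            "dst": "10.0.0.5", "dport": 40000, "flags": {"SYN", "ACK"}}
    probe = {"proto": "tcp", "src": "203.0.113.9", "sport": 55555,
             "dst": "10.0.0.5", "dport": 22, "flags": {"SYN"}}
    print(fw.process(out, 0.0), fw.process(back, 0.1), fw.process(probe, 0.2))
```

A single FIN or RST tears the entry down immediately here; a production engine tracks both halves of the TCP close and keeps application-layer context (the FTP data channel, for example), which is exactly the extra state the text refers to.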

3.3. PVLANs

Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs all devices on a Layer 2 VLAN can communicate freely. Networking situations exist where security can be aided by limiting communication between devices on a single VLAN. For example, PVLANs are often used in order to prohibit communication between servers in a publicly accessible subnet. Should a single server become compromised, the lack of connectivity to other servers due to the application of PVLANs may help limit the compromise to the one server.

Mitigation Commands:

vlan 11
 private-vlan isolated
!
vlan 12
 private-vlan community
!
vlan 20
 private-vlan primary
 private-vlan association 11-12
interface FastEthernet 1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
!
interface FastEthernet 1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12
!
interface FastEthernet 1/12
 description *** Promiscuous Port ***
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 11-12
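To check that a PVLAN configuration actually enforces the intended isolation, the following added Python script (not from the original text and not a Cisco tool) parses the configuration above and derives which ports can exchange Layer 2 traffic. The embedded configuration is the example above with one constructed extra isolated port, FastEthernet 1/3, added to show that two isolated hosts cannot reach each other; the reachability rules are the standard PVLAN semantics.

```python
# Added example (not from the article, not Cisco software): parse the PVLAN
# configuration and derive port-to-port reachability. Rules applied: isolated
# ports reach only promiscuous ports; community ports reach their own
# community plus promiscuous ports; promiscuous ports reach every secondary
# VLAN mapped to them. FastEthernet 1/3 is constructed for this example.

PVLAN_CONFIG = """\
vlan 11
 private-vlan isolated
!
vlan 12
 private-vlan community
!
vlan 20
 private-vlan primary
 private-vlan association 11-12
!
interface FastEthernet 1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
!
interface FastEthernet 1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12
!
interface FastEthernet 1/3
 description *** second isolated port (constructed for this example) ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
!
interface FastEthernet 1/12
 description *** Promiscuous Port ***
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 11-12
"""


def _expand(spec: str):
    """Expand an IOS VLAN list such as '11-12' or '11,13' into integers."""
    vlans = []
    for piece in spec.split(","):
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-"))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(piece))
    return vlans


def parse_pvlan(text: str):
    """Return (vlan_type, ports): VLAN id -> role, interface -> port settings."""
    vlan_type, ports, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "vlan":
            current = ("vlan", int(t[1]))
        elif t[0] == "interface":
            current = ("if", " ".join(t[1:]))
            ports[current[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif current is None:
            continue
        elif t[0] == "private-vlan" and current[0] == "vlan" and t[1] in ("isolated", "community", "primary"):
            vlan_type[current[1]] = t[1]
        elif t[:2] == ["switchport", "mode"] and current[0] == "if":
            ports[current[1]]["mode"] = t[-1]  # "host" or "promiscuous"
        elif t[:2] == ["switchport", "private-vlan"] and current[0] == "if":
            # host-association <primary> <secondary> | mapping <primary> add <list>
            ports[current[1]]["primary"] = int(t[3])
            ports[current[1]]["secondaries"] = set(_expand(t[-1]))
    return vlan_type, ports


def can_reach(vlan_type, ports, a: str, b: str) -> bool:
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False  # different primary VLANs never meet
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, other = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        if other["mode"] == "promiscuous":
            return True  # two promiscuous ports on the same primary
        return bool(other["secondaries"] & prom["secondaries"])
    (sa,), (sb,) = pa["secondaries"], pb["secondaries"]
    return sa == sb and vlan_type[sa] == "community"  # isolated: no host-to-host


def reachable_pairs(text: str):
    """All unordered port pairs that can talk, for auditing the isolation."""
    vlan_type, ports = parse_pvlan(text)
    names = sorted(ports)
    return {(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if can_reach(vlan_type, ports, a, b)}


if __name__ == "__main__":
    for pair in sorted(reachable_pairs(PVLAN_CONFIG)):
        print("reachable:", pair)
```

Run against the configuration, the only reachable pairs are each host port with the promiscuous port; the two isolated ports cannot reach each other, and neither can the isolated and community ports, which is the containment the text describes for a compromised server.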

3.4. Access Port Authentication (802.1x)

The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a port before making available any services offered by the device or the network.

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN – though the term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

Mitigation Commands:

Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface <interface_id>
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto