The trilogy of illegal terminal access control: Control, check, guide


Jack Zhai

First, the problem being addressed:

An intruder who wants to bypass the network's perimeter measures and break directly into the internal network generally has two options: either an internal host "actively" establishes a new channel to the outside network and the intruder follows this uncontrolled "channel" into the network, or the external intruder finds a new way around the perimeter security measures (for example through management vulnerabilities) and gets into the network.

In academia these two kinds of intrusion have a rather grand name: the "covert channel".

The first kind, the "internally initiated" covert channel, has many causes: a terminal infected with a Trojan or worm, a vendor backdoor, a bought-off insider, a planted spy, and so on. Protection against it is mostly approached from the angle of controlling the internal terminal hosts: install monitoring software on every terminal, close the outbound channels, and refuse network access to any terminal that does not install it.

The second kind, the "externally initiated" covert channel, stems from loopholes in network management, so the effort has to go into supervision. Let's look at where the problems are:

1. Access methods for external hosts:

  1. Wired access: the external host is plugged directly into a switch interface of the network (a switch interface that happens to be available).

  2. Wireless access:

    • the intruder cracks the password of a legitimate AP and joins the network wirelessly;

    • an internal host terminal turns on a wireless proxy, creating an "illegal AP".


2. Protection difficulties:

    1. The external host does not run our host security measures and will not report its own information, so it is hard to discover;

    2. Since MAC and IP addresses can be changed, the network layer often cannot confirm whether an accessing host is impersonating a legitimate one.

Second, designing a protection approach against illegal access by external hosts

An external host that gets in illegally generally exploits a loophole in the network management chain to obtain a "legitimate" access point. Management has many facets, so protection must also be combined along several lines:

    • Control: terminal network access control

    • Check:

      illegal terminal monitoring

      wireless space monitoring

    • Guide: third-party operation and maintenance access management, i.e. the fortress machine (bastion host)

Controlling every terminal's access to the network, so that unauthorized people cannot walk in at will, is the "control"; control is the premise and the foundation of management. Having the ability to discover access that does not comply with the requirements is the "check"; checking guards against defects in management, and covers both discovering illegal terminals on the wired network and discovering illegal terminals in the wireless space. Finally, good management channels rather than merely blocks: for external terminals that must access the network for business reasons, a dedicated area is established where they are used in a prescribed environment, and that is the "guide".

1. The "control" method

Any network access needs an access point; on a wired network that means a switch interface. If the switch refuses to serve an unauthorized terminal, the purpose of controlling its illegal access is achieved. The main control techniques are:

    • Port-MAC binding: disable MAC address learning on the switch port and write the permitted MAC address into the switch manually, so that only the terminal with that MAC can access through that port;


      • Suitable for networks with few terminals, and simple;

      • High operation and maintenance cost; it cannot stop an intruder from changing their network card's MAC address to a legitimate one, nor stop an intruder from first modifying the switch configuration so that their own terminal enters "legally";

    • Enable the 802.1x protocol: the switch port only passes authentication packets until the user is authenticated, after which it forwards packets; this shields the network layer from arbitrary access;


      • Convenient to manage and suitable for larger networks. During identity authentication, binding IP, MAC and identity ID further tightens control of the terminal and addresses the problem of an intruder changing MAC and IP to pose as someone else;

      • The method also applies to wireless networks such as Wi-Fi: enable 802.1x on the wireless AP, or connect the AP to an AC (access controller), so that an intruder can only enter the internal network after identity authentication;

      • All edge access switches must be manageable, and a unified identity authentication management system is required.

      • If the security of some edge access switches cannot be controlled, or their configuration is easily modified, 802.1x is usually enabled on the aggregation switch instead. This guarantees that access to the upper network is controlled, but the lower network is still at risk: an intruder can infect a legitimate terminal and then use it as a springboard into the upper network.

In the terminal access control scheme, the intruder is restricted by confirming the identity of the accessing device or user. But networks are large and managed by multiple departments; edge switch configuration management is often not in place and wireless access points are set up privately, all of which give intruders usable access points. It is therefore also necessary to discover externally connected terminals in time.

2. The "check" method: wired network

The external terminal is identified by its MAC address (the intruder generally configures an internally legitimate IP address). But a MAC address only appears within its own network segment and cannot be monitored from the core network (layer three); there are two ways to deal with this:

  • Include MAC information in the identity verification process. That is, when the user authenticates, the terminal's MAC address is sent to the authentication server as the device identity along with the user identity, and the two are bound together after authentication. Combined with the 802.1x scheme from the previous section, this achieves control of the terminal MAC address;

  • Establish a MAC resource pool and monitor for the appearance of illegal MAC addresses. There are two ways to discover MAC addresses:

    • Use network management to read the edge switches' FDB (forwarding database) tables and find newly appeared MAC addresses. The method is simple, but when the network is large and there are many access switches, queries must be designed per area and the results summarized and escalated to the monitoring center;

    • Place a listening port in each network segment, mirror the link traffic in the direction of the gateway, analyze all packets within the segment, and discover new MAC addresses;
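The FDB-based scan against a MAC resource pool, as an added example (not code from the article): constructed FDB dumps from two edge switches in a hypothetical text format are compared with a constructed asset database, flagging unknown MACs, a MAC seen on two access ports at once (a cloned address), and a known asset appearing on a port other than the one registered for it. Uplink ports are excluded, because their FDB entries list every MAC behind the core rather than a locally attached terminal.

```python
import re
from collections import defaultdict

# Constructed FDB dumps from two edge switches, hypothetical format: "<switch> <port> <mac> <vlan>"
FDB_DUMP = """\
sw-edge-01 Gi0/1  00:11:22:aa:bb:01 10
sw-edge-01 Gi0/2  00:11:22:aa:bb:02 10
sw-edge-01 Gi0/24 00:11:22:aa:bb:03 10
sw-edge-01 Gi0/24 00:11:22:aa:bb:04 10
sw-edge-02 Gi0/5  00:11:22:aa:bb:03 10
sw-edge-02 Gi0/7  de:ad:be:ef:00:01 10
sw-edge-02 Gi0/8  00:11:22:aa:bb:02 10
"""
# Uplinks toward the aggregation layer carry every MAC behind the core,
# so they must be excluded or the scan would "find" the whole network there.
UPLINKS = {("sw-edge-01", "Gi0/24")}
# Constructed asset database (the MAC resource pool): MAC -> (owner, registered access port)
ASSETS = {
    "00:11:22:aa:bb:01": ("finance-pc-01", ("sw-edge-01", "Gi0/1")),
    "00:11:22:aa:bb:02": ("finance-pc-02", ("sw-edge-01", "Gi0/2")),
    "00:11:22:aa:bb:03": ("hr-pc-01", ("sw-edge-02", "Gi0/6")),
}
LINE = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\d+$", re.I)

def parse_fdb(dump):
    """Return {mac: {(switch, port), ...}} for access ports only."""
    seen = defaultdict(set)
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m and (m[1], m[2]) not in UPLINKS:
            seen[m[3].lower()].add((m[1], m[2]))
    return seen

def scan(dump, assets):
    """Check each observed MAC against the asset database; return (kind, mac, ports)."""
    findings = []
    for mac, ports in sorted(parse_fdb(dump).items()):
        if mac not in assets:
            findings.append(("unknown-terminal", mac, sorted(ports)))
        elif len(ports) > 1:
            # one MAC on two access ports at once: a cloned/spoofed address
            findings.append(("duplicate-mac", mac, sorted(ports)))
        elif assets[mac][1] not in ports:
            # known asset but not where it was registered: moved or impersonated
            findings.append(("moved-terminal", mac, sorted(ports)))
    return findings
```

A MAC that is only ever seen on an uplink (here `00:11:22:aa:bb:04`) is never attributed to this switch, which is why each area's scan has to be summarized at the monitoring center to get full coverage.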

Because intruders generally steal legitimate users' IP addresses and go on to attack the various applications inside the network, it is necessary, in addition to monitoring illegal MACs, to analyze terminal behaviour and find the impostors.

In terms of analysis, the illegal terminal monitoring scheme can be divided into two parts:

    • Illegal terminal scanning system: regularly queries the access switches, discovers newly appeared terminals, and checks them against the asset database to determine whether they are illegally connected terminals;

    • Terminal anomaly behaviour analysis system: a big-data analysis system that takes terminal location information from illegal terminal monitoring and terminal/user identity information from the identity authentication system, builds a behavioural baseline for each user, and discovers anomalous behaviour, such as whether login location, login time, terminal and user are consistent with each other, so as to detect intruders logging in with legitimate user credentials.
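The behavioural-baseline idea from the second part, as an added example (not the article's code): constructed 802.1x authentication records in a hypothetical text format are used to build, per user, the terminals, access switches and login hours seen so far; new logins are then compared with that baseline and flagged when terminal, location or time do not fit, or when the user identity has never been seen at all.

```python
import re
from collections import defaultdict
# Constructed 802.1x auth records, hypothetical format: "<date>T<hh>:<mm> user= mac= switch="
HISTORY = """\
2015-12-14T08:55 user=alice mac=00:11:22:aa:bb:01 switch=sw-edge-01
2015-12-15T09:10 user=alice mac=00:11:22:aa:bb:01 switch=sw-edge-01
2015-12-16T17:40 user=alice mac=00:11:22:aa:bb:01 switch=sw-edge-01
2015-12-14T09:30 user=bob mac=00:11:22:aa:bb:03 switch=sw-edge-02
2015-12-15T13:05 user=bob mac=00:11:22:aa:bb:03 switch=sw-edge-03
"""
NEW_EVENTS = """\
2015-12-21T09:05 user=alice mac=00:11:22:aa:bb:01 switch=sw-edge-01
2015-12-21T02:15 user=alice mac=de:ad:be:ef:00:01 switch=sw-edge-02
2015-12-21T10:00 user=bob mac=00:11:22:aa:bb:03 switch=sw-edge-03
2015-12-21T11:00 user=mallory mac=de:ad:be:ef:00:02 switch=sw-edge-02
"""
REC = re.compile(r"^\S+T(\d\d):\d\d user=(\S+) mac=(\S+) switch=(\S+)$")
def parse(text):
    for line in text.splitlines():            # malformed lines are skipped
        m = REC.match(line.strip())
        if m:
            yield {"hour": int(m[1]), "user": m[2], "mac": m[3].lower(), "switch": m[4]}

def build_baseline(history):
    """Per user: terminals used, access switches seen, and login hours."""
    base = defaultdict(lambda: {"macs": set(), "switches": set(), "hours": []})
    for r in parse(history):
        b = base[r["user"]]
        b["macs"].add(r["mac"]); b["switches"].add(r["switch"]); b["hours"].append(r["hour"])
    return dict(base)

def find_anomalies(baseline, events):
    """Return (user, mac, reasons) for logins that deviate from the user's baseline."""
    alerts = []
    for r in parse(events):
        b = baseline.get(r["user"])
        if b is None:                       # identity never seen by the auth system
            alerts.append((r["user"], r["mac"], ["unknown-user"]))
            continue
        reasons = []
        if r["mac"] not in b["macs"]:
            reasons.append("new-terminal")  # terminal and user do not match
        if r["switch"] not in b["switches"]:
            reasons.append("new-location")  # login location changed
        if not min(b["hours"]) - 1 <= r["hour"] <= max(b["hours"]) + 1:
            reasons.append("off-hours")     # login time outside the user's habit
        if reasons:
            alerts.append((r["user"], r["mac"], reasons))
    return alerts
```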


3. The "check" method: wireless network

On the network, an "illegal AP" is often the springboard for an intrusion. Most "illegal APs" are set up by users for their own convenience: for example, to get their mobile devices online, they set up a proxy through their own legitimate access point so that several of their devices can work at the same time. Network managers usually only see the legitimate terminal's access and cannot directly discover the other, illegally connected devices through the network. The security configuration of an "illegal AP" is simple and easy to crack, so it becomes the intruder's springboard into the network.

The wireless space monitoring scheme deploys wireless IDS across the network area to detect the various wireless signals within the network space and to distinguish legitimate internal APs from illegal APs. Once an illegal AP is found, a wireless interference signal can prevent it from working properly, so that terminals connected to it cannot communicate, thereby blocking illegal terminals from accessing the network through the illegal AP.

Because wireless signals are limited by distance and easily blocked or isolated, when deploying wireless IDS pay attention to the coverage area of the wireless signal; in principle it should cover all of the network's access nodes.

4. The "guide" method: third-party operation and maintenance area

Information technology develops rapidly and updates quickly; for systems, networks and even security, fault handling, configuration changes and daily maintenance often depend on third-party operators. It is therefore impossible to deny third-party operators access to the network, and they usually bring their own terminals: operation and maintenance needs many testing tools and pieces of equipment that must be connected to the network to run.

Since external terminals must be allowed onto the network, and third-party personnel cannot be required to install all kinds of security software (their terminals follow their own security management), they need to be given a specific operational management area, so that within that space they can complete their work without affecting the network's security management.


"Fortress machine" is the common name for the operation and maintenance management proxy system (a bastion host). The principle is simple: third-party operators, in the designated operations area and using their own terminal equipment, must first log on to the fortress machine and only then access the equipment or systems to be maintained. The fortress machine not only manages the devices' login passwords but also records every operation of the third-party operators, including command-line, graphical-interface and special C/S client sessions.

Because of the isolation provided by the fortress machine, the network cannot scan the MAC addresses of the third-party personnel's terminals; they only need to know the IP address and login password of the device or system to be maintained in order to work freely.

Summary

Preventing external illegal terminals from accessing the network not only stops external intruders from breaking in directly, it also reduces the damage an intruder can do, and addresses the current state of security management in which most users rely only on people, with no technical support.

Protection against unauthorized access by external hosts deploys security measures from four aspects:

1. Network access control for external terminals, so that intruders cannot get in;

2. Illegal terminal monitoring, so that intruders cannot survive;

3. Wireless space monitoring, so that intruders disappear from our wireless space;

4. An operations fortress machine, giving external access a legitimate working space.
