Unauthorized terminal access control in three parts: control, query, and guide

Source: Internet
Author: User


I. Problem statement:
An intruder who wants to get past the network perimeter and straight into the internal network has two channels. First, an internal host "actively" opens a new channel to the outside and the intruder follows this uncontrolled channel in. Second, an external intruder finds a new way around the perimeter controls (for example, a gap in network management) and connects directly.
Both kinds of attack go by a grand academic name: the covert channel.
The first, "internally initiated" covert channel has many causes: terminals infected with Trojans or worms, backdoors left in by the manufacturer, bought insiders, agents planted by the adversary... Most defences approach it from the control of the internal terminal host: monitoring software is installed on the terminal, outbound channels are closed, and a terminal that does not comply is not allowed onto the network.
The second, "externally initiated" covert channel grows out of weaknesses in network management, so the effort has to go into monitoring for those weaknesses. Let us first look at the problem:
1. How external hosts get in:
Wired access: the external host plugs directly into a switch port (any port that is live and unused will do);
Wireless access:
The intruder cracks the key of a legitimate AP and joins the network over wireless;
An internal terminal turns on a wireless hotspot or proxy, creating a "rogue AP"; the external host connects to it and reaches the network through the internal host;
By exploiting weaknesses in switch management, the intruder stands up a rogue AP of their own, creating an uncontrolled wireless access point;
2. Why protection is hard:
The external host has none of our host security agents installed and does not report itself, so it is hard to find;
Since both the MAC address and the IP address can be changed, the network layer often cannot tell whether the host that connected is impersonating a legitimate one;
II. Design of the protection approach against unauthorized access by external hosts
An external host that gets in without authorization has generally obtained a "valid" access point by exploiting a gap in network management. Management has many aspects, so protection must likewise combine several measures:
Control: network access control for terminals
Query: monitoring for unauthorized terminals
Query: monitoring of the wireless space
Guide: access management for third-party O&M personnel, that is, a bastion host
Control every terminal's access to the network so that unauthorized users cannot join at will: this is "control". Control is the prerequisite and the foundation of management. Being able to discover what slipped through is "query"; it is the means of compensating for management defects, and covers discovering unauthorized terminals on the wired network as well as in the wireless space. Finally, management must be made workable rather than simply blocking everything: for external terminals that genuinely need to be on the network, set up a dedicated area and confine their use to that environment. This is "guide".
1. "Control" methods
Network access requires a network access point; for a wired network that means a switch port the terminal can plug into. The idea is that the switch refuses to serve a terminal that has no authorization, so that unauthorized access is stopped at the port. The main control technologies are:
Port-to-MAC binding: disable MAC address learning on the switch port and write the MAC address into the switch configuration by hand, so that only the terminal with that MAC can use the port;

Suitable for networks with few terminals; easy to use;
Operations cost is high, and it cannot stop an intruder from changing the MAC address of their own network card to a valid one, nor from trying to modify the switch configuration so that their terminal becomes "legitimate";
Enable the 802.1X protocol: the switch port passes only authentication frames until the user has passed identity authentication, after which normal forwarding is permitted. This shuts out unauthenticated access at the port, before any network-layer traffic is forwarded;

Easy to manage and suitable for large networks. During authentication the IP address, MAC address and user identity are bound together, which tightens control over the terminal and addresses intruders who impersonate an identity by changing their MAC or IP;
The method also applies to wireless networks such as Wi-Fi: 802.1X can be enabled on the wireless AP or on the AC it connects to, so that an intruder reaches the internal network only after authenticating;
All edge access switches must be managed switches, and a single identity authentication system must be established across the whole network;
If the security of some edge access switches cannot be guaranteed, or their configuration is easy to modify, 802.1X is usually enabled on the aggregation switch instead, to keep control of access to the upper-layer network. The lower layer then remains at risk: an intruder can first compromise a legitimate terminal and use it as a springboard into the upper-layer network.
A terminal access control scheme confirms the identity of the connecting device or user in order to keep outsiders out. But a network is large, and where several departments share management, edge switch configuration is often neglected and wireless access points are set up haphazardly, which leaves usable access points for intruders. So it is also necessary to discover externally connected terminals promptly.
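As an added illustration (not code from the article or from any switch vendor), the following Python model shows the port-level policy that the two "control" methods above amount to: before authentication the port passes only EAPOL frames, and after authentication it forwards only frames whose source MAC and IP match the identity that was authenticated, which is why cloning a valid MAC gets an intruder nowhere. The credential store, MAC and IP addresses and the scenarios are constructed for the example.

```python
"""Toy model of a switch port protected by 802.1X with user/MAC/IP binding.

Added illustration for this article; not vendor code. The credential store,
MAC and IP addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# EtherType of IEEE 802.1X (EAPOL) frames: the only traffic an unauthenticated port passes
EAPOL_ETHERTYPE = 0x888E

# Constructed authentication records: user -> (password, registered MAC, registered IP)
CREDENTIALS = {
    "alice": ("correct horse", "00:11:22:33:44:55", "10.0.1.10"),
}


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None   # only meaningful for IP frames


@dataclass
class Binding:
    user: str
    mac: str
    ip: str


@dataclass
class Port:
    name: str
    binding: Optional[Binding] = None  # None means the port is still unauthenticated

    def authenticate(self, user: str, password: str, mac: str, ip: str) -> bool:
        """What the authentication server decides: the account AND the device must match."""
        record = CREDENTIALS.get(user)
        if record is None:
            return False
        expected_pw, expected_mac, expected_ip = record
        if password != expected_pw:
            return False
        # Binding check: a valid account presented from an unregistered device is refused,
        # so a cloned MAC is useless without the credentials and the credentials are
        # useless from the wrong device.
        if mac.lower() != expected_mac or ip != expected_ip:
            return False
        self.binding = Binding(user, expected_mac, expected_ip)
        return True

    def should_forward(self, frame: Frame) -> bool:
        """Port-level forwarding decision for one inbound frame."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True                      # authentication traffic always passes
        if self.binding is None:
            return False                     # unauthenticated: everything else is dropped
        if frame.src_mac.lower() != self.binding.mac:
            return False                     # another station behind the same port
        if frame.src_ip is not None and frame.src_ip != self.binding.ip:
            return False                     # authenticated station spoofing another IP
        return True


def demo() -> dict:
    """Run the scenarios discussed in the text on one port and return the decisions."""
    port = Port("Gi1/0/1")
    cloned = Frame("00:11:22:33:44:55", 0x0800, "10.0.1.10")   # intruder cloned alice's MAC and IP
    results = {
        "cloned_mac_before_auth": port.should_forward(cloned),
        "eapol_before_auth": port.should_forward(Frame("00:11:22:33:44:55", EAPOL_ETHERTYPE)),
        "wrong_password": port.authenticate("alice", "guess", "00:11:22:33:44:55", "10.0.1.10"),
        "right_password_wrong_device": port.authenticate("alice", "correct horse", "de:ad:be:ef:00:01", "10.0.1.10"),
        "legitimate_auth": port.authenticate("alice", "correct horse", "00:11:22:33:44:55", "10.0.1.10"),
    }
    results["traffic_after_auth"] = port.should_forward(cloned)   # same frame, now from the bound station
    results["spoofed_ip_after_auth"] = port.should_forward(Frame("00:11:22:33:44:55", 0x0800, "10.0.1.99"))
    results["other_mac_after_auth"] = port.should_forward(Frame("de:ad:be:ef:00:01", 0x0800, "10.0.1.10"))
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:30s} -> {'allowed' if allowed else 'denied'}")
```

In a real deployment the credential decision is made by a RADIUS server rather than by the switch, and the MAC/IP part of the binding is enforced by switch features such as DHCP snooping and IP source guard working alongside 802.1X; the model above only collapses those pieces into one place to make the policy visible.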
2. "Query" methods: wired network
When an intruder's terminal joins the network it leaves traces. The main one is its MAC address (intruders usually configure a valid internal IP address, so the IP alone says little). However, the MAC address is visible only within its own network segment and cannot be observed at the core (layer 3). There are two approaches:
Add MAC information to identity authentication: when the user authenticates, the terminal's MAC address serves as the device identity, is sent to the authentication server together with the user identity, and the two are bound after authentication. In the terminal access control scheme above, the switch running 802.1X enforces the terminal's MAC address;
Build a MAC address repository and monitor for the appearance of MAC addresses that are not in it. The MAC addresses can be found in two ways:
Use the network management system to read the FDB (MAC address table) of each edge switch and pick out newly appeared MAC addresses. The method is simple, but in a large network with many access switches the queries must be organised by region and the summaries reported to a monitoring centre;
Place a listening port on each subnet that mirrors the gateway link, analyse all packets on the subnet, and pick out new MAC addresses;
Since intruders generally take over the IP address of a legitimate user and go on to attack the applications in the network, monitoring for unknown MAC addresses is not enough; the terminal's behaviour must also be analysed for anomalies in order to find impersonators.
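The FDB approach above, as an added example that is not part of the original article: a Python audit that parses a switch MAC address table, normalises the address formats, and checks every learned address against an asset inventory. It reports two kinds of finding, an address nobody registered and a registered address showing up on a port other than the one it was registered on (the signature of both an undocumented move and a cloned MAC). The inventory, the uplink list and the switch output are constructed; the dump mimics the layout of a Cisco IOS "show mac address-table" but was written by hand for the example.

```python
"""Audit an edge switch's MAC address table against the asset inventory.

Added illustration for the article's unauthorized terminal scanning system; not product
code. The inventory, uplink list and the switch output below are constructed; the dump
mimics the layout of a Cisco IOS "show mac address-table" but was written by hand.
"""
import re

# Constructed inventory: normalized MAC -> (asset name, switch, port it is registered on)
INVENTORY = {
    "00:11:22:33:44:55": ("finance-pc-01", "sw-edge-1", "Gi1/0/3"),
    "00:11:22:33:44:66": ("finance-pc-02", "sw-edge-1", "Gi1/0/4"),
    "00:11:22:33:44:77": ("printer-2f",    "sw-edge-1", "Gi1/0/10"),
}
# Ports toward the aggregation layer: many foreign MACs are legitimately learned here
UPLINKS = {("sw-edge-1", "Gi1/0/48")}

# Constructed dump: the printer has appeared on the wrong port and an unknown MAC is on Gi1/0/9
SAMPLE_FDB = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0011.2233.4466    DYNAMIC     Gi1/0/4
  10    0011.2233.4477    DYNAMIC     Gi1/0/11
  10    dead.beef.0001    DYNAMIC     Gi1/0/9
  20    0050.56aa.bb01    DYNAMIC     Gi1/0/48
"""

# VLAN, Cisco dotted MAC, type, port. Header lines and "All ... STATIC CPU" rows do not match.
FDB_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455; return aa:bb:... form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_fdb(dump: str):
    """Yield (vlan, mac, port) for every learned-address row in the dump."""
    for line in dump.splitlines():
        m = FDB_LINE.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(4)


def audit(switch: str, dump: str, inventory=INVENTORY, uplinks=UPLINKS):
    """Return findings as (kind, mac, port, detail); kind is 'unknown' or 'moved'."""
    findings = []
    for vlan, mac, port in parse_fdb(dump):
        if (switch, port) in uplinks:
            continue   # audit those addresses on the switch they are actually attached to
        asset = inventory.get(mac)
        if asset is None:
            findings.append(("unknown", mac, port, f"vlan {vlan}: not in asset inventory"))
            continue
        name, reg_switch, reg_port = asset
        if (reg_switch, reg_port) != (switch, port):
            # A known MAC on the wrong port is either an unrecorded move or a cloned MAC;
            # either way someone has to look.
            findings.append(("moved", mac, port,
                             f"{name} is registered on {reg_switch} {reg_port}"))
    return findings


if __name__ == "__main__":
    for kind, mac, port, detail in audit("sw-edge-1", SAMPLE_FDB):
        print(f"[{kind}] {mac} on {port}: {detail}")
```

For periodic polling of many switches it is better to read the table over SNMP (the standard BRIDGE-MIB dot1dTpFdbTable, or Q-BRIDGE-MIB for per-VLAN entries) than to scrape CLI output, and to skip uplink and trunk ports as the example does, since addresses learned there belong to other segments and would otherwise drown the report in false "unknown" hits.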
In summary, the unauthorized terminal monitoring solution has two parts:
Unauthorized terminal scanning system: periodically queries the access switches for new terminals and checks them against the asset database to find unauthorized ones;
Terminal behaviour analysis system: a big-data analysis system that takes the terminal location information from the scanning system and the terminal and user identity information from the authentication system, builds a baseline of each user's behaviour, and looks for deviations from it (logon location, logon time, whether the terminal matches the user, and so on) in order to catch intruders logging on with a legitimate user's credentials.
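The behaviour analysis system described above, as an added example that is not part of the original article: Python code that builds a per-user baseline (which terminals, which switches, which hours) from a history of successful authentications and then lists how a new event departs from it. The three checks named in the text are all there: logon location, logon time, and whether the terminal belongs to the user. The event history and the new events are constructed.

```python
"""Baseline-and-deviation check on 802.1X authentication events.

Added illustration for the article's behaviour analysis system; not product code.
The event history and the new events below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed export of successful authentications: who, from which terminal (MAC), where (switch), when
HISTORY = [
    {"ts": "2024-03-04T08:55:00", "user": "alice", "mac": "00:11:22:33:44:55", "switch": "sw-edge-1"},
    {"ts": "2024-03-05T09:02:00", "user": "alice", "mac": "00:11:22:33:44:55", "switch": "sw-edge-1"},
    {"ts": "2024-03-06T17:40:00", "user": "alice", "mac": "00:11:22:33:44:55", "switch": "sw-edge-1"},
    {"ts": "2024-03-04T09:10:00", "user": "bob",   "mac": "00:11:22:33:44:66", "switch": "sw-edge-2"},
    {"ts": "2024-03-05T10:15:00", "user": "bob",   "mac": "00:11:22:33:44:66", "switch": "sw-edge-2"},
]


def build_baseline(events):
    """Per-user sets of terminals, locations and logon hours, plus which user each terminal belongs to."""
    baseline = defaultdict(lambda: {"macs": set(), "switches": set(), "hours": set()})
    mac_owner = {}
    for e in events:
        b = baseline[e["user"]]
        b["macs"].add(e["mac"])
        b["switches"].add(e["switch"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        mac_owner.setdefault(e["mac"], e["user"])   # first user seen on a terminal is taken as its owner
    return baseline, mac_owner


def hour_distance(a: int, b: int) -> int:
    """Distance on the 24-hour clock, so 23:00 and 01:00 count as two hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def deviations(event, baseline, mac_owner, tolerance_hours: int = 1):
    """Return the list of reasons an event departs from the user's baseline (empty means normal)."""
    user = event["user"]
    b = baseline.get(user)          # .get() does not create a default entry
    if b is None:
        return ["no baseline for this user yet"]
    reasons = []
    if event["mac"] not in b["macs"]:
        owner = mac_owner.get(event["mac"])
        if owner is not None and owner != user:
            reasons.append(f"terminal {event['mac']} belongs to {owner}, not {user}")
        else:
            reasons.append(f"never-seen terminal {event['mac']}")
    if event["switch"] not in b["switches"]:
        reasons.append(f"new location {event['switch']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    if all(hour_distance(hour, h) > tolerance_hours for h in b["hours"]):
        reasons.append(f"unusual logon hour {hour:02d}:00")
    return reasons


def analyse(new_events, history=HISTORY):
    """Map each new event's timestamp to its list of deviations."""
    baseline, mac_owner = build_baseline(history)
    return {e["ts"]: deviations(e, baseline, mac_owner) for e in new_events}


# Constructed new events: a normal day for alice, then "alice" at 03:00 from bob's terminal on bob's switch
NEW_EVENTS = [
    {"ts": "2024-03-07T09:05:00", "user": "alice", "mac": "00:11:22:33:44:55", "switch": "sw-edge-1"},
    {"ts": "2024-03-08T03:12:00", "user": "alice", "mac": "00:11:22:33:44:66", "switch": "sw-edge-2"},
]

if __name__ == "__main__":
    for ts, reasons in analyse(NEW_EVENTS).items():
        print(ts, "OK" if not reasons else "; ".join(reasons))
```

The second event trips all three checks at once, which is the pattern of a stolen credential used from a different machine rather than of a user who simply changed desks; a single deviation (a new switch, say) is usually a ticket, while several together are an incident. With a few days of history the hour set is coarse, so in practice the tolerance is widened or replaced by a per-user working-hours window.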

3. "Query" methods: wireless network
A rogue AP inside the network is often the stepping stone for an intrusion. Most rogue APs are set up by users themselves, for their own convenience, on top of their legitimate access: sharing the connection with a phone, letting several devices work at once, and so on. The network administrator can reach only the legitimate terminal and cannot directly see the other devices hanging off it. The security configuration of such a "rogue AP" is simple and easily broken, so it becomes the intruder's stepping stone.

The wireless-space monitoring solution deploys a wireless IDS across the network area to detect all wireless signals in the space and to distinguish legitimate internal APs from rogue ones. Once a rogue AP is found, a containment signal can be transmitted to stop it from working, so that the terminals attached to it cannot communicate and the rogue AP no longer offers a way into the network. Note that active containment (jamming or forged deauthentication) also affects neighbouring networks on the same channel and is subject to radio regulations, so confirm the target is actually on your premises before enabling it.
Because wireless signals are limited by distance and are blocked by walls, pay attention to coverage when deploying wireless IDS sensors; in principle every access location of the network should be covered.
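The "distinguish legitimate APs from rogue ones" step, as an added example that is not part of the original article or of any WIDS product: Python code that classifies sensor observations against an authorized-AP list. It flags an unknown radio advertising the corporate SSID (evil twin), an unknown AP whose signal is strong enough to be inside the building, and, when a list of MACs learned on the wired switches is supplied, an unknown AP whose BSSID is numerically adjacent to one of them, which is the usual sign that the AP is plugged into an internal port. The authorized list, the RSSI threshold, the scan results and the wired MAC list are constructed, and the BSSID-adjacency check is a heuristic, not a guarantee.

```python
"""Classify wireless scan observations into authorized, evil-twin, rogue and neighbour APs.

Added illustration for the article's wireless-space monitoring; not WIDS product code.
The authorized AP list, the RSSI threshold and the scan results are constructed, and
the BSSID-adjacency check is a heuristic, not a guarantee.
"""
from dataclasses import dataclass

# Constructed list of APs the network team deployed: BSSID -> the SSID it is allowed to broadcast
AUTHORIZED_APS = {
    "aa:bb:cc:00:01:10": "CORP",
    "aa:bb:cc:00:01:20": "CORP",
    "aa:bb:cc:00:01:30": "CORP-Guest",
}
# Signal stronger than this is assumed to come from inside the building (site-specific assumption)
INSIDE_RSSI_DBM = -65


@dataclass
class Observation:
    bssid: str
    ssid: str
    security: str   # e.g. "open", "wep", "wpa2-psk", "wpa2-ent"
    rssi: int       # dBm as reported by the sensor


# Constructed scan from one sensor
SCAN = [
    Observation("aa:bb:cc:00:01:10", "CORP", "wpa2-ent", -48),
    Observation("de:ad:be:ef:01:02", "CORP", "wpa2-ent", -55),           # unknown radio advertising our SSID
    Observation("02:1a:2b:3c:4d:5e", "HomeRouter_5G", "wpa2-psk", -40),  # consumer AP, strong signal
    Observation("12:34:56:78:9a:bc", "CafeWifi", "open", -84),           # weak: probably next door
]


def mac_int(mac: str) -> int:
    """Numeric value of a MAC so adjacent addresses can be compared."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def classify(obs: Observation, authorized=AUTHORIZED_APS, wired_macs=frozenset(),
             inside_rssi: int = INSIDE_RSSI_DBM):
    """Return (verdict, reason) for one observation."""
    allowed_ssid = authorized.get(obs.bssid)
    if allowed_ssid is not None:
        if obs.ssid == allowed_ssid:
            return "authorized", ""
        return "misconfigured", f"authorized AP broadcasting {obs.ssid!r} instead of {allowed_ssid!r}"
    if obs.ssid in authorized.values():
        return "evil_twin", "unknown BSSID advertising a corporate SSID"
    # Wired-side correlation: consumer APs typically derive the BSSID from their wired MAC with a
    # small offset, so a nearby MAC in an internal switch's address table suggests the AP is
    # plugged into our network (heuristic; confirm by tracing the port).
    b = mac_int(obs.bssid)
    if any(abs(mac_int(w) - b) <= 16 for w in wired_macs):
        return "rogue_on_wire", "BSSID adjacent to a MAC learned on an internal switch port"
    if obs.rssi >= inside_rssi:
        return "rogue_candidate", f"unknown AP at {obs.rssi} dBm with {obs.security} security"
    return "neighbor", "weak signal, probably outside the premises"


def sweep(scan=SCAN, **kwargs):
    """Classify a whole scan; kwargs are passed to classify (e.g. wired_macs=...)."""
    return {obs.bssid: classify(obs, **kwargs) for obs in scan}


if __name__ == "__main__":
    # The wired MAC list would come from the switch FDB audit; constructed here
    for bssid, (verdict, reason) in sweep(wired_macs=frozenset({"02:1a:2b:3c:4d:60"})).items():
        print(f"{bssid}  {verdict:16s} {reason}")
```

Only the "rogue_on_wire" and "evil_twin" verdicts justify containment; a "rogue_candidate" seen by a single sensor may still be a neighbour's AP behind a thin wall, which is why the text insists on sensor coverage and why the RSSI threshold has to be calibrated per site.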
4. "Guide" method: third-party O&M zone
Information technology develops rapidly and changes fast; systems, networks and even security equipment often depend on third-party O&M staff for troubleshooting, configuration changes and routine maintenance. It is therefore unrealistic to keep third-party O&M staff off the network, and they usually bring their own terminals, because O&M needs a lot of test software, tools and equipment to be connected and running on the network.
Since external terminals must be allowed on, and third-party terminals cannot be expected to install every security agent that internal policy requires, a dedicated O&M management area is opened for them, so that they can do their work in a confined space without compromising the network's security management.

A bastion host is the common name for an O&M access proxy system. The principle is simple: before touching any device or system in the designated O&M area, third-party staff must first log on to the bastion host. The bastion host not only holds the logon passwords of the managed devices but also audits every operation the third-party staff perform, whether over a command line, a graphical interface or a dedicated client/server tool.
Because the bastion host isolates them, the network does not need to scan for the MAC addresses of third-party terminals; as long as the staff know the IP address and logon password of the device or system to be maintained, they can work freely.
Blocking unauthorized external terminals not only stops external intruders from coming in directly but also reduces the damage an intruder can do. It also addresses the common situation where security management relies on people alone, with no technical enforcement behind it.
The security measures deployed against unauthorized access by external hosts are:
1. Access control on terminals joining the network, to keep intruders off;
2. Monitoring for unauthorized terminals, so that intruders who got in cannot persist;
3. Wireless-space monitoring, to drive intruders out of our wireless space;
4. Bastion-host O&M, to give external users a legitimate workspace.
