
The Trilogy of Illegal Terminal Access Control: Control, Investigation and Guidance

2025-04-02 Update, from SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)06/01 Report--


Jack zhai

First, the question:

To bypass a network's perimeter defences and get straight into its interior, there are two ways. First, an internal host "actively" establishes a new channel to the external network, and the attacker enters the network through this uncontrolled "channel". Second, an external user finds a new way around the perimeter security measures (for example, a gap in management) and enters the network.

Both of these attack paths have a resounding academic name: the "covert channel".

The first kind, the "internally initiated" covert channel, can have many causes: a terminal infected by malware such as a worm, a manufacturer's back door, a bribed "mole", or a spy planted by the other side. Protection here mostly takes the perspective of controlling the internal terminal host: install monitoring software on the terminal, close the outbound channel, and deny network access to any terminal that has not installed it.

The second kind, the "externally initiated" covert channel, mostly comes from gaps in network management, so the effort must go into supervision. Let us first look at what the problem is:

1. Access methods of external hosts:

Wired access: the external host is plugged directly into a switch interface of the network (an available switch port).

Wireless access:

An attacker cracks the password of a legitimate AP and joins the network wirelessly.

A wireless proxy is opened on an internal host terminal to form an "illegal AP"; the external host connects to it and reaches the network through the internal host acting as proxy.

Taking advantage of gaps in switch management, a user sets up an "illegal AP", forming an uncontrollable wireless access point.

2. Protection difficulties:

External hosts do not install our host security measures and will not actively report their information, so they are hard to discover.

When both the MAC and the IP address can be modified, the network layer often cannot confirm whether a connected host is impersonating another.

Second, designing security protection against illegal access by external hosts

External hosts that gain illegal access generally exploit gaps in network management to obtain a "legitimate" access point. Management has many aspects, and the protective measures must work together:

Control: terminal network access (admission) control

Check:

Illegal terminal monitoring

Wireless space monitoring

Guide: third-party operation and maintenance access management, the bastion host (fortress machine)

All terminal access to the network must be controlled so that unauthorized persons cannot enter at will. This is "control", the premise and basis of management. For those who do not access the network as required, we must be able to find them; this is "check". Checking is a means of compensating for management defects, and covers the discovery of illegal terminals on the wired network as well as of illegal wireless access. Finally, good management requires guidance, not just interception: for external terminals that need network access for their business, a specific area is set up and they are used in a specified environment. This is "guidance".

1. The method of "control"

Network access requires an access point; on a wired network that is a switch interface. If the switch refuses to serve an unauthorized terminal, its illegal access is controlled. The main control technologies are:

Port binding of MAC addresses: disable MAC address learning on the switch port and write the permitted MAC address into the switch manually, so that only the terminal with that MAC can use the port.

Suitable for networks with few terminals; simple and easy to do.

Operation and maintenance cost is high; it cannot restrict someone who changes the MAC address of their network card to a "legal" one, nor prevent them from trying to modify the switch configuration so that their terminal is admitted as legal.

Enable the 802.1x protocol: initially the switch port allows only authentication packets to pass, and forwards other packets only after the user has been authenticated, which blocks arbitrary access at the network layer.

Easy to manage and suitable for large networks. At the same time, binding IP, MAC and identity ID during authentication further strengthens control over the terminal and addresses the problem of users modifying their MAC and IP to impersonate an identity.

The method also applies to wireless networks such as Wi-Fi: enable 802.1x on the wireless AP, or connect the AP to an AC. Users can enter the internal network only after passing identity authentication.

All edge access switches must be networked and managed, and a unified network-wide identity authentication management system must be established.

If some edge access switches are uncontrollable or their configuration is easily modified, 802.1x is generally enabled on the aggregation switch instead. This keeps access to the upper-layer network controllable, but the lower-layer network remains at risk: an attacker there can first infect a legitimate terminal and then use it as a springboard into the upper-layer network.

In a terminal admission control scheme, outsiders are restricted by confirming the identity of the accessing device or user. However, when the network is large and managed by several departments, the configuration management of edge switches is often not in place, and privately built wireless access points give attackers usable entry points. Discovering externally connected terminals in time is therefore a necessary security measure.

2. The method of "checking": wired network

When a user's terminal connects to the network it can be discovered, mainly by its MAC address (it is generally configured with an internal, legal IP address). However, the MAC address is visible only within its own network segment and cannot be monitored from the core network (layer 3). There are two ways to deal with this:

Add MAC information to the authentication process: during user identity authentication the terminal's MAC address is sent to the authentication server as the device identity together with the user identity, and the two are bound after authentication. In the terminal admission control scheme of the previous section, the switch enables 802.1x to control the terminal MAC address.

Establish a MAC resource library (a registry of known MAC addresses) and monitor for the appearance of illegal MAC addresses. There are two ways to discover MAC addresses:

Use network management to read the FDB (forwarding database) table of each edge switch and find newly appeared MAC addresses. This is simple and easy, but on a large network with many access switches the queries must be organised by region, with the results summarised and reported to the monitoring centre.

Set up a listening port in each network segment, mirror the link traffic in the direction of the gateway, analyse all traffic packets in the segment and discover new MAC addresses.

Since attackers generally steal the IP of legitimate users and go on to attack various applications in the network, in addition to monitoring for illegal MACs it is also necessary to analyse terminal behaviour to find impostors.

To sum up, the illegal terminal monitoring scheme can be divided into two parts:

Illegal terminal scanning system: by regularly querying the access switches, newly appeared terminals are found and checked against the asset database to decide whether they are illegal access terminals.

Terminal abnormal behaviour analysis system: a big-data analysis system that takes terminal location information from the illegal terminal monitoring and terminal and user identity information from the identity authentication system, establishes a baseline of user behaviour and looks for deviations from it, such as login location, login time and whether the terminal and user match, so as to detect attackers logging in with the information of legitimate users.
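As an added example that is not part of the original article, the following Python sketch shows the "illegal terminal scanning system" described above: constructed FDB snapshots from two regions are compared with a constructed asset library, unknown MACs are flagged, a known MAC on the wrong port is reported, a MAC learned on two access ports at once is treated as a cloned address, and the regional results are summarised for the monitoring centre. All MAC addresses, switch names, port names and owner names are constructed; uplink (trunk) ports are skipped because they carry every MAC in the segment.

```python
from collections import defaultdict

# Constructed asset library: MAC -> (owner, enrolled switch, enrolled port).
ASSET_DB = {
    "00:11:22:33:44:01": ("finance-pc-01", "sw-a1", "Gi1/0/1"),
    "00:11:22:33:44:10": ("hr-pc-10", "sw-b1", "Gi1/0/5"),
}
# Constructed FDB snapshots as a regional poller would return them: region -> switch -> [(port, mac)].
FDB_SNAPSHOTS = {
    "building-a": {"sw-a1": [("Gi1/0/1", "00:11:22:33:44:01"),
                             ("Gi1/0/7", "DE:AD:BE:EF:00:01"),    # never enrolled
                             ("Gi1/0/24", "00:11:22:33:44:10")]},  # uplink, ignored
    "building-b": {"sw-b1": [("Gi1/0/9", "00:11:22:33:44:10"),    # wrong port
                             ("Gi1/0/5", "00:11:22:33:44:10")]},   # same MAC twice
}
UPLINK_PORTS = {("sw-a1", "Gi1/0/24"), ("sw-b1", "Gi1/0/24")}     # trunks see every MAC


def scan_region(switches):
    """Compare one region's FDB snapshot with the asset library; return (severity, switch, port, mac, reason)."""
    findings = []
    seen_on = defaultdict(set)                      # mac -> {(switch, port)}
    for switch, entries in switches.items():
        for port, mac in entries:
            if (switch, port) in UPLINK_PORTS:      # not an access port
                continue
            mac = mac.lower()
            seen_on[mac].add((switch, port))
            asset = ASSET_DB.get(mac)
            if asset is None:
                findings.append(("high", switch, port, mac, "MAC not in asset library"))
            elif (asset[1], asset[2]) != (switch, port):
                findings.append(("medium", switch, port, mac,
                                 f"{asset[0]} is enrolled on {asset[1]} {asset[2]}"))
    # A MAC learned on two access ports at the same time is a clone, not a move.
    for mac, places in seen_on.items():
        if len(places) > 1:
            findings.append(("high", "*", "*", mac, f"MAC active on {len(places)} ports"))
    return findings


def summarise(snapshots):
    """Aggregate the regional scans into one report for the monitoring centre."""
    report = {}
    for region, switches in snapshots.items():
        found = scan_region(switches)
        report[region] = {"findings": found, "high": sum(f[0] == "high" for f in found)}
    return report
```

In a real deployment the FDB snapshot would come from the switches' management interface (for example SNMP) and the asset library from the identity or asset system; the comparison logic stays the same.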

3. The method of "checking": wireless network

"Illegal APs" in the network are often the springboard into it. The creators of "illegal APs" are mostly users seeking convenience in their own work (mobile Internet access, connecting mobile devices, and so on) who set up proxy services through their own legal access points so that several of their devices can work at the same time. Network managers usually see only the access of the legitimate terminal and cannot directly find the other illegal devices through the network. The security configuration of such an "illegal AP" is simple and easily cracked, so it becomes a springboard for attackers.

The wireless space monitoring scheme deploys a wireless IDS in the network area to detect all wireless signals in the space and distinguish legal internal APs from illegal APs. Once an illegal AP is found, it can be prevented from working properly with wireless interference signals, so that terminals connected to it cannot communicate normally, which blocks illegal terminals from entering the network through it.

Because wireless signals are limited by distance and are easily blocked or isolated, the deployment of the wireless IDS must consider the coverage area of the wireless signal, which in principle should cover all access nodes of the network.
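As an added example that is not part of the original article, the following Python sketch shows the classification step of the wireless space monitoring described above: constructed sensor observations are checked against a constructed list of authorised internal APs, so that an unknown BSSID broadcasting the corporate SSID, an open AP inside our coverage and a personal hotspot are all reported as "rogue", while a weak signal from outside the premises is only noted as a neighbour. The BSSIDs, SSIDs, sensor names and the RSSI threshold are all constructed assumptions; what to do with a "rogue" verdict (containment, locating the AP) is the separate operational step the article describes.

```python
# Constructed list of authorised internal APs: BSSID -> SSID it may broadcast.
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": "CORP-WLAN",
    "aa:bb:cc:00:00:02": "CORP-WLAN",
}
CORP_SSIDS = set(AUTHORISED_APS.values())
STRONG_RSSI = -65          # dBm; assumed threshold for "inside our premises"

# Constructed sensor observations: (bssid, ssid, security, rssi_dbm, sensor_id)
OBSERVATIONS = [
    ("aa:bb:cc:00:00:01", "CORP-WLAN", "WPA2-Enterprise", -50, "ids-1f"),
    ("aa:bb:cc:00:00:99", "CORP-WLAN", "WPA2-PSK", -48, "ids-1f"),       # our SSID, unknown BSSID
    ("12:34:56:78:9a:bc", "Xiaomi_Share", "WPA2-PSK", -42, "ids-2f"),    # personal hotspot
    ("12:34:56:78:9a:bd", "Free-WiFi", "OPEN", -55, "ids-2f"),           # open AP, strong signal
    ("de:ad:be:ef:00:00", "Neighbour-Cafe", "WPA2-PSK", -88, "ids-1f"),  # weak, next door
]


def classify(obs):
    """Return (verdict, reason) for one observed BSSID."""
    bssid, ssid, security, rssi, _ = obs
    if bssid in AUTHORISED_APS:
        if AUTHORISED_APS[bssid] != ssid:
            return "rogue", "authorised BSSID broadcasting an unexpected SSID"
        return "authorised", ""
    if ssid in CORP_SSIDS:
        return "rogue", "corporate SSID on an unknown BSSID (possible evil twin)"
    if rssi < STRONG_RSSI:
        return "neighbour", "weak signal, likely outside the premises"
    if security == "OPEN":
        return "rogue", "open AP inside coverage"
    return "rogue", "unknown AP inside coverage (possible personal hotspot)"


def triage(observations):
    """Group observations by verdict; the 'rogue' entries are the ones to act on."""
    out = {"authorised": [], "rogue": [], "neighbour": []}
    for obs in observations:
        verdict, reason = classify(obs)
        out[verdict].append((obs[0], obs[1], obs[4], reason))
    return out
```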

4. The method of "guiding": the third-party operation and maintenance area

Information technology develops rapidly and is updated quickly; whether for systems, networks or even security, fault handling, configuration changes and daily maintenance often rely on third-party operation and maintenance personnel. It is therefore impossible to keep third-party operators off the network, and they often use their own terminals. Operators need many testing tools and software, which must be connected to the network to run.

Since external terminals must be allowed onto the network, and third-party personnel cannot be required to install all our security software according to our own security regulations, a specific operation and maintenance management area should be opened up for them, so that they can complete their work in a defined space without affecting network security management.

"Bastion host" (fortress machine) is the common name for an operation and maintenance management proxy system. The principle is simple: when third-party operation and maintenance personnel connect their own terminal equipment in the designated area, they must first log on to the bastion host and only then access the equipment or system to be maintained. The bastion host not only manages the login passwords of the equipment but also records all operations of the third-party personnel, whether on the command line, in a graphical interface or through a dedicated client/server (CS) client.

Because of the isolation provided by the bastion host, the network does not need to scan the MAC addresses of the third-party personnel's terminals; they can work freely as long as they know the IP address and login password of the equipment or system to be maintained.

Summary

Preventing illegal external terminals from connecting to the network not only blocks direct access by external users and reduces their destructive capability, but also solves the problem that most users' security management is implemented only by managing people, with no technical support.

Security measures against illegal access by external hosts, from four aspects:

1. Access control of external terminals to the network, so that those who would enter cannot get in.

2. Monitoring of illegal terminals, so that those who do get in cannot survive.

3. Wireless space monitoring, so that they disappear from our cyberspace.

4. The operation and maintenance bastion host, which provides a legal working space for external visitors.
