Intranet Security Design
The typical networking of large- and medium-sized campus networks consists of the core layer, aggregation layer, and access layer. Some simplified networks use only the core layer and access layer; this makes no difference to the network security design. The following sections describe the security design guidelines for each layer.
Access Layer
The access layer is the edge of a campus network and provides various access modes to PCs, network cameras, printers, IP phones, and wireless terminals. It is the first layer of the campus network and must meet the access demands of these terminals. The access layer also protects the entire network by preventing unauthorized users and applications from connecting to it, so it must provide security without compromising network availability. The recommendations for the access layer are as follows:
- It is recommended that broadcast storm control be enabled.
When a Layer 2 Ethernet interface on a device receives broadcast, multicast, or unknown unicast packets, the device floods these packets to all other Layer 2 Ethernet interfaces in the same VLAN because the outbound interface cannot be determined from the destination MAC address. As a result, a broadcast storm may be generated, degrading the forwarding performance of the device. On downlink interfaces of the access layer, configure suppression of broadcast, multicast, and unknown unicast packets to effectively reduce broadcast storms.
- It is recommended that DHCP snooping be enabled and the uplink interfaces that directly or indirectly connect access switches to the DHCP server be configured as trusted interfaces.
DHCP snooping defends against bogus DHCP server attacks, DHCP server DoS attacks, bogus DHCP packet attacks, and other DHCP attacks. DHCP snooping allows administrators to configure trusted interfaces and untrusted interfaces, so DHCP clients can obtain IP addresses from authorized DHCP servers. A trusted interface forwards DHCP messages it receives, whereas an untrusted interface discards DHCP ACK messages and DHCP Offer messages received from a DHCP server.
An interface that directly or indirectly connects to a DHCP server trusted by the administrator must be configured as a trusted interface; all other interfaces are configured as untrusted interfaces. This ensures that DHCP clients obtain IP addresses only from authorized DHCP servers and prevents bogus DHCP servers from assigning IP addresses to DHCP clients.
- You are advised to enable IP source guard and Dynamic ARP Inspection (DAI).
Unauthorized users often send bogus packets carrying the source IP address and MAC address of authorized users to access or attack the network. As a result, authorized users lose stable and secure network access. To address this problem, you can configure IP source guard. IP source guard prevents unauthorized hosts from using the IP addresses of authorized hosts, or specified IP addresses, to access or attack the network.
You can configure DAI to defend against Man-in-the-Middle (MITM) attacks, preventing authorized user information from being intercepted. When a device receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows it to pass through. Otherwise, the device discards the packet.
- You are advised to enable port isolation.
You are advised to configure port isolation on the interface connecting the access switch to the terminal. This configuration secures user communication and prevents invalid broadcast packets from affecting user services.
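The DHCP snooping, IP source guard, and DAI recommendations above all work off one binding table, so here is an added example, written for this page and not vendor code, that models the three checks together in Python. DHCP snooping drops server-side messages (Offer, ACK) that arrive on untrusted interfaces and learns a binding of IP address, MAC address, VLAN, and client interface from each ACK that arrives on the trusted uplink; IP source guard and DAI then check the source fields of IP and ARP packets from untrusted interfaces against that table and drop anything that does not match. The interface names, MAC addresses, and IP addresses are constructed.

```python
"""DHCP snooping, IP source guard and DAI sharing one binding table.

Hypothetical model of the access-switch logic described on this page, not a
vendor implementation. Interface names, MACs and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


class AccessSwitch:
    # Message types that only a DHCP server sends; on an untrusted interface
    # they can only have come from a bogus server.
    SERVER_MESSAGES = {"OFFER", "ACK"}

    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)
        self.pending: Dict[Tuple[str, int], str] = {}   # (client MAC, VLAN) -> client interface
        self.bindings: Dict[str, Binding] = {}          # client IP -> binding
        self.log: List[str] = []

    def dhcp_snoop(self, interface, vlan, msg_type, client_mac, client_ip=None):
        """Forward (True) or drop (False) a DHCP message; learn bindings from ACKs."""
        if msg_type in self.SERVER_MESSAGES:
            if interface not in self.trusted:
                self.log.append(f"dropped DHCP {msg_type} from bogus server on {interface}")
                return False
            if msg_type == "ACK" and client_ip is not None:
                client_if = self.pending.get((client_mac, vlan))
                if client_if is not None:
                    # Lease confirmed by an authorized server: bind IP/MAC/VLAN
                    # to the interface the client's own request arrived on.
                    self.bindings[client_ip] = Binding(client_ip, client_mac, vlan, client_if)
            return True
        # DISCOVER/REQUEST from a client: remember where the client is attached.
        self.pending[(client_mac, vlan)] = interface
        return True

    def _matches_binding(self, interface, vlan, ip, mac):
        b = self.bindings.get(ip)
        return b is not None and (b.mac, b.vlan, b.interface) == (mac, vlan, interface)

    def check_ip_packet(self, interface, vlan, src_ip, src_mac):
        """IP source guard: IP packets on untrusted interfaces must match a binding."""
        return interface in self.trusted or self._matches_binding(interface, vlan, src_ip, src_mac)

    def check_arp_packet(self, interface, vlan, sender_ip, sender_mac):
        """DAI: the ARP sender fields are checked the same way, so ARP spoofing is dropped."""
        return interface in self.trusted or self._matches_binding(interface, vlan, sender_ip, sender_mac)


def demo():
    """Constructed scenario: one real lease, one bogus server, one spoofing host."""
    sw = AccessSwitch(trusted_interfaces=["GE0/0/24"])      # uplink toward the DHCP server
    good_mac, bad_mac = "02:00:00:00:00:01", "02:00:00:00:00:03"
    r = {}
    r["discover"] = sw.dhcp_snoop("GE0/0/1", 10, "DISCOVER", good_mac)
    r["bogus_offer"] = sw.dhcp_snoop("GE0/0/2", 10, "OFFER", good_mac, "10.1.1.200")
    r["real_ack"] = sw.dhcp_snoop("GE0/0/24", 10, "ACK", good_mac, "10.1.1.10")
    r["ip_legit"] = sw.check_ip_packet("GE0/0/1", 10, "10.1.1.10", good_mac)
    r["ip_spoof"] = sw.check_ip_packet("GE0/0/3", 10, "10.1.1.10", bad_mac)
    r["arp_legit"] = sw.check_arp_packet("GE0/0/1", 10, "10.1.1.10", good_mac)
    r["arp_spoof"] = sw.check_arp_packet("GE0/0/3", 10, "10.1.1.10", bad_mac)  # another host claims the bound IP
    r["bindings"] = len(sw.bindings)
    return r


if __name__ == "__main__":
    print(demo())
```

The binding records the interface on which the client's own request was received, not the uplink the ACK came in on; that is what lets IP source guard and DAI reject the same IP/MAC pair when it appears on a different port or VLAN.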
Wireless Access Layer
On a WLAN, service data is transmitted over radio signals. Such an open channel exposes service data to eavesdropping and tampering in transit, and exposes the network to rogue STAs, spoofing APs, and denial of service (DoS) attacks from malicious terminals. As shown in Figure 3-21, WLAN security design covers the following aspects:
- Air interface security: Identifies and defends against attacks such as rogue APs, rogue STAs, unauthorized ad-hoc networks, and DoS attacks.
- STA access security: Ensures the validity and security of STAs' access to the WLAN.
- Service security: Protects service data of authorized users from being intercepted by unauthorized users during transmission.
- Air Interface Security Design
To prevent intrusion by unauthorized devices and interference from other devices, enable the Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS) functions of the WLAN to detect and contain rogue devices.
Enable the WLAN spectrum analysis function to identify interference sources on the network, locate them, and eliminate interference on the network.
The spectrum analysis architecture is composed of the spectrum sampling engine, spectrum analyzer, and interference visualization module. The function of each component is as follows:
- Spectrum sampling engine: Collects spectrum information on the WLAN and forwards the information to the spectrum analyzer.
- Spectrum analyzer: Analyzes spectrum data, identifies the types of interference sources, and sends the report on interference devices to the interference visualization module.
- Interference visualization module: Displays interference source information in graphs, including real-time spectrum graphs.
Figure 3-22 Spectrum analysis system
To defend against attacks, you are advised to enable the attack detection function in public areas and student dormitories with high security requirements. It detects flood, weak initialization vector (weak IV), and spoofing attacks, automatically adds attackers to the dynamic blacklist, and sends alarms to notify the administrator.
- STA Access Security
Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy consists of a set of security mechanisms: link authentication used to establish a wireless link, user authentication used when users attempt to connect to a wireless network, and data encryption used during data transmission. The following table lists the WLAN security policies.
Table 3-22 Comparison of WLAN security policies
Security mechanism: Characteristics
WEP: WEP shared key authentication requires that the same static key be preconfigured on the server and client. Both the authentication mechanism and the encryption algorithm are vulnerable to security threats. Therefore, this authentication mode is not recommended.
WPA/WPA2: WPA and WPA2 provide almost the same security. WPA/WPA2 has two editions: enterprise edition and personal edition.
    WPA/WPA2-Enterprise requires an authentication server and is recommended for employee access on large- and medium-sized campus networks.
    WPA/WPA2-Personal does not require an authentication server and is recommended for guest access on large- and medium-sized campus networks. WPA/WPA2-PPSK (PPSK is short for Private PSK) enhances network security while retaining the convenience of a pre-shared key.
WAPI: WAPI is a WLAN security standard proposed in China and provides higher security than WEP and WPA.
STA access security design aims to properly plan STA access security policies and ensure both security and convenience. For example, in an enterprise, the WPA/WPA2 security policy is recommended.
In addition, if users do not need to communicate with each other, it is recommended that user isolation be configured.
- Service Security Design
The wired network between APs and WACs also faces the security threats common to IP networks, such as interception, tampering, and spoofing. To improve data transmission security, CAPWAP tunnels between the WAC and AP support DTLS encryption, including:
- DTLS encryption for management packets in CAPWAP tunnels
- DTLS encryption for service data packets in CAPWAP tunnels
- Sensitive information encryption: When sensitive information is transmitted between an AP and a WAC, the information can be encrypted to ensure security. Sensitive information includes the FTP user name, FTP password, AP login user name, AP login password, and service configuration key. The sensitive information encryption function can also be configured to protect data transmitted between WACs.
- Integrity check: When CAPWAP packets are transmitted between an AP and a WAC, these packets may be forged, tampered with, or used by attackers to construct malformed packets to launch attacks. Integrity check can protect CAPWAP packets between the AP and WAC.
If the AP and WAC are both located on the internal network, these security functions do not need to be enabled. It is recommended that they be enabled when the AP is connected to the WAC across the Internet or the WACs are located across the Internet from each other.
Aggregation Layer
Aggregation devices are responsible for Layer 2 forwarding of service traffic, for example, transparent transmission of VLAN packets or authentication packets. Typically, terminals are not directly connected to the aggregation layer, so only port isolation needs to be configured.
If terminals are connected to the aggregation layer, perform security design according to Access Layer.
If the aggregation device functions as the user gateway or authentication point, perform security design according to Core Layer.
Core Layer
Core devices are located at key positions of the network, and the security of the core devices is critical. When the core device functions as the centralized authentication point, the CPU performance must meet requirements of processing protocol packets when a large number of users access the network. When the core device functions as the gateway, ARP security must be considered.
To ensure that the CPU can process services in a timely manner, switches provide the local attack defense function. When a device is undergoing an attack, this function ensures uninterrupted service transmission and minimizes the impact on network services.
Local attack defense includes CPU attack defense, attack source tracing, port attack defense, and user-level rate limiting. These functions are enabled on the switch by default.
CPU attack defense
CPU attack defense can limit the rate of packets sent to the CPU so that only a limited number of packets are sent to the CPU within a certain period of time. This ensures that the CPU can properly process services.
The core of CPU attack defense is Control Plane Committed Access Rate (CPCAR). CPCAR limits the rate of protocol packets sent to the control plane to ensure security of the control plane.
Attack source tracing
Attack source tracing defends against denial of service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics about the packets, and specifies a threshold for the packets. Excess packets are considered to be attack packets. The device finds the source user address or source interface of the attack by analyzing the attack packets and generates logs or alarms. Accordingly, the network administrator can take measures to defend against the attacks or configure the device to discard packets from the attack source.
Port attack defense
Port attack defense is an anti-DoS-attack method. It defends against attacks based on ports and prevents protocol packets on ports from occupying bandwidth and causing other packets to be discarded.
By default, port attack defense is enabled on the device for common protocol packets, such as ARP, ICMP, DHCP, and IGMP packets. When an attack occurs, the device confines its impact to the interface that receives the attack packets, reducing the impact on other interfaces.
User-level rate limiting
User-level rate limiting identifies users based on MAC addresses, and rate-limits specified protocol packets, such as ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets. If a user undergoes a DoS attack, other users are not affected. The core of user-level rate limiting is host CAR. By default, user-level rate limiting is enabled.
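CPCAR, host CAR, attack source tracing, and the access-layer broadcast storm suppression described earlier are all variants of one mechanism: a rate limit with a burst allowance, plus a counter with a threshold. The following added example, written for this page and not vendor code, models them in Python with a token bucket. The protocol rates, burst sizes, threshold, MAC addresses, and interface name are constructed values; time is passed in explicitly so the run is deterministic.

```python
"""Control-plane protection modeled with a token bucket.

Hypothetical model written for this page, not a vendor implementation:
CPCAR caps each protocol's packets toward the CPU, host CAR caps each user
(keyed by source MAC) separately, attack source tracing counts packets per
source and raises an alarm at a threshold, and the same bucket models
broadcast storm suppression on an access interface.
Time is passed in explicitly so that every run is deterministic.
"""
from collections import defaultdict


class TokenBucket:
    """`rate` tokens per second refill, at most `burst` tokens stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlane:
    def __init__(self, cpcar, host_car, trace_threshold):
        # cpcar and host_car: {protocol: (rate_pps, burst)}; constructed values.
        self.cpcar = {p: TokenBucket(*spec) for p, spec in cpcar.items()}
        self.host_car_spec = host_car
        self.host_buckets = {}                 # (src_mac, protocol) -> bucket
        self.trace_threshold = trace_threshold
        self.trace_counts = defaultdict(int)   # (src_mac, 1 s window) -> packets
        self.alarms = []

    def punt(self, now, proto, src_mac):
        """Return what happens to one protocol packet headed for the CPU."""
        # Attack source tracing: count per source per one-second window and
        # alarm once when the count reaches the threshold.
        key = (src_mac, int(now))
        self.trace_counts[key] += 1
        if self.trace_counts[key] == self.trace_threshold:
            self.alarms.append(f"attack source {src_mac}: {proto} flood in window {int(now)}s")
        # Host CAR runs first, so a flooding user exhausts only its own bucket.
        if proto in self.host_car_spec:
            bucket = self.host_buckets.setdefault(
                (src_mac, proto), TokenBucket(*self.host_car_spec[proto]))
            if not bucket.allow(now):
                return "drop:host-car"
        # CPCAR: protocol-wide cap toward the control plane.
        bucket = self.cpcar.get(proto)
        if bucket is not None and not bucket.allow(now):
            return "drop:cpcar"
        return "cpu"


class StormControl:
    """Per-interface suppression of broadcast, multicast and unknown unicast."""

    def __init__(self, rate, burst):
        self.spec = (rate, burst)
        self.buckets = {}

    def forward(self, now, interface, frame_kind):
        if frame_kind not in ("broadcast", "multicast", "unknown-unicast"):
            return True                        # known unicast is never suppressed
        bucket = self.buckets.setdefault((interface, frame_kind), TokenBucket(*self.spec))
        return bucket.allow(now)


def demo():
    """Constructed scenario: one host floods the gateway while another behaves."""
    cp = ControlPlane(cpcar={"arp": (200, 50), "icmp": (100, 64)},
                      host_car={"arp": (10, 10)}, trace_threshold=100)
    flooder, user = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    arp = defaultdict(int)
    for _ in range(300):                       # 300 ARP packets in one burst at t=0
        arp[cp.punt(0.0, "arp", flooder)] += 1
    icmp = defaultdict(int)
    for _ in range(80):                        # no host CAR for ICMP here; CPCAR alone applies
        icmp[cp.punt(0.0, "icmp", flooder)] += 1
    legit = [cp.punt(0.5 + 0.1 * i, "arp", user) for i in range(5)]
    storm = StormControl(rate=100, burst=20)
    forwarded = sum(storm.forward(0.0, "GE0/0/1", "broadcast") for _ in range(50))
    return {"arp": dict(arp), "icmp": dict(icmp), "legit": legit,
            "alarms": cp.alarms, "broadcast_forwarded": forwarded,
            "broadcast_after_refill": storm.forward(1.0, "GE0/0/1", "broadcast")}


if __name__ == "__main__":
    print(demo())
```

Host CAR is evaluated before CPCAR on purpose: the flooding host uses up only its own per-MAC bucket, so the second host's ARP packets still reach the CPU, which is the isolation property the text describes. The alarm fires once per source and window, giving the administrator the source MAC to act on.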
When a switch functions as an access gateway, it receives a large number of ARP packets requesting the interface MAC address of the switch. If all these ARP Request packets are sent to the MPU for processing, the CPU usage of the MPU will increase and other services cannot be processed promptly.
The optimized ARP reply function addresses this issue. After this function is enabled, the LPU directly returns ARP Reply packets if the ARP Request packets are destined for the local interface. This function helps the switch defend against ARP flood attacks. This function is applicable to the scenario where a modular switch is configured with multiple LPUs or fixed switches constitute a stack.
By default, the optimized ARP reply function is enabled on a switch. Do not disable the function.