Module 13: Endpoint Security - Coggle Diagram
13.1 Endpoint Security Overview
LAN Elements Security
examples of attacks:
DoS attacks on an organization’s network to degrade or even halt public access to it
Breach of an organization’s Web server to deface their web presence
Breach of an organization’s data servers and hosts to steal confidential information
Various network security devices are required to protect the network perimeter from outside access
Specifically, there are two internal LAN elements to secure:
Endpoints
Network infrastructure
Traditional Endpoint Security
traditional host-based security measures
Antivirus/Antimalware Software
This is software installed on a host to detect and mitigate viruses and malware.
Host-based IPS
This is software that is installed on the local host to monitor and report on the system configuration and application activity, provide log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting.
Host-based firewall
This is software that is installed on a host that restricts incoming and outgoing connections to those initiated by that host only.
Security for Endpoints in the Borderless Network
Larger organizations now require protection before, during, and after an attack.
Organizations must also protect their endpoints from new threats and provide the protection
Network-Based Malware Protection
New security architectures for the borderless network address security challenges by having endpoints use network scanning elements.
Network-based malware prevention devices are also capable of sharing information among themselves to make better informed decisions.
The following are examples of devices and techniques that implement host protections at the network level.
Advanced Malware Protection (AMP)
Email Security Appliance (ESA)
Web Security Appliance (WSA)
Network Admission Control (NAC)
Hardware and Software Encryption of Local Data
Endpoints are also susceptible to data theft.
The solution is to locally encrypt the disk drive with a strong encryption algorithm such as 256-bit AES encryption.
The encryption protects the confidential data from unauthorized access. The encrypted disk volumes can only be mounted for normal read/write access with the authorized password.
Operating systems such as Mac OS X natively provide encryption options.
The Microsoft Windows 10 operating system also provides encryption natively. Individual files, folders, and drives can be configured to encrypt data.
Network Access Control
The purpose of network access control (NAC) is to allow only authorized and compliant systems, whether managed or unmanaged, to access the network.
NAC systems can have the following capabilities:
Profiling and visibility
Guest network access
Security posture checking
Incident response
NAC systems should extend NAC to all network access methods, including access through LANs, remote-access gateways, and wireless access points.
NAC Functions
The goal of NAC systems is to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network.
Network access devices can function as the enforcement layer
They force the clients to query a RADIUS server for authentication and authorization. The RADIUS server can query other devices, such as an antivirus server, and reply to the network enforcers.
Network Access Devices Enforce Security
13.2 802.1X Authentication
Security Using 802.1X Port-Based Authentication
The IEEE 802.1X standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports.
The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.
802.1X Topology
The 802.1X roles include:
Supplicant (Client)
Authenticator (Switch)
Authentication server
Until the workstation is authenticated, 802.1X access control enables only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
The switch port state determines whether the client is granted access to the network. When configured for 802.1X port-based authentication, the port starts in the unauthorized state.
While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol, STP, and CDP packets.
When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally. If the switch requests the client identity (authenticator initiation) and the client does not support 802.1X, the port remains in the unauthorized state, and the client is not granted access to the network.
802.1X Message Exchange
If the client is successfully authenticated (the switch receives an “accept” frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are enabled through the port.
If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a client logs out, it sends an EAPOL-logout message, causing the switch port to transition to the unauthorized state.
Control the 802.1X Authorization State
It may be necessary to configure a switch port to override the 802.1X authentication process.
To do this, use the authentication port-control interface configuration command to control the port authorization state.
The individual port on the authenticator switch is configured with this command, in this case, port F0/1 of S1. By default, a port is in the force-authorized state, meaning it can send and receive traffic without 802.1X authentication.
The auto keyword must be entered to enable 802.1X authentication. Therefore, to enable 802.1X on the port, use the authentication port-control auto interface configuration command.
13.2.3 802.1X Configuration
Configuring 802.1X requires a few basic steps:
Step 1. Enable AAA using the aaa new-model command.
Step 2. Designate the RADIUS server and configure its address and ports.
Step 3. Create an 802.1X port-based authentication method list using the aaa authentication dot1x command.
Step 4. Globally enable 802.1X port-based authentication using the dot1x system-auth-control command.
Step 5. Enable port-based authentication on the interface using the authentication port-control auto command.
Step 6. Enable 802.1X authentication on the interface using the dot1x pae command. The authenticator option sets the Port Access Entity (PAE) type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
An example configuration is shown below.
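The following is an added example that walks the six steps above as one Cisco IOS running-configuration fragment for S1; it is not the page's own example configuration. The switch name S1 and port F0/1 come from the page. The RADIUS server name RADIUS-SRV, its address 10.1.1.50, the UDP ports 1812/1813, the shared key placeholder, and the switchport mode access line are assumptions added for completeness.

```cisco
! Added example, not the page's own configuration.
! Assumed values: RADIUS-SRV, 10.1.1.50, ports 1812/1813, RADIUS-KEY-PLACEHOLDER.
!
! Step 1: enable AAA (required before any dot1x or authentication commands)
aaa new-model
!
! Step 2: designate the RADIUS server with its address, ports, and shared key
radius server RADIUS-SRV
 address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
!
! Step 3: 802.1X method list that sends authentication requests to the RADIUS group
aaa authentication dot1x default group radius
!
! Step 4: globally enable 802.1X port-based authentication
dot1x system-auth-control
!
! Steps 5 and 6: per-port settings on F0/1 of S1
interface FastEthernet0/1
 ! 802.1X is applied to an access port (assumed; not stated on the page)
 switchport mode access
 ! leave force-authorized and start in the unauthorized state until a client passes
 authentication port-control auto
 ! act only as authenticator; never answer supplicant-directed EAPOL frames
 dot1x pae authenticator
```

After applying this, show dot1x interface FastEthernet0/1 details and show authentication sessions interface FastEthernet0/1 on S1 show whether the port is still in the unauthorized state (no successful exchange yet) or has moved to authorized after the RADIUS server returned an accept. If the RADIUS server is unreachable, the retransmit behaviour described above applies and the port stays unauthorized, which is the fail-closed outcome to expect.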