Securing Network Access

Wednesday, March 18, 2015 @ 01:03 PM gHale


By Heather MacKenzie and Mark Cooksley
In an environment where folks are sometimes more comfortable programming PLCs than implementing cyber security measures, there are ways to do both by understanding the security functions built into network devices.

Yes, there are ways to control the types of messages any device or computer can send or receive on a network.

RELATED STORIES
Defense in Depth: Substation Communications
Defending ICS Against Dragonfly Attacks
Securing Industrial Wireless Applications
7 Questions for Industrial Wireless Security

In the category of “basic, but easily overlooked controls,” is the simple matter of turning off or disabling the unused ports on managed network devices. This prevents unauthorized users or devices from connecting to the network.

Let’s consider other means of network access. This is usually controlled using an authentication standard called 802.1x. The “x” refers to different sections of the standard.

There are numerous implementations of this standard, the most common of which is the RADIUS protocol.

802.1x defines these roles:
• Supplicant: The device that wants access to the network.
• Authenticator: A device on the network, such as a switch that allows or blocks messages from the supplicant. It uses information from the Authentication Server (such as a RADIUS server) to determine whether or not to accept transmissions from the supplicant. RADIUS allows access depending on the log-in credentials of a device or the device’s MAC address.

If log-in is not possible – such as the case with IO, a drive or other device that does not have a user interface device to enter log-in credentials – then the device’s MAC address is used. To facilitate ease of replacement, the first three bytes used to identify the manufacturer can be used. For example, all network devices sold by Schneider Electric have the same first three bytes in their MAC addresses.

If configured to allow traffic to and from MAC addresses that contain Schneider’s first three bytes, then you have a network access rule that permits all Schneider Electric devices. If a PLC fails, you can replace it with one from the same manufacturer and it will be allowed to transmit packets right away. All traffic from non-conforming devices will be blocked.

An additional means of deploying security in an existing network is to take advantage of port security, which allows a user to define the MAC or IP address of a device allowed to connect to a given port. The ability to allow access by common first three bytes or IP address range allows for easy device replacement and deployment. Any violation can lock down the port and trigger an alarm (relay output and/or SNMP trap).

DHCP-Based Network Attacks
DHCP servers distribute network configuration parameters, such as IP addresses, for interfaces and services. Here are some types of attacks that target DHCP communications:
• Adding another DHCP server to the network that distributes false IP addresses, “DHCP server spoofing”
• Requesting all available IP addresses, “DHCP Exhaustion Attack”
• Taking over the IP address of an existing device, “IP Address Hijacking”

Such attacks can be prevented by:
• Accepting only DHCP server packets from trusted ports
• Comparing the client hardware address in the DHCP tables with the source MAC address of the packet
• Comparing DHCP release communications from untrusted ports with settings in the “bindings table”

The bindings table correlates the IP and MAC addresses of devices. If someone is hijacking an IP address, the bindings table will show the MAC address of the hijacker is not what it is supposed to be.

Some network devices provide additional IP address spoofing through a capability called “IP Source Guard.” When an IP packet is received on an untrusted port, it is compared with the entries in the binding tables. If the source IP address is not located on the port, or optionally if the source MAC address is not located on the port, the packet is discarded.

Access Control Lists
Another way of regulating network access and traffic is to use the Access Control List (ACL) feature common in switches and routers. This feature filters IPv4 packets based on a number of parameters, such as source and destination IP address. ACLs can also filter Ethernet frames based on criteria, including the source and destination MAC address.

ACLs and firewalls can both filter on:
• Source and destination address
• Source and destination port
• Protocol

There is, however, a major difference between them – only firewalls can do Stateful Inspection. Stateful Inspection involves interpreting a communication using data from the previous information exchange. This includes things like which device started the session, which device last sent a message and was the last message rejected because of error.

While ACLs evaluate a packet based on its real-time evaluation of it, firewalls look at bigger picture information exchanges and then determine which communications are valid and which are not.

Even though ACLs provide a piece of the cyber security puzzle, they do not replace firewalls.
Heather MacKenzie is with Tofino Security, a Belden company. Mark Cooksley is a product manager with Hirschmann Automation and Control and an expert on industrial cyber security. Click here to view Heather’s blog.



Leave a Reply

You must be logged in to post a comment.