1
00:00:06,562 --> 00:00:10,870
- [Instructor] NAC or network access control is a technology

2
00:00:10,870 --> 00:00:13,940
that is specifically designed to interrogate endpoints

3
00:00:13,940 --> 00:00:18,070
before they join a wired or wireless network.

4
00:00:18,070 --> 00:00:20,400
And basically, it is typically used in conjunction

5
00:00:20,400 --> 00:00:23,740
with 802.1X, for identity management,

6
00:00:23,740 --> 00:00:25,890
and for enforcement.

7
00:00:25,890 --> 00:00:29,640
Now, in short, network access control is actually done

8
00:00:29,640 --> 00:00:34,620
within switches, or by wireless access points.

9
00:00:34,620 --> 00:00:37,820
And they can be configured to authenticate end users,

10
00:00:37,820 --> 00:00:41,010
and then perform other security posture assessments

11
00:00:41,010 --> 00:00:43,850
on the endpoint device to enforce that policy.

12
00:00:43,850 --> 00:00:46,120
So for example, it can check whether you actually

13
00:00:46,120 --> 00:00:49,320
have security software like antivirus, anti-malware,

14
00:00:49,320 --> 00:00:51,800
or a personal firewall before it allows

15
00:00:51,800 --> 00:00:53,200
you to join the network.

16
00:00:53,200 --> 00:00:56,960
It can also check to see if you have a specific version

17
00:00:56,960 --> 00:01:00,120
of an operating system or a specific patch,

18
00:01:00,120 --> 00:01:03,030
whether you have a patch, or have a patch

19
00:01:03,030 --> 00:01:05,233
for a specific vulnerability, and so on.

20
00:01:06,180 --> 00:01:09,780
Now, many NAC solutions actually use a client-based agent

21
00:01:09,780 --> 00:01:12,840
to perform endpoint security posture assessments,

22
00:01:12,840 --> 00:01:15,690
and actually to prevent an endpoint from joining

23
00:01:15,690 --> 00:01:19,100
the network until it is actually evaluated.

24
00:01:19,100 --> 00:01:23,700
Also, some switches can be configured to send an SNMP trap

25
00:01:23,700 --> 00:01:27,440
when a new MAC address is actually registered with a certain

26
00:01:27,440 --> 00:01:31,690
switch port and to trigger the NAC process.

27
00:01:31,690 --> 00:01:36,610
Now NAC implementations can allow you to configure specific

28
00:01:36,610 --> 00:01:39,300
nodes like printers, IP phones and video

29
00:01:39,300 --> 00:01:43,310
conferencing equipment, to join the network by using

30
00:01:43,310 --> 00:01:46,660
a whitelist of MAC addresses corresponding

31
00:01:46,660 --> 00:01:48,120
to those devices.

32
00:01:48,120 --> 00:01:51,400
That process is known as MAC Auth

33
00:01:51,400 --> 00:01:54,603
or MAC authentication bypass.

34
00:01:55,470 --> 00:01:57,780
Now a network administrator can actually pre-configure

35
00:01:57,780 --> 00:02:01,160
or manually change these access levels.

36
00:02:01,160 --> 00:02:04,550
For example, device access in a specific VLAN,

37
00:02:04,550 --> 00:02:08,670
let's say VLAN 10, must be manually predefined

38
00:02:08,670 --> 00:02:11,510
for a specific port by an administrator.

39
00:02:11,510 --> 00:02:15,120
And this actually makes this a little bit more complex,

40
00:02:15,120 --> 00:02:16,810
because deploying a dynamic

41
00:02:16,810 --> 00:02:20,890
network policy across multiple ports using port security

42
00:02:20,890 --> 00:02:22,893
is extremely difficult to maintain.

43
00:02:23,770 --> 00:02:26,880
Now an attacker can easily spoof

44
00:02:26,880 --> 00:02:29,520
an authorized MAC address, let's say a MAC address

45
00:02:29,520 --> 00:02:34,410
of an IP phone, of a switch, or a printer, and potentially

46
00:02:34,410 --> 00:02:39,410
bypass any NAC or network access control policies

47
00:02:39,720 --> 00:02:41,693
that may be on that switch port.

48
00:02:42,690 --> 00:02:46,070
And this is because a port for which MAC Auth bypass is

49
00:02:46,070 --> 00:02:49,670
actually enabled can be dynamically enabled or disabled based

50
00:02:49,670 --> 00:02:51,660
on the MAC address of the device

51
00:02:51,660 --> 00:02:53,830
it is actually connecting to.

52
00:02:53,830 --> 00:02:56,340
Another thing that I want to actually share with you

53
00:02:56,340 --> 00:03:00,980
is how to perform, or what are, VLAN hopping attacks, right?

54
00:03:00,980 --> 00:03:02,980
And what is actually VLAN hopping?

55
00:03:02,980 --> 00:03:05,320
Now, if you're not familiar with VLANs,

56
00:03:05,320 --> 00:03:08,290
basically VLAN stands for virtual LAN.

57
00:03:08,290 --> 00:03:11,570
And it's another name for a layer two broadcast domain.

58
00:03:11,570 --> 00:03:14,780
Now a VLAN is actually controlled by a switch.

59
00:03:14,780 --> 00:03:19,050
The switch also controls which ports are associated

60
00:03:19,050 --> 00:03:22,090
with which of the configured VLANs.

61
00:03:22,090 --> 00:03:27,090
Now in this example, if the switches are in their default

62
00:03:27,130 --> 00:03:29,700
configuration, all ports, by default,

63
00:03:29,700 --> 00:03:33,010
are assigned to VLAN 1, which actually means

64
00:03:33,010 --> 00:03:36,860
that all the devices, including the two users

65
00:03:36,860 --> 00:03:41,120
and the router that is actually connected to the switch,

66
00:03:41,120 --> 00:03:46,120
are in the same broadcast domain, or the same VLAN.

67
00:03:46,400 --> 00:03:48,840
Now, as you start adding hundreds of users,

68
00:03:48,840 --> 00:03:53,400
you may actually want to separate those groups of users

69
00:03:53,400 --> 00:03:56,930
into individual subnets and associate

70
00:03:56,930 --> 00:04:01,000
individual VLANs to those entities.

71
00:04:01,000 --> 00:04:03,750
Now to do this, you actually assign the switch port

72
00:04:03,750 --> 00:04:06,540
to the VLAN, and then any device that actually connects

73
00:04:06,540 --> 00:04:11,360
to that specific port is a member of that VLAN.

74
00:04:11,360 --> 00:04:14,550
Now, hopefully, all the devices that are actually connected

75
00:04:14,550 --> 00:04:18,870
to switch ports assigned to a given VLAN

76
00:04:18,870 --> 00:04:22,400
also have a common IP network address configured,

77
00:04:22,400 --> 00:04:24,320
so that they can actually communicate with each other

78
00:04:24,320 --> 00:04:26,580
in the same VLAN.

79
00:04:26,580 --> 00:04:30,860
Now often Dynamic Host Configuration Protocol,

80
00:04:30,860 --> 00:04:33,980
or DHCP, is used to assign IP addresses

81
00:04:33,980 --> 00:04:37,650
from a common subnet range to the devices

82
00:04:37,650 --> 00:04:39,240
in a specific VLAN, right?

83
00:04:39,240 --> 00:04:42,860
So that provisioning is a little bit easier

84
00:04:42,860 --> 00:04:45,190
in many implementations.

85
00:04:45,190 --> 00:04:47,730
Now one problem is actually, whenever you have two users

86
00:04:47,730 --> 00:04:51,570
in the same VLAN, but not on the same physical switch,

87
00:04:51,570 --> 00:04:55,360
how will switch one actually tell switch two

88
00:04:55,360 --> 00:04:57,110
that a broadcast or a unicast

89
00:04:57,110 --> 00:04:58,860
frame is actually supposed

90
00:04:58,860 --> 00:05:01,890
to be, let's say, for VLAN 10?

91
00:05:01,890 --> 00:05:05,090
Now the solution is pretty simple for connections between

92
00:05:05,090 --> 00:05:09,390
two switches that contain ports in VLANs that basically

93
00:05:09,390 --> 00:05:12,870
exist on both switches: you configure specific

94
00:05:12,870 --> 00:05:16,570
trunk ports instead of configuring access ports.

95
00:05:16,570 --> 00:05:21,570
So again, trunking is a methodology that allows you to share

96
00:05:23,130 --> 00:05:27,620
the VLAN information between multiple switches.

97
00:05:27,620 --> 00:05:31,070
Now, if the two switch ports are configured as trunks,

98
00:05:31,070 --> 00:05:34,900
they include additional information, which actually is often

99
00:05:34,900 --> 00:05:36,840
referred to as a tag.

100
00:05:36,840 --> 00:05:40,440
And that tag identifies which VLAN

101
00:05:40,440 --> 00:05:43,350
each frame will belong to.

102
00:05:43,350 --> 00:05:45,600
Now, there's a standard protocol

103
00:05:45,600 --> 00:05:48,270
for doing this type of tagging.

104
00:05:48,270 --> 00:05:52,410
And that protocol is called the 802.1Q protocol.

105
00:05:52,410 --> 00:05:57,410
The most critical piece of information, for this example,

106
00:05:57,680 --> 00:06:00,193
in this tag is the VLAN ID.

107
00:06:01,610 --> 00:06:04,400
Now host A and host B communicate with each other.

108
00:06:04,400 --> 00:06:06,780
And they can communicate with other devices

109
00:06:06,780 --> 00:06:08,160
in the same VLAN,

110
00:06:08,160 --> 00:06:11,850
which is also the same IP subnet.

111
00:06:11,850 --> 00:06:15,160
But they cannot communicate with devices outside

112
00:06:15,160 --> 00:06:20,160
their local VLAN without the assistance of a gateway,

113
00:06:20,660 --> 00:06:22,640
right, or a router.

114
00:06:22,640 --> 00:06:26,390
Now a router can actually be implemented with two physical

115
00:06:26,390 --> 00:06:30,110
interfaces, one connecting to an access port on the switch

116
00:06:30,110 --> 00:06:32,410
that has actually been assigned to VLAN 10,

117
00:06:32,410 --> 00:06:37,100
and another one connected to a different access port

118
00:06:37,100 --> 00:06:39,970
that has been configured for a different VLAN.

119
00:06:39,970 --> 00:06:43,370
And then basically, it can route packets between those two

120
00:06:44,340 --> 00:06:47,120
distinct broadcast domains,

121
00:06:47,120 --> 00:06:48,763
or VLANs in this example.

122
00:06:49,730 --> 00:06:52,960
Now with two physical interfaces, and a different IP address

123
00:06:52,960 --> 00:06:55,920
on each of those interfaces,

124
00:06:55,920 --> 00:06:58,400
the router can then perform that routing

125
00:06:58,400 --> 00:07:00,440
between those two VLANs.

126
00:07:00,440 --> 00:07:03,260
Now that you're familiar with VLANs and their purpose,

127
00:07:03,260 --> 00:07:05,600
let's actually go over what is actually

128
00:07:05,600 --> 00:07:06,930
VLAN hopping, right?

129
00:07:06,930 --> 00:07:10,020
VLAN hopping is a method of gaining access

130
00:07:10,020 --> 00:07:15,020
to traffic on other VLANs that you would not typically

131
00:07:15,020 --> 00:07:16,800
have access to.

132
00:07:16,800 --> 00:07:21,800
Now there are two primary methods to do VLAN hopping.

133
00:07:21,930 --> 00:07:25,930
One is actually by doing switch spoofing, and the other one

134
00:07:25,930 --> 00:07:29,003
is a methodology called double tagging.

135
00:07:30,120 --> 00:07:32,940
Now, whenever you perform a switch spoofing attack,

136
00:07:32,940 --> 00:07:36,640
you imitate the trunking switch by sending the respective

137
00:07:36,640 --> 00:07:41,180
VLAN tag and the specific trunking protocol.

138
00:07:41,180 --> 00:07:44,670
Now, several best practices actually can help mitigate

139
00:07:44,670 --> 00:07:47,570
this VLAN hopping and other layer two attacks.

140
00:07:47,570 --> 00:07:50,670
And these are a few examples of those types

141
00:07:50,670 --> 00:07:51,930
of mitigations, right?

142
00:07:51,930 --> 00:07:54,690
The first one is actually to select an unused VLAN

143
00:07:54,690 --> 00:07:57,860
other than VLAN 1, so don't leave your switch

144
00:07:57,860 --> 00:08:01,330
just running VLAN 1, and use it as the native VLAN

145
00:08:01,330 --> 00:08:04,410
for all your trunks. So let's say you select VLAN 10,

146
00:08:04,410 --> 00:08:07,400
then use that as the VLAN that is native,

147
00:08:07,400 --> 00:08:09,890
or the native VLAN, for all your trunks.

148
00:08:09,890 --> 00:08:11,830
Do not use this native VLAN

149
00:08:11,830 --> 00:08:16,080
for any of your enabled access ports.

150
00:08:16,080 --> 00:08:20,290
Now also configure switch ports as access ports

151
00:08:20,290 --> 00:08:23,270
so that users cannot negotiate a trunk.

152
00:08:23,270 --> 00:08:25,983
Also disable the negotiation of trunking.

153
00:08:26,850 --> 00:08:28,570
That means that you don't allow

154
00:08:28,570 --> 00:08:31,070
the Dynamic Trunking Protocol, or DTP.

155
00:08:31,070 --> 00:08:33,140
You can also limit the number of MAC addresses

156
00:08:33,140 --> 00:08:37,110
that are learned on a given port with port security,

157
00:08:37,110 --> 00:08:39,280
or the port security feature.

158
00:08:39,280 --> 00:08:42,490
You can also control spanning tree to stop users

159
00:08:42,490 --> 00:08:47,490
or rogue devices or unknown devices from manipulating it.

160
00:08:48,180 --> 00:08:51,820
You can also do this by using the BPDU Guard

161
00:08:51,820 --> 00:08:55,520
and Root Guard features in many different switches,

162
00:08:55,520 --> 00:08:57,970
including Cisco switches as well.

163
00:08:57,970 --> 00:08:59,570
Now another best practice is actually

164
00:08:59,570 --> 00:09:02,600
that whenever you get a new switch,

165
00:09:02,600 --> 00:09:06,560
you should shut down all ports and assign them to a VLAN

166
00:09:06,560 --> 00:09:08,990
that is actually not used for anything else.

167
00:09:08,990 --> 00:09:11,870
And that's what we actually call VLAN parking

168
00:09:11,870 --> 00:09:13,630
or a parking lot, right?

169
00:09:13,630 --> 00:09:16,450
And then you actually bring those ports up

170
00:09:16,450 --> 00:09:21,450
whenever you have a legitimate device actually connected

171
00:09:21,790 --> 00:09:25,390
to it, and then assign those to the correct VLAN

172
00:09:25,390 --> 00:09:27,870
as the ports are actually allocated.

173
00:09:27,870 --> 00:09:29,660
Now, in many different complex environments,

174
00:09:29,660 --> 00:09:31,640
I know that this is actually easier said than done,

175
00:09:31,640 --> 00:09:35,870
just because of the dynamic nature of devices

176
00:09:35,870 --> 00:09:38,090
and many things actually being connected

177
00:09:38,090 --> 00:09:40,120
now into corporate environments.

178
00:09:40,120 --> 00:09:43,920
So a lot of people actually are using mostly wireless

179
00:09:43,920 --> 00:09:46,550
communication for their users

180
00:09:46,550 --> 00:09:48,120
and the user population, right?

181
00:09:48,120 --> 00:09:51,130
But whenever you actually have things like a call center,

182
00:09:51,130 --> 00:09:54,460
where you have static workstations

183
00:09:54,460 --> 00:09:58,280
that actually don't move out of that call center,

184
00:09:58,280 --> 00:10:00,740
that's actually somewhere that you can use

185
00:10:00,740 --> 00:10:01,900
some of these best practices,

186
00:10:01,900 --> 00:10:05,703
so you protect against VLAN hopping attacks.