Module 13 Endpoint Security


Endpoint Security

Endpoint Security Overview


13.1.1 LAN Elements Security

News media commonly cover external network attacks on enterprise networks. These are some
examples of such attacks:

• DoS attacks on an organization’s network to degrade or even halt public access to it

• Breach of an organization’s Web server to deface their web presence

• Breach of an organization’s data servers and hosts to steal confidential information

Various network security devices are required to protect the network perimeter from outside access.
As shown in the figure, these devices could include a hardened ISR that is providing VPN services, an
ASA firewall appliance, an IPS, and an AAA server.

The figure shows a topology with security devices securing the perimeter of the network.

Many attacks can, and do, originate from inside the network. Therefore, securing an internal LAN is
just as important as securing the outside network perimeter. Without a secure LAN, users within an
organization are still susceptible to network threats and outages that can directly affect an
organization’s productivity and profit margin. After an internal host is infiltrated, it can become a
starting point for an attacker to gain access to critical system devices, such as servers and the
sensitive information they contain.

Specifically, there are two internal LAN elements to secure:

• Endpoints - Hosts commonly consist of laptops, desktops, servers, and IP phones which are
susceptible to malware-related attacks. Endpoints also include video cameras, point-of-sale
devices, and devices on the Internet of Things.

• Network infrastructure - LAN infrastructure devices interconnect endpoints and typically
include switches, wireless devices, and IP telephony devices. Most of these devices are
susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing
attacks, DHCP related attacks, LAN storm attacks, STP manipulation attacks, and VLAN
attacks.

This module focuses on securing endpoints.

13.1.2 Traditional Endpoint Security

Historically, employee endpoints were company-issued computers which resided within a clearly
defined LAN perimeter. These hosts were protected by firewalls and IPS devices which worked well
with hosts that were connected to the LAN and behind the firewall.

The endpoints also used traditional host-based security measures:

• Antivirus/Antimalware Software - This is software installed on a host to detect and mitigate
viruses and malware. Companies that provide antivirus software include Norton, TotalAV,
McAfee, Malwarebytes and many others.

• Host-based IPS - This is software that is installed on the local host to monitor and report on
the system configuration and application activity, provide log analysis, event correlation,
integrity checking, policy enforcement, rootkit detection, and alerting. Examples include
Snort IPS, OSSEC, and Malware Defender, among others.

• Host-based firewall - This is software that is installed on a host that restricts incoming and
outgoing connections to those initiated by that host only. Some firewall software can also
prevent a host from becoming infected and stop infected hosts from spreading malware to
other hosts. Host-based firewalls are included in some operating systems such as Windows, or
produced by companies such as NetDefender, ZoneAlarm, Comodo Firewall, and many others.

13.1.3 The Borderless Network

The network has evolved to include traditional endpoints and new, lightweight, portable,
consumerized endpoints such as smartphones, tablets, wearables, and others. The new bring-your-
own-device (BYOD) needs of workers require a different way of approaching endpoint security. These
new endpoints have blurred the network border because access to network resources can be
initiated by users from many locations using various connectivity methods at any time.

There are some problems with the traditional method of securing endpoints. In many networks, the
network-based devices are disparate and typically do not share information among themselves.
Additionally, new endpoint devices are not good candidates for the traditional host-based endpoint
security solutions because of the variety of devices and the variety of operating systems available on
those devices.

The challenge is allowing these heterogeneous devices to connect to enterprise resources securely.

13.1.4 Security for Endpoints in the Borderless Network

Larger organizations now require protection before, during, and after an attack. IT administrators
must be able to answer the following questions:

• Where did the attack come from?

• What was the exploit method and point of entry?

• What systems were affected?

• What did the exploit do?

• How do we recover from the exploit?

• How can we mitigate the vulnerability and root cause?

Organizations must also protect their endpoints from new threats and provide the protection
measures that are outlined in the table below.

Measure                     Purpose

antimalware software        Protect endpoints from malware.

spam filtering              Prevent spam emails from reaching endpoints.

blocklisting                Prevent endpoints from connecting to websites with bad reputations by
                            immediately blocking connections based on the latest reputation intelligence.

data loss prevention (DLP)  Prevent sensitive information from being lost or stolen.

13.1.5 Network-Based Malware Protection

New security architectures for the borderless network address security challenges by having
endpoints use network scanning elements. These devices provide many more layers of scanning than
a single endpoint possibly could. Network-based malware prevention devices are also capable of
sharing information among themselves to make better informed decisions.

Protecting endpoints in a borderless network can be accomplished using network-based, as well as
host-based techniques, as shown in the figure.

The figure shows generic icons for the following sections: next generation firewalls, intrusion
prevention systems, network access control, gateway security, and endpoint security.

The following are examples of devices and techniques that implement host protections at the
network level.

• Advanced Malware Protection (AMP) – This provides endpoint protection from viruses and
malware.

• Email Security Appliance (ESA) – This provides filtering of SPAM and potentially malicious
emails before they reach the endpoint. An example is the Cisco ESA.

• Web Security Appliance (WSA) – This provides filtering and blocking of websites to prevent
hosts from reaching dangerous locations on the web. The Cisco WSA provides control over
how users access the internet and can enforce acceptable use policies, control access to
specific sites and services, and scan for malware.

• Network Admission Control (NAC) – This permits only authorized and compliant systems to
connect to the network.

These technologies work in concert with each other to give more protection than host-based suites
can provide, as shown in the figure.

13.1.6 Hardware and Software Encryption of Local Data

Endpoints are also susceptible to data theft. For instance, if a corporate laptop is lost or stolen, a
thief could scour the hard drive for sensitive information, contact information, personal information,
and more.

The solution is to locally encrypt the disk drive with a strong encryption algorithm such as 256-bit
AES encryption. The encryption protects the confidential data from unauthorized access. The
encrypted disk volumes can only be mounted for normal read/write access with the authorized
password.

Operating systems such as Mac OS X natively provide encryption options. The Microsoft Windows 10
operating system also provides encryption natively. Individual files, folders, and drives can be
configured to encrypt data. In Windows, BitLocker provides drive encryption, as shown in the figure.
Files can also be encrypted, but because applications can create unencrypted backup files, the entire
folder that the file is stored in should be encrypted.

13.1.7 Network Access Control

The purpose of network access control (NAC) is to allow only authorized and compliant systems,
whether managed or unmanaged, to access the network. It unifies endpoint security technologies
with user or device authentication and network security policy enforcement. A NAC system can deny
network access to noncompliant devices, place them in a quarantined area, or give them only
restricted access to computing resources, thus keeping insecure nodes from infecting the network.
NAC systems can have the following capabilities:

• Profiling and visibility - This recognizes and profiles users and their devices before malicious
code can cause damage.

• Guest network access - This manages guests through a customizable, self-service portal that
includes guest registration, guest authentication, guest sponsoring, and a guest management
portal.

• Security posture checking - This evaluates security-policy compliance by user type, device
type, and operating system.

• Incident response - This mitigates network threats by enforcing security policies that block,
isolate, and repair noncompliant machines without administrator attention.

NAC systems should extend NAC to all network access methods, including access through LANs,
remote-access gateways, and wireless access points.

The Cisco Identity Services Engine (ISE) combines AAA and network device profiling into a single
system.

13.1.8 NAC Functions

The goal of NAC systems is to ensure that only hosts that are authenticated and have had their
security posture examined and approved are permitted onto the network. For example, company
laptops used offsite for a period of time might not have received current security updates or could
have become infected from other systems. Those systems cannot connect to the network until they
are examined, updated, and approved.

Network access devices can function as the enforcement layer, as shown in the figure. They force the
clients to query a RADIUS server for authentication and authorization. The RADIUS server can query
other devices, such as an antivirus server, and reply to the network enforcers.

The figure shows network access devices enforcing security by requiring users to query a RADIUS
server for authentication and authorization.

Network Access Devices Enforce Security

802.1X Authentication

13.2.1 Security Using 802.1X Port-Based Authentication

The IEEE 802.1X standard defines a port-based access control and authentication protocol that
restricts unauthorized workstations from connecting to a LAN through publicly accessible switch
ports. The authentication server authenticates each workstation that is connected to a switch port
before making available any services offered by the switch or the LAN.

The figure shows that with 802.1X port-based authentication, the devices in the network have
specific roles.

The figure is a topology diagram showing 802.1X roles. There is a switch labeled authenticator
connected to a server labeled authentication server (RADIUS). The switch is also connected to two
individual computers labeled supplicant. Text under the switch says "controls physical access to the
network based on client authentication status". Text under the server says "performs client
authentication". Text under the supplicant computer states "requires access and responds to requests
from the switch".

802.1X Topology

The 802.1X roles include:

• Supplicant (Client) - The device (workstation) that requests access to LAN and switch
services and then responds to requests from the switch. The workstation must be running
802.1X-compliant client software. (The port that the client is attached to is the
supplicant [client] in the IEEE 802.1X specification.)

• Authenticator (Switch) - This device controls physical access to the network based on the
authentication status of the client. The switch acts as an intermediary (proxy) between the
client (supplicant) and the authentication server, requesting identifying information from the
client, verifying that information with the authentication server, and relaying a response to
the client. The switch uses a RADIUS software agent, which is responsible for encapsulating
and de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting
with the authentication server.

• Authentication server - This server performs the actual authentication of the client. The
authentication server validates the identity of the client and notifies the switch whether the
client is authorized to access the LAN and switch services. Because the switch acts as the
proxy, the authentication service is transparent to the client. The RADIUS security system
with EAP extensions is the only supported authentication server.

Until the workstation is authenticated, 802.1X access control enables only Extensible Authentication
Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic
through the port to which the workstation is connected. After authentication succeeds, normal traffic
can pass through the port.

The switch port state determines whether the client is granted access to the network. When
configured for 802.1X port-based authentication, the port starts in the unauthorized state. While in
this state, the port disallows all ingress and egress traffic except for 802.1X protocol, STP, and CDP
packets. When a client is successfully authenticated, the port transitions to the authorized state,
allowing all traffic for the client to flow normally. If the switch requests the client identity
(authenticator initiation) and the client does not support 802.1X, the port remains in the
unauthorized state, and the client is not granted access to the network.

In contrast, when an 802.1X-enabled client connects to a port and the client initiates the
authentication process (supplicant initiation) by sending the EAPOL-start frame to a switch that is not
running the 802.1X protocol, no response is received, and the client begins sending frames as if the
port is in the authorized state.

The figure shows the complete message exchange between the supplicant, authenticator, and the
authentication server. The encapsulation occurs as follows:

• Between the supplicant and the authenticator - EAP data is encapsulated in EAPOL frames.

• Between the authenticator and the authentication server - EAP data is encapsulated using
RADIUS.

The figure shows the 802.1X message exchange process.

802.1X Message Exchange

If the client is successfully authenticated (the switch receives an “accept” frame from the
authentication server), the port state changes to authorized, and all frames from the authenticated
client are enabled through the port.

If the authentication fails, the port remains in the unauthorized state, but authentication can be
retried. If the authentication server cannot be reached, the switch can retransmit the request. If no
response is received from the server after the specified number of attempts, authentication fails, and
network access is not granted.

When a client logs out, it sends an EAPOL-logoff message, causing the switch port to transition to
the unauthorized state.

13.2.2 Control the 802.1X Authorization State

It may be necessary to configure a switch port to override the 802.1X authentication process. To do
this, use the authentication port-control interface configuration command to control the port
authorization state. The parameters for this command are shown below. The individual port on the
authenticator switch is configured with this command, in this case, port F0/1 of S1. By default, a port
is in the force-authorized state meaning it can send and receive traffic without 802.1X
authentication.

The figure is a topology diagram showing the authenticator switch between the authentication
server and the supplicant.

Parameter            Description

auto                 Enables 802.1X port-based authentication and causes the port to begin in the
                     unauthorized state. During this time, EAPOL, STP, and CDP frames are the only
                     type of frames that can be sent or received through the port until the client
                     device has been authenticated.

force-authorized     The port sends and receives normal traffic without 802.1X-based authentication
                     of the client. This is the default setting.

force-unauthorized   Causes the port to remain in the unauthorized state, ignoring all attempts by
                     the client to authenticate. The switch cannot provide authentication services
                     to the client through the port.

The auto keyword must be entered to enable 802.1X authentication. Therefore, to enable 802.1X on
the port, use the authentication port-control auto interface configuration command.

If the client is successfully authenticated (receives an Accept frame from the authentication server),
the port state changes to authorized, and all frames from the authenticated client are allowed
through the port. If the authentication fails, the port remains in the unauthorized state, but
authentication can be retried. If the authentication server cannot be reached, the switch can resend
the request. If no response is received from the server after the specified number of attempts,
authentication fails, and network access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the
unauthorized state.

If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
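As an added illustration (not code from the module), the following Python models the authenticator port behaviour described in 13.2.1 and 13.2.2: it parses constructed EAPOL frames and tracks the authorized/unauthorized state for the auto, force-authorized and force-unauthorized settings, including EAPOL-Logoff, link down and the retransmit budget when the RADIUS server does not answer. The frame bytes, the supplicant MAC, the attempt count and the action strings are assumptions made for the demonstration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1                  # EAP code / type values
ALWAYS_ALLOWED = {"EAPOL", "STP", "CDP"}  # passes even while unauthorized


def build_eapol(pkt_type, eap=b""):
    """Constructed Ethernet+EAPOL frame (sample input, not a real capture)."""
    eth = bytes.fromhex("0180c2000003"        # 802.1X PAE group address
                        "0a1b2c3d4e5f")       # made-up supplicant MAC
    return eth + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, pkt_type, len(eap)) + eap


def parse_eapol(frame):
    """Return (eapol_type, eap_code or None) from a raw Ethernet frame."""
    ethertype, _version, pkt_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + length]
    if pkt_type == EAPOL_EAP_PACKET and len(body) >= 4:
        return pkt_type, body[0]              # first EAP octet is the code
    return pkt_type, None


class Dot1xPort:
    """Authenticator port driven by the 'authentication port-control' keyword."""

    def __init__(self, control="force-authorized", max_attempts=3):
        if control not in ("auto", "force-authorized", "force-unauthorized"):
            raise ValueError(control)
        self.control, self.max_attempts, self.attempts = control, max_attempts, 0
        # Only a force-authorized port starts open; auto starts unauthorized.
        self.authorized = control == "force-authorized"

    def permits(self, kind):
        # Ingress/egress filter: data passes only once the port is authorized.
        return self.authorized or kind in ALWAYS_ALLOWED

    def on_supplicant_frame(self, frame):
        """React to an EAPOL frame from the client; returns the action taken."""
        pkt_type, eap_code = parse_eapol(frame)
        if self.control != "auto":
            return "ignored"                  # forced ports skip the exchange
        if pkt_type == EAPOL_START:
            return "send EAP-Request/Identity"
        if pkt_type == EAPOL_LOGOFF:
            self.authorized = False
            return "unauthorized"
        if eap_code == EAP_RESPONSE:
            self.attempts = 0
            return "relay to RADIUS"
        return "ignored"

    def on_server_result(self, accept):
        # RADIUS Accept/Reject, relayed to the client as EAP Success/Failure.
        if self.control != "auto":
            return "ignored"
        self.authorized = bool(accept)
        return "authorized" if accept else "unauthorized (retry allowed)"

    def on_server_timeout(self):
        """No server reply: retransmit until the attempt budget is used up."""
        self.attempts += 1
        if self.attempts < self.max_attempts:
            return "retransmit"
        self.authorized = False
        return "authentication failed"

    def link_down(self):
        if self.control == "auto":            # link up->down clears authorization
            self.authorized = False
```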

13.2.3 802.1X Configuration

This scenario is implemented on the same topology as above. A PC is attached to F0/1 on the switch and
the device will be authenticated via 802.1X with a RADIUS server. Unlike in previous AAA scenarios
in which administrators were authenticated to the router configuration lines, in this scenario, an
endpoint is authenticated before access is granted to the network.

Configuring 802.1X requires a few basic steps:

Step 1. Enable AAA using the aaa new-model command.

Step 2. Designate the RADIUS server and configure its address and ports.

Step 3. Create an 802.1X port-based authentication method list using the aaa authentication
dot1x command.

Step 4. Globally enable 802.1X port-based authentication using the dot1x system-auth-control
command.

Step 5. Enable port-based authentication on the interface using the authentication port-control
auto command.

Step 6. Enable 802.1X authentication on the interface using the dot1x pae command.
The authenticator option sets the Port Access Entity (PAE) type so the interface acts only as an
authenticator and will not respond to any messages meant for a supplicant.

An example configuration is shown below.

Configure a RADIUS server on S1 using the following instructions:

• Enable AAA.

• Enter RADIUS server configuration mode and name the configuration NETSEC.

• Configure the RADIUS server address to 10.1.1.50 with the authentication port of 1812 and
the accounting port of 1813.

• Configure the shared secret key RADIUS-Pa55w0rd.

• Exit RADIUS configuration mode.

S1(config)#aaa new-model
S1(config)#radius server NETSEC
S1(config-radius-server)#address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
S1(config-radius-server)#key RADIUS-Pa55w0rd
S1(config-radius-server)#exit

Complete the following steps to configure 802.1X port-based authentication:

• Specify an 802.1X port-based default authentication method list with the primary option
RADIUS.

• Globally enable 802.1X port-based authentication.

S1(config)#aaa authentication dot1x default group radius
S1(config)#dot1x system-auth-control

Complete the following steps to enable 802.1X authentication on the interface:

• Enter interface configuration mode for F0/1.

• Configure the interface as an access switchport.

• Enable port-based authentication on the interface with the auto parameter.

• Enable 802.1X authentication with the Port Access Entity (PAE) type so the interface acts only
as an authenticator.

• Use the end command to exit from configuration mode.

S1(config)#interface F0/1
S1(config-if)#switchport mode access
S1(config-if)#authentication port-control auto
S1(config-if)#dot1x pae authenticator
S1(config-if)#end
*Mar 3 18:22:23.443: %SYS-5-CONFIG_I: Configured from console by console

You successfully configured 802.1X port-based authentication on a 2960 switch.
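The following Python checker is an added example, not part of the module, that audits a constructed running-config excerpt for the six configuration steps above and flags a port that was left at the default force-authorized setting, which is the misconfiguration a defender most wants to catch after this procedure. The sample config text, the interface names and the finding messages are assumptions.

```python
import re

# Constructed running-config excerpt modelled on the page's S1 commands; the
# second interface deliberately omits "authentication port-control auto".
SAMPLE_CONFIG = """\
aaa new-model
radius server NETSEC
 address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
 key RADIUS-Pa55w0rd
!
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
!
"""

REQUIRED_GLOBAL = [
    ("aaa new-model", "AAA is not enabled (aaa new-model missing)"),
    ("aaa authentication dot1x default group radius", "no 802.1X method list using RADIUS"),
    ("dot1x system-auth-control", "802.1X is not globally enabled"),
]
REQUIRED_INTERFACE = [
    ("switchport mode access", "port is not a static access port"),
    ("dot1x pae authenticator", "PAE type is not authenticator"),
]


def interface_stanza(config, name):
    """Return the indented lines under 'interface <name>', or None if absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == f"interface {name}".lower():
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break                     # '!' or next top-level command
                body.append(sub.strip())
            return body
    return None


def check_dot1x(config, interface):
    """Return findings for one port; an empty list means the recipe is complete."""
    findings = []
    all_lines = {line.strip() for line in config.splitlines()}
    for cmd, msg in REQUIRED_GLOBAL:
        if cmd not in all_lines:
            findings.append(msg)
    # The radius server block must carry both an address and a shared secret.
    for sub, msg in (("address ipv4", "RADIUS server has no address"),
                     ("key", "RADIUS shared secret not set")):
        if not re.search(rf"^radius server \S+\n(?: .*\n)*? {sub} \S+", config, re.M):
            findings.append(msg)
    body = interface_stanza(config, interface)
    if body is None:
        return findings + [f"{interface} not found"]
    for cmd, msg in REQUIRED_INTERFACE:
        if cmd not in body:
            findings.append(f"{interface}: {msg}")
    control = next((l.split()[-1] for l in body
                    if l.startswith("authentication port-control")), "force-authorized")
    if control != "auto":                     # default is force-authorized: no 802.1X at all
        findings.append(f"{interface}: port-control is {control}, so clients are never authenticated")
    return findings
```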

Endpoint Security Summary

13.3.1 What Did I Learn in this Module?

Introducing Endpoint Security

Traditionally endpoints included PCs, servers, and printers. However, in today’s network, endpoints
also include phones, tablets, laptops, Internet of Things devices, network video cameras and many
other things. Endpoint security used to depend on host-based security measures such as
antimalware software, host-based IPS, and host-based firewall software. Many devices and
technologies enhance host-based endpoint protections. Some of them are email security appliances,
web security appliances, NAC, and the Cisco Identity Services Engine. Another way that endpoints
can be protected from data loss is through the use of encryption of local data at the file, folder, or
drive level. Software such as BitLocker is included with Microsoft Windows 10 for this purpose.

Network Access Control is a system that can check whether endpoints that attempt to connect to the
network comply with network security policies. It handles user authentication and can take action against
devices that violate security policies by having out-of-date security software. It can even take action to
bring devices up to compliance standard before allowing access. NAC can also provide easy to
manage methods of providing network access to guest computers that require connectivity to the
network. Cisco ISE combines AAA and NAC into a single system.

802.1X Authentication

802.1X provides a means by which an authenticator network access switch can act as an intermediary
between a client and an authentication server. The switch forwards authentication information from
the client to the server. If authentication is successful, the client will be allowed to access the
network through the connected switch port. If authorization fails, the switch will not permit the
client endpoint to connect to the network. The system uses EAP and EAPOL to carry
authentication traffic between the client and the authenticator switch. The switch uses EAP and
RADIUS to communicate with the authentication server. The 802.1X authentication process can be
controlled by configuring the authenticator port with the authentication port-control command. The
port can be set to carry out the authentication process, provide authorized access, or to be in the
unauthorized state. In this state no device will be able to connect to the network.

802.1X port-based authentication is configured by first globally activating AAA and by specifying the
RADIUS server name, address, and ports. After that the authenticator interface is configured with
802.1X parameters.
