The recent WannaCry outbreak highlighted just how vulnerable machines are within the LAN, even behind the perimeter firewall. The attack took advantage of a vulnerability in SMBv1 but also in the way we traditionally look at network security whereby the things on the outside are untrusted, but everything inside is trusted. This attitude allowed the quick proliferation of the infection across machines on the LAN or corporate networks interconnected without firewalls – a massive attack surface all within the trusted realm.
Several vendors immediately jumped on this sales opportunity to peddle AV products and so on, but pretty much all of these are reactive to the encryption behaviour – don’t do the encryption and you won’t get spotted. Worryingly there could be infected machines that have already exploited SMBv1 running other payloads (such as this far more lucrative BitCoin miner).
Because we can never know when the next attack could happen or whether it’ll trigger behaviour based AV products we need to think about alternative ways to secure the LAN, reducing the risk while keeping the packets flowing.
Step in “Protected Ports”.
Using protected ports on your Cisco switches will allow traffic from clients to continue onto the server farms, edge routers or printers while preventing clients communicating between themselves… after all why should they?
To set this up you’ll want to audit which switchports belong to the printers, servers, routers etc and then issue the below commands:
Interface <interface #>