Stopping the Spread of WannaCry within the LAN

The recent WannaCry outbreak highlighted just how vulnerable machines are within the LAN, even behind the perimeter firewall. The attack took advantage of a vulnerability in SMBv1, but also of the way we traditionally look at network security, whereby things on the outside are untrusted but everything inside is trusted. This attitude allowed the infection to proliferate quickly across machines on the LAN, and across corporate networks interconnected without firewalls – a massive attack surface, all within the trusted realm.

Several vendors immediately jumped on this sales opportunity to peddle AV products and so on, but pretty much all of these react to the encryption behaviour – don’t do the encryption and you won’t get spotted. Worryingly, there could already be machines compromised through the same SMBv1 flaw that are running other payloads (such as this far more lucrative BitCoin miner).

Because we can never know when the next attack will happen, or whether it’ll trigger behaviour-based AV products, we need to think about alternative ways to secure the LAN, reducing the risk while keeping the packets flowing.

Step in “Protected Ports”.

Using protected ports on your Cisco switches will allow traffic from clients to continue on to the server farms, edge routers or printers while preventing clients from communicating with each other… after all, why should they?

To set this up you’ll want to audit which switchports belong to the printers, servers, routers etc. (those stay unprotected) and then issue the commands below on each client-facing port:

enable
configure terminal
! repeat the next two lines for each client-facing port
interface <interface #>
 switchport protected
end
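The audit step above is the tedious part on a large switch, so here is an added example (not from the original post) that does it from a saved running-config: it parses each interface block, skips trunks and anything whose description marks it as a server, printer, router or uplink, and emits the exact IOS commands the post gives for every remaining access port that still lacks `switchport protected`. The sample config and the description keywords are constructed assumptions; adjust the keyword list to match your own port labelling.

```python
"""Audit a Cisco IOS running-config for client access ports that lack
'switchport protected' and emit the commands needed to fix them."""

# Constructed sample running-config excerpt (assumption, not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description UPLINK to core
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description SERVER file01
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
 description PRINTER floor2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 description client desk 4
 switchport access vlan 10
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/5
 description client desk 5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport mode access
!
"""

# Description keywords marking shared infrastructure that must stay reachable.
# Assumption: the site labels such ports; any other access port is a client.
INFRA_KEYWORDS = ("server", "printer", "router", "uplink")


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} from running-config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a non-indented global line ends the block
    return interfaces


def classify(lines):
    """Classify one interface block as 'trunk', 'infra', 'protected' or 'client'."""
    if "switchport mode trunk" in lines:
        return "trunk"
    desc = next((l[len("description "):] for l in lines
                 if l.startswith("description ")), "")
    if any(word in desc.lower() for word in INFRA_KEYWORDS):
        return "infra"
    if "switchport protected" in lines:
        return "protected"
    return "client"


def unprotected_clients(config):
    """List client-facing access ports that still lack 'switchport protected'."""
    return [name for name, lines in parse_interfaces(config).items()
            if classify(lines) == "client"]


def remediation_commands(config):
    """Build the IOS command sequence from the post, one block per unprotected port."""
    cmds = ["configure terminal"]
    for name in unprotected_clients(config):
        cmds += [f"interface {name}", " switchport protected", " exit"]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Two points worth checking before you paste the output into a session: a protected port only blocks traffic to other protected ports on the same switch, so clients on different access switches can still reach each other unless the same is done on every switch (and anything that routes between them at layer 3 is outside the feature’s scope), and the uplink trunk must never be protected or clients lose their path to the servers entirely. Verify the result afterwards with `show interfaces <interface #> switchport`, which lists the protected state.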


More reading here: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010010.html
