
Does your network have these features enabled? – Part 1

03.07.2017

Many people wonder why careful design and implementation of corporate LAN and edge features is necessary. There are many answers to this simple question; among them, we need a network that is as resistant as possible to unwanted intrusions while still supporting all of our requirements.

We have compiled a checklist showing how you can mitigate many risks with out-of-the-box features that are usually supported at no extra license cost, and in which cases you should use them.

 

1. VLANs

This might come as a surprise or sound funny to some experienced engineers, but in fact there is nothing funny about it: from my professional experience, many systems administrators don’t even know what exactly a VLAN is or does. Yes, that’s the sad truth, so to the point:

Potential risks:

  • A single broadcast domain for the whole network, or even just for the user network, leads to unnecessary broadcast traffic, and a traffic loop in it can cause a complete service outage.
  • Secondly, and even more importantly, large broadcast domains are vulnerable to traffic sniffing and make man-in-the-middle attacks easier.
  • Lastly, a lack of VLANs leads to an administrative mess.

Solution:

Consider segmenting your network with VLANs. VLANs usually go hand in hand with IP subnetting, so a good approach is to plan and design your segments first and only then make changes. Remember that a good design should still serve you many years later, so think about IP address summarization and design subnets that are large enough but not too big. Make VLANs and subnets self-explanatory; for example, use the third IP octet as the VLAN ID:

– for subnet 10.20.10.0/24 allocate VLAN 10

– for subnet 10.20.11.0/24 allocate VLAN 11

Figure: LAN Segmentation with VLANs

 

2. Anti-Loop Mechanisms. Delays, drops, annoyance and more.

When switching loops arise in the network, the troubleshooting game begins: services and systems start showing delays, browsers stop responding, and eventually users complain and pressure on the IT department grows. When the broadcast effect is added on top of this, the network can go completely out of order.

Potential risks:

  • A human error by an IT admin plugging a cable into the wrong port can form a loop.
  • Lack of Spanning Tree in operation is an additional risk that leads to the loop effect.
  • Even if the network is working well, one can fall victim to a virtualization administrator making a mistake, for example with interface bundling on the vSwitch; this can cause switching loops as well. I know of one large outage at a large e-commerce company that was caused by a loop at the virtual machine level (that was a “test & dev” environment 😉 hitting production).
  • Another risk arises when the network is physically redundant and a switch port stops receiving BPDU frames: it then transitions to the forwarding state, causing a loop. As an example, the lack of BPDUs could be caused by a unidirectional link failure.

Figure: Switching Loop anatomy

Solution:

Features like Loop Guard can prevent loop formation by performing an additional check and putting the port into the STP loop-inconsistent state when the loop condition described above occurs. The loop-inconsistent state behaves like the STP blocking state.
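To make the difference concrete, here is a small Python model of a single STP port with and without Loop Guard. It is an added illustration, not code from the article or from any switch vendor: the port name, the collapsed listening/learning delays and the 20-second max age are assumptions chosen for the demo. It shows what happens to a blocking (alternate) port on a redundant link when BPDUs stop arriving, which is exactly the unidirectional-link case above.

```python
"""Simplified STP port model showing what Loop Guard changes when BPDUs stop.

Added illustration, not vendor code. A non-designated port (root or alternate)
normally receives BPDUs from the upstream bridge. If they stop arriving for
longer than max age, plain STP assumes the upstream bridge is gone, makes the
port designated and eventually forwards on it; with a unidirectional link that
is exactly how a loop forms. Loop Guard instead parks the port in the
loop-inconsistent state, which blocks traffic like the blocking state and
clears itself as soon as BPDUs return.
"""
from dataclasses import dataclass

MAX_AGE = 20  # 802.1D default BPDU max age, in seconds (assumed for the demo)


@dataclass
class StpPort:
    name: str
    role: str               # "root", "alternate" or "designated"
    state: str              # "forwarding", "blocking" or "loop-inconsistent"
    loop_guard: bool
    silent_for: int = 0     # seconds since the last BPDU was received


def on_bpdu(port: StpPort) -> str:
    """A BPDU arrived: reset the timer and recover from loop-inconsistent."""
    port.silent_for = 0
    if port.state == "loop-inconsistent":
        port.state = "blocking"   # Loop Guard recovery is automatic
    return port.state


def on_tick(port: StpPort, seconds: int = 1) -> str:
    """No BPDU for `seconds` more seconds; age the port's BPDU information."""
    port.silent_for += seconds
    if port.role == "designated" or port.silent_for < MAX_AGE:
        return port.state   # nothing to do yet (designated ports send, not expect, BPDUs)
    if port.loop_guard:
        port.state = "loop-inconsistent"
    else:
        # Without Loop Guard the port wins the segment and moves towards forwarding
        # (the listening/learning delays are collapsed here for brevity).
        port.role = "designated"
        port.state = "forwarding"
    return port.state


def simulate(loop_guard: bool, silent_seconds: int, bpdus_return: bool = False) -> str:
    """Alternate (blocking) port on a redundant link stops hearing BPDUs."""
    port = StpPort("Gi0/24", role="alternate", state="blocking", loop_guard=loop_guard)
    for _ in range(silent_seconds):
        on_tick(port)
    if bpdus_return:
        on_bpdu(port)
    return port.state


if __name__ == "__main__":
    print("no loop guard, 25s silence:", simulate(False, 25))       # forwarding
    print("loop guard, 25s silence:   ", simulate(True, 25))        # loop-inconsistent
    print("loop guard, BPDUs return:  ", simulate(True, 25, True))  # blocking
```

The point to take away is the last line: a loop-inconsistent port needs no manual intervention, so enabling Loop Guard on non-designated ports costs nothing in day-to-day operation.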

 

3. ARP Inspection. Are you sure your data is not intercepted?

ARP is something that is still not understood by everyone as well as it should be. As I wrote in ARP – what is it for?, understanding it is a fundamental requirement for every network specialist, so to better understand the problem, please read that post first. Because of ARP’s broadcast behavior, it can be used to violate user confidentiality through a man-in-the-middle attack.

Potential risks:

A malicious user (or hacker) in an Ethernet segment can use a few techniques to poison the ARP tables of other devices in the same segment so that they start treating the malicious computer as the trusted gateway. When they start sending traffic to the malicious MAC address instead of the real gateway’s MAC address, the attacker can intercept the session and listen to the real traffic. As an example, such an attack can be performed by sending a gratuitous ARP message to the whole broadcast segment.

Figure: ARP spoofing / ARP poisoning example

Solution:

One preventive method is ARP inspection, implemented at the Ethernet switch port level. With it, the switch inspects all ARP messages arriving on its ports and compares the MAC and IP pairs against the table learned by the DHCP Snooping process. If the switch sees a wrong MAC and IP pair on a port, it puts the port into the down state.

 

4. DHCP Snooping – mitigation of very popular phishing attacks

DHCP is a widely used protocol for obtaining IP addressing dynamically in Ethernet networks. Because it relies on broadcast behavior, similar to ARP, DHCP is vulnerable to layer 2 spoofing attacks that exploit presence in a common broadcast segment. Such attacks can lead to phishing of sensitive information.

Potential risks:

DHCP uses first-come, first-served logic, which is why any host in the same L2 network segment can respond to DHCP Discover/Request messages and thus become a DHCP server. Whether it is a user mistake that enables DHCP on an OS, an administrator’s fault in enabling another DHCP server on a network device, or intentional malicious activity, the problem is always serious. An unknown DHCP service can cause legitimate computers to receive fake DHCP offers, which can lead to:

  • Service outage if the offered IP addresses are not in the designed scope
  • Phishing attacks where the offered DNS address is a DNS server prepared by the hacker

Figure: DHCP Spoofing attack

Solution:

The problem described above is very serious and highly probable. I can bet that there is no protection against DHCP attacks in 90% of enterprise networks; this is something I recall from my experience. Prevention could be easy, because I think almost all key LAN solution vendors have a mechanism like DHCP Snooping that can be enabled at no extra fee. How does it work? The IT admin configures the switch ports, dividing them into trusted (DHCP server messages are allowed to ingress on this port) and untrusted (DHCP server messages are not allowed to ingress on this port). When a violation is seen on a port, for example a DHCP Offer message arriving on an untrusted port, the switch disables the port. In parallel, an Ethernet switch with this prevention technique enabled learns legitimate DHCP conversations between clients and servers and stores the IP – MAC – switch port information in the DHCP binding table for further reference. Very often other mechanisms, like ARP inspection or IP Source Guard, make use of the DHCP binding table.
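The two mechanisms from sections 3 and 4 share one data structure, the DHCP binding table, so the following Python model covers both: DHCP Snooping builds the table and refuses server messages on untrusted ports, and ARP inspection then validates ARP packets against it. This is an added illustration written for this article, not switch code from any vendor; the port names, MAC and IP addresses and the message sequence are constructed, and the reaction to a bad ARP packet (err-disabling the port) follows the behavior described in section 3 rather than any particular product's default.

```python
"""Simplified model of DHCP Snooping and ARP inspection on one switch.

Added illustration, not vendor code. A switch with trusted/untrusted ports builds
a DHCP binding table (IP, MAC -> client port) from legitimate DHCP exchanges,
err-disables any untrusted port that sources DHCP server messages, and then
validates ARP packets on untrusted ports against the binding table.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DhcpMsg:
    kind: str         # DISCOVER, OFFER, REQUEST or ACK
    port: str         # ingress switch port
    client_mac: str   # chaddr field
    yiaddr: str = ""  # address offered/assigned (OFFER and ACK only)


@dataclass(frozen=True)
class ArpMsg:
    port: str
    sender_mac: str
    sender_ip: str


class Switch:
    SERVER_MSGS = {"OFFER", "ACK"}

    def __init__(self, trusted_ports):
        self.trusted: Set[str] = set(trusted_ports)
        self.bindings: Dict[Tuple[str, str], str] = {}  # (ip, mac) -> client port
        self.pending: Dict[str, str] = {}               # client mac -> port of its last client message
        self.errdisabled: Set[str] = set()
        self.log: List[str] = []

    def dhcp_snoop(self, m: DhcpMsg) -> str:
        if m.port in self.errdisabled:
            return "dropped"
        if m.kind in self.SERVER_MSGS:
            if m.port not in self.trusted:
                # A DHCP server answering from an untrusted port is a rogue server.
                self.errdisabled.add(m.port)
                self.log.append(f"DHCP {m.kind} on untrusted {m.port}: port err-disabled")
                return "err-disabled"
            if m.kind == "ACK" and m.client_mac in self.pending:
                # Lease confirmed by the trusted server: record IP, MAC and the client's port.
                self.bindings[(m.yiaddr, m.client_mac)] = self.pending.pop(m.client_mac)
            return "forwarded"
        # Client messages: remember where the client lives so the ACK can be bound to its port.
        self.pending[m.client_mac] = m.port
        return "forwarded"

    def arp_inspect(self, a: ArpMsg) -> str:
        if a.port in self.errdisabled:
            return "dropped"
        if a.port in self.trusted:
            return "permitted"                 # trusted ports are not inspected
        if self.bindings.get((a.sender_ip, a.sender_mac)) == a.port:
            return "permitted"                 # sender matches a learned lease on this port
        self.errdisabled.add(a.port)
        self.log.append(f"ARP {a.sender_ip}/{a.sender_mac} on {a.port} has no DHCP binding: port err-disabled")
        return "err-disabled"


def run_demo() -> dict:
    """Constructed scenario: one legitimate lease, one rogue OFFER, one spoofed ARP reply."""
    sw = Switch(trusted_ports={"Gi0/1"})       # Gi0/1 faces the real DHCP server
    legit = "aa:aa:aa:aa:aa:01"                # client on Gi0/2
    for m in [DhcpMsg("DISCOVER", "Gi0/2", legit),
              DhcpMsg("OFFER", "Gi0/1", legit, "10.20.10.50"),
              DhcpMsg("REQUEST", "Gi0/2", legit),
              DhcpMsg("ACK", "Gi0/1", legit, "10.20.10.50")]:
        sw.dhcp_snoop(m)
    rogue = sw.dhcp_snoop(DhcpMsg("OFFER", "Gi0/3", legit, "192.168.99.5"))
    good_arp = sw.arp_inspect(ArpMsg("Gi0/2", legit, "10.20.10.50"))
    # Untrusted host on Gi0/4 claims the gateway address 10.20.10.1 with its own MAC.
    spoof_arp = sw.arp_inspect(ArpMsg("Gi0/4", "bb:bb:bb:bb:bb:02", "10.20.10.1"))
    return {"bindings": dict(sw.bindings), "rogue_offer": rogue, "good_arp": good_arp,
            "spoof_arp": spoof_arp, "errdisabled": sorted(sw.errdisabled), "log": sw.log}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note what the model does not cover: statically addressed hosts (the gateway itself, printers, servers) never appear in the binding table, so on a real switch they need static entries or an ARP ACL, or their ports must be trusted; forgetting that is the most common reason ARP inspection gets switched off again after a pilot.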

 

5. IP Spoofing vs Reverse Path Forwarding

Sometimes, especially during Proof of Concept (PoC) projects or infrastructure audits, network admins start seeing suspicious traffic coming from their internal network that is sourced from IP ranges outside the corporate scope. This may be a sign of malicious activity like IP spoofing, or of misconfigured devices forgotten by IT staff.

Potential risks:

There are two general problems associated with IP spoofing.

  • Junk traffic generation that causes additional utilization of network resources; such traffic needs to be stopped.
  • IP spoofing activity, meaning someone generates traffic from inside the corporate network with bad source addresses. Most routing devices forward traffic based on the destination IP in the packet header, so spoofed traffic can be freely forwarded. The bad thing about this is that spoofing can be used to attack other systems while hiding the real attacker. An example could be a DoS attack with a high volume of TCP SYN segments directed at a critical server farm with dynamically changing sources. If the source IPs point to subnets or Internet destinations other than the one the attacker is located in, the attacker can quickly exhaust server resources, causing a service outage, while remaining invisible or at least difficult to trace back.

Figure: SYN flood with IP spoofing attack

Solution:

To prevent spoofing, one can use Reverse Path Forwarding, which works simply by verifying the source IP address of an incoming packet against the routing table. If the layer 3 device finds a route in its routing table that would be used to forward traffic to the verified source IP address, the packet is allowed; if not, the router drops the packet.

Figure: uRPF – Reverse Path Forwarding feature
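The check above is easy to reproduce in code, which also makes the difference between the two uRPF modes visible. The following Python model is an added example, not router code from any vendor: the routing table, interface names and sample packets are constructed. Loose mode is the check the text describes (any route back to the source is enough); strict mode goes one step further and also requires that route to point out of the interface the packet arrived on, which is what actually stops a host on one access VLAN from sourcing traffic from another subnet. Matching only the default route does not count unless allow_default is set, mirroring the usual router behavior.

```python
"""Unicast Reverse Path Forwarding (uRPF) check modelled in Python.

Added illustration, not router code. The routing table is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table: (prefix, egress interface)
ROUTES: List[Route] = [
    (ipaddress.ip_network("10.20.10.0/24"), "Gi0/0"),  # user VLAN 10
    (ipaddress.ip_network("10.20.11.0/24"), "Gi0/1"),  # user VLAN 11
    (ipaddress.ip_network("10.30.0.0/16"), "Gi0/2"),   # server farm
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/3"),      # default route towards the Internet
]


def lookup(ip: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match, as a router would do for a destination lookup."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src_ip: str, ingress: str, mode: str = "strict", allow_default: bool = False) -> str:
    """Return "permit" or "drop" for a packet with source src_ip arriving on ingress."""
    route = lookup(src_ip)
    if route is None:
        return "drop"                       # no route back to the source at all
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return "drop"                       # only the default route matched
    if mode == "loose":
        return "permit"                     # any usable route back is enough
    return "permit" if iface == ingress else "drop"   # strict: route must point back out the ingress


def filter_packets(packets: List[Tuple[str, str]], mode: str = "strict") -> List[str]:
    """Verdict for each (source IP, ingress interface) pair."""
    return [urpf(src, ingress, mode) for src, ingress in packets]


# Constructed sample: a SYN flood from a host on VLAN 10 cycling through spoofed sources
SAMPLE = [
    ("10.20.10.25", "Gi0/0"),    # genuine VLAN 10 host
    ("10.20.11.7", "Gi0/0"),     # claims to be on VLAN 11 but arrives from VLAN 10
    ("10.30.4.4", "Gi0/0"),      # claims to be a server
    ("203.0.113.9", "Gi0/0"),    # claims to be an Internet host
]

if __name__ == "__main__":
    for (src, ingress), strict, loose in zip(SAMPLE, filter_packets(SAMPLE), filter_packets(SAMPLE, "loose")):
        print(f"{src:>14} on {ingress}: strict={strict:6} loose={loose}")
```

On an access-layer interface such as Gi0/0 strict mode is the right choice, because every legitimate source behind it belongs to exactly one subnet; loose mode is the usual compromise on interfaces with asymmetric routing, where the return path may legitimately differ from the ingress interface.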

If you want to read more about the details of the mentioned features, let us know.

Part 2 of the features checklist is in progress. If you want to read more, stay connected!

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 12 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
