Many people wonder why good design and implementation of corporate LAN and edge features is necessary. There are many answers to this simple question; among them, we need a network that is as resistant as possible to unwanted intrusions while still supporting all our requirements.
We have compiled a checklist of ways to mitigate many risks using out-of-the-box features that are usually supported at no extra license cost, together with the cases in which you should use them.
1. VLANs
This might come as a surprise or sound funny to some experienced engineers, but there is nothing funny about it. From my professional experience, many systems administrators don’t even know what a VLAN is or what it does. Yes, that is the sad truth, so to the point:
Potential risks:
Solution:
Consider segmenting your network with VLANs. VLANs usually go hand in hand with IP subnetting, so a good approach is to plan and design your segments first and only then make changes. Remember that a good design should still serve you many years later, so think about IP address summarization and design subnets that are large enough but not oversized. Make VLANs and subnets self-explanatory, for example by using the third IP octet as the VLAN ID:
– for subnet 10.20.10.0/24 allocate VLAN 10
– for subnet 10.20.11.0/24 allocate VLAN 11
2. Anti-Loop Mechanisms; Delays, drops, annoyance, and more.
When a switching loop arises in the network, the troubleshooting game begins: services and systems start showing delays and browsers stop responding, eventually leading to user complaints and increased pressure on IT departments. When the broadcast effect (a broadcast storm) is added on top of this, the network can go completely out of order.
Potential risks:
Switching Loop anatomy
Solution:
Features like Loop Guard can prevent loop formation by performing additional checks (for example, noticing that a blocking port has stopped receiving BPDUs) and moving the port into the STP loop-inconsistent state when a loop condition is detected. The loop-inconsistent state behaves like the STP blocking state.
3. ARP Inspection. Are you sure your data is not intercepted?
ARP is something that is still not understood by everyone as well as it should be. As I wrote in the post ARP – what is it for?, it is a fundamental requirement for every network specialist to understand, so to better understand the problem, please read that post first. Because of ARP’s broadcast behavior it can be used to violate user confidentiality through a man-in-the-middle attack.
Potential risks:
A malicious user (or hacker) working in the Ethernet segment can use a few techniques to poison the ARP tables of other devices in the same segment so that they start treating the malicious computer as the trusted gateway. When they start sending traffic to the malicious MAC address (instead of the real gateway MAC address), the attacker can intercept the session and listen to the real traffic. As an example, such an attack can be performed by sending a gratuitous ARP message to the whole broadcast segment.
Arp spoofing- arp poisoning example
Solution:
One of the preventive methods is ARP inspection, implemented at the Ethernet switch port level. With it, the switch checks all ARP messages arriving on its ports and compares the MAC and IP pairs against the binding table learned by the DHCP Snooping process. If the switch sees a wrong MAC and IP pair on a port, it shuts the port down.
4. DHCP Snooping – the mitigation of very popular phishing attacks
DHCP is a widely used protocol for obtaining IP addressing dynamically in Ethernet networks. Because it relies on broadcast behavior, similarly to ARP, DHCP is vulnerable to layer 2 spoofing attacks that exploit presence in the common broadcast segment. Such attacks can lead to the phishing of sensitive information.
Potential risks:
DHCP uses first-come, first-served logic, which is why any host in the same L2 network segment can respond to DHCP Discover/Request messages and thus become a DHCP server. Whether it is a user mistake that enables a DHCP server on an OS, an administrator fault that enables another DHCP server on a network device, or intentional malicious activity, the problem is always serious. An unknown DHCP service can cause legitimate computers to receive fake DHCP offers, and this can lead to:
DHCP Spoofing attack
Solution:
The problem described above is very serious and highly probable. I can bet that there is no protection against DHCP attacks in 90% of enterprise networks; this is something I recall from my experience. Prevention could be easy, because I think almost all key LAN solution vendors have mechanisms like DHCP Snooping that can be enabled with no extra fee. How does it work? The IT admin configures the switch ports, dividing them into trusted (DHCP server messages are allowed to ingress on this port) and untrusted (DHCP server messages are not allowed to ingress on this port). When a violation is seen on a port, for example a DHCP Offer message arriving on an untrusted port, the switch disables the port. In parallel, an Ethernet switch with this prevention technique enabled learns legitimate DHCP conversations between clients and servers and stores the IP – MAC – switch port information in the DHCP binding table for further reference. Other mechanisms like ARP inspection or IP Source Guard very often make use of the DHCP binding table.
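To show how the two features fit together, here is an added Python model (not from the post or any vendor's implementation) of the DHCP Snooping and ARP inspection logic described in sections 3 and 4: trusted and untrusted ports, the binding table learned from DHCP conversations, and ARP validation against it. The port names, MAC addresses and the scenario in demo() are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    """Toy model of DHCP Snooping plus ARP inspection on a single switch."""
    trusted: set                                  # ports facing the real DHCP server
    bindings: dict = field(default_factory=dict)  # ip -> (mac, client port) from DHCP
    pending: dict = field(default_factory=dict)   # client mac -> port of its last REQUEST
    disabled: set = field(default_factory=set)    # ports shut down after a violation

    def dhcp(self, port, msg, mac, ip=None):
        """Process one DHCP message seen on `port`; mac is the client MAC (chaddr)."""
        if msg in ("OFFER", "ACK"):               # server-side messages
            if port not in self.trusted:          # rogue server on an untrusted port
                self.disabled.add(port)
                return "drop+disable"
            if msg == "ACK" and mac in self.pending:
                # lease confirmed: record IP - MAC - client port in the binding table
                self.bindings[ip] = (mac, self.pending.pop(mac))
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):        # client-side messages
            self.pending[mac] = port
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """ARP inspection: validate the sender MAC/IP pair against the binding table."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get(sender_ip) == (sender_mac, port):
            return "forward"
        self.disabled.add(port)                   # spoofed ARP: shut the port down
        return "drop+disable"

def demo():
    """Constructed scenario: legit lease on Gi1/0/2, ARP spoof on Gi1/0/3, rogue DHCP on Gi1/0/4."""
    sw = SnoopingSwitch(trusted={"Gi1/0/1"})      # uplink toward the real DHCP server
    sw.dhcp("Gi1/0/2", "DISCOVER", "aa:aa:aa:aa:aa:02")
    sw.dhcp("Gi1/0/2", "REQUEST", "aa:aa:aa:aa:aa:02")
    sw.dhcp("Gi1/0/1", "ACK", "aa:aa:aa:aa:aa:02", "10.20.10.50")
    results = {
        "legit_arp": sw.arp("Gi1/0/2", "aa:aa:aa:aa:aa:02", "10.20.10.50"),
        # attacker on Gi1/0/3 claims the gateway IP with its own MAC (gratuitous ARP)
        "spoofed_arp": sw.arp("Gi1/0/3", "bb:bb:bb:bb:bb:03", "10.20.10.1"),
        "rogue_offer": sw.dhcp("Gi1/0/4", "OFFER", "cc:cc:cc:cc:cc:04", "10.20.10.77"),
    }
    return sw, results
```

Real switches usually rate-limit ARP and err-disable the port rather than shutting it on the first violation, and the gateway's own ARP replies are accepted because they arrive on the trusted uplink.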
5. IP Spoofing vs Reverse Path Forwarding
Sometimes, especially during Proof of Concept (PoC) projects or infrastructure audits, network admins start seeing suspicious traffic coming from their internal network that is sourced from IP ranges outside the corporate scope. This may be a sign of malicious activity such as IP spoofing, or of misconfigured devices forgotten by IT staff.
Potential risks:
Two general problems are associated with IP spoofing:
Syn Flood with IP Spoofing attack
Solution:
To prevent spoofing one can use Reverse Path Forwarding (RPF), which works simply by verifying the source IP address of an incoming packet against the routing table. If the layer 3 device finds a route in its routing table that it would use to forward traffic back to the verified source IP address, the packet is allowed; if not, the router drops the packet.
RPF – Reverse path forwarding feature
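An added Python illustration (not from the post) of the RPF check above, using a constructed routing table; it goes slightly beyond the text by distinguishing the loose check described here from the strict variant, which also requires the route to point out of the interface the packet arrived on.

```python
import ipaddress

# Constructed routing table: (prefix, interface the router would use to reach it)
ROUTES = [
    ("10.20.10.0/24", "Gi0/1"),    # corporate VLAN 10
    ("10.20.11.0/24", "Gi0/1"),    # corporate VLAN 11
    ("192.168.50.0/24", "Gi0/2"),  # lab segment
    ("0.0.0.0/0", "Gi0/0"),        # default route toward the Internet edge
]

def lookup(routes, ip):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def rpf_check(routes, src_ip, in_iface, mode="strict", allow_default=False):
    """Decide 'forward' or 'drop' for a packet with source src_ip arriving on in_iface.

    loose:  a route back to the source must exist (the check described in the post)
    strict: that route must also point out of the interface the packet arrived on
    """
    match = lookup(routes, src_ip)
    if match is None:
        return "drop"                  # no route back to the source at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"                  # only the default route covers the source
    if mode == "strict" and iface != in_iface:
        return "drop"                  # route exists, but via a different interface
    return "forward"
```

Strict mode is the usual choice on access-facing interfaces with symmetric routing; loose mode is safer where paths are asymmetric, and both drop a source that no route covers.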
If you want to read more about the mentioned features, let us know.
hi
nice block