Menu

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

  • en
  • pl
  • VLAN and more. Does your network have these features enabled? – UPDATED

    VLAN and more. Does your network have these features enabled? – UPDATED

    Date: 27.05.2021

    Author:


    Many people wonder why good design and implementation of corporate LAN and Edge features is necessary. There are many answers to this simple question and among them, we require a good network to be least vulnerable to unwanted intrusions along with it to be able to support all our requirements.

    We have compiled a list that you can check to know how you can mitigate many risks by using out-of-the-box features that are often supported at no extra license cost and in which cases you should use these features.

    1.VLANs

    This might come as a surprise or sound funny to some experienced engineers. But, in fact, there is nothing funny about this.. from my professional experience many systems administrators don’t even know what exactly VLAN is or does! Yes, that’s the sad truth, so to the point:

    Potential risks:

    • One broadcast domain for the whole network or only the user network can lead to unnecessary broadcast traffic, which upon a traffic loop might cause a complete service outage.
    • Secondly, but even more important, large broadcast domains are vulnerable to traffic sniffing and easier man-in-the-middle kind of attacks.
    • Lastly, a lack of VLANs can cause an administration mess.

    Solution:

    Consider segmenting your network with VLANs. VLANs often work in relation to IP  subnetting, so a good approach is to plan and design your segments first and then make changes. Remember that good design is proficient even many years after, so think about the IP addressing summarization, design subnets that will be large enough but not too big. Make VLANs and subnets self-explanatory, for example, give the third IP octet the id of VLAN Id:

    – for subnet 10.20.10.0/24 allocate VLAN 10

    – for subnet 10.20.11.0/24 allocate VLAN 11

    how to configure vlan

    2.Anti-Loop Mechanisms; Delays, drops, annoyance, and more.

    When switching loops in the network arise the troubleshooting game begins as services and systems start showing delays, and browsers stop responding eventually leading to user complaints and increased pressure on IT departments. When we add broadcast effect on top of this the network can go completely out of order.

    Potential risks:

    • A human error by an IT admin plugging the cable in the wrong port can cause loop formation.
    • The lack of Spanning Tree in operation is an additional risk that leads to the loop effect.
    • Even if the network is working well, one could be a victim of a virtualization administrator making a mistake. An example could be a mistake with interface bundling on the vSwitch. This can cause switching loops as well. I know one large outage of large e-commerce that was caused by loop on virtual machines level (that was a “test & dev” environment 😉 hitting production).
    • Another risk is when the network is physically redundant and the switch port stops receiving BDPU frames then it transitions to a forwarding state causing a loop. As an example, the lack of BPDU could be caused by unidirectional link failure.
    grandmetric.com Loop Guard Delays Packet Drops Service Unavailable
    Switching Loop anatomy

    Solution:

    Features like Loop Guard could avoid the loop formations by taking additional checks and putting the port in STP loop-inconsistent state when the loop condition is in place. The loop inconsistent state behaves like STP blocking state.

    3.ARP Inspection. Are you sure your data is not intercepted?

    ARP is something that is still not understood by all as it should be. As I wrote here: ARP – what is it for? this is a fundamental requirement to understand for every network specialist and to better understand the problem, please read the post first. Because of ARP’s broadcast behaviour it can be used to violate user confidentiality by making a man-in-the-middle attack.

    Potential risks:

    A malicious user (or hacker) working in the Ethernet segment can use a few techniques to poison the ARP table of other devices in the same segment so that they start thinking that the malicious computer will be the trusted gateway.  When they start sending traffic to a malicious MAC address (instead of a real gateway MAC address), hackers can intercept the session and listen to real traffic. As an example, an attack can be performed by sending a gratuitous ARP message to the whole broadcast segment.

    A grandmetric.com Arp spoofing- arp poisoning
    Arp spoofing- arp poisoning example

    Solution:

    One of the preventive methods is to use the ARP inspection technique implemented on the ethernet switch port level. Thanks to this, the switch controls all the ARP messages that are coming into the switch ports and compares the MAC and IP pairs against the table learned from the DHCP Snooping process. If the switch sees the wrong MAC and IP on the switch ports, it puts the port into the downstate.

    DHCP is a widely used protocol for obtaining IP addressing in a dynamic way in Ethernet networks. Because it benefits from broadcast behaviour, similar to ARP, DHCP is vulnerable to layer 2 spoofing attacks that make use of presence in the common broadcast segment. Such attacks can lead to the phishing of sensitive information.

    Potential risks:

    DHCP uses first come first serve logic which is why any host in the same network L2 segment can respond to DHCP discover/request messages thus becoming a DHCP server. Even if there is a user mistake that enables DHCP on OS, administrator fault by enabling another DHCP on a network device, or intentional malicious activity, the problem is always serious. Unknown DHCP service can cause legitimate computers to receive fake DHCP offerings and this can lead to:

    • Service outage if the offered IP addresses are not in the designed scope
    • Phishing attacks where the offered DNS address is the hacker’s prepared DNS
    grandmetric.com DHCP Snooping Man in the middle
    DHCP Spoofing attack

    Solution:

    The problem described above is very serious having a high probability. I can bet that there is no protection against DHCP attacks in 90% of enterprise networks. This is something I recall from my experience. Prevention against such a problem could be easy because I think almost all key LAN solution vendors have mechanisms like DHCP Snooping that can be enabled with no extra fee. How does it work? IT admin configures switch ports dividing ethernet ports to trusted (DHCP server messages are allowed on this port ingress) and untrusted (DHCP Server messages are not allowed on this port ingress). When there is a violation seen on a port – for example, DHCP Offer message incoming on an Untrusted port, the switch disables the port arbitrarily. In parallel, an ethernet switch with such a prevention technique enabled learns legitimate DHCP conversations between clients and servers and stores IP – MAC – Switch Port information in DHCP binding table for further reference. Very often other mechanisms like ARP inspection or IP Source Guard make use of the DHCP binding table.

    5.IP Spoofing vs Reverse Path Forwarding

    Sometimes, especially during Proof of Concept (PoC) projects or infrastructure audits, network admins start seeing suspected traffic coming from their internal network that is sourced from IP ranges not in the corporate scope. This may be a sign of malicious activity like IP spoofing or misconfigured devices that are forgotten by IT staff.

    Potential risks:

    With IP spoofing issues there are two general problems associated.

    • Junk traffic generation may cause additional utilization of network resources and one needs to stop such traffic.
    • IP spoofing activity means someone generates traffic from inside of a corporate network with bad sources. The behaviour of most routing devices is to route traffic based on the destination IP in the packet header so the spoofed traffic can be freely forwarded. The bad thing about this is that spoofing can be used to attack other systems in order to hide the real attackers. An example could be a DoS attack with a high volume of TCP SYN segments directed to a critical server farm with dynamically changing sources. If the source IP will point to subnets or Internet destinations other than the attacker is located in, the attacker can quickly allocate server resources causing service outage at the same time being invisible or at least difficult to trackback.
    grandmetric.com Syn Flood IP Spoofing DoS uRPF
    Syn Flood with IP Spoofing attack

    Solution:

    To prevent spoofing one can use Reverse Path Forwarding which works simply by verifying the source IP address of the incoming packet against the routing table. If the layer 3 device sees the route in the routing table that would be used to forward traffic to the verified source IP address, the packet is allowed if not router drops the packet.

    grandmetric.com uRPF Reverse patch forwarding
    RPF – Reverse patch forwarding feature

     

    Author

    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    1 Comment
    Mauricio
    22 April 2022 at 20:51

    hi

    nice block

     

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric