
    LAN security and how it is hacked

    Date: 01.08.2022


    To find out whether a given IT infrastructure is resilient, and its LAN security strong, we first run audits and penetration tests. During these, we use various techniques for breaching protection to reach the company's resources. One of the basic tests is to gather as much information as possible at the local network level, which is often less protected than other areas and resources of the network.

    There are two common ways into a local network: wired and wireless access. Here we cover the first, wired access.

    Wired access, or attacking “over the cable” 

    We can reach a wired network wherever we can plug a device in with an Ethernet cable: a wall socket, a floor box, a free port on an IP phone (the phone's PC port), or the Ethernet switch itself. This kind of access lets us probe the local network and, if no security measures are in place, the wide area network or the company's application segments as well.

    Fig. 1 Potential LAN access points 

    On an unprotected port, any connected device will usually obtain an IP address dynamically via DHCP. From that point it can send arbitrary traffic into the company network and start any other activity there.

    Broadcasting nature of LAN 

    Ethernet is built on a medium and on protocols that are broadcast in nature: a frame sent to the broadcast address is delivered to every device in the same Layer 2 segment (the broadcast domain). Several basic mechanisms rely on this, for example ARP, which maps IP addresses to MAC addresses, and DHCP, which hands out IP addresses.

    In practice it looks like this: a computer that has just connected has no IP address yet, so it broadcasts a DHCP Discover asking for one, and every device on the segment sees that request. Assuming that the server managing the addresses (the DHCP server) is trusted, the computer gets a correct address almost instantly and can start working in the network. The catch is that anything on the segment can hear the request, and anything on the segment can answer it.

    Fig. 2 Obtaining an IP address in an Ethernet network, step one: DHCP Discover

    The broadcasting nature of the network can cause trouble in two areas: 

    • security of network, data, and users, 
    • stability of the local campus network, and therefore our business. 

    Man in the Middle attack 

    The broadcast medium is prone to abuse precisely because of this nature of the network.

    The number one problem arises when a device connected by the attacker impersonates the address-managing server (DHCP).

    Note that along with the IP address, the DHCP server hands out a range of other information, one item being the default gateway address, i.e. the node responsible for all routing outside the local subnet.

    A client normally accepts the first DHCP Offer it receives. If the attacker answers faster than the real DHCP server (for instance because it sits closer to the client) and puts its own address in the router field, it becomes the default gateway for that computer, and all of the client's traffic leaving the subnet is routed through the attacker's machine.

    This is the basis of the so-called Man in the Middle attack: the attacker acts as an intermediary between the victim's computer and the target systems and can tap or alter the communications of a user who is unaware of being the victim of the MITM attack.

    Fig. 3 The mechanics of a Man in the Middle attack using a rogue DHCP server followed by DNS spoofing

    False DNS server 

    Another problem is a planted DNS server.

    One of the pieces of information the DHCP server passes to the client while it obtains its IP address is the DNS server address.

    The DNS (Domain Name System) is a key service in its own right: its job is to translate names (FQDNs) into IP addresses, and most of today's Internet communication depends on it. If the attacker runs a DNS server whose only purpose is to steer traffic to a server prepared beforehand (e.g. to extort information, so-called phishing), it is enough to put that server's address into the DHCP Offer. The victim will then use the planted DNS server when, for instance, opening the bank's website, and the attacker will resolve that name to any server that imitates the bank's.
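    Both attacks above ride on the same two DHCP Offer fields: the router option (3) and the DNS server option (6). The following added example (not code from the original article) parses a raw DHCP Offer and flags an Offer whose server identifier, gateway or resolvers do not match a trusted policy. The two sample packets and the policy addresses (10.0.0.1 as the legitimate server and gateway, 10.0.0.66 as the attacker) are constructed for the demo and are not taken from the article.

```python
"""Added example: parse DHCP Offers and flag the fields a rogue server abuses
(router, option 3; DNS list, option 6). Sample packets are constructed inline;
the trusted addresses in POLICY are assumptions for the demo."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 53, 54
DHCP_OFFER = 2

# Hypothetical policy for the demo subnet: who may hand out leases,
# which gateway and which resolvers a legitimate Offer must carry.
POLICY = {
    "servers": {"10.0.0.1"},
    "gateway": "10.0.0.1",
    "dns": {"10.0.0.53", "10.0.0.54"},
}


def _packed(addr):
    """Dotted quad -> 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, yiaddr, server_id, router, dns_servers, client_mac):
    """Build a DHCP Offer (BOOTP header + magic cookie + options). Used only to
    construct sample packets; a real capture would come off the wire."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops, xid, secs, flags
        _packed("0.0.0.0"), _packed(yiaddr),     # ciaddr, yiaddr
        _packed(server_id), _packed("0.0.0.0"),  # siaddr, giaddr
        client_mac, b"", b"",                    # chaddr (zero-padded to 16), sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + _packed(server_id)
        + bytes([OPT_SUBNET_MASK, 4]) + _packed("255.255.255.0")
        + bytes([OPT_ROUTER, 4]) + _packed(router)
        + bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(_packed(d) for d in dns_servers)
        + b"\xff"                                # end option
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the fixed header and the option TLVs into a dict; options are
    returned raw as {code: value bytes}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "chaddr": payload[28:28 + hlen].hex(":"),
        "options": options,
    }


def _ip_list(raw):
    """Split a 4n-byte option value into dotted-quad strings."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(payload, policy=POLICY):
    """Return a list of findings for one DHCP Offer; an empty list means the
    Offer matches policy. Messages other than Offers produce no findings."""
    opts = parse_dhcp(payload)["options"]
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCP_OFFER]):
        return []
    findings = []
    for server in _ip_list(opts.get(OPT_SERVER_ID, b"")):
        if server not in policy["servers"]:
            findings.append(f"offer from untrusted DHCP server {server}")
    for router in _ip_list(opts.get(OPT_ROUTER, b"")):
        if router != policy["gateway"]:
            findings.append(f"router option points at {router}, expected {policy['gateway']}")
    for dns in _ip_list(opts.get(OPT_DNS, b"")):
        if dns not in policy["dns"]:
            findings.append(f"DNS option points at untrusted resolver {dns}")
    return findings


# Constructed sample traffic: the legitimate Offer and a rogue one whose
# lease names the attacker's host as both gateway and resolver.
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
LEGIT_OFFER = build_offer(0x1234, "10.0.0.100", "10.0.0.1", "10.0.0.1", ["10.0.0.53"], CLIENT_MAC)
ROGUE_OFFER = build_offer(0x1234, "10.0.0.101", "10.0.0.66", "10.0.0.66", ["10.0.0.66"], CLIENT_MAC)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt) or "ok")
```

    The check is deliberately simple: a real deployment would feed it from a packet capture or a switch's DHCP snooping logs, and the decisive detail is that the client does not get to choose; whichever Offer arrives first wins, which is why the defence has to sit on the switch rather than on the client.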

    The phishing website is prepared to look exactly like the bank's. An attack of this kind can result in, e.g. the theft of the login and password to the victim's online banking system. One caveat a defender should know: with HTTPS and HSTS, a look-alike server cannot present a valid certificate for the bank's name, so the browser will warn the user; the attacker then relies on sites still reachable over plain HTTP or on users clicking through certificate warnings.

    Fig. 4 A false payment gateway as an attack vector

    What can we do to reduce the possibility of attacks described above? 

    How to secure the LAN network? 

    Physical security 

    When we talk about access to the wired network, we mean specific physical places: facilities, factories, rooms, open-plan offices. Room access control and central authentication are the first barrier an attacker has to overcome.

    Of course, through social engineering or by exploiting employees' lack of awareness, an attacker can get past these protections into the parts of the building he is after. That is why it is worth having detailed procedures for moving between zones of the building and the business grounds, as well as periodic training for employees.

    Another defensive element is simply securing the wired access network itself. We cannot put a padlock on a network socket, but we have a range of mechanisms and good practices that protect the access ports and the Ethernet switches, which are the devices aggregating all the wall sockets, floor boxes and access devices.

    An example is protecting the distribution cabinet and, starting with the switch itself, enabling 802.1X on the access ports: an outsider can still plug a cable in, but the port passes no traffic until the device or user has authenticated. Switch features such as DHCP snooping, which drops DHCP server replies arriving on untrusted access ports, directly address the rogue DHCP server scenario described above.

    Segmentation with VLAN 

    Using basic traffic segmentation techniques, we can limit and control the broadcast domains to which an attacker's activity is confined once the access barrier has been breached. Here we mean segmentation with VLANs, i.e. logically partitioning the network at the data link layer (L2). This does not fully protect the infrastructure, but it is the first step towards securing access networks.

    VLANs are logical local networks that, on the one hand, limit the broadcast segment (and thus the impact and scale of a potential attack) and, on the other, isolate groups of user systems, for example by role. VLANs are a standard feature of managed switches, such as the Cisco Catalyst 9200 series.

    Let me also point out that each VLAN segment can be “stretched” over many access devices (access switches) within the local network, while one physical switch can host many VLAN segments. 

    Fig. 5 How VLAN segmentation works

    To go beyond this and keep unauthorized devices off the local network, we should authenticate and authorize devices and users before granting them network access. There are several ways to do this; the most popular is 802.1X, which we covered in a bit more detail in our article on guest access.

    The 802.1X mechanism verifies the device or user connecting to a port. The switch (the authenticator) relays the EAP credentials of the connecting device (the supplicant) to an authentication server, usually RADIUS, and, depending on the result, sets the port to the authorized or unauthorized state. It also allows optional dynamic VLAN assignment or the application of a dynamic access list, filtering traffic according to the authorization that took place. Note that without MACsec, 802.1X protects the act of joining the port, not the frames that follow, so it should be combined with the segmentation and port protection measures described here.

    Fig. 6 802.1X: recognizing the user based on domain membership

    Micro-segmentation 

    Another, related method that greatly reduces an attacker's options in the access network, and in data centers, where it is used more often, is so-called micro-segmentation. It partitions devices and users within a single VLAN.

    With micro-segmentation, two devices in the same VLAN segment can be logically separated by a so-called "contract" that the network administrator enforces through policy. A good example of micro-segmentation in an access network is the Cisco TrustSec architecture and its SGTs (Security Group Tags): each endpoint's traffic is tagged with its group, and the switch permits or denies flows between groups according to the policy matrix rather than according to IP addresses.

    Guest access 

    On the Ethernet access side we often deal with open-plan rooms, meeting rooms and other parts of the building where guests are hosted. There we can use mechanisms that redirect an unknown user to a guest portal. This places stricter restrictions on guests while still granting them, for example, Internet access. Interestingly, 802.1X and MAB (MAC Authentication Bypass, which authenticates a device by its MAC address when it cannot do 802.1X) can be combined into a single logical policy on one Ethernet port. Permissions are then granted according to the authentication performed on the port, with the two mechanisms tried one after the other.

    The operations mentioned above can significantly increase the LAN’s security. 

    Beware of loops! 

    An action that destabilizes a local network, even a large campus one, can be intentional or accidental. A typical example is plugging an unmanaged switch or similar device into a network port to get more ports, sometimes with the administrator's knowledge, sometimes through an oversight. Unfortunately, actions like these can have disastrous consequences, even for the entire local network of a whole building or factory.

    In a broadcast network with Ethernet as the medium, we encounter phenomena such as loops, broadcast storms and link flaps. Their impact can be reduced with mechanisms like Spanning Tree Protocol or by limiting the size of L2 structures (routing to the edge), but even this approach will not completely eliminate the possibility of a loop appearing in the network.

    Fig. 7 The loop phenomenon in LANs

    If a switch is connected to the network in the wrong way, for example with two cables into the same broadcast domain, frames that enter it are sent back out into the segment. Ethernet frames carry no hop count or TTL, so a broadcast frame in such a loop circulates indefinitely, each switch flooding every copy it receives, and the volume grows until links and CPUs saturate. At the same time the switches see the same source MAC address arriving on different ports and their MAC tables flap. In the worst case a loop like this affects every network and client device and can halt the network's production operations.

    It is important to know that network equipment of appropriate quality has built-in mechanisms to deal with these events: storm control, unidirectional link detection (UDLD), port security, and BPDU Guard, which shuts down an access port as soon as a switch starts talking Spanning Tree on it.
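    To make the loop mechanism concrete, the following added example (not code from the original article) models two learning switches joined by two parallel links and injects a single broadcast. The switch names, port names and hosts are assumptions for the demo. Without a blocked port the frame never stops circulating and the MAC tables flap; with one end of the redundant link held in blocking state, as Spanning Tree would do, the broadcast is delivered once and the network goes quiet.

```python
"""Added example: a toy two-switch model showing why a redundant link without
Spanning Tree turns one broadcast into a storm and makes MAC tables flap.
Switch, port and host names are assumed for the demo."""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Minimal learning switch: learn the source MAC on the ingress port,
    flood broadcasts and unknown destinations to every other port."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}      # mac -> port it was last seen on
        self.blocked = set()     # ports STP would hold in blocking state
        self.flaps = 0           # times a known MAC moved to another port

    def receive(self, in_port, src, dst):
        """Return the egress ports for a frame arriving on in_port."""
        if in_port in self.blocked:
            return []            # a blocking port drops data frames
        if src in self.mac_table and self.mac_table[src] != in_port:
            self.flaps += 1      # same MAC now appears behind a different port
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port and p not in self.blocked]
        out = self.mac_table[dst]
        return [out] if out != in_port and out not in self.blocked else []


def simulate_broadcast(block_redundant_link, max_events=10_000):
    """Inject one broadcast from H1 and forward frames until the network is
    quiet or max_events forwarding decisions have been made. Ethernet frames
    carry no TTL, so in the looped case only the cap stops the run."""
    a, b = Switch("A", ["p1", "p2", "p3"]), Switch("B", ["p1", "p2", "p3"])
    switches = {"A": a, "B": b}
    hosts = {("A", "p1"): "H1", ("B", "p1"): "H2"}              # host-facing ports
    links = {("A", "p2"): ("B", "p2"), ("B", "p2"): ("A", "p2"),  # two parallel
             ("A", "p3"): ("B", "p3"), ("B", "p3"): ("A", "p3")}  # inter-switch links
    if block_redundant_link:
        b.blocked.add("p3")      # what STP would do with the second link
    delivered = {"H1": 0, "H2": 0}
    queue = deque([("A", "p1", "H1", BROADCAST)])  # (switch, ingress port, src, dst)
    events = 0
    while queue and events < max_events:
        sw, port, src, dst = queue.popleft()
        events += 1
        for out in switches[sw].receive(port, src, dst):
            if (sw, out) in hosts:
                delivered[hosts[(sw, out)]] += 1
            else:
                nsw, nport = links[(sw, out)]
                queue.append((nsw, nport, src, dst))
    return {
        "events": events,
        "storm": bool(queue),                    # frames still in flight at the cap
        "delivered": delivered,
        "flaps": {"A": a.flaps, "B": b.flaps},
    }


if __name__ == "__main__":
    print("no STP  :", simulate_broadcast(block_redundant_link=False, max_events=1000))
    print("with STP:", simulate_broadcast(block_redundant_link=True))
```

    In the looped run the sender H1 also receives copies of its own broadcast and both switches record MAC flaps, which is exactly the symptom (one MAC bouncing between ports) that a switch log shows during a real loop; BPDU Guard or storm control on the access port is what turns this into a shut-down port instead of an outage.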

    Properly configured equipment with pre-designed functionality will help you avoid most of the nasty effects specific to attacks on wired Ethernet access networks. 

    Summary 

    Although in everyday situations we mostly use wireless networks, it is this weakest or less popular link (here, wired access) that can become the decisive vector of a successful attack. It is worth keeping that in mind when designing networks and selecting equipment of the appropriate class. Better safe than sorry.

    Author

    Marcin Bialy

    Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent many hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
