To check whether an IT infrastructure is resilient and its LAN security strong, we first need to run audits and penetration tests. During these, we use various protection-breaching techniques to reach the company's resources. One of the basic tests is an attempt to obtain as much information as possible at the local network level, which is often less secure than other areas and resources in the network.
If we want to enter the local network, there are two most common ways: wired or wireless access. Here, we'll cover the first one, wired access.
We can access a wired network wherever we can connect our device with an Ethernet cable, e.g. to a port on the wall, a floor box, a free port on an IP phone, or directly to the Ethernet switch. Gaining access this way lets us penetrate the local network and, if no security measures are in place, even the wide area network infrastructure or the company's application segments.
Connecting any device to a network port most often lets it obtain an IP address dynamically, which in turn allows it to initiate any traffic or other activity in the company network.
Ethernet is based on a medium and protocols that are broadcast in nature. This means that computers and devices connected to the same local network rely on mechanisms that send certain information to all connected devices, either beforehand or on a recurring basis.
This type of traffic is called broadcast. In practice, a computer joining the network broadcasts a query so that it can obtain a correct IP address. Assuming the server managing the addresses (the DHCP server) is trusted, the computer gets a correct address almost instantly and can start operating in the network.
The broadcast nature of the network can cause trouble in two areas:
The broadcast medium is prone to security breaches mainly because of the way the network itself works.
The first problem arises when a device connected by the attacker spoofs the address-managing server (DHCP).
Note that the DHCP server hands out a host of other information along with the IP address, including the default gateway IP, i.e. the node responsible for all routing outside the local subnet.
If the attacker is quicker than the real DHCP server (e.g. because it is closer to the client) and sends lease information with the attacking computer's IP in the gateway field, the attacker assumes the role of default gateway for that client. All of the client's default outgoing traffic is then routed through the attacker's computer.
This enables the so-called Man-in-the-Middle (MITM) attack: the attacker acts as an intermediary between the victim's computer and the systems it talks to, which allows altering or eavesdropping on the communications of the unaware victim.
Another problem is the possibility of a planted DNS server.
Among the information the DHCP server passes to the client while it obtains an IP address is the DNS server address.
The Domain Name System (DNS) is a key service in itself: its task is to translate names (FQDNs) into IP addresses, and most of today's communication over the Internet relies on it. If the attacker runs his own DNS server solely to route traffic to a server prepared beforehand (e.g. to extort information, so-called phishing), placing his DNS server's address in the DHCP offer message will do the trick. The victim then uses the planted DNS server when, for instance, opening his bank's website, and the attacker redirects the victim's traffic to any target server that imitates the bank's.
The phishing website is prepared so that it looks exactly like the bank's. An attack of this kind can result in, for example, extorting the victim's login and password for electronic banking.
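Both problems described above (a second DHCP server winning the race and handing out its own address as gateway, and a planted DNS address in the same offer) are visible on the defender's side in the offers themselves. The following Python is an added illustration, not code from the original article: it checks captured DHCP OFFER records against what the segment should be handing out and reports any transaction that more than one server answered. The switch port names, addresses, MACs and policy values are constructed assumptions; the "server replies are only legitimate on the trusted uplink" rule is the same one a switch's DHCP snooping feature enforces.

```python
"""Flag rogue DHCP offers seen on an access segment.

Added example; not code from the original article. It applies the rule a
DHCP-snooping switch applies (DHCP server replies are legitimate only on the
trusted uplink port) and additionally compares the gateway and DNS options in
every offer with what the segment's real DHCP server is known to hand out.
All addresses, port names, MACs and transaction ids below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DhcpOffer:
    xid: int            # transaction id, ties the OFFER to the client's DISCOVER
    client_mac: str
    ingress_port: str   # switch port the OFFER was received on
    server_id: str      # option 54, the server announcing the lease
    yiaddr: str         # address offered to the client
    router: str         # option 3, the default gateway handed to the client
    dns: tuple          # option 6, DNS servers handed to the client


@dataclass(frozen=True)
class SegmentPolicy:
    subnet: str
    trusted_ports: frozenset   # ports on which DHCP server traffic may arrive
    dhcp_servers: frozenset    # server ids of the legitimate DHCP servers
    gateway: str
    dns_servers: frozenset


def check_offer(offer, policy):
    """Return the policy violations for one OFFER (an empty list means clean)."""
    findings = []
    if offer.ingress_port not in policy.trusted_ports:
        findings.append(f"server reply on untrusted port {offer.ingress_port}")
    if offer.server_id not in policy.dhcp_servers:
        findings.append(f"unknown DHCP server {offer.server_id}")
    if ip_address(offer.yiaddr) not in ip_network(policy.subnet):
        findings.append(f"offered address {offer.yiaddr} outside {policy.subnet}")
    if offer.router != policy.gateway:
        findings.append(f"gateway {offer.router} instead of {policy.gateway} (MITM path)")
    rogue_dns = sorted(set(offer.dns) - policy.dns_servers)
    if rogue_dns:
        findings.append(f"unexpected DNS server(s) {', '.join(rogue_dns)} (planted resolver)")
    return findings


def competing_offers(offers):
    """Map each transaction id to the servers that answered it, keeping only
    the ids answered by more than one server: a second server racing the real
    one is exactly the 'attacker is quicker' situation described above."""
    by_xid = defaultdict(set)
    for offer in offers:
        by_xid[offer.xid].add(offer.server_id)
    return {xid: servers for xid, servers in by_xid.items() if len(servers) > 1}


def audit(offers, policy):
    """Return {(xid, server_id): findings} for every offer that violates policy."""
    report = {}
    for offer in offers:
        findings = check_offer(offer, policy)
        if findings:
            report[(offer.xid, offer.server_id)] = findings
    return report


# Constructed sample: one segment, one real DHCP server reached through the uplink.
POLICY = SegmentPolicy(
    subnet="10.10.20.0/24",
    trusted_ports=frozenset({"GigabitEthernet1/0/48"}),
    dhcp_servers=frozenset({"10.10.0.5"}),
    gateway="10.10.20.1",
    dns_servers=frozenset({"10.10.0.53", "10.10.0.54"}),
)

SAMPLE_OFFERS = [
    # legitimate offer, relayed from the real server through the uplink
    DhcpOffer(0x3903F326, "aa:bb:cc:00:00:01", "GigabitEthernet1/0/48",
              "10.10.0.5", "10.10.20.101", "10.10.20.1", ("10.10.0.53", "10.10.0.54")),
    # a host on an edge port answered the same DISCOVER, pointing gateway and DNS at itself
    DhcpOffer(0x3903F326, "aa:bb:cc:00:00:01", "GigabitEthernet1/0/7",
              "10.10.20.250", "10.10.20.102", "10.10.20.250", ("10.10.20.250",)),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_OFFERS, POLICY).items():
        print(f"xid {key[0]:#x} server {key[1]}: " + "; ".join(findings))
    print("transactions with competing servers:", competing_offers(SAMPLE_OFFERS))
```

The per-offer checks catch a rogue server even when it is the only one answering; `competing_offers` catches the race itself, which matters because the client will have accepted whichever offer arrived first.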
What can we do to reduce the possibility of the attacks described above?
When we talk about access to the wired network, we mean facilities, factories, rooms, open-plan offices: specific physical places. Room access control and central authentication are the first barriers an attacker has to overcome.
Of course, by using persuasion or taking advantage of employees' lack of awareness, the attacker can beat these protections and get into the desired areas of the building. That's why it's worth developing detailed procedures for moving between the building's zones and the business grounds, as well as providing periodic training for employees.
Another defensive element is securing the wired access network itself. We can't put a padlock on a network port, but we have a variety of mechanisms and good practices at our disposal to protect access ports and Ethernet switches, which are what aggregate all the wired network sockets, floor boxes and access devices.
An example is protecting access to the distribution cabinet, starting with the switch itself, for instance by enabling 802.1X, which prevents an outsider who physically connects to a port from starting communication in the LAN.
Using basic traffic segmentation techniques, we can limit and control the so-called broadcast domains to which the attacker's activities are confined once the access barrier is breached. Here we're talking about VLAN segmentation, i.e. logically partitioning the network at the data link layer (L2). This does not fully protect the infrastructure, but it's the first step towards securing access networks.
VLANs are logical local networks that, on the one hand, limit the broadcast segment (and thus the impact and scale of a potential attack) and, on the other, isolate groups of user systems, for example by role. It's worth adding that VLANs are a functionality provided by the best-quality switches on the market, like the Cisco Catalyst 9200 series.
Note also that a VLAN segment can be "stretched" across many access switches within the local network, while a single physical switch can host many VLAN segments.
To rule out unauthorized connections to our local network entirely, we should authenticate and authorize devices and users before granting them access to the network. This can be achieved in several ways; the most popular is 802.1X, which we covered in a bit more detail in our article on guest access.
The purpose of 802.1X is to verify the device or user connecting to a port. Depending on the result, the switch sets the port to authorized or unauthorized mode. It also allows optional dynamic VLAN assignment or the application of a dynamic access list to filter traffic based on the authorization result.
Another related method that greatly reduces the attacker's options in the access network (and in data centers, where it's used more often) is so-called micro-segmentation, which partitions devices and users within a single VLAN.
With micro-segmentation, two devices in the same VLAN segment can be logically separated based on a so-called "contract", enforced as a policy by the network administrator. A good example of micro-segmentation in an access network is the Cisco TrustSec architecture and its Security Group Tags (SGTs).
With Ethernet access, we often have to deal with open-plan rooms, meeting rooms and other parts of the building used, for example, to host guests. There we can use mechanisms that redirect an unknown user to a guest portal. This places greater security restrictions on guests while still granting them Internet access, for example. Interestingly, both mechanisms can be combined into a single logical entity working on one Ethernet port; permissions are then the result of authentication performed at the port as a sequence of MAB and 802.1X.
The measures mentioned above can significantly increase the LAN's security.
An action that destabilizes a local network, even a large campus one, can be intentional or accidental. An example is connecting a rogue switch or device to a network port in order to increase the number of available ports (possibly through the admin's own fault). Unfortunately, operations like these can have disastrous consequences, even for the entire local network of a whole building or factory.
In a broadcast network with Ethernet as the medium, we deal with phenomena such as loops, broadcast storms and link flaps. Their impact can be reduced with mechanisms like the Spanning Tree Protocol or by limiting L2 structures (routing to the edge); however, even this approach will not completely eliminate the possibility of loops in the network.
If a switch is incorrectly connected to an Ethernet port, traffic entering it can be sent back out, and the looped traffic grows with every pass. In a critical case, such a loop can affect every network and client device and may even shut down the network's production operations.
It's important to realize that network equipment of appropriate quality has integrated mechanisms to deal with these events, for example storm control, unidirectional link detection (UDLD) or port security.
Properly configured equipment with this functionality designed in from the start will help you avoid most of the nasty effects of attacks on wired Ethernet access networks.
Although in everyday situations we mostly experience networks as wireless users, it's the weakest or less conspicuous link (wired access in this case) that can be the decisive vector of a successful attack. Keep that in mind when designing networks and selecting equipment of an appropriate class. Better safe than sorry.
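The protections the article lists for access ports, 802.1X/MAB, DHCP trust only on the uplink, and storm control, port security and BPDU guard against loops and rogue switches, are all per-port switch settings that are easy to miss on one port out of dozens. The following Python is an added example, not the article's code or a Cisco tool: it parses a Cisco IOS-style running configuration and reports which ports lack those settings. The sample configuration is constructed; the command names are standard IOS syntax, but the checker only matches text and does not replace the switch's own validation.

```python
"""Audit a Cisco IOS-style switch configuration for the wired-access protections
discussed above: 802.1X/MAB on access ports, DHCP snooping trusted only on the
uplink, and storm control / port security / BPDU guard against loops and rogue
switches. Added example; not the article's code or a vendor tool. The sample
configuration is constructed; the checker only matches text.
"""

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
 mab
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
"""

# Global commands every access switch in this design must carry.
GLOBAL_REQUIRED = {
    "ip dhcp snooping": "DHCP snooping is globally disabled",
    "dot1x system-auth-control": "802.1X is globally disabled",
}


def parse_config(text):
    """Split an IOS config into global lines and a per-interface list of lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' closes the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_interface(lines, global_lines):
    """Return the problems found on one interface, judged by its role."""
    problems = []
    is_access = "switchport mode access" in lines
    is_trunk = "switchport mode trunk" in lines
    trusted = "ip dhcp snooping trust" in lines
    if is_access:
        authenticated = "authentication port-control auto" in lines and (
            "dot1x pae authenticator" in lines or "mab" in lines)
        if not authenticated:
            problems.append("no 802.1X/MAB authentication on edge port")
        if not any(l.startswith("storm-control broadcast level") for l in lines):
            problems.append("no broadcast storm control")
        if "switchport port-security" not in lines:
            problems.append("port security not enabled")
        # BPDU guard shuts the port when a switch is plugged in; it can be set
        # per port or inherited by PortFast ports from the global default.
        bpduguard = "spanning-tree bpduguard enable" in lines or (
            "spanning-tree portfast" in lines
            and "spanning-tree portfast bpduguard default" in global_lines)
        if not bpduguard:
            problems.append("BPDU guard not enabled (a rogue switch would not be blocked)")
        if trusted:
            problems.append("edge port is DHCP-snooping trusted (rogue DHCP offers would pass)")
    elif is_trunk and not trusted:
        problems.append("uplink not DHCP-snooping trusted (legitimate offers would be dropped)")
    return problems


def audit_config(text):
    """Return {'global': [...], '<interface>': [...]} with the problems found."""
    global_lines, interfaces = parse_config(text)
    report = {"global": [msg for cmd, msg in GLOBAL_REQUIRED.items()
                         if cmd not in global_lines]}
    for name, lines in interfaces.items():
        report[name] = audit_interface(lines, global_lines)
    return report


if __name__ == "__main__":
    for scope, problems in audit_config(SAMPLE_CONFIG).items():
        print(f"{scope}: " + ("OK" if not problems else "; ".join(problems)))
```

Run against the sample, the fully configured edge port and the trunk uplink come back clean, while the bare edge port that someone also marked as DHCP-trusted collects five findings; that trust flag on an edge port is the single setting that would let the rogue DHCP server from the first part of the article through.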