Security texts often focus on encryption techniques, firewalls and security for servers. Often missing are the inherent weaknesses in the very building blocks of modern local area networks. This chapter discusses the devices and protocols common to every single production network running today in terms of their basic security vulnerabilities and provides some techniques for reducing security threats. Specifically, this chapter will cover the operation of routers, switches and access points with a brief mention of hubs. Protocols covered will include the spanning tree, internet control message, address resolution, management, and routing protocols. Packet captures and screenshots will be used to illustrate some of the protocols.
TopIntroduction
There is more to network security than encrypting user data, virtual private networks or installing firewalls. While these are very important, we must review every aspect of network communication to ensure that we are providing adequate protection to network resources. The reality is that every device and protocol has its own set of vulnerabilities. In addition, most network activities such as file transfer are simply implemented with the intent on accomplishing the end goal rather than being designed with security in mind.
As a result, we currently deploy networks that are plagued by security holes at all levels of the TCP/IP (or OSI) model and every type of networking device. These security holes are present not because a programmer didn’t protect against buffer overflow or there was a flaw in the encryption algorithm, but because devices and protocols are operating exactly as intended. The good news is that with an understanding of basic behavior and some minor configuration changes, many of these weaknesses can be minimized or eliminated entirely. Lastly, by having insight into the network and understanding the baseline measurements, one can more easily respond to an attack in progress or deal with the aftermath. This chapter will examine some of the common elements deployed today and how the standard operation makes reconnaissance for an attacker simpler. We will also discuss some basic steps to help mitigate the security holes.
Sometimes understanding the nature of an attack or our vulnerabilities can give us an idea as to the vectors that might be used. The reverse is also true. Regardless of your point of view, it is difficult to defend against an attack if you do not understand nature of the attack. There are many reasons that an attacker may target a network and attacks are not always for material gain. Some of these reasons include but are not limited to;
Underscoring the need to understand the threat is a series of polls from the Computer Security Institute. For more than a decade this organization has collected data on attack types, security deployments, personnel skills and many other aspects of computer crime. Consistently, the top threats or problems experienced by those responding to the poll are viruses, insider abuse and laptop theft or fraud (Richardson, 2008). Some insider threats result from poorly configured security that gave unauthorized personnel access to restricted resources. No matter the cause, it is clear that a better firewall isn’t the answer.
TopReconnaissance
Apart from the most obvious or brute force attacks, exploits usually begin with some sort of investigation or reconnaissance. Depending on the goal of the attack, the recon may be as simple as driving around looking for an open access point that is still using the default configuration or a much more in-depth analysis of network traffic, behavior and resources. The information gained during this phase of the attack can come from a wide variety of sources. Employees may be unwitting accomplices as they are tricked or social engineered into revealing information. Wireless scans can often be very fruitful and some companies even post a considerable amount of information on web pages in order to make employee resources easier to find. As an example, many organizations may electronically post the locations or even IP addresses of printers and servers. The intent is that employees will now be able to more easily connect to these devices without having to generate a troublecall to the helpdesk. Of course this also makes it easier on the bad guy.