Creating firewalls may block some malicious attempts on your network, but this step is far from running an entirely secure network. As a network administrator or security consultant, to design a proper firewall for your network you need to know what you are defending your network from. We cannot fully cover this topic, even in 1000 pages, but we want to explain some principles that you should consider in running a safe network.
As hard as it may seem to protect your network from the outside world, the most dangerous threats always come from inside your network. Whether it is a user with malicious intentions or a hacker who broke into a less important part of your network, the inner threat is the worse of the two.
Besides outside and inside attacks on your network, there is one more attack type, called the MIM (Man In the Middle) attack. This involves traffic between two trusted parts of your network that transits one or more routers that you don't control. For instance, we might have a network in one building and another network in a distant building, and we ask our ISP to connect the two networks; due to the ISP's distribution network, the packets pass through one of its routers. If we don't make an encrypted VPN connection between the sites, the Man In the Middle (our provider) can easily sniff the traffic going from one network to the other, discovering passwords, servers' IP addresses, remote control ports, etc. If the provider has bad intentions, he or she can assume trusted IP addresses from one of the sites to log in to protected servers on the other site after sniffing out users and passwords. Of course, a serious provider would never do that, but you should still consider that behind everything there are people who can have malicious intentions, and that there is a small chance that some hacker who wants your data may break into your provider's systems.
We've now established that a security threat may come from inside, outside, or from transit points of the network. This means you are exposed from every direction, so a good practice is to close some doors. Closing doors means eliminating transit points (by creating encrypted VPNs), identifying weak parts of your network, and treating them as part of the outside network. If you can do this with your network, you will have only outside attacks to care about.
Although the Internet runs on the TCP/IP protocol suite, we explained in Article 1 that the reference model for networking is the OSI layered model. Network security should be addressed at each OSI layer for different vulnerabilities and types of attacks. You will find that every layer has its own security challenges.
Layer 1 Security Threats
OSI Layer 1 defines physical links. There are quite a few types of attacks that can be found at Layer 1, including:
- Cable / fiber cuts
- High voltage applied on copper lines
- Wireless link jamming
- Electromagnetic field sources brought near copper cables, etc.
Securing the physical layer is beyond the scope of this article and must be done by field or transmission engineers. However, it is important for network administrators to know how the physical links are built, and to have backup routes for the most important links as well as for the most exposed ones.
Layer 2 Security Threats
Layer 2 of the OSI model defines the data link layer. The data link layer can be a very weak link in terms of security, and the worst thing is that it can affect the upper layers by causing service disruptions or security breaches. At Layer 2 we can find ATM, frame relay, PPP, Ethernet, Wireless LAN (802.11a/b/g), etc. Since the most popular Layer 2 protocol is Ethernet, we will discuss its security in more detail.
MAC Attacks
MAC addresses used in Ethernet, 802.11 wireless networks, Bluetooth, FDDI, Fibre Channel, and Token Ring are unique identifiers attached to the networking equipment. MAC addresses are 48 bits long, should be unique, and are usually shown in hexadecimal format (e.g. "00-13-F7-18-A1-AC"). The first 24 bits of a MAC address are the manufacturer code assigned by IEEE, and the second 24 bits are assigned by the manufacturer to the individual interface. By convention, the MAC address FF-FF-FF-FF-FF-FF is used for broadcast.
A security issue found at Layer 2 is CAM table overflow, which affects the switches in the network. CAM stands for Content Addressable Memory; it is a physical part of a switch that stores which MAC addresses are reachable on each physical port and their associated VLAN parameters. Physically, a CAM is ordinary memory of limited size. In 1999, Ian Vitek created a tool called macof, later integrated in dsniff, which floods switches with invalid source MAC addresses (up to 155,000/minute). This tool quickly fills up the CAM table of the switch to which the computer running the tool is connected, and also those of the adjacent switches. The result is abnormal behavior of the switch: it floods incoming traffic out on all ports (like a simple old hub), which makes a Man-In-the-Middle (MIM) attack possible because the attacker can start sniffing network traffic. Unfortunately, Linux can't protect you against this type of attack; only managed switches with port security options can do that. However, the attacker can only sniff packets within his or her VLAN, so it is important to determine where these attacks may come from and make sure that no important traffic passes through that VLAN.
Another security issue on this subject is MAC address spoofing, which attackers use to replace the CAM table entry of a known MAC address with their own port. This causes the switch to send the traffic destined for the attacked computer's port to the port to which the attacker is connected. The attack causes service disruption and can be used as a MIM attack, with the attacker sniffing the packets destined for the attacked computer. MAC address spoofing attacks can be blocked only in the switches, if the switches have facilities for that.
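As an added example (not code from the original article), the following Python script splits a MAC address into the fields just described and then models the port security rule that managed switches use against CAM flooding: count the distinct source MACs seen per port inside a time window and flag ports that exceed a limit. The port names, the 60-second window, the limit of 8 and the frame records are all constructed for the illustration; the two flag bits decoded from the first octet (group address and locally administered) come from the IEEE 802 addressing rules rather than from the article.

```python
import re
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(text):
    """Accept "00-13-F7-18-A1-AC", "00:13:f7:18:a1:ac" or "0013.f718.a1ac"
    and return the canonical lower-case, colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def describe_mac(text):
    """Split a MAC into the fields the article describes, plus the two
    flag bits of the first octet that IEEE 802 defines."""
    mac = normalize_mac(text)
    first_octet = int(mac[0:2], 16)
    return {
        "mac": mac,
        "oui": mac[0:8],            # first 24 bits: manufacturer code assigned by IEEE
        "nic_specific": mac[9:],    # last 24 bits: assigned by the manufacturer
        "broadcast": mac == BROADCAST,
        "multicast": bool(first_octet & 0x01),             # I/G bit set: group address
        "locally_administered": bool(first_octet & 0x02),  # U/L bit set: not IEEE-assigned
    }


def flood_suspects(frames, max_macs_per_port=8, window=60.0):
    """frames: iterable of (timestamp_seconds, switch_port, source_mac).

    Mimics the 'no more than X MAC addresses per port' rule of switch port
    security: for every port, count the distinct source MACs seen inside any
    sliding window of `window` seconds and report ports that exceed the limit.
    Returns {port: highest distinct-MAC count observed}."""
    by_port = defaultdict(list)
    for ts, port, mac in frames:
        by_port[port].append((ts, normalize_mac(mac)))
    suspects = {}
    for port, events in by_port.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({mac for _, mac in events[start:end + 1]})
            if distinct > max_macs_per_port:
                suspects[port] = max(suspects.get(port, 0), distinct)
    return suspects


# Constructed sample: two real stations on Gi0/1, and a flood of 12 made-up
# (locally administered) source MACs on Gi0/7 within six seconds.
SAMPLE_FRAMES = [
    (0.0, "Gi0/1", "00-13-F7-18-A1-AC"),
    (1.0, "Gi0/1", "00:13:f7:18:a1:ad"),
    (2.0, "Gi0/1", "00-13-F7-18-A1-AC"),
] + [
    (0.5 * i, "Gi0/7", "02:%02x:%02x:%02x:%02x:%02x" % ((i,) * 5))
    for i in range(12)
]

if __name__ == "__main__":
    print(describe_mac("00-13-F7-18-A1-AC"))
    print(describe_mac("FF-FF-FF-FF-FF-FF"))
    print(flood_suspects(SAMPLE_FRAMES))   # {'Gi0/7': 12}
```

The sliding window is deliberately simple (quadratic in the number of frames per port) so the rule stays readable; a real switch applies the same limit in hardware per port and typically shuts the port or drops the excess addresses once it is exceeded.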
DHCP Attacks
DHCP (Dynamic Host Configuration Protocol), described by RFC 2131 (http://www.ietf.org/rfc/rfc2131.txt), is the protocol used by devices in a network to obtain network configuration settings such as IP address, subnet mask, default router, and DNS servers' IP addresses from a server in the network running DHCP server software. DHCP servers are configured to assign clients (devices in the network) IP addresses from defined ranges.
The DHCP server gives the IP address to a requesting device on a lease basis, meaning that the IP address is "leased" for a limited amount of time. During this time, the DHCP server will not lease that IP address to any other client. Before the lease time expires, the DHCP client must request an extension of the lease from the DHCP server. The DHCP lease time is configurable from 120 seconds to whatever the administrator chooses.
A DHCP starvation attack consists of consuming the IP address space allocated by a DHCP server. An attacker can easily accomplish this by broadcasting a large number of DHCP requests using spoofed MAC addresses. The DHCP server leases its IP addresses one by one to the attacker until it runs out of available IPs for new, legitimate clients. This leads to a Denial of Service for those clients in the network requesting IP addresses from the DHCP server. At this point, the attacker can set up a rogue DHCP server that serves clients with false details, for example giving them its own IP address as the default router. This results in all the clients' traffic passing through the attacker's computer, making it really easy for him or her to sniff all the network traffic from the clients.
The rogue DHCP server can be set up even without performing the DHCP starvation attack, as clients accept the first DHCPOFFER they receive. Both of these attacks can be easily accomplished using gobbler, a simple tool that can be found on the Internet. Unfortunately, only switches can protect users against these attacks. The DHCP starvation attack can be prevented by using port security features that don't allow more than X MAC addresses on one port (the same method of prevention as for CAM attacks). The rogue DHCP server attack is more difficult to prevent, but hopefully it will become preventable in the future with the implementation of "Authentication for DHCP Messages" described by RFC 3118. For now, some smart and expensive switches have a "DHCP snooping" function, which filters DHCP messages from non-trusted hosts.
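The following Python model, added here and not part of the original article, shows what the two switch-side defenses just mentioned actually decide on a DHCP exchange: DHCPOFFER/ACK/NAK messages are forwarded only when they arrive on a port marked trusted (the DHCP snooping idea), and DHCPDISCOVERs are rate-limited per port so a starvation flood is cut off after the limit. The port names, the limit of 10 DISCOVERs per second, the 192.0.2.x addresses and the event trace are constructed; the binding table it keeps is the client MAC / leased IP / client port record that DHCP snooping builds from DHCPACKs.

```python
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooper:
    """Toy model of two switch features: DHCP snooping (server messages are
    accepted only from trusted ports) and a per-port DHCPDISCOVER rate limit
    (at most `limit` DISCOVERs per `window` seconds, against starvation)."""

    def __init__(self, trusted_ports, limit=10, window=1.0):
        self.trusted = set(trusted_ports)
        self.limit = limit
        self.window = window
        self.discovers = {}      # port -> (window_start, count)
        self.client_port = {}    # client MAC -> port it last spoke on
        self.bindings = {}       # client MAC -> (leased IP, client port)
        self.alerts = []

    def handle(self, event):
        """Return "forward" or "drop" for one DHCP message seen on the switch."""
        ts, port, client_mac, msg, server_ip, offered_ip = event
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                # a DHCP server answering from an access port: rogue server
                self.alerts.append(("rogue-server", port, server_ip))
                return "drop"
            if msg == "DHCPACK":
                self.bindings[client_mac] = (offered_ip, self.client_port.get(client_mac))
            return "forward"
        # client-side message: remember which port the client lives on
        self.client_port[client_mac] = port
        if msg == "DHCPDISCOVER":
            start, count = self.discovers.get(port, (ts, 0))
            if ts - start >= self.window:
                start, count = ts, 0          # open a new rate-limit window
            count += 1
            self.discovers[port] = (start, count)
            if count > self.limit:
                self.alerts.append(("starvation", port, client_mac))
                return "drop"
        return "forward"


def run(events, trusted_ports=("Gi0/24",), limit=10):
    """Feed a trace through the snooper; returns (decisions, alerts, bindings)."""
    snooper = DhcpSnooper(trusted_ports, limit)
    decisions = [snooper.handle(e) for e in events]
    return decisions, snooper.alerts, snooper.bindings


# Constructed trace: (ts, ingress port, client MAC, message, server IP, offered IP).
# The real DHCP server sits behind trusted port Gi0/24; Gi0/9 hosts an attacker.
SAMPLE_EVENTS = [
    (0.00, "Gi0/2",  "00:13:f7:18:a1:ac", "DHCPDISCOVER", None, None),
    (0.10, "Gi0/24", "00:13:f7:18:a1:ac", "DHCPOFFER", "192.0.2.1", "192.0.2.50"),
    (0.15, "Gi0/9",  "00:13:f7:18:a1:ac", "DHCPOFFER", "192.0.2.254", "192.0.2.77"),  # rogue
    (0.20, "Gi0/2",  "00:13:f7:18:a1:ac", "DHCPREQUEST", "192.0.2.1", "192.0.2.50"),
    (0.30, "Gi0/24", "00:13:f7:18:a1:ac", "DHCPACK", "192.0.2.1", "192.0.2.50"),
] + [
    # 25 DISCOVERs with made-up source MACs inside a quarter of a second
    (1.0 + 0.01 * i, "Gi0/9", "02:00:00:00:00:%02x" % i, "DHCPDISCOVER", None, None)
    for i in range(25)
]

if __name__ == "__main__":
    decisions, alerts, bindings = run(SAMPLE_EVENTS)
    print(decisions.count("drop"), "messages dropped")
    for alert in alerts[:3]:
        print(alert)
    print(bindings)
```

Note that the binding records the client's own port (learned from its DISCOVER/REQUEST), not the trusted port the ACK arrived on; that is what lets a switch later cross-check ARP and IP source addresses against the lease.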
ARP Attacks
ARP stands for Address Resolution Protocol, and it is the protocol used to map IP addresses to MAC addresses. Within the same broadcast domain (network segment), computers exchange ARP messages to find each other's MAC address based on the IP address they know. ARP is essential to TCP/IP communications, and it is a very simple protocol with almost zero security features. ARP spoofing is a simple way to conduct ARP attacks: sending broadcasts with spoofed MAC or IP addresses causes either Denial-of-Service or Man-In-the-Middle attacks. Adding IP/MAC pairs manually to the ARP tables of the computers in the network can solve some ARP spoofing attack scenarios, but it is far from a complete solution to this type of attack. The very popular dsniff package (http://www.monkey.org/~dugsong/dsniff/) contains ARP spoofing tools among other network attack/audit tools.
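As an added example (constructed for this page, not taken from the article or from dsniff), here is a small ARP monitor in Python that applies the manual-pinning idea above on the detection side: it seeds its table with hand-entered IP/MAC pairs, learns the rest from the first ARP reply it sees, and alerts when a later reply claims a different MAC for a known IP, or when one MAC answers for many IPs. The pinned gateway, the reply trace and the 192.0.2.x addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed: the gateway's IP/MAC pair pinned by hand, as the article suggests
# for selected hosts. Everything else is learned from the first reply seen.
STATIC_ARP = {"192.0.2.1": "00:13:f7:18:a1:ac"}


def detect_arp_spoofing(replies, static=STATIC_ARP):
    """replies: iterable of (timestamp, sender_ip, sender_mac) taken from ARP
    replies seen on the segment.
    Returns alerts as (timestamp, ip, expected_mac, seen_mac, reason).

    Bindings are never overwritten once learned: a legitimate NIC change needs
    an operator reset, while every spoofed reply keeps producing an alert."""
    bindings = {ip: mac.lower() for ip, mac in static.items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac                     # first time we hear about this IP
        elif expected != mac:
            reason = "static-entry-conflict" if ip in static else "binding-changed"
            alerts.append((ts, ip, expected, mac, reason))
    return alerts


def macs_claiming_many_ips(replies, limit=2):
    """The other face of ARP spoofing: one MAC answering for many IPs (an
    attacker impersonating every host). Returns {mac: sorted IPs} for MACs
    that claim more than `limit` addresses."""
    ips = defaultdict(set)
    for _, ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: sorted(s) for mac, s in ips.items() if len(s) > limit}


# Constructed trace: normal replies first, then an attacker (02:aa:bb:cc:dd:ee)
# claiming the gateway and two hosts.
SAMPLE_REPLIES = [
    (0.0, "192.0.2.1", "00:13:f7:18:a1:ac"),
    (0.5, "192.0.2.20", "00:13:f7:18:a1:b0"),
    (0.7, "192.0.2.21", "00:13:f7:18:a1:b1"),
    (5.0, "192.0.2.1", "02:AA:BB:CC:DD:EE"),
    (5.1, "192.0.2.20", "02:aa:bb:cc:dd:ee"),
    (5.2, "192.0.2.21", "02:aa:bb:cc:dd:ee"),
    (6.0, "192.0.2.1", "02:aa:bb:cc:dd:ee"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
    print(macs_claiming_many_ips(SAMPLE_REPLIES))
```

On a real segment the reply tuples would come from a capture (for instance tcpdump filtering on ARP), and the static seed would mirror the entries you already pin on critical hosts, so the monitor tells you when the pinning is being contradicted on the wire.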
STP and VLAN-Related Attacks
Virtual LANs (VLANs) are logically independent networks physically connected in a larger network. The idea behind VLANs is to create multiple broadcast domains within a single network and to separate different traffic types from each other. Multiple VLANs can exist in a single switch, and VLAN information can be carried between switches using trunks. Trunks are interconnections between switches that carry data between them using tags to identify which VLAN the data belongs to. The dominant tagging protocol is IEEE 802.1Q. Creating VLANs is a very good security measure at Layer 2 because it separates different types of traffic. However, misconfigured switches can allow a certain type of attack called VLAN hopping.
VLAN hopping is an attack in which an attacker tries to send data to hosts that belong to other VLANs by tagging the data with a VLAN ID different from the one it belongs to. As 802.1Q implementations are available for Linux and other OSes, and some vendors' (e.g. Cisco) switches have trunking as the default mode for a port, an attacker can easily create a trunk link between the switch and his or her own machine, thus being able to communicate with hosts in all VLANs configured on that switch. Another type of attack that probably everyone knows about is creating network loops.
A network loop appears when two ports belonging to the same VLAN have a link to each other, or when there are two or more paths between two switches. Malicious users can physically create network loops; the easiest way to do that is connecting a cross-connect cable to two ports that belong to the same switch and the same VLAN (the same broadcast domain). When a loop appears in a network, broadcasts travel endlessly within that VLAN, flooding every port that belongs to that VLAN on every switch in the network and thus bringing the network down. The Spanning Tree Protocol (STP, IEEE 802.1D) was designed to prevent network loops.
STP works by deactivating links that could form a network loop, which makes it possible to deploy redundant links that, without STP, would create network loops. STP manipulation is a type of threat in which an attacker broadcasts STP configuration or topology change BPDUs (Bridge Protocol Data Units), forcing STP recalculations in the expectation that the attacker becomes the root bridge. As root bridge, the attacker can sniff Ethernet frames belonging to other VLANs. 802.1D STP takes about 30 to 45 seconds to re-elect a root bridge if the old root bridge fails, so each forced recalculation also results in a DoS attack.
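To make the VLAN hopping discussion above concrete, the following Python code (an added example, not from the original article or any switch vendor) parses an Ethernet frame with an optional 802.1Q tag into its fields and then applies the ingress rule a properly configured switch enforces: an access port accepts only untagged frames and places them in its configured VLAN, and a trunk port accepts only the VLAN IDs explicitly allowed on it. The port configurations, MAC addresses and frames are constructed test data built by the script itself.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame, optionally with an 802.1Q tag (test data only)."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame):
    """Decode dst/src MAC, an optional 802.1Q tag and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": mac_text(dst), "src": mac_text(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_decision(port, frame):
    """Apply the per-port rule a hardened switch enforces on ingress.

    port is {"mode": "access", "vlan": N} or
            {"mode": "trunk", "native_vlan": N, "allowed": {vid, ...}}.
    Returns ("accept", vlan_id) or ("drop", reason)."""
    f = parse_ethernet(frame)
    if port["mode"] == "access":
        if f["vlan"] is not None:
            return ("drop", "tagged frame on access port (possible VLAN hopping)")
        return ("accept", port["vlan"])
    if f["vlan"] is None:
        return ("accept", port["native_vlan"])
    vid = f["vlan"]["vid"]
    if vid in port["allowed"]:
        return ("accept", vid)
    return ("drop", "VLAN %d not allowed on trunk" % vid)


# Constructed port configurations and frames.
ACCESS_PORT = {"mode": "access", "vlan": 10}
TRUNK_PORT = {"mode": "trunk", "native_vlan": 1, "allowed": {10, 20}}
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:13:f7:18:a1:ac", ETHERTYPE_ARP, b"\x00" * 28)
TAGGED_20 = build_frame("00:13:f7:18:a1:b0", "00:13:f7:18:a1:ac", ETHERTYPE_IPV4,
                        b"\x45" + b"\x00" * 19, vid=20, pcp=5)
TAGGED_99 = build_frame("00:13:f7:18:a1:b0", "00:13:f7:18:a1:ac", ETHERTYPE_IPV4,
                        b"\x45" + b"\x00" * 19, vid=99)

if __name__ == "__main__":
    print(parse_ethernet(TAGGED_20))
    for name, port in (("access", ACCESS_PORT), ("trunk", TRUNK_PORT)):
        for label, frame in (("untagged", UNTAGGED), ("vid20", TAGGED_20), ("vid99", TAGGED_99)):
            print(name, label, ingress_decision(port, frame))
```

The two defensive settings the example encodes are exactly the ones that close the hole described above: make every user-facing port an explicit access port (so a host-built 802.1Q tag is discarded rather than honoured) and prune each trunk to the VLANs it actually needs to carry.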
Layer 3 Security Threats
At the network layer of the OSI model we find the Internet Protocol (IP), with ICMP being an integral part of it. Layer 3 is vulnerable to multiple DoS attacks and privacy disclosure attacks.
Packet Sniffing
We discussed packet sniffing earlier in this article and how attackers in a switched network can sniff packets that don't belong to them. If the network is not switched (e.g. a hub is used), packet sniffing becomes a lot easier. Sniffing packets means capturing IP traffic using tools like dsniff, tcpdump, ethereal, etc. Because data from upper layers is encapsulated into IP packets, all the information from those layers can be disclosed when analyzing (decapsulating) IP packets. Protocols like POP3, SMTP, SNMP, etc. transmit passwords in clear text, and so decoding captured IP packets may disclose such sensitive data.
Packet sniffers like dsniff include tools that decode those packets and store the recovered information in a file in clear text. Securing Layer 2 with managed switches can drastically reduce the success of packet sniffers in the network. Also, creating encrypted VPNs using IPSec or other encryption means will reduce the possibility of the data being sniffed almost to zero.