isom 317 - local area networks research paper

Upload: alyson-johnson

Post on 05-Apr-2018


  • 7/31/2019 ISOM 317 - Local Area Networks Research Paper

    1/14

    Richard Bach

    ISOM 317

    Research Paper: Chapter 6 - Local Area Network


    Table of Contents

    Introduction ................................ 3
    Threats ..................................... 3
    Firewalls ................................... 4
      Hardware Firewalls ........................ 5
      Software Firewalls ........................ 5
    Proxies ..................................... 6
    Hubs vs. Switches ........................... 6
    Wired vs. Wireless Networking ............... 8
    Third-Party Networks ........................ 10
    Network Design/Layout ....................... 11
    Bibliography ................................ 13


    Richard Bach Page 3

    Introduction

    In recent years the word "security" has been thrown around quite a bit. Whether it is in reference to national security, border security, financial security, or even computer security, security has been moving to the forefront of our collective consciousness. Here I would like to discuss network security in relation to local area networks, but since most LANs do not exist in a vacuum it will be necessary to cover network security as it relates to other areas such as the Internet. I will cover topics ranging from firewalls, hubs, and switches to virtual private networks and encryption both from the perspective of a home user and a corporation. When finished, I hope to have laid out a solid foundation from which a greater understanding of computer and network security (and security in general) will arise. Naturally, before we can secure our networks we must first recognize what is at risk and how those things will be attacked.

    Threats

    First of all, let's outline what we hope to protect on our network(s). Our main goals in securing a network are to "protect confidential information from those who do not explicitly need to access it," and "protect [the] network and its resources from malicious users and accidents that originate outside of [the] network." (Cisco Systems, Inc.) Common threats to confidential information include packet sniffing, IP address spoofing, man-in-the-middle attacks, and password attacks.

    Packet sniffing is perhaps the coolest of the attack methods listed above in the writer's opinion. Typically, information is sent over the network in "clear text" that any person or program that happens to be listening in can pick up, read, and interpret (this, of course, was covered in our lab on Ethereal). Cisco defines a packet sniffer as "a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a local area network" (Cisco Systems, Inc.). Although packet sniffers have several perfectly valid uses such as diagnosing network problems, clearly they have the potential to be used to gather sensitive information on a local network. This information could be anything from a user's username and password to someone's Social Security or credit card number.

    IP Spoofing is the act of masking a network adapter's true IP address so that it matches some other arbitrary IP address. Typically, it would be used by someone with an untrusted IP address (perhaps they are outside your network or outside a specific portion of your network) to give themselves an address within a range of IPs that you do trust and thus gain some access to information available only to supposedly-trustable computers. Generally, an IP spoofing attack merely involves injecting one's own data or commands into an already-existing stream of data traveling over the network, but under the right circumstances the spoofer may be able to change routing tables to include their spoofed IP. In such cases they will have the same access to information as any other trusted user (Cisco Systems, Inc.).

    Password attacks take on many forms including brute-force attacks, Trojans, and the previously mentioned packet sniffing and IP spoofing attacks. Typically, password attacks take on the form of brute-force, social engineering, or trojans, making them less of a focus for this paper.

    Man-in-the-middle attacks also fall into the realm of being more of a concern for connections between computers within your network and the outside world (and thus outside the main target of this document), but they're still something to keep in mind when securing your local network. Basically, in a man-in-the-middle attack someone intercepts your network traffic and then forwards that traffic on to its intended destination. Clearly, these are closely related to packet sniffing (and indeed packet sniffers are often used in the attack) (Cisco Systems, Inc.).

    With that out of the way, we can move on to protecting the network.

    Firewalls

    A firewall could be seen as the first line of defense for your network. Firewalls can be defined as "a system or group of systems that enforces an access control policy between two or more networks." (Paul D. Robertson) In simpler terms, firewalls control what goes in and out of your network. While they typically take on the form of a piece of hardware that sits between your (trusted) network and the rest of the (untrusted) world, they can also take the form of software installed on your own computer. Each form has its own strengths and weaknesses that need to be weighed when designing a plan for securing your network.

    So how does a firewall work, anyway? In general, firewalls work at either the network or application layers. At the network layer, the firewall is able to do much less examination of the packets moving through it compared to its application layer-based brethren. As a trade-off, such firewalls tend to be faster than those of the application-layer variety (Paul D. Robertson). Hardware firewalls typically do their filtering based on the source and destination addresses and ports in each IP packet. More modern firewalls are also capable of keeping internal information on the state of various connections, and the content of the data streams passing through them (Paul D. Robertson). All of this goes on without user intervention or even their knowledge (unless, of course, something they try to access is blocked--that they'll certainly take notice of).


    A firewall that works at the application layer is capable of extensive logging and analysis of traffic passing through it. It generally takes on the form of a proxy running on the firewall hardware itself. An application layer firewall can also be used for network address translation (Paul D. Robertson). Although older application layer firewalls incurred a performance hit on their users, modern firewalls have come a long way both in improving performance and increasing transparency to the user. In fact, over the years both network layer and application layer firewalls have gradually moved closer together both in features and speed. Today most firewalls are a hybrid of these two approaches (Paul D. Robertson).

    Hardware Firewalls

    As stated previously, hardware firewalls are by far the most common of the two varieties. The basic idea is that all the data traveling into or out of the network goes through the firewall. This gives us a rather convenient, central place to enforce the bulk of our security policies. They are typically configured to block any incoming traffic that wasn't specifically asked for by a machine within your network, but they generally do not guard against data flowing out of your network. Since everything traveling between your network and the outside world goes through the firewall, it serves as an excellent point to log traffic, too, if you so desire (Paul D. Robertson).
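The behaviour just described, as an added example (not code from the paper or any cited vendor): a small model of a stateful perimeter firewall that lets inside machines open connections, admits inbound packets only when they answer such a connection or hit a deliberately published service, logs every verdict at the one choke point, and drops WAN-side packets that claim an inside source address (the IP spoofing case from the Threats section). The address range, ports and the Packet type are constructed for the demonstration.

```python
"""Minimal stateful perimeter-firewall model (constructed demonstration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("192.168.1.0/24")   # assumed LAN address range


@dataclass(frozen=True)
class Packet:
    iface: str    # "lan" or "wan": the interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Allows outbound flows, remembers them, and only lets replies back in."""

    def __init__(self, allowed_inbound=()):
        # (proto, dport) pairs deliberately published to the outside world
        self.allowed_inbound = set(allowed_inbound)
        self.state = set()   # flows opened from inside: (proto, src, sport, dst, dport)
        self.log = []        # (verdict, packet) for every packet seen

    @staticmethod
    def _inside(addr):
        return ip_address(addr) in TRUSTED

    def filter(self, pkt):
        verdict = self._decide(pkt)
        self.log.append((verdict, pkt))   # the firewall is the natural logging point
        return verdict

    def _decide(self, pkt):
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        # anti-spoofing: an inside address can only legitimately appear on the LAN side
        if pkt.iface == "wan" and src_in:
            return "DROP"
        if pkt.iface == "lan" and not src_in:
            return "DROP"
        if src_in and not dst_in:
            # outbound: record the flow so that its reply is recognised later
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not src_in and dst_in:
            # inbound: only replies to known flows or published services get through
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "ACCEPT"
            if (pkt.proto, pkt.dport) in self.allowed_inbound:
                return "ACCEPT"
            return "DROP"
        return "DROP"   # anything else does not belong on the perimeter


def run_demo():
    """Constructed traffic sample; returns the verdicts in order."""
    fw = StatefulFirewall(allowed_inbound={("tcp", 443)})
    sample = [
        Packet("lan", "192.168.1.10", "203.0.113.5", 51000, 80),   # LAN host opens a web connection
        Packet("wan", "203.0.113.5", "192.168.1.10", 80, 51000),   # the server's reply matches state
        Packet("wan", "198.51.100.7", "192.168.1.10", 4444, 445),  # unsolicited inbound probe
        Packet("wan", "198.51.100.7", "192.168.1.20", 5555, 443),  # published HTTPS service
        Packet("wan", "192.168.1.50", "192.168.1.10", 1234, 22),   # inside address on the WAN: spoofed
    ]
    return [fw.filter(p) for p in sample]


if __name__ == "__main__":
    print(run_demo())   # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'DROP']
```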

    A nice benefit of a hardware firewall compared to a firewall implemented in software is that since it is an entirely separate piece of hardware none of your computers' resources are used to keep it running, keeping the overall impact on performance to a minimum. This separation from the computers comes at a price, however, and that is the hardware firewall's inability to filter traffic based on the program it came from, a feature the software firewalls are able to implement.

    Software Firewalls

    As the name suggests, a software firewall exists purely as a piece of software the user must install on their own computer. They have similar functionality to their hardware-based counterparts, but obviously have some advantages (and disadvantages) compared to them, too. The most obvious disadvantage is that the firewall has to be set up on each individual machine and even if the firewall is preinstalled on the system (suppose you've chosen to use the built-in Windows firewall) you'll still need to configure it. Also, since the firewall is a piece of software running on the computer it is taking up system resources that could be used for more valuable work. They can also fall victim to nasty malware that may infect a system and disable the firewall (much like some viruses, worms, etc. may disable antivirus software) without the user's knowledge. While it is possible that a flaw in a hardware firewall could allow it to be compromised in some way, this would be theoretically more difficult than circumventing a software firewall.


    The chief advantage of a software firewall as I see it is its remarkable ability to control which programs have access to the computer's network adapters. While basic firewalls such as the one included in Windows XP don't take advantage of this, products such as Zone Alarm, Kerio Personal Firewall, and Sygate do. Suppose we're running a new web browser for the first time. When the browser first attempts to access the network, the software firewall will pop up a message informing the user that the program has tried to access the internet and gives the user the choice of allowing the program to connect or stopping it. This added functionality comes at the price of potentially annoying the user, however, and in a corporate environment it probably isn't the best idea to let the users decide for themselves what to allow through to the network.

    Proxies

    Proxies are somewhat related to firewalls and can be defined as "an application that mediates traffic between a protected network and the Internet." (Paul D. Robertson) Proxies can log traffic or provide support for user authentication and are application-specific. For example, you must have separate proxies for FTP, HTTP, and telnet traffic. Generic proxies such as SOCKS exist, but they don't support application-specific features (Paul D. Robertson). As an aside, it should be noted that proxies also have several fun uses for the mischievous system administrator. For example, you could flip images in web pages upside down (http://www.ex-parrot.com/~pete/upside-down-ternet.html). I wouldn't recommend doing anything like that on anything other than a home network, however.

    Hubs vs. Switches

    So we have a firewall guarding the perimeter of our network from the perils of the Internet, but how should we connect the computers to each other and the rest of the world? Our options, fortunately, are sparse and it should be obvious what to use. First, though, we must analyze those options: hubs and switches.

    As noted in class, a hub is simply a repeater. It takes the signal coming in on one of its ports, amplifies it, and sends it back out on its other ports. This makes it possible to create a chain of hubs to connect computers over greater distances than otherwise would be possible, but it has some serious downsides that make hubs less than attractive options for connecting computers. First of all, every computer on the network receives all of the data being sent through the hubs. On a large enough network this will clearly lead to severe performance problems and to various security problems. Remember those packet sniffers we learned about a couple pages back? Hubs make it trivially easy for packet sniffing applications such as Ethereal to monitor all the traffic going through the network as was illustrated quite plainly in the lab we did on Ethereal. This isn't much of a problem if you are certain you can trust everyone on the network, but there are many cases where you can't be sure of that. We'll get into those later. In short, hubs are a fairly basic tool to connect a network of computers.

    Switches, on the other hand, are relatively advanced. Unlike hubs, they analyze the packets passing through them and forward them only to the port through which they know the destination machine can be reached. As Lantronix puts it,

    "Switches map the Ethernet addresses of the nodes residing on each network segment and then allow only the necessary traffic to pass through the switch. When a packet is received by the switch, the switch examines the destination and source hardware addresses and compares them to a table of network segments and addresses. If the segments are the same, the packet is dropped ("filtered"); if the segments are different, then the packet is "forwarded" to the proper segment. Additionally, switches prevent bad or misaligned packets from spreading by not forwarding them." (Lantronix)

    The advanced filtering of a switch gives us the possibility not only of improving network performance but also improving security.

    Switches improve network performance by dividing the network into a series of smaller networks, resetting distance and repeater limitations. In addition, they reduce collisions (which in turn reduces congestion of the network). (Lantronix) However, you don't always see a positive effect on performance by using switches. In small networks where there aren't many collisions anyway the latency delays inherent in switches may in fact slow the network down. In a large network the key to improving performance can be the location you place the switch in the network. Placing a switch in an area where most of the packets a switch receives will be forwarded anyway will give you much less of a performance boost than putting it in a location where most of the traffic it sees gets filtered. (Lantronix)

    More to the point of this paper, switches enhance the security of a network. Switched networks are far less susceptible to packet sniffing attacks, for example. Since information is forwarded directly to the computer intended to receive it, the packet sniffing computer doesn't get a chance to capture and examine the data. In fact, the attacker will have no idea information was even being exchanged. There are, of course, exceptions to this rule. If the attacker employs tactics such as ARP spoofing or MAC flooding they may be able to trick the switch into giving up its secrets. ARP spoofing involves tricking the switch into using your own computer's MAC address as the network gateway and MAC flooding is simply overwhelming the switch with a deluge of spurious MAC addresses hoping it will choke on all the data and fall into a failsafe mode where it begins behaving as a hub would.

    There are, of course, downsides to switches. Besides the possible performance issues mentioned above, it is also difficult to monitor traffic going through switches for the same reasons malicious packet sniffers have difficulty snooping traffic. Some higher quality switches have the ability to broadcast all traffic out onto a designated port allowing an admin to monitor traffic, but such switches are more expensive. Consumer level switches are barely more expensive than hubs these days, so at least for them it is becoming increasingly pointless to bother with hubs. Of course, we're ignoring the increasingly popular wireless networks. Naturally, they open up a whole new can of security considerations.
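To make the switch behaviour quoted from Lantronix and the two failure modes discussed above concrete, here is an added example (not code from the paper or from Lantronix): a learning-switch model that forwards, filters or floods per the quoted rules, falls back to hub-like flooding once its address table is exhausted, copies traffic to an optional monitoring port, and shows a per-port address limit (the usual "port security" control) as the mitigation that keeps the table from being exhausted. All addresses, port numbers and table sizes are constructed.

```python
"""Learning-switch model with table exhaustion, mirror port and port security."""


class Switch:
    def __init__(self, ports, table_size=8, max_macs_per_port=None, mirror_port=None):
        self.ports = list(ports)
        self.table_size = table_size                # capacity of the MAC-to-port table
        self.max_macs_per_port = max_macs_per_port  # None disables port security
        self.mirror_port = mirror_port              # receives a copy of every frame
        self.table = {}                             # mac -> port
        self.alerts = []                            # (port, mac) port-security violations

    def _learn(self, src, port):
        """Record where `src` lives. Returns False if port security rejects it."""
        if src in self.table:
            self.table[src] = port                  # host moved: update
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.alerts.append((port, src))     # this is what an admin should be told about
                return False
        if len(self.table) < self.table_size:
            self.table[src] = port
        # with a full table the address is simply not learned; the frame is still handled
        return True

    def receive(self, in_port, src, dst):
        """Handle one frame; returns the sorted list of ports it is sent out of."""
        if not self._learn(src, in_port):
            return []                               # port security: drop the frame
        out_port = self.table.get(dst)
        if out_port is None:
            # unknown destination (or exhausted table): flood like a hub, except the source port
            out = {p for p in self.ports if p != in_port}
        elif out_port == in_port:
            out = set()                             # same segment: filtered
        else:
            out = {out_port}                        # forwarded to the proper segment only
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)
        return sorted(out)


def demo(port_security):
    """A host on port 3 announces many source addresses before two real hosts talk.
    Returns (ports host A's reply is sent to, number of port-security alerts)."""
    sw = Switch(ports=[1, 2, 3], table_size=4,
                max_macs_per_port=2 if port_security else None)
    for i in range(6):   # six spurious source addresses against a four-entry table
        sw.receive(3, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01")          # B (port 2) -> A (port 1)
    out = sw.receive(1, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02")    # A's reply to B
    return out, len(sw.alerts)


if __name__ == "__main__":
    print("no port security:", demo(False))   # reply also reaches port 3: hub behaviour
    print("port security:   ", demo(True))    # reply goes only to port 2, 4 alerts raised
```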

    Wired vs. Wireless Networking

    Wireless networks are wonderfully convenient tools. Why run countless feet of wires and mess around with hubs and switches when you can simply place a couple wireless access points in strategic locations and be done with the whole thing? Sadly, given the ease with which a wireless network can be set up (just plug the wireless router/access point in and go) most people don't seem to put much more thought into choosing a wired or wireless network than what I've briefly outlined. If only they knew the severe security risks wireless networks present us with.

    First of all, most wireless networks are stupidly easy to spy on. At least with wired networks your would-be malefactor's ability to sniff your traffic is limited to the areas he has physical access to plug into the network. Since an access point is sending its signal out in, well, every single direction possible, evildoers could attack from pretty much anywhere your AP's signal reaches. In densely packed office buildings or apartment complexes you may have no way to tell who is trying to connect to your network (or where precisely they are). So how can we protect ourselves over the airwaves? Let's start with some of the less effective safeguards first and work our way up, shall we?

    The least effective way to secure your network is to simply disable SSID broadcasting on your access point or router. The SSID is basically the "name" of your network, such as bsu. Once SSID broadcasting is off, your access point will no longer show up when you scan for wireless networks to connect to, preventing most people from even knowing your network exists, let alone connecting to it. Unfortunately, with the right software someone can find your SSID and connect anyway (Jupitermedia).

    The next not-so-effective technique for securing an access point is to use MAC address filtering. To use this, you basically set up a "white list" of MAC addresses that are allowed to connect to your network. If someone whose network adapter is not on the list tries to connect they'll simply be unable to do so successfully. The flaw here is that the MAC address can be spoofed (Jupitermedia). Since it is possible to analyze wireless traffic without connecting to the network, it is trivial to monitor the data streams to find a valid MAC address to spoof as your own. Besides, it can be a small pain to enter the MAC address for every device you wish to grant access to your network.

    Moving up the line, we come to encrypting the data traveling over your wireless network. This is undoubtedly a good idea, but what should we use to do it? For 802.11 wireless networks, we basically have two options: Wired Equivalent Privacy and Wi-Fi Protected Access. In keeping with the pattern we've established of working up from least secure to most secure, let's cover WEP first.

    Like a wired network in general, WEP is vulnerable to various attacks such as:

    "Passive attacks to decrypt traffic based on statistical analysis.

    Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.

    Active attacks to decrypt traffic, based on tricking the access point.

    Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic." (Nikita Borisov)

    Before explaining these in detail we must first dig a little to learn how WEP works, without delving too deep into the specifics of WEP's cryptography. WEP uses RC4 encryption, which works by expanding a short key into an infinite random key stream. This key stream is combined with the message being sent to encrypt the data. On the receiving end, the same key stream is used to decrypt the data. An Initialization Vector is combined with the key stream to prevent the same encryption key from being used for every packet traveling over the network (Nikita Borisov). Unfortunately, this is implemented badly and provides little real security. Basically, the IV field is of such a short length that eventually you are certain to repeat it.
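The two facts in that paragraph, made concrete in an added example (not code from the paper or from Borisov et al.): RC4 is implemented as the cipher WEP actually uses, seeded the WEP way with the 24-bit IV followed by the shared key. The code shows that a repeated IV reproduces the same key stream, so two packets encrypted under it leak the XOR of their plaintexts, and that with only 2^24 IV values a repeat is expected after a few thousand packets. The 24-bit IV is WEP's real parameter; the key, IVs and packet contents are constructed.

```python
"""RC4 as used by WEP, with the consequences of a short, repeating IV."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP per-packet encryption: RC4 seeded with IV || key, XORed over the data.
    The IV travels in the clear, so decryption is the very same call."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return xor_bytes(data, rc4_keystream(iv + key, len(data)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were encrypted under the same IV and key, the key stream
    cancels and this equals p1 XOR p2: the structure of the plaintexts leaks."""
    return xor_bytes(c1, c2)


def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with randomly chosen IVs the first repeat is expected
    after about sqrt(pi/2 * 2^iv_bits) packets (roughly 5,100 for WEP)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# constructed sample: a 40-bit shared key and two equally long packet payloads
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P1 = b"GET /index.html HTTP/1.0"
P2 = b"POST /login.cgi HTTP/1.0"
C1 = wep_encrypt(IV, KEY, P1)
C2 = wep_encrypt(IV, KEY, P2)   # the same IV reused: the weakness under discussion


if __name__ == "__main__":
    print("round trip ok:   ", wep_encrypt(IV, KEY, C1) == P1)
    print("c1^c2 == p1^p2:  ", keystream_reuse_leak(C1, C2) == xor_bytes(P1, P2))
    print("packets before an IV repeat: %.0f" % expected_packets_until_iv_repeat())
```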

    The first attack method, passive attempts to decrypt traffic using statistical analysis, is made possible through WEP's poor implementation of the IV. Once an IV is repeated enough times, an attacker can gather this data together to begin analyzing the contents of the data. Since IP traffic can be fairly repetitive and predictable, the possibilities for the contents of the packets fall dramatically. With just a few packets it is possible to fully decrypt a packet and from there it is simple to decipher the rest of the messages (Nikita Borisov).

    The active data injection attack builds on the information gathered from the previous attack. Once one packet has been decrypted, it is possible to create your own packets that will be accepted by the access point. Active traffic decryption involves guessing the packet header rather than the data itself (and all you really need is the destination IP address). From there, the attacker can change the destination IP to that of a computer they control and send it on its way. The access point will decrypt the message for the attacker and then send the packet to the destination computer. Once received, the attacker now has both the encrypted and plaintext versions of the packet to analyze (Nikita Borisov).

    The final form of attack is the most dangerous. It also happens to be the attack that takes the most time. In a nutshell, it involves using the above methods to gather all the IVs and key streams used by an access point. Once collected, the attacker will have essentially unrestricted access to any data going over the wireless network even to the point where they're decrypting information in real-time (Nikita Borisov).

    Even with all of these flaws WEP still has its uses. Bad encryption is better than no encryption at all (although I suppose you should use the qualifier, "as long as you know it is bad encryption"). Even SSID hiding and MAC address filtering have their uses. At the very least they will prevent random people from connecting to your network. In the case of WEP it will serve as a speed bump for those with the knowledge of cracking WEP. Under no circumstances should you do anything terribly important (such as checking email you'd rather not have anyone else see) on a WEP-"protected" access point, however. Personally, I wouldn't even do online banking or shopping even though they're typically secured with SSL, but that's just me. So what do we use if we want our wireless network to be absolutely secure? The answer is simple: use WPA.

    WPA was created by the Wi-Fi Alliance to address WEP's shortcomings. Not only did it succeed in that goal, but it also adds the ability to use user authentication, a feature that was missing in WEP (Wi-Fi Alliance). It is most commonly used in WPA-PSK mode. PSK stands for "Pre-Shared Key". Like in WEP, the user enters a passphrase when connecting to the network and that is used to generate the encryption key. Unlike WEP, this phrase is in the form of 8-63 ASCII characters (WEP required a much longer hex string). Like any other password, a longer, more random passphrase is more secure than a short dictionary word or two. Tools exist online to generate long, secure passphrases to use when setting up a WPA-PSK network but they aren't strictly necessary. As it stands, the only known vulnerability in WPA is the possibility for an attacker to brute-force the passphrase, but that can't be avoided and is mitigated with a sufficiently long passphrase, anyway.
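How the passphrase actually becomes the key, and why its length is the only lever a home user has, as an added example (not code from the paper or the Wi-Fi Alliance). The derivation is the one IEEE 802.11i specifies for WPA-PSK: the 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, which is why the 8 to 63 character rule exists and why guessing is slow per attempt. The "password"/"IEEE" pair is the standard's own published test vector; the other passphrases and the guess rate are constructed, and the entropy figure is a simple character-class heuristic, not a measurement.

```python
"""WPA-PSK key derivation (IEEE 802.11i) plus a rough passphrase-strength estimate."""
import hashlib
import math
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Heuristic: characters drawn uniformly from the classes the passphrase uses.
    This overstates the strength of dictionary words; treat it as an upper bound."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def years_to_brute_force(passphrase: str, guesses_per_second: float) -> float:
    """Expected time to search half the (heuristic) keyspace at a given PBKDF2 rate."""
    guesses = 2 ** (passphrase_entropy_bits(passphrase) - 1)
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # standard test vector: f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(wpa_psk("password", "IEEE").hex())
    rate = 1e6   # constructed: one million PBKDF2 guesses per second
    for p in ("password", "correct horse battery staple", "Tr0ub4dor&3-Zq9!pL2m"):
        print(f"{p!r:32} {passphrase_entropy_bits(p):6.1f} bits  "
              f"{years_to_brute_force(p, rate):.3g} years")
```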

    Third-Party Networks

    All this talk of MAC filtering and SSIDs and WPA is nice, but what do you do in a situation where you've connected to a network you don't have control over? Perhaps you're using a hotel's local network or maybe you're spending a bit of time at the local Starbucks enjoying an overpriced coffee and their open access point. Obviously, since you're not in control of these networks you can't set up filtering or encryption or anything else of the sort. Given that it isn't our network we probably don't care much about who gets on there as long as they can't interfere with our usage, so really our main concern is other people snooping around our data streams. We can prevent that easily enough using Virtual Private Networking.

    Microsoft defines a VPN as "the extension of a private network that encompasses links across shared or public networks like the Internet in a manner that emulates a point-to-point private link (such as a dial-up or long haul T-Carrier-based WAN link)." (Microsoft) There are several types of VPN connections, but for our purposes we only need to be concerned with what is known as Remote Access VPN. In this scenario, a computer runs VPN client software to connect to the remote VPN server. All data travelling between the client and server is encrypted, preventing anyone who may be packet sniffing from getting any useful information from the data.

    Of course, what good is a VPN client if we don't have a server to connect to? In our case we could connect to Ball State's VPN (http://bsu.edu/vpn for more information), but obviously that won't work for the general public. The more technically-minded may choose to set up their own VPN using their home internet connection and software such as OpenVPN (http://openvpn.net/). For those who don't want to bother with the complexities of setting up a VPN server themselves, there are commercial services such as Hamachi (http://www.hamachi.cc/) that provide a server and client software for you to use (for a fee, of course). Regardless of which solution you use, however, it should be noted that once your traffic reaches the VPN server it is decrypted for the rest of its journey over the Internet to its destination, but that probably is what they call a "no-brainer".

    Network Design/Layout

    Let us return to our own dominion for a bit and cover how we should lay out our local network to be as secure as it can possibly be using the technologies we've outlined above. Our first (and main) consideration is how we wish to logically lay out our routers, switches, firewalls, etc. Most home users opt for a single router/switch for their network and they usually choose a product that also acts as a wireless access point. This is a nice, compact, convenient, and relatively cheap package, but it isn't as secure as it could be. First of all, there is usually no separation between the machines connected through the router's Ethernet ports and those connected through the WAP. For many this isn't considered a problem, and it is even desirable behavior, but the truth of that assumption depends entirely on how well you trust the machines connecting to the WAP. If your access point is completely open, you can't really trust anyone connected to it, but if you're using WPA it is much more likely that the machines are trustworthy (unless, of course, your WPA passphrase is easy to crack or you hand it out to random people for some inexplicable reason).

    Even so, some may still not trust even WPA-secured connections and will want to segregate them from the rest of the network. One way to do that would be to take three separate firewalls, a router (substitute this for one of the firewalls if you wish), a WAP, and a switch and arrange them like so:

    1. Connect the router/firewall to your Internet connection (DSL, cable, etc).
    2. Connect each of the two remaining firewalls to separate ports on your firewall/router.
    3. Connect your WAP to firewall A.
    4. Connect your switch to firewall B and then connect your wired clients to the switch.

    This will leave you with a Y-shaped arrangement of access points, firewalls, and switches. Firewalls A and B will prevent traffic from the other firewall from passing through, effectively segmenting the two from one another while both retain Internet connectivity. If a wireless client needs to access a resource on the wired segment you can set up a VPN to connect that computer to the wired network. This requires significantly more work and money than simply going with a broadband router, so it isn't for everybody.

    So it turns out that while a LAN can be a dangerous place, it is possible to protect yourself without too much effort. Even moderate security is probably enough to keep most people off your network and from spying on you. Even so, there is so much more to computer security than the network, and you're only as safe as the weakest link in your chain. Even the strongest front door with 11 locks is useless if you leave a window open at night.


    Bibliography

    Cisco Systems, Inc. Evolution of the Firewall Industry. 28 September 2002. 28 October 2006.

    ---. Why You Need a Firewall. 28 September 2002. 28 October 2006.

    Jupitermedia. Securing your Wireless Network. 2006. 30 October 2006.

    Lantronix. Network Switching Tutorial. 29 October 2006.

    Microsoft. Virtual Private Networking: Frequently Asked Questions. 21 July 2003. 30 October 2006.

    Nikita Borisov, Ian Goldberg, David Wagner. (In)Security of the WEP algorithm. 30 October 2006.

    Paul D. Robertson, Matt Curtin, Marcus J. Ranum. Internet Firewalls: Frequently Asked Questions. 26 July 2004. 28 October 2006.

    Wi-Fi Alliance. Wi-Fi Protected Access White Paper. 29 April 2003. 30 October 2006.
