This essay has been submitted by a student.
Today computer networks carry large amounts of data, some of which is sensitive. In this document I discuss ways in which a network can become vulnerable to attack: man-in-the-middle attacks, spanning tree attacks, security issues related to trunking, and security issues relating to identity spoofing.
What is a man-in-the-middle attack?
A man-in-the-middle attack is an attack in which a third party intercepts, and can read or alter, communication between two hosts that believe they are talking directly to each other. It is also known as a bucket-brigade or monkey-in-the-middle attack. Session hijacking (also called TCP hijacking or TCP session hijacking) is a related attack in which the attacker takes over an established connection rather than relaying it.
On a switched local network the attack is usually carried out with ARP spoofing. The attacker introduces a rogue device onto the network and sends forged ARP replies to two hosts so that each one associates the other's IP address with the attacker's MAC address. Both hosts then send their traffic to the attacker, who forwards it on so that the conversation appears normal.
Consider two hosts, host one and host two, and an attacker who connects a third device, host three, to the same VLAN (it need not be the same switch, only the same broadcast domain, since ARP does not cross routers). Once host three can talk on the network it sends host one a forged ARP reply claiming that host two's IP address is at host three's MAC address, and sends host two the matching reply about host one. Both hosts update their ARP caches, and from then on every frame host one addresses to host two is delivered by the switch to host three, and vice versa. Host three must forward the traffic on to the real destination (for example by enabling IP forwarding), otherwise the connection simply breaks and the attack is noticed; while it forwards, it can capture and modify every packet in both directions.
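As an added example (not part of the original essay), the following Python script builds the two forged ARP replies host three would send, using the raw Ethernet/ARP frame layout, and feeds them to a model of a host with the classic unprotected ARP behaviour. The MAC and IP addresses and the hosts' cache update rule are constructed for the illustration; the script does not put anything on the wire.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte ARP reply (RFC 826 layout).

    The forged frame says 'sender_ip is at sender_mac', addressed to the target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the fields a victim's ARP code looks at; None if not an ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


class Host:
    """A host with the classic, unprotected ARP behaviour (constructed model): any reply
    addressed to it overwrites the cache entry for the sender IP, solicited or not."""

    def __init__(self, mac, ip):
        self.mac, self.ip, self.arp_cache = mac, ip, {}

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["target_ip"] == self.ip:
            self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def poison(attacker_mac, a, b):
    """Send each victim a forged reply claiming the other's IP lives at the attacker's MAC."""
    to_a = build_arp_reply(attacker_mac, b.ip, a.mac, a.ip)
    to_b = build_arp_reply(attacker_mac, a.ip, b.mac, b.ip)
    a.receive(to_a)
    b.receive(to_b)
    return to_a, to_b


def demo():
    """Constructed example: hosts one and two on 192.168.1.0/24, attacker is host three."""
    host1 = Host("00:11:22:33:44:01", "192.168.1.10")
    host2 = Host("00:11:22:33:44:02", "192.168.1.20")
    attacker_mac = "00:11:22:33:44:ee"
    # Before the attack each host has the other's real MAC cached.
    host1.arp_cache[host2.ip] = host2.mac
    host2.arp_cache[host1.ip] = host1.mac
    poison(attacker_mac, host1, host2)
    # Both hosts now address frames meant for each other to the attacker's MAC.
    return host1.next_hop_mac(host2.ip), host2.next_hop_mac(host1.ip)


if __name__ == "__main__":
    print(demo())
```

Sending such frames on a real network needs a raw socket and root; the point here is to see the frame that does the damage: 42 bytes, with the attacker's MAC in both the Ethernet source and the ARP sender hardware address field, and nothing in it a host can check without help from the switch. Hosts time out ARP entries, so the attacker has to resend the replies every few seconds to keep the caches poisoned.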
Once in the middle, the attacker can do more than read traffic: substitute their own public key during a key exchange, inject commands or malicious code into a session, or force a downgrade to a weaker protocol version or cipher.
Many of the tools network managers use to monitor their networks serve an attacker equally well, because they capture the packets crossing the network and so show what users are doing.
The following tools are commonly used by attackers to capture and analyse network traffic:
Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Dsniff is a collection of tools for network auditing and penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). Arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). Sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Yersinia is a network tool designed to take advantage of weaknesses in several layer-2 protocols, among them STP, CDP, DTP, DHCP, 802.1Q and VTP. It is intended as a framework for analysing and testing deployed networks and systems.
Spanning Tree Attacks
Spanning tree protocol (STP) exists to prevent switching loops. Redundancy is desirable in a network: switch one and switch two may be joined by more than one link so that if one fails the switches can still communicate. Without STP, two active links between the same switches form a loop in which broadcast frames circulate forever. With STP enabled, one link forwards and the other is placed in the blocking state; if the active link fails, the blocked one is unblocked and connectivity remains. STP builds this topology by having every switch send bridge protocol data units (BPDUs), which carry the sender's bridge ID (a configurable priority followed by the switch's MAC address), the bridge ID it currently believes is the root, and the path cost to that root. The switch with the lowest bridge ID is elected root bridge. Every other switch then keeps the lowest-cost port towards the root (cost is derived from link speed) and blocks its redundant ports. A blocked link is not down; it still listens for BPDUs so that, when a link becomes unavailable, the topology is recomputed and the next best path activated.
The first step in a spanning tree attack is to take over the role of root bridge. The attacker's device sends BPDUs advertising a bridge priority lower than that of the real root (priority 0 is the lowest possible), and because the lowest bridge ID wins, every switch accepts it as root and recomputes its paths. The attacker can then influence which path data takes: links STP had chosen as best may be blocked and redundant or slower links brought into use, changing the active topology from the high-speed paths to low-speed ones. This is useful for a man-in-the-middle attack. If the attacker's device is connected to two switches, traffic between those switches is carried through it rather than across the link that was planned for, and the attacker can capture it with a packet monitor. The other use is denial of service: by repeatedly claiming and then withdrawing the root role, or sending a stream of topology change notifications, the attacker forces every switch to recompute the topology continuously; ports are held in the listening and learning states while this happens, the switches' CPUs are consumed processing BPDUs, and traffic stops.
To keep switches from being affected by spanning tree attacks the network manager must configure the protocol correctly. BPDU guard is the most effective protection. It is enabled on access ports (ports facing end devices, usually configured with PortFast), where no BPDU should ever be received. Without it, a rogue switch with a better bridge ID than the existing root bridge causes the topology to change. With BPDU guard enabled, the port is put into the err-disabled state as soon as the first BPDU arrives on it, before that BPDU can affect the topology, and it stays down until an administrator issues shutdown followed by no shutdown on the port (or err-disable recovery is configured). BPDU filtering, on the other hand, stops the port from sending or processing BPDUs. Enabled per interface this is equivalent to disabling spanning tree on that port, so a switch connected there can create a switching loop; it is not a substitute for BPDU guard.
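To make the root election and the effect of BPDU guard concrete, here is an added Python model (example code, not from the essay or any switch vendor) of the part of STP the attack abuses: each switch compares the root bridge ID advertised in incoming BPDUs with its own and adopts the lowest. The switch MAC addresses and port names are made up, and the model elects the root only; it does not compute path costs or port states.

```python
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class BridgeId:
    """STP bridge ID: priority (default 32768, steps of 4096) then MAC; the lowest wins."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    sender_id: BridgeId


class Switch:
    def __init__(self, priority, mac, bpdu_guard_ports=()):
        self.bridge_id = BridgeId(priority, mac)
        self.root_id = self.bridge_id          # every switch starts by claiming to be root
        self.bpdu_guard_ports = set(bpdu_guard_ports)
        self.errdisabled = set()

    def bpdu(self):
        return Bpdu(self.root_id, self.bridge_id)

    def receive(self, port, bpdu):
        """Process a BPDU arriving on port. Returns True if the believed root changed."""
        if port in self.errdisabled:
            return False
        if port in self.bpdu_guard_ports:
            # BPDU guard: an edge port must never see a BPDU; err-disable it on the first one.
            self.errdisabled.add(port)
            return False
        if bpdu.root_id < self.root_id:
            self.root_id = bpdu.root_id
            return True
        return False


def converge(links, max_rounds=50):
    """links: (switch_a, port_a, switch_b, port_b). Exchange BPDUs until nothing changes."""
    for _ in range(max_rounds):
        changed = False
        for a, pa, b, pb in links:
            changed |= b.receive(pb, a.bpdu())
            changed |= a.receive(pa, b.bpdu())
        if not changed:
            break


def scenario(bpdu_guard_on_access):
    """Two legitimate switches with default priority; an attacker's switch with priority 0
    plugs into an access port of sw2. Returns (root seen by sw1, root seen by sw2,
    err-disabled ports on sw2). All addresses and port names are constructed."""
    sw1 = Switch(32768, "00:00:0c:00:00:01")
    sw2 = Switch(32768, "00:00:0c:00:00:02",
                 bpdu_guard_ports={"Gi0/10"} if bpdu_guard_on_access else set())
    rogue = Switch(0, "00:00:0c:00:00:ee")
    links = [
        (sw1, "Gi0/24", sw2, "Gi0/24"),    # legitimate inter-switch link
        (rogue, "eth0", sw2, "Gi0/10"),    # attacker on an access port of sw2
    ]
    converge(links)
    return sw1.root_id.mac, sw2.root_id.mac, sw2.errdisabled


if __name__ == "__main__":
    print("no guard:", scenario(False))
    print("BPDU guard:", scenario(True))
```

Without the guard the rogue's priority 0 beats the default 32768 on both real switches; with it, sw2 err-disables Gi0/10 on the first BPDU and sw1 stays root. BPDU guard only fits ports that should never carry BPDUs; on a link to a legitimate neighbour switch the corresponding control is root guard, which refuses a superior BPDU without shutting the port.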
Security Issues Related to Trunks and Trunking Protocols
A trunk is a link between switches that carries traffic for several VLANs at once, each frame tagged with its VLAN ID (802.1Q). VLAN Trunking Protocol (VTP), which runs over trunk links, lets the VLAN database configured on one switch be distributed to the other switches in the same VTP domain.
To set this up you first configure one switch with VTP mode server and a VTP domain name; this switch is the source of the VLAN database. You then create a trunk link by setting a port on the switch to trunk mode and connecting a second switch to it. The second switch is set to VTP mode client with the same domain name, and over the trunk it downloads the VLAN database (VLAN numbers and names) from the server. Note that VTP distributes only the VLAN database, not the rest of the switch configuration, and that a client accepts an advertisement only if the domain name matches and the advertisement carries a higher configuration revision number than the one the client already holds.
Attackers can exploit this protocol in a number of ways, for example:
The first is to connect a rogue switch with VTP set to client mode. If the port it is plugged into is left to negotiate trunking (the default on many switches is dynamic auto or dynamic desirable), the two switches recognise each other and bring the link up as a trunk. If the rogue switch has no domain configured it adopts the first domain it hears, and it then downloads the VLAN database from the nearest server. From that point the attacker has a trunk port into the network: any device plugged into the rogue switch can be placed in any VLAN, and monitoring software on the trunk interface captures the traffic of every VLAN the trunk carries.
Another way is to configure the rogue switch as a VTP server with the victim's domain name and a configuration revision number higher than the one in use. When it connects, every switch in the domain with VTP set to client (or server) accepts the advertisement and replaces its VLAN database with the attacker's. This lets the attacker reconfigure the VLANs across the whole network; in the simplest case, advertising an empty database deletes every VLAN and cuts off every host assigned to them.
A VLAN hopping attack lets an attacker reach a VLAN they are not assigned to. In the double-tagging form, the attacker sends frames carrying two 802.1Q tags: an outer tag for the attacker's own VLAN, which must be the native VLAN of the trunk, and an inner tag with the VLAN ID of the target VLAN. The first switch removes the outer tag, because native VLAN traffic is sent untagged on the trunk, and the next switch reads the remaining inner tag and delivers the frame into the target VLAN, even though the port the frame came from is not assigned to it. The attack is one-way, since replies do not come back the same route, but that is enough to deliver malicious traffic. The other form is switch spoofing, where the attacker's device negotiates a trunk with the switch as described above and can then tag frames for any VLAN.
You can protect trunking in a number of ways. One is to set a VTP password: every switch in the domain must be configured with the same password, which is used to compute an MD5 digest carried in each VTP advertisement, and a switch ignores advertisements whose digest does not match. Switches with the wrong password cannot push a VLAN database onto the domain. Trunk negotiation should also be disabled on every port facing end devices (configure them as access ports with DTP negotiation off), so that a rogue device cannot form a trunk at all.
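The following added Python example (not from the essay or any vendor) models the rule a VTP client applies to an advertisement, as described above: the domain name must match, the digest must verify, and the revision number must be higher. The digest layout is a simplified stand-in for VTP's real MD5 computation, and the domain name, VLANs and revision numbers are constructed. It shows the rogue-server attack from the section above succeeding on a domain without a password and failing when one is set.

```python
import hashlib


def vtp_digest(password, domain, revision, vlans):
    """Stand-in for the MD5 digest VTP carries in its summary advertisement.
    Real VTP hashes the secret with the advertised database in its own layout; the
    layout here is simplified, but the property is the same: a sender that does not
    know the password cannot produce a digest the receiver will accept."""
    body = "%s|%d|%s" % (domain, revision,
                         ",".join("%d:%s" % (vid, name) for vid, name in sorted(vlans.items())))
    return hashlib.md5(((password or "") + "|" + body).encode()).hexdigest()


def make_advert(domain, revision, vlans, password=None):
    return {"domain": domain, "revision": revision, "vlans": dict(vlans),
            "digest": vtp_digest(password, domain, revision, vlans)}


class VtpClient:
    def __init__(self, domain=None, password=None, revision=0, vlans=None):
        self.domain = domain          # None models the NULL domain of an unconfigured switch
        self.password = password
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})

    def receive(self, adv):
        if self.domain is None:
            # An unconfigured switch adopts the first domain it hears, which is why a
            # freshly unboxed switch is a risk in both directions.
            self.domain = adv["domain"]
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        expected = vtp_digest(self.password, adv["domain"], adv["revision"], adv["vlans"])
        if adv["digest"] != expected:
            return "ignored: bad digest"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
        return "applied"


def scenario(password):
    """A client joined to domain CORP receives the legitimate database, then a rogue
    server advertising a higher revision number without knowing the password.
    Returns the verdict on the rogue advertisement and the VLANs left on the client."""
    client = VtpClient("CORP", password)
    legit = make_advert("CORP", 10, {1: "default", 10: "users", 20: "servers"}, password)
    client.receive(legit)
    rogue = make_advert("CORP", 999, {1: "default"})   # attacker: higher revision, no password
    verdict = client.receive(rogue)
    return verdict, sorted(client.vlans)


if __name__ == "__main__":
    print("no password:", scenario(None))
    print("password set:", scenario("s3cret"))
```

The domain name is no protection on its own: VTP advertisements are sent in clear on every trunk, so an attacker who can see one learns both the domain name and the revision number they need to beat.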
Another control is switch port security, which is applied to access ports rather than trunks. It limits the MAC addresses allowed to send on a port, either configured statically or learned from the first devices connected, so that only a device with an allowed MAC address can use the port. Three violation actions are available: shutdown, restrict and protect. With shutdown, a frame from an unknown MAC address puts the port into the err-disabled state, blocking all traffic until it is re-enabled. Protect keeps the port up but silently drops frames from MAC addresses that are not allowed. Restrict is like protect but also writes a system log message and increments the violation counter.
To prevent VLAN hopping, the switch should apply ingress filtering on access ports and drop all tagged frames, since a workstation attached to an edge port has no reason to send tagged frames into the network. The native VLAN of each trunk should also be set to an unused VLAN (or configured to be tagged), so that an attacker's access VLAN can never match it.
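As an added example (not from the essay), this Python code builds a double-tagged 802.1Q frame and walks it through the two switches described above, then shows both mitigations: ingress filtering on the access port, and a native VLAN that differs from the attacker's VLAN. The MAC addresses, VLAN numbers and payload are constructed, and the switch behaviour is a simplified model of tag handling on an access port and a trunk.

```python
import struct

TPID_8021Q = 0x8100
ETH_P_IP = 0x0800


def tag(vid, pcp=0):
    """One 802.1Q tag: TPID then TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst_mac, src_mac, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more 802.1Q tags stacked after the MAC addresses."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + b"".join(tag(v) for v in vids) + struct.pack("!H", ETH_P_IP) + payload


def vlan_tags(frame):
    """VLAN IDs in the order they appear, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + tag(vid) + frame[12:]


def first_switch(frame, access_vlan, trunk_native, ingress_filter=False):
    """Frame enters on an access port in access_vlan and leaves on an 802.1Q trunk.
    Returns the frame as sent on the trunk, or None if dropped."""
    tags = vlan_tags(frame)
    if tags and ingress_filter:
        return None                      # end stations must not send tagged frames
    if tags and tags[0] == access_vlan:
        frame = pop_tag(frame)           # tag for the port's own VLAN is accepted and removed
    elif tags:
        return None                      # tag for some other VLAN: dropped
    # On the trunk the native VLAN travels untagged; every other VLAN gets a tag pushed.
    return frame if access_vlan == trunk_native else push_tag(frame, access_vlan)


def second_switch(frame, trunk_native):
    """VLAN the receiving switch assigns to a frame arriving on its trunk."""
    tags = vlan_tags(frame)
    return tags[0] if tags else trunk_native


def double_tag_attack(access_vlan=1, trunk_native=1, ingress_filter=False, target_vlan=20):
    """Attacker in access_vlan sends outer tag = access_vlan, inner tag = target_vlan.
    Returns the VLAN the frame lands in on the far switch, or None if dropped."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:ee", [access_vlan, target_vlan])
    on_trunk = first_switch(frame, access_vlan, trunk_native, ingress_filter)
    return None if on_trunk is None else second_switch(on_trunk, trunk_native)


if __name__ == "__main__":
    print("native VLAN = attacker VLAN:", double_tag_attack())            # lands in VLAN 20
    print("unused native VLAN:", double_tag_attack(trunk_native=999))   # stays in VLAN 1
    print("ingress filter:", double_tag_attack(ingress_filter=True))    # dropped
```

With an unused native VLAN the first switch pushes its own tag on top of the attacker's inner tag, so the far switch reads the outer tag and keeps the frame in the attacker's VLAN; ingress filtering stops it one hop earlier.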
Security Issues Related to Spoofing of Frames
Spoofing frames means forging the addresses in them so that devices on the network believe they come from someone else. Several kinds of spoofing attack can be performed on a network, the most common being ARP spoofing.
ARP is the protocol a host uses to map an IP address on the local network to a hardware (MAC) address. ARP spoofing is usually the first step of a man-in-the-middle attack. The attacker sends forged ARP messages onto the local network which associate the attacker's MAC address with the IP address of another host, so that traffic meant for that host is delivered to the attacker instead. The attacker can then see, capture and manipulate the data. The default configuration of most switches does nothing to stop this, because a switch forwards on MAC addresses and never checks whether an ARP reply is truthful.
DNS spoofing, or DNS cache poisoning, is an attack on the cache of a DNS resolver. The attacker arranges for the resolver to store an incorrect IP address for a name, often the attacker's own address, so that users who look up the name are sent to a page the attacker controls instead of the legitimate site. Normally the resolver is provided by the ISP, but large organisations deploy their own on site to speed up resolution. The attack works by answering the resolver's query before the real name server does: a response is accepted if it matches the outstanding query's transaction ID, UDP port and question, and older resolvers used a fixed source port, so an attacker only had to guess a 16-bit transaction ID. Once the forged data is in the cache, every user of that resolver who asks for the name receives the attacker's answer until the entry expires.
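As an added illustration (not from the essay), the following Python model of a caching resolver shows why the fixed source port mattered and what a resolver checks before caching. The attacker sprays forged answers covering every transaction ID at the port it guesses; the resolver, query names and IP addresses are constructed for the example, and the race against the genuine answer is ignored.

```python
import random


class Resolver:
    """Toy caching resolver. The source port is either fixed, as in older resolvers,
    or randomised per query, as every current resolver does."""

    def __init__(self, randomize_port, seed=7):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)     # seeded so the example is repeatable
        self.pending = {}                  # (src_port, txid) -> qname
        self.cache = {}                    # name -> ip

    def send_query(self, qname):
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        txid = self.rng.randrange(0, 65536)
        self.pending[(port, txid)] = qname
        return port, txid

    def receive(self, port, txid, qname, records):
        """Accept a response only if it matches an outstanding query, and cache only the
        records inside the bailiwick of the queried zone. Returns the names cached."""
        if self.pending.get((port, txid)) != qname:
            return []                                   # unsolicited or mis-guessed: dropped
        del self.pending[(port, txid)]
        zone = qname.split(".", 1)[1]                   # www.example.com -> example.com
        cached = []
        for name, ip in records:
            if name == zone or name.endswith("." + zone):
                self.cache[name] = ip
                cached.append(name)
        return cached


def spray(resolver, qname, guessed_port, attacker_ip="203.0.113.66"):
    """Attacker floods forged answers for every 16-bit transaction ID at one guessed
    port. Returns the winning txid, or None if nothing was accepted."""
    resolver.send_query(qname)
    for txid in range(65536):
        if resolver.receive(guessed_port, txid, qname, [(qname, attacker_ip)]):
            return txid
    return None


def out_of_bailiwick_demo():
    """Even a response that matches port and txid cannot plant a record for another zone."""
    r = Resolver(randomize_port=True)
    port, txid = r.send_query("www.example.com")
    return r.receive(port, txid, "www.example.com",
                     [("www.example.com", "198.51.100.5"),
                      ("www.bank.example", "203.0.113.66")])


if __name__ == "__main__":
    fixed = Resolver(randomize_port=False)
    print("fixed port, winning txid:", spray(fixed, "www.example.com", 53), fixed.cache)
    rnd = Resolver(randomize_port=True)
    print("random port:", spray(rnd, "www.example.com", 53), rnd.cache)
    print("bailiwick check kept:", out_of_bailiwick_demo())
```

With the port fixed, 65,536 forged packets are guaranteed to hit; with it randomised the attacker must guess port and ID together, roughly 2^32 possibilities, and a real attacker also has to win the race against the authoritative server's answer.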
The MAC address identifies the network hardware associated with a host's IP address. MAC address spoofing changes the address a network interface presents, usually to match the MAC address of another host on the network; most operating systems allow this with a single command. Networks can be protected with MAC address filters, which allow only devices whose addresses are on an access control list. Spoofing the MAC address of a host that is on the list lets an attacker pass the filter and gain access to the network.
The above attacks can be prevented in the following ways.
ARP spoofing can be prevented with dynamic ARP inspection (DAI), a switch feature that validates ARP packets. DAI intercepts every ARP packet arriving on an untrusted port and checks the sender IP-to-MAC pair against a trusted database, normally the binding table built by DHCP snooping (or static ARP access lists); packets whose pair does not match are dropped and logged, and valid ones are forwarded. Ports leading to other switches are marked trusted and are not inspected, so the feature must be enabled consistently across the network, and DAI also rate-limits ARP on untrusted ports and err-disables a port that exceeds the limit. Wireshark can be used to detect an ARP attack as it happens: it flags duplicate use of an IP address when two ARP packets claim the same IP with different MAC addresses. Once the attacking device is identified you can shut down its switch port, and then add its MAC address to an access control list that blocks it from the network.
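As an added example (not from the essay or any vendor), this Python code models the check dynamic ARP inspection performs on each ARP packet from an untrusted port, including the optional source-MAC consistency check and the per-port rate limit, and runs it over a constructed sequence of packets: an honest reply, the attacker's forged replies, and a flood. The binding table, port names and addresses are made up for the illustration.

```python
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "port src_mac sender_mac sender_ip")

# Constructed trusted bindings, as DHCP snooping would have learned them: ip -> (mac, port).
BINDINGS = {
    "192.168.1.10": ("00:11:22:33:44:01", "Gi0/1"),
    "192.168.1.20": ("00:11:22:33:44:02", "Gi0/2"),
}
TRUSTED_PORTS = {"Gi0/24"}       # uplink to another switch; DAI does not inspect these


def inspect(pkt, bindings, trusted_ports):
    """Verdict for one ARP packet; the src_mac comparison is DAI's optional
    'validate src-mac' check."""
    if pkt.port in trusted_ports:
        return "forward: trusted port"
    if pkt.src_mac != pkt.sender_mac:
        return "drop: ethernet source differs from ARP sender MAC"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return "drop: no binding for sender IP"
    if binding != (pkt.sender_mac, pkt.port):
        return "drop: sender IP bound to a different MAC or port"
    return "forward"


def run(packets, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS, limit_per_port=15):
    """Inspect ARP packets in order, err-disabling any untrusted port that exceeds the
    per-port limit (modelled on DAI's default of 15 packets per second).
    Returns (verdict per packet, set of err-disabled ports)."""
    counts, errdisabled, verdicts = {}, set(), []
    for pkt in packets:
        if pkt.port in errdisabled:
            verdicts.append("drop: port err-disabled")
            continue
        if pkt.port not in trusted_ports:
            counts[pkt.port] = counts.get(pkt.port, 0) + 1
            if counts[pkt.port] > limit_per_port:
                errdisabled.add(pkt.port)
                verdicts.append("drop: rate limit exceeded, port err-disabled")
                continue
        verdicts.append(inspect(pkt, bindings, trusted_ports))
    return verdicts, errdisabled


def sample():
    """Constructed capture: one honest reply, the attacker's forged replies, then a flood."""
    honest = ArpPacket("Gi0/1", "00:11:22:33:44:01", "00:11:22:33:44:01", "192.168.1.10")
    forged = ArpPacket("Gi0/7", "00:11:22:33:44:ee", "00:11:22:33:44:ee", "192.168.1.20")
    mismatched = ArpPacket("Gi0/7", "00:11:22:33:44:ee", "00:11:22:33:44:02", "192.168.1.20")
    via_uplink = ArpPacket("Gi0/24", "00:11:22:33:44:ee", "00:11:22:33:44:ee", "192.168.1.20")
    return run([honest, forged, mismatched, via_uplink] + [forged] * 15)


if __name__ == "__main__":
    verdicts, disabled = sample()
    for v in verdicts:
        print(v)
    print("err-disabled:", disabled)
```

The fourth packet is the caveat from the paragraph above: a forged reply that arrives over a trusted uplink is forwarded untouched, so DAI on one switch is only as good as the inspection on its neighbours.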
DNS spoofing is best prevented with multiple lines of defence. First, upgrade the DNS software to a version that patches the weakness used to poison the cache, in particular one that randomises the source port of every query so that an attacker has to guess both port and transaction ID. Alongside keeping the server software up to date, an intrusion prevention system can log unauthorised activity and block the attack in progress. Firewalls regulate the traffic entering the network according to their configured rules, and antivirus software deals with intruders who have already infected a system with viruses, trojans or other malware.
MAC address spoofing can be limited by configuring port security on each access port to lock in the MAC address of the first device connected (and, with IP source guard, its IP address as well). Only the device with that MAC address, and that IP address, is then allowed to send on the port; frames from any other address are dropped, and the port can be configured to shut down. This does not stop an attacker who unplugs the legitimate device and clones its MAC address, so it is a control against casual access rather than against a determined attacker.
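To tie together the port security violation modes from the trunking section and the lock-in of the first MAC address described here, the following added Python model (not from the essay or any vendor) processes a constructed sequence of frames through one access port under each mode. The MAC addresses are made up, and the log text is illustrative rather than any switch's real syslog format.

```python
class PortSecurity:
    """Port security on one access port. The first max_macs source addresses seen are
    locked in (Cisco calls these dynamic or, when saved to the config, sticky secure
    MACs); any other source triggers the configured violation action."""

    def __init__(self, max_macs=1, violation="shutdown"):
        assert violation in ("shutdown", "restrict", "protect")
        self.max_macs = max_macs
        self.violation = violation
        self.allowed = set()
        self.errdisabled = False
        self.violations = 0
        self.log = []

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.errdisabled:
            return False                       # shutdown mode: nothing passes until cleared
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)          # learn the first device and lock it in
            return True
        if self.violation == "shutdown":
            self.errdisabled = True
            self.violations += 1
            self.log.append("port err-disabled after unexpected source %s" % src_mac)
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append("violation: dropped frame from %s" % src_mac)
        # protect: drop silently, no counter, no log
        return False

    def clear(self):
        """Operator recovery, the equivalent of 'shutdown' then 'no shutdown' on the port.
        The learned address stays locked in."""
        self.errdisabled = False


def run(mode, frames):
    """Push frames (source MACs) through a fresh port in the given violation mode.
    Returns (forwarded flags, violation count, log lines written, port err-disabled?)."""
    ps = PortSecurity(violation=mode)
    forwarded = [ps.ingress(mac) for mac in frames]
    return forwarded, ps.violations, len(ps.log), ps.errdisabled


# Constructed sequence: legitimate host twice, then an attacker, then the host again.
SAMPLE = ["00:11:22:33:44:01", "00:11:22:33:44:01", "00:11:22:33:44:ee", "00:11:22:33:44:01"]


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, run(mode, SAMPLE))
```

Under shutdown the legitimate host loses the port too once the attacker has tripped it, which is exactly the denial of service an attacker can cause on purpose by sending one frame from a random address. Port security sees only the source MAC, so an attacker who copies the allowed address is indistinguishable from the real device; binding the IP address as well is what IP source guard adds, using the same DHCP snooping table as dynamic ARP inspection.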
In this document I have discussed the potential threats that networks need to be secured against, how attackers perform the attacks, and how a network manager would prevent them. It should be clear that several layers of defence are needed rather than one, because there are many ways attacks can be performed against a network to compromise its systems.