
Richard Bach ISOM 317 Research Paper: Chapter 6 - Local Area Network

Table of Contents
Introduction
Threats
Firewalls
  Hardware Firewalls
  Software Firewalls
Proxies
Hubs vs. Switches
Wired vs. Wireless Networking
Third-Party Networks
Network Design/Layout
Bibliography

Introduction
In recent years the word "security" has been thrown around quite a bit. Whether it is in reference to national security, border security, financial security, or even computer security, security has been moving to the forefront of our collective consciousness. Here I would like to discuss network security in relation to local area networks, but since most LANs do not exist in a vacuum it will be necessary to cover network security as it relates to other areas such as the Internet. I will cover topics ranging from firewalls, hubs, and switches to virtual private networks and encryption both from the perspective of a home user and a corporation. When finished, I hope to have laid out a solid foundation from which a greater understanding of computer and network security (and security in general) will arise. Naturally, before we can secure our networks we must first recognize what is at risk and how those things will be attacked.

Threats
First of all, let's outline what we hope to protect on our network(s). Our main goals in securing a network are to "protect confidential information from those who do not explicitly need to access it," and "protect [the] network and its resources from malicious users and accidents that originate outside of [the] network." (Cisco Systems, Inc.) Common threats to confidential information include packet sniffing, IP address spoofing, man-in-the-middle attacks, and password attacks.

Packet sniffing is perhaps the coolest of the attack methods listed above in the writer's opinion. Typically, information is sent over the network in "clear text" that any person or program that happens to be listening in can pick up, read, and interpret (this, of course, was covered in our lab on Ethereal). Cisco defines a packet sniffer as "a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a local area network" (Cisco Systems, Inc.). Although packet sniffers have several perfectly valid uses such as diagnosing network problems, clearly they have the potential to be used to gather sensitive information on a local network. This information could be anything from a user's username and password to someone's Social Security or credit card number. Protocols that authenticate in the clear (FTP, POP3, telnet, HTTP Basic authentication) hand these straight to whoever is listening; encrypted protocols such as SSH and SSL do not.

IP spoofing is the act of forging the source address in the IP header so that a packet appears to come from some other host. Typically, it would be used by someone with an untrusted IP address (perhaps they are outside your network or outside a specific portion of your network) to claim an address within a range of IPs that you do trust and thus gain some access to information available only to supposedly trusted computers. Because replies go to the forged address rather than to the attacker, an IP spoofing attack generally involves blindly injecting one's own data or commands into an already-existing stream of data traveling over the network; under the right circumstances, however, the spoofer may be able to change routing tables to include their spoofed IP, in which case they will have the same access to information as any other trusted user (Cisco Systems, Inc.).

Password attacks take on many forms, including brute-force guessing, social engineering, Trojans, and the previously mentioned packet sniffing and IP spoofing. Since the first three are not really network-level problems, they are less of a focus for this paper. Man-in-the-middle attacks are more of a concern for connections between computers within your network and the outside world (and thus fall outside the main target of this document), but they're still something to keep in mind when securing your local network. Basically, in a man-in-the-middle attack someone intercepts your network traffic, reads or alters it, and then forwards it on to its intended destination, so neither end notices anything wrong. Clearly, these are closely related to packet sniffing (and indeed packet sniffers are often used in the attack) (Cisco Systems, Inc.). With that out of the way, we can move on to protecting the network.
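To make the sniffing threat concrete, here is an added example (mine, not part of the original paper or the Cisco material it cites) that does what a sniffer does after capture: it parses raw Ethernet/IPv4/TCP frames and pulls out credentials sent in the clear by FTP, POP3 and HTTP Basic authentication. The frames, addresses and passwords are constructed inline so it runs offline; a real run would read them from a pcap file or a promiscuous-mode socket.

```python
import base64
import struct


def ip_bytes(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left zero; a sniffer sees whatever was on the wire anyway."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # IP header length in bytes
    if len(ip) < ihl + 20 or ip[9] != 6:
        return None                                  # truncated or not TCP
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]


def find_cleartext_credentials(frames):
    """Scan decoded TCP payloads for credentials that cross the wire unencrypted."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        text = payload.decode("ascii", errors="replace")
        for line in text.splitlines():
            if dport in (21, 110) and line.startswith(("USER ", "PASS ")):
                found.append((src, dst, line[:4], line[5:]))          # FTP / POP3
            elif dport == 80 and line.lower().startswith("authorization: basic "):
                creds = base64.b64decode(line.split()[2]).decode()   # base64 is not encryption
                found.append((src, dst, "HTTP-Basic", creds))
    return found


# Constructed sample capture: an FTP login, an HTTP Basic request, and one
# TLS record (port 443) that yields nothing because its payload is encrypted.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.168.1.20", 40001, 21, b"USER alice\r\n"),
    build_frame("192.168.1.10", "192.168.1.20", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("192.168.1.10", "10.0.0.5", 40002, 80,
                b"GET /secret HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    build_frame("192.168.1.10", "10.0.0.9", 40003, 443, b"\x16\x03\x01\x00\x10encrypted"),
]

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_FRAMES):
        print(hit)
```

The TLS frame goes through the same parser and produces nothing, which is the whole argument for encrypting at the application layer: the sniffer still sees who talks to whom, but not what was said.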

Firewalls
A firewall could be seen as the first line of defense for your network. Firewalls can be defined as "a system or group of systems that enforces an access control policy between two or more networks" (Paul D. Robertson). In simpler terms, firewalls control what goes in and out of your network. While they typically take the form of a piece of hardware that sits between your (trusted) network and the rest of the (untrusted) world, they can also take the form of software installed on your own computer. Each form has its own strengths and weaknesses that need to be weighed when designing a plan for securing your network.

So how does a firewall work, anyway? In general, firewalls work at either the network or the application layer. At the network layer, the firewall does much less examination of the packets moving through it compared to its application-layer brethren; as a trade-off, such firewalls tend to be faster than those of the application-layer variety (Paul D. Robertson). Network-layer firewalls (the usual hardware variety) typically do their filtering based on the source and destination addresses and ports in each IP packet. More modern firewalls are also capable of keeping internal information on the state of each connection ("stateful" filtering, so that a reply is only admitted if the matching request went out first) and, in some cases, on the content of the data streams passing through them (Paul D. Robertson). All of this goes on without user intervention or even their knowledge (unless, of course, something they try to access is blocked; that they'll certainly notice).


A firewall that works at the application layer is capable of extensive logging and analysis of traffic passing through it. It generally takes the form of a proxy running on the firewall hardware itself, so that inside and outside hosts never exchange packets directly. An application-layer firewall can also be used for network address translation (Paul D. Robertson). Although older application-layer firewalls incurred a performance hit on their users, modern firewalls have come a long way both in improving performance and increasing transparency to the user. In fact, over the years both network-layer and application-layer firewalls have gradually moved closer together both in features and speed. Today most firewalls are a hybrid of these two approaches (Paul D. Robertson).

Hardware Firewalls
Hardware firewalls are by far the more common of the two varieties. The basic idea is that all the data traveling into or out of the network goes through the firewall. This gives us a rather convenient, central place to enforce the bulk of our security policies. They are typically configured to block any incoming traffic that wasn't specifically asked for by a machine within your network, but as shipped they generally do not restrict data flowing out of your network. Outbound ("egress") filtering is possible on most of them; it simply has to be configured, and it is what stops an already-infected machine from phoning home. Since everything traveling between your network and the outside world goes through the firewall, it serves as an excellent point to log traffic, too, if you so desire (Paul D. Robertson). A nice benefit of a hardware firewall compared to a firewall implemented in software is that since it is an entirely separate piece of hardware, none of your computers' resources are used to keep it running, keeping the overall impact on performance to a minimum. This separation from the computers comes at a price, however: the hardware firewall cannot tell which program on a host sent a given packet and so cannot filter on that basis, a feature the software firewalls are able to implement.
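The "block anything that wasn't asked for" behaviour is stateful filtering, and it is easier to see in code than in prose. The following is an added example, not taken from the paper or from the Firewalls FAQ it cites: a small model of a consumer firewall's connection table, with the addresses, ports and traffic sample constructed for the illustration. The second scenario shows what switching on egress filtering buys you.

```python
from collections import namedtuple

# A packet as the firewall sees it. direction is "in" (arriving from the
# Internet) or "out" (leaving the LAN). All addresses below are constructed.
Packet = namedtuple("Packet", "direction proto src sport dst dport")


class StatefulFilter:
    """Model of a consumer hardware firewall: default-deny inbound, remember
    connections that LAN hosts open so their replies get back in, and an
    optional egress policy (off by default, as on most shipped devices)."""

    def __init__(self, inbound_allow=(), egress_allow=None):
        self.inbound_allow = set(inbound_allow)  # (proto, dport) services published to the Internet
        self.egress_allow = egress_allow         # None = allow everything out
        self.state = set()                       # flows a LAN host initiated
        self.log = []

    @staticmethod
    def _flow(pkt):
        # Canonical key (proto, lan_ip, lan_port, remote_ip, remote_port) so the
        # reply to an outbound packet lands on the same table entry.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        flow = self._flow(pkt)
        if pkt.direction == "out":
            if self.egress_allow is not None and (pkt.proto, pkt.dport) not in self.egress_allow:
                verdict = "DROP"                 # egress filtering: outbound service not in policy
            else:
                verdict = "ACCEPT"
                self.state.add(flow)             # remember it so the reply is admitted
        elif flow in self.state:
            verdict = "ACCEPT"                   # reply to something a LAN host asked for
        elif (pkt.proto, pkt.dport) in self.inbound_allow:
            verdict = "ACCEPT"                   # explicitly published service
        else:
            verdict = "DROP"                     # unsolicited inbound traffic
        self.log.append((verdict, pkt))
        return verdict


def run_scenario(egress_allow=None):
    """Replay a constructed traffic sample and return the list of verdicts."""
    fw = StatefulFilter(inbound_allow={("tcp", 22)}, egress_allow=egress_allow)
    traffic = [
        Packet("out", "tcp", "192.168.1.10", 40000, "93.184.216.34", 80),   # LAN host browses
        Packet("in",  "tcp", "93.184.216.34", 80, "192.168.1.10", 40000),   # the web server replies
        Packet("in",  "tcp", "198.51.100.7", 4444, "192.168.1.10", 445),    # unsolicited SMB probe
        Packet("in",  "tcp", "198.51.100.7", 4444, "192.168.1.5", 22),      # published SSH service
        Packet("in",  "tcp", "93.184.216.34", 80, "192.168.1.11", 40000),   # forged "reply" nobody asked for
        Packet("out", "tcp", "192.168.1.10", 40001, "198.51.100.9", 6667),  # infected host phoning home
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    print("default policy:  ", run_scenario())
    print("egress filtering:", run_scenario(egress_allow={("tcp", 80), ("tcp", 443), ("udp", 53)}))
```

With the default policy the last packet, an outbound connection on a port no legitimate application on the LAN uses, sails through; only the egress policy stops it, which is the point of configuring one.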

Software Firewalls
As the name suggests, a software firewall exists purely as a piece of software the user must install on their own computer. They have similar functionality to their hardware-based counterparts, but obviously have some advantages (and disadvantages) compared to them, too. The most obvious disadvantage is that the firewall has to be set up on each individual machine, and even if the firewall is preinstalled on the system (suppose you've chosen to use the built-in Windows firewall) you'll still need to configure it. Also, since the firewall is a piece of software running on the computer, it is taking up system resources that could be used for more valuable work. They can also fall victim to nasty malware that infects the system and disables the firewall (much like some viruses, worms, etc. disable antivirus software) without the user's knowledge: a firewall running on the same machine, with the same privileges as the malware it is meant to stop, is not much of a barrier. While it is possible that a flaw in a hardware firewall could allow it to be compromised in some way, this is harder, since the attacker has no code running on the firewall to begin with.


The chief advantage of a software firewall as I see it is its remarkable ability to control which programs have access to the computer's network adapters. While basic firewalls such as the one included in Windows XP don't take advantage of this for outbound connections (the XP firewall only filters inbound traffic), products such as Zone Alarm, Kerio Personal Firewall, and Sygate do. Suppose we're running a new web browser for the first time. When the browser first attempts to access the network, the software firewall will pop up a message informing the user that the program has tried to access the Internet and give the user the choice of allowing the program to connect or stopping it. This added functionality comes at the price of potentially annoying the user, however, and a user who clicks "Allow" on every prompt gets no protection at all; in a corporate environment it probably isn't the best idea to let the users decide for themselves what to allow through to the network.

Proxies
Proxies are somewhat related to firewalls and can be defined as "an application that mediates traffic between a protected network and the Internet" (Paul D. Robertson). Proxies can log traffic or provide support for user authentication, and they are application-specific: you must have separate proxies for FTP, HTTP, and telnet traffic. Generic proxies such as SOCKS exist, but they simply relay connections and don't support application-specific features (Paul D. Robertson). Because a proxy terminates the client's connection and opens its own to the destination, internal hosts never talk to the outside directly, which is what makes it both a good choke point and a good place to log. As an aside, it should be noted that proxies also have several fun uses for the mischievous system administrator. For example, you could flip images in web pages upside down (http://www.ex-parrot.com/~pete/upsidedown-ternet.html). I wouldn't recommend doing anything like that on anything other than a home network, however.

Hubs vs. Switches

So we have a firewall guarding the perimeter of our network from the perils of the Internet, but how should we connect the computers to each other and the rest of the world? Our options, fortunately, are sparse and it should be obvious what to use. First, though, we must analyze those options: hubs and switches.

As noted in class, a hub is simply a repeater. It takes the signal coming in on one of its ports, amplifies it, and sends it back out on all of its other ports. This makes it possible to create a chain of hubs to connect computers over greater distances than otherwise would be possible, but it has some serious downsides that make hubs less than attractive options for connecting computers. First of all, every computer on the network receives all of the data being sent through the hubs. On a large enough network this will clearly lead to severe performance problems, and it leads to various security problems. Remember those packet sniffers we learned about a couple pages back? Hubs make it trivially easy for packet sniffing applications such as Ethereal to monitor all the traffic going through the network, as was illustrated quite plainly in the lab we did on Ethereal. This isn't much of a problem if you are certain you can trust everyone on the network, but there are many cases where you can't be sure of that. We'll get into those later. In short, hubs are a fairly basic tool to connect a network of computers.

Switches, on the other hand, are relatively advanced. Unlike hubs, they look at the frames passing through them and forward each one only to the port behind which they have learned the destination machine lives. As Lantronix puts it, "Switches map the Ethernet addresses of the nodes residing on each network segment and then allow only the necessary traffic to pass through the switch. When a packet is received by the switch, the switch examines the destination and source hardware addresses and compares them to a table of network segments and addresses. If the segments are the same, the packet is dropped ("filtered"); if the segments are different, then the packet is "forwarded" to the proper segment. Additionally, switches prevent bad or misaligned packets from spreading by not forwarding them." (Lantronix) The switch fills in that table by itself: it records the source address of every frame it receives together with the port it arrived on, and a frame for a destination it hasn't learned yet is flooded out every other port, exactly as a hub would do. The advanced filtering of a switch gives us the possibility not only of improving network performance but also improving security. Switches improve network performance by dividing the network into a series of smaller networks, resetting distance and repeater limitations. In addition, they reduce collisions (which in turn reduces congestion of the network) (Lantronix). However, you don't always see a positive effect on performance by using switches. In small networks where there aren't many collisions anyway, the latency inherent in switches may in fact slow the network down. In a large network the key to improving performance can be the location you place the switch in the network.
Placing a switch in an area where most of the packets it receives will be forwarded anyway will give you much less of a performance boost than putting it in a location where most of the traffic it sees gets filtered (Lantronix).

More to the point of this paper, switches enhance the security of a network. Switched networks are far less susceptible to packet sniffing attacks, for example. Since information is forwarded only to the port of the computer intended to receive it, a packet sniffing computer on another port doesn't get a chance to capture and examine the data. In fact, the attacker will have no idea information was even being exchanged. There are, of course, exceptions to this rule. If the attacker employs tactics such as ARP spoofing or MAC flooding they may be able to trick the switch, or the hosts attached to it, into giving up their secrets. ARP spoofing does not attack the switch at all: the attacker sends forged ARP replies so that the victims' machines record the attacker's MAC address as belonging to the network gateway's IP address (and, for the return direction, the gateway records the attacker's MAC for the victim's IP). The switch then dutifully delivers the victims' traffic to the attacker, who reads it and forwards it on, a man-in-the-middle attack on the local segment. MAC flooding is simply overwhelming the switch with a deluge of frames from spurious source MAC addresses, hoping to fill its address table so that the legitimate entries are pushed out and the switch falls back to flooding frames out every port, at which point it behaves as a hub would. Both attacks are easy to spot if you look: ARP spoofing shows up as one MAC address claiming several IP addresses (or an IP address that keeps changing MACs), and MAC flooding as thousands of addresses appearing on a single port. Better switches let you cap the number of MAC addresses learned per port for exactly this reason.

There are, of course, downsides to switches. Besides the possible performance issues mentioned above, it is also difficult to monitor traffic going through switches, for the same reasons malicious packet sniffers have difficulty snooping traffic. Some higher quality switches have the ability to copy all traffic out onto a designated "mirror" (or SPAN) port, allowing an admin to monitor traffic, but such switches are more expensive. Consumer-level switches are barely more expensive than hubs these days, so at least for them it is becoming increasingly pointless to bother with hubs. Of course, we're ignoring the increasingly popular wireless networks. Naturally, they open up a whole new can of security considerations.
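The learning, flooding and table-exhaustion behaviour described above can be modelled in a few dozen lines. This is an added example, not code from the paper or from Lantronix; the MAC addresses are made up, and the least-recently-used eviction is a stand-in for the aging and overflow behaviour of a real CAM table, which varies by vendor.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch with a bounded address table, LRU eviction (standing in
    for CAM-table aging/overflow) and an optional mirror (SPAN) port that
    receives a copy of every frame."""

    def __init__(self, ports, table_size=8, mirror_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.mirror_port = mirror_port
        self.cam = OrderedDict()          # mac -> port, oldest entry first

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)  # table full: the oldest entry is pushed out
        self.cam[mac] = port

    def receive(self, in_port, src_mac, dst_mac, payload):
        """Forward one frame; return the list of ports it was sent out of."""
        self._learn(src_mac, in_port)
        out_port = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            targets = [p for p in self.ports if p != in_port]   # unknown destination: flood like a hub
        elif out_port == in_port:
            targets = []                                        # same segment: filtered
        else:
            targets = [out_port]                                # known destination: that port only
        if (self.mirror_port is not None and self.mirror_port != in_port
                and self.mirror_port not in targets):
            targets.append(self.mirror_port)
        return targets


# Constructed addresses: two legitimate hosts and an attacker on port 3.
A, B, ATTACKER_PORT = "00:aa:00:00:00:01", "00:bb:00:00:00:02", 3


def demo_mac_flooding():
    """Before the flood the attacker's port sees nothing of A->B; afterwards the
    switch has forgotten where B is and floods A's frames to every port."""
    sw = Switch(ports=[1, 2, 3, 4], table_size=8)
    sw.receive(1, A, B, b"hello")              # B not learned yet -> flooded
    sw.receive(2, B, A, b"hi")                 # switch now knows B is on port 2
    before = sw.receive(1, A, B, b"secret")
    for i in range(20):                        # MAC flooding from bogus source addresses
        sw.receive(ATTACKER_PORT, "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256),
                   "00:00:00:00:00:00", b"")
    after = sw.receive(1, A, B, b"secret")
    return before, after


def demo_mirror_port():
    """An admin's monitoring port gets a copy of a unicast A->B frame."""
    sw = Switch(ports=[1, 2, 3, 4], mirror_port=4)
    sw.receive(2, B, A, b"hi")
    return sw.receive(1, A, B, b"secret")


if __name__ == "__main__":
    print("A->B ports before/after MAC flood:", demo_mac_flooding())
    print("A->B ports with mirror port 4:", demo_mirror_port())
```

The defence the paragraph mentions, capping the number of addresses learned per port, would be a check in `_learn` that refuses (or shuts the port) once a port has contributed more than a handful of entries; with that in place the twenty bogus addresses never displace A and B.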

Wired vs. Wireless Networking

Wireless networks are wonderfully convenient tools. Why run countless feet of wire and mess around with hubs and switches when you can simply place a couple of wireless access points in strategic locations and be done with the whole thing? Sadly, given the ease with which a wireless network can be set up (just plug the wireless router/access point in and go), most people don't seem to put much more thought into choosing a wired or wireless network than what I've briefly outlined. If only they knew the severe security risks wireless networks present us with.

First of all, most wireless networks are stupidly easy to spy on. At least with wired networks your would-be malefactor's ability to sniff your traffic is limited to the areas he has physical access to plug into the network. Since an access point is sending its signal out in, well, every single direction possible, evildoers could attack from pretty much anywhere your AP's signal reaches, and a wireless card in monitor mode can record every frame in the air without ever associating with your network. In densely packed office buildings or apartment complexes you may have no way to tell who is trying to connect to your network (or where precisely they are).

So how can we protect ourselves over the airwaves? Let's start with some of the less effective safeguards first and work our way up, shall we? The least effective way to secure your network is to simply disable SSID broadcasting on your access point or router. The SSID is basically the "name" of your network, such as bsu. Once SSID broadcasting is off, your access point will no longer show up when you scan for wireless networks to connect to, preventing most people from even knowing your network exists, let alone connecting to it. Unfortunately, the SSID is still sent in the clear every time a legitimate client joins, so with the right software someone can find your SSID and connect anyway (Jupitermedia).

The next not-so-effective technique for securing an access point is to use MAC address filtering. To use this, you basically set up a "white list" of MAC addresses that are allowed to connect to your network. If someone whose network adapter is not on the list tries to connect, they'll simply be unable to do so. The flaw here is that the MAC address can be spoofed (Jupitermedia). Since it is possible to analyze wireless traffic without connecting to the network, and MAC addresses are never encrypted, it is trivial to monitor the data streams to find a valid MAC address to claim as your own. Besides, it can be a small pain to enter the MAC address for every device you wish to grant access to your network.

Moving up the line, we come to encrypting the data traveling over your wireless network. This is undoubtedly a good idea, but what should we use to do it? For 802.11 wireless networks, we basically have two options: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). In keeping with the pattern we've established of working up from least secure to most secure, let's cover WEP first. Despite its name, WEP falls well short of the privacy of a wired network; it is vulnerable to attacks such as: "Passive attacks to decrypt traffic based on statistical analysis. Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext. Active attacks to decrypt traffic, based on tricking the access point. Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic." (Nikita Borisov)

Before explaining these in detail we must first dig a little to learn how WEP works, without delving too deep into the specifics of WEP's cryptography. WEP uses the RC4 stream cipher, which works by expanding a short key into an effectively endless pseudorandom key stream. This key stream is XORed with the message being sent to encrypt the data; on the receiving end, the same key stream is generated and XORed again to decrypt it. To keep every packet from being encrypted with the identical key stream, a 24-bit Initialization Vector (IV) is prepended to the secret key for each packet and transmitted in the clear alongside the ciphertext (Nikita Borisov). Unfortunately, this is implemented badly and provides little real security. A 24-bit IV allows only about 16.7 million distinct key streams per secret key, so on a busy access point an IV is certain to repeat within hours, and cards that reset the IV counter to zero at every power-up repeat the low IVs constantly.

The first attack, passively decrypting traffic through statistical analysis, follows directly from WEP's poor handling of the IV. Because the cipher is a plain XOR, two packets encrypted under the same IV (and therefore the same key stream) can be XORed together to cancel the key stream out, leaving the XOR of the two plaintexts. Since IP traffic is fairly repetitive and predictable, the possible contents of the packets are limited; with enough packets per IV an attacker can work out the plaintexts, and once any single packet is fully known the attacker also knows the key stream for that IV and can decrypt every other packet that uses it (Nikita Borisov).

The active injection attack builds on the information gathered from the previous attack. Once one packet has been decrypted, the attacker knows a key stream and can use it to encrypt packets of their own that the access point will accept as genuine; WEP's integrity check is an unkeyed CRC-32, so the attacker can compute a valid one. The active decryption attack relies on the same weakness in the integrity check: flipping bits in the ciphertext flips the same bits in the plaintext, and the CRC can be adjusted to match, so the attacker only needs to guess the layout of the packet header rather than the data itself (and all you really need is the position of the destination IP address). From there, the attacker can change the destination IP to that of a computer they control and send the packet on its way. The access point will decrypt the message and forward the plaintext to the attacker's machine over the Internet. Once received, the attacker has both the encrypted and plaintext versions of the packet to analyze (Nikita Borisov).

The final form of attack is the most dangerous. It also happens to be the one that takes the most time. In a nutshell, it involves using the above methods to build a table of the key stream for every one of the 16.7 million IVs an access point can use. Once collected, the attacker will have essentially unrestricted access to any data going over the wireless network, even to the point where they're decrypting information in real time (Nikita Borisov).

Even with all of these flaws WEP still has its uses. Bad encryption is better than no encryption at all (although I suppose you should use the qualifier "as long as you know it is bad encryption"). Even SSID hiding and MAC address filtering have their uses. At the very least they will prevent random people from connecting to your network. In the case of WEP it will serve as a speed bump for those with the knowledge to crack WEP. Under no circumstances should you do anything terribly important (such as checking email you'd rather not have anyone else see) on a WEP-"protected" access point, however. Personally, I wouldn't even do online banking or shopping even though they're typically secured with SSL, but that's just me.

So what do we use if we want our wireless network to be as secure as the technology allows? The answer is simple: use WPA. WPA was created by the Wi-Fi Alliance to address WEP's shortcomings. Not only did it succeed in that goal, but it also adds the ability to use user authentication, a feature that was missing in WEP (Wi-Fi Alliance). It is most commonly used in WPA-PSK mode. PSK stands for "Pre-Shared Key". Like in WEP, the user enters a passphrase when connecting to the network and that is used to generate the encryption key; unlike WEP, the keys that actually protect packets are derived fresh for each session rather than reused for every packet. Also unlike WEP, the passphrase is 8 to 63 ASCII characters (WEP keys were usually entered as a fixed-length string of 10 or 26 hex digits). Like any other password, a longer, more random passphrase is more secure than a short dictionary word or two. Tools exist online to generate long, secure passphrases to use when setting up a WPA-PSK network, but they aren't strictly necessary. As it stands, the only known weakness in WPA-PSK is that an attacker who records the initial handshake between a client and the access point can try passphrase guesses against it offline; that can't be avoided and is mitigated with a sufficiently long passphrase, anyway.
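The IV-reuse attack described above is easy to demonstrate, because WEP's weakness is arithmetic rather than anything exotic. The following is an added example (not the paper's or Borisov et al.'s code): a pure-Python RC4, a WEP-style packet format with the CRC-32 integrity value left out, and the known-plaintext recovery of a second packet that shares an IV. The 40-bit key, the IV, and the two packet contents are constructed for the illustration.

```python
import math


def rc4_keystream(key, length):
    """RC4 key scheduling plus key-stream generation. WEP runs it with key = IV || secret."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret, iv, plaintext):
    """WEP packet body: 3-byte IV in the clear, then plaintext XOR RC4(IV || secret).
    The real frame also appends a CRC-32 ICV; it adds nothing to secrecy and is omitted here."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + xor_bytes(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def wep_decrypt(secret, packet):
    iv, body = packet[:3], packet[3:]
    return xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def recover_with_known_plaintext(known_packet, known_plaintext, target_packet):
    """IV reuse: C1 ^ C2 = P1 ^ P2 when both packets use the same IV, so knowing
    P1 reveals the key stream and therefore P2, without ever learning the key."""
    if known_packet[:3] != target_packet[:3]:
        return None                                  # different IV: no shared key stream
    keystream = xor_bytes(known_packet[3:], known_plaintext)
    return xor_bytes(target_packet[3:], keystream)


IV_SPACE = 2 ** 24


def packets_until_likely_iv_repeat():
    """Birthday bound: roughly sqrt(pi/2 * 2^24), about 5,100 randomly chosen IVs
    before the first repeat is more likely than not."""
    return int(math.sqrt(math.pi / 2 * IV_SPACE))


def demo():
    secret = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                          # a card that restarts its IV counter at power-up
    p1 = b"GET /index.html HTTP/1.0\r\n"          # something an attacker can guess
    p2 = b"PASS hunter2\r\n"                      # what the attacker wants
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)              # same IV reused -> identical key stream
    return recover_with_known_plaintext(c1, p1, c2)


if __name__ == "__main__":
    print("recovered without the key:", demo())
    print("expected packets before an IV repeats:", packets_until_likely_iv_repeat())
```

Nothing here is specific to a 40-bit key; a 104-bit key gives the same result, because the attack never touches the key at all, only the reused key stream. That is why the usual advice of "use a longer WEP key" changes nothing.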

Third-Party Networks
All this talk of MAC filtering and SSIDs and WPA is nice, but what do you do in a situation where you've connected to a network you don't have control over? Perhaps you're using a hotel's local network or maybe you're spending a bit of time at the local Starbucks enjoying an overpriced coffee and their open access point. Obviously, since you're not in control of these networks you can't set up filtering or encryption or anything else of the sort. Given that it isn't our network we probably don't care much about who gets on there as long as they can't interfere with our usage, so really our main concern is other people snooping around our data streams. We can prevent that easily enough using Virtual Private Networking. Microsoft defines a VPN as "the extension of a private network that encompasses links across shared or public networks like the Internet in a manner that emulates a point-to-point private link (such as a dial-up or long haul T-Carrier-based WAN link)." (Microsoft) There are several types of VPN connections, but for our purposes we only need to be concerned with what is known as Remote Access VPN. In this scenario, a computer runs VPN client software to connect to the remote VPN server. All data travelling between the client and server is encrypted, preventing anyone who may be packet sniffing from getting any useful information from the data. Of course, what good is a VPN client if we don't have a server to connect to? In our case we could connect to Ball State's VPN (http://bsu.edu/vpn for more information), but obviously that won't work for the general public. The more technically minded may choose to set up their own VPN using their home Internet connection and software such as OpenVPN (http://openvpn.net/). For those who don't want to bother with the complexities of setting up a VPN server themselves, there are commercial services such as Hamachi (http://www.hamachi.cc/) that provide a server and client software for you to use (for a fee, of course). Regardless of which solution you use, however, it should be noted that once your traffic reaches the VPN server it is decrypted for the rest of its journey over the Internet to its destination, so you have really moved your trust from the coffee shop to whoever runs the VPN server; but that probably is what they call a "no-brainer". Two other things are worth doing on a network you don't control: make sure the VPN client is set to send all traffic through the tunnel (not just traffic for the remote network, or your web browsing still goes out in the clear), and run a software firewall, since everyone else on that hotel network can reach your machine directly.

Network Design/Layout
Let us return to our own dominion for a bit and cover how we should lay out our local network to be as secure as it can possibly be using the technologies we've outlined above. Our first (and main) consideration is how we wish to logically lay out our routers, switches, firewalls, etc. Most home users opt for a single router/switch for their network and they usually choose a product that also acts as a wireless access point. This is a nice, compact, convenient, and relatively cheap package, but it isn't as secure as it could be. First of all, there is usually no separation between the machines connected through the router's Ethernet ports and those connected through the WAP. For many this isn't considered a problem, and it is even desirable behavior, but whether it is safe depends entirely on how well you trust the machines connecting to the WAP. If your access point is completely open, you can't really trust anyone connected to it, but if you're using WPA it is much more likely that the machines are trustworthy (unless, of course, your WPA passphrase is easy to crack or you hand it out to random people for some inexplicable reason). Even so, some may still not trust even WPA-secured connections and will want to segregate them from the rest of the network. One way to do that would be to take three separate firewalls, a router (substitute this for one of the firewalls if you wish), a WAP, and a switch and arrange them like so:

1. Connect the router/firewall to your Internet connection (DSL, cable, etc).
2. Connect each of the two remaining firewalls to separate ports on your firewall/router.
3. Connect your WAP to firewall A.
4. Connect your switch to firewall B and then connect your wired clients to the switch.

This will leave you with a Y-shaped arrangement of access points, firewalls, and switches. Firewalls A and B will prevent traffic from the other segment from passing through, effectively segmenting the two from one another while both retain Internet connectivity. (A single firewall with three interfaces achieves the same thing; the principle is that wireless and wired clients sit on different networks and the only path between them goes through a filtering device.) If a wireless client needs to access a resource on the wired segment you can set up a VPN to connect that computer to the wired network. This requires significantly more work and money than simply going with a broadband router, so it isn't for everybody.

So it turns out that while a LAN can be a dangerous place, it is possible to protect yourself without too much effort. Even moderate security is probably enough to keep most people off your network and from spying on you. Even so, there is so much more to computer security than the network, and you're only as safe as the weakest link in your chain. Even the strongest front door with 11 locks is useless if you leave a window open at night.
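The "easy to crack" caveat just above, and the earlier remark in the wireless section that guessing the WPA-PSK passphrase is its only known attack, both come down to one computation: the pre-shared key is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, which an attacker who has captured a client's initial handshake can repeat offline for every guess. This added example (not the paper's or the Wi-Fi Alliance's code) shows the derivation, a dictionary attack over a constructed wordlist, and why a long random passphrase is out of reach. The passphrases, SSID and wordlist are made up, and the attack is simplified to comparing derived keys rather than verifying a handshake MIC.

```python
import hashlib


def wpa_psk(passphrase, ssid):
    """WPA-PSK key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The standard restricts the passphrase to 8-63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32)


def offline_guess(target_pmk, ssid, candidates):
    """Dictionary attack. A real attacker holds the captured 4-way handshake and
    checks each candidate against its MIC; comparing PMKs directly is equivalent
    for this illustration. Returns (passphrase_found_or_None, guesses_tried)."""
    tried = 0
    for word in candidates:
        if not 8 <= len(word) <= 63:
            continue                      # cannot be a valid WPA passphrase, skip it for free
        tried += 1
        if wpa_psk(word, ssid) == target_pmk:
            return word, tried
    return None, tried


def guesses_for_random_passphrase(alphabet_size, length):
    """Size of the search space for a passphrase chosen uniformly at random."""
    return alphabet_size ** length


# Constructed wordlist. "letmein" is too short to be a WPA passphrase at all.
WORDLIST = ["password", "letmein", "iloveyou", "trustno1", "bsuwireless",
            "correct horse battery staple"]


def demo():
    """A dictionary word falls on the second real guess; a random 24-character
    passphrase survives the whole list (and, by the arithmetic, any list)."""
    weak = offline_guess(wpa_psk("iloveyou", "bsu"), "bsu", WORDLIST)
    strong = offline_guess(wpa_psk("Tq7!vL9#mZ2pXc4@Rk8wYe5^", "bsu"), "bsu", WORDLIST)
    return weak, strong


if __name__ == "__main__":
    print("weak / strong:", demo())
    print("8 lowercase letters:", guesses_for_random_passphrase(26, 8), "guesses")
    print("20 printable chars: ", guesses_for_random_passphrase(95, 20), "guesses")
```

The derivation is the attacker's cost: every guess is 4096 HMAC-SHA1 rounds, which limits a single CPU core to a few thousand guesses per second, enough to exhaust a dictionary in minutes and 26^8 lowercase passphrases in a couple of years, but 95^20 random characters never. The SSID acts as the salt, so a table of precomputed keys only helps against networks whose SSID is common, which is one small argument for not calling your network "linksys".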


Bibliography
Cisco Systems, Inc. Evolution of the Firewall Industry. 28 September 2002. Accessed 28 October 2006 <http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm>.
Cisco Systems, Inc. Why You Need a Firewall. 28 September 2002. Accessed 28 October 2006 <http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch2.htm>.
Jupitermedia. Securing your Wireless Network. 2006. Accessed 30 October 2006 <http://www.practicallynetworked.com/support/wireless_secure.htm>.
Lantronix. Network Switching Tutorial. Accessed 29 October 2006 <http://www.technick.net/public/code/cp_dpage.php?aiocp_dp=guide_networking_switching>.
Microsoft. Virtual Private Networking: Frequently Asked Questions. 21 July 2003. Accessed 30 October 2006 <http://www.microsoft.com/technet/itsolutions/network/vpn/vpnfaq.mspx>.
Nikita Borisov, Ian Goldberg, David Wagner. (In)Security of the WEP algorithm. Accessed 30 October 2006 <http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html>.
Paul D. Robertson, Matt Curtin, Marcus J. Ranum. Internet Firewalls: Frequently Asked Questions. 26 July 2004. Accessed 28 October 2006 <http://www.interhack.net/pubs/fwfaq/>.
Wi-Fi Alliance. Wi-Fi Protected Access White Paper. 29 April 2003. Accessed 30 October 2006 <http://www.wi-fi.org/white_papers/whitepaper-042903-wpa/>.

