Many people wonder why careful design and implementation of corporate LAN and edge features is necessary. There are many answers to this simple question; among them, we need a network that is as resistant as possible to unwanted intrusions while still supporting all our requirements.
We have compiled a list you can use to see how many risks can be mitigated with out-of-the-box features that are usually included at no extra licence cost, and in which cases each feature should be used.
This might come as a surprise or sound funny to some experienced engineers, but in fact there is nothing funny about it: from my professional experience, many systems administrators don't even know what exactly a VLAN is or does. Yes, that's the sad truth, so to the point:
A single broadcast domain for the whole network, or even just for the whole user network, generates unnecessary broadcast traffic, and if a loop forms that traffic is flooded endlessly and can cause a complete service outage.
Secondly, and even more important, a large broadcast domain exposes every host to every other host: ARP, DHCP and other broadcast traffic is visible to all of them, which makes sniffing and man-in-the-middle attacks easier.
Lastly, a lack of VLANs makes administration a mess.
Consider segmenting your network with VLANs. VLANs usually map one-to-one onto IP subnets, so a good approach is to plan and design the segments first and only then make changes. Remember that a good design still pays off many years later, so think about IP address summarization and design subnets that are large enough but not oversized. Make VLANs and subnets self-explanatory, for example by using the VLAN ID as the third octet of the subnet:
– for subnet 10.20.10.0/24 allocate VLAN 10
– for subnet 10.20.11.0/24 allocate VLAN 11
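Here is how that convention lands in a switch configuration. This is an added example, not configuration from the original post; the Cisco IOS syntax, the site block 10.20.0.0/16, the VLAN names and the port numbers are all assumptions.

```cisco
! Assumed site block 10.20.0.0/16, carved so that VLAN ID == third octet.
! The whole site then summarises to a single route (10.20.0.0/16) upstream.
vlan 10
 name USERS-10.20.10.0
vlan 11
 name USERS-10.20.11.0
vlan 20
 name PRINTERS-10.20.20.0
vlan 30
 name SERVERS-10.20.30.0
!
! Layer 3 gateways: the SVI number, the VLAN ID and the third octet all match,
! so "interface Vlan11" and "10.20.11.1" tell the same story without a lookup.
interface Vlan10
 description Users floor 1
 ip address 10.20.10.1 255.255.255.0
interface Vlan11
 description Users floor 2
 ip address 10.20.11.1 255.255.255.0
!
! Access ports carry exactly one segment; "switchport access vlan" is the
! only place a port-to-subnet mapping has to be maintained.
interface GigabitEthernet1/0/1
 description User port, floor 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Trunks carry only the VLANs that were designed for this link, so a VLAN
! created by mistake on one switch does not silently spread site-wide.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,30
```

`show vlan brief` and `show interfaces trunk` confirm which ports and trunks carry which segment; with the naming convention above, a VLAN whose name does not match its ID stands out immediately.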
Anti-Loop Mechanisms; Delays, drops, annoyance, and more
When a switching loop arises, the troubleshooting game begins: services and systems start showing delays, browsers stop responding, and user complaints put pressure on the IT department. When the broadcast storm that a loop creates is added on top of this, the network can go down completely.
A simple human error, such as an admin plugging a cable into the wrong port, can form a loop.
Running without Spanning Tree (or with it disabled on some ports) is an additional risk, because nothing blocks the redundant path once a loop exists.
Even if the physical network is working well, you can still fall victim to a virtualization administrator's mistake, for example a wrong NIC bundling on a vSwitch, which can create a switching loop just as well. I know of one large outage at a large e-commerce company that was caused by a loop at the virtual machine level (a "test & dev" environment hitting production).
Another risk appears in a physically redundant network: when a blocking switch port stops receiving BPDU frames, STP assumes the redundant path is gone and, after the max-age timer expires, transitions the port to forwarding, creating a loop. The missing BPDUs could be caused, for example, by a unidirectional link failure in which one fibre strand or one direction of the link still works.
Features like Loop Guard prevent this: if a root or alternate port stops receiving BPDUs, instead of transitioning to forwarding it is placed in the STP loop-inconsistent state, which behaves like the blocking state, and it recovers automatically when BPDUs are received again.
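The following configuration is an added example, not the original post's, and shows Loop Guard together with the complementary protections for the failure modes listed above: BPDU Guard for the wrong-port case and UDLD for the unidirectional-link root cause. It assumes Cisco IOS with Rapid PVST+; the port numbers are illustrative only. Loop Guard, BPDU Guard and UDLD are all off by default.

```cisco
spanning-tree mode rapid-pvst
!
! Loop Guard on every root/alternate port: if BPDUs stop arriving, the port
! enters loop-inconsistent (effectively blocking) instead of forwarding, and
! leaves that state on its own when BPDUs reappear.
spanning-tree loopguard default
!
! Edge ports: PortFast so users do not wait for convergence, BPDU Guard so a
! switch (or a cable looped back through a hub) plugged into a user port
! err-disables that port rather than reshaping the tree.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Unidirectional Link Detection on the fibre uplinks attacks the root cause:
! aggressive mode err-disables the port when the peer stops answering, so the
! link is down before STP's max-age timer can let a blocked port forward.
udld aggressive
interface range TenGigabitEthernet1/1/1 - 2
 description Fibre uplinks to distribution
 udld port aggressive
 spanning-tree guard loop
!
! Per-port Loop Guard on a copper uplink that is not an edge port (the global
! default already covers it; shown here as the per-interface form).
interface GigabitEthernet1/0/48
 description Copper uplink
 spanning-tree guard loop
!
! Let a port that tripped BPDU Guard or UDLD come back by itself after
! 5 minutes; otherwise someone has to shut/no shut it by hand.
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
```

`show spanning-tree inconsistentports` lists ports currently held in the loop-inconsistent state, `show udld neighbors` confirms the uplinks are seeing their peer, and `show interfaces status err-disabled` shows what BPDU Guard or UDLD has taken down. Do not enable Loop Guard and Root Guard on the same port; they are mutually exclusive.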
ARP Inspection. Are you sure your data is not intercepted?
ARP is still not understood as well as it should be. It is fundamental knowledge for every network specialist, so to better understand the problem, please read the post first. Because ARP relies on broadcast and has no authentication, it can be abused to violate user confidentiality through a man-in-the-middle attack.
A malicious user in the Ethernet segment can use a few techniques to poison the ARP caches of other devices in the same segment so that they believe the attacker's machine is the trusted gateway. Once the victims send their traffic to the attacker's MAC address instead of the real gateway MAC address, the attacker can intercept the sessions, read the traffic and forward it on so that nobody notices. As an example, the attack can be performed simply by sending a gratuitous ARP reply that maps the gateway's IP address to the attacker's MAC address to the whole broadcast segment.
One of the preventive methods is Dynamic ARP Inspection (DAI), implemented at the Ethernet switch port level. The switch intercepts all ARP messages arriving on untrusted ports and compares the sender MAC and IP pair against the binding table learned by the DHCP Snooping process (or against a static ARP ACL for hosts with fixed addresses). An ARP message whose MAC and IP pair does not match is dropped and logged; a port that exceeds the configured ARP rate limit is put into the err-disabled state.
DHCP Snooping – the mitigation of very popular phishing attacks
DHCP is the standard protocol for obtaining IP addressing dynamically in Ethernet networks. Because it relies on broadcast, just like ARP, DHCP is vulnerable to layer 2 spoofing attacks from anyone present in the same broadcast segment. Such attacks can end in the theft of sensitive information.
A DHCP client accepts the first offer it receives, which is why any host in the same L2 segment can answer DHCP discover/request messages and effectively become a DHCP server. Whether the cause is a user mistake that enables a DHCP server on a workstation OS, an administrator enabling another DHCP server on a network device, or intentional malicious activity, the problem is always serious. An unknown DHCP service can cause legitimate computers to receive fake DHCP offers, and this can lead to:
Service outage, if the offered IP addresses, mask or default gateway are not in the designed scope
Phishing and man-in-the-middle attacks, where the offered DNS server (or default gateway) is one prepared by the attacker
The problem described above is very serious and has a high probability. I can bet that there is no protection against DHCP attacks in 90% of enterprise networks; this is something I recall from my experience. Prevention could be easy, because I think almost all key LAN solution vendors have mechanisms like DHCP Snooping that can be enabled with no extra fee. How does it work? The IT admin divides the Ethernet switch ports into trusted (DHCP server messages are allowed to enter on this port, typically only the uplink towards the DHCP server or relay) and untrusted (DHCP server messages are not allowed to enter, which covers all client-facing ports). When a violation is seen on a port, for example a DHCP Offer arriving on an untrusted port, the switch drops the message and logs the event; a port that exceeds the configured rate of DHCP messages is err-disabled. In parallel, a switch with this feature enabled watches the legitimate DHCP conversations between clients and servers and stores the IP address, MAC address, VLAN, lease time and switch port in the DHCP snooping binding table for further reference. Other mechanisms such as Dynamic ARP Inspection and IP Source Guard make use of this binding table.
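Because Dynamic ARP Inspection and IP Source Guard both consume the binding table that DHCP Snooping builds, one configuration serves this section and the ARP Inspection section above. It is an added example rather than the post's own configuration; it assumes Cisco IOS, VLANs 10 and 11 for users, the uplink on GigabitEthernet1/0/48, and a single static host 10.20.10.5 with MAC 0011.2233.4455 that exists only for illustration.

```cisco
! --- DHCP Snooping ---------------------------------------------------------
ip dhcp snooping
ip dhcp snooping vlan 10,11
! Caveat: by default the switch inserts DHCP option 82 into client requests it
! forwards. Servers and relays that are not expecting option 82 from an access
! switch drop those requests and clients stop getting leases, so turn it off
! unless option 82 is actually in use.
no ip dhcp snooping information option
! Persist the binding table across a reload; otherwise every host has to renew
! its lease before DAI and IP Source Guard let its traffic through again.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Trust only the port that leads to the legitimate DHCP server or relay. All
! other ports are untrusted by default: OFFER/ACK/NAK arriving there is dropped
! and logged (the port is not shut down for that alone).
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP relay
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Dynamic ARP Inspection ------------------------------------------------
! Needs the binding table above: an ARP arriving on an untrusted port whose
! sender IP/MAC pair is not in the table is dropped and logged.
ip arp inspection vlan 10,11
! Extra sanity checks: Ethernet source MAC must equal the ARP sender MAC,
! Ethernet destination MAC must equal the ARP target MAC on replies, and no
! bogus IPs (0.0.0.0, 255.255.255.255, multicast) in sender/target fields.
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP binding, so without an ARP ACL
! their ARP traffic is dropped as invalid. Whitelist them explicitly; packets
! that hit the ACL's implicit deny are still checked against the bindings.
arp access-list STATIC-HOSTS
 permit ip host 10.20.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Client-facing ports ---------------------------------------------------
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 ! The rate limits are what err-disable a port: a host exceeding them (a DHCP
 ! starvation or ARP flooding tool) is shut down rather than just filtered.
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard: only IP packets whose source address matches this port's
 ! binding may enter, so a host cannot spoof another address on the segment.
 ip verify source
!
! Bring err-disabled ports back automatically after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

After a few clients have renewed their leases, `show ip dhcp snooping binding` should list every active host with its MAC, VLAN and port; `show ip arp inspection statistics` and `show ip dhcp snooping statistics` show how many messages have been dropped, which is where a rogue server or an ARP spoofing tool on the segment becomes visible. Enable DHCP snooping before DAI and IP Source Guard, and trust the uplink first: enabling DAI on a VLAN with an empty binding table and an untrusted uplink cuts off every host in it.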
IP Spoofing vs Reverse Path Forwarding
Sometimes, especially during Proof of Concept (PoC) projects or infrastructure audits, network admins start seeing suspicious traffic coming from their internal network that is sourced from IP ranges outside the corporate scope. This may be a sign of malicious activity like IP spoofing, or of misconfigured devices forgotten by IT staff.
There are two general problems associated with IP spoofing.
Junk traffic from bogus sources consumes network resources, and such traffic needs to be stopped as close to its origin as possible.
Deliberate IP spoofing, meaning someone inside the corporate network generates traffic with forged source addresses. Most routing devices forward based only on the destination IP in the packet header, so spoofed traffic is forwarded freely. The bad part is that spoofing lets an attacker hit other systems while hiding the real origin. An example is a DoS attack with a high volume of TCP SYN segments directed at a critical server farm with constantly changing source addresses: if the sources point to subnets or Internet addresses other than the one the attacker sits in, the attacker can quickly exhaust server resources with half-open connections and cause a service outage while remaining invisible, or at least hard to trace back.
To prevent spoofing one can use Unicast Reverse Path Forwarding (uRPF), which verifies the source IP address of each incoming packet against the routing table. In strict mode the packet is allowed only if the route back to its source address points out the same interface the packet arrived on; in loose mode it is enough that any route to the source exists (the default route does not count unless explicitly allowed). If the check fails, the router drops the packet. Strict mode is the right choice on interfaces facing user segments that have a single path; loose mode is the safe choice where routing is asymmetric, such as multi-homed Internet edges, because strict mode there would drop legitimate traffic.
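The following configuration, an added example that is not part of the original post, shows both uRPF modes on the interfaces where each belongs. It assumes Cisco IOS, the user SVIs from the VLAN design above (Vlan10 and Vlan11), an Internet uplink on GigabitEthernet0/0/0, and a hypothetical monitoring probe at 192.0.2.10 that must be exempted.

```cisco
! uRPF is implemented in CEF; without CEF it does nothing.
ip cef
!
! Without uRPF nothing checks sources: a host in 10.20.10.0/24 can send TCP
! SYNs "from" 198.51.100.7 and the router forwards them on destination alone.
!
! Strict mode on a single-homed user segment: a packet is accepted only if the
! best route back to its source points out the interface it arrived on. A SYN
! "from" 198.51.100.7 arriving on Vlan10 is dropped, because the route to that
! source (here the default route) points out the Internet uplink, not Vlan10.
interface Vlan10
 description Users floor 1 - single path, strict uRPF is safe here
 ip address 10.20.10.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Loose mode where return paths may be asymmetric (an Internet edge with two
! providers): the packet passes if ANY route to its source exists. The default
! route is deliberately not counted (no "allow-default"), so sources with no
! specific route, i.e. unallocated or bogon space, are dropped.
interface GigabitEthernet0/0/0
 description Internet uplink - asymmetric return paths, so loose mode
 ip verify unicast source reachable-via any
!
! Exemption list: packets that fail the RPF check are matched against this ACL
! and forwarded if it permits them (hypothetical probe that sources from an
! address not routed back through Vlan11).
ip access-list extended URPF-EXEMPT
 permit ip host 192.0.2.10 any
interface Vlan11
 description Users floor 2 - strict uRPF with an exemption
 ip address 10.20.11.1 255.255.255.0
 ip verify unicast source reachable-via rx URPF-EXEMPT
```

`show ip interface Vlan10 | include verify` confirms the mode on an interface, and `show ip traffic | include RPF` gives the running count of packets dropped by the check; a counter that climbs on a user SVI is exactly the "suspicious traffic from ranges outside the corporate scope" this section started with, now stopped at the first router instead of reaching its target. Apply strict mode on an interface only after confirming that no legitimate traffic arrives there from a source whose return route points elsewhere.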
If you want to read more about the mentioned features, let us know.