Practical Network Scanning

Network protection consideration and design

LAN protection revolves around Layer-2 protection in the OSI model. Each layer of TCP/IP has its own security threats and vulnerabilities. A firewall is one very simple way to protect a LAN, but it only protects against traffic coming from outside. Layer-2 attacks are sourced from inside the LAN.

It is difficult for an outsider to achieve a Layer-2 attack, but never underestimate the power of insiders. Insiders can do more damage than outsiders by launching malicious attacks from inside the network. The proactive deterrence for this is to keep track of your logs and set up your IDS to detect such attacks!

Before going deeper into this topic, let's get an understanding of how network switches work.

Let us examine a topology in a VLAN segment: A, B and C are three hosts connected to three different ports on a single switch. When host A sends data to host B through port Fastethernet0/1, the switch learns that host A is located on port Fastethernet0/1 and records the mapping in its Content-Addressable Memory (CAM) table. If host B has not initiated a connection and has not sent even a single packet, the switch cannot locate host B and will therefore flood the packet originated by A to all ports in the VLAN. Learning by flooding is the basic behavior the switch uses to discover hosts on a network:

Here are the known major Layer-2 attacks:

  • CAM OVERFLOW / MAC FLOODING: Switches store MAC addresses in a CAM table. Memory size varies by model and capacity, but it is always limited. It is very possible to flood a network switch with fictitious MAC address data. The switch, not knowing how to handle the excess entries, falls into a trap and starts acting as a hub. After the attack, a program like Wireshark or any other generic sniffer can listen to all the traffic on the network, because the switch is now forwarding data out of all other ports. Macof is a member of the dsniff suite and is mainly used to flood a switch on the local network with MAC addresses. Macof generates thousands of packets per second, each sent with random source and destination IP addresses, and the source and destination MAC addresses are also different for each Ethernet frame.
  • CAM Flood Protection and Defensive Measures: The port security feature can be used to protect a network against this kind of attack by limiting the number of MAC addresses allowed on an interface. Port security is built into Cisco IOS and allows you to shut the port down if the switch receives more than a configured number of MAC addresses on one port.

A Nexus 3064 switch can hold 128k entries. The total number of MAC addresses learned by this switch can be viewed using this command:

A Cisco IOS 2960 switch can hold 8k entries:

As soon as the macof attack is launched, the number of available entries drops to zero and the switch starts acting as a hub.

You can limit the number of MAC addresses learned on a switch interface and define the violation action. Keep in mind that this is a simple step to secure a user port; in data center environments where virtualization is used, many more MAC addresses are expected to be learned on the same switch port:

This is a virtualized environment in which multiple MACs are legitimately learned on the same interface. This is not an attack, but you can still limit the number of MACs in accordance with the design guide:
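To make the CAM behavior and the port-security defense concrete, here is a small simulation added for this section; it is not code from the book or from any switch vendor. It models a learning switch with a bounded CAM table, replays a constructed burst of bogus source MACs on one port, and shows that without a per-port limit a legitimate A-to-B frame is flooded out of every port, whereas with a port-security limit (violation action "shutdown") the offending port is err-disabled and unicast forwarding stays intact. All port numbers, MAC values and the CAM size of 64 are constructed for the illustration.

```python
"""Toy model of CAM learning, CAM overflow and port security (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Minimal learning switch: a bounded CAM table plus optional per-port MAC limits."""
    ports: int
    cam_capacity: int
    port_security_max: dict = field(default_factory=dict)  # port -> max MACs allowed
    cam: dict = field(default_factory=dict)                 # MAC -> port (insertion ordered)
    err_disabled: set = field(default_factory=set)          # ports shut down by a violation
    seen_per_port: dict = field(default_factory=dict)       # port -> set of source MACs seen

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for a frame ([] when the frame is dropped)."""
        if in_port in self.err_disabled:
            return []
        # Port security: count distinct source MACs on this ingress port.
        seen = self.seen_per_port.setdefault(in_port, set())
        seen.add(src_mac)
        limit = self.port_security_max.get(in_port)
        if limit is not None and len(seen) > limit:
            self.err_disabled.add(in_port)  # violation action "shutdown"
            return []
        # CAM learning: a full table simply cannot record new source addresses.
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None:
            # Unknown destination: flood to every other live port in the VLAN (hub behavior).
            return [p for p in range(1, self.ports + 1)
                    if p != in_port and p not in self.err_disabled]
        return [out] if out != in_port else []


def cam_overflow_scenario(port_security=False):
    """Flood port 3 with bogus MACs, then see where a legitimate A->B frame goes."""
    sw = Switch(ports=4, cam_capacity=64,
                port_security_max={3: 5} if port_security else {})
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"   # constructed host MACs
    sw.forward(1, a, b)      # A on port 1 talks first; B is still unknown
    # Constructed attack traffic: 200 frames from port 3, each with a fresh source MAC.
    for i in range(200):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(3, bogus, "ff:ff:ff:ff:ff:ff")
    sw.forward(2, b, a)      # B on port 2 replies; with a full CAM it cannot be learned
    egress = sw.forward(1, a, b)
    return {"egress_for_a_to_b": egress,
            "cam_entries": len(sw.cam),
            "err_disabled": sorted(sw.err_disabled)}


if __name__ == "__main__":
    print("no port security :", cam_overflow_scenario(False))
    print("port security max 5:", cam_overflow_scenario(True))
```

Without port security the A-to-B frame is flooded to ports 2, 3 and 4 because B's address never made it into the full CAM table; with a limit of five MACs on port 3 the sixth bogus address err-disables that port, the CAM holds only seven entries, and the frame is delivered to port 2 alone.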

ARP SPOOFING: Address Resolution Protocol (ARP) is the protocol used to find the unknown MAC address that belongs to a known IP address. Every device that needs to communicate on the network broadcasts ARP queries on the segment to find out other machines' MAC addresses. In simple terms, for any communication on an IP network, we need to know the MAC address of the next hop in order to place the packet on the wire.

There are two types of ARP messages that can be sent:

  • ARP request
  • ARP reply

In an ARP request, the sender broadcasts the request to all computers in the subnet in order to discover the MAC address of the targeted IP address.

In an ARP reply, the target system sends the reply to the sender, giving the MAC address.

For example, the spoofed target may be the internet gateway router, whose MAC address the attacker impersonates. One way to divert traffic would be to put the same IP on another device, but this causes IP duplication and may alert the network administrator. Routers transmit very few ARP requests because their ARP cache timeout may be very long (for example, the default Cisco router configuration keeps entries for eight hours). All of this magic happens with gratuitous ARP, an unsolicited ARP message in which a host broadcasts its own IP-to-MAC mapping to the entire network. In this case, attackers send Gratuitous ARP (GARP) to poison the ARP table on the victim's machine:

The preceding diagram demonstrates the normal process for learning the MAC address of the gateway. The victim's host sends an ARP request for the default gateway 192.168.1.1 and gets a response containing the MAC address CC:CC:CC:CC:CC:

The attacker sends a G-ARP telling the victim that the attacker's MAC now owns the default gateway 192.168.1.1, and likewise claims the victim's source IP 192.168.1.2 towards the gateway. This is where the game begins: the communication can now be hijacked with a sniffer, because the victim and the internet gateway exchange all their traffic through the attacker's PC without either party noticing.
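The two ARP message types and the gratuitous-ARP poisoning sequence just described can be watched for passively. The following detector is an example added to this section, not code from the book: it keeps a static, trusted binding for the gateway (the book shows the gateway MAC as CC:CC:CC:CC:CC; a full six-octet cc:cc:cc:cc:cc:cc is assumed here), learns other bindings dynamically, and raises an alert when a reply claims a trusted IP with a different MAC or when a gratuitous ARP changes an already-known binding. The captured messages, the victim MAC aa:aa:aa:aa:aa:aa and the attacker MAC ee:ee:ee:ee:ee:ee are constructed for the illustration.

```python
"""Passive ARP-spoof detector run over a constructed capture (example, not from the book)."""
from dataclasses import dataclass

GATEWAY_IP = "192.168.1.1"
# Assumption: full six-octet form of the gateway MAC shown in the diagram text.
TRUSTED_BINDINGS = {GATEWAY_IP: "cc:cc:cc:cc:cc:cc"}


@dataclass(frozen=True)
class Arp:
    """The fields of one ARP message that matter for detection."""
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def is_gratuitous(pkt):
    """Gratuitous ARP: a host announces its own binding, so sender IP == target IP."""
    return pkt.sender_ip == pkt.target_ip


class ArpMonitor:
    """Tracks IP->MAC bindings seen on the wire and flags suspicious changes."""

    def __init__(self, trusted):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned = {}     # dynamically learned ip -> mac
        self.alerts = []

    def inspect(self, pkt):
        """Process one ARP message; return True if it looks benign."""
        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        # Static bindings (gateway, servers) never legitimately move to another MAC.
        if ip in self.trusted and self.trusted[ip] != mac:
            self.alerts.append(f"SPOOF: {ip} claimed by {mac}, trusted MAC is {self.trusted[ip]}")
            return False
        prev = self.learned.get(ip)
        if prev is not None and prev != mac:
            kind = "GRATUITOUS" if is_gratuitous(pkt) else "CHANGE"
            self.alerts.append(f"{kind}: {ip} moved from {prev} to {mac}")
            return False
        self.learned[ip] = mac
        return True


# Constructed capture: normal request/reply, then the two poisoning announcements.
CAPTURE = [
    Arp("request", "192.168.1.2", "aa:aa:aa:aa:aa:aa", GATEWAY_IP, "00:00:00:00:00:00"),
    Arp("reply", GATEWAY_IP, "cc:cc:cc:cc:cc:cc", "192.168.1.2", "aa:aa:aa:aa:aa:aa"),
    Arp("reply", GATEWAY_IP, "ee:ee:ee:ee:ee:ee", GATEWAY_IP, "ff:ff:ff:ff:ff:ff"),      # GARP for gateway IP
    Arp("reply", "192.168.1.2", "ee:ee:ee:ee:ee:ee", "192.168.1.2", "ff:ff:ff:ff:ff:ff"),  # GARP for victim IP
]


def run_example(capture=CAPTURE):
    """Feed the capture through the monitor and return the alerts it raised."""
    mon = ArpMonitor(TRUSTED_BINDINGS)
    for pkt in capture:
        mon.inspect(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The first two messages are the normal exchange from the diagram and raise nothing; the third trips the static-binding check because the gateway IP arrives with a MAC other than cc:cc:cc:cc:cc:cc, and the fourth is a gratuitous announcement that moves the victim's IP to the attacker's MAC. On real switches the equivalent control is Dynamic ARP Inspection backed by DHCP snooping bindings; this script shows the same logic on a capture.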

WAN protection: A WAN is geographically distributed connectivity that joins multiple networks. A typical WAN may consist of connections to an internet service provider's multiple locations, internet connectivity between ISPs, connectivity to branch offices, colocation facilities, cloud services, public internet connectivity, and other locations. Examples include MPLS WAN, internet WAN, private leased lines, IPLC circuits, and dark fiber circuits.

To protect the confidentiality and integrity of data travelling over the WAN, we need to ensure the data is encrypted. Over internet VPNs, IPsec and SSL encryption can provide comprehensive protection.

All MPLS service providers use the term Virtual Private Network (VPN), which suggests some level of security. In reality, MPLS does not provide encryption by default; the technology allows service providers to keep separate routing tables for each customer. Attackers cannot directly gain access to an MPLS customer network, but they might gain access to the provider's core network, and the lack of built-in encryption means an attacker there could sniff data and analyze it. In case the core network is compromised, IPsec offers additional security over an MPLS network.

When planning for encryption, we need to decide which layer we want to encrypt.

Why encrypt Layer-1? 

Encrypting IP data traffic at higher layers can significantly increase the latency between two network nodes, while Layer-1 encryption gives extremely low latency and high throughput. With the rise of 100 Gigabit (and beyond) network connectivity, the desired results can be achieved by encrypting data at Layer-1. Network and encryption management also become more complex with higher-layer encryption: more devices to manage and more complex encryption key management. Optical encryption covers the encryption and decryption process together with key distribution between the transmitter and receiver.

The major use case is data center interconnect (DCI) over dark fiber:

Why encrypt Layer-2?

An Ethernet encryptor that encrypts the network at Layer-2 is the best option for securing an Ethernet-based VPN. The tapping of networks is a common and unpreventable practice. Layer-2 encryption is processed in hardware, operates at almost full wire speed, and adapts to L2 topologies (point-to-multipoint and multi-mode links):

MACsec offers Layer-2, hop-by-hop encryption. Every hop device decrypts and re-encrypts the frames, and the IP header and IP payload are encrypted in transit: if you look at a frame on the wire, you will only see the Layer-2 header and nothing else. MACsec is the IEEE 802.1AE standard for authenticating and encrypting frames between two MACsec-capable devices. Not all switches support MACsec, so check switch capabilities before implementing it.

TrustSec uses AES-128 in GCM and GMAC modes (Galois/Counter Mode with 128-bit AES). MACsec can be configured towards hosts; this mode is called Downlink MACsec. MACsec also works between switches; this mode is called Uplink MACsec.

For downlink mode, the host needs a NIC that supports MACsec, or Cisco relies on software on the connected host:

Why encrypt Layer-3? 

The public internet is cheap and more flexible. Keeping in mind that the public internet is not safe, IPsec provides a lot of flexibility to encrypt data and a framework that maintains confidentiality, integrity, authentication, and anti-replay protection. IPsec offers a standards-based end-to-end encryption solution that is agnostic to the underlying physical network infrastructure. IPsec also has several limitations, including the fact that it does not support non-IP traffic flows such as data center storage protocols like Fibre Channel (FC).

IPsec encryption takes place at the network layer (Layer-3) of the OSI model. Layer-2 and Layer-1 encryption technologies provide bump-in-the-wire encryption with full throughput at line rate and far lower latency than IPsec VPNs, which operate at Layer-3. Layer-3 encryption is a better choice for low-bandwidth environments: