7 Attacks on Local Networks - Examples and Solutions

The security of network elements was underestimated and neglected by companies for a long time. Recently the trend has changed, and many companies are now aware of the significance and consequences of the potential threats. Attacks that originate inside the network already outnumber attacks coming from outside. That is why we deal with the security of Access Switches: the users have direct physical access to their ports, and that is where the risk of many different types of attacks arises.

Examples of possible attacks on switches:

Potential solutions:

  1. Port Security

Port Security is the simplest way to secure a port: the switch checks the MAC addresses (Media Access Control) of the devices connected to the port. When a configured rule is violated, the switch performs the action that was set up for that port.

There are three possible responses to a violation (on Cisco switches they are called protect, restrict and shutdown):

In this way a given physical port is tied to a fixed virtual network (VLAN). The result is a fixed binding of a group of MAC addresses and one VLAN to the given access port.

For large enterprise networks the previous solution is not sufficient; they require more complex, integrated solutions, such as port-based network access control according to the IEEE 802.1X standard.

On a Cisco switch, Port Security is configured as follows. First enable the feature on the port with the command "switchport port-security" (the port must be a static access or trunk port, not a dynamic one). By default only one MAC address is allowed on the port; the allowed number of addresses is changed with "switchport port-security maximum N". Addresses can be learned dynamically or configured manually with "switchport port-security mac-address MAC-ADDRESS". The "sticky" keyword ("switchport port-security mac-address sticky") makes the switch write dynamically learned addresses into the running configuration, so they are kept once the configuration is saved. Finally, as mentioned above, define the action the switch takes on a violation with "switchport port-security violation {protect | restrict | shutdown}". The whole configuration is shown in the following figure.

[Figure: Example of the Port Security configuration on a Cisco switch]
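As an added example (it is not the page's figure or configuration), the complete Port Security setup of one access port on a Cisco IOS switch. The interface name, the VLAN number and the MAC address are assumed values:

```cisco
! Added example: Port Security on a user-facing access port.
! GigabitEthernet0/5, VLAN 10 and the MAC address are assumed values.
interface GigabitEthernet0/5
 description User access port
 ! Port Security requires a static access (or trunk) port, not dynamic mode.
 switchport mode access
 switchport access vlan 10
 ! Enable the feature; without "maximum" only one MAC address is allowed.
 switchport port-security
 ! Allow a PC behind an IP phone: two addresses on this port.
 switchport port-security maximum 2
 ! One address is configured manually ...
 switchport port-security mac-address 0011.2233.4455
 ! ... the other is learned dynamically and written to the running-config ("sticky").
 switchport port-security mac-address sticky
 ! Violation action: drop offending frames, count and log them, keep the port up.
 ! Alternatives: "protect" (drop silently) and "shutdown" (err-disable the port; the default).
 switchport port-security violation restrict
!
! With the "shutdown" mode a violated port goes to err-disabled state and must be
! recovered manually ("shutdown" / "no shutdown") or automatically:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface GigabitEthernet0/5
! show port-security address
```

The "restrict" mode is usually the better choice on user ports, because it generates a syslog message and a violation counter without taking the port down; "shutdown" is stricter but turns every violation (including a user plugging in a second laptop) into a help-desk ticket.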

  2. DHCP Snooping

DHCP Spoofing is a network attack in which an attacker on the local network forges DHCP messages (for example by running a rogue DHCP server that hands out altered network parameters) to deceive the victim, for example by assigning it a different default gateway. The attacker thereby redirects the victim's traffic through their own machine and can subsequently intercept all of the victim's outgoing traffic.

Another attack on the DHCP server is exhausting its address pool (DHCP Starvation). The attacker sends a large number of forged address requests, each with a different client MAC address, until the pool runs out and legitimate clients no longer receive an address. The two attacks are often combined: once the legitimate server has no addresses left, only the attacker's rogue server answers.

DHCP Snooping is the defense against DHCP Spoofing. It is configured on the switches to which the end stations are directly connected (the Access Switches). The switch listens to the DHCP traffic on its ports and treats each port as either trusted or untrusted: DHCP server messages (OFFER, ACK, NAK) are forwarded only when they arrive on a trusted port and are dropped on untrusted ports, which neutralises the attacker's rogue DHCP server. Trusted ports are set manually by the administrator, and usually only the port (or uplink) leading to the legitimate DHCP server is trusted. Cisco switches allow DHCP Snooping to be enabled for any number of VLANs, trusted ports to be defined, and the rate of DHCP packets on untrusted ports to be limited (in packets per second, PPS) so that a DHCP Starvation attack cannot overload the server. An example configuration of DHCP Snooping is in the following figure.

[Figure: An example of a DHCP Snooping configuration on a Cisco switch]

With the DHCP Snooping Binding Database (see the figure below) the switch can also protect against other types of attacks on the local network. Once the feature is enabled, the switch builds a table that records, for each client, its MAC address, its IP address, the lease time, the port on which it communicates, the virtual network (VLAN) it belongs to, and the way the entry was added (manually or dynamically). DAI (Dynamic ARP Inspection) uses this information to protect against ARP Cache Poisoning.

[Figure: Enabling the DHCP Snooping Binding Database feature on a Cisco switch]
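As an added example covering both the DHCP Snooping configuration and the binding database described above (it is not the page's figure), a Cisco IOS configuration for two user VLANs. The interface numbers, the VLAN IDs and the database location are assumed values:

```cisco
! Added example: DHCP Snooping for user VLANs 10 and 20.
! Interface numbers, VLAN IDs and the database file name are assumed values.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! The switch inserts DHCP option 82 by default; many DHCP servers drop such
! packets when no relay agent is in the path, so disable it unless the server needs it.
no ip dhcp snooping information option
!
! Only the uplink towards the legitimate DHCP server is trusted. Server messages
! (OFFER, ACK, NAK) arriving on any other port are dropped.
interface GigabitEthernet0/24
 description Uplink to distribution switch / DHCP server
 ip dhcp snooping trust
!
! User ports stay untrusted (the default) and are rate limited, so that a DHCP
! Starvation attack cannot flood the server; exceeding the rate err-disables the port.
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 10
!
! Persist the binding database, otherwise the bindings (and with them DAI and
! IP Source Guard) are lost on reload; a tftp:// URL is accepted here as well.
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 30
!
! Verification:
! show ip dhcp snooping
! show ip dhcp snooping binding
```

The output of "show ip dhcp snooping binding" lists exactly the columns the text describes: MAC address, IP address, remaining lease, entry type (dhcp-snooping or static), VLAN and interface. If the DHCP server sits behind a trunk to a distribution switch, that trunk is the port to trust; a trunk that is left untrusted silently breaks address assignment for every client on the access switch.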
  3. Dynamic ARP Inspection

ARP Cache Poisoning is an easy-to-implement and hard-to-detect attack based on forged replies of the ARP protocol (Address Resolution Protocol). ARP maps IP addresses to MAC addresses within the local network. By sending fake replies, an attacker can cause the victim's traffic to be redirected to the attacker's machine, which can then eavesdrop on the victim's complete communication with the other stations on the network.

This attack can be detected (and prevented) by a switch that supports the DAI function.

The attack can be carried out from a PC with, for example, the Cain&Abel tool (www.oxid.it) or Ettercap (http://ettercap.sourceforge.net/).

DAI is the defense against ARP Cache Poisoning. It uses the tables built by DHCP Snooping. If an ARP packet arrives on a trusted port, it is forwarded without inspection. If it arrives on an untrusted port, it is inspected: for an ARP Request the switch checks whether the sender MAC address and the sender IP address of the requesting computer belong together, and forwards the packet only if they do; otherwise it is discarded. For an ARP Reply it checks in the same way that the MAC and IP address of the computer answering the request belong together. The valid IP-to-MAC combinations are taken from the database created by the DHCP Snooping feature. The command that enables DAI is shown in the following figure.

[Figure: Turning on the DAI function on a Cisco switch]

The next figure shows the command that marks an interface as trusted, so that ARP packets arriving on it (typically the uplink towards the rest of the network) are forwarded without DAI inspection.

[Figure: Turning off DAI inspection on a trusted Cisco switch interface]

IP Source Guard is similar to DAI, but instead of forged MAC addresses it filters forged source IP addresses: it blocks IP packets with unauthorised source addresses on a port. It is enabled per port and also uses the DHCP Snooping Binding Database. Until a binding exists for the port, only DHCP traffic is allowed; afterwards only packets whose source IP address (and optionally also source MAC address) match the binding are forwarded. The command that enables IP Source Guard is shown in the following figure.

[Figure: Enabling IP Source Guard on a Cisco switch]
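As an added example serving the DAI, trusted-interface and IP Source Guard commands described above (it is not the page's figures), a Cisco IOS configuration that builds on the DHCP Snooping bindings of VLANs 10 and 20. The interface names, the VLAN IDs, the static host's IP and MAC address and the ARP ACL name are assumed values:

```cisco
! Added example: Dynamic ARP Inspection and IP Source Guard on an access switch
! that already runs DHCP Snooping for VLANs 10 and 20. Names and addresses are assumed.
ip arp inspection vlan 10,20
! Additionally check that the Ethernet source/destination MAC matches the ARP body
! and that the IP addresses are not 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses (printers, servers) are not in the binding database,
! so their ARP packets would be dropped on untrusted ports. Permit them with an ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.250 mac host 00aa.bbcc.dd01
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink: ARP packets are forwarded without inspection ("turning off DAI" on that port).
interface GigabitEthernet0/24
 description Uplink to distribution switch
 ip arp inspection trust
!
! User ports: inspected and rate limited (15 pps is the default on untrusted ports);
! a port that exceeds the rate is err-disabled.
interface range GigabitEthernet0/1 - 23
 ip arp inspection limit rate 15
errdisable recovery cause arp-inspection
!
! IP Source Guard on one user port. Until a DHCP binding exists for the port only DHCP
! traffic passes. The "port-security" keyword also matches the source MAC address and
! requires Port Security on the interface (newer IOS releases spell it "mac-check").
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Verification:
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
! show ip source binding
```

Two checks worth making before enabling DAI on a production VLAN: confirm with "show ip dhcp snooping binding" that every active host actually has a binding (a host that obtained its lease before snooping was enabled has none until it renews), and add every statically addressed host to the ARP ACL, otherwise DAI will drop its traffic exactly as if it were an attacker.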
[Figure: Example topology used in the tasks simulating attacks on the local network]