Network Attacks, Architecture and Isolation
Network Isolation:
Network isolation means physically or logically placing devices on separate networks and restricting their ability to communicate with each other.
Why Network Isolation?
If all devices are on the same network and one of them is compromised by an attacker, the other devices can be compromised too. This is where network isolation comes into play, so that the rest of the network remains safe from the attacker's attack.
What can an attacker do if they are on the network?
· Local sniffing or snooping
o Simply observing and recording the traffic that crosses the network, which is not desirable
· Perform Man In The Middle (MITM) attacks
o Inject and manipulate the network traffic
Eg.
SSL Stripping — remove the encryption
If HTTP is used, they can literally insert malicious code into the traffic, which can attack your browser and attempt to compromise it
· Attacking devices directly by targeting their open ports
Network Attacks:
Working of Switches:
· Switches keep a table of Ethernet MAC addresses, called the MAC table
· A switch uses the unique MAC address of each device to send traffic to its destination on the LAN
· It works on the data link layer (Layer 2)
· Once data is travelling on the local network, the IP address is not used any more; the MAC addresses are used to find the traffic's destination on the local network
· Switches are more secure than hubs because switches have an isolated collision domain per port. That means you can't simply sniff all the traffic on the network through a switch, because traffic only gets forwarded to the correct LAN port based on the MAC address
· So when traffic goes into the switch or router, the switch knows the destination MAC address, so instead of sending the data to all devices it sends it to that one physical port and down that wire
· So anyone else plugged into that switch won't receive that data.
· That's the isolated collision domain.
MITM Attacks:
· On an Ethernet network connected via a switch, it is relatively easy to perform MITM attacks
· An attacker fools all the devices on the network into believing that the attacker is the default gateway (the router) by abusing the Address Resolution Protocol (ARP)
· The attacker can then observe, record, inject and manipulate traffic.
· On a Wi-Fi network, traffic can also be manipulated in this way
· If we have a hub instead of a switch, we can observe the traffic anyway
· But if we want to perform injection and manipulation, we still need to perform ARP spoofing
ARP Attacks:
Working of ARP:
The Address Resolution Protocol resolves a network layer IP address into a data link layer MAC address.
ARP broadcasts a frame requesting the MAC address for the IP address it has.
The device with that IP replies with its MAC address.
The reply is then added to the ARP cache (ARP table). Tools such as arpspoof and Ettercap, available on Linux, and Cain & Abel, available on Windows, abuse this behaviour.
An attacker, or malware with similar functionality, on the network could fool all the devices on the network into believing that the attacker's MAC address is the correct one for the router's IP address.
The attacker can now see all of the victim's traffic and perform all the attacks described above: manipulation, injection, SSL stripping, attacking the browser, etc.
The ARP protocol can also be used to perform DoS (Denial of Service) attacks.
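As an added example (not code from the original article), the following Python monitor performs the kind of check that host-side tools such as Arpwatch do: it keeps its own IP-to-MAC record built from observed ARP replies and raises an alert when an IP address, above all the gateway's, suddenly maps to a different MAC address, or when a single MAC address claims several IP addresses. The ARP replies and the gateway address are constructed sample data; on a real host the replies would come from a packet capture.

```python
"""Arpwatch-style detection of ARP cache poisoning (added example)."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the example network

# Constructed sample of observed ARP replies as (time_s, sender_ip, sender_mac).
# The reply at t=12 is the situation the article describes: a different MAC
# address now claims to own the router's IP address.
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),
    (1, "192.168.1.20", "00:11:22:33:44:20"),
    (2, "192.168.1.21", "00:11:22:33:44:21"),
    (12, "192.168.1.1", "00:11:22:33:44:99"),   # gateway MAC changed
    (13, "192.168.1.20", "00:11:22:33:44:99"),  # same MAC now claims a host too
]


class ArpMonitor:
    """Learns IP->MAC pairs from ARP replies and records anomalies."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                  # learned IP -> MAC
        self.mac_to_ips = defaultdict(set)   # MAC -> set of IPs it has claimed
        self.alerts = []                     # (time, severity, message)

    def observe(self, t, ip, mac):
        mac = mac.lower()
        old = self.ip_to_mac.get(ip)
        if old is None:
            self.ip_to_mac[ip] = mac         # first time we see this IP
        elif old != mac:
            # A changed MAC for the gateway is the classic MITM symptom.
            sev = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            self.alerts.append((t, sev, f"{ip} changed {old} -> {mac}"))
            self.ip_to_mac[ip] = mac         # record the new claim, like arpwatch does
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            ips = sorted(self.mac_to_ips[mac])
            self.alerts.append((t, "WARNING", f"{mac} claims multiple IPs {ips}"))


def run_monitor(replies, gateway_ip=GATEWAY_IP):
    """Feed a sequence of replies to a fresh monitor and return it."""
    mon = ArpMonitor(gateway_ip)
    for t, ip, mac in replies:
        mon.observe(t, ip, mac)
    return mon


if __name__ == "__main__":
    for t, sev, msg in run_monitor(SAMPLE_REPLIES).alerts:
        print(f"t={t:>3}s {sev:8} {msg}")
```

The first three replies are clean and produce no alerts; the poisoned reply at t=12 produces a CRITICAL alert for the gateway, and the reply at t=13 produces two warnings (a changed MAC for the host and one MAC claiming two IPs). A real deployment would also want a static, known-good entry for the gateway so the very first claim for it can be checked rather than trusted.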
Effective Network Isolation (How to Protect your Network against attacks)
Having separate routable networks for devices with different levels of trust
· This can be implemented with a:
Router
Firewall — may be the same device or a separate one
Switch
Wireless devices — through a WiFi access point, which can also be a router
1. DMZ
Stands for De-Militarized Zone
It is a special type of network used when certain services, such as a web server, are directly connected to the internet.
If we place such servers or devices in a separate network, the rest of the network is protected: untrusted clients that reach the DMZ cannot access the other devices.
Eg. We can have an FTP server that is reachable from the internet.
The FTP server is placed in the DMZ so that when clients upload or download files, they only have access to the FTP server and not to the other devices or services.
Hence, the DMZ provides an extra layer of security to the network
2. VLANs
Stands for virtual LANs
They create a separate network for a group of devices
They segregate the network and create a private network within a public network
Eg. In a university there is one common LAN for all departments, but there is a requirement to segregate the network for the different departments.
o Here we create virtual LANs and place the different departments in different VLANs, so that devices in one department are not able to communicate with devices in another VLAN
3. Install protection software on laptops/devices, such as:
· Netcut
· Tuxcut
· Sniffdet
· XArp
· Arpwatch
4. Port Security
· On Cisco devices, prevents unauthorized access to switch ports by specifying the MAC addresses that are allowed on each port
5. IEEE 802.1AE
· MAC Security standard, or MACsec
· Enables authentication, encryption and other services
6. IEEE 802.1X
· Provides PNAC (Port-Based Network Access Control)
· That means devices need to authenticate before connecting to the network
7. DHCP Snooping
· Feature of Cisco switches
· Builds a table of IP address to MAC address bindings, similar to an ARP table
· Can be used with other security measures such as port security
8. VPN
· We can create a virtual encrypted network on top of the physical network using VPNs
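To make the port security and DHCP snooping items above concrete, here is an added Python model (not code from the article and not a Cisco implementation) of what a switch does with those two features: port security keeps a per-port allow-list of MAC addresses with a maximum count and disables the port on a violation, and DHCP snooping records the IP/MAC/port binding of every lease handed out through a trusted uplink, refuses DHCP server replies arriving on untrusted ports, and lets the switch check whether an ARP reply on an untrusted port really comes from the host that was leased that address (on Cisco switches this last cross-check is the Dynamic ARP Inspection feature). All port names, MAC addresses and IP addresses are constructed for the example.

```python
"""Port security plus a DHCP snooping binding table, modelled in Python (added example)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trusted: bool = False        # trusted = uplink towards the real DHCP server
    max_macs: int = 1            # port-security maximum number of MACs
    allowed: set = field(default_factory=set)
    shutdown: bool = False       # violation action: err-disable the port


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}       # DHCP snooping table: ip -> (mac, port)
        self.log = []

    # Port security: learn source MACs on an access port up to the maximum;
    # one more MAC than allowed is a violation and shuts the port down.
    def frame_in(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.shutdown:
            return False
        if port.trusted or src_mac in port.allowed:
            return True
        if len(port.allowed) < port.max_macs:
            port.allowed.add(src_mac)        # "sticky" learning of the first MAC
            return True
        port.shutdown = True
        self.log.append(f"port-security violation on {port_name}: {src_mac}")
        return False

    # DHCP snooping: only trusted ports may carry server replies; every
    # accepted lease becomes a binding of ip -> (client mac, client port).
    def dhcp_ack(self, server_port, client_port, client_mac, ip):
        if not self.ports[server_port].trusted:
            self.log.append(f"dropped DHCP server reply on untrusted {server_port}")
            return False
        self.bindings[ip] = (client_mac, client_port)
        return True

    # Use the binding table to validate an ARP reply seen on an untrusted port:
    # the sender IP must be bound to exactly this MAC on exactly this port.
    def arp_reply(self, port_name, sender_ip, sender_mac):
        port = self.ports[port_name]
        if not self.frame_in(port_name, sender_mac):
            return False
        if port.trusted:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port_name):
            self.log.append(f"invalid ARP on {port_name}: {sender_ip} is not bound to {sender_mac}")
            return False
        return True


def demo():
    """Constructed scenario: one trusted uplink (Gi0/1) and two access ports."""
    sw = Switch([Port("Gi0/1", trusted=True), Port("Gi0/2"), Port("Gi0/3")])
    sw.dhcp_ack("Gi0/1", "Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.0.2")
    sw.dhcp_ack("Gi0/1", "Gi0/3", "aa:aa:aa:aa:aa:03", "10.0.0.3")
    results = {
        # host on Gi0/2 answers for its own leased address: accepted
        "legit": sw.arp_reply("Gi0/2", "10.0.0.2", "aa:aa:aa:aa:aa:02"),
        # host on Gi0/3 claims the gateway address it was never leased: rejected
        "spoof_gateway": sw.arp_reply("Gi0/3", "10.0.0.1", "aa:aa:aa:aa:aa:03"),
        # DHCP server reply arriving on an access port (rogue server): dropped
        "rogue_dhcp": sw.dhcp_ack("Gi0/3", "Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.0.50"),
        # second MAC appears on Gi0/3 with max_macs=1: violation, port disabled
        "second_mac": sw.frame_in("Gi0/3", "aa:aa:aa:aa:aa:ff"),
    }
    return sw, results


if __name__ == "__main__":
    sw, results = demo()
    print(results)
    print("\n".join(sw.log))
```

Note that the gateway (10.0.0.1) never appears in the binding table because it does not obtain its address through DHCP; a real deployment has to add static bindings (or an ARP access list) for such hosts, otherwise their legitimate ARP replies on untrusted ports would be dropped too.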