Three Common Network Attacks—And Why Your Firewall Can’t Help

By Charles Stizza| June 25, 2010

Most people understand why one of the most important aspects of a technology solution is the need for security. Oddly enough, one area in particular that is neglected most often is the switching ("Layer 2") domain within an organization.

Why is this so often neglected? It could be due to a lack of awareness. Also, while most organizations are willing to invest in a firewall solution, the general impression is that the most significant attack vector is from the outside. But there’s more to this story.

Here are three types of attacks that your Internet firewall, not matter how good, generally can't stop:

VLAN Hopping: This is when an attacker gains access to the restricted network segment (VLAN) by manipulating a misconfigured access layer switch using tagged frames to masquerade traffic where it should not be. This is the equivalent of Tom Cruise using spy masks in the movie Mission Impossible to trick his foes into providing him with access to vital information and documents.

ARP Poisoning: An attacker replies to ARP requests on behalf of another host and is able to intercept traffic bound for it. Think of this as someone going to your mailbox, reading your mail, then placing the mail back into your mailbox. Only in this case what is being read is all of the data being sent to and from your workstation or server.

MAC Flooding: An attacker floods the network with an invalid MAC address in an attempt to max out the switch CAM table. Once this occurs, the switch becomes like a hub and will allow sniffing of ALL data frames on the network segment. This is like a person (we all know one!) who is normally reserved and quiet, but when they have a bit too much to drink they starting spilling the beans about anything and everything, even stuff you don't care to hear. If you feed a switch too much Layer 2 data, it starts blabbing.

As you would guess, there is a solution for every single one of these exploits, but is your network protected against them?  If I was a betting person--and based on experience--my answer would be, "Probably not."  The good news is that securing your internal network can generally be done by leveraging the functionality built into your current hardware.

Now let me counter these three attacks with three solutions that can be used to protect your Layer 2 domain. It should be noted that most vendors support their own iteration of this feature but may go by slightly different names, so as always, consult documentation.

SOLUTION 1 - DHCP Snooping: This strategy, generally used in conjunction with DARP (Dynamic Arp Inspection) will keep connected workstations honest. Think of this as the ultraviolet light used to spot counterfeit money.

SOLUTION 2 - Port Security: This feature limits a connected host to a specific MAC address entry. In the case of MAC flooding, the port can discard source addresses above an allocated limit. This feature is easy to set up and very effective.

SOLUTION 3 - Static VLAN membership: I can't emphasize how important it is to remove ALL traces of dynamic trunking/tagging negotiation on your network. Tagged frames should never have the possibility to be on user facing ports. (There is one exception to this in the instance of voice VLANs, but when done properly, it does not create the security dilemma at issue.)

Obviously this list is only the tip of the iceberg. NAC, 802.1X, VMPS and RADIUS are a few of the more robust methods being used. But I wanted to emphasize solutions that likely require no additional hardware. What strategies have you used to secure your internal resources?

Teams security and compliance demo