Archive for the ‘Security’ Category

Essential Insecurities Part 4 — Ethernet

Network communication is commonly described with the seven layers of the OSI model: application, presentation, session, transport, network, data link, and physical. This entry examines the dominant data link protocol, Ethernet.

Ethernet transports frames between network devices, and the usual concerns of availability, integrity, and confidentiality all apply. Attackers can block or disrupt the flow of frames. Or they can quietly collect those frames, reassemble the conversations they carry, and glean confidential information. Ethernet passes information across a shared network medium, and that medium must be treated as untrusted.

On a shared medium, only one device can talk at a time, so the protocols include a way to detect that someone else is talking and to wait. Classic half-duplex Ethernet uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection); Wi-Fi uses CSMA/CA (Collision Avoidance). Think of the difference as listening for a gap and then talking versus raising your hand and asking to speak. (Modern switched Ethernet runs full duplex over a dedicated link per port, so collisions and CSMA/CD no longer come into play there; the wireless side is unchanged.)

Both can be exploited against availability. Wired: an attacker plugged into a shared LAN segment transmits constantly. The victim politely waits for silence before sending; silence never comes, so the victim's data never leaves. Wireless: the victim asks the access point for permission to send, in effect raising its hand. The attacker answers first with a frame telling every station to hold off (the reservation period in such control frames is honoured by all stations without any authentication) and repeats it as often as needed. The victim obediently waits, never transmitting. Silence is the result.

Instead of silencing the victim, the attacker may prefer to listen in. The attacker puts a network card into promiscuous mode. Depending on one's point of view, the term sounds either immoral or rather interesting; in practice it simply means the card stops discarding frames addressed to other MAC addresses and hands every frame on the shared medium up to the attacker's software. The frames can then be reassembled into the conversations they carry and the confidential information extracted.

On the network, assume no confidentiality. Wait, some will say: that may be true for shared media like hubs and wireless, but what about switched media, like network switches?

Switches were once sold partly as security devices. The rule of thumb was never to use a hub. A hub repeats every frame out every port, so any connected device can listen in on all communications. A switch learns which MAC address lives behind which port and forwards a frame only to the port of its destination. Time marches quickly in InfoSec, however, and switches can be subverted in several ways.

Suppose Alice's computer is talking to Bob's. Alice asks for Bob's computer by name. Her computer turns the name into an IP address and then the IP address into an Ethernet MAC address. This last step is done with ARP, and the answer is stored in her computer's ARP cache (the switch keeps no ARP cache of its own; it only maps MAC addresses to ports). ARP replies carry no authentication, so an attacker on the same segment can send forged replies claiming that Bob's IP address belongs to the attacker's MAC. Alice's computer now addresses Bob's frames to the attacker, who reads them and forwards them on to Bob, and typically poisons Bob's cache the same way for the return direction. The attacker listens in on all the traffic between Alice and Bob, even though they are on a switch.

ARP cache poisoning takes sustained effort, since cache entries expire and must be re-poisoned, and it is noisy: tools such as arpwatch, and Dynamic ARP Inspection on managed switches, watch for exactly these forged replies. An easier attack on confidentiality is to overload the switch's forwarding table. A switch can remember only so many MAC-address-to-port mappings; flood it with frames from thousands of fake source addresses and the table fills. Most vendors would rather degrade than fail, so instead of dropping connectivity the switch floods frames for destinations it cannot look up out of every port, behaving like a hub. Port security, which limits the MAC addresses learned per port, is the usual defence. Of course, an overloaded switch may also break the network altogether.
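
The promiscuous-mode capture, the ARP poisoning, and the table-flooding fallback described above are all visible in the frames themselves. Below is an added example (my code, not code from the original post) that builds Ethernet II frames carrying IPv4 ARP, parses them the way a sniffer would, and runs a small monitor over them: it learns IP-to-MAC bindings from ARP replies and alerts on the symptoms of poisoning (an unsolicited reply, an IP that suddenly answers from a new MAC, an Ethernet source that disagrees with the ARP sender field), and it counts distinct source MACs to estimate when a switch's forwarding table would overflow. All MAC and IP addresses, and the 4096-entry table size, are made up for the demonstration.

```python
"""Ethernet II + IPv4 ARP parsing with a small ARP-poisoning and MAC-flooding
monitor.  Added example, not code from the original post; all frames are constructed."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_frame(dst, src, op, sha, spa, tha, tpa) -> bytes:
    """14-byte Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP body."""
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sha),
                      socket.inet_aton(spa), mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp

def parse_ethernet(frame: bytes):
    """(dst, src, ethertype, payload): what a promiscuous-mode capture hands up."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), ethertype, frame[14:]

def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP body (hardware type 1, protocol type 0x0800)."""
    if len(payload) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": op, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

class ArpMonitor:
    """Learn IP->MAC bindings from replies and flag the wire-level symptoms of
    poisoning; also count distinct Ethernet sources to spot table flooding."""

    def __init__(self):
        self.bindings = {}        # ip -> first MAC seen answering for it
        self.pending = set()      # (requester_ip, target_ip) awaiting a reply
        self.source_macs = set()  # every distinct Ethernet source address seen
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        _dst, src, ethertype, payload = parse_ethernet(frame)
        self.source_macs.add(src)
        if ethertype != ETHERTYPE_ARP:
            return
        arp = parse_arp(payload)
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
            return
        if arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["spa"], arp["sha"]
        if src != mac:
            self.alerts.append(f"{ip}: Ethernet source {src} != ARP sender {mac}")
        if (arp["tpa"], ip) in self.pending:
            self.pending.discard((arp["tpa"], ip))
        else:  # gratuitous ARP has legitimate uses (DHCP, failover): a signal, not proof
            self.alerts.append(f"{ip}: unsolicited reply claiming {mac}")
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip}: MAC changed {known} -> {mac} (possible poisoning)")

    def mac_flood_suspected(self, cam_table_size: int) -> bool:
        """True once more distinct sources were seen than the switch can hold;
        the table size is a per-model figure, assumed by the caller."""
        return len(self.source_macs) > cam_table_size

def demo_poisoning() -> ArpMonitor:
    """Alice asks for Bob, Bob answers, then Mallory answers for Bob's IP."""
    alice, alice_ip = "02:00:00:00:00:0a", "192.168.1.10"
    bob, bob_ip = "02:00:00:00:00:0b", "192.168.1.11"
    mallory = "02:00:00:00:00:0c"
    mon = ArpMonitor()
    mon.observe(build_arp_frame(BROADCAST, alice, ARP_REQUEST, alice, alice_ip, ZERO_MAC, bob_ip))
    mon.observe(build_arp_frame(alice, bob, ARP_REPLY, bob, bob_ip, alice, alice_ip))
    mon.observe(build_arp_frame(alice, mallory, ARP_REPLY, mallory, bob_ip, alice, alice_ip))
    return mon

def demo_flood(count: int = 5000) -> ArpMonitor:
    """One attacker host sprays requests from `count` made-up source MACs."""
    mon = ArpMonitor()
    for i in range(count):
        src = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        mon.observe(build_arp_frame(BROADCAST, src, ARP_REQUEST, src, "10.0.0.9", ZERO_MAC, "10.0.0.1"))
    return mon

if __name__ == "__main__":
    print(*demo_poisoning().alerts, sep="\n")
    print("flood suspected:", demo_flood().mac_flood_suspected(cam_table_size=4096))
```

Running it prints two alerts for Mallory's reply (unsolicited, and a MAC change for Bob's IP) and reports the flood once 5000 distinct sources exceed the assumed table size. The monitor deliberately keeps the first binding it learned rather than following the newest reply; in a real deployment that choice, and whether an unsolicited reply is worth an alert at all, depends on how much gratuitous ARP the network legitimately produces.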

If the network is down, every device on it is down, which brings us full circle to availability. The bottom line is that there are a number of ways an attacker can abuse Ethernet to disrupt the business or to gather confidential information.

Essential Insecurities Part 3 — Topology

There are many ways to hook up cables and computers. Bus, ring, mesh, and star topologies all have availability and integrity concerns. (Again, we are putting confidentiality aside for the moment. We will come back to it higher in the networking stack.) Mesh is the best for availability, since losing one link or node leaves other paths, though its cost and complexity usually relegate it to the switch backbone and WAN links. LANs are usually physically a star and logically switched.

Peer-to-peer networks take less time and money to set up. Yet they are inherently insecure. The company's information is in the hands of people who are very good at their own jobs and likely not very good at the job of a systems administrator: each machine is patched, configured, and has its accounts managed by whoever sits at it. Central control and formal policy are better, which is what domains are intended for.

Essential Insecurities Part 2 — Cabling

Let's talk a bit about cabling, in particular twisted-pair copper versus fibre. One of the touted benefits of fibre over twisted pair is that you cannot eavesdrop on the data. Tapping fibre is harder than clamping onto copper, not impossible, but again, forget about confidentiality at this layer: the data can still be captured at the end-points, from switches and routers. No, if you can afford the cost, the benefits of fibre are that it is fast and that it fails cleanly.

Fibre natively supports 1 Gbps and beyond. Gigabit Ethernet over copper (1000BASE-T) was designed to run on four pairs of Category 5 cabling, but it depends on cable parameters (return loss and far-end crosstalk) that the original Cat 5 specification never tested, which is why Cat 5e was introduced. On old or marginally terminated Cat 5 runs a gigabit link may come up and yet show errors and retransmissions. Put another way, you may get close to 1 Gbps on such twisted pair while the network quietly drops frames, and that means data integrity issues. So on plain Cat 5, stick with 100 Mbps, and use Cat 5e or better for gigabit.

Fibre also fails cleanly, which at first might not look like a benefit. Twisted pair can be physically damaged and yet keep passing traffic, with sporadic symptoms: corrupted communications, network drops, poor performance. These are difficult to reproduce and time consuming to chase; it can take days before the bad cable is identified. Fibre, when physically damaged, usually stops transmitting altogether. That is noticed immediately, so the cable is quickly identified and replaced. (A dirty connector or a tight bend can degrade a fibre link without killing it, so the rule is not absolute, but crushed or cut fibre does not limp along the way copper does.)

Essential Insecurities Part 1 — Introduction

Functionality equals vulnerability. Networks connect computers to share information and resources; that is the functionality. Once connected, what is shared is no longer private and protected; that is the vulnerability. An unplugged computer is secure. By contrast, a networked computer is vulnerable. There you have it.

The vulnerabilities, generally speaking, are that shared resources may become unavailable, corrupted, or shared with the wrong people. So we put in the network to facilitate business and then mitigate the risk by attending to availability, integrity, and confidentiality.

These three concerns are common to all types of networks. The major classifications of networks are LANs, WANs, MANs, and PANs: Local Area Networks, Wide Area Networks, Metropolitan Area Networks, and Personal Area Networks. All four can be broken. All four can lose data or eat emails. And, of course, all four can leak confidential information.

In fact, at the network level, it is best to assume no confidentiality. Sure, there might be some on a LAN, but it can be broken. If you go out over a WAN link, you have no control over the equipment, and there is no guarantee that someone is not reading your data. In fact, according to the news lately, there is a good chance that someone is. Address confidentiality at higher layers, with encryption, and focus the network itself on availability and integrity.