Chapter 4 from Mastering Network Security, published by Sybex, Inc.
In this chapter, you will look at the communication properties of network transmissions. You will also see what insecurities exist in everyday network communications—and how you can develop a network infrastructure that alleviates some of these problems.
Understanding Network Transmissions
It is no accident that the National Security Agency, which is responsible for setting the encryption standards for the U.S. government, is also responsible for monitoring and cracking encrypted transmissions that are of interest to the government. In order to know how to make something more secure, you must understand what vulnerabilities exist and how these can be exploited.
This same idea applies to network communications. In order to be able to design security into your network infrastructure, you must understand how networked systems communicate with each other. Many exploits leverage basic communication properties. If you are aware of these communication properties, you can take steps to insure that they are not exploited.
Digital communication is analogous to Morse code or the early telegraph system: certain patterns of pulses are used to represent different characters during transmission. If you examine Figure 4.1, you'll see an example of a digital transmission. When a voltage is placed on the transmission medium, this is considered a binary 1. The absence of a signal is interpreted as a binary 0.
Because this wave form is so predictable and the variation between acceptable values is so great, it is easy to determine the state of the transmission. This is important if the signal is electrical, because the introduction of noise to a circuit can skew voltage values slightly. As shown in Figure 4.2, even when there is noise in the circuit, you can still see what part of the signal is a binary 1 and which is a 0.
This simple format, which allows digital communication to be so noise-resistant, can also be its biggest drawback. The information for the ASCII character A can be transmitted with a single analog wave or vibration, but transmitting the binary or digital equivalent requires eight separate waves or vibrations (to transmit 01000001). Despite this inherent drawback, digital communication is usually much more efficient than analog circuits, which require a larger amount of overhead in order to detect and correct noisy transmissions.
Note: Overhead is the amount of additional information that must be transmitted on a circuit to insure that the receiving system gets the correct data and that the data is free of errors. Typically, when a circuit requires more overhead, less bandwidth is available to transmit the actual data. This is like the packaging used for shipping. You don't want hundreds of little Styrofoam acorns, but they're there in the box taking up space to insure your item is delivered safely.
When you have an electric circuit (such as an Ethernet network that uses twisted-pair wiring), you need to pulsate your voltage in order to transmit information. This means your voltage state is constantly changing, which introduces your first insecurity: electromagnetic interference.
Electromagnetic Interference (EMI)
EMI is produced by circuits that use an alternating signal, like analog or digital communications (referred to as an alternating current or an AC circuit). EMI is not produced by circuits that contain a consistent power level (referred to as a direct current or a DC circuit).
For example, if you could slice one of the wires coming from a car battery and watch the electrons moving down the wire (kids: don't try this at home), you would see a steady stream of power moving evenly and uniformly down the cable. The power level would never change: it would stay at a constant 12 volts. A car battery is an example of a DC circuit, because the power level remains stable.
Now, let's say you could slice the wire to a household lamp and try the same experiment (kids: definitely do not try this at home!). You would now see that, depending on the point in time when you measured the voltage on the wire, the measurement would read anywhere between –120 volts and +120 volts. The voltage level of the circuit is constantly changing. Plotted over time, the voltage level would resemble an analog signal.
As you watched the flow of electrons in the AC wire, you would notice something very interesting. As the voltage changes and the current flows down the wire, the electrons tend to ride predominantly on the surface of the wire. The center point of the wire would show almost no electron movement at all. If you increased the frequency of the power cycle, more and more of the electrons would travel on the surface of the wire, instead of at the core. This effect is somewhat similar to what happens to a water skier—the faster the boat travels, the closer to the top of the water the skier rides.
As the frequency of the power cycle increases, energy begins to radiate at a 90° angle to the flow of current. In the same way that water will ripple out when a rock breaks its surface, energy will move out from the center core of the wire. This radiation is in a direct relationship with the signal on the wire; if the voltage level or the frequency is increased, the amount of energy radiated will also increase (see Figure 4.3).
This energy has magnetic properties to it and is the basis of how electromagnets and transformers operate. The downside to all of this is that the electromagnetic radiation can be measured in order to "sniff" the signal traveling down the wire. Electricians have had tools for this purpose for many years. Most electricians carry a device that they can simply connect around a wire in order to measure the signal traveling through the center conductor.
There are more sophisticated devices that can measure the EMI radiation coming off an electrical network cable and actually record the digital pulses traveling down the wire. Once a record of these pulses has been made, it is a simple matter to convert them from a binary format to a format readable by humans (although a serious geek is just as happy reading the information in binary format, we did specifically say "humans").
Note: While twisted-pair cabling has become very popular due to its low cost, it is also extremely insecure. Most modern networks are wired using unshielded twisted pair. Since twisted pair is used for the transmission of electrical signals, EMI is produced. Because the cable does not use any shielding, it is extremely easy to detect the EMI radiating from each of the conductors. So while twisted pair is an excellent choice for general network use, it is not a very good selection if the information traveling along the wire needs to remain 100 percent secure.
So your first point of vulnerability is your actual network cables. These are typically overlooked when people evaluate the security of a network. While an organization may go to great lengths to secure its computer room, there may be a web of cabling running through the ceilings. This can be even more of a problem if your organization is located in shared office space and you have cabling running through common areas.
This means that a would-be attacker would never have to go near a computer room or wiring closet to collect sensitive information. A step ladder and a popped ceiling tile are all that's needed to create an access point to your network. A savvy attacker may even use a radio transmitter to relay the captured information to another location. This means the attacker can safely continue to collect information for an extended period of time.
Fiber Optic Cable
Fiber optic cable consists of a cylindrical glass thread center core 62.5 microns in diameter wrapped in cladding that protects the central core and reflects the light back into the glass conductor. This is then encapsulated in a jacket of tough KEVLAR fiber.
The whole thing is then sheathed in PVC or Plenum. The diameter of this outer sheath is 125 microns. The diameter measurements are why this cabling is sometimes referred to as 62.5/125 cable. While the glass core is breakable, the KEVLAR fiber jacket helps fiber optic cable stand up to a fair amount of abuse. Figure 4.4 shows a fiber optic cable.
Unlike twisted-pair cable, fiber uses a light source for data transmission. This light source is typically a light-emitting diode (LED) that produces a signal in the visible infrared range. On the other end of the cable is another diode that receives the LED signals. The type of light transmission can take one of two forms: single mode or multimode.
Warning: Never look into the beam of an active fiber optic cable! The light intensity is strong enough to cause permanent blindness. If you must visually inspect a cable, first make sure that it is completely disconnected from the network. Just because a cable is dark for a moment does not mean it is inactive. The risk of blindness or visual "dead spots" is too high to take risks—unless you know the cable is completely disconnected.
Single-mode fiber consists of an LED that produces a single frequency of light. This single frequency is pulsed in a digital format to transmit data from one end of the cable to another. The benefit of single-mode fiber over multimode is that it is faster and will travel longer distances (in the tens-of-miles range). The drawbacks are that the hardware is extremely expensive and installation can be tedious at best. Unless your company name ends with the word "Telephone" or "Utility," single-mode fiber would be overkill.
Multimode transmissions consist of multiple light frequencies. Because the light range does not need to be quite so precise as single-mode, the hardware costs for multimode are dramatically less than for single-mode. The drawback of multimode fiber is light dispersion, the tendency of light rays to spread out as they travel.
You'll see light dispersion if you shine a flashlight against a nearby wall: the light pattern on the wall will have a larger diameter than the flashlight lens. If you hold two flashlights together and shine them both against the wall, you'll get a fuzzy area in the middle where it's difficult to determine which light source is responsible for which portion of the illumination. The farther away from the wall you move, the larger this fuzzy area gets. This is, in effect, what limits the distance on multimode fiber (that is, if you can call 1.2 miles a distance limitation for a single cable run). As the length of the cable increases, it becomes more difficult for the diode on the receiving end to distinguish between the different light frequencies.
Because multimode transmissions are light-based instead of electrical, fiber benefits from being completely immune to all types of EMI monitoring. There is no radiation to monitor as a signal passes down the conductor. While it may be possible to cut away part of the sheath in order to get at the glass conductor, this would most likely cause the medium to fail. The attacker would be foiled, because your systems would cease to communicate once connectivity was broken.
Fiber cable has one other major benefit: it is capable of supporting large bandwidth connections. 10Mb, 100Mb, and even gigabit Ethernet are all capable of supporting fiber cable. So along with security improvements, there are performance improvements. This is extremely helpful in justifying the use of fiber cable within your network—it allows you to satisfy both bandwidth and security concerns. If Woolly Attacker is going to attempt to tap into your network in order to monitor transmissions, he will want to pick a network segment with a lot of traffic so that he can collect the largest amount of data. Coincidentally, these are also the segments where you would want to use fiber cable in order to support the large amount of data flowing through this point in the network. By using fiber cable on these segments, you can help to protect the integrity of your cabling infrastructure.
Bound and Unbound Transmissions
The atmosphere is what is referred to as an unbound medium—a circuit with no formal boundaries. It has no constraints to force a signal to flow within a certain path. Twisted-pair cable and fiber optic cable are examples of bound media as they restrain the signal to within the wire. An unbound transmission is free to travel anywhere.
Unbound transmissions bring a host of security problems. Since a signal has no constraints that confine it within a specific area, it becomes that much more susceptible to interception and monitoring. The atmosphere is capable of transmitting a variety of signal types. The most commonly used are light and radio waves.
Light transmissions through the atmosphere use lasers to transmit and receive network signals. These devices operate similarly to a fiber cable circuit, except without the glass media.
Because laser transmissions use a focused beam of light, they require a clear line of sight and precise alignment between the devices. This helps to enhance system security, because it severely limits the physical area from which a signal can be monitored. The atmosphere limits the light transmission's effective distance, however, as well as the number of situations in which it can be used.
Unbound light transmissions are also sensitive to environmental conditions—a heavy mist or snowfall can interfere with their transmission properties. This means that it is very easy to interrupt a light-based circuit—thus denying users service. Still, light transmissions through the atmosphere make for a relatively secure transmission medium when physical cabling cannot be used.
Radio waves used for networking purposes are typically transmitted in the 1–20GHz range and are referred to as microwave signals. These signals can be fixed frequency or spread spectrum in nature.
Fixed Frequency Signals
A fixed frequency signal is a single frequency used as a carrier wave for the information you wish to transmit. A radio station is a good example of a single frequency transmission. When you tune in to a station's carrier wave frequency on your FM dial, you can hear the signal that is riding on it.
A carrier wave is a signal that is used to carry other information. This information is superimposed onto the signal (in much the same way as noise) and the resultant wave is transmitted into the atmosphere. This signal is then received by a device called a demodulator (in effect, your car radio is a demodulator that can be set for different frequencies), which removes the carrier signal and passes along the remaining information. A carrier wave is used to boost a signal's power and to extend the receiving range of the signal.
Fixed frequency signals are very easy to monitor. Once an attacker knows the carrier frequency, he has all the information he needs to start receiving your transmitted signals. He also has all the information he needs to jam your signal, thus blocking all transmissions.
Spread Spectrum Signals
A spread spectrum signal is identical to a fixed frequency signal, except multiple frequencies are transmitted. The reason multiple frequencies are transmitted is the reduction of interference through noise. Spread spectrum technology arose during wartime, when an enemy would jam a fixed frequency signal by transmitting on an identical frequency. Because spread spectrum uses multiple frequencies, it is much more difficult to disrupt.
Notice the operative words "more difficult." It is still possible to jam or monitor spread spectrum signals. While the signal varies through a range of frequencies, this range is typically a repeated pattern. Once an attacker determines the timing and pattern of the frequency changes, she is in a position to jam or monitor transmissions.
Note: Because it is so easy to monitor or jam radio signals, most transmissions rely on encryption to scramble the signal so that it cannot be monitored by outside parties. We cover encryption in Chapter 9.
There are two methods that can be used to transmit both fixed frequency and spread spectrum signals. These are referred to as terrestrial and space-based transmissions.
Terrestrial transmissions are completely land-based radio signals. The sending stations are typically transmission towers located on top of mountains or tall buildings. The range of these systems is usually line of sight, although an unobstructed view is not required. Depending on the signal strength, 50 miles is about the maximum range achievable with a terrestrial transmission system. Local TV and radio stations are good examples of industries that rely on terrestrial-based broadcasts. Their signals can only be received locally.
Space-based transmissions are signals that originate from a land-based system but are then bounced off one or more satellites that orbit the earth in the upper atmosphere. The greatest benefit of space-based communications is range. Signals can be received from almost every corner of the world. The space-based satellites can be tuned to increase or decrease the effective broadcast area.
Of course, the larger the broadcast range of a signal, the more susceptible it is to being monitored. As the signal range increases, so does the possibility that someone knowledgeable enough to monitor your signals will be within your broadcast area.
Choosing a Transmission Medium
You should consider a number of security issues when choosing a medium for transferring data across your network.
How Valuable Is My Data?
As you saw in earlier chapters, the typical attacker must feel like he or she has something to gain by assaulting your network. Do you maintain databases which contain financial information? If so, someone might find the payoff high enough to make it worth the risk of staging a physical attack.
Which Network Segments Carry Sensitive Data?
Your networks carry sensitive information on a daily basis. In order to protect this information, you need to understand the work-flow of how it is used. For example, if you identify your organization's accounting information as sensitive, you should know where the information is stored and who has access to it. A small workgroup with its own local server will be far more secure than an accounting database which is accessed from a remote facility using an unbound transmission medium.
Tip: Be very careful when analyzing the types of services that will be passing between your facilities. For example, e-mail is typically given little consideration, yet it usually contains more information about your organization than any other business service. Considering that most e-mail systems pass messages in the clear (if an attacker captures this traffic, it appears as plain text), e-mail should be one of your best-guarded network services.
Will an Intruder Be Noticed?
It's easy to spot an intruder when an organization consists of three or four people. Scale this to three or four thousand, and the task becomes proportionately difficult. If you are the network administrator, you may have no say in the physical security practices of your organization. You can, however, strive to make eavesdropping on your network a bit more difficult.
When you select a physical medium, keep in mind that you may need to make your network more resilient to attacks if other security precautions are lacking.
Are Backbone Segments Accessible?
If a would-be attacker is going to monitor your network, he is going to look for central nodes where he can collect the most information. Wiring closets and server rooms are prime targets because these areas tend to be junction points for many communication sessions. When laying out your network, pay special attention to these areas and consider using a more secure medium (such as fiber cable) when possible.
Consider these issues carefully when choosing a method of data transmission. Use the risk analysis information you collected in Chapter 2 to cost justify your choices. While increasing the level of topology security may appear to be an expensive proposition, the cost may be more than justified when compared to the cost of recovering from an intrusion.
Now that you have a good understanding of the transmission media available for carrying your data, we will discuss how these media are configured to function as a network. Topology is defined as the rules for physically connecting and communicating on given network media. Each topology has its own set of rules for connecting your network systems and even specifies how these systems must "speak" to each other on the wire. By far the most popular local area network (LAN) topology is Ethernet.
In Chapter 3, you saw what type of information is included within an Ethernet frame. Now we will examine how Ethernet moves this information from one system to another across a network. The better you understand network communication properties, the easier it will be to secure your network.
Note: Ethernet was developed in the late 1970s by Xerox; it later evolved into the IEEE specification 802.3 (pronounced "eight-oh-two-dot-three"). Its flexibility, high transmission rate (at the time, anyway), and nonproprietary nature quickly made it the networking topology of choice for many network administrators.
Ethernet is by far the most popular networking topology. Its ability to support a wide range of cable types, low-cost hardware, and plug-and-play connectivity has caused it to find its way into more corporate (as well as home) networks than any other topology.
Ethernet's communication rules are called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). This is a mouthful, but it's simple enough to understand when you break it down:
Carrier sense means that all Ethernet stations are required to listen to the wire at all times (even when transmitting). By "listen," I mean that the station should be constantly monitoring the network to see if any other stations are currently sending data. By monitoring the transmissions of other stations, a station can tell if the network is open or in use. This way, the station does not just blindly transfer information and interfere with other stations. Being in a constant listening mode also means that the station is ready when another station wants to send it data.
Multiple access simply means that more than two stations can be connected to the same network, and that all stations are allowed to transmit whenever the network is free. It is far more efficient to allow stations to transmit only when they need to than it is to assign each system a time block in which it is allowed to transmit. Multiple access also scales much more easily as you add more stations to the network.
Collision detection answers the question: "What happens if two systems think the circuit is free and try to transmit data at the same time?" When two stations transmit simultaneously, a collision takes place. A collision is similar to interference, and the resulting transmission becomes mangled and useless for carrying data. As a station transmits data, it watches for this condition; if it detects such a condition, the workstation assumes that a collision has taken place. The station will back off, wait for a random period of time, and then retransmit.
Note: Each station is responsible for determining its own random waiting period before retransmission. This helps to insure that each station is waiting for a different period of time, avoiding another collision. In the unlikely event that a second collision does occur (the station backs off but is again involved in a collision), each station is required to double its waiting period before trying again. When two or more consecutive collisions take place, it is referred to as a multiple collision.
If you were to chart CSMA/CD, it would look something like Figure 4.5. This process takes place after the ARP decision process discussed in Chapter 3.
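The CSMA/CD rules and the backoff note above can be made concrete with a small simulation. The following Python model is an added example, not code from the book: it treats time as a sequence of slot times, has every station start with one frame ready, and applies carrier sense, collision detection and truncated binary exponential backoff (the window of 0 to 2^n − 1 slots after the n-th consecutive collision, capped at 2^10, with the frame dropped after 16 attempts). The slot time, cap and attempt limit are the 10 Mb/s Ethernet values; the one-frame-per-station setup and the slotted timing are simplifying assumptions.

```python
import random

# 10 Mb/s Ethernet (IEEE 802.3) values: a slot time is 512 bit times.
SLOT_TIME_US = 51.2
MAX_BACKOFF_EXPONENT = 10   # the backoff window stops doubling after the 10th collision
MAX_ATTEMPTS = 16           # after 16 consecutive collisions the frame is discarded


def backoff_slots(attempt, rng=random):
    """Truncated binary exponential backoff.

    After the n-th consecutive collision a station waits a random number of
    slot times drawn uniformly from 0 .. 2**min(n, 10) - 1, so the average
    waiting period doubles with each further collision, as the chapter's
    note describes. Each station draws independently.
    """
    if attempt < 1:
        raise ValueError("attempt is the 1-based count of consecutive collisions")
    k = min(attempt, MAX_BACKOFF_EXPONENT)
    return rng.randint(0, 2 ** k - 1)


def simulate(n_stations, frame_slots=20, seed=1):
    """Slotted model of CSMA/CD: every station has one frame ready at slot 0.

    In each slot a station transmits only if it senses the medium idle
    (carrier sense) and its backoff has expired. A lone transmitter holds
    the medium for frame_slots slots; two or more in the same slot is a
    collision, after which each colliding station backs off (collision
    detection). Returns summary counters for the run.
    """
    rng = random.Random(seed)                       # fixed seed: reproducible run
    next_try = {s: 0 for s in range(n_stations)}    # earliest slot each station may transmit
    collisions_seen = {s: 0 for s in range(n_stations)}
    delivered = {}                                  # station -> slot its frame went out
    busy_until = 0
    total_collisions = 0
    slot = 0
    while len(delivered) < n_stations:
        if slot < busy_until:                       # carrier sense: someone is transmitting
            slot += 1
            continue
        contenders = [s for s in next_try
                      if s not in delivered and next_try[s] <= slot]
        if len(contenders) == 1:
            winner = contenders[0]
            delivered[winner] = slot
            busy_until = slot + frame_slots
        elif len(contenders) > 1:                   # simultaneous transmit -> collision
            total_collisions += 1
            for s in contenders:
                collisions_seen[s] += 1
                if collisions_seen[s] >= MAX_ATTEMPTS:
                    raise RuntimeError(f"station {s}: excessive collisions, frame dropped")
                next_try[s] = slot + 1 + backoff_slots(collisions_seen[s], rng)
        slot += 1
    return {
        "delivered": len(delivered),
        "collisions": total_collisions,
        "worst_consecutive": max(collisions_seen.values()),
        "elapsed_us": slot * SLOT_TIME_US,
    }


if __name__ == "__main__":
    for n in (1, 2, 5, 20):
        print(n, "stations:", simulate(n))
```

Running it with a growing station count shows why a shared Ethernet segment degrades as it fills: the first slot is always a collision whenever more than one station is ready, and the random, doubling backoff is what eventually spreads the stations apart. Because each station's random draw is its own, the model also reproduces the note's point that a second collision is unlikely but not impossible.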
An integral part of Ethernet communications is that each system is constantly monitoring the transmissions of all the other stations on the wire. Unfortunately, this is also Ethernet's biggest security flaw. It is possible to configure a system to read all of the information it receives. This is commonly referred to as a promiscuous mode system.
Promiscuous mode can be leveraged by a network administrator to monitor a network from one central station so that errors and network statistics can be gathered. A network analyzer is effectively a computer operating in promiscuous mode. Since a station is listening to all network traffic anyway, a simple software change allows a system to actually record all the information it sees.
Unfortunately, the existence of promiscuous mode also means that a not-so-honest person may be able to eavesdrop on network communications or steal sensitive information. This is particularly a problem because most information passed along a computer network is transmitted as clear text. See Figure 4.6 for an example of this output.
In order to minimize the amount of information that can be collected with a network monitor or analyzer, you must segment network traffic to isolate network communications. This is best accomplished with a bridge, switch, or router. These devices are discussed in the "Basic Networking Hardware" section of this chapter.
Wide Area Network Topologies
Wide area network (WAN) topologies are network configurations that are designed to carry data over a great distance. Unlike LANs, which are designed to deliver data between many systems, WAN topologies are usually point to point. Point to point means that the technology was developed to support only two nodes sending and receiving data. If multiple nodes need access to the WAN, a LAN will be placed behind it to accommodate this functionality.
Private Circuit Topologies
Leased lines are dedicated analog or digital circuits that are paid for on a flat-rate basis. This means that whether you use the circuit or not, you are paying a fixed monthly fee. Leased lines are point-to-point connections—they are used to connect one geographical location to another. The maximum throughput on a leased line is 56Kbps.
A T1 is a full-duplex signal (each end of the connection can transmit and receive simultaneously) over two-pair wire cabling. This wire pair terminates in a receptacle that resembles the square phone jacks used in older homes. T1s are used for dedicated point-to-point connections in the same way that leased lines are. Bandwidth on a T1 is available in increments from 64Kb up to 1.544Mb. T1s use time division to break the two wire pairs into 24 separate channels. Time division is the allotment of available bandwidth based on time increments. This is extremely useful, as a T1 is capable of carrying both voice and data at the same time.
There are two common ways to deploy leased lines or T1s:
The circuit constitutes the entire length of the connection between the two organizational facilities (such as a branch office and a main office).
The leased line is used for the connection from each location to its local exchange carrier. Connectivity between the two exchange carriers is then provided by some other technology, like frame relay (discussed in the next section).
The first of these two options creates the more secure connection, but at a much higher cost. Using a private circuit for end-to-end connectivity between two geographically separated sites is the best way to insure that your data is not monitored. While it is still possible to sniff one of these circuits, an attacker would need to gain physical access to some point along its path. The attacker would also need to be able to identify the specific circuit to monitor. Telephone carriers are not known for using attacker-friendly labels like "Bank XYZ's financial data: monitor here."
The second option is simply used to get your signal to the local exchange carrier. From there, your data would travel over a public network, such as frame relay or X.25.
Frame Relay and X.25
Frame relay and X.25 are packet-switched technologies. Because data on a packet-switched network is capable of following any available circuit path, such networks are represented by clouds in graphical presentations such as Figure 4.7.
Both X.25 and frame relay must be configured as permanent virtual circuits (PVCs), meaning that all data entering the cloud at point A is automatically forwarded to point B. These end points are defined at the time the service is leased. For large WAN environments, frame relay can be far more cost effective than dedicated circuits. This is because you can run multiple PVCs through a single WAN connection.
For example, let's say you have four remote sites that require a 56Kb connection to the home office. If you were to construct this network out of dedicated circuits, you would require a 56Kb leased line connection at each of the remote sites, as well as four 56Kb leased line connections running into the main office.
With frame relay, however, you could replace the four dedicated connections at the main office with one fractional T1 connection and simply activate four channels of the T1 circuit to accept the data. By requiring only a single circuit at the main site, you can reduce your WAN costs.
In fact, there is nothing that says the CIR (committed information rate, the bandwidth the carrier guarantees on a PVC) at the main office must equal the CIR value of all your remote sites. For example, let's assume that the connections to your remote site are used strictly for transferring e-mail. If bandwidth requirements are low, you may be able to drop the CIR at the main office from 256Kb to 128Kb. As long as the combined traffic to your four remote sites never exceeds 128Kb, you would not even notice a drop in performance. This would reduce your WAN costs even further.
Note: The packet-switched network is a shared medium. Your exchange carrier uses the same network for all PVCs it leases out. In effect, you are sharing available bandwidth with every other client.
Your connection point into the cloud is defined through the use of a Data Link Connection Identifier (DLCI). A unique DLCI is assigned to each router that connects to the cloud. The DLCI lets the local exchange carrier know which PVC it should map to your connection.
As long as everyone uses their assigned DLCI, life is happy. The problem is when someone incorrectly, or with malicious intent, assigns his or her router the same DLCI as your circuit. This can cause traffic to be diverted to their network. In order for this to occur, the following conditions must be met:
The attacker must be connected to the same local exchange carrier.
The attacker must be connected to the same physical switch.
The attacker must know your DLCI.
Clearly, this is not the most difficult attack to stage. While it would be expensive (unless the attacker can gain access to another organization's network and "borrow" that connection), this attack may be well worth the effort if the attacker knows that sensitive information will be passing across the link.
Also, a would-be attacker can actually redirect a PVC to another geographical location. While doing so would eliminate the need to be connected through the same local carrier and the same switch in order to capture data, it also means that the attacker would have to infiltrate the exchange carrier's management system. Although this is not an easy task, it has been done in the past.
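To make the DLCI discussion concrete, here is an added Python example (not from the book) that encodes and decodes the two-byte frame relay address field and models one carrier switch's PVC table. The address layout (a 10-bit DLCI split across two bytes, with the C/R, FECN, BECN, DE and EA bits) is the standard Q.922 format; the switch class, its port numbers and the `ports_claiming` audit are this example's own constructions. The audit lists every port on the switch on which a given DLCI is mapped, which is the configuration check that corresponds to the "same switch, same DLCI" conditions listed above.

```python
def encode_address(dlci, cr=0, fecn=0, becn=0, de=0):
    """Build the two-byte Q.922 address field that starts every frame relay frame.

    Byte 1: DLCI bits 9..4 | C/R | EA=0   (EA=0 means another address byte follows)
    Byte 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-byte address carries a 10-bit DLCI (0-1023)")
    byte1 = ((dlci >> 4) & 0x3F) << 2 | (cr & 1) << 1
    byte2 = (dlci & 0x0F) << 4 | (fecn & 1) << 3 | (becn & 1) << 2 | (de & 1) << 1 | 1
    return bytes([byte1, byte2])


def decode_address(raw):
    """Parse the two-byte address field back into its DLCI and flag bits."""
    if len(raw) < 2 or (raw[0] & 1) or not (raw[1] & 1):
        raise ValueError("expected a two-byte address field (EA bits 0 then 1)")
    dlci = (((raw[0] >> 2) & 0x3F) << 4) | ((raw[1] >> 4) & 0x0F)
    return {"dlci": dlci, "cr": (raw[0] >> 1) & 1,
            "fecn": (raw[1] >> 3) & 1, "becn": (raw[1] >> 2) & 1, "de": (raw[1] >> 1) & 1}


class FrameRelaySwitch:
    """One carrier switch (a constructed model). A PVC is provisioned as a pair of
    (port, DLCI) end points; a frame entering on one end point leaves on the other
    with its DLCI rewritten to the value the far-end router expects."""

    def __init__(self):
        self.pvcs = {}    # (port, dlci) -> (port, dlci), stored in both directions

    def provision_pvc(self, port_a, dlci_a, port_b, dlci_b):
        for end in ((port_a, dlci_a), (port_b, dlci_b)):
            if end in self.pvcs:
                raise ValueError(f"DLCI {end[1]} is already mapped on port {end[0]}")
        self.pvcs[(port_a, dlci_a)] = (port_b, dlci_b)
        self.pvcs[(port_b, dlci_b)] = (port_a, dlci_a)

    def switch(self, in_port, frame):
        """Return (out_port, rewritten frame) for a known PVC, or None to drop it."""
        hdr = decode_address(frame[:2])
        egress = self.pvcs.get((in_port, hdr["dlci"]))
        if egress is None:
            return None                      # no PVC on this port for this DLCI
        out_port, out_dlci = egress
        new_hdr = encode_address(out_dlci, hdr["cr"], hdr["fecn"], hdr["becn"], hdr["de"])
        return out_port, new_hdr + frame[2:]

    def ports_claiming(self, dlci):
        """Configuration audit: every port on this switch on which the DLCI is mapped.
        More than one entry is the 'same switch, same DLCI' condition the chapter lists."""
        return sorted(port for (port, d) in self.pvcs if d == dlci)


if __name__ == "__main__":
    sw = FrameRelaySwitch()
    sw.provision_pvc(1, 100, 2, 200)        # customer router on port 1 uses DLCI 100
    print(sw.switch(1, encode_address(100) + b"customer data"))
    sw.provision_pvc(3, 100, 4, 300)        # a second port now also claims DLCI 100
    print("ports claiming DLCI 100:", sw.ports_claiming(100))
```

The point of the audit method is that nothing in the frame itself identifies the customer; only the switch's table ties a port and DLCI to a circuit, so that table (and the carrier's management system that writes it) is where a diverted PVC has to be caught.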
Basic Networking Hardware
These days there is a plethora of networking products to consider when planning your network infrastructure. There are devices for everything from connecting computer systems to the network to extending a topology's specifications to controlling network traffic. Sometimes your choices are limited. For example, to connect an office computer to the network, you must have a network card.
Many of these devices, when used correctly, can also help to improve your network security. In this section, we will take a look at some common networking hardware and discuss which can be used to reinforce your security posture.
Repeaters are simple two-port signal amplifiers. They are used in a bus topology to extend the maximum distance that can be spanned on a cable run. The strength of the signal is boosted as it travels down the wire. A repeater will receive a digital signal on one of its ports, amplify it, and transmit it out the other side.
A repeater is like a typical home stereo amplifier. The amp takes the signal it receives from the CD or tape deck, amplifies the signal, and sends it on its way to the speakers. If the signal is a brand-new Radiohead CD, it simply boosts the signal and sends it on its way. If you're playing an old Grateful Dead concert tape that is inaudible because of the amount of background hiss, the amp happily boosts this signal, as well, and sends it on its way.
Repeaters function similarly to a stereo amplifier: they simply boost whatever they receive and send it on its way. Unfortunately, the signal a repeater receives could be a good frame of data, a bad frame of data, or even background noise. A repeater does not discern data quality; it simply looks at each of the individual digital pulses and amplifies them.
A repeater provides no data segmentation. All communications that take place on one side of a repeater are passed along to the other side, whether the receiving system is on the other end of the wire or not. Again, think of a repeater as a dumb amplifier and you will get the idea.
Hubs are probably the most common piece of network hardware next to network interface cards. Physically, they are boxes of varying sizes that have multiple female RJ45 connectors. Each connector is designed to accept one twisted-pair cable outfitted with a male RJ45 connector. This twisted-pair cable is then used to connect a single server or workstation to the hub.
Hubs are essentially multiport repeaters that support twisted-pair cables in a star topology. Each node communicates with the hub, which in turn amplifies the signal and transmits it out each of the ports (including back out to the transmitting system). As with repeaters, hubs work at the electrical level. When you design your network topology, think of hubs, which provide zero traffic control, as functionally identical to repeaters.
A bridge looks a lot like a repeater; it is a small box with two network connectors that attach to two separate portions of the network. A bridge incorporates the functionality of a repeater (signal amplification), but it actually looks at the frames of data, which is a great benefit. A common bridge is nearly identical to a repeater except for the indicator lights, as shown in Figure 4.8. A forward light flashes whenever the bridge needs to pass traffic from one collision domain to another.
In our discussion of Ethernet in Chapter 3, we introduced the concept of a data frame and described the information contained within the frame header. Bridges put this header information to use by monitoring the source and destination MAC address on each frame of data. By monitoring the source address, the bridge learns where all the network systems are located. It constructs a table, listing which MAC addresses are directly accessible by each of its ports. It then uses that information to play traffic cop and regulate the flow of data on the network. Let's look at an example.
A Bridge Example
Look at the network in Figure 4.9. Betty needs to send data to the server Thoth. Because everyone on the network is required to monitor the network, Betty first listens for the transmissions of other stations. If the wire is free, Betty will then transmit a frame of data. The bridge is also watching for traffic and will look at the destination address in the header of Betty's frame. Because the bridge is unsure of which port the system with MAC address 00C08BBE0052 (Thoth) is connected to, it amplifies the signal and retransmits it out Port B. Note that until now the bridge functionality is very similar to that of a repeater. The bridge does a little extra, however; it has learned that Betty is attached to Port A and creates a table entry with her MAC address.
When Thoth replies to Betty's request, as shown in Figure 4.10, the bridge will look at the destination address in the frame of data again. This time, however, it finds a match in its table, noting that Betty is also attached to Port A. Because it knows Betty can receive this information directly, it drops the frame and blocks it from being transmitted from Port B. The bridge will also make a new table entry for Thoth, recording the MAC address as being off of Port A.
For as long as the bridge remembers each station's MAC address, all communications between Betty and Thoth will be isolated from Sue and Babylnor. Traffic isolation is a powerful feature, because it means that systems on both sides of the bridge can be carrying on conversations at the same time, effectively doubling the available bandwidth. The bridge insures that communications on both sides stay isolated, as if they were not even connected together. Because stations cannot see transmissions on the other side of the bridge, they assume the network is free and send their data.
Each system only needs to contend for bandwidth with systems on its own segment. This means that there is no way for a station to have a collision outside of its segment. Thus these segments are referred to as collision domains, as shown in Figure 4.11. Notice that one port on each side of the bridge is part of each collision domain. This is because each of its ports will contend for bandwidth with the systems it is directly connected to. Because the bridge isolates traffic within each collision domain, there is no way for separated systems to collide their signals. The effect is a doubling of potential bandwidth.
Also notice that splitting the network into two collision domains has increased the security of the network. For example, let's say that the system named Babylnor becomes compromised. An attacker has gained high-level access to this system and begins capturing network activity in order to look for sensitive information.
Given the above network design, Thoth and Betty would be able to carry on a conversation with relative security. The only traffic that will find its way onto Babylnor's collision domain is broadcast traffic. You may remember from Chapter 3 that a broadcast frame needs to be delivered to all local systems. For this reason, a bridge will also forward broadcast traffic.
By using a bridge in this situation, you get a double bonus: you have not only increased performance, but security as well.
So what happens when traffic needs to traverse the bridge? As mentioned, when a bridge is unsure of the location of a system it will always pass the packet along just in case. Once the bridge learns that the system is in fact located off of its other port, it will continue to pass the frame along as required.
If Betty begins communicating with Sue, for example, this data will cross the bridge and be transmitted onto the same collision domain as Babylnor. This means that Babylnor is capable of capturing this data stream. While the bridge helped to secure Betty's communications with Thoth, it provides no additional security when Betty begins communicating with Sue.
In order to secure both of these sessions, you would need a bridge capable of dedicating a single port to each system. This type of functionality is provided in a device referred to as a switch.
Switches are the marriage of hub and bridge technology. They resemble hubs in appearance, having multiple RJ45 connectors for connecting network systems. Instead of being a dumb amplifier like a hub, however, a switch functions as though it has a little miniature bridge built into each port. A switch will keep track of the MAC addresses attached to each of its ports and route traffic destined for a certain address only to the port to which it is attached.
Figure 4.12 shows a switched environment in which each device is connected to a dedicated port. The switch will learn the MAC identification of each station once a single frame transmission occurs (identical to a bridge). Assuming that this has already happened, you now find that at exactly the same instant Station 1 needs to send data to Server 1, Station 2 needs to send data to Server 2, and Station 3 needs to send data to Server 3.
There are some interesting things about this situation. The first is that each wire run involves only the switch and the station attached to it. This means that each collision domain is limited to only these two devices, because each port of the switch is acting like a bridge. The only traffic seen by the workstations and servers is any frame specifically sent to them or to the broadcast address. As a result, all three stations will see very little network traffic and will be able to transmit immediately. This is a powerful feature that goes a long way toward increasing potential bandwidth. Given our example, if this is a 10Mbps topology, the effective throughput has just increased by a factor of 3. This is because all three sets of systems can carry on their conversations simultaneously, as the switch isolates them from each other. While it is still technically 10Mbps Ethernet, potential throughput has increased to 30Mbps.
Besides increasing performance dramatically, you have also increased security. If any one of these systems becomes compromised, the only sessions that can be monitored are sessions with the compromised system. For example, if an attacker gains access to Server 2, she will not be able to monitor communication sessions with Servers 1 or 3, only Server 2.
This is because monitoring devices can only collect traffic that is transmitted within their collision domain. Since Server 2's collision domain consists of itself and the switch port it is connected to, the switch does an effective job of isolating Server 2 from the communication sessions being held with the other servers.
While this is a wonderful security feature, it does make legitimate monitoring of your network somewhat cumbersome. This is why many switches include a monitoring port.
A monitoring port is simply a port on the switch that can be configured to receive a copy of all data transmitted to one or more ports. For example, you could plug your analyzer into port 10 of the switch and configure the device to listen to all traffic on port 3. If port 3 is one of your servers, you can now analyze all traffic flowing to and from this system.
This can also be a potential security hole. If an attacker is able to gain administrative access to the switch (through Telnet, HTTP, SNMP, or the console port), she would have free rein to monitor any system connected to, or communicating through, the switch. To return to our example, if the attacker could access Server 2 and the switch itself, she is now in a perfect position to monitor all network communications.
Note: Keep in mind that bridges, switches, and similar networking devices are designed primarily to improve network performance, not to improve security. Increased security is just a secondary benefit. This means that they have not received the same type of abusive, real-world testing as, say, a firewall or router product. A switch can augment your security policy, but it should not be the core device to implement it.
Switching introduces a new technology referred to as the virtual local area network (VLAN). Software running on the switch allows you to set up connectivity parameters for connected systems by workgroup (referred to as VLAN groups) instead of by geographical location. The switch's administrator is allowed to organize port transmissions logically so that connectivity is grouped according to each user's requirements. The "virtual" part is that these VLAN groups can span over multiple physical network segments, as well as multiple switches. By assigning all switch ports that connect to PCs used by accounting personnel to the same VLAN group, you can create a virtual accounting network.
Think of VLANs as being the virtual equivalent of taking an ax to a switch with many ports in order to create multiple switches. If you have a 24-port switch and you divide the ports equally into three separate VLANs, you essentially have three 8-port switches.
"Essentially" is the key word here, as you still have one physical device. While this makes for simpler administration, from a security perspective it is not nearly as good as having three physical switches. If an attacker is able to compromise a switch using VLANs, he might be able to configure his connection to monitor any of the other VLANs on the device.
This can be an extremely bad thing if you have one large switch providing connectivity on both sides of a traffic-control device such as a firewall. An attacker may not need to penetrate your firewall—he may find the switch to be a far easier target. At the very least, the attacker now has two potential ways into the network instead of just one.
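The bridge example (Betty, Thoth, Sue and Babylnor), the switched network of Figure 4.12 with its monitoring port, and the 24-port switch cut into three VLANs, worked through in one model. This is an added example, not the book's code: the Switch class, the port numbers and every MAC address except Thoth's are assumptions.

```python
"""Learning bridge / switch model. Added example, not the book's code: the
Switch class, port numbers and all MACs except Thoth's are assumptions."""
from collections import namedtuple

BROADCAST = "FFFFFFFFFFFF"
Frame = namedtuple("Frame", "src dst")

class Switch:
    """A bridge is a Switch with two ports; a port may carry a shared
    segment (collision domain) with several stations on it."""

    def __init__(self, ports, vlan_of=None, mirror=None):
        self.ports = list(ports)
        self.vlan_of = vlan_of or {p: 1 for p in self.ports}  # port -> VLAN id
        self.mirror = mirror  # (monitoring_port, monitored_port) or None
        self.table = {}       # (vlan, mac) -> port the station was last heard on

    def receive(self, in_port, frame):
        """Return the set of ports the frame is transmitted out of."""
        vlan = self.vlan_of[in_port]
        self.table[(vlan, frame.src)] = in_port          # learn the source MAC
        mon = self.mirror[0] if self.mirror else None
        same_vlan = [p for p in self.ports
                     if p not in (in_port, mon) and self.vlan_of[p] == vlan]
        known = self.table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            out = set(same_vlan)                          # flood, like a repeater
        elif known == in_port:
            out = set()                                   # filter: stays on its segment
        else:
            out = {known}                                 # forward to that one port
        if self.mirror and self.mirror[1] in out | {in_port}:
            out.add(mon)                                  # copy to the analyzer port
        return out

def observers(segments, out_ports, in_port, sender):
    """Stations that can capture the frame: everyone sharing the ingress
    segment plus everyone on each egress segment."""
    seen = set(segments[in_port]) - {sender}
    for p in out_ports:
        seen |= set(segments[p])
    return sorted(seen)

def bridge_scenario():
    """Figures 4.9-4.11: Betty and Thoth off Port A, Sue and Babylnor off Port B."""
    macs = {"Betty": "00C08BBE0011", "Thoth": "00C08BBE0052",   # Thoth's is the book's
            "Sue": "00C08BBE0033", "Babylnor": "00C08BBE0044"}
    segments = {"A": ["Betty", "Thoth"], "B": ["Sue", "Babylnor"]}
    port_of = {n: p for p, names in segments.items() for n in names}
    bridge, log = Switch(["A", "B"]), []
    for src, dst in [("Betty", "Thoth"), ("Thoth", "Betty"),
                     ("Betty", "Thoth"), ("Betty", "Sue")]:
        out = bridge.receive(port_of[src], Frame(macs[src], macs[dst]))
        log.append((f"{src}->{dst}", observers(segments, out, port_of[src], src)))
    return log

def switch_scenario():
    """Figure 4.12: one device per port; port 10 mirrors port 5 (Server 2)."""
    port_of = {"Station1": 1, "Station2": 2, "Station3": 3,
               "Server1": 4, "Server2": 5, "Server3": 6, "Analyzer": 10}
    macs = {n: f"0200000000{p:02X}" for n, p in port_of.items()}  # constructed
    segments = {p: [n] for n, p in port_of.items()}
    sw = Switch(port_of.values(), mirror=(10, 5))
    for n, p in port_of.items():        # every station has transmitted once
        if n != "Analyzer":
            sw.receive(p, Frame(macs[n], BROADCAST))
    log = {}
    for src, dst in [("Station1", "Server1"), ("Station2", "Server2"),
                     ("Station3", "Server3")]:
        out = sw.receive(port_of[src], Frame(macs[src], macs[dst]))
        log[f"{src}->{dst}"] = observers(segments, out, port_of[src], src)
    return log

def vlan_scenario():
    """A 24-port switch cut into three 8-port VLANs: a broadcast on port 1
    reaches only the other seven ports of VLAN 1."""
    vlan_of = {p: (p - 1) // 8 + 1 for p in range(1, 25)}
    sw = Switch(range(1, 25), vlan_of=vlan_of)
    return sorted(sw.receive(1, Frame("020000000001", BROADCAST)))
```

The bridge log shows Babylnor capturing Betty's first frame to Thoth (flooded while Thoth is unknown) and her traffic to Sue, but not the Betty/Thoth exchange once both are learned; the switch log shows only the analyzer on the mirror port seeing Server 2's session.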
A router is a multiport device that decides how to handle the contents of a frame, based on protocol and network information. To truly understand what this means, we must first look at what a protocol is and how it works.
Until now, we've been happily communicating using the Media Access Control address assigned to our networking devices. Our systems have used this number to contact other systems and transmit information as required.
The problem with this scheme is that it does not scale very well. For example, what if you have 2,000 systems that need to communicate with each other? You would now have 2,000 systems fighting each other for bandwidth on a single Ethernet network. Even if you employ switching, the number of broadcast frames will eventually reach a point where network performance will degrade and you cannot add any more systems. This is where protocols such as IP and IPX come in.
At its lowest levels, a network protocol is a set of communication rules that provide the means for networking systems to be grouped by geographical area and common wiring. To indicate it is part of a specific group, each of these systems is assigned an identical protocol network address.
Network addresses are kind of like zip codes. Let's assume someone mails a letter and the front of the envelope simply reads: Fritz & Wren, 7 Spring Road. If this happens in a very small town, the letter will probably get through (as if you'd used a MAC address on a LAN).
If the letter were mailed in a city like Boston or New York, however, the Post Office would have no clue where to send it (although postal workers would probably get a good laugh). Without a zip code, they may not even attempt delivery. The zip code provides a way to specify the general area where this letter needs to be delivered. The postal worker processing the letter is not required to know exactly where Spring Road is located. She simply looks at the zip code and forwards the letter to the Post Office responsible for this code. It is up to the local Post Office to know the location of Spring Road and to use this knowledge to deliver the letter.
Protocol network addresses operate in a similar fashion. A protocol-aware device will add the network address of the destination device to the data field of a frame. It will also record its own network address, in case the remote system needs to send a reply.
This is where a router comes in. A router is a protocol-aware device that maintains a table of all known networks. It uses this table to help forward information to its final destination. Let's walk through an example to see how a routed network operates.
A Routed Network Example
Let's assume you have a network similar to that shown in Figure 4.13 and that System B needs to transmit information to System F.
System B will begin by comparing its network address to that of System F. If there is a match, System B will assume the system is local and attempt to deliver the information directly. If the network addresses are different (as they are in our example), System B will refer to its routing table. If it does not have a specific entry for Network 3, it will fall back on its default router, which in this case is Tardis. In order to deliver the information to Tardis, System B would ARP for Tardis's MAC address.
System B would then add the network protocol delivery information for System F (the source and destination network numbers) to the data and create a frame using Tardis's MAC address as the destination. It does this because System B assumes that Tardis will take care of forwarding the information to the destination network.
Once Tardis receives the frame, it performs a CRC check to insure the integrity of the data. If the frame checks out, Tardis will then completely strip off the header and trailer. Tardis then analyzes the destination network address listed in the frame (in this case Network 3) to see if it is locally connected to this network. Since Tardis is not directly connected to Network 3, it consults its routing table in order to find the best route to get there. Tardis then discovers that Galifrey is capable of reaching Network 3.
Tardis now ARPs to discover the local MAC address being used by Galifrey. Tardis then creates a new frame around the data packet by creating a header consisting of its MAC address to the source address field and Galifrey's MAC address in the destination field. Finally, Tardis generates a new CRC value for the trailer.
While all this stripping and recreating seems like a lot of work, it is a necessary part of this type of communication. Remember that routers are placed at the borders of a network segment. The CRC check is performed to insure that bad frames are not propagated throughout the network. The header information is stripped away because it is only applicable on Network 1. When Tardis goes to transmit the frame on Network 2, the original source and destination MAC addresses have no meaning. This is why Tardis must replace these values with ones that are valid for Network 2.
Because the majority of the header (12 of the 14 bytes) needs to be replaced anyway, it is easier to simply strip the header completely away and create it from scratch. As for stripping off the trailer, once the source and destination MAC addresses change, the original CRC value is no longer valid. This is why the router must strip it off and create a new one.
Note: A data field that contains protocol information is referred to as a packet. While this term is sometimes used interchangeably with the term frame, a packet in fact only describes a portion of a frame.
So Tardis has created a new frame around the packet and is ready to transmit it. Tardis will now transmit the frame out onto Network 2 so that the frame will be received by Galifrey. Galifrey receives the frame and processes it in a similar fashion to Tardis. It checks the CRC and strips off the header and trailer.
At this point, however, Galifrey realizes that it has a local connection to System F, because they are both connected to Network 3. Galifrey builds a new frame around the packet and, instead of needing to reference a table, it simply delivers the frame directly.
In order for a router to provide this type of functionality, it needs to understand the rules for the protocol being used. This means that a router is protocol specific. Unlike a bridge, which will handle any valid topology traffic you throw at it, a router has to be specifically designed to support both the topology and the protocol being used. For example, if your network contains Banyan Vines systems, make sure that your router supports VinesIP.
Routers can be a powerful tool for controlling the flow of traffic on your network. If you have a network segment that is using IPX and IP but only IP is approved for use on the company backbone, simply enable IP support only on your router. The router will ignore any IPX traffic it receives.
A wonderful feature of routers is their ability to block broadcasts. (As I mentioned in Chapter 3, broadcasts are frames that contain all Fs for the destination MAC address.) Because any point on the other side of the router is a new network, these frames are blocked.
Note: There is a counterpart to this called an all-networks broadcast that contains all Fs in both the network and MAC address fields. These frames are used to broadcast to local networks when the network address is not known. Most routers will still block these all-networks broadcasts by default.
Most routers also have the ability to filter out certain traffic. For example, let's say your company enters a partnership with another organization. You need to access services on this new network but do not want to allow your partner to access your servers. To accomplish this, simply install a router between the two networks and configure it to filter out any communication sessions originating from the other organization's network.
Most routers use static packet filtering to control traffic flow. The specifics of how this works will be covered in Chapter 6. For now, just keep in mind that routers cannot provide the same level of traffic control that may be found in the average firewall. Still, if your security requirements are minimal, packet filtering may be a good choice—chances are you will need a router to connect your networks, anyway.
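The System B to System F walk-through, together with the broadcast blocking and the partner-network filter just described, as an added example that is not the book's code. The (network, host) addresses, the MAC addresses, the Router API and the single source-network filter rule are assumptions; the filter is the static kind the text describes, so it also stops replies from the partner's servers.

```python
"""Routed-network walk-through for Figure 4.13. Added example, not the book's
code: the (network, host) addresses, MACs, Router API and filter are assumptions."""
import zlib
from dataclasses import dataclass, replace

BROADCAST_MAC = "FFFFFFFFFFFF"

@dataclass(frozen=True)
class Packet:          # protocol header + data: unchanged at every hop
    src: tuple         # (network number, host)
    dst: tuple
    data: bytes

@dataclass(frozen=True)
class Frame:           # MAC header + packet + CRC trailer: rebuilt at every hop
    dst_mac: str
    src_mac: str
    packet: Packet
    crc: int

def build_frame(dst_mac, src_mac, packet):
    body = f"{dst_mac}{src_mac}{packet.src}{packet.dst}".encode() + packet.data
    return Frame(dst_mac, src_mac, packet, zlib.crc32(body))

def crc_ok(frame):
    return build_frame(frame.dst_mac, frame.src_mac, frame.packet).crc == frame.crc

# Constructed ARP view: MAC of each (network, host); routers have one per network.
ARP = {(1, "B"): "02000100000B", (1, "Tardis"): "020001000001",
       (2, "Tardis"): "020002000001", (2, "Galifrey"): "020002000002",
       (3, "Galifrey"): "020003000002", (3, "F"): "02000300000F"}

class Router:
    def __init__(self, name, networks, routes, deny_src_nets=()):
        self.name, self.networks = name, set(networks)
        self.routes = routes                     # remote network -> (via_network, next_hop)
        self.deny_src_nets = set(deny_src_nets)  # static filter: drop by source network
        self.log = []

    def handle(self, frame):
        """Process an inbound frame; return the outbound frame, or None if dropped."""
        if not crc_ok(frame):
            self.log.append("dropped: bad CRC"); return None
        if frame.dst_mac == BROADCAST_MAC:
            self.log.append("dropped: broadcast not forwarded"); return None
        pkt = frame.packet                       # header and trailer are stripped here
        if pkt.src[0] in self.deny_src_nets:     # static rule: also drops partner replies
            self.log.append(f"dropped: filtered source network {pkt.src[0]}"); return None
        dst_net = pkt.dst[0]
        if dst_net in self.networks:             # locally connected: deliver to the host
            via, next_hop = dst_net, pkt.dst[1]
        elif dst_net in self.routes:
            via, next_hop = self.routes[dst_net]
        else:
            self.log.append(f"dropped: no route to network {dst_net}"); return None
        self.log.append(f"forward via network {via} to {next_hop}")
        # New header (our MAC on the egress network, next hop's MAC) and a new CRC.
        return build_frame(ARP[(via, next_hop)], ARP[(via, self.name)], pkt)

def b_to_f():
    """System B (Network 1) -> Tardis -> Galifrey -> System F (Network 3)."""
    routers = [Router("Tardis", {1, 2}, {3: (2, "Galifrey")}),
               Router("Galifrey", {2, 3}, {1: (2, "Tardis")})]
    pkt = Packet((1, "B"), (3, "F"), b"hello F")
    hops = [build_frame(ARP[(1, "Tardis")], ARP[(1, "B")], pkt)]  # B's default router
    for r in routers:
        hops.append(r.handle(hops[-1]))
    return hops

def corrupted_frame_dropped():
    tardis = Router("Tardis", {1, 2}, {3: (2, "Galifrey")})
    good = build_frame(ARP[(1, "Tardis")], ARP[(1, "B")], Packet((1, "B"), (3, "F"), b"hello"))
    damaged = replace(good, packet=replace(good.packet, data=b"hellO"))  # bit flip on the wire
    return tardis.handle(damaged) is None and tardis.log[-1] == "dropped: bad CRC"

def broadcast_blocked():
    tardis = Router("Tardis", {1, 2}, {3: (2, "Galifrey")})
    bcast = build_frame(BROADCAST_MAC, ARP[(1, "B")], Packet((1, "B"), (1, "*"), b"who-has"))
    return tardis.handle(bcast) is None

def partner_filter():
    """Network 3 belongs to a partner: sessions it originates are dropped, ours pass."""
    galifrey = Router("Galifrey", {2, 3}, {1: (2, "Tardis")}, deny_src_nets={3})
    inbound = build_frame(ARP[(3, "Galifrey")], ARP[(3, "F")], Packet((3, "F"), (1, "B"), b"probe"))
    outbound = build_frame(ARP[(2, "Galifrey")], ARP[(2, "Tardis")], Packet((1, "B"), (3, "F"), b"req"))
    return galifrey.handle(inbound) is None, galifrey.handle(outbound) is not None
```

Comparing the three frames returned by b_to_f() shows the packet unchanged at every hop while the source and destination MAC addresses and the CRC are rewritten by each router.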
A Comparison of Bridging/Switching and Routing
Table 4.1 represents a summary of the information discussed in the preceding sections. It provides a quick reference to the differences between controlling traffic at the data link layer (bridges and switches) and controlling traffic at the network layer (routers).
Table 4.1 Bridging/Switching versus Routing
A Bridge (Switch):                                A Router:
Uses the same network address off all ports       Uses different network addresses off all ports
Builds tables based on MAC address                Builds tables based on network address
Filters traffic based on MAC information          Filters traffic based on network or host information
Forwards broadcast traffic                        Blocks broadcast traffic
Forwards traffic to unknown addresses             Blocks traffic to unknown addresses
Does not modify frame                             Creates a new header and trailer
Can forward traffic based on the frame header     Must always queue traffic before forwarding
Layer 3 Switching
Now that you have a clear understanding of the differences between a switch and a router, let's look at a technology that, on the surface, appears to mesh the two. Layer 3 switching, switch routing, and router switching all are used interchangeably to describe the same devices.
So what exactly is a switch router? The device is not quite as revolutionary as you might think. In fact, these devices are more an evolution of existing router technology. The association with the word "switch" is more for marketing appeal to emphasize the increase in raw throughput these devices can provide.
These devices typically (but not always) perform the same functions as a standard router. When a frame of data is received, it is buffered into memory and a CRC check is performed. Then, the topology frame is stripped off the data packet. Just like a regular router, a switch router will reference its routing table to determine the best route of delivery, repackage the data packet into a frame, and send it on its merry way.
How does a switch router differ from a standard router? The answer lies under the hood of the device. Processing is provided by application-specific integrated circuit (ASIC) hardware. With a standard router, all processing was typically performed by a single RISC (Reduced Instruction Set Computer) processor. In a switch router, components are dedicated to performing specific tasks within the routing process. The result is a dramatic increase in throughput.
Keep in mind that the real goal of these devices is to pass information along faster than the standard router. In order to accomplish this, a vendor may choose to do things slightly differently than the average router implementation in order to increase throughput (after all, raw throughput is everything, right?). For example, a specific vendor implementation may not buffer inbound traffic in order to perform a CRC check on the frame. Once enough of the frame has been read in order to make a routing decision, the device may immediately begin transmitting information out the other end.
From a security perspective, this may not always be a good thing. Certainly performance is a concern—but not at the cost of accidentally passing traffic that should have been blocked. Since the real goal of a switch router is performance, it may not be as nitpicky as the typical router about what it passes along.
Layer 3 switching has some growing up to do before it can be considered a viable replacement for the time-tested router. Most modern routers have progressed to the point where they are capable of processing more than one million packets per second. Typically, higher traffic rates are required only on a network backbone. To date, this is why switches have dominated this area of the network.
Switch routing may make good security sense as a replacement for regular switches, however. The ability to segregate traffic into true subnets instead of just collision domains brings a whole new level of control to this area of the network.
Like their router counterparts, some switch routers support access control lists, which allow the network administrator to manipulate which systems can communicate between each of the subnets and what services they can access. This is a much higher level of granular control than is provided with a regular switch. Switch routing can help to fortify the security of your internal network without the typical degradation in performance. If your security requirements are light, a switch router may be just the thing to augment your security policy.
Note: We will look at some examples of implementing an access control list (ACL) on a Cisco router in Chapter 6.
We've covered a lot of ground in this chapter. We discussed the basics of communication properties and looked at transmission media and hardware from a security perspective. We also discussed what traffic control options are available with typical network hardware.
In the next few chapters, we'll look at systems that are specifically designed to implement security policies. We will start by discussing firewalls and then work our way into intrusion-detection systems.
About the Author
Chris Brenton is a Certified Novell Engineer (CNE), Microsoft Certified Systems Engineer (MCSE), and Cisco Design Specialist (CDS). As a Technology Specialist for Alpine Computers, he serves as a security consultant to clients and a mentor to engineering staff.
Copyright © 1999 Sybex, Inc.