When you think of physical security, you might not necessarily think about your network. However, the network is an important part of anyone's computing experience today. Here we will take a brief look at traditional and wireless networks and what you can do to make them more secure.
Although there are a variety of traditional network topologies, the two most common are bus topology and star topology.
A bus topology connects all network devices along the same network trunk, the backbone. The backbone is typically a thinnet cable, also known as 10BASE-2 or coax (for coaxial cable). If the cable is interrupted at any point, the network goes down. This type of topology tends to have a high collision rate. Additionally, with all of the machines connected to the same line, network troubleshooting is more difficult because you can't conveniently isolate parts of the network for testing.
In a star topology, machines are connected to a hub or switch, typically by twisted-pair (also called 10BASE-T) wiring. If you disconnect one or more of the machines, the network does not go down. The ability to disconnect machines individually makes troubleshooting a star topology network much easier.
The primary network security concern is someone being able to watch your network traffic as your network is used. If you aren't using secure software on all machines in your network, things such as user IDs and passwords will be flying around your network in plain text for anyone with a little too much curiosity to see. Even if you are using secure software on all the machines in your network, many network services that your users will use to access the Internet at large will be insecure, and malicious network eavesdroppers will be able to view the data traveling out to Internet servers.
A secondary network security concern is that your network wiring is a trivial target for a person who wants to disable machines on your network. A quick slash with a pocketknife and your entire thinnet backbone stops working, or a whole branch of your 10BASE-T network loses connectivity to the outside world.
10BASE-2 networks are particularly vulnerable to the sniffing of network traffic because all packets go everywhere on the network. Removing a machine and replacing it with one that records the traffic passing by is easily accomplished. If the intruder wants to keep a lower profile, cutting into the cable and patching in a new connector is the work of but a few seconds.
Generally, we recommend avoiding 10BASE-2 networks whenever possible. They're cheap and easy to set up for a few machines, but they are fraught with support problems and you'll be a happier person if you never have to work with one.
Old-style 10BASE-T networks suffer from the same problem of all packets on the network going to all machines, but the advent of inexpensive smart switches makes this topology inherently much more securable than a 10BASE-2 network. Building a star (or tree) topology network with smart switches rather than hubs as the cable-connecting hardware restricts network traffic to only those wires that are absolutely required to carry the data. Smart switches learn which machines are where on the network, and they intelligently route traffic specifically where it needs to go, rather than sending it everywhere in the hope that the machine for which it's destined is listening. This has two benefits. It speeds up the network considerably, as many high-bandwidth functions (such as printing to a networked printer) will be restricted to only those network wire segments between the hosts that are directly communicating. With printing, for example, the data being transmitted only ties up the wires physically linking the printing computer and the printer. Other branches of the same logical network are unaffected by the traffic. In many cases, this can limit such traffic to only the wiring of one room, allowing the rest of the network to function as though the traffic between communicating machines didn't even exist. Additionally, it helps to prevent any machine plugged into the network from seeing traffic that isn't destined for it. A machine that wishes to snoop on network traffic in a completely switch-connected network will see very little data to snoop on: Because nothing knows it's there, there will be no data sent to it, and nothing will ever be sent down the wire to which it's connected. Clever crackers have ways to limit the protections that switched networks offer, so they should not be considered a panacea for all network-traffic-sniffing ills. However, switched networks are inherently more difficult to attack than networks using only simple hubs, and so are a natural tool in the security professional's toolbox.
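The difference between a hub and a learning switch described above can be made concrete with a small forwarding model. The following is an added example, not code from the book or from any switch vendor: it simulates a three-port device, feeds it a constructed print-job exchange between a workstation on port 1 and a printer on port 2, and reports what a silent listener on port 3 gets to see. The MAC addresses, port numbers and payload strings are constructed sample values; the `Hub` and `LearningSwitch` classes are hypothetical simplifications of the real hardware (no VLANs, no table ageing).

```python
"""Toy model of a hub versus a MAC-learning switch (added example, not from the book)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses: a workstation, a printer, and a silent
# listener that never transmits a frame of its own.
HOST_A = "00:03:93:aa:aa:aa"
PRINTER = "00:03:93:bb:bb:bb"
LISTENER = "00:03:93:cc:cc:cc"
PORTS = (1, 2, 3)          # HOST_A on port 1, PRINTER on port 2, LISTENER on port 3


class Hub:
    """A repeater: every frame is copied out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Learns which port each source MAC lives on. Unicast to a known MAC goes out
    only that port; broadcasts and not-yet-learned destinations are flooded like a hub."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port it was last seen on

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port            # learn the sender's location
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]  # flood
        out_port = self.mac_table[dst]
        return [] if out_port == in_port else [out_port]


def frame(src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload}


def deliver(device, frames):
    """Run (in_port, frame) pairs through the device; return {port: [payloads seen on that port]}."""
    seen = defaultdict(list)
    for in_port, fr in frames:
        for port in device.forward(in_port, fr):
            seen[port].append(fr["payload"])
    return dict(seen)


# Constructed traffic: a print job between HOST_A (port 1) and PRINTER (port 2),
# plus one ARP-style broadcast. The LISTENER on port 3 sends nothing at all.
SAMPLE_TRAFFIC = [
    (1, frame(HOST_A, PRINTER, "print-job-1")),    # PRINTER not learned yet -> flooded
    (2, frame(PRINTER, HOST_A, "ack-1")),          # HOST_A already learned -> port 1 only
    (1, frame(HOST_A, PRINTER, "print-job-2")),    # both ends learned -> port 2 only
    (1, frame(HOST_A, BROADCAST, "arp-who-has")),  # broadcast always reaches every port
]


def listener_view(device_class):
    """Payloads a silent station on port 3 can observe behind the given device."""
    return deliver(device_class(PORTS), SAMPLE_TRAFFIC).get(3, [])


if __name__ == "__main__":
    print("hub   :", listener_view(Hub))
    print("switch:", listener_view(LearningSwitch))
```

Behind the hub the listener sees all four payloads; behind the switch it sees only the first print-job frame (flooded because the printer's port had not been learned yet) and the broadcast. That residue is also why the text says switches are not a panacea: broadcasts and frames to not-yet-learned addresses are still delivered to every port, so a switched network reduces what a passive station can observe rather than eliminating it.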
When possible, we recommend using smart switches for as much of your network as possible. They'll save you many headaches, and the better versions give you nice control over your network, such as the ability to remotely disconnect the network from a machine that's begun causing problems at 4:00 on a cold winter morning.
The conference where Steve Jobs introduced the original iBook in conjunction with the AirPort card and AirPort base station ushered in an exciting time for Macintosh users. Since then, Macintosh users have been embracing wireless technology. We are now getting used to being able to surf the web from our backyards, or taking our laptops from one part of our office building to another without losing network connectivity. Although wireless networks are indeed convenient, they also have security risks. A wireless network is conceptually similar to a star topology traditional network, only instead of machines connecting to a central hub by wire, they connect via radio transmission. It's also similar in that data sent between a computer and the hub (AirPort card and wireless base station) is visible to all in-range computers with wireless capability. Although each connection to the base station may be encrypted, conferring some level of privacy, the network is not "point to point" like a switched 10BASE-T network. Any computer that cares to snoop can receive the encrypted traffic, log it, and bash on the encryption to try to break it at its convenience.
Wireless networks typically consist of one or more wireless access points attached to a network wire and some number of wireless clients. In the typical Macintosh case, the wireless access point is the AirPort Base Station, which can currently support up to 50 users. Yesterday's wireless networks commonly achieved a data rate of up to 10Mbps, and they broadcast on a 2.4GHz radio frequency. Today we're moving to 54Mbps on the same broadcast frequency with the 802.11g standard.
The 802.11b and 802.11g standards, the standards upon which the AirPort's and AirPort Extreme's wireless technologies are based, also include a way to encrypt traffic by using the WEP (Wired Equivalent Privacy) protocol. This can be configured with no encryption, 40-bit encryption, or 128-bit encryption. Although 128-bit encryption is better than 40-bit encryption, WEP encryption is overall a weak form of encryption.
Anyone who wants to decrypt the WEP encryption needs only a Unix box with a package such as AirSnort or WEPCrypt (AirSnort, http://airsnort.shmoo.com/, appears to be the package under regular development). After packets are decrypted, the intruder can collect whatever interesting data passes by, including usernames and passwords.
Along with the weak WEP encryption, wireless networks have other security limitations.
For example, because it's difficult to stop the radio waves carrying a wireless network at the boundaries of a building, it is easier for an unauthorized client to become a part of the network. Previously, to physically insert a client into a traditional network, physical access to the interior of the building was required. Now, someone need only park outside your building and flip open a laptop. With an external antenna, an unauthorized client can potentially receive the wireless network's signal at a greater distance; hardware hackers regularly achieve multikilometer connections to AirPort networks by using Pringles potato chip cans as antennae (http://www.turnpoint.net/wireless/has.html and http://www.oreillynet.com/cs/weblog/view/wlg/448). If there is no password for the access point, the unauthorized client just joins the network. If only the default password is in use, the intruder probably knows it and can still join. An intruder who has joined your network can perform malicious acts from it, including reconfiguring your AirPort Base Station.
Because of problems such as these, it's common for wireless networks to be set up with a number of rather severe limitations that are designed to mitigate problems caused by potential unauthorized use. These range from configuring the antenna placement and broadcast pattern to limit the access area to carefully defined regions, to setting the system up so that wireless-connected users must use a VPN client to tunnel into another network before they can gain any substantial functionality. The most common, and least secure, is simply to consider the wireless network an untrusted segment with respect to the remainder of the network, but this does nothing to prevent either misuse of the resource or leakage of sensitive data from trusted machines onto the untrusted segment.