3.1 Connecting the Network



3.1.1 The Physical Layer

In deference to the tradition of the OSI Model, and because it just makes sense, we begin our discussion of the network elements at the first layer of the OSI Model — the physical layer.

If you want to see the physical layer, look at the back of your computer. Odds are that you will find some sort of fiber-optic cable, category 5 copper (thin, flexible cable with four pairs of copper wire inside), a phone line, or even a wireless network card. Each of these is some type of physical medium, and each has specific hardware with instructions as to how to transmit information that will represent a one or a zero, which in turn is transmitted over the physical medium as a light wave, voltage, or radio wave.

You can rarely pick up a text about network design without considerable text discussing the relative advantages and disadvantages of each of the different types of physical media and their associated hardware. For those of you without one of those texts handy, here is a brief overview before we begin to discuss the security considerations of the physical layer.

Fiber-optic cable sets the gold standard for physical layer transmissions. Stretched from extremely pure glass or plastic, fiber-optic cable supports fantastic transmission speeds. I would quote you some incredible top end, but as of this writing the top end has not yet been determined. The problem is that the electronics that are in common use to create the ones and zeros cannot match the potential of fiber. Currently, speeds in the terabit range are common although even faster speeds are predicted for the future. From a straight bandwidth argument, fiber is the medium of choice for the foreseeable future.

While a fiber-optic bundle of cables may include hundreds of individual fiber filaments and be as big around as your little finger, in the actual transmission path in the bundle, the individual fibers are microscopic and generally cannot be seen by the naked eye. The fiber itself is extremely pure. It is said that if the ocean were as clear as optical fiber, we would be able to see to the bottom of its deepest trenches from a boat on the surface. Around each fiber is a type of cladding that has a slightly lower refractive index than the fiber core. This causes any stray light particles to bounce back toward the center of the fiber in the same manner as a mirror. Around this cladding there is a protective sheath and strengthening fabric.

Fiber optic boasts the longest cabling distances of all media without the use of repeaters to regenerate the signal. Most copper wires used in LAN networks are commonly 100 m and top out at about 500 m in older installations. Fiber is capable of running for dozens or even thousands of kilometers. Fiber also suffers the least from attenuation of all media and has an extremely low error rate. [1] If you have a need for a network that circles a small town or campus, fiber is the logical choice.

Fiber optic suffers from a serious drawback. While the fiber itself is generally cheaper to purchase than an equivalent amount of copper cabling, the connections and the specialized splicing equipment that must be used to join microscopic fiber filaments together are very expensive. This expense factor generally limits fiber-optic media to other long-haul applications where the extra expense is easily amortized, or use in server rooms to facilitate high-speed connections between servers and network devices.

Copper comes in a variety of flavors. For some time in the days of networking, coaxial cable similar to that used to provide cable service to your television was used in most local area networks (LANs). With the emergence of cable Internet access, this form of copper has seen a resurgence — for wide area access. Clearly, if 100 channels of the greatest entertainment on Earth can be transmitted over a piece of copper no bigger around than a pencil, then copper must be able to support great bandwidths of data. For the most part, the thicker a piece of copper, the more information that can be sent through it. Commonly, in LANs, the copper used is much thinner and is actually a small bundle of very thin copper wires similar to telephone wires. This type of cabling is often referred to as unshielded twisted pair (UTP). The name itself refers to the twists of the copper used to reduce interference from signals traveling down the copper. There are some types of copper, not in common use on most networks, that also have a thick mesh shield that protects the copper from radio and electromagnetic interference. This shielded version is naturally known as shielded twisted pair (STP). UTP cable, commonly referred to as category 5 (cat 5) or category 6 (cat 6), is very cheap and easy to work with. Category 6 cable is very similar to category 5 cable except that it is a newer standard and has been certified to support gigabit speeds over 100-m runs. Apart from being cheap and easy to work with, there is not much going for copper as a transmission medium. It does not support very high bandwidths [2] in gauges commonly used on LANs and it does not support long distances. Standards for copper cable are satisfied to get 100 m out of a single run of copper cable. Copper is also easily influenced by nearby radio and electrical sources — fluorescent lights and machinery are notorious for skewing the signal on a copper wire. Still, it is very cheap and very easy to work with compared to alternatives such as fiber optic.

The final major category of transmission media is wireless technology. Just as there are different types of fiber-optic and copper cabling, there are different areas of the radio spectrum reserved for data transmission. While the range and data throughput of wireless currently does not compare to those of copper and fiber, you cannot beat the ease of installation; and for most network users, the throughput rate is more than adequate.

The various physical media all have different usage considerations that range from installation and maximum useful distance to data throughput and maintenance. From the security perspective, the most pressing concern regarding the various physical layer media is generally how easy it is for someone to read data that is being transmitted over the media. Fiber-optic media are generally considered the most difficult to "sniff," or read data as it passes through. Because the data is being transmitted as pulses of light, unless there is significant bleeding of light into the cladding of the fiber, it is virtually impossible to track information. For those that are determined enough, the fiber can be spliced and some sort of high-speed sniffer inserted mid-stream, but such an undertaking would only be a risk from the most determined and well-financed threats. Because end users are usually not directly attached to the fiber infrastructure, users' ability to put packet sniffers on their computers and access information passing over the fiber is likewise limited.

Copper, on the other hand, is easier to sniff. Due to the tendency for high-frequency waves to emanate from the copper as signals are passed along its length, a device sensitive enough to read this radiation will be able to reconstruct data although the cost of such a device is more than the average hacker would be willing to accommodate. For the convenience of end users and the occasional hacker, there are usually a number of ports along walls that provide easy access to the network itself. There have been recent reports of individuals hacking gaming consoles such as Sony's PlayStation with built-in Ethernet ports. These consoles are hacked with a stripped-down version of Linux and deposited inside a company's network. From there, inconspicuously under a desk or in a closet, they sit and listen to all network traffic.

Most users do not need to go to such lengths to sniff the traffic on a copper infrastructure. Because user workstations are connected to the copper media, a sophisticated packet sniffer showing all traffic on the local area network can be easily installed. For those who prefer a more scaled-back sniffer, sniffers that look for patterns in the observed transmissions that look like "user" and "password" and common variants of those combinations are available for downloading.

Because copper is so cheap to work with, it has become the physical medium of choice for the majority of office buildings and local area networks around the world. While excellent in many regards, all copper should be regarded as insecure from a security point of view.

The ease of reading copper, however, pales in comparison with that of wireless. Few who have wandered about the office or home with a laptop in one hand and a wireless access point some place overhead can deny that the convenience of wireless is hard to resist. For myself, it only took the first day of working from home while sitting on my deck to convince me that I had found networking Nirvana. Wireless is, however, an inherently insecure medium. With copper, someone had to at least make a half-hearted effort to find some copper to sniff from. With wireless, all transmissions are in the clear for any interested party. In some cities, it has become a hobby of some groups to mark on sidewalks the boundaries of nearby businesses so that passersby may know where to look for either free wireless Internet access or "free" information about the company.

The above information should be our very first lesson into the world of risk assessment regarding networking components. A medium such as fiber can be very secure due to its nature, but never 100 percent secure. Wireless and copper, on the other hand, should never be considered secure, no matter their location. The degree of exposure for each of these may vary, depending on where it is installed. If the physical plant of an organization is trusted and software controls on workstations are implemented, then copper can be considered a bit more secure. If the securing of the entire physical plant is too expensive or time consuming, consider encrypting the data on the copper — in this way, anyone who does manage to capture the data will only capture unreadable information.

Wireless, while insecure due to its broadcast nature, can be made more secure by careful positioning of the wireless devices in relationship to the outside world. Access points in the heart of your campus would be less likely to be accessed by those on the street than those hung on the outside walls of buildings. While the built-in encryption protocol of the popular 802.11b wireless networking has been shown to be ineffective, there are other options available for encrypting wireless transmission. Depending on your risk assessment and the value of your assets, the vulnerabilities of wireless data transmission may create an acceptable risk. These solutions are discussed in Chapter 11, "Wireless Network Security."

Another type of hardware generally classified as "physical layer" hardware is the repeater. During the days of yore on networks, when 10base5 and 10base2 coaxial copper media ruled the LAN, a common problem was that the maximum transmission distances of the coaxial cable placed serious design constraints upon networks. The problem revolved around a concept known as attenuation. As an electrical signal traveled down a wire, it slowly lost strength, and the receiving stations could interpret it less and less accurately until at some point the signal became so weak that it was unreadable by the receiving side.

To overcome the distance limitations, repeaters were installed on the network. As the name suggests, these devices received the digital signal in one port and retransmitted it out another port. The new signal would be just as clear and strong as the original and the several spans of coaxial cable could then be laid end to end. This process could theoretically occur a number of times until LANs of fantastic sizes could be built — were it not for the collision detection mechanisms of the data-link layer.

As the popular physical medium of the LAN moved from coaxial copper to the more flexible cat-5 UTP, the role of a repeater changed. Where coaxial-based LANs were known as "bus" topologies in that they shared a single length of coaxial cable between all stations, UTP LANs are always designed in a physical "star" topology. Because the UTP itself is even more sensitive to attenuation, and therefore distance considerations, than the coaxial cable, at the center of the star a repeater was placed to ensure that the signal from each host would be amplified enough to reach all other hosts. The two-port repeater of the bus topology gave way to multi-port repeaters of the star topology. We called these repeaters "hubs." A hub operates just like a repeater, except with multiple ports. A signal transmitted into one port of a hub is repeated without discretion out all other ports. The diagram in Exhibit 1 illustrates the common LAN topologies. For wireless and fiber-optic media, repeaters are still quite popular. Ask anyone who has shot 802.11b around a mountainside from their office to their home, or between the homes of friends — a repeater used to redirect the signal is quite handy. Long-haul fiber typically has repeaters every so many kilometers to keep the signal strong, although these distances are increasing and nonpowered technologies such as erbium-doped fiber can, in some instances, eliminate the need for a separate repeater altogether.

Exhibit 1: LAN Topologies


In the office LAN, two-port repeaters are very rare, but the good old hub still holds a privileged spot in many workgroups. Hubs are a specific and well-known vulnerability when considering network security. Because a signal transmitted from one host can be heard by any host attached to any other port on the hub, all traffic is visible to all networked hosts at all times. The security provided by a hub alone is the equivalent of sharing secrets in a crowded room. If anyone in the room is intentionally listening for that secret, there is no way to hide it from them.

In truth, most network administrators are stuck with the physical media they have in place. A general understanding of the risks of the media itself, however, will provide the knowledge needed for a more accurate risk assessment for a corporation.

A summary of the physical layer follows:

  • Fiber optic: High bandwidth, long distances, high cost. Generally the most secure physical medium due to the effort required in compromising it. Due to its expense, fiber is generally only used in long-haul circuits or specialized applications in server rooms and high-speed networking devices.

  • Copper: Medium bandwidth, medium distances, medium cost. Can be compromised in any number of ways. The most complex is to read the flux in the magnetic field surrounding the copper as digital signals pass through it. Most of the time, that much effort is not required. RJ-45 ports are usually plentiful and conveniently located. If no ports are available, a network-attached host will generally suffice, providing the chance to load sniffing software onto the host. In short, suspect your copper.

  • Wireless: Low bandwidth, low distance, and low cost. It is like having your own low-watt radio station. Anyone with a receiver that can tune into your frequency will be able to see all traffic on your network. In this respect, a wireless network can be equated to a hub in that all traffic is easily visible. Because the interloper can be some distance from the transmission sources themselves (or even the building), someone gathering packets can be difficult to detect. Wireless transmission should be considered an open book and not used without additional encryption of data at higher layers of the OSI model.

3.1.2 Data-Link Layer

The data link is the layer at which most framed protocols operate. Examples of data-link protocols include Ethernet, Token Ring, Frame Relay, ATM, [3] HDLC, and PPP. These protocols convey information from one host to another and typically operate between network nodes only. Each data-link layer is specifically tuned to a particular type of physical medium and often the standards that define the data-link layer also specify the expected operation of the physical layer. For example, Ethernet is defined in the IEEE 802.3 standard. This standard defines the operations of Ethernet from speeds of 10 Mbps to 1000 Mbps and defines protocol operation over different types of fiber and various types of copper.

Security concerns of the data-link layer, being closely tied to the physical layer, generally revolve around hardware and encryption. Because encryption is rarely performed at the data-link layer, we start our discussion with this short prelude.

Many types of physical media are vulnerable to eavesdropping. To protect against this, we can encrypt data-link layer data as it travels from link to link. This ensures that as the data is actually being transmitted, it will be very difficult for anyone using some sort of device that reads the electromagnetic emanations from the media, such as a sniffer, to determine what the data is.

While this certainly sounds secure, there are several disadvantages that make this an option for only the most sensitive of data, and then only when there is no other option. First, the encryption engine adds additional expense to the network hardware, and this is generally not the type of equipment that you can purchase at an online wholesaler. Frames that travel from node to node based upon higher layer routing information need to be decrypted at each node so that a routing decision can be made upon the packet. Thus, even with link encryption, the packets must be in cleartext at some points as they travel through the network. The time and effort taken to encrypt and decrypt the packet at each hop add additional overhead and increase the overall delay of the network as well.

If the risk assessment determines that the data traveling over the Frame Relay links is of sufficient value and at a high risk for exposure, then link layer encryption is an option. For most of the cases involving the IP protocol that require encrypting data across the wire, there are better options. In some cases, however, link layer encryption could be considered. For example, if there is a great deal of non-IP traffic, such as SNA that is being distributed from a central hub location to remote sites over dedicated layer 2 links such as Frame Relay or X.25, clearly the option of using IP encryption does not apply.

The more common discussion of data-link security issues centers around the hardware normally found in a LAN environment. This is because unencrypted data on the LAN is at the greatest risk: the effort required to capture it is minimal. On a hub, a frame sent to one port is forwarded out all ports regardless of the ultimate destination of the frame. From a performance point of view, this is not optimal. The collision detection algorithms used by Ethernet dictate that in a shared environment, the total bandwidth over time available for any given station decreases as more hosts are added to the shared medium. Thus, ten stations sharing a 100-Mbps hub will, on average, each enjoy 10 Mbps of bandwidth available for use. When 25 stations share the same 100 Mbps and try to transmit at the same time, on average they will each have available 4 Mbps for use. This area of shared bandwidth creates what is known as a collision domain, an area of the network where hosts compete with each other to transmit their data over the network.

The initial solution to this performance problem was the bridge (see Exhibit 2). By logically breaking up a network into two or more collision domains, the number of stations that were competing for the same resources decreased. The performance for each host then increased, as, on average, more bandwidth was available for its use. A bridge would segment nodes by reading the data-link layer addresses as they passed through the bridge device. As more stations transmitted, the bridge would eventually learn the location of every host in relation to itself. Thus, when Host A sent a frame to Host B, the bridge, knowing that Host A was on port 1 and Host B was somewhere on port 2, would forward the frame from one port to another. At the same time, when Host C sent a frame to Host A, the bridge, knowing that they were on the same network segment, would not forward the frame between the two of them. The first bridges were expensive and simple devices that only had two ports and were used sparingly on a network. As the technology became more advanced and competition between networking vendors for Ethernet equipment heated up, the prices of bridges fell and the performance increased. By increasing the number of ports on a bridge, the Ethernet switch was created. Acting with the same logic as the bridge, the switch would rapidly learn the network topology as stations sent traffic during the normal course of business. Once the switch knew the network topology, it would then only forward frames out the ports of hosts that were interested in receiving the frame. This, in effect, would give any two network hosts the illusion that they were sharing private communications facilities — much like what occurs when we make local telephone calls.

Exhibit 2: Learning Bridge Operation


As long as the switch had the capacity to switch the traffic from port to port quickly enough, the performance of the network approached its theoretical maxima. In the common configuration of one host per switch port, the host has available to it the full transmission capacity of the medium, be it 10, 100, or 1000 Mbps.

While the cheap and available switch revolutionized our local area networks in terms of performance, it also changed the security landscape — for a time. Unlike with the hub, protocol exchanges between two hosts are not transmitted out all ports. Therefore, if Host A and Host B were exchanging packets, the forwarding logic of the switch would only forward information out the ports to which Host A and Host B were attached. If Host C located on another port wanted to capture traffic between the pair, it would be out of luck, as no data would be forwarded to Host C.

It would seem that, based on this, the switch was the perfect solution to combat network monitors. Considering that you could purchase a single technology that not only increased the performance of the network but also the security — then that would be a product that was worth every penny. With competition between hardware vendors dropping the price per port on a switch until they compare favorably with hubs, there is no reason not to use a switch instead of a hub.

The sense of security that switches used to provide has passed us by, however. There are a number of ways in which the data-link isolation provided by a switch can be circumvented. Using sophisticated spoofing techniques, an attacker is able to confuse the switch regarding the placement of network hosts.

The first method of confusing a switch is for a sniffing device to simply respond to ARP messages for IP addresses other than its own. In this manner, a sniffing host can cause a switch to forward a number of packets out the port of the sniffer.

A sniffer can also reply to ARP requests made for the router itself. This is effective because the switch then forwards packets to be routed to the sniffer, and the sniffer records the contents of the packets and then forwards them to the router with little outward indication of what has occurred. Reversing the process, the sniffer can respond to router ARPs pretending to be a local host on the network. By enabling the forwarding of IP packets on the sniffer, both directions of the communication can be sniffed despite the presence of the switch.

A host acting as a sniffer may also disable a remote host using a packet-based IP attack and take over the IP address the now-disabled host had. As far as the switch is concerned, the target host has simply switched ports and the switch dutifully begins forwarding packets to the new location — the sniffer.
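From the monitoring side, all three behaviors described above show up as an IP address answering from an unexpected MAC address. The following is an added example, not code from the book: a small checker run over constructed ARP reply observations, where the addresses, the pinned router binding and the alert names are all assumptions made for illustration.

```python
"""Flag suspicious IP-to-MAC bindings seen in ARP replies (added example)."""
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
OBSERVED = [
    (0,  "192.0.2.1",  "00:00:5e:00:53:01"),   # router
    (1,  "192.0.2.10", "00:00:5e:00:53:0a"),   # host A
    (2,  "192.0.2.11", "00:00:5e:00:53:0b"),   # host B
    (3,  "192.0.2.12", "00:00:5e:00:53:0c"),   # host C
    (40, "192.0.2.1",  "00:00:5e:00:53:0c"),   # C's MAC answers for the router
    (41, "192.0.2.10", "00:00:5e:00:53:0c"),   # ...and for host A
    (42, "192.0.2.1",  "00:00:5e:00:53:01"),   # the real router answers again
]

# Bindings the administrator has recorded by hand (assumed to exist).
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}


def analyze(observations, pinned, max_ips_per_mac=1):
    """Return a list of (time, alert, ip, mac) tuples.

    PINNED_MISMATCH          a pinned IP (e.g. the router) answered from another MAC
    BINDING_CHANGED          an unpinned IP moved to a different MAC
    MAC_CLAIMS_MULTIPLE_IPS  one MAC now answers for more IPs than allowed
    """
    bindings = {}                      # ip -> last MAC seen
    ips_by_mac = defaultdict(set)      # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        expected = pinned.get(ip)
        if expected is not None:
            if mac != expected.lower():
                alerts.append((ts, "PINNED_MISMATCH", ip, mac))
        elif ip in bindings and bindings[ip] != mac:
            alerts.append((ts, "BINDING_CHANGED", ip, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            # Hosts with legitimate secondary addresses need a higher limit.
            if len(ips_by_mac[mac]) > max_ips_per_mac:
                alerts.append((ts, "MAC_CLAIMS_MULTIPLE_IPS", ip, mac))
        bindings[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in analyze(OBSERVED, PINNED):
        print(alert)
```

A binding change is not proof of spoofing, since a replaced network card produces the same signal, so each alert is a prompt to check which switch port the MAC address is on.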

Many times, the isolation offered by a switch can be defeated by flooding the switch with fake MAC addresses. A switch keeps track of the location of host and port based on a MAC address. If the portion of the switch memory allocated to retaining MAC addresses is overloaded, switches will begin to forward all traffic out all ports to ensure that traffic reaches the proper destination. In a sense, by flooding the switch with MAC addresses, an attacker can force a switch to act like a hub while it tries to recover from the attack.
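The learning logic of the bridge and switch described earlier, and the fail-open behavior of a full MAC table, can be seen in a toy model. This is an added example, not code from the book or from any switch vendor: the table size, the host addresses and the per-port MAC limit (a commonly available managed-switch control, assumed here as the mitigation) are illustrative, and address aging is left out.

```python
"""Toy model of a learning switch with a bounded MAC table (added example)."""

HOST_A = "00:00:5e:00:53:0a"   # constructed addresses for the demo
HOST_B = "00:00:5e:00:53:0b"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size                # MAC table capacity
        self.max_macs_per_port = max_macs_per_port  # None = no per-port limit
        self.mac_table = {}                         # source MAC -> port
        self.violations = []                        # (port, MAC) refused by the limit

    def _learn(self, src_mac, in_port):
        """Record where src_mac lives. Return False if the frame is dropped."""
        if self.mac_table.get(src_mac) == in_port:
            return True                             # already known on this port
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((in_port, src_mac))
                return False
        if src_mac in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src_mac] = in_port       # new entry, or host moved ports
        return True                                 # table full: forward, do not learn

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        if not self._learn(src_mac, in_port):
            return []
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:                        # unknown destination: act like a hub
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:                     # same segment: filter
            return []
        return [out_port]


def run_scenario(bogus_sources, max_macs_per_port=None):
    """Port 3 first sends `bogus_sources` frames with distinct source MACs,
    then hosts A (port 1) and B (port 2) exchange frames. Returns the ports
    that receive a later A-to-B frame, plus the switch for inspection."""
    sw = LearningSwitch([1, 2, 3], table_size=8,
                        max_macs_per_port=max_macs_per_port)
    for i in range(bogus_sources):
        sw.receive(3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), BROADCAST)
    sw.receive(1, HOST_A, HOST_B)
    sw.receive(2, HOST_B, HOST_A)
    return sw.receive(1, HOST_A, HOST_B), sw


if __name__ == "__main__":
    print("normal learning :", run_scenario(0)[0])
    print("table exhausted :", run_scenario(20)[0])
    print("limit of 2/port :", run_scenario(20, max_macs_per_port=2)[0])
```

With the table exhausted, the frame from Host A to Host B also leaves port 3. With a limit of two addresses per port, the excess source addresses are refused and logged, and the frame reaches port 2 only.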

Managed switches, while more expensive, are generally worth the investment because they allow the network administrator to create a number of virtual LANs (VLANs) to increase performance for small workgroups by reducing overall broadcast traffic or otherwise isolate hosts without the need for additional hardware. Managed switches, however, also allow what is known as port mirroring. While recognizing that for some troubleshooting and monitoring applications such as an intrusion detection system (IDS) the restriction on broadcasting can actually be detrimental, port mirroring allows certain ports to be configured to automatically receive or mirror traffic on any other port, group of ports, VLANs, or the entire switch. If not properly secured, the switch itself can actually facilitate the capturing of traffic. Again, we must assume that the network infrastructure is untrusted.

The amount of data that each host is allowed to transmit over a given data-link layer in a single frame is called the maximum transmission unit (MTU). The MTU is a design decision for each data-link layer and is based on several factors. The transmission speed of the data-link layer is one important consideration; links are more efficient with larger MTUs. This is because more of each frame is dedicated to data and less to overhead. Sharing characteristics are also taken into account for the data-link layer. If each host is allowed to transmit frames that are too large in a shared environment, then all other hosts need to wait to transmit their data. In small data exchanges, the large frames would cause unnecessarily long delays for small frames. The biggest factor influencing MTU selection, however, is the chip that is used to create the network interface card. One of the reasons that the MTU of Ethernet was set at 1500 octets was simply because at the time Ethernet was being developed, the cheapest, most available chip sets that could be found would support up to 1518 octets of data. While transmission speed and multiplexing of many hosts were important considerations, the ultimate arbiter of MTU was the available hardware to support the given data-link layer.

Common MTU sizes are shown in Exhibit 3. With some restrictions, the MTU can be adjusted and, for many network media, this is often the case. Because the default MTU is also usually the maximum size that the network interface card can accept, the most common option is to set the MTU to a lower size, representing the least common denominator, to avoid fragmentation on other network media that have lower MTU values. MTU size is also an important issue for security-related reasons. MTUs that are too large may need to be fragmented somewhere in the network. This causes a decrease in network performance due to the routers' requirement of fragmentation and the hosts' requirement to reassemble the fragmented packet. As we discuss in the section on the IP layer, fragmented packets can also be a security risk. If you are concerned about IP packet fragments, changing MTU sizes on your network will eliminate them.

Exhibit 3: Common Data-Link Layer MTUs in Octets

| Media | MTU in Octets |
|---|---|
| Ethernet | 1518 |
| Gigabit Ethernet | 64000 (only with Jumbo frames options selected) |
| Token Ring 4 Mbps | 4000 |
| Token Ring 16 Mbps | 16000 (commonly set to 4000 for 4 Mbps compatibility) |
| FDDI | 4500 |
| ATM | 16000 |
| PPP | 1500 (lower values common over dial-up links) |
| HDLC | 18000 (lower values likewise common) |
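To make the fragmentation cost concrete, the following added example (not from the book) works out how an IPv4 datagram is split when it crosses a link with a smaller MTU, and why setting hosts to the lowest MTU on the path removes the fragments. It assumes a 20-octet IPv4 header without options and the IPv4 rule that fragment offsets count in 8-octet units; the 576-octet dial-up PPP value is a constructed sample.

```python
"""IPv4 fragmentation arithmetic for a path of mixed MTUs (added example)."""

IP_HEADER = 20   # octets, assuming no IP options


def path_mtu(link_mtus):
    """The largest datagram that crosses every link unfragmented."""
    return min(link_mtus)


def fragment(total_length, mtu, header_len=IP_HEADER):
    """Split a datagram of total_length octets for a link with the given MTU.

    Returns a list of (offset_in_8_octet_units, data_octets, more_fragments).
    """
    payload = total_length - header_len
    if total_length <= mtu:
        return [(0, payload, False)]
    # Every fragment except the last must carry a multiple of 8 data octets.
    per_fragment = (mtu - header_len) // 8 * 8
    fragments, sent = [], 0
    while sent < payload:
        size = min(per_fragment, payload - sent)
        fragments.append((sent // 8, size, sent + size < payload))
        sent += size
    return fragments


def octets_on_wire(fragments, header_len=IP_HEADER):
    """Total IP octets sent, counting one header per fragment."""
    return sum(size + header_len for _, size, _ in fragments)


if __name__ == "__main__":
    # Ethernet (1500 per the text), Token Ring 4 Mbps, dial-up PPP (constructed).
    links = [1500, 4000, 576]
    lowest = path_mtu(links)
    frags = fragment(1500, lowest)
    print("path MTU:", lowest)
    print("1500-octet datagram becomes:", frags)
    print("octets on the wire:", octets_on_wire(frags))
    print("host MTU lowered to path MTU:", fragment(lowest, lowest))
```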

3.1.3 The Network Layer

At the network layer, or layer 3, the primary hardware device is the router. Routers are used to connect IP networks together, with each port on a router defining a single IP network. Generally, some sort of specialized computer with a number of network interfaces, routers make forwarding decisions based on the layer 3 addressing information in a datagram. Routers determine which interface a packet is forwarded out, based on a "routing table" (see Exhibit 4). The routing table is simply a list of all known network destinations along with the interface and next-hop IP address used to reach these destinations. In the event that there is more than one interface that would allow connectivity to a remote network, routing tables also include a metric of some sort that allows the routing process to make an objective decision as to which interface of many to use. There are two primary ways to create a routing table. The first is through static routes. This means that someone sits down in front of a router console and types in a statement that, roughly translated, would say, "To reach network 200.5.6.0/24, send the packet out the first Ethernet interface to the next router with an IP address of 135.10.15.254." This process could be repeated a number of times until all the relevant network destinations were entered. This approach, on a small scale, is very efficient. For large networks, it is time consuming, difficult to maintain as the network changes, and prone to human error.

Exhibit 4: A Sample Routing Table


To avoid the negative issues associated with static routes, dynamic routing protocols are often used. While there are a number of routing protocols that vary in complexity and suitability for one network type or another, in the end, each dynamic routing protocol is simply a way for a group of routers to share network reachability information with each other and create a local routing table.

When passing traffic from one IP subnet to another, a router is always used. As such, routers serve as concentration points for network traffic. In this capacity, a router can be called into service to apply other needed network functions. Some examples may be firewall functions. This could include packet filtering, stateful packet filtering, network address translation (NAT), dynamic access-list generation, and even some higher layer protocol filtering such as is seen in application layer firewalls. Routers can also serve as Dynamic Host Configuration Protocol (DHCP) servers for the assignment of IP addresses, subnets, default gateways, and DNS servers to hosts. When connecting networks together using a VPN, routers can also serve as the physical endpoint of encryption. This means that each router will contain at least one VPN key that can be used in the encryption of VPN traffic — and its subsequent decryption.

As focal points of network traffic, routers will also be configured to track and monitor network traffic. This may simply total the volume of traffic in average bits per second, or it may mean volume and type of traffic between any two points. In a pinch, a router can also be used to load its own operating system image onto another router. This can be useful in restoring a router when the software operating system is not otherwise handy.

Few devices are more important to the idea of confidentiality, integrity, and availability than network routers. As the above description of some of the roles that a router plays in a typical network points out, several critical network functions are handled by a router.

Once a packet is en route from the host, the arbiter of that packet's fate is the router. Control of the routing tables is control of the network. For someone interested in sniffing data, careful manipulation of routing tables could direct data over a network that they have control over and have packet sniffers installed. Unless a particular issue requires troubleshooting, most users would not even notice the diversion of their traffic. Most users are accustomed to sessions timing out. If the routing manipulation occurs during an active session, users would habitually select the "reconnect" or "reload" button without a second thought.

Changing any security characteristics of the router would also severely impact the overall network security. Once again, as long as everything was working to the user's satisfaction, minor modifications to the firewall would mostly go unnoticed. The only way these changes could be detected would be through the regular auditing of the perimeter security.
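The same regular auditing applies to the routing table itself. The following added example (not from the book) implements the lookup a router performs, using the standard IP rule that the longest matching prefix wins and the metric breaks ties, and then compares a running table against an approved baseline. Only the 200.5.6.0/24 via 135.10.15.254 route comes from the text; every other entry, the interface names and the finding labels are constructed.

```python
"""Audit a routing table against an approved baseline (added example)."""
import ipaddress

# Constructed tables: (prefix, next hop, interface, metric). Only the
# 200.5.6.0/24 via 135.10.15.254 entry is taken from the text.
BASELINE = [
    ("0.0.0.0/0",      "135.10.15.1",   "Ethernet0", 1),
    ("200.5.6.0/24",   "135.10.15.254", "Ethernet0", 1),
    ("200.5.6.0/24",   "135.10.16.254", "Ethernet1", 5),   # backup, worse metric
]
RUNNING = BASELINE + [
    ("200.5.6.128/25", "10.9.9.9",      "Ethernet1", 1),   # not in the approved set
]
PROBES = ["200.5.6.10", "200.5.6.200", "198.51.100.7"]     # destinations to check


def parse(rows):
    return [(ipaddress.ip_network(p), hop, iface, metric)
            for p, hop, iface, metric in rows]


def effective_next_hop(rows, destination):
    """Next hop chosen for destination: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in parse(rows) if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1]


def audit(baseline_rows, running_rows, probes):
    """Return findings as (kind, subject, next_hop) tuples."""
    base, run = set(parse(baseline_rows)), parse(running_rows)
    findings = []
    for route in run:
        if route not in base:
            findings.append(("UNAPPROVED_ROUTE", str(route[0]), route[1]))
    for route in sorted(base - set(run)):
        findings.append(("MISSING_ROUTE", str(route[0]), route[1]))
    for dst in probes:
        expected = effective_next_hop(baseline_rows, dst)
        actual = effective_next_hop(running_rows, dst)
        if expected != actual:
            findings.append(("NEXT_HOP_CHANGED", dst, actual))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, RUNNING, PROBES):
        print(finding)
```

The single added /25 leaves 200.5.6.10 on its approved path but moves 200.5.6.200 to a different next hop, which is why the audit probes actual destinations as well as diffing the entries.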

No attacker, unless he had access to computing resources that were greater than most in use today, would spend time trying to decrypt captured VPN traffic. Access to the routers themselves, however, may give the attacker enough information to recreate the session keys used in the VPN or even allow access to unrestricted data.

In the role of a network monitoring device, the router can also provide a wealth of information for those interested in learning more about the traffic patterns on a network. Some Simple Network Management Protocol (SNMP) configurations will even allow remote users to monitor and change the router's configuration — all of this without having to log in to the router itself.

It should be clear by now that the router should have special consideration in the overall security plan. While network connectivity may be impossible without them, a poorly configured or improperly secured router will severely compromise the security of a network.

[1] For connection-oriented protocols such as TCP (to be discussed shortly), error rates have a significant impact on how much of that transmission potential can actually be used to transfer data.

[2] That said, the maximum bandwidth for common LAN usage is still 1 Gbps — a transmission rate more than adequate for Web surfing and checking e-mail.

[3] ATM, strictly speaking, is an entire protocol stack much like the TCP/IP suite with standards for addressing and path finding. As commonly seen from the point of view of IP, however, ATM simply serves as a layer 2 technology.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
