Since the inception of networking technologies, security has been a vital aspect of the design and deployment of networks. Security is an integral part of how a network functions, and today's enterprise networks have incorporated many new innovations such as unified computing, e-commerce, cloud computing and enterprise mobility. While these technologies make networking more capable, they also make it harder to meet the required standards of network security (Ali, Hossain & Parvez, 2015). Campus networks are an important part of campus life and require adequate security procedures to maintain their integrity and meet their operational requirements. These procedures protect campus networks, and the institutions that depend on them, from attacks that may use many different techniques.
In theory, network security should protect a campus network from all threats and attacks; in practice, the many variables involved mean that a network and its infrastructure will exhibit some weaknesses or vulnerabilities that lead to security issues (Wu, 2010). Furthermore, the hierarchical architecture of any network is built from different protocols, and these protocols may themselves raise security issues. This report evaluates the security issues associated with campus networks, in particular those that affect switches, and highlights possible solutions to these problems.
So, what is a campus network? A campus network is a proprietary network, such as a LAN (local area network), that serves an organisation such as a university, agency or company. A typical campus network is an interconnection of LANs serving multiple buildings within the confines of one organisation. Its users may be spread beyond a single building, but they are never as geographically scattered as the users of a wide area network (WAN) (Rouse, 2017). Academic institutions such as colleges and universities are the best example of this kind of network: their systems share a common interconnection while remaining within the same vicinity.
All networks, regardless of how they are implemented, have a number of security limitations and vulnerabilities. For instance, the Ethernet switches commonly used in campus networks, despite the popular belief that they are inherently secure, have many security weaknesses, from control-plane protocols (e.g. the spanning tree protocol) to data-plane protocols such as the Address Resolution Protocol (ARP), which maps IP addresses to MAC addresses (Vyncke, 2008). Most of these issues can be mitigated by proper configuration, while others require ongoing assessment and monitoring.
Issue 1: MAC Address-Based Security Issue
A switch normally looks up the destination MAC address of each frame it receives in its content addressable memory (CAM), also called the MAC address table, which maps MAC addresses to the ports on which they were learned. The lookup tells the switch which single port to forward the frame out of. A common attack floods this table: because it has a limited size, an attacker who sends frames with thousands of spoofed source MAC addresses fills it within seconds. Once the table is full the switch can learn no new addresses (port mappings), so frames for any legitimate host whose entry has aged out, or was never learned, are sent out of every port in the VLAN, effectively turning the switch into a hub (Popeskic, 2011). Operating as a hub, the switch forwards such traffic to every connected machine, including the attacker's, and so exposes the content being transmitted.
Flooding attacks are particularly damaging to campus networks because they take effect within a very short time. A CAM table can be filled with fake address-to-port mappings in seconds, which defeats a basic security property that a switch provides, namely that unicast traffic is delivered only to the port of its intended recipient (Telelink, 2013).
Several solutions exist, the choice depending on the type of switch in use, but they generally combine two controls: first, specifying which MAC addresses are allowed to communicate through a given physical port of the switch; and second, limiting the total number of addresses that may be learned on that port. Together these controls make up the feature known as port security (Redscan, 2013). By default, most switches accept frames from any connected device and forward traffic from one source to another, and it is this permissive default that exposes a LAN to attacks that are easy to carry out.
Port security is a control feature implemented on networks such as campus networks that allows administrators to regulate which devices may send traffic through each switch port. With it, an administrator can limit the number of MAC addresses permitted on a given port and can even specify the exact devices (by MAC address) allowed on it. Depending on the configured violation policy, a port that exceeds its limit can be shut down (placed in the error-disabled state) or have the offending frames dropped until the relevant administrator is alerted and intervenes (Cisco, 2009). This approach improves access control and simplifies the management of campus networks.
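To make the behaviour described in Issue 1 concrete, the following is an added example (not code from the page or from any switch vendor) of a small learning-switch model. It runs a MAC-flooding attacker against the switch twice: once with no protection, where the full CAM table forces the server's reply out of every port, and once with port security limiting the attacker's port to a single address, where the first extra address shuts the port down. The switch model, the CAM capacity of 1000 entries, the port numbers and all MAC addresses are constructed for the example.

```python
"""CAM table overflow (MAC flooding) against a model switch, with and without port security.

Added example, not code from the page or any vendor: the switch model, its CAM capacity,
the port numbers and the MAC addresses are all constructed for illustration.
"""
import random


class Switch:
    """A minimal learning switch: one shared CAM table plus optional per-port port security."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity          # assumed hardware limit on CAM entries
        self.cam = {}                             # source MAC -> port it was learned on
        self.max_macs = {}                        # port -> maximum MACs allowed (port security)
        self.secure_macs = {p: set() for p in self.ports}   # MACs counted against that maximum
        self.err_disabled = set()                 # ports shut down by a port-security violation

    def enable_port_security(self, port, maximum):
        """Model of 'switchport port-security maximum N' with the shutdown violation mode."""
        self.max_macs[port] = maximum

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the list of ports it is forwarded out of."""
        if in_port in self.err_disabled:
            return []
        # Port security: a new source MAC beyond the configured maximum is a violation.
        if in_port in self.max_macs and src_mac not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= self.max_macs[in_port]:
                self.err_disabled.add(in_port)
                return []
            self.secure_macs[in_port].add(src_mac)
        # Learn the source MAC while there is room; a full table learns nothing new.
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        # Known destination: forward out of one port. Unknown: flood every other live port,
        # which is exactly the hub-like behaviour a full CAM table forces.
        if dst_mac in self.cam:
            out = self.cam[dst_mac]
            return [] if out in self.err_disabled else [out]
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(port_security_max=None, cam_capacity=1000, flood_frames=2000, seed=1):
    """Attacker on port 3 floods spoofed source MACs, then a client (port 2) talks to a
    server (port 1). Returns what the switch learned and where the server's reply went."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    if port_security_max is not None:
        sw.enable_port_security(3, port_security_max)
    server, client = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed addresses

    # MAC flooding: every frame carries a fresh spoofed source address (macof-style).
    for _ in range(flood_frames):
        sw.receive(3, random_mac(rng), "ff:ff:ff:ff:ff:ff")

    # The client's first frame is flooded in either case (the server is not yet known);
    # what matters is whether the switch could learn the client's address from it.
    sw.receive(2, client, server)
    # With a healthy CAM the reply goes only to port 2. With a flooded CAM the client was
    # never learned, so the reply is sprayed to every port, including the attacker's.
    reply_ports = sw.receive(1, server, client)
    return {
        "cam_entries": len(sw.cam),
        "attacker_port_disabled": 3 in sw.err_disabled,
        "reply_ports": reply_ports,
        "attacker_sees_reply": 3 in reply_ports,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security max 1:", run_scenario(port_security_max=1))
```

The model leaves out CAM ageing: on a real switch the legitimate entries expire (300 seconds by default on Cisco platforms) and cannot be relearned while the flood continues, which is why the attack also works against hosts that were already known. Note also that a maximum of one address is too strict for ports that carry an IP phone with a PC behind it; in practice the limit is set to the number of devices expected on the port, and the violation mode is chosen so that a shut-down port is noticed rather than silently dropping traffic.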
Issue 2: Address Resolution Protocol (ARP) Issues
Consider the OSI model, and in particular the data link layer, which uses ARP to determine the MAC address that corresponds to a known IP address. The data link layer encapsulates packets from the network layer into frames carrying control information such as the destination address. Before it can do so it must establish the MAC address of the destination, so it sends an ARP request as a broadcast to all devices on the LAN. The request carries the destination's IP address, and the device that owns that address replies with its MAC address (Sukkar, Saifan, Khwaldeh, Maqableh & Jafar, 2016). The host then saves the mapping in its ARP table, which acts as a cache: further requests are sent only when the MAC address for an IP address is not already in the table.
The security issue arises from the fact that ARP is a stateless protocol: a host accepts any ARP reply, even one for which it never sent a request, and updates its cache accordingly. A campus network is therefore exposed if ARP replies are sent to its hosts without any request having been made. A malicious user can send replies claiming the IP addresses of sensitive network resources such as the default gateway or the DNS server, binding them to the attacker's own MAC address. The affected hosts cannot distinguish legitimate from illegitimate claims and overwrite their caches with the attacker's information. The attacker thereby becomes a man-in-the-middle: any traffic the victim sends to or receives from those resources passes through the intruder first (Bryner, 2006).
Two kinds of technique are commonly used to mitigate this problem: prevention and detection. The most common preventive measure is configuration, for instance static ARP tables, in which a fixed set of entries is provided that spoofed replies cannot overwrite (Andress, 2001). However, this solution scales poorly: it carries a high administrative overhead and forces administrators to configure every network device by hand. Another preventive approach is ARP filtering, in which ARP packets are inspected and logged and any reply that does not answer an outstanding request is dropped.
Finally, there is authentication, where authentication policies allow a small network (e.g. a campus network) to isolate and block malicious users (Cisco, 2009). In large networks such as public networks, however, this is difficult to establish because it increases the complexity of the system, including the assignment of authentication parameters to a very large number of users. Detection procedures, on the other hand, apply to individual devices such as PCs: these tools monitor the ARP table and raise an alert on any change to the gateway's entry.
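The following added example (not code from the page or from any of the cited works) puts the ARP cache poisoning of Issue 2 and the countermeasures above side by side. NaiveArpCache behaves as ARP itself specifies, accepting any reply. ArpGuard applies three of the controls discussed: it drops replies that answer no outstanding request (filtering), it checks replies for protected hosts such as the gateway against a fixed binding (a static ARP entry, or the DHCP-snooping binding that dynamic ARP inspection uses), and it raises an alert when a cached address changes (detection). The IP and MAC addresses, the class names and the scenario are constructed for the example.

```python
"""ARP reply handling: a naive cache (what ARP itself specifies) beside a guarded one.

Added example, not from the page. ArpGuard models the countermeasures the text discusses:
dropping unsolicited replies, checking protected hosts against a fixed binding, and
alerting on a change of a cached address. Addresses and messages are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str       # the IP address the reply claims to speak for
    sender_mac: str      # the MAC address it asks the receiver to associate with it


class NaiveArpCache:
    """ARP as specified: any reply updates the cache, solicited or not."""

    def __init__(self):
        self.cache = {}

    def handle(self, reply):
        self.cache[reply.sender_ip] = reply.sender_mac
        return "accepted"


@dataclass
class ArpGuard:
    bindings: dict                                  # ip -> MAC for hosts that must not change
    pending: set = field(default_factory=set)       # ips we have sent a request for
    cache: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def send_request(self, ip):
        self.pending.add(ip)

    def handle(self, reply):
        """Return 'accepted' or a 'dropped: ...' reason; may append to self.alerts."""
        expected = self.bindings.get(reply.sender_ip)
        if expected is not None and expected != reply.sender_mac:
            self.alerts.append(f"{reply.sender_ip} claimed by {reply.sender_mac}, "
                               f"binding says {expected}")
            return "dropped: binding mismatch"
        if reply.sender_ip not in self.pending:
            return "dropped: unsolicited reply"
        previous = self.cache.get(reply.sender_ip)
        if previous is not None and previous != reply.sender_mac:
            # Detection: a cached address changed. For the gateway this is the classic sign
            # of poisoning, but it also happens on legitimate hardware replacement.
            self.alerts.append(f"{reply.sender_ip} moved from {previous} to {reply.sender_mac}")
        self.cache[reply.sender_ip] = reply.sender_mac
        self.pending.discard(reply.sender_ip)
        return "accepted"


GATEWAY_IP, GATEWAY_MAC = "10.10.0.1", "00:11:22:33:44:01"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                              # constructed


def poisoning_scenario():
    """Victim resolves the gateway, then an attacker sends an unsolicited spoofed reply.
    Returns what each cache believes the gateway MAC is afterwards and the guard's verdicts."""
    legit = ArpReply(GATEWAY_IP, GATEWAY_MAC)
    spoof = ArpReply(GATEWAY_IP, ATTACKER_MAC)

    naive = NaiveArpCache()
    naive.handle(legit)
    naive.handle(spoof)            # accepted: ARP keeps no state about requests

    guard = ArpGuard(bindings={GATEWAY_IP: GATEWAY_MAC})
    guard.send_request(GATEWAY_IP)
    verdicts = [guard.handle(legit), guard.handle(spoof)]

    return {
        "naive_gateway_mac": naive.cache[GATEWAY_IP],
        "guard_gateway_mac": guard.cache[GATEWAY_IP],
        "guard_verdicts": verdicts,
        "guard_alerts": guard.alerts,
    }


if __name__ == "__main__":
    print(poisoning_scenario())
```

Two practical caveats follow from the model. Unsolicited (gratuitous) ARP is also used legitimately, for duplicate-address detection and for gateway failover, so dropping every unsolicited reply on a host can break those mechanisms; the binding check is the more robust control, which is why on switches it is implemented as dynamic ARP inspection validating replies against DHCP-snooping bindings rather than as blanket filtering. And the "moved" alert is only useful if somebody reads it, so on a campus network host-side detection belongs in a monitored log rather than a pop-up on a student's laptop.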
Issue 3: Switch Spoofing (VLAN hopping attacks)
Virtual LANs (VLANs) are logical partitions of a layer 2 network, created to improve security, performance and cost. Like any physical LAN, each VLAN is an independent broadcast domain with its own IP subnet, so traffic between VLANs must pass through a router (or a layer 3 switch) to reach its destination (Cisco, 2008). Traffic for multiple VLANs can be carried over a single link, called a trunk; trunks are established between switches so that devices in the same VLAN can communicate even when they are attached to different switches.
A trunk carries traffic for every VLAN allowed on it, which creates a serious exposure if a malicious user can convince a switch that their port should operate in trunking mode. Once the port is a trunk, the attacker's machine receives the traffic of all the VLANs carried on it, even though they have no authority or authentication to do so. A sniffing attack can then follow, harvesting account details such as usernames and passwords for use in later attacks (Popeskic, 2012). Consider Cisco Catalyst switches, whose ports are by default in a dynamic trunking mode (dynamic desirable on older platforms, dynamic auto on more recent ones). A port in either dynamic mode negotiates itself into a trunk when it receives a suitable DTP (Dynamic Trunking Protocol) frame. An attacker can trigger this in two ways: by crafting the DTP frames themselves, or by connecting a rogue third-party switch to an access port (Rouiller, 2011).
Switch spoofing attacks stem from configuration weaknesses: the administrators of a network fail to implement the measures needed to prevent illegal access to their network, and their traffic is exposed as a result. The first and most important step is therefore to prevent attacks that use DTP frames. This means taking every access port out of dynamic trunking mode (dynamic desirable or dynamic auto on Cisco switches) by explicitly configuring it as an access port and disabling DTP negotiation on it ("switchport mode access" together with "switchport nonegotiate"). Trunks should then be configured manually on the switches that need them, rather than negotiated dynamically, to rule out spoofing and sniffing through the dynamic process (Cisco press, 2014). A campus network should also adopt a strict approach to network design in which every access port is individually configured with the parameters it needs to operate. Finally, all unused interfaces should be shut down to prevent rogue access ports: networks are frequently entered through idle ports, which in most cases are rarely protected or are configured with outdated settings that expose the entire network (Omnisecu, 2017).
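As an added example (not code from the page or from Cisco), the following models the DTP negotiation behind Issue 3 and turns the hardening steps above into a check that can be run over a running configuration. The negotiate function encodes which peer advertisements make a port in each administrative mode form a trunk; parse_interfaces reads IOS-style interface stanzas; and audit flags every port that a spoofed DTP frame would turn into a trunk, i.e. every port left in a dynamic mode that is neither shut down nor a deliberate trunk. The assumed platform default of dynamic auto for ports with no explicit mode, the interface names and the configuration text are all constructed for the example.

```python
"""Audit of switch interface configuration for DTP-based switch spoofing exposure.

Added example, not code from the page or from Cisco. It models how Cisco DTP negotiation
resolves the administrative port modes and runs that model over a constructed running-config
fragment to flag ports that a spoofed DTP frame could turn into a trunk. The interface names
and the configuration text are made up for the example.
"""
import re

# Peer DTP advertisements that result in a trunk for each local administrative mode.
# A spoofed attacker frame normally claims 'desirable' (or 'trunk').
_TRUNK_IF_PEER_IN = {
    "access": set(),                                  # never trunks, whatever the peer says
    "trunk": {"trunk", "desirable", "auto", None},    # unconditionally a trunk
    "dynamic desirable": {"trunk", "desirable", "auto"},
    "dynamic auto": {"trunk", "desirable"},           # two 'auto' ports stay access
}

# Assumption for the model: the mode of a port that has no explicit 'switchport mode' line.
# Current Catalyst platforms default to dynamic auto; older ones defaulted to dynamic
# desirable, which is even more exposed.
DEFAULT_MODE = "dynamic auto"


def negotiate(local_mode, peer_advertises):
    """Operational mode of a port in local_mode after receiving a DTP frame that claims
    peer_advertises ('trunk', 'desirable' or 'auto'), or no DTP frame at all (None)."""
    return "trunk" if peer_advertises in _TRUNK_IF_PEER_IN[local_mode] else "access"


def parse_interfaces(config_text):
    """Return {interface: {'mode', 'nonegotiate', 'shutdown'}} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^interface (\S+)", raw)
        if header:
            current = header.group(1)
            interfaces[current] = {"mode": DEFAULT_MODE, "nonegotiate": False, "shutdown": False}
            continue
        if not raw.startswith(" "):
            current = None                            # any other top-level line ends the stanza
            continue
        if current is None:
            continue
        line = raw.strip()
        mode = re.match(r"^switchport mode (access|trunk|dynamic (?:auto|desirable))$", line)
        if mode:
            interfaces[current]["mode"] = mode.group(1)
        elif line == "switchport nonegotiate":
            interfaces[current]["nonegotiate"] = True
        elif line == "shutdown":
            interfaces[current]["shutdown"] = True
    return interfaces


def audit(config_text, attacker_claims="desirable"):
    """Return {interface: finding} for every port a spoofed DTP frame would make a trunk."""
    findings = {}
    for name, cfg in parse_interfaces(config_text).items():
        if cfg["shutdown"] or cfg["mode"] == "trunk":
            continue   # admin-down ports negotiate nothing; deliberate trunks are reviewed separately
        peer = None if cfg["nonegotiate"] else attacker_claims   # nonegotiate ignores DTP frames
        if negotiate(cfg["mode"], peer) == "trunk":
            findings[name] = (f"mode '{cfg['mode']}' forms a trunk with a spoofed DTP "
                              f"'{attacker_claims}' frame; set 'switchport mode access' and "
                              "'switchport nonegotiate', or 'shutdown' if unused")
    return findings


# Constructed running-config fragment for the example.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description student lab PC
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description printer (mode left at the platform default)
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description spare
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```

Run against the sample, the audit flags the printer port (which has an access VLAN but inherits the dynamic default mode) and the explicitly dynamic desirable port, and accepts the hardened access port, the shut-down spare and the manually configured trunk. The audit deliberately does not judge the uplink trunk: an attacker who can reach a trunk port has a different problem to exploit, and whether that trunk should exist is a design question rather than a DTP one.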
Campus networks face many significant security threats because of the many components needed to meet their resource requirements. These threats are more pronounced from within the network itself, since internal users are far more familiar with its connections than external users are. When considering security issues such as those affecting LAN switches, then, internal users are the most likely source of the problems. Furthermore, the issues highlighted here most often arise from the naivety and habits of internal users, who remain complacent about the structure and functioning of their systems. A campus administrator may apply every necessary security precaution only to be undone by a single internal user who sets up a rogue access point with their mobile device.
Nevertheless, a strategic and unified plan should be used to set up any campus network. This plan should address all security problems identified through expert assessment and an established risk analysis method. Following a thorough assessment, the users, led by the administrators, should implement advanced security technologies such as firewalls, encryption, and centralised control and management. These technologies must be regularly monitored and updated to keep pace with current security issues. Finally, management should establish a strong system of network security policies, backed by strict implementation and access procedures.
Ali, M., Hossain, M. & Parvez, M. (2015). Design and Implementation of a Secure Campus Network. International Journal of Emerging Technology and Advanced Engineering, 5(7). Retrieved 21 April 2017, from https://www.researchgate.net/file.PostFileLoader.html?id=5712fea193553b52231b9d74&assetKey=AS%3A351697495969793%401460862625372
Andress, M. (2001). Wireless LAN Security. Black Hat Briefings. Retrieved 21 April 2017, from www.blackhat.com/presentations/bh-usa-01/.../bh-usa-01-Mandy-Andress.ppt
Bryner, J. (2006). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. SANS Institute InfoSec Reading Room. Retrieved 21 April 2017, from https://www.sans.org/reading-room/whitepapers/threats/address-resolution-protocol-spoofing-man-in-the-middle-attacks-474
Cisco. (2008). Chapter 3: VLANs. Routing and Switching. Retrieved 21 April 2017, from mars.tekkom.dk/mediawiki/images/e/e8/Sem2-Chapter3.pdf
Cisco. (2009). Understanding, Preventing, and Defending Against Layer 2 Attacks. Bhaji, Cisco. Retrieved 21 April 2017, from https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf
Cisco Press. (2014). Cisco Networking Academy's Introduction to VLANs. Cisco Networking Academy. Retrieved 21 April 2017, from https://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
Omnisecu. (2017). What is Switch Spoofing Attack and How to Prevent Switch Spoofing Attack. CCNA Security. Retrieved 21 April 2017, from https://www.omnisecu.com/ccna-security/what-is-switch-spoofing-attack-how-to-prevent-switch-spoofing-attack.php
Popeskic, V. (2011). MAC Address Flooding: MAC Address Table Overflow Attacks. Security: Layer 2. Retrieved 21 April 2017, from https://howdoesinternetwork.com/2011/mac-address-flooding
Popeskic, V. (2012). VLAN Hopping Attack: Switch Spoofing and Double Tagging. Security: Layer 2. Retrieved 21 April 2017, from https://howdoesinternetwork.com/2012/vlan-hopping-attack
Redscan. (2013). Top Ten Threats to VLAN Security. Retrieved 21 April 2017, from https://www.redscan.com/news/ten-top-threats-to-vlan-security/
Rouiller, S. (2011). Virtual LAN Security: Weaknesses and Countermeasures. GIAC Security Essentials Practical Assignment, 1.4b. Retrieved 21 April 2017, from https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090
Rouse, M. (2017). Campus Network. TechTarget. Retrieved 21 April 2017, from https://searchsdn.techtarget.com/definition/campus-network
Sukkar, G., Saifan, R., Khwaldeh, S., Maqableh, M. & Jafar, I. (2016). Address Resolution Protocol (ARP): Spoofing Attack and Proposed Defense. Communications and Network. Retrieved 21 April 2017, from https://file.scirp.org/pdf/CN_2016071417525253.pdf
Telelink. (2013). MAC Address Spoofing. Assessing Networking Threats, IT Threats. Retrieved 21 April 2017, from https://itsecurity.telelink.com/mac-address-spoofing/
Vyncke, E. (2008). LAN Switch Security: What Hackers Know About Your Switches. A Practical Guide to Hardening Layer 2 Devices and Stopping Campus Network Attacks. Cisco Press. Retrieved 21 April 2017, from https://www.ciscopress.com/store/lan-switch-security-what-hackers-know-about-your-switches-9781587052569
Wu, C. (2010). International Journal of Emerging Technology and Advanced Engineering. International Conference on Industrial and Information Systems. Retrieved 21 April 2017, from https://www.leonsoftsolutions.com/ieeepapers/networking/Network35.pdf