devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Less wiring means greater flexibility, increased efficiency, and reduced wiring costs. Ad hoc networks, such as those enabled by Bluetooth, allow data synchronization with network systems and application sharing between devices. Bluetooth functionality also eliminates cables for printer and other peripheral device connections. Handheld devices such as personal digital assistants (PDA) and cell phones allow remote users to synchronize personal databases and provide access to network services such as e-mail, Web browsing, and Internet access. Moreover, these technologies can offer dramatic cost savings and new capabilities to diverse applications ranging from retail settings to manufacturing shop floors to first responders.
However, risks are inherent in any LAN technology. Some of these risks are similar to those of wired networks; some are exacerbated by LAN connectivity; some are new. Perhaps the most significant source of risk in LAN networks is that the technology's underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with LAN communications. Unauthorized users may gain access to agency systems and information, corrupt the agency's data, consume network bandwidth, degrade network performance, launch attacks that prevent authorize

As described in this document, the risks related to the use of LAN technologies are considerable. Many current communications protocols and commercial products provide inadequate protection and thus present unacceptable risks to agency operations. Agencies must actively address such risks to protect their ability to support essential operations, before deployment of LAN technologies. Furthermore, many organizations poorly administer their LAN technologies. Some examples include deploying equipment with "factory default" settings, failing to control or inventory access points, not implementing the security capabilities provided, and not developing or employing a security architecture suitable to the LAN (e.g., one with firewalls between wired and LAN systems, blocking of unneeded services, and use of strong cryptography).
Specific threats and vulnerabilities to LAN networks and handheld devices include the following:
All the vulnerabilities that exist in a conventional wired network apply to LAN technologies.
Malicious entities may gain unauthorized access to an agency's computer network through LAN connections, bypassing any firewall protections.
Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two LAN devices may be intercepted and disclosed.
DoS attacks may be directed at LAN connections or devices.
Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks.
Sensitive data may be corrupted during improper synchronization.
Malicious entities may be able to violate the privacy of legitimate users and be able to track their movements.
Malicious entities may deploy unauthorized equipment (e.g., client devices and access points) to surreptitiously gain access to sensitive information.
Handheld devices are easily stolen and can reveal sensitive information.
Data may be extracted without detection from improperly configured devices.
Viruses or other malicious code may corrupt data on a LAN device and subsequently be introduced to a wired network connection.
Malicious entities may, through LAN connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
Interlopers, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
Malicious entities may use third-party, untrusted LAN network services to gain access to an agency's or other organization's network resources.
Internal attacks may be possible via ad hoc transmissions.
This proposal provides an overview of LAN networking technologies and LAN handheld devices most commonly used in an office environment and with today's mobile workforce. This proposal seeks to assist agencies in reducing the risks associated with 802.11 wireless local area networks (WLAN), Bluetooth networks, and handheld devices.
Maintaining a secure LAN network and associated devices requires significant effort, resources, and vigilance and involves the following steps:
Maintaining a full understanding of the topology of the LAN network.
Labeling and keeping inventories of the fielded LAN and handheld devices.
Creating backups of data frequently.
Performing periodic security testing and assessment of the LAN network.
Performing ongoing, randomly timed security audits to monitor and track LAN and handheld devices.
Applying patches and security enhancements.
Monitoring the LAN industry for changes to standards that enhance security features and for the release of new products.
Vigilantly monitoring LAN technology for new threats and vulnerabilities.
Agencies should not undertake LAN deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations. Agencies should perform a risk assessment and develop a security policy before purchasing LAN technologies, because their unique security requirements will determine which products should be considered for purchase.
However, mitigating these risks requires considerable tradeoffs between technical solutions and costs. Today, the vendor and standards community is aggressively working toward more robust, open, and secure solutions for the near future. For these reasons, it may be prudent for some agencies to simply wait for these more mature solutions. Agencies should be aware of the technical and security implications of LAN and handheld device technologies.
Agencies should carefully plan the deployment of 802.11, Bluetooth, or any other LAN technology. Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Agencies are more likely to make better security decisions about configuring LAN devices and network infrastructure when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support the inevitable tradeoff decisions between usability, performance, and risk.
Agencies should be aware that security management practices and controls are especially critical to maintaining and operating a secure LAN network.
Appropriate management practices are critical to operating and maintaining a secure LAN network.
Security practices entail the identification of an agency's or organization's information system assets and the development, documentation and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability of information system resources.
To support the security of LAN technology, the following security practices (with some illustrative examples) should be implemented:
Agency-wide information system security policy that addresses the use of 802.11, Bluetooth, and handheld devices.
Security training to raise awareness about the threats and vulnerabilities inherent in the use of LAN technologies (including the fact that robust cryptography is essential to protect the "radio" channel, and that simple theft of equipment is a major concern).
Configuration/change control and management to ensure that equipment (such as access points) has the latest software release that includes security feature enhancements and patches for discovered vulnerabilities.
Standardized configurations to reflect the security policy, to ensure change of default values, and to ensure consistency of operation.
Agencies should be aware that physical controls are especially important in a LAN environment. Agencies should make sure that adequate physical security is in place. Physical security measures, including barriers, access control systems, and guards, are the first line of defense. Agencies must make sure that the proper physical countermeasures are in place to mitigate some of the biggest risks, such as theft of equipment and insertion of rogue access points or LAN network monitoring devices. Agencies must enable, use, and routinely test the inherent security features, such as authentication and encryption, that exist in LAN technologies. In addition, firewalls and other appropriate protection mechanisms should be employed.
LAN technologies generally come with some embedded security features, although frequently many of the features are disabled by default. As with many newer technologies (and some mature ones), the security features available may not be as comprehensive or robust as necessary. Because the security features provided in some LAN products may be weak, to attain the highest levels of integrity, authentication, and confidentiality, agencies should carefully consider the deployment of robust, proven, and well-developed and implemented cryptography.
NIST strongly recommends that the built-in security features of Bluetooth or 802.11 (data link level encryption and authentication protocols) be used as part of an overall defense-in-depth strategy. Although these protection mechanisms have weaknesses described in this publication, they can provide a degree of protection against unauthorized disclosure, unauthorized network access, and other active probing attacks.
However, the Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, is mandatory and binding for federal agencies that have determined that certain information be protected via cryptographic means. As currently defined, the security of neither 802.11 nor Bluetooth meets the FIPS 140-2 standard.
In the above-mentioned instances, it will be necessary to employ higher level cryptographic protocols and applications such as secure shell (SSH), Transport-Level Security (TLS) or Internet Protocol Security (IPsec) with FIPS 140-2 validated cryptographic modules and associated algorithms to protect that information, regardless of whether the nonvalidated data link security protocols are used.
NIST expects that future 802.11 (and possibly other LAN technologies) products will offer Advanced Encryption Standard (AES)-based data link level cryptographic services that are validated under FIPS 140-2. As these will mitigate most concerns about LAN eavesdropping or active LAN attacks, their use is strongly recommended when they become available. However, it must be recognized that a data link level LAN protocol protects only the LAN subnetwork. Where traffic traverses other network segments, including wired segments or the agency or Internet backbone, higher-level FIPS-validated, end-to-end cryptographic protection may also be required.
Finally, even when federally approved cryptography is used, additional countermeasures such as strategically locating access points, ensuring firewall filtering, and blocking and installation of antivirus software are typically necessary. Agencies must be fully aware of the residual risk following the application of cryptography and all security countermeasures in the LAN deployment.
LAN technologies have become increasingly popular in our everyday business and personal lives. Personal digital assistants (PDA) allow individuals to access calendars, e-mail, address and phone number lists, and the Internet. Some technologies even offer global positioning system (GPS) capabilities that can pinpoint the location of the device anywhere in the world. LAN technologies promise to offer even more features and functions in the next few years.
An increasing number of government agencies, businesses, and home users are using, or considering using, LAN technologies in their environments. Agencies should be aware of the security risks associated with LAN technologies. Agencies need to develop strategies that will mitigate risks as they integrate LAN technologies into their computing environments. This document discusses certain LAN technologies, outlines the associated risks, and offers guidance for mitigating those risks.
Authority
Guidelines in this document are for federal agencies that process sensitive information. They are consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the OMB, or any other federal official.
Document Purpose and Scope
The purpose of this document is to provide agencies with guidance for establishing secure LAN networks. Agencies are encouraged to tailor the recommended guidelines and solutions to meet their specific security or business requirements. The document addresses two LAN technologies that government agencies are most likely to employ: wireless local area networks (WLAN) and ad hoc or, more specifically, Bluetooth networks. The document also addresses the use of LAN handheld devices. The document does not address radio technologies and other WLAN standards that are not designed to the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. These technologies are out of the scope of this document.
LAN technologies are changing rapidly. New products and features are being introduced continuously. Many of these products now offer security features designed to resolve long-standing weaknesses or address newly discovered ones. Yet with each new capability, a new threat or vulnerability is likely to arise. LAN technologies are evolving swiftly. Therefore, it is essential to remain abreast of the current and emerging trends in the technologies and in the security or insecurities of these technologies. Again, this guideline does not cover security of other types of LAN or emerging LAN technologies such as third-generation (3G) telephony.
Audience and Assumptions
This document covers details specific to LAN technologies and solutions. The document is technical in nature; however, it provides the necessary background to fully understand the topics that are discussed. Hence, the following list highlights how people with differing backgrounds might use this document. The intended audience is varied and includes the following:
Government managers who are planning to employ LAN networked computing devices in their agencies (chief information officers, senior managers, etc.)
Systems engineers and architects when designing and implementing networks
System administrators when administering, patching, securing, or upgrading LAN networks
Security consultants when performing security assessments to determine security postures of LAN environments
Researchers and analysts who are trying to understand the underlying LAN technologies.
This document assumes that the readers have some minimal operating system, networking, and security expertise. Because of the constantly changing nature of the LAN security industry and the threats and vulnerabilities to these technologies, readers are strongly encouraged to take advantage of other resources (including those listed in this document) for more current and detailed information.
VLAN hopping: VLAN hopping is a network attack whereby an end system sends out packets destined for a system on a different VLAN that cannot normally be reached by the end system. This traffic is tagged with a VLAN ID other than the one the end system belongs to. Alternatively, the attacking system may try to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between other VLANs.
Security Through Obscurity: MAC Address
MAC filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP address. One can deny or allow a MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN networks and devices. Is this technique effective? Personally, I do not use or recommend MAC address based filtering. A MAC address can be easily spoofed under each and every operating system out there. So I was wondering why anybody would want to use MAC-based filtering. You can easily filter IPv4 or IPv6 addresses instead. My formula is as follows to filter and control bad stuff:
For Servers:
1. Throttle network connections using firewall, operating system control mechanisms, and applications control mechanisms.
2. Set connection rate per IP, do not allow unlimited access to any public service.
3. Drop abusing netblocks at router / edge level.
4. Drop bad IPs using Iptables / pf firewall. Use DMZ if required. Use proxy layer if required.
5. Disable unwanted services.
6. Monitor public services using open source tools, IPS and/or custom scripts.
7. Default policy deny all & open required ports, least privilege policy for all applications, users and anything that can communicate over network.
For LAN networks and Desktops
1. Always use WPA / WPA2 with TKIP or AES encryption and a strong passphrase.
2. Change your passphrase every month.
3. Disable UPnP.
4. Disable your LAN router's remote management and ssh / telnet port features.
5. Turn on the firewall, port scan protection, and DoS protection.
6. Windows / Mac OS X users should always use an antivirus, firewall / internet security suite. Keep your operating system and virus databases up to date at all times.
7. Use VPN or SSH while communicating with Linux / Windows servers.
8. Use the secure SMTP, IMAP or POP3 versions for email communication. Most ISPs and free services such as Gmail support secure versions of the email protocols.
Personally, if I found anyone breaking the security policies, I would warn them. In some cases I recommend firing them. I don't care if it is a small breach or anything else. If you are willing to break the IT security policies, why should you be trusted? Hire a third party or consultant to evaluate your current security policy.
The network security measures at the data link layer are complementary to the network layer (IPsec) measures and provide extra protection for the network and its users, especially in the case of wireless LANs. The following table gives a feature comparison of network security at the data link layer and the network layer.
Network Security at the Data Link Layer (Layer 2) of LAN
Every layer of communication has its own unique security challenges. The data link layer (layer 2) is a weak link in terms of security. Network security should be addressed at multiple layers to cover different vulnerabilities. We focus on the security issues related to wired local area networks. Switches are key components of layer 2 communications and they are also used for layer 3 communications. They are susceptible to many of the same layer 3 attacks as routers, as well as many unique network attacks, which include:
Content-Addressable Memory (CAM) table overflow: The CAM table in a switch contains information such as the MAC addresses available on a given physical port of a switch, as well as the associated VLAN parameters. CAM tables are limited in size. Typically a network intruder will flood the switch with a large number of invalid-source MAC addresses until the CAM table fills up. When that occurs the switch will flood all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table. CAM table overflow only floods traffic within the local VLAN, so the intruder will see only traffic within the local VLAN to which he or she is connected.
Spanning-Tree Protocol manipulation: Spanning-Tree Protocol is used in switched networks to prevent the creation of bridging loops in an Ethernet network topology. By attacking the Spanning-Tree Protocol, the network attacker hopes to spoof his or her system as the root bridge in the topology. To do this the network attacker broadcasts out Spanning-Tree Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to force spanning-tree recalculations. The BPDUs sent out by the network attacker's system announce that the attacking system has a lower bridge priority. If successful, the network attacker can see a variety of frames.
Media Access Control (MAC) Address spoofing: MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the other host's source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
Address Resolution Protocol (ARP) attack: ARP is used to map IP addresses to MAC addresses in a local area network segment where hosts of the same subnet reside. An ARP attack happens when someone tries to change the ARP table of MAC and IP address information without authorization. By doing so, an attacker can spoof a MAC or IP address to launch the following two types of attacks: Denial of Service and Man-In-The-Middle attacks.
Private VLAN: Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the network security of private VLANs involves the use of a proxy to bypass access restrictions to a private VLAN.
DHCP starvation: A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource starvation attack, just like a SYN flood. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network.
Mitigations of LAN Security Risks
The CAM table-overflow attack can be mitigated by configuring port security on the switch. This option provides for either the specification of the MAC addresses on a particular switch port or the specification of the number of MAC addresses that can be learned by a switch port. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port.
Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly turning off DTP on those ports. To mitigate Spanning-Tree Protocol manipulation, use the root guard and the BPDU guard enhancement commands to enforce the placement of the root bridge in the network as well as enforce the Spanning-Tree Protocol domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the network.
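The VLAN hopping description above names two signs a defender can look for on a port that policy says is an access port: frames that carry an 802.1Q tag, and DTP frames trying to negotiate a trunk. The following detector is an added example, not code from the original page; it parses raw Ethernet frames, peels 802.1Q tags (also flagging double tagging, a generalization of the single-tag case the text describes), and recognizes DTP by its Cisco multicast destination and SNAP protocol ID. Port names, MAC addresses and the captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
CISCO_PROTO_MAC = bytes.fromhex("01000ccccccc")  # destination used by DTP (also CDP/VTP)
SNAP_OUI_CISCO = b"\x00\x00\x0c"
DTP_SNAP_PID = 0x2004

@dataclass
class FrameInfo:
    src: str
    vlan_tags: list      # 802.1Q VLAN IDs, outermost first
    is_dtp: bool

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> FrameInfo:
    """Walk the Ethernet header, peel every 802.1Q tag, and detect DTP over LLC/SNAP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype != TPID_8021Q:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        off += 4
    is_dtp = False
    # A length field (<= 1500) means 802.3/LLC follows; DTP is SNAP OUI 00:00:0c, PID 0x2004.
    if dst == CISCO_PROTO_MAC and etype <= 1500:
        llc = frame[off + 2:off + 10]           # DSAP, SSAP, CTRL, OUI(3), PID(2)
        if (len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03" and llc[3:6] == SNAP_OUI_CISCO
                and struct.unpack("!H", llc[6:8])[0] == DTP_SNAP_PID):
            is_dtp = True
    return FrameInfo(_mac(src), tags, is_dtp)

def audit_access_ports(port_roles: dict, captures: list) -> list:
    """Return (port, finding) pairs for frames that should never arrive on an access port."""
    findings = []
    for port, frame in captures:
        if port_roles.get(port) != "access":
            continue
        info = parse_frame(frame)
        if len(info.vlan_tags) >= 2:
            findings.append((port, f"double-tagged frame from {info.src}: vlans {info.vlan_tags}"))
        elif info.vlan_tags:
            findings.append((port, f"tagged frame from {info.src}: vlan {info.vlan_tags[0]}"))
        if info.is_dtp:
            findings.append((port, f"DTP negotiation frame from {info.src}"))
    return findings

# --- constructed sample frames (not real captures) ---
def _tagged(dst, src, vlans, etype=0x0800):
    hdr = dst + src
    for v in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, v)
    return hdr + struct.pack("!H", etype) + bytes(46)

def _dtp(src):
    llc = b"\xaa\xaa\x03" + SNAP_OUI_CISCO + struct.pack("!H", DTP_SNAP_PID) + bytes(40)
    return CISCO_PROTO_MAC + src + struct.pack("!H", len(llc)) + llc

def sample_audit() -> list:
    host_a, host_b = bytes.fromhex("0000000000aa"), bytes.fromhex("0000000000bb")
    bcast = b"\xff" * 6
    roles = {"Gi1/0/1": "access", "Gi1/0/2": "access", "Gi1/0/24": "trunk"}  # hypothetical
    captures = [
        ("Gi1/0/1", _tagged(bcast, host_a, [])),        # plain untagged frame: fine
        ("Gi1/0/2", _tagged(bcast, host_b, [10, 20])),  # double tag on an access port
        ("Gi1/0/2", _dtp(host_b)),                      # trunk negotiation attempt
        ("Gi1/0/24", _tagged(bcast, host_a, [10])),     # tagged frame on a trunk: expected
    ]
    return audit_access_ports(roles, captures)
```

Turning DTP off on user ports (nonegotiate) removes the second finding at the source; the detector is for spotting ports where that step was missed.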
The Spanning-Tree Protocol BPDU guard is designed to allow network designers to keep the active network topology predictable. While BPDU guard may seem unnecessary given that the administrator can set the bridge priority to zero, there is still no guarantee that it will be elected as the root bridge because there might be a bridge with priority zero and a lower bridge ID. BPDU guard is best deployed towards user-facing ports to prevent rogue switch network extensions by an attacker.
Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port. The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache.
Configure access control lists (ACLs) on the router port to mitigate private VLAN attacks. Virtual ACLs can also be used to help mitigate the effects of private VLAN attacks.
The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. As RFC 3118, Authentication for DHCP Messages, is implemented, DHCP starvation attacks will become more difficult.
In addition, IEEE 802.1X, a standard for passing the Extensible Authentication Protocol (EAP) framework over a wired or LAN network, acts as a gatekeeper for basic network access at the data link layer. By denying access to the network before authentication is successful, 802.1X can prevent many attacks against network infrastructure that depend on having basic IP connectivity. Originally written to be used within the Point-to-Point Protocol (PPP) of dial-up and remote access networks, 802.1X allows EAP to be used within the context of LANs, including wireless LANs.
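The CAM table overflow, MAC spoofing and DHCP starvation mitigations above all rest on the same per-port limit on learned source MACs. The model below is an added example, not code from the page: a single-VLAN learning switch with a fixed-size CAM table, run once without and once with a port-security limit, so the reader can see why a full table turns unicast into flooding, why one spoofed frame moves a CAM entry, and how the limit and its shutdown action stop both. Port names, MAC addresses and the table size are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    name: str
    max_macs: Optional[int] = None   # None = port security disabled on this port
    violation: str = "shutdown"      # action on violation: "shutdown" or "restrict"
    secure_macs: set = field(default_factory=set)   # sticky learned MACs
    shutdown: bool = False
    violations: int = 0

class Switch:
    """Single-VLAN learning switch with a fixed-size CAM table (simulation only)."""
    def __init__(self, ports, cam_capacity):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                 # source MAC -> port that last sent it
        self.capacity = cam_capacity

    def age_out(self):
        """Simulate the CAM aging timer expiring: all learned entries are forgotten."""
        self.cam.clear()

    def receive(self, port_name, src, dst):
        """Process one frame and return the egress decision: a port name, 'flood:...',
        'violation' or 'dropped'."""
        port = self.ports[port_name]
        if port.shutdown:
            return "dropped"
        # Port security: only max_macs distinct (sticky) source MACs are accepted.
        if port.max_macs is not None and src not in port.secure_macs:
            if len(port.secure_macs) >= port.max_macs:
                port.violations += 1
                if port.violation == "shutdown":
                    port.shutdown = True
                return "violation"
            port.secure_macs.add(src)
        # Learning: a full CAM table simply cannot learn a new source address.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = port_name
        # Forwarding: an unknown destination is flooded to every other port.
        out = self.cam.get(dst)
        if out is None:
            return "flood:" + ",".join(sorted(p for p in self.ports if p != port_name))
        return out

A_MAC, B_MAC, BAD_MAC = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:03"
BCAST = "ff:ff:ff:ff:ff:ff"

def cam_overflow_scenario(port_security: bool) -> dict:
    """Port 3 floods bogus sources after aging; then A (port 1) sends to B (port 2)."""
    limit = 2 if port_security else None
    sw = Switch([Port("p1"), Port("p2"), Port("p3", max_macs=limit)], cam_capacity=64)
    sw.receive("p1", A_MAC, B_MAC); sw.receive("p2", B_MAC, A_MAC)   # normal learning
    sw.age_out()                                                     # entries expire
    sw.receive("p3", BAD_MAC, BCAST)                                 # port 3's own MAC
    for i in range(200):                                             # constructed flood
        sw.receive("p3", f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", BCAST)
    sw.receive("p2", B_MAC, A_MAC)      # B speaks first: can the switch still learn it?
    return {"a_to_b": sw.receive("p1", A_MAC, B_MAC),
            "p3_shutdown": sw.ports["p3"].shutdown,
            "cam_entries": len(sw.cam)}

def mac_spoof_scenario(port_security: bool) -> dict:
    """Port 3 sends one frame carrying A's source MAC to hijack A's CAM entry."""
    limit = 1 if port_security else None
    sw = Switch([Port("p1"), Port("p2"), Port("p3", max_macs=limit)], cam_capacity=64)
    sw.receive("p1", A_MAC, B_MAC); sw.receive("p2", B_MAC, A_MAC)
    sw.receive("p3", BAD_MAC, B_MAC)            # port 3's real MAC becomes its sticky MAC
    spoof = sw.receive("p3", A_MAC, B_MAC)      # spoofed source address
    return {"spoof_result": spoof,
            "b_to_a_egress": sw.receive("p2", B_MAC, A_MAC)}   # where does B's reply go?
```

Without the limit, A's traffic to B is flooded out of port 3 and B's reply to A is delivered to port 3; with `max_macs` set, the second bogus source (or the first spoofed one) shuts the port down and the CAM table stays usable for legitimate hosts.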
Although these technologies offer significant benefits, they also provide unique security challenges over their wired counterparts. The coupling of the relative immaturity of the technology with poor security standards, flawed implementations, limited user awareness, and lax security and administrative practices forms an especially challenging combination. In a LAN environment, data is broadcast through the air and organizations do not have physical controls over the boundaries of transmissions or the ability to use the controls typically available with wired connections. As a result, data may be captured when it is broadcast. Because of differences in building construction, LAN frequencies and attenuation, and the capabilities of high-gain antennas, the distances necessary for positive control for LAN technologies to prevent eavesdropping can vary considerably. The safe distance can vary up to kilometers, even when the nominal or claimed operating range of the LAN device is less than a hundred meters.