Managing Network Security

Switching Your Infrastructure

by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

A Hub of Activity

In a recent protection assessment, I encountered a series of sites that used hubs as their predominant internal Ethernet infrastructure element. Over the first hour or so I collected packets using Ethereal, a free packet sniffer downloaded from the Internet. Here is what I found:

My recommendation was simple: change from hubs to switches immediately. The cost of the change was about $10 per computer, installed. Even at $100 per computer it would be a great bargain.

Air Adored LAN

When I got my first wireless card and got it functional on our bootable Linux CD, one of the first things I wanted to do was go war driving. It is now a common practice in my security assessments to walk around the place looking for wireless LANs. One of my colleagues has a Palm computer with a wireless card in it, so we can be more or less covert when walking into buildings. Go to the bathroom and scan for a LAN.

I wish I could explain how hard it is to attack an infrastructure with wireless. You turn on your computer, run the sniffer, and start picking up traffic. Are they using WEP encryption? No problem. Run the WEP encryption cracker. Then, go back to the first section of this month's article and proceed from there.

I adore wireless. I use it all the time. It makes it really easy to get to the Internet almost anywhere I go. Now, if I could only figure out whom to send a payment to in order to reimburse the folks whose infrastructures I am riding on... OK - I admit it - I don't actually use other people's infrastructures for this purpose - except when I am testing it for them. But of course the bad guys don't have this morality problem.

Go ahead and deny it!

Problem 3 for this month. Switches and wireless are really easy to mount denial of service attacks against. So if you don't let me sniff and I am a bad guy, I can deny service pretty easily.

For switches, denial of service is easily created by listening for Address Resolution Protocol (ARP) requests and answering them repeatedly. Because most switches remember the port that last used a given MAC address when deciding where to forward frames, you can easily overwhelm the switch and cause all traffic to come to your port. This also redirects traffic destined for other ports toward yours and tells the gateway a wrong ARP address for the computers it would otherwise talk to. If you are fast enough, this gateway attack works on hubs as well.

For wireless, the same basic trick as I described for hubs works, but there are also a lot of other wireless denial of service attacks. For example, you can pretty easily get the Wireless Access Point (WAP) to spend several seconds adjusting its settings, and then make it do so again and again.

OK - That Hurt

Sorry about that, folks. I just told you that switches and hubs are both fatally flawed. With hubs you get sniffing of traffic, and with switches you get denial of service. Wireless has both faults - you can be sniffed and service can easily be denied.

Can it get any worse? Sure it can. But what's the difference at this point? If I can sniff traffic or deny service, which is better for you? The answer lies in the response. With a switched infrastructure, assuming you bought the right switches, you can disable ports that are acting badly, if you can find them. So the response starts with tracking the source of the problem to a physical entry point. Of course, once I have done that, it might be a good idea to send someone large to secure the evidence, but you can simply cut off the traffic if you want it to happen again at the next port...

With hubs you are in a bit of a quandary in the response realm. Essentially, you need to go to the hub and look at the lights to figure out which port is being used for what. If the traffic is not high volume or you cannot associate it with the attack, you need to start pulling out one wire after another to determine which is the bad one. This is, of course, a giveaway to the attacker, assuming they are smart enough to tell the difference right away. With wireless you will need a radio strength meter to start trying to track down all the transmitters...
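The response the column recommends for switches, tracking bad ARP behaviour back to a physical port and disabling it, can be automated at the monitoring station. The following is an added example written for this page, not code from the column or its author. It reads constructed ARP reply records of the form (time, switch port, sender IP, sender MAC), raises an alert when an IP other than the baseline answers for the gateway (the "wrong ARP address for the gateway" case above) or when one port sources an implausible number of MAC addresses (the table-overwhelming case), and names the ports an operator would shut. The gateway address, port names, the baseline-is-first-seen rule and the flood threshold are all assumptions made for the example.

```python
"""Added example: turn the ARP misbehaviour described above into port-level alerts.

Assumptions (not from the column): the monitor already knows which switch port
each ARP reply arrived on (e.g. from a port-mirror feed plus the switch's MAC
table), the gateway IP is 10.0.0.1, and the first MAC seen for the gateway is
the trusted baseline. In practice seed the baseline from documentation instead.
"""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"          # assumption for the example
FLOOD_THRESHOLD = 5              # distinct MACs per access port before alerting (assumption)

# Constructed sample observations: (seconds, ingress port, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (0.00, "gi0/1", "10.0.0.1",   "00:11:22:33:44:01"),  # real gateway, baseline
    (0.10, "gi0/5", "10.0.0.20",  "00:11:22:33:44:20"),  # ordinary host
    (0.20, "gi0/5", "10.0.0.20",  "00:11:22:33:44:20"),  # same binding again, harmless
    (1.00, "gi0/7", "10.0.0.1",   "de:ad:be:ef:00:01"),  # another MAC answering for the gateway
    (1.50, "gi0/7", "10.0.0.1",   "de:ad:be:ef:00:01"),  # repeated, same offender
    (2.00, "gi0/9", "10.0.0.101", "02:00:00:00:00:01"),  # one port, many MACs
    (2.01, "gi0/9", "10.0.0.102", "02:00:00:00:00:02"),
    (2.02, "gi0/9", "10.0.0.103", "02:00:00:00:00:03"),
    (2.03, "gi0/9", "10.0.0.104", "02:00:00:00:00:04"),
    (2.04, "gi0/9", "10.0.0.105", "02:00:00:00:00:05"),
    (2.05, "gi0/9", "10.0.0.106", "02:00:00:00:00:06"),
]


def gateway_alerts(replies, gateway_ip=GATEWAY_IP):
    """One alert per (port, MAC) that answers for the gateway with a non-baseline MAC."""
    baseline = None
    reported = set()
    alerts = []
    for ts, port, ip, mac in replies:
        if ip != gateway_ip:
            continue
        if baseline is None:          # first reply for the gateway defines the baseline
            baseline = mac
            continue
        if mac != baseline and (port, mac) not in reported:
            reported.add((port, mac))
            alerts.append({"time": ts, "port": port, "mac": mac,
                           "reason": f"{ip} answered by {mac}, baseline is {baseline}"})
    return alerts


def macs_per_port(replies):
    """Map each ingress port to the set of source MACs seen on it."""
    table = defaultdict(set)
    for _, port, _, mac in replies:
        table[port].add(mac)
    return table


def flood_alerts(replies, threshold=FLOOD_THRESHOLD):
    """Ports sourcing at least `threshold` distinct MACs, sorted by port name."""
    return [{"port": port, "mac_count": len(macs),
             "reason": f"{len(macs)} distinct MACs from one port"}
            for port, macs in sorted(macs_per_port(replies).items())
            if len(macs) >= threshold]


def ports_to_disable(replies, gateway_ip=GATEWAY_IP, threshold=FLOOD_THRESHOLD):
    """Union of ports named by either detector; what the operator would shut down."""
    ports = {a["port"] for a in gateway_alerts(replies, gateway_ip)}
    ports |= {a["port"] for a in flood_alerts(replies, threshold)}
    return sorted(ports)


if __name__ == "__main__":
    for alert in gateway_alerts(SAMPLE_ARP_REPLIES) + flood_alerts(SAMPLE_ARP_REPLIES):
        print(alert)
    print("ports to disable:", ports_to_disable(SAMPLE_ARP_REPLIES))
```

The MAC-count rule only makes sense on access ports; an uplink or trunk port legitimately carries many source MACs, so exclude those ports from the flood check before acting on its output. The gateway rule is the more reliable of the two, since a single non-baseline answer for the gateway IP is already actionable.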

My Advice

I have long used and liked hubs. They are an excellent technology for doing what I often want to do with networks. But realistically, allowing others to sniff all the traffic between systems from wherever they are in your infrastructure is an unnecessary and potentially costly risk. I know that you can use cryptography to defeat a lot of the sniffing attacks, but it is a poor solution that replaces a simple hardware upgrade with a hard-to-manage, complex infrastructure that depends on the interactions of many pieces of software.

Go to switches - run to switches. They will make the sniffing technology more or less obsolete. I know that they make some sorts of diagnosis a bit harder, but get the good ones and pay an extra few dollars per computer for the ability to track problems and create virtual LANs (VLANs) when needed. It is a good deal - trust me.

Switch your infrastructure. It is inexpensive, simple to do, has almost no effect on normal operations, and it virtually eliminates one of the most common and simplest attacks available to the bad guys today.

About The Author:

Fred Cohen is helping clients meet their information protection needs at Fred Cohen & Associates and Security Posture and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting