Source: Network Security - University of Balochistan, csit.uob.edu.pk/images/web/staff/lecture/doc-6.2015-6-18.No-44.pdf (6/18/2015)

Network Security

Dr. Ihsan Ullah

Department of Computer Science & IT, University of Balochistan, Quetta

Pakistan

June 18, 2015

1 / 19


ARP (Address resolution protocol) poisoning

ARP is used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41)

Hosts on the same network must know each other's MAC addresses before they can send and receive packets using IP addresses

Hosts build ARP tables by sending ARP requests and replies to each other


Normal ARP operation

Every host on a network builds an ARP table

Entry of 10.0.0.1 into ARP table at gateway router


Normal ARP operation

Suppose the gateway (router) receives a packet addressed to an internal host (10.0.0.1)

It sends an ARP request to every host on the LAN asking if they have that IP address

Only the host that has the requested IP address responds. All other hosts ignore the request

Here, host A responds with an ARP reply that contains its physical/MAC address (A1-A1-A1-A1-A1-A1)

The switch records the MAC addresses of the gateway and Host A, as well as their respective port numbers

The gateway receives the ARP reply and records Host A's IP address and corresponding MAC address


Normal ARP operation

After adding the MAC address entry into its ARP table for host A, the gateway can forward all packets addressed to 10.0.0.1

The switch looks only at the MAC address as the packet is passed from the gateway to Host A

Other hosts on the LAN cannot see any packets addressed to Host A


ARP Spoofing

ARP requests and replies do not require authentication or verification

All hosts trust all ARP replies

ARP spoofing uses false ARP replies to map any IP address to any MAC address

Spoofed ARP replies are broadcast to other hosts on the LAN

This allows an attacker to manipulate ARP tables on all LAN hosts


ARP poisoning

ARP poisoning can be used to reroute traffic for a MITM (Man-in-the-Middle) attack

The attacker begins the attack by sending a continuous stream of unsolicited ARP replies to all hosts on the LAN except the gateway

Tells other hosts on the LAN that the gateway (10.0.0.4) is now at C3-C3-C3-C3-C3-C3

Hosts on the LAN record the false ARP reply in their ARP tables

Any packets they wish to send to the gateway will be addressed to 10.0.0.4 at C3-C3-C3-C3-C3-C3

Since the switch only looks at MAC addresses, it cannot identify the incorrect ARP resolution being pushed out to all other hosts

After intercepting the message, the attacker reroutes traffic to the gateway


ARP poisoning

To poison the gateway, the attacker sends a continuous stream of spoofed ARP replies to the gateway telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3

The gateway records all internal IP addresses (10.0.0.1, 10.0.0.2, and 10.0.0.3) and the same MAC address (C3-C3-C3-C3-C3-C3) in its ARP table

Any packet the gateway receives will be forwarded to the attacker

The attacker redirects the traffic it intercepts

To launch this attack, the attacker must have access to the local network and must also send a continuous stream of spoofed ARP replies to keep the other hosts' ARP tables from self-correcting


ARP DoS attack

A minor modification of the attack stops all traffic on the local network

The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5

Hosts record the gateway's IP address and the nonexistent MAC address

Packets addressed to E5-E5-E5-E5-E5-E5 are dropped by the switch since the MAC address does not exist
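The three patterns on the ARP spoofing, ARP poisoning and ARP DoS slides (unsolicited replies, one MAC claiming several IPs, and a gateway binding that suddenly changes) are all visible to a passive monitor on the LAN, which is how tools such as arpwatch detect them. The following Python program is an added example, not code from the lecture: it parses raw Ethernet/ARP frames, mirrors the table a host would learn, and raises an alert for each pattern. The frames it feeds itself are constructed in memory (nothing is put on a wire); the host and attacker addresses are taken from the slides, and the gateway MAC 44-44-44-44-44-44 is an assumed value the slides do not give.

```python
"""Added example (not from the lecture): an arpwatch-style ARP watchdog.
Parses Ethernet/ARP frames, learns IP->MAC bindings from replies and alerts on
  * a known IP silently changing MAC (gateway hijack for MITM or DoS),
  * one MAC claiming many IPs (poisoning the gateway's table),
  * replies that answer no outstanding request (unsolicited replies).
All frames are constructed for the demo; addresses mirror the slides.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


def build_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed test input only: one Ethernet II frame carrying one ARP message."""
    mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac("FF-FF-FF-FF-FF-FF") if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


class ArpWatch:
    """Passive monitor: mirrors what hosts learn and flags suspicious changes."""

    def __init__(self, gateway_ip: str, max_ips_per_mac: int = 1):
        self.gateway_ip = gateway_ip
        self.max_ips_per_mac = max_ips_per_mac
        self.table: Dict[str, str] = {}                 # ip -> mac, as a host would learn it
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        self.pending: Set[str] = set()                  # IPs with a request still outstanding
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        p = parse_arp(frame)
        if p is None:
            return []
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
            return []
        ip, mac, found = p["spa"], p["sha"], []
        if ip not in self.pending:                      # nobody asked: unsolicited reply
            found.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:              # binding moved to another MAC
            tag = "GATEWAY " if ip == self.gateway_ip else ""
            found.append(f"{tag}binding changed: {ip} {old} -> {mac}")
            self.ips_by_mac[old].discard(ip)
        self.table[ip] = mac
        before = len(self.ips_by_mac[mac])
        self.ips_by_mac[mac].add(ip)
        if before <= self.max_ips_per_mac < len(self.ips_by_mac[mac]):  # alert once on crossing
            found.append(f"one MAC claims many IPs: {mac} -> {sorted(self.ips_by_mac[mac])}")
        self.alerts.extend(found)
        return found


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Replay the lecture's scenario: normal resolution, gateway poisoning, then the DoS variant."""
    gw, host_a = "44-44-44-44-44-44", "A1-A1-A1-A1-A1-A1"   # gateway MAC is an assumed value
    attacker, ghost = "C3-C3-C3-C3-C3-C3", "E5-E5-E5-E5-E5-E5"
    w = ArpWatch(gateway_ip="10.0.0.4")
    # Normal operation (slides 3-5): request/reply pairs, nothing to flag.
    w.observe(build_frame(ARP_REQUEST, gw, "10.0.0.4", "00-00-00-00-00-00", "10.0.0.1"))
    w.observe(build_frame(ARP_REPLY, host_a, "10.0.0.1", gw, "10.0.0.4"))
    w.observe(build_frame(ARP_REQUEST, host_a, "10.0.0.1", "00-00-00-00-00-00", "10.0.0.4"))
    w.observe(build_frame(ARP_REPLY, gw, "10.0.0.4", host_a, "10.0.0.1"))
    # Slide 9: unsolicited replies claim every internal host is at C3.
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        w.observe(build_frame(ARP_REPLY, attacker, ip, gw, "10.0.0.4"))
    # Slide 10: the gateway is claimed at a MAC that does not exist.
    w.observe(build_frame(ARP_REPLY, ghost, "10.0.0.4", host_a, "10.0.0.1"))
    return w.table, w.alerts


if __name__ == "__main__":
    table, alerts = demo()
    print("learned table:", table)
    print("\n".join(alerts))
```

The "one MAC claims many IPs" check is what exposes the slide-9 gateway poisoning, because a legitimate LAN rarely has one interface answering for several addresses; the "GATEWAY binding changed" alert is the slide-7 hijack and the slide-10 DoS seen from the defender's side. On a real network the same logic would be fed from a packet capture of the ARP ethertype rather than from constructed frames, and a router or host with proxy ARP configured would need a higher max_ips_per_mac to avoid false positives.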


Preventing ARP poisoning

Static tables

ARP poisoning can be prevented by using static IP tables and static ARP tables

Static ARP tables are manually set and cannot be dynamically updated using ARP

Difficult to manage

Limit local access

Another way of preventing ARP poisoning is to limit access to the local network

Controlling network access


Network access control

LANs can be both wired and wireless; most often wireless LANs are connected to wired LANs

The wireless client communicates by radio with a wireless access point, which in turn connects via 4-pair UTP to an Ethernet switch


Access control threats

Traditionally, Ethernet LANs offered no access control security

Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer

The intruder would then have unrestricted access to the LAN's computers, bypassing the site's border firewall

A complete breakdown in access control

Even deeper access threats in wireless LANs

Once intruders gain access, they can use a packet sniffer to intercept and read legitimate traffic


Ethernet security

802.1X security

802.1X makes the Ethernet workgroup switch the gateway to the network

The user's computer connects to a specific port on the workgroup switch

That port is the real point of access control

The name of the 802.1X standard is Port-Based Access Control


802.1X security

When the computer first connects, the port is in an unauthorized state

It will not permit the user to communicate over the network

The port remains unauthorized until the computer authenticates itself

After authentication, the port changes to the authorized state, and the computer gets access to the network

So as not to burden the switch, switches rely on a central authentication server

This server has the credentials-checking authentication data and the processing power


RADIUS and EAP

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service

802.1X relies on Extensible Authentication Protocol (EAP) to govern the specifics of authentication interactions
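The port state machine on the 802.1X slides (unauthorized until the computer authenticates, the switch delegating the credential check to a central RADIUS-style server) can be modelled in a few dozen lines. The program below is an added example and not code from the lecture: it plays the three 802.1X roles, the supplicant (user's computer), the authenticator (a switch port) and the authentication server. The `EAPOL:user:password` text message and the `Access-Accept`/`Access-Reject` strings are stand-ins for real EAP and RADIUS framing, the user database is constructed, and real EAP methods do not carry a cleartext password the way this toy does.

```python
"""Added example (not from the lecture): a simplified 802.1X port-based access
control model. The switch port starts UNAUTHORIZED and drops every frame except
the authentication exchange, which it relays to a central server; only an
Access-Accept from that server moves the port to AUTHORIZED.
Message formats are toy stand-ins for EAP/RADIUS; credentials are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


class AuthServer:
    """Central authentication server: holds the credential-checking data (slide 18)."""

    def __init__(self, users: Dict[str, str]):
        # Keep only salted PBKDF2 hashes; the server never stores the password itself.
        self._db: Dict[str, Tuple[bytes, bytes]] = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._db[user] = (salt, self._hash(salt, pw))

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def check(self, user: str, password: str) -> str:
        """RADIUS-style verdict for one access request."""
        rec = self._db.get(user)
        if rec is None:
            return "Access-Reject"
        salt, digest = rec
        ok = hmac.compare_digest(digest, self._hash(salt, password))  # constant-time compare
        return "Access-Accept" if ok else "Access-Reject"


class SwitchPort:
    """Authenticator: one port on the workgroup switch (slides 16-18)."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.state = UNAUTHORIZED
        self.forwarded: List[bytes] = []
        self.dropped: List[bytes] = []

    def receive(self, frame: bytes) -> str:
        """Frames from the supplicant: only authentication traffic passes an unauthorized port."""
        if frame.startswith(b"EAPOL:"):
            return self._authenticate(frame)
        if self.state == AUTHORIZED:
            self.forwarded.append(frame)
            return "forwarded"
        self.dropped.append(frame)
        return "dropped"

    def _authenticate(self, frame: bytes) -> str:
        # Toy EAPOL payload b"EAPOL:<user>:<password>". The switch does not check
        # credentials itself; it relays them to the central server and obeys its verdict.
        try:
            _, user, password = frame.decode().split(":", 2)
        except ValueError:
            return "dropped"
        verdict = self.server.check(user, password)
        self.state = AUTHORIZED if verdict == "Access-Accept" else UNAUTHORIZED
        return verdict

    def link_down(self) -> None:
        """Unplugging the cable returns the port to the unauthorized state."""
        self.state = UNAUTHORIZED


def demo() -> Tuple[List[str], str]:
    """Walk one port through the slide-18 sequence and return the per-frame outcomes."""
    server = AuthServer({"alice": "correct horse battery staple"})   # constructed user
    port = SwitchPort(server)
    log = [
        port.receive(b"ARP who-has 10.0.0.4"),                        # before auth: dropped
        port.receive(b"EAPOL:alice:wrong"),                           # Access-Reject
        port.receive(b"ARP who-has 10.0.0.4"),                        # still dropped
        port.receive(b"EAPOL:alice:correct horse battery staple"),    # Access-Accept
        port.receive(b"ARP who-has 10.0.0.4"),                        # now forwarded
    ]
    port.link_down()
    log.append(port.receive(b"IP data"))                              # dropped again
    return log, port.state


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one on slide 16: access control lives at the port, so the same ARP frame is dropped or forwarded depending only on the port's state, and the switch never holds the credential database. In a real deployment the authenticator speaks EAP over LAN (EAPOL) to the supplicant and RADIUS to the server, and the server's Accept can also carry the VLAN the port should be placed in.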
