Moderator-Julie: Welcome to Network World Chats. Today's guest is author expert Christopher Paggen discussing the topic, LAN switch security: What hackers know about your switches. He penned a book of the same title. We have a surprise guest coming today, too; Chris's co-author, Eric Vyncke (but Eric will be joining us late).
Christopher_Paggen: Hello - glad to be here!
ARP spoofing and ARP poisoning
Moderator-Keith: Why should we care about LAN security? Outside hackers can't do much (we're behind a firewall), and we're pretty sure that employees aren't engaging in illicit activities.
Christopher_Paggen: While you are correct with regard to the firewall protecting you from outside LAN attacks, LAN-borne attacks are always performed locally by someone hooked up to a local network port. The people performing LAN attacks can range from adventurous employees "playing around" with Swiss-army-knife tools to motivated malicious guests trying to harvest confidential data.
BartKnight: I've heard it's possible for a hacker operating inside the company to intercept all LAN traffic without ever being noticed. How is this possible?
Christopher_Paggen: Yes, it's indeed possible by using ARP poison routing.
Stiekes: How many of the LAN security risks are more accurately characterized as resulting from compromises of host systems?
Christopher_Paggen: Many very potent LAN attacks such as ARP spoofing are performed on a remote machine connected to the same LAN as the victim(s). So even if your host is patched with the latest antivirus software, it talks on the Ethernet segment and remains subject to communication hijacking.
Sully: What about VLAN hopping on a switch? Is it possible and, if so, then how can it be prevented?
Christopher_Paggen: VLAN hopping is one of the trickiest attacks in the sense that it takes many favorable conditions lined up to occur. While tools such as Yersinia make it easy to attempt, the return from a hacker's perspective is fairly minimal: malicious traffic is injected one way from the hacker to the victim. The hacker gets no feedback from the victim, as traffic coming back from the victim won't hop VLANs back to the hacker. All in all, I would rate this a low-severity, hard-to-perform attack.
Fred: Can you give us some examples of typical attacks, and how to defend against them?
Christopher_Paggen: Sure. The worst attack is probably ARP poisoning. I rate it worst because it's extremely sneaky, very efficient and (too) easy to perform. There are two ways to protect yourself from an ARP spoofing/poisoning attack: either you monitor suspicious ARP traffic on a machine connected to the LAN (using ARPWatch for instance, a free Linux utility) or you rely on the switch's built-in security mechanism. Most Cisco switches, for instance, ship with protection against ARP spoofing attacks. They do so by associating a MAC entry (including the source Ethernet MAC and the payload of the ARP packet) to a given trusted port. If the same ARP packet shows up on a different port, that port isn't allowed to talk and a violation indication is triggered.