Intranet
Most local area networks (LANs) today run on Ethernet, which was designed as a shared medium. On a coaxial segment or a shared hub, a frame sent between two nodes reaches not only the network cards of those two nodes but the card of every other node on the same segment; a card put into promiscuous mode passes those frames up to software instead of discarding them. An attacker therefore only needs to plug into, or compromise, any one node on the segment to capture every frame on it, and can then mine the captures for credentials and other sensitive data. This is the inherent security weakness of Ethernet.
A. LAN Security
Many freely available hacker tools on the Internet build on this. SATAN and ISS are vulnerability scanners and NETCAT is a general-purpose connection tool; the eavesdropping itself is done by packet sniffers such as tcpdump, which are just as freely available and need nothing more than a card in promiscuous mode on a shared segment.
Currently, there are several solutions to ensure LAN security:
1. Network Segmentation
Network segmentation is usually regarded as the basic way to control broadcast storms, but it is also an important security measure: its purpose is to isolate unauthorized users from sensitive network resources, removing the opportunity for eavesdropping in the first place. Segmentation can be physical (separate segments joined by bridges, switches or routers) or logical (VLANs and access control on a shared switching fabric).
Most customs LANs currently use a structure centred on switches, with routers at the boundary. The emphasis should be on using the central switch's access control and Layer 3 switching functions, combining physical and logical segmentation, to control the LAN securely. For example, the "intrusion detection" feature widely used in the customs system on devices such as the DEC MultiSwitch 900 is not intrusion detection in the IDS sense; it is access control based on MAC addresses (a port is locked to the station address expected on it), which is the physical segmentation at the data link layer mentioned above.
2. Replace Shared Hubs with Switched Hubs
Even after the LAN has been segmented at the central switch, the risk of eavesdropping remains, because end users usually attach to branch hubs rather than to the central switch, and most branch hubs are shared hubs. When a user exchanges data with a host, the unicast frames between the two machines can still be captured by any other user on the same hub. A particularly dangerous case is TELNET. TELNET has no encryption, so every character the user types, including the username, the password and anything else typed into the session, crosses the wire in plaintext, exactly what an eavesdropper is waiting for.
Shared hubs should therefore be replaced with switched hubs, so that a unicast frame is forwarded only to the port where its destination address was learned, and ordinary eavesdropping from another port no longer works. A switch can only confine unicast frames; broadcast and multicast frames still go to every port, but fortunately they carry far less sensitive information than unicast frames. Two caveats a practitioner should keep in mind: a switch floods a unicast frame to every port while it has not yet learned the destination MAC address, and a switch forwards on MAC addresses alone, so a station that forges ARP replies or exhausts the switch's address table can undo the protection. Switching raises the bar for eavesdropping; it does not replace encrypting the session.
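As an added example (not code from the original article), the following Python shows what the "packet analysis" of captured frames amounts to for the TELNET case above: a minimal Ethernet II / 802.1Q / IPv4 / TCP decoder that pulls a client's keystrokes out of captured frames. The frames, MAC and IP addresses and the credentials in them are constructed inline for the example; on a shared hub, these are exactly the frames a third machine's card would see.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_TCP = 6
TELNET_PORT = 23


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload, vlan=None):
    """Build a minimal Ethernet II / IPv4 / TCP frame (constructed test data).
    Checksums are left at zero: a sniffer never needs them to read the payload."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    if vlan is None:
        eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    else:  # 802.1Q tag: TPID 0x8100, then PCP/DEI/VID, then the real EtherType
        eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!HHH", ETHERTYPE_8021Q, vlan, ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode Ethernet II (optionally 802.1Q tagged) / IPv4 / TCP.
    Returns a dict, or None for anything that is not TCP over IPv4."""
    ethertype, = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[offset] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len, = struct.unpack("!H", frame[offset + 2:offset + 4])
    if frame[offset + 9] != IPPROTO_TCP:
        return None
    tcp = offset + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_offset = (frame[tcp + 12] >> 4) * 4          # TCP header length in bytes
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"), "vlan": vlan,
        "src_ip": ".".join(map(str, frame[offset + 12:offset + 16])),
        "dst_ip": ".".join(map(str, frame[offset + 16:offset + 20])),
        "src_port": src_port, "dst_port": dst_port,
        "payload": frame[tcp + data_offset:offset + total_len],
    }


def recover_telnet_input(frames):
    """Concatenate everything each client sent towards TCP/23, keyed by (client, server)."""
    sessions = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dst_port"] != TELNET_PORT:
            continue
        key = (pkt["src_ip"], pkt["dst_ip"])
        sessions[key] = sessions.get(key, b"") + pkt["payload"]
    return sessions


# Constructed capture: addresses and credentials are made up for the example.
USER_MAC, HOST_MAC = "00:11:22:33:44:02", "00:11:22:33:44:01"
SAMPLE_FRAMES = [
    # An ARP request (EtherType 0x0806) is not IPv4 and is skipped by the decoder.
    _mac("ff:ff:ff:ff:ff:ff") + _mac(USER_MAC) + b"\x08\x06" + b"\x00" * 28,
    build_tcp_frame(USER_MAC, HOST_MAC, "10.0.0.2", "10.0.0.1", 40000, 23, b"alice\r\n"),
    build_tcp_frame(HOST_MAC, USER_MAC, "10.0.0.1", "10.0.0.2", 23, 40000, b"Password: "),
    # The password frame is captured on a VLAN trunk, so it carries an 802.1Q tag (VID 10).
    build_tcp_frame(USER_MAC, HOST_MAC, "10.0.0.2", "10.0.0.1", 40000, 23, b"s3cret\r\n", vlan=10),
]

if __name__ == "__main__":
    for (client, server), typed in recover_telnet_input(SAMPLE_FRAMES).items():
        print(f"{client} -> {server}: {typed!r}")
```

The decoder honours the IPv4 header length and TCP data offset fields rather than assuming 20-byte headers, and it steps over an 802.1Q tag, which matters when the capture is taken from a trunk or a mirror port rather than a plain hub. Nothing here is specific to TELNET beyond the port number; the same frames would expose FTP or POP3 passwords just as readily.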
3. VLAN Division
Besides the methods above, VLAN (Virtual Local Area Network) technology can be used to contain Ethernet's broadcast problem. A VLAN confines broadcasts, multicasts and unknown-destination floods to the ports that belong to the same VLAN, so a node in one VLAN never sees another VLAN's traffic at Layer 2; combined with switching, this defeats most intrusions that rely on eavesdropping.
There are currently three main types of VLAN: port-based, MAC-address-based and protocol-based. Port-based VLANs are slightly less flexible but mature and proven in practice, which is why they are the most widely used. MAC-address-based VLANs allow mobile computing, but membership is decided by an address the end node itself supplies, so they are exposed to MAC address spoofing. Protocol-based VLANs are ideal in theory but not yet mature in practice.
In a centralized network environment, we typically consolidate all host systems in the center into one VLAN, where no user nodes are allowed, effectively protecting sensitive host resources. In a distributed network environment, VLANs can be divided according to the structure of institutions or departments. All servers and user nodes within each department reside in their respective VLANs without interfering with each other.
Connections within a VLAN are switched; connections between VLANs are routed. Most switches today, including the DEC MultiSwitch 900 widely deployed within customs, support the two standard routing protocols RIP and OSPF. If special needs require another routing protocol (Cisco's EIGRP, or IS-IS for DECnet), an external router with several Ethernet ports can take over inter-VLAN routing from the switch, at some cost in forwarding efficiency. Inter-VLAN routing is also where access control between VLANs has to be enforced: routing the VLANs together reconnects them at Layer 3, so the access lists on the router or Layer 3 switch decide which VLANs may reach the protected host VLAN at all.
Whether a switched hub or a VLAN-capable switch, both are built on switching technology, which is effective at controlling broadcasts and frustrating eavesdroppers. The same property, however, defeats intrusion-monitoring and protocol-analysis tools that rely on seeing every frame on the segment. Where such devices are deployed on the LAN, a switch with SPAN (Switched Port Analyzer) functionality must be chosen: it lets the administrator mirror the frames of all, or selected, switch ports to a designated port, to which the intrusion monitor or protocol analyzer is attached. The mirror port then sees everything the monitored ports see, so physical access to it must be controlled as strictly as access to the host VLAN itself, and since a mirror port cannot carry more than its own line rate, mirroring many busy ports to one port will drop frames. In the design of Xiamen Customs' external network, I selected Cisco's Catalyst series switch with SPAN functionality, allowing us to enjoy the benefits of switching technology while ensuring the "usefulness" of the existing Sniffer protocol analyzer.
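The three switching-based measures above (replacing shared hubs with switches, port-based VLANs, and SPAN mirroring) can be seen together in one forwarding model. The following Python is an added example written for this page, not code from the original article or from any switch vendor: it models a shared hub and a learning switch with port-based VLANs and a SPAN session, runs the same constructed TELNET login through both, and reports which ports see which frames. The port numbers, MAC addresses, VLAN assignments and payloads are assumed for illustration.

```python
from collections import defaultdict, namedtuple

Frame = namedtuple("Frame", "src dst payload")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return (int(mac[:2], 16) & 1) == 1


class Hub:
    """Shared hub: every frame is repeated to every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return self.ports - {in_port}


class Switch:
    """Learning switch with port-based VLANs and an optional SPAN session.
    port_vlan maps access port -> VLAN id; span is (monitored ports, destination port).
    The SPAN destination is deliberately absent from port_vlan: it receives mirrored
    copies only and never takes part in normal flooding or learning."""

    def __init__(self, port_vlan, span=None):
        self.port_vlan = dict(port_vlan)
        self.cam = {}  # (vlan, mac) -> port, learned from source addresses
        self.span_sources, self.span_dest = span if span else (set(), None)

    def forward(self, in_port, frame):
        vlan = self.port_vlan[in_port]
        self.cam[(vlan, frame.src)] = in_port
        out_port = None if is_group_address(frame.dst) else self.cam.get((vlan, frame.dst))
        if out_port is None:
            # Broadcast, multicast or not-yet-learned unicast: flood, but only inside this VLAN.
            out = {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        else:
            out = {out_port} - {in_port}
        if in_port in self.span_sources and self.span_dest is not None:
            out.add(self.span_dest)  # mirror a copy to the analyzer port
        return out


def deliver(device, traffic):
    """Run (in_port, frame) pairs through a device; return {port: [payloads seen]}."""
    seen = defaultdict(list)
    for in_port, frame in traffic:
        for port in device.forward(in_port, frame):
            seen[port].append(frame.payload)
    return dict(seen)


# Constructed scenario: port 1 = host, port 2 = user, port 3 = eavesdropper (same VLAN),
# port 4 = another department's VLAN, port 5 = SPAN destination carrying the analyzer.
HOST, USER = "00:00:00:00:00:01", "00:00:00:00:00:02"
TRAFFIC = [
    (2, Frame(USER, HOST, "SYN to telnet/23")),      # host not yet learned: flooded
    (1, Frame(HOST, USER, "SYN-ACK")),               # user was learned from the frame above
    (2, Frame(USER, HOST, "login: alice")),
    (2, Frame(USER, HOST, "password: s3cret")),
    (2, Frame(USER, BROADCAST, "ARP who-has 10.0.0.9")),
]


def hub_view():
    return deliver(Hub([1, 2, 3, 4]), TRAFFIC)


def switch_view():
    switch = Switch({1: 10, 2: 10, 3: 10, 4: 20}, span=({1, 2}, 5))
    return deliver(switch, TRAFFIC)


if __name__ == "__main__":
    for name, view in (("hub", hub_view()), ("switch", switch_view())):
        for port in sorted(view):
            print(f"{name} port {port}: {view[port]}")
```

On the hub the eavesdropper on port 3 sees all five frames, password included. On the switch it sees only the first SYN (flooded because the host's address had not been learned yet) and the ARP broadcast; port 4 in VLAN 20 sees nothing at all; and port 5, the SPAN destination, receives a copy of every frame that entered the two monitored ports, which is exactly why that port needs the same protection as the hosts it watches.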