Network Protocols for Security Professionals

By Deepanshu Khanna , Yoram Orzach

Early Access

This is an Early Access product. Early Access chapters haven’t received a final polish from our editors yet. Every effort has been made in the preparation of these chapters to ensure the accuracy of the information presented. However, the content in this book will evolve and be updated during the development process.


About this book

Network security plays an important role in securing IT infrastructures against attacks. The increased demand for computer systems, and the ever-evolving internet, has allowed people to find vulnerabilities and infiltrate organizations through their networks. Network Protocol Security will help you safeguard your organization's network and networking devices.

This book is a comprehensive guide that begins with the basics, gradually increases in complexity, and later takes you through advanced concepts. You will start by understanding the structure of data network protocols and devices, as well as their weaknesses. In addition to this, you’ll become familiar with attacking tools and scripts that take advantage of these weaknesses. After covering the basics, you will learn about attacks that target networks and network devices. Next, you will perform eavesdropping, learn data analysis, and use behavior analysis for network forensics. Toward the concluding chapters, you will understand network protocols and how to use the methods and tools you learned in the previous parts to attack and protect these protocols.

By the end of this network security book, you will have learned network protocol security and security counter-measures to protect network protocols.

Publication date:
November 2022
Publisher
Packt
Pages
541
ISBN
9781789953480

 

1 Data Centers and the Enterprise Network Architecture and its Components

Communication networks have long been a critical part of any organization. Protecting them against risks of all kinds, especially security risks, is critical to the operation of the organization. Understanding the structure of data networks will help you understand network vulnerabilities, where they exist, and where and how we can protect against them.

This chapter provides an overview of a data network’s structure and its weak points. We will also describe the hardware, software, and protocols involved in the network, as well as their potential vulnerabilities. We will talk about the traditional structure of enterprise networks and data centers, network components and their connectivity, and the data flows in the network. Finally, we will explain the evolving software-defined networking (SDN) and network function virtualization (NFV) technologies and their impact on data networks, along with the networking and security considerations of cloud connectivity.

In this chapter, we’re going to cover the following main topics:

  • Exploring networks and data flows
  • The data center, core, and user networks
  • Switching (L2) and routing (L3) topologies
  • The network perimeter
  • The data, control, and management planes
  • SDN and NFV
  • Cloud connectivity
  • Types of attacks and where they are implemented
 

Exploring networks and data flows

Network architecture is about how the building blocks of the networks are connected; data flows are about the information that flows through the network.

Understanding the network architecture helps us find the weak points of the network. Attackers manipulate data flows to steal information: by diverting traffic toward themselves, they can watch what runs through the network and extract valuable information from it.

To prevent this, you must understand the structure of your network and the data that flows through it. A typical data network is built out of three parts:

  • The data center, which holds the organization's servers and applications.
  • The core network, which is the part of the network that is used to connect all the parts of the network, including the user’s network, the data centers, remote networks, and the internet.
  • The user network, which is the part of the network that provides the users’ connectivity. The user network is usually made up of distribution and access layers.

These parts are illustrated in the following diagram:

Figure 1.1 – Typical enterprise network

In the top-left corner, we can see the main data center, DC-1, with a user network, Users-1, located at the same site. In the top-right corner, we can see a secondary data center, DC-2, with its own user network located at the secondary site. The two data centers are connected to the internet via two firewalls, one located in each data center.

In the center of the diagram, we can see the Wide Area Network (WAN) connectivity, which includes the routers that connect to the service provider’s (SP’s) network and the SP network that establishes this connectivity.

In the lower part of the diagram, we can see the remote sites that connect to the center via the SP network.

Now, let’s focus on the protocols and technologies that are implemented on each part of the network.

 

The data center, core, and user networks

First, let’s see what the areas in the organization’s data network are. The data center is the network that holds the majority of the organization's servers. In many cases, as shown in the following diagram, we have two data centers that work in high availability mode; that is, if one data center fails, the other one can fully or partially take its place.

The layout of the user networks depends on the size, geographical distribution, and number of users in the organization. The core network is the backbone that connects the users to the data center, remote offices, and the internet. The distribution switches sit in central locations on the campus, and the access switches are located in buildings and smaller areas.

The data center, core, and user networks are illustrated in the following diagram, which is of a typical mid-sized network:

Figure 1.2 – The data center, core, and user networks

At the top, we can see the data center switches, where every server is connected via two cables. This connectivity can be implemented as port redundancy, for redundancy only, or as link aggregation (LAG), for redundancy and load sharing. A typical connection is implemented with two wires, copper or fiber, while heavy-duty servers and server blades can be connected with 2-4 wires or more.

In the center, we can see the core switches. As the name implies, they are the center of the network. They connect between the data center and the user network, and they connect to remote sites, the internet, and other networks. The connectivity between the core switches and the data center switches can be implemented in Layer 2 or Layer 3, with or without an overlay technology, as we will see later in this chapter.

The user network holds the distribution and access areas. The access layer holds the switches that connect to the users, while the distribution layer aggregates the access switches. For example, in a campus network, there will be a distribution switch for every building or group of buildings, with the access switches connected to the nearest one. Distribution switches are usually installed in a redundant topology, that is, two switches per site, with each access switch connected to both.

In the next section, we will learn about Layer 2 and Layer 3 by examining the data flow and how data passes through the network. We will describe various design options and describe the pros and cons from a security point of view.

 

Switching (L2) and routing (L3) topologies

In this section, we will talk about the structure of a campus network.

Switching (L2) and routing (L3)

Layer 2 switches are devices that switch packets between ports, while Layer 3 switches or routers look at the Layer 3 header of the packet and make routing decisions. This can be seen in the following diagram.

At the top left, we can see a single LAN switch. A frame arrives at the switch; the switch looks at the destination MAC address, makes a forwarding decision, and forwards the frame out the destination port; that is, port 3.

At the bottom left, we can see how a frame crosses a network of switches. The frame enters the left switch, which makes a forwarding decision and forwards it out port 3. Port 3 is connected to port 1 on the right switch, which looks at the destination MAC address in turn and forwards the frame out its own port 4. Each forwarding decision is made locally; that is, every switch decides on its own, based only on its own MAC address table, without consulting the others.

In routing, as shown to the right of the following diagram, the decision is made at Layer 3. When a packet enters the router, the router looks at the Layer 3 destination address, looks it up in its routing table, and, if a matching route exists, forwards the packet to the next hop; if there is no matching route, the packet is dropped:

Figure 1.3 – The data center, core, and user network

Important Note

In the packets shown in the preceding diagram, D stands for destination address and S stands for source address. In an Ethernet header the destination MAC address precedes the source, whereas in an IP header the source address precedes the destination; for convenience, both are drawn in the same order here, D followed by S, at L2 and L3 alike.
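
The Layer 2 forwarding behaviour described above is easy to reproduce in a few dozen lines. The following Python simulation is an added example, not code from the book: it models a learning switch that records the source MAC of each frame against its ingress port, forwards known destinations out a single port, and floods unknown or broadcast destinations out every other port. It also gives the MAC table a fixed capacity, because real switches have a finite CAM; once the table is full, new hosts can no longer be learned and frames to them keep being flooded, which is exactly what an attacker who floods the switch with forged source addresses is after, since the flooded copies reach the attacker's port too. The MAC addresses, port numbers, and table size are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    payload: bytes = b""


class LearningSwitch:
    """Transparent bridge: learn source MAC -> ingress port, forward known
    destinations out one port, flood unknown and broadcast destinations."""

    def __init__(self, ports, mac_table_size=4096):
        self.ports = list(ports)
        self.mac_table_size = mac_table_size   # finite, like a real CAM
        self.mac_table = OrderedDict()         # MAC -> port

    def learn(self, mac, port):
        if mac in self.mac_table:
            self.mac_table[mac] = port
            self.mac_table.move_to_end(mac)    # refresh the entry
            return
        if len(self.mac_table) >= self.mac_table_size:
            return                             # table full: nothing is learned
        self.mac_table[mac] = port

    def forward(self, frame, in_port):
        """Return the list of egress ports for a frame received on in_port."""
        self.learn(frame.src, in_port)
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flood everywhere except the ingress port
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        return [] if out_port == in_port else [out_port]


def demo_flooding_after_exhaustion(table_size=8):
    """Constructed scenario: PCs A (port 1) and B (port 2) talk normally; then a
    host on port 3 sends forged source MACs until the table is full; a new PC C
    on port 4 can no longer be learned, so frames to C are flooded, reaching
    port 3 as well. Returns (ports before, ports after, table occupancy)."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], mac_table_size=table_size)
    pc_a, pc_b, pc_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    attacker_port = 3
    sw.forward(Frame(dst=BROADCAST, src=pc_a), in_port=1)       # A announces itself
    sw.forward(Frame(dst=pc_a, src=pc_b), in_port=2)            # B answers A
    before = sw.forward(Frame(dst=pc_b, src=pc_a), in_port=1)   # unicast, port 2 only
    for i in range(table_size * 2):
        forged = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.forward(Frame(dst=BROADCAST, src=forged), in_port=attacker_port)
    sw.forward(Frame(dst=BROADCAST, src=pc_c), in_port=4)       # C cannot be learned now
    after = sw.forward(Frame(dst=pc_c, src=pc_a), in_port=1)    # flooded, including port 3
    return before, after, len(sw.mac_table)
```

The mitigation is the one every switch vendor offers under the name port security: cap the number of MAC addresses an access port may learn and restrict or shut the port when the cap is exceeded, so that a single host cannot fill the table.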

While the basic building blocks of data networks are the Layer 2 switches that users connect to, we can also use Layer 3 switches at the higher levels, that is, the distribution, core, or data center level, to divide the network into different IP networks. Before we move on, let’s see what Layer 3 switches are.

The following diagram shows a traditional router on the left and a Layer 3 switch on the right. In a traditional router, we assign an IP address to every physical port, that is, Int1, Int2, Int3, and Int4, and connect a Layer 2 switch to each; the end devices, PCs in this example, are connected to that external switch.

In a Layer 3 switch, it is all in the same box. The Layer 3 interfaces (called Interface VLAN, or switched virtual interfaces, on Cisco switches) are software interfaces configured on the switch: VLANs are configured, an L3 interface is assigned to each, and the end devices are connected to the physical ports on the switch:

Figure 1.4 – The data center, core, and users network

Dividing the network into different IP subnets provides many advantages: more flexibility in the design, since every department can get an IP subnet with access rights to specific servers; the ability to run routing protocols; containment, since broadcasts do not cross routers, so a broadcast storm or a Layer 2 attack such as ARP spoofing is confined to the subnet it originates in; and many more.

L2 and L3 architectures

L3 can be implemented anywhere in the network. When we implement Layer 3 on the core switches, their IP addresses are the default gateways of the users; when we implement Layer 3 on the data center switches, their addresses are the default gateways of the servers.

The design considerations for a data network are not in the scope of this book. However, it is important to understand the structure of the network to understand where attacks can come from and the measures to take to achieve a high level of security.

The following diagram shows two common network topologies – L3 on the core and DC switches on the left, and L3 on the DC only on the right:

Figure 1.5 – L2/L3 network topologies

On the left, we have the following configuration:

  • Virtual LANs (VLANs) configured on the core switches: VLAN 50 and VLAN 60 are the user VLANs. Each user VLAN holds several physical ports and one logical L3 interface, the Interface VLAN in Cisco terminology. In this example, Interface VLAN 50’s IP address is 10.50.1.1/16, while Interface VLAN 60’s IP address is 10.60.1.1/16.
  • VLANs configured on the DC switches: VLAN 10 and VLAN 20 are the server VLANs. Each server VLAN holds several physical ports and one logical L3 interface. For example, Interface VLAN 10’s IP address is 10.10.1.1/16, while Interface VLAN 20’s IP address is 10.20.1.1/16.
  • The default gateways of the users in the 10.50.0.0/16 and 10.60.0.0/16 networks are 10.50.1.1 and 10.60.1.1, respectively; the default gateways of the servers in 10.10.0.0/16 and 10.20.0.0/16 are 10.10.1.1 and 10.20.1.1.

On the right, we can see a different topology, which is where all the Interface VLANs are on the DC switches:

  • All the VLANs are configured on the DC switches.
  • The core switches are only used as Layer 2 devices.
  • The default gateways of both the user’s devices and servers are on the DC switches.

L2 and L3 architecture data flow

For the data flow, let’s look at the following diagram:

Figure 1.6 – L2/L3 network topologies

In the left topology, we can see the following:

  • When sending packets from the users to the servers, users on VLAN 50 or VLAN 60 send packets to the default gateway; that is, the L3 Interface on the left core switch. From there, packets are routed to the L3 Interface on the left DC switch and the server.
  • When sending the packets back, the servers on VLAN 10 or VLAN 20 send packets to their default gateway (10.10.1.1 or 10.20.1.1, respectively), which is on the left DC switch. From there, the packets are routed to the L3 Interface on the left core switch and on to the user.

In the right topology, we can see the following:

  • The DC switches are the default gateways for the users and the servers, so packets from both are sent to the DC switches and routed internally in them.

L2 and L3 architecture data flow with redundancy

Now, let’s see how packets flow through the network. This example is for the case when the user’s L3 Interfaces are on the core switches.

In the following diagram, a PC with an address of 10.60.10.10/16 is sending information to the server on 10.20.1.100/16. Let’s look at the main and redundant flows:

Figure 1.7 – Data flowing through the network

In a network under regular conditions – that is, when all the network components are functioning – the data flow will be as follows:

  • When PC2 sends packets to a server, they go to its default gateway (1); that is, 10.60.1.1 on the lower-left core switch.
  • From 10.60.1.1, the packets are routed to 10.20.1.1 on the top-left DC switch (2).
  • From 10.20.1.1, the packets are forwarded to the upper server; that is, 10.20.1.100/16 (3).

When a failure occurs, as in the example in Figure 1.7, in which the left DC switch (DC-SW-1) fails, the following happens:

  • The MAC address of the S1 server is now learned on the DC switch on the right (DC-SW-2), and from there it is learned on the core switch on the right (CORE-SW-2).
  • Packets that PC2 sends to the server are now forwarded to the core switch on the right (a).
  • The core switch on the right forwards the packets to the next hop (b), which is the DC switch on the right (DC-SW-2).
  • The DC switch on the right forwards the packets to the server (c).

Note that this assumes the server’s gateway address, 10.20.1.1, remains reachable while DC-SW-1 is down; in practice, this is achieved by running a first-hop redundancy protocol such as HSRP or VRRP between the two DC switches, so that the gateway address is shared by both.

L2 and L3 topologies with firewalls

A common practice in network design is to add firewalls in two locations in the enterprise network: data center firewalls and core firewalls. Data center firewalls are more common and protect the data center, while core firewalls separate and protect different users and areas of the network. A typical network is illustrated in the following diagram:

Figure 1.8 – The data center, core, and users network (with FWs)

In this case, we have firewalls with the following functionality:

  • Data center firewalls: These are firewalls that protect the data center. On these firewalls, we will usually have packet filtering, stateful inspection, intrusion detection and prevention, and application filtering.

    Important Note

    Packet filtering refers to filtering packets according to Layer 3 (IP) and Layer 4 (TCP/UDP) header information, each packet being judged on its own. Stateful inspection tracks the sessions crossing the firewall and the direction in which each one was initiated, and admits return traffic only for sessions that were opened from a permitted direction. Intrusion prevention protects against intrusion attempts on the network. Application filtering works at Layer 7 and filters sessions based on the application and its content. Further discussions on these mechanisms and others, as well as how to use and harden them, will be provided later in this book.

  • Core firewalls: These are used to protect different areas of the network, such as different departments, different companies on the same campus, and so on.
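
To make the difference between the first two mechanisms in the note concrete, here is an added Python example (not code from the book) that puts a stateless packet filter and a stateful filter side by side. Both are meant to allow users in 10.60.0.0/16 to reach HTTPS on servers in 10.20.0.0/16, the chapter's own address plan. The stateless filter has to open the return direction for every user port, because it cannot know which packets are replies, and that opening also admits a crafted packet that merely uses source port 443. The stateful filter records sessions opened by a client SYN and admits only their return traffic. The packets and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

USERS = ip_network("10.60.0.0/16")     # user VLAN from the chapter
SERVERS = ip_network("10.20.0.0/16")   # server VLAN from the chapter
HTTPS = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, only meaningful for proto == "tcp"
    ack: bool = False


def stateless_filter(pkt):
    """Layer 3/4 access list: each packet is judged on its own.
    Rule 1 lets users open HTTPS to servers. Rule 2 must let replies back and,
    since the filter has no memory of who asked, it has to admit anything sent
    from a server's port 443 toward any user port."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in USERS and dst in SERVERS and pkt.proto == "tcp" and pkt.dport == HTTPS:
        return True
    if src in SERVERS and dst in USERS and pkt.proto == "tcp" and pkt.sport == HTTPS:
        return True
    return False


class StatefulFilter:
    """Tracks sessions opened from the permitted direction and admits only
    their return traffic; everything else is dropped."""

    def __init__(self):
        self.sessions = set()   # (client, client port, server, server port, proto)

    def allow(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        forward_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward_key in self.sessions or reverse_key in self.sessions:
            return True    # belongs to an established session
        new_connection = pkt.proto == "tcp" and pkt.syn and not pkt.ack
        if src in USERS and dst in SERVERS and pkt.dport == HTTPS and new_connection:
            self.sessions.add(forward_key)
            return True
        return False


def compare_filters():
    """Constructed traffic: a legitimate handshake plus one crafted packet.
    Returns (stateless verdicts, stateful verdicts) for the three packets."""
    handshake = Packet("10.60.10.10", "10.20.1.100", "tcp", 51000, HTTPS, syn=True)
    reply = Packet("10.20.1.100", "10.60.10.10", "tcp", HTTPS, 51000, syn=True, ack=True)
    # A compromised server probes RDP on the user's PC, using source port 443
    # so that the packet looks like an HTTPS reply to the stateless rule
    crafted = Packet("10.20.1.100", "10.60.10.10", "tcp", HTTPS, 3389, syn=True)
    traffic = (handshake, reply, crafted)
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in traffic],
            [stateful.allow(p) for p in traffic])
```

Real firewalls also track TCP state transitions and time sessions out; the point here is only that direction-aware state, not the port numbers, is what distinguishes a reply from a probe.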

The data flow in a firewall-protected network is as follows:

Figure 1.9 – Data flowing through the network (with FWs)

Data can flow in several directions, with several levels of protection:

  • In the first example, PC2, which has an address of 10.60.10.10, sends data to its default gateway; that is, the IP interface of its VLAN (1). From there, the packets are routed to the DC firewall (FW1) at the top left (2) and on to the required server (3).
  • A second option is when PC4, on the right, sends packets to the server. Here the packets pass a first level of security, core firewall FW4, before reaching the data center. Packets from the PC are sent to the default gateway; that is, the IP interface of the VLAN (a). From there, they are routed to the core firewall (FW4) (b), then to the DC firewall (FW2) (c), and finally to the required server (d).
  • There are many other options, including routing packets from users through the core firewalls to external networks, routing packets between users through the core firewalls, and so on.

L2 and L3 topologies with overlays

When building a traditional enterprise network, the network structure ensures one thing: that packets are forwarded from the source to the destination as fast as possible.

Important Note

As fast as possible, in terms of a data network, is measured with four parameters: bandwidth, delay, jitter, and packet loss. Bandwidth is the number of bits per second that the network can carry. Delay is the time it takes a packet to reach its destination; it is commonly measured as the round-trip time (RTT), the time for a packet to reach the destination and the response to arrive back at the sender. Jitter is the variation in delay between successive packets and is measured in units of time, typically milliseconds. Packet loss is the percentage of packets that were lost in transmission. Different applications have different requirements: some need high bandwidth, others are sensitive to delay and jitter, and some are sensitive to packet loss. An attack on a communications line can degrade one or all of these parameters.

Overlay technologies add functionality to the network by establishing one or more virtual networks over the physical one. The physical network is referred to as the underlay network, while the virtual network is referred to as the overlay network, as illustrated in the following diagram:

Figure 1.10 – Underlay/overlay network architecture

Here, we can see a standard network that is made up of routers with connectivity between them. The overlay network is made up of end-to-end tunnels that create a virtual network over the real one.

There are various overlay technologies, such as VXLAN, EVPN, and others. The principle is that a packet entering an overlay tunnel is encapsulated inside an underlay packet, forwarded across the underlay to the tunnel’s far end, and decapsulated there before being delivered to its destination. The encapsulation itself provides no confidentiality or authentication: VXLAN, for example, carries the inner frame and the virtual network identifier in the clear, so anyone who can inject traffic into the underlay can inject frames into an overlay segment unless the tunnel is additionally protected, for instance with IPsec.

Since the bits eventually travel over the physical wires, attacks on the underlay network and attacks on the overlay connectivity can both degrade the network or take it down.
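
As an added example (not code from the book), the following Python builds and parses a VXLAN packet, so the relationship between the overlay frame and the underlay headers is visible byte by byte. It follows the header layout of RFC 7348 for VXLAN and the standard IPv4 and UDP headers; the tunnel endpoint (VTEP) addresses, MAC addresses, VNI, and payload are constructed for the example. The point to notice is that the 24-bit VNI and the whole inner frame travel in the clear, so access to the underlay, not to the encapsulation, is all an attacker needs in order to read or inject overlay traffic.

```python
import struct

VXLAN_PORT = 4789      # IANA-assigned UDP port for VXLAN (RFC 7348)
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame, vni, outer_src_mac, outer_dst_mac,
                      vtep_src_ip, vtep_dst_ip, src_port=49152):
    """Wrap an Ethernet frame the way a VXLAN tunnel endpoint (VTEP) does."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header: flags (I bit = 0x08), 24 reserved bits, 24-bit VNI, 8 reserved bits
    vxlan = struct.pack("!B3sI", 0x08, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0 is permitted over IPv4 and commonly used by VTEPs
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                         64, IPPROTO_UDP, 0, ip4(vtep_src_ip), ip4(vtep_dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    outer_eth = mac(outer_dst_mac) + mac(outer_src_mac) + struct.pack("!H", ETH_P_IP)
    return outer_eth + ip_hdr + udp + vxlan + inner_frame


def vxlan_decapsulate(packet):
    """Return (vni, inner_frame) for a VXLAN packet, or None if it is not one."""
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        return None
    if struct.unpack("!H", packet[12:14])[0] != ETH_P_IP:
        return None
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IPPROTO_UDP:
        return None
    udp_off = 14 + ihl
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_PORT:
        return None
    vx_off = udp_off + 8
    flags, _reserved, vni_field = struct.unpack("!B3sI", packet[vx_off:vx_off + 8])
    if not flags & 0x08:
        return None          # without the I flag the VNI field is not valid
    inner = packet[vx_off + 8:udp_off + udp_len]
    return vni_field >> 8, inner


def vxlan_roundtrip():
    """Constructed sample: a frame from server S1 to a user, carried in VNI 5010.
    Returns (vni seen on the wire, inner frame recovered intact, header overhead)."""
    inner = (mac("00:00:00:00:00:0a") + mac("00:00:00:00:00:0b")
             + struct.pack("!H", ETH_P_IP) + b"constructed payload from S1")
    packet = vxlan_encapsulate(inner, vni=5010,
                               outer_src_mac="00:11:22:33:44:01",
                               outer_dst_mac="00:11:22:33:44:02",
                               vtep_src_ip="10.0.0.1", vtep_dst_ip="10.0.0.2")
    vni, recovered = vxlan_decapsulate(packet)
    # 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 8 (VXLAN) = 50 bytes of overhead
    return vni, recovered == inner, len(packet) - len(inner)
```

The 50 bytes of overhead also explain why underlay links carrying VXLAN are normally run with a larger MTU; a fragmented or dropped overlay packet is a classic symptom of an underlay that was not adjusted.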

Now that we’ve talked about the organization network, let's talk about connectivity to the world; that is, the perimeter.

 

The network perimeter

The network perimeter is the boundary between the private locally managed enterprise network and public networks such as the internet.

A network perimeter, as shown in the following diagram, includes firewalls, Intrusion Detection and Prevention Systems (IDPSes), application-aware software, and sandboxes to prevent malware from being forwarded to the internal network:

Figure 1.11 – The perimeter architecture

There are three zones on the perimeter which act as the boundaries between the organization’s private network and the internet:

  • Internal zone: This is the area that holds the organization’s users and servers. It is also referred to as the trusted zone or the secure zone (SZ). This is the zone with the highest level of security. No direct access is allowed from the external zones to the internal zone; any access from outside, if allowed at all, should pass through the DMZ.
  • Demilitarized zone (DMZ): This is the area that users from the internet can access, under restrictions. Here we find, for example, mail relays that receive emails from external servers and forward them to the internal mail server in the SZ, as well as web servers and proxies, which act as mediation devices that control access to important internal servers, and others.
  • External zone: This is the connection to external networks, such as Internet Service Providers (ISPs) and other external connections.

Usually, the architecture is more complex: there can be several DMZs for several purposes, several SZs for different departments in the organization, and so on. The firewall cluster may also be distributed, with each firewall in a different location, and there can be more than two firewalls.

In the Zero Trust architecture, created by John Kindervag at Forrester Research, the network is segmented more deeply: we identify a protect surface made of the network’s critical data, assets, applications, and services (DAAS) and design the firewall topology and defenses around it. In this architecture, we talk about the trusted area, which is for users and servers; the untrusted area, which is for external connections such as the internet; and the public area, which is for frontend devices and services that are accessed from the external world.

Additional software can be implemented in the perimeter: intrusion detection and prevention systems, sandboxes that run suspicious software that’s been downloaded from the internet, web and mail filters, and others. These can be implemented as software on the firewall or as external devices.

Attacks from the perimeter are common. There will be malicious websites, emails with malicious attachments, intrusion attempts, and many others.

Data networks attacks can focus on the network itself or network components. Now that we’ve talked about the network topology, let’s learn how the network components are built.

 

The data, control, and management planes

Network devices perform three different operations:

  • Process and forward the data in transit. This is referred to as the data plane.
  • Make forwarding decisions; that is, where to forward the data. This is referred to as the control plane.
  • Enable the administrator, or the management system, to give commands and read information from the device. This is referred to as the management plane.

The following diagram shows how these three planes function:

Figure 1.12 – The data, control, and management planes

Here, we can see the objectives of the data, control, and management planes.

The data plane

The data plane is responsible for forwarding information. It receives instructions from the control plane, such as routing tables, and forwards packets from port to port. The forwarding tables are derived from various control plane functions. For example, several routing protocols can run in the control plane; their combined result is a single routing table (RIB) in the control plane, which is translated into a single forwarding table (FIB) on the data plane.

The data plane is responsible for processing and delivering packets, so it is implemented in the forwarding hardware of the network interfaces and, on smaller devices, in software on the device CPU.

Attacks on the data plane work mostly by overloading it: link flooding and Distributed Denial of Service (DDoS) attacks saturate the links and the forwarding capacity of the devices.

The control plane

The control plane is where we determine how data should be forwarded in the data plane. The control plane includes routing protocols that exchange information between routers, multicast protocols, Quality of Service (QoS) protocols, and any other protocol that the network devices use to exchange information and make forwarding decisions. These protocols are running in the control plane, and their result is a forwarding table that is built in the data plane.

The control plane is part of the network device software, and it runs in the device’s CPU.

Several types of attacks can be performed on the control plane. Some simply try to exhaust device resources (such as CPU and memory), while others try to confuse the protocols running on the device: sending fake routing updates to divert traffic, poisoning ARP caches so that packets are forwarded to the wrong host, and so on.
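
Two pieces of the chapter meet here: the routing decision described for Figure 1.3, and the relationship between several control-plane protocols, one routing table, and one forwarding table. The following Python is an added example, not code from the book. It builds a forwarding table from candidate routes using administrative distance (the Cisco defaults of connected 0, static 1, OSPF 110 are assumed), performs longest-prefix-match lookups on it, and then shows the effect of a fake routing update: a rogue neighbour advertising a more specific prefix for part of the server network wins the lookup for that range without removing the legitimate route. The prefixes, next hops, and the rogue update are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed administrative distances (Cisco defaults); lower is preferred
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.20.0.0/16"
    next_hop: str    # "direct" for a connected network
    source: str      # control-plane process that produced the route


def build_fib(rib):
    """Control plane: choose one route per prefix by administrative distance,
    then compile the winners into a FIB ordered longest prefix first."""
    best = {}
    for route in rib:
        net = ip_network(route.prefix, strict=False)
        current = best.get(net)
        if current is None or ADMIN_DISTANCE[route.source] < ADMIN_DISTANCE[current.source]:
            best[net] = route
    return sorted(best.items(), key=lambda item: item[0].prefixlen, reverse=True)


def lookup(fib, dst_ip):
    """Data plane: longest-prefix match; returns the next hop or None (drop)."""
    addr = ip_address(dst_ip)
    for net, route in fib:
        if addr in net:
            return route.next_hop
    return None


def demo_admin_distance():
    """Two processes offer the same prefix; the static route (AD 1) beats OSPF (AD 110)."""
    rib = [Route("10.20.0.0/16", "10.0.0.2", "ospf"),
           Route("10.20.0.0/16", "10.0.0.99", "static")]
    return lookup(build_fib(rib), "10.20.1.100")


def demo_route_injection():
    """A forged, more specific prefix diverts part of the server network.
    Returns (next hop before, next hop for S1 after, next hop for another server after)."""
    rib = [
        Route("10.60.0.0/16", "direct", "connected"),   # user VLAN, local
        Route("10.20.0.0/16", "10.0.0.2", "ospf"),      # servers via the DC switch
        Route("0.0.0.0/0", "10.0.0.254", "static"),     # default toward the firewall
    ]
    server = "10.20.1.100"
    legit = lookup(build_fib(rib), server)
    # Constructed rogue update: a neighbour claims 10.20.1.0/24 via itself
    forged = Route("10.20.1.0/24", "10.0.0.66", "ospf")
    poisoned_fib = build_fib(rib + [forged])
    hijacked = lookup(poisoned_fib, server)           # the /24 now wins for S1
    untouched = lookup(poisoned_fib, "10.20.200.5")   # rest of 10.20/16 unaffected
    return legit, hijacked, untouched
```

This is why control-plane hardening matters: authenticate routing protocol neighbours, make user-facing interfaces passive so no routing protocol is spoken toward them, and filter the prefixes accepted from each peer.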

The management plane

The management plane is responsible for interacting with the network device, whether through a management system, via protocols such as SNMP or NetFlow, REST APIs, or any other method the device supports, or through human interaction via a command-line interface (CLI), web interface, or a dedicated client.

The management plane is implemented entirely in software. Attacks on the management plane mostly try to break into the network device, by a human or by a machine, and change its configuration in violation of the enterprise policy, with the intent of disrupting the network or gaining a foothold in it.

Now that we’ve talked about network devices and their structure, let’s talk about the new designs in data networks; that is, SDN and NFV.

 

SDN and NFV

SDN and NFV are technologies from the early 2010s that virtualize network operations. While SDN is a technology that came from the enterprise network and data centers, NFV came from the network service provider (NSP) world. Let’s see what they are and the security hazards for networks that implement them.

Software-defined networking (SDN)

SDN separates the data plane from the control plane, creating software-programmable network infrastructure that can be manually and automatically adapted to application requirements.

While in traditional networks, network devices exchange information between them, learn the network topology, and forward packets, in SDN, the switches are simple devices that forward according to commands they receive from the network controller.

Let’s take, for example, a network of routers. The following happens in traditional networks:

  • In the control plane: Routing protocols exchange routing information between them, check restrictions such as access control lists (ACLs) and QoS requirements, and fill in the routing tables.
  • In the data plane: From the routing tables, they build the forwarding tables. Then, when a packet enters the router, the router will forward it according to the forwarding tables.

The following diagram shows an example of an SDN network:

Figure 1.13 – Software-defined networking (SDN)

In this network, we have a central controller, which is the network’s brain. This controller acts as the control plane for the entire network. When a new session is opened and packets are sent through the network, every switch receiving the first packet sends a request to the controller, asking how to forward it. Upon receiving the response, the switch stores it in its forwarding table, and from then on every packet of that flow is forwarded according to it. This is done through the southbound interface using protocols such as OpenFlow or NETCONF. Connections from the controller to the switches are established over the Transmission Control Protocol (TCP), preferably protected with Transport Layer Security (TLS).

On the northbound interface, the controller sends and receives information to and from SDN applications via standard APIs, typically RESTful. SDN applications can implement network functions such as routers, firewalls, load balancers, or any other network functionality. An example of an SDN application is a Software-Defined Wide Area Network (SD-WAN), which provides connectivity between remote sites over private and internet lines.

An SDN domain is all the devices under the same SDN controller. A network orchestrator is used to control multiple SDN domains. For example, when enterprise LANs are connected through a private SD-WAN service, there will be three controllers – two controllers for the two LANs and one controller for the SD-WAN. The orchestrator controls its end-to-end connectivity.

Several kinds of attack can be mounted against an SDN network:

  • Attacks on the connections between the controller and the SDN switches, which run over standard TCP connections on well-known port numbers and, if TLS is not enforced, can be eavesdropped on or tampered with.
  • Attacks on network controllers and orchestrators.
  • Attacks on data plane switches.

Later in this book, we will discuss these risks in more detail.
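
The reactive forwarding model just described, where a table miss becomes a request to the controller, is shown in the following Python simulation, an added example and not code from the book or from any SDN controller. It compares two controller policies for the rules it installs: exact match on source and destination MAC, and match on destination MAC only. Under exact-match rules, a host that sprays forged source addresses causes a request for every packet, which is how attackers overload a controller and its control channel; destination-keyed rules absorb the same flood after a single request. Host addresses, port numbers, and the rule format are constructed for the example; a real deployment would carry these messages over OpenFlow on TCP, with TLS.

```python
from dataclasses import dataclass
from typing import Optional

FLOOD = -1   # pseudo output port meaning "flood to all ports"


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    dst_mac: str


@dataclass(frozen=True)
class FlowRule:
    match_src: Optional[str]   # None matches any source
    match_dst: Optional[str]
    out_port: int
    priority: int = 1

    def matches(self, pkt):
        return ((self.match_src is None or self.match_src == pkt.src_mac)
                and (self.match_dst is None or self.match_dst == pkt.dst_mac))


class Controller:
    """Minimal controller: knows which port each legitimate host sits on and
    answers every packet-in with a rule. exact_match selects rule granularity."""

    def __init__(self, host_ports, exact_match):
        self.host_ports = host_ports
        self.exact_match = exact_match
        self.packet_in_count = 0     # load on the controller and control channel

    def packet_in(self, pkt):
        self.packet_in_count += 1
        out_port = self.host_ports.get(pkt.dst_mac, FLOOD)
        match_src = pkt.src_mac if self.exact_match else None
        return FlowRule(match_src=match_src, match_dst=pkt.dst_mac, out_port=out_port)


class SdnSwitch:
    """Forwards from its flow table; on a table miss it asks the controller,
    installs the returned rule, and forwards according to it."""

    def __init__(self, controller):
        self.controller = controller
        self.flows = []

    def process(self, pkt):
        for rule in sorted(self.flows, key=lambda r: -r.priority):
            if rule.matches(pkt):
                return rule.out_port
        rule = self.controller.packet_in(pkt)    # southbound request on a miss
        self.flows.append(rule)
        return rule.out_port


def packet_in_load(n_forged=500):
    """Constructed scenario: two hosts exchange traffic, then an attacker on
    port 3 sprays n_forged packets with forged source MACs toward host B.
    Returns {policy: (baseline packet-ins, packet-ins caused by the flood,
    flow table size afterwards)}."""
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    hosts = {host_a: 1, host_b: 2}
    results = {}
    for policy in ("exact", "dst_only"):
        controller = Controller(hosts, exact_match=(policy == "exact"))
        switch = SdnSwitch(controller)
        switch.process(Packet(1, host_a, host_b))   # miss -> packet-in
        switch.process(Packet(2, host_b, host_a))   # miss -> packet-in
        switch.process(Packet(1, host_a, host_b))   # hit, no packet-in
        baseline = controller.packet_in_count
        for i in range(n_forged):
            forged = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
            switch.process(Packet(3, forged, host_b))
        results[policy] = (baseline, controller.packet_in_count - baseline, len(switch.flows))
    return results
```

Coarser rules trade controller load for visibility, since forged-source packets then pass without the controller ever seeing them; real controllers combine proactive rule installation for known flows with rate limiting of packet-in messages per switch port.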

Network function virtualization (NFV)

NFV takes the concept of computing virtualization to the networking world. Instead of using dedicated hardware for every networking function, we use standard off-the-shelf (OTS) hardware running standard virtual machines (VMs), with the network functions implemented as software running on those VMs. First, let’s have a look at the platforms that host these applications:

Figure 1.14 – VMs and Hypervisors

The preceding diagram shows how the networking applications are installed. Where Linux containers are used instead of VMs, the applications run in containers that share the host kernel, each application in its own container or several together.

A Type 1 hypervisor is installed directly on the hardware. Here we find the most common server hypervisors, such as VMware ESX/ESXi, Microsoft Hyper-V, and Citrix XenServer.

A Type 2 hypervisor is installed on top of a host operating system. Here we find PC-based hypervisors such as VMware Workstation, Microsoft Virtual PC, and Oracle VirtualBox.

Important Note

A VM is an emulation of a computer system that provides the functionality of a physical computer. A hypervisor is the software that runs the VMs. There are two types: Type 1, which runs directly on the system hardware, and Type 2, which runs on top of a host operating system. The first hypervisors were developed by IBM in the 1960s; VMware shipped its first product, Workstation, in 1999 and ESX (later ESXi) in 2001; Xen, developed at the University of Cambridge and later acquired by Citrix, was released in 2003; Microsoft’s Hyper-V followed in 2008. In the Linux world, KVM turned the kernel itself into a Type 1 hypervisor (merged in 2007), while containers, from Solaris Zones on UNIX to LXC and Docker (2013) on Linux, virtualize at the operating-system level and share a single kernel. The purpose of all of them is the same: to run many applications, on different operating systems, independently on the same hardware.

Containers are now widely used to package network functions in NFV. These can be routers, switches, firewalls, security devices, and other applications in the data center network, as well as cellular network components installed on the same hardware. The NFV model is shown in the following diagram:

Figure 1.15 – Network function virtualization (NFV)

The NFV architecture is comprised of the following:

  • Computing hardware, including computing and storage resources.
  • Virtual resources; that is, the resources that are allocated to the VMs.
  • Virtualized network functions (VNFs), which are the VMs and the applications installed on them: routers, firewalls, core cellular components, and other network functions.
  • Element managers (EMs), which manage the network’s functionality.
  • NFV management and orchestration (MANO), along with operations support systems (OSSes) and business support systems (BSSes).

When considering NFV application security hazards, we should consider potential attacks on the entire software stack, from the operating system to Hypervisor, the VMs, and the applications.

SDN and NFV are about making the transition from hardware-based network functions to virtual networks. Now, let’s take this one step forward by going to the cloud and seeing how we can implement the network in it.


Cloud connectivity

There are various types of cloud services. The major ones are illustrated in the following diagram:

Figure 1.16 – Cloud-based services

Let’s look at the cloud computing services mentioned in the preceding diagram in detail:

  • Infrastructure as a Service (IaaS): These are cloud services that provide us with the hardware and VMs needed to run our environments. We only need to install, configure, and maintain the operating systems, applications, data, and user access management on top of it.
  • Platform as a Service (PaaS): These are cloud services that provide the platform – that is, the hardware and the operating system – so that users can install their applications directly.
  • Software as a Service (SaaS): These are cloud services that provide us with the necessary software so that we can connect to the software and work with it.

Now that we’ve covered the network structure and topologies, network virtualization and how it is implemented, and the different cloud service types and how we connect to the cloud, let’s talk about the risks and what can go wrong in each part.


Types of attacks and where they are implemented

Now that we’ve learned about network structures and connectivity, let’s have a look at potential threats, types of attacks, and their potential causes. Let’s look at the following diagram and see what can go wrong:

Figure 1.17 – The data, control, and management planes

Risks can be categorized as follows:

  • Threats that cause downtime to the entire IT environment or part of it. Here, the damage is the unavailability of IT resources to the organization. Damage can start from relatively minor issues such as loss of working hours, but for organizations that depend on the network, the loss of computing resources can be critical and cause unrecoverable damage.
  • Threats that cause damage to the organization’s data. Here, we have risks involving the destruction or theft of the organization’s data. Which of these matters depends on the organization – in some cases, both are critical, in other cases, only one of them is, and in some cases, neither.

Various types of attacks can cause unavailability, while other types can damage the data. In the next section, we will look at a critical point in any organization’s IT environment and what the results of such an attack are.

Attacks on the internet

Let’s start with the internet. Every once in a while, we hear that “A third of the internet is under attack” (Science Daily, November 1, 2017), “China systematically hijacks internet traffic“ (ITnews, October 26, 2018), “Russian Telco Hijacked Internet Traffic of Major Networks - Accident or Malicious Action?” (Security Week, April 7, 2020), “Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others. Ros Telecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers.” (ZDNet, April 5, 2020) and many more.

What is it? How does it work? Attacks on the internet network itself are usually attacks that deny or slow down access to the internet, and attacks that divert traffic so that it reaches its destination through the attacker’s network, or doesn’t get there at all.

In the first case, when the attacker tries to prevent users from using the internet, the attacks will usually be of the DoS and DDoS types.

Important Note

DDoS attacks are a very wide range of attacks that intend to prevent users from using a service. A service can be a network, a server that provides several services, or a specific service. A DDoS targeting the network can be, for example, a worm that generates traffic that blocks communication lines, or sessions that are generated for attacking the routers that forward the traffic. A DDoS targeting a specific server can be, for example, loading the server interfaces with a huge amount of TCP sessions. A DDoS targeting a specific service can be traffic generated to a specific TCP port(s) of the service itself.

DDoS attacks on the internet can be, for example, generating traffic to specific IP destinations, both from devices controlled by the attackers (referred to as direct attackers) and from third-party servers that are involuntarily used to reflect attack traffic (referred to as reflection attackers).

Another type of attack that can be performed on the internet is diverting traffic from its destination. This type of attack involves making changes to the internet routers so that traffic is diverted through the attacker network, as shown in the following diagram:

Figure 1.18 – Traffic diversion

Here, we can see traffic being sent from Alice to Bob being diverted through Trudy’s network. Normally, when Alice sends traffic to Bob, it will go through region A to region B and get to Bob. Under the attack, Trudy configures the routers in region B to pull the traffic in their direction, so that traffic from router A4 will be sent to B1. Inside region B, traffic will be forwarded to the point where it can be recorded and copied, and then it will be sent to router C3 in region C on the way to the destination.

Important Note

Bob, Alice, and Trudy (from the word intruder) are the common names of fictional characters commonly used in cyber security illustrations. Here, Bob and Alice are used as placeholders for the good guys that exchange information, while Trudy is used as a placeholder for the bad guy that tries to block, intrude, damage, or steal the data that’s sent between Bob and Alice.

To divert the data that should be forwarded from A4 to C3 so that it is sent to B1 in region B instead, router B1 must tell router A4 that it has a higher priority, so that router A4 will see that the best route to the destination is through B1 and not through C3. In the case of the internet, this is configured in the Border Gateway Protocol (BGP), which we will look at in more detail in Chapter 13, Attacking Routing Protocols.

In reality, the traffic in this example flows in both directions; the example shows a single direction for simplicity.
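The following is an added example, not code from the book, showing in a few lines why A4 ends up preferring B1 and what a router operator can check to avoid it. It assumes that Trudy wins path selection by announcing a more-specific prefix (one of several ways to look like the "higher priority" route in the text); the AS numbers, the prefixes, and the "expected origin" table (a constructed stand-in for an RPKI ROA) are assumptions, and the router names follow the figure.

```python
"""Simplified BGP best-path selection for the traffic diversion above,
plus an origin check that filters the diverting route out again.
Added example, not code from the book; AS numbers, prefixes and the
expected-origin table are constructed."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: str                # destination prefix, e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]   # AS numbers; the rightmost one is the originating AS
    next_hop: str              # neighbouring router the route was learned from


# Constructed AS numbers for Trudy's region B and Bob's region C
AS_REGION_B, AS_REGION_C = 65002, 65003

# Constructed: the routes router A4 (region A) holds for Bob's network
ROUTES: List[Route] = [
    # Bob's real network, learned from C3 in region C
    Route("203.0.113.0/24", (AS_REGION_C,), "C3"),
    # Trudy's announcement from B1: a more-specific slice of the same prefix
    Route("203.0.113.0/25", (AS_REGION_B,), "B1"),
]

# Constructed authorization table in the spirit of an RPKI ROA:
# prefix -> (AS allowed to originate it, longest prefix length allowed)
EXPECTED_ORIGINS: Dict[str, Tuple[int, int]] = {
    "203.0.113.0/24": (AS_REGION_C, 24),
}


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route A4 would use: longest prefix match first, then the
    shortest AS path (a simplified BGP decision process)."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, len(r.as_path)),
    )


def validate_origin(route: Route) -> str:
    """Return 'valid', 'invalid' or 'unknown' for a route against the table:
    a covered prefix is valid only if its origin AS is the allowed one and
    it is not more specific than the allowed maximum length."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    for prefix, (allowed_as, max_len) in EXPECTED_ORIGINS.items():
        if net.subnet_of(ipaddress.ip_network(prefix)):
            if origin == allowed_as and net.prefixlen <= max_len:
                return "valid"
            return "invalid"
    return "unknown"


def best_route_filtered(routes: List[Route], destination: str) -> Optional[Route]:
    """Same selection, after dropping routes that fail the origin check."""
    accepted = [r for r in routes if validate_origin(r) != "invalid"]
    return best_route(accepted, destination)


if __name__ == "__main__":
    bob = "203.0.113.25"  # constructed address inside the hijacked /25
    print("without origin filtering, A4 forwards via", best_route(ROUTES, bob).next_hop)
    print("with origin filtering, A4 forwards via   ", best_route_filtered(ROUTES, bob).next_hop)
```

The more-specific /25 wins the longest-prefix comparison before any BGP attribute is even looked at, which is why a route filter that rejects unexpected origins and over-long prefixes has to run before best-path selection rather than after it.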

Attacks from the internet targeting the organization network

Attacks from the internet can be of various types. They can be intrusion attempts, DDoS, scanning, and more. Let’s look at some examples.

Intrusion attempts are discovered and blocked by identifying anomalies or well-known patterns. An anomaly is, for example, a sudden increase in traffic to or from an unknown source, while an intrusion pattern is, for example, port scanning. Further discussion on suspicious traffic patterns will be provided in Chapter 6, Discovering Network-Based Attacks and Tools.

A nice website called Digital Attack Map provides a daily world map of DDoS attacks. It can be found at https://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18419&view=map.
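The following is an added example, not code from the book, that turns three of the patterns described above into detection logic: the direct SYN flood against one service and the reflection traffic from the DDoS note, and the port-scanning pattern from the intrusion paragraph. It runs over flow records; the record format, the sample lines, the thresholds, and the list of reflector ports are all constructed for this illustration and would be tuned in a real deployment.

```python
"""Detectors for a port scan, a direct SYN flood and reflected replies,
run over flow records. Added example, not code from the book; the
record format, sample lines and thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    flags: str   # TCP flag letters ("S" = bare SYN, "SA" = SYN/ACK); "-" for UDP


# Constructed sample records: "time src dst proto sport dport flags"
SAMPLE_FLOWS = """
# one source probing many ports of one host (port scan)
1 10.0.0.5 203.0.113.10 tcp 40001 22 S
1 10.0.0.5 203.0.113.10 tcp 40002 23 S
1 10.0.0.5 203.0.113.10 tcp 40003 25 S
1 10.0.0.5 203.0.113.10 tcp 40004 80 S
1 10.0.0.5 203.0.113.10 tcp 40005 443 S
1 10.0.0.5 203.0.113.10 tcp 40006 445 S
1 10.0.0.5 203.0.113.10 tcp 40007 3389 S
1 10.0.0.5 203.0.113.10 tcp 40008 8080 S
# many sources, one service, bare SYNs that never complete (direct SYN flood)
2 198.51.100.1 203.0.113.20 tcp 51001 80 S
2 198.51.100.2 203.0.113.20 tcp 51002 80 S
2 198.51.100.3 203.0.113.20 tcp 51003 80 S
2 198.51.100.4 203.0.113.20 tcp 51004 80 S
2 198.51.100.5 203.0.113.20 tcp 51005 80 S
2 198.51.100.6 203.0.113.20 tcp 51006 80 S
# a normal NTP exchange: the host asks, the server answers
3 203.0.113.30 192.0.2.9 udp 50000 123 -
4 192.0.2.9 203.0.113.30 udp 123 50000 -
# NTP "answers" from servers the host never asked (reflection)
5 192.0.2.11 203.0.113.30 udp 123 50000 -
5 192.0.2.12 203.0.113.30 udp 123 50000 -
5 192.0.2.13 203.0.113.30 udp 123 50000 -
"""

# UDP services commonly abused as reflectors (DNS, NTP, SSDP, memcached)
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, flags = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(sport), int(dport), flags))
    return flows


def detect_port_scans(flows: List[Flow], min_ports: int = 5) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs where one source sent SYNs to at least min_ports TCP ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_syn_floods(flows: List[Flow], min_syns: int = 5) -> Dict[Tuple[str, int], int]:
    """(dst, dport) services that received at least min_syns bare SYNs."""
    syns = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syns[(f.dst, f.dport)] += 1
    return {svc: n for svc, n in syns.items() if n >= min_syns}


def detect_reflection(flows: List[Flow], min_sources: int = 3) -> Dict[str, int]:
    """Hosts that got replies from at least min_sources reflector ports
    without having sent a matching request first."""
    requested = set()                # (client, server, service port) seen as a request
    unsolicited = defaultdict(set)   # target -> servers that answered unprompted
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS:
            requested.add((f.src, f.dst, f.dport))
        elif f.sport in REFLECTOR_PORTS and (f.dst, f.src, f.sport) not in requested:
            unsolicited[f.dst].add(f.src)
    return {dst: len(s) for dst, s in unsolicited.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("port scans:", detect_port_scans(flows))
    print("SYN floods:", detect_syn_floods(flows))
    print("reflection targets:", detect_reflection(flows))
```

The three detectors key on different things on purpose: a scan is one source touching many ports, a flood is many sources hitting one service, and reflection is replies without requests. That is why the scanning host is not reported as a flood and the flood sources are not reported as scanners.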

Attacks on firewalls

Attacks on firewalls usually take place when the attacker tries to penetrate the network. Penetrating the network can be done in several ways. It can be done by scanning the firewall to look for security breaches, such as ports that were left open so that we can open a connection through them to the internal network. Another method is to crash the firewall services so that it continues to work only as a router. We can also generate user login attempts to log into the firewall as a VPN client and break into the secured network.

Another component we need to protect is the firewall management console. When the console is installed on an external device, make sure it is hidden from the internet and protected with strong passwords.

Attacks on servers

When attacking the organization’s servers, the risk is to the organization's data, and sometimes, this is the most dangerous risk. In this book, we will talk about threats to networks and network services and how to secure them.

There are various types of attacks that can be carried out against an organization’s servers. Attacks can be on the availability of the servers, on the services that run on them, or on their information. The following are some of the risks to servers:

  • Risks to servers and software such as HTTP, mail, IP telephony, file servers, databases, and others. This will be covered in the third part of this book.
  • Risks involving DDoS targeting servers to prevent users from accessing them.
  • Risks involving breaking into servers to try to steal or destroy the information running on them.
  • Risks involving impersonating users and data disruption.

Risks to network applications, services, and servers will be discussed in the third part of this book.

Attacks on local area networks (LANs)

Attacks on the organization’s LANs can be implemented in several ways, but the intruder must be inside the LAN or break into the LAN from an external network.

The attacks here can be of several types:

  • Attacks on network devices, as described in Chapter 7, Attacks on Network Devices and their Mechanisms, such as attacks on LAN switches and their CPUs to cause them to drop packets and reach the point of inactivity.
  • Attacks on network protocols, as described in Chapter 6, Network-Based Attacks and Tools, and Chapter 7, Attacks on Network Devices and their Mechanisms, such as attacks on Spanning Tree Protocol (STP), attacks on ARP caches, and many others.
  • Another category of attacks is eavesdropping and information theft. These types of attacks will be described in Chapter 8, Network Traffic Analysis and Eavesdropping.
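The ARP cache attacks listed above are among the easiest LAN attacks to spot from the network itself, because the poisoned bindings are visible in the ARP replies. The following is an added example, not code from the book, of the check a LAN sensor (or a switch with Dynamic ARP Inspection) performs: it keeps a binding table and alerts on any reply that contradicts it. The addresses and sample replies are constructed, and the trusted gateway binding is an assumption (in practice it would come from a DHCP snooping table or static entries).

```python
"""Spotting ARP cache poisoning from observed ARP replies. Added example,
not code from the book; addresses and sample replies are constructed."""
from typing import Dict, List, NamedTuple, Set


class ArpReply(NamedTuple):
    ts: int
    sender_ip: str    # the IP the reply claims to speak for
    sender_mac: str   # the MAC it binds that IP to
    target_ip: str    # the host whose cache will be updated by this reply


# Constructed: what a sensor on the LAN might see. 10.1.0.1 is the gateway.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(1, "10.1.0.1", "aa:aa:aa:aa:aa:01", "10.1.0.50"),   # gateway answers PC1
    ArpReply(2, "10.1.0.50", "aa:aa:aa:aa:aa:50", "10.1.0.1"),   # PC1 answers the gateway
    ArpReply(3, "10.1.0.1", "de:ad:be:ef:00:99", "10.1.0.50"),   # another MAC claims the gateway IP
    ArpReply(4, "10.1.0.1", "de:ad:be:ef:00:99", "10.1.0.51"),   # ... and tells PC2 the same
    ArpReply(5, "10.1.0.60", "aa:aa:aa:aa:aa:60", "10.1.0.1"),   # new host, seen for the first time
]


class ArpAlert(NamedTuple):
    ts: int
    ip: str
    expected_mac: str
    seen_mac: str
    target_ip: str
    claims_gateway: bool


def audit_arp(replies: List[ArpReply], trusted: Dict[str, str], gateway_ip: str) -> List[ArpAlert]:
    """Compare every reply with the binding table. A binding, whether
    trusted or learned on first sight, is never overwritten by a
    conflicting reply; each conflict produces an alert instead (a switch
    with Dynamic ARP Inspection would drop such a frame)."""
    bindings = dict(trusted)  # start from the trusted (static / DHCP snooping) entries
    alerts: List[ArpAlert] = []
    for r in sorted(replies, key=lambda r: r.ts):
        expected = bindings.setdefault(r.sender_ip, r.sender_mac)
        if expected != r.sender_mac:
            alerts.append(ArpAlert(r.ts, r.sender_ip, expected, r.sender_mac,
                                   r.target_ip, r.sender_ip == gateway_ip))
    return alerts


def poisoned_hosts(alerts: List[ArpAlert]) -> Set[str]:
    """Hosts that received a conflicting reply and whose cache may now be wrong."""
    return {a.target_ip for a in alerts}


if __name__ == "__main__":
    found = audit_arp(SAMPLE_REPLIES, {"10.1.0.1": "aa:aa:aa:aa:aa:01"}, "10.1.0.1")
    for a in found:
        print(f"t={a.ts}: {a.ip} claimed by {a.seen_mac} (expected {a.expected_mac}),"
              f" sent to {a.target_ip}, gateway={a.claims_gateway}")
    print("hosts that may now forward through the wrong MAC:", sorted(poisoned_hosts(found)))
```

Seeding the table with the gateway binding matters: without it, a poisoner that answers before the real gateway would be learned as the legitimate entry, and only the real gateway's later replies would be flagged.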

Attacks on network routers and routing protocols

Attacks on routers and routing protocols target the routers and the interactions between them. The following are some attacks that can be performed on router networks:

  • Attacks on the router’s hardware and software, as described in Chapter 7, Attacks on Network Devices and Their Mechanisms.
  • Attacks on routing protocols, misleading the routers to stop forwarding packets or sending packets in the wrong direction.
  • Attacks on protocols that are not routing protocols but serve other purposes on routers, such as Hot Standby Routing Protocol (HSRP)/Virtual Router Redundancy Protocol (VRRP), multicast protocols, and so on.
  • Another common attack carried out on routers and Wide Area Networks (WANs) is DDoS, where, by flooding the communication lines, the attacker can prevent users from using the network.

We will learn how router networks can be jeopardized and how they can be protected in Chapter 12, Routing Protocols Breaches, How to Attack, and How to Protect.

Attacks on wireless networks

Attacking wireless networks and protecting against these attacks, with an emphasis on Wi-Fi networks that are based on 802.11 standardization, is a major challenge both for the attackers and the organizations that protect against them.

There are several lines of protection here, which will be described in Chapter 11, Wireless Networks Security; they are built on the following principles:

  1. Authenticate users with strong authentication when accessing the organization's Wi-Fi.
  2. Encrypt the information that’s sent over the air between users and access points.
  3. Don’t trust Steps 1 and 2 and connect the wireless networks through a firewall.

This is a simple set of rules regarding how to protect wireless networks, but if you forget one of them, the whole chain will be broken.

As a rule, anything you send over the air can be heard, and when you invite guests onto your network, make sure they stay guests: if you have guest network(s), isolate them completely from the organization network.


Summary

In this chapter, we talked about network architecture and the structure of an organization’s network. We talked about the data center, which holds the organization’s network, the user network, which the users connect to, and the core network, which connects everything. We also talked about the perimeter, which is the connection from the organization to the world.

Then, we talked about network virtualization in SDN and NFV, the advantages of these networks and their risks, and cloud services and how to connect to them.

After that, we talked about the risks that can occur at every point; risks can come from attacks coming from the internet, from attacks on the organization's servers, attacks on network devices, and attacks on and from the wireless networks.

In the next chapter, we will talk about the network protocols that implement the topologies we talked about in this chapter, where they are implemented, and the potential risks of each.


Questions

Answer the following questions to test your knowledge of this chapter:

  1. What is the core network?
    A. The network that connects the servers to the internet
    B. The center of the network that connects the data center(s) and the user networks
    C. A general term for an enterprise network
    D. The network between the users and the internet
  2. In Figure 1.5, on the left, we can see a typical network topology. In this network, assuming they are on the same IP subnet, when PC1 pings PC5, the packets are forwarded through which of the following?
    A. Access switch ACC1, distribution switch DIST1, core switches CORE1 and CORE2, data center switches DC1 and DC2, distribution switch DIST2, and access switch ACC4.
    B. Access switch ACC1, distribution switch DIST1, core switches CORE1 and CORE2, distribution switch DIST2, and access switch ACC4.
    C. Answers (A) and (B) can be correct, depending on the routing configuration.
    D. Answers (A) and (B) can be correct, depending on the HSRP configuration.
  3. In the same figure (Figure 1.5) on the left, PC1 pings PC4. The packets will go through which of the following?
    A. ACC1, DIST1, CORE1, DIST2, and ACC3
    B. ACC1, DIST1, CORE2, DIST2, and ACC3
    C. ACC1, DIST1, CORE1, CORE2, DIST2, and ACC3
    D. ACC1, DIST1, CORE1, DC1, DC2, CORE2, DIST2, and ACC3
  4. Assuming PC1 is in VLAN50 and PC2 is in VLAN60, pings are sent from PC1 to PC2. Routing will be performed on which of the following?
    A. The left network is on CORE1 and the right network is on DC1.
    B. The left network is on CORE1 or CORE2, and the right network is on DC1 or DC2, depending on the routing protocol configuration.
    C. The left network is on CORE1 and the right network is on DC2.
    D. The left network is on CORE1 or CORE2, and the right network is on DC1 or DC2, depending on the HSRP configuration.
  5. In Figure 1.8, on the left, the packets from PC4 that are sent to the servers will be forwarded through which of the following?
    A. ACC3, DIST2, CORE2, and DC2
    B. ACC3, DIST2, CORE2, FW2, DC2, and FW1
    C. ACC3, DIST2, CORE2, FW2, and DC2
    D. Any of the above, depending on the routing configuration.
  6. Which of the following is a characteristic of attacks that target the data plane?
    A. Changing routing tables to divert packets in the attacker’s direction
    B. Flooding the network to stop users from using it
    C. Taking control of the device’s console to change its configuration
    D. All of the above
  7. Which of the following is a characteristic of attacks that target the control plane?
    A. Changing routing tables to divert packets in the attacker’s direction
    B. Flooding the network to stop users from using it
    C. Taking control of the device’s console to change its configuration
    D. All of the above
  8. What are DDoS attacks?
    A. Attacks that prevent access to the network
    B. Attacks that prevent access to network servers
    C. Attacks that prevent access to network services
    D. All of the above

Answers

  1. (B)
  2. (B)
  3. (C)
  4. (D)
  5. (D)
  6. (B)
  7. (A)
  8. (D)

About the Authors

  • Deepanshu Khanna

    Deepanshu Khanna is a 23-year-old Information Security & Cyber Crime Consultant and one of the country’s pioneers in the field. His young and dynamic personality has not only assisted in solving and creating awareness about information security and cyber crimes but also

    During his graduation at Lovely Professional University, he developed projects such as an Intrusion Detection System, an Advanced Intrusion Detection System, and an IP Security System, exhibiting his sharp acumen for technology; his project was later selected for Project Dissertation-2014, held at LPU.

    At the age of 19, Deepanshu exposed vulnerabilities in the GRUB terminal of Red Hat Linux 5. The loophole allowed attackers to gain access to the main system as root, and his name appeared in many newspapers, such as Maharashtra Times, India Times, and Divya Marathi, and in many other security research blogs.

    He presented his research paper at HATCon, Nashik, for which he received an appreciation certificate from the owners and directors of HCF (Hindustan Cyber Force).

    At 20, Deepanshu found loopholes such as "Partial Error Based and Partial Blind Based SQLIs" in many government sites, including that of the AAM AADMI Party (AAP), for which he was rewarded with an appreciation letter by AAP.

    At 21, Deepanshu successfully solved numerous cyber crime cases for many Crime Branches and Crime Investigation Departments, including phishing cases, the biggest data theft case, an espionage case, a credit card fraud case, several Orkut fake profile impersonation cases, and more.

    At 21, Deepanshu successfully broke into the MD5 hash algorithm and got his paper published in Hackin9 (an international hacking magazine), where it was appreciated as the Best Article of July 2014.

    At 21, during his college days, PENTESTMAG and HACKIN9, the world’s most prominent magazines on hacking and penetration testing, conducted his media interview for publishing more than 9 research papers, with licensed copyright, on various hacking techniques in use around the world.

    At 22, Deepanshu received an award from the Indian Defense (North Eastern Police Academy) as a token of appreciation for showing the workings of various black market techniques, and also found the CSRF token authentication vulnerability in PNB, for which he was awarded an appreciation mail letter.

    He has also received a number of mementos and appreciation letters from different colleges around India for his excellent interaction, communication, and training programs that he runs during workshops, seminars, and trainings.

    Deepanshu’s exceptional talent and expertise is widely recognized in India and abroad. He was bestowed with a memento as a token of appreciation by the Indian Defense (North Eastern Police Academy) for giving training on various black market techniques and the methodologies attempted by black hats to various CID, CBI, and Police Department officers of different states, at the mere age of 22, in 2014. Further, Deepanshu has been awarded many appreciation letters for his research papers on Intrusion Detection Systems and Algorithm Depletion.

    At 23, Deepanshu got his research paper on MD5 Collision Exploitation selected for TOORCON17, held in the USA, and DEFCON-2016, and also got it published on Packetstorm.

    Deepanshu has conducted various workshops and seminars on "ANTIVIRUS, Vulnerability Assessment, Penetration Testing, Cyber Crime Investigation & Forensics" at various institutions all across India. He is a frequent guest at engineering colleges and India Inc. to deliver sessions on "Intrusion Detection Systems".

    He runs a Certified Training program on Information Security Expert, Cyber Crime Investigation & Forensics at Jalandhar, Punjab, and various centres across India, which is appreciated by students, professionals, lawyers, and law enforcement officials. The same program was attended by the Cyber Cell, Crime Investigation Dept. Jharkhand, and the Ministry of Home Affairs, India.

    He is now the Head of the Information Security Consulting Dept. at Sytech Labs, a rapidly growing security services and investigation consulting organization focusing on Cyber Crime Investigations, Cyber Law Consulting, Vulnerability Assessment & Penetration Testing, and Information Security Training.

    Cell: +91-9779903383

    Facebook Profile: https://www.facebook.com/deepanshu.khanna17

    LinkedIn Profile: in.linkedin.com/in/deepanshukhanna/
  • Yoram Orzach

    Yoram Orzach is a senior networks and network security advisor, providing network design and network security consulting services to a range of clients. Having spent thirty years in network and information security, Yoram has worked as a network and security engineer across many verticals, in roles ranging from network engineer to security consultant and instructor. Yoram gained his B.Sc. from the Technion in Haifa, Israel. His experience covers both corporate networks and service provider and Internet service provider networks. His customers include Motorola Solutions, Elbit Systems, 888, Taboola, Bezeq, PHI Networks, Cellcom, the Strauss Group, and many other hi-tech companies.
