From time to time Stickley publishes articles on a broad range of security related issues. Included here are some of those articles.

Security, Switches and the Idiot

My name is Jim Stickley and I have a problem. Unfortunately, I don't think there is an association that has been formed to help. No weekly meetings, no twelve-step program. In fact, though I am certain millions of people are afflicted with the same condition, it seems there has been no grass-roots effort to do something about it. You see, I am surrounded by idiots. Let me first state that I am by no means a genius. In fact my wife would probably say that I am just lucky to be walking upright. So for a Cro-Mag like myself to be aware of such a dismaying situation, it truly must be of epidemic proportion. Of course one might think a group such as MENSA might be just the ticket. A forum dedicated to the exchange of intellectual ideas amongst its members would appear to be the natural solution. Unfortunately not even MENSA has been able to defeat this breed of idiot. In fact I have met several MENSA members who can easily fall into the idiot classification. No longer is the term idiot only for the slack-jawed, tobacco-chewing cretin. The idiot has learned to adapt. Now, through reading books and getting degrees, the idiot has learned to blend in with regular society. Look around your office; several of your co-workers might just be idiots. In fact some idiots might not even know they suffer from this affliction.

I have always found that an example can generally make the point. I was recently at a co-location site where the ISP hosted hundreds of servers for organizations throughout the United States. While testing the network for vulnerabilities I was given access to plug my laptop into a switch located on the "Internet" side of the network. When I started sniffing the network traffic I could see broadcasts from numerous servers. Immediately I assumed the ISP had given me special access through their VLAN for testing and that was why I could see so much traffic. I asked to be moved to one of the networks being hosted. The employee I was working with looked at me with a puzzled expression. I explained that I wanted to plug into a port that would be similar to any of the hosted servers on the network. He explained to me that I was. Still in disbelief, I pressed on, asking to be physically taken to one of the cages and allowed to plug into the same spot the customers were plugged into. He complied while continuing to explain that everyone was plugged into the backbone the same way. Though my concerns were growing I still kept an open mind. As I plugged the cable into the switch provided to one of their customers, my sniffer tool immediately started spewing broadcast information from servers all over the site. The employee saw the data and immediately explained to me that the traffic was not a security risk because the switch was only passing broadcast information and it was not passing "real data". I explained that the switch was not a security device and that "real data" could be viewed as well. The employee responded that the switch was a security device and the whole point of a switch was to keep people from being able to sniff traffic on a network. This employee was an idiot.

If knowledge is power, what happens when the knowledge is based on misinformation? The problem with the idiot of today is that they have just enough information to think they know what they are talking about. But unfortunately, once they have gained that knowledge they have an inexplicable aversion to change. Life is black or white, and when you mix the two colors together you get red. The idiot would rather argue the limited facts they have gathered than listen to additional information. As for the employee I mentioned above, ultimately he left and a few minutes later returned with reinforcements. Now there were three employees explaining to me how a switch worked. This is a typical maneuver of the idiot. Politicians do it as well. If there are more of us than there are of you, we must be right.

Understanding the switch

The definition of a switch as defined by about.com reads: A network switch is a small device that joins multiple computers together at a low-level network protocol layer. Technically, network switches operate at layer two (Data Link Layer) of the OSI model. Network switches look nearly identical to hubs, but a switch generally contains more "intelligence" than a hub. Unlike hubs, network switches are capable of inspecting the data packets as they are received, determining the source and destination device of that packet, and forwarding that packet appropriately. By delivering messages only to the connected device that it was intended for, network switches conserve network bandwidth and offer generally better performance than hubs.

This definition clearly states what a switch is doing and how it works. What is not mentioned is the word security. A switch is not a security device. Though a switch does offer an inadvertent level of security, its primary design is for performance. The misunderstanding comes from the way the switch passes the packets. Since the switch is aware of where the packet is coming from and where it is going to, it does not send every packet out to all ports. Instead it keeps track of the MAC address, and the IP address it corresponds to, on each of its ports. By doing so it knows where to send a packet when it arrives at the switch. The security benefit is that it does not pass the packet out to all ports but instead only to its intended recipient. Because of this, a person running a sniffer on a switch will only see traffic that is destined for them. All other traffic will be ignored.

By reading the previous paragraph you can't help but understand why the idiot was so sure they were doing things securely. If the traffic can't get to me, I can't sniff it. If I can't sniff it, then there is no security issue. However, there is a flaw in this design. Keeping in mind that the switch is not a security device, you have to assume there must be a loophole. In this case it's as simple as convincing the switch that the IP address it thinks it is looking for is actually assigned to a different MAC address. Simply put, the switch can be fooled into passing packets to the wrong computer. In reality the computers sending the traffic are the ones being tricked, but the result is what is most important here. When all is said and done, I can plug my laptop into a switch and watch the traffic as it flows between one or more computers on the same local network segment.

Continuing with the example I gave earlier, I can show you just how devastating this misunderstanding can be. Being one of a number of different organizations all communicating over the same local switch, I decide to start spoofing packets to other servers on the network. I broadcast out to server A that the default router has the MAC address that is actually my address. This is sometimes known as ARP poisoning and is often used for denial-of-service types of attacks. In this case, though, I am not looking to cause a denial of service, so I must also do some additional work. I will now tell the router that server A is also my MAC address. Now both systems think I am the address for one another. Now I just have to pass the data back and forth between the two as it passes through me. Of course doing this requires a small amount of work, but fortunately several programs have already been written to do this for me. My personal favorite is Cain version 2.5. It not only takes care of the above-mentioned steps, it also logs all passwords it sniffs on the wire, such as telnet and POP, which is often used by programs such as Outlook and Eudora to retrieve mail from mail servers. So I simply crank up Cain, pick a few servers to target (though I could select every server on the local network if I wanted) and start watching the traffic. Within minutes I have captured the passwords to hundreds of POP mail accounts. In addition I have captured the passwords to FTP servers and several Hotmail accounts.
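To make the point of the last three paragraphs concrete, here is a small model, added here and not part of the article, of a learning switch plus hosts with their own ARP caches. It shows that the switch keeps forwarding exactly as designed throughout; only the hosts' ARP caches are wrong. All MAC and IP addresses are constructed for the example.

```python
"""Added example (not from the article): a learning switch and hosts with ARP caches,
showing why ARP poisoning works on a switched segment. Addresses are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Learning switch: records the port each source MAC arrives on and forwards a frame
    only to the port of its destination MAC. Broadcasts and unknown destinations are
    flooded to every other port, which is the chatter a sniffer on any port still sees."""
    def __init__(self, ports):
        self.ports, self.mac_table = ports, {}      # mac -> port

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port           # learn where the sender lives
        out = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            return sorted(p for p in self.ports if p != in_port)   # flood
        return [out]

class Host:
    """A host keeps an ARP cache and, like classic stacks, accepts any ARP reply it gets."""
    def __init__(self, ip, mac, port):
        self.ip, self.mac, self.port, self.arp_cache = ip, mac, port, {}
    def learn_arp(self, ip, mac):
        self.arp_cache[ip] = mac
    def send(self, switch, dst_ip):
        return switch.forward(self.port, self.mac, self.arp_cache[dst_ip])

def run_scenario():
    """Ports a frame from server A to the gateway reaches before and after poisoning."""
    sw = Switch(ports=[1, 2, 3])
    gw = Host("192.0.2.1", "00:00:5e:00:53:01", port=1)    # default router
    srv = Host("192.0.2.10", "00:00:5e:00:53:10", port=2)  # server A
    atk = Host("192.0.2.66", "00:00:5e:00:53:66", port=3)  # the laptop in the story
    for h in (gw, srv, atk):        # one broadcast each so the switch learns every port
        sw.forward(h.port, h.mac, BROADCAST)
    gw.learn_arp(srv.ip, srv.mac); srv.learn_arp(gw.ip, gw.mac)   # legitimate ARP
    before = srv.send(sw, gw.ip)    # [1]: delivered only to the gateway's port
    srv.learn_arp(gw.ip, atk.mac)   # forged reply: "gateway is at the laptop's MAC"
    gw.learn_arp(srv.ip, atk.mac)   # forged reply: "server A is at the laptop's MAC"
    after = srv.send(sw, gw.ip)     # [3]: same switch, frame now lands on port 3
    relayed = sw.forward(atk.port, atk.mac, gw.mac)   # laptop passes it on to the real gateway
    table_intact = sw.mac_table[gw.mac] == 1 and sw.mac_table[srv.mac] == 2
    return {"before": before, "after": after, "relayed": relayed,
            "switch_table_intact": table_intact}
```

The switch's MAC table is identical before and after; every frame went where the destination MAC said it should, which is why a switch on its own is no defence.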

If I had been a malicious user I could have compromised several servers, and that was with little effort and limited time. It should now be clear that a switch is not meant to replace strong security and encrypted sessions. If confidential traffic is being passed across a switch and there are no security controls in place to limit who can access this data, this information is at risk. In addition, some switches have been given a much beefier role in the network and have been designed with security in mind. MAC security, which monitors which port has a specific MAC, is one simple way to avoid many of the security risks associated with ARP poisoning. However, most administrators never enable this feature.
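On the detection side, the poisoning pattern described above leaves a clear fingerprint in ARP traffic: an IP that was bound to one MAC is suddenly claimed by another, and the same new MAC claims two hosts at once (the router and server A) because it needs both directions to relay rather than just drop traffic. The following monitor, added here and not part of the article, flags both signals from a constructed stream of ARP replies as a mirror port or host-based ARP watcher would see them; the gateway binding is pinned statically, the rest are learned on first sight. Addresses are constructed.

```python
"""Added example (not from the article): flag the ARP poisoning pattern from a stream of
ARP replies seen on a segment. A pinned gateway binding plus first-seen learning for the
rest; a MAC that takes over two IPs is reported as a likely man-in-the-middle."""
from collections import defaultdict

# Constructed sample of ARP replies on one segment: (sender_ip, sender_mac).
# The first three are normal; the last two are one MAC claiming the router and server A.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),    # default router
    ("192.0.2.10", "00:00:5e:00:53:10"),   # server A
    ("192.0.2.20", "00:00:5e:00:53:20"),   # server B
    ("192.0.2.1", "00:00:5e:00:53:66"),    # another MAC now claims the router
    ("192.0.2.10", "00:00:5e:00:53:66"),   # and server A as well
]

# The one binding worth pinning by hand on every segment: the default router.
TRUSTED_BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01"}

def analyze_arp(replies, trusted=None):
    """Return (conflicts, mitm_suspects).

    conflicts: list of (ip, known_mac, new_mac) for every reply that rebinds a known IP.
    mitm_suspects: MACs that hijacked more than one IP, i.e. both ends of a conversation.
    """
    bindings = dict(trusted or {})      # ip -> MAC we believe
    hijacked = defaultdict(set)         # offending MAC -> IPs it claimed
    conflicts = []
    for ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first sighting becomes the baseline
        elif known != mac:
            conflicts.append((ip, known, mac))
            hijacked[mac].add(ip)       # the baseline is kept; the reply is not trusted
    mitm_suspects = {m for m, ips in hijacked.items() if len(ips) > 1}
    return conflicts, mitm_suspects

if __name__ == "__main__":
    found, suspects = analyze_arp(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS)
    for ip, known, new in found:
        print(f"ARP conflict: {ip} was {known}, now claimed by {new}")
    for mac in suspects:
        print(f"likely man-in-the-middle: {mac} answers for two hosts")
```

A single conflict can be a legitimate NIC swap or DHCP churn; one MAC swallowing two bindings within seconds is the pattern that warrants pulling the port.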

The idiot and his crew now stand silent as I document my findings. Eventually one of them asks if they can have a copy of the program I just ran. I explain it's free off the internet and they are welcome to download it from the author. A shiver runs down my spine as I try to imagine what this individual could possibly have in mind for using this tool.