Post on 19-Dec-2021

2 views

Category:

Documents


0 download

TRANSCRIPT

Lecture Notes: Introduction to Network Security and Spoofing 

1.1 Network Security

1.1.1 Introduction to Network Security

Network security refers to the measures adopted for securing the network of an organisation from unauthorised access, malicious activities, spyware and several other threats. A particular network may consist of a large amount of shared or confidential data that needs protection; hence, securing a network is necessary.

A computer network should follow the three fundamentals of security, which are as follows:

● Confidentiality: Only those who are given access should be able to view or edit the data.

● Integrity: The information should remain consistent throughout its lifetime unless any authorised changes are made.

● Availability: The information should be available to all the authentic users at all times.

1.1.2 Components of Network Security

To protect a network, it is crucial to focus on all the components of network security. These components not only make the network secure but also help in maintaining the network performance. The four essential elements of network security are as follows:

● Firewalls: Firewalls are similar to security walls that protect the network by monitoring incoming and outgoing traffic. The decision to allow specific traffic or not is taken by firewalls.

● Intrusion detection system: An intrusion detection system can be a device or an application that tracks any malicious activity and policy violation in the network. These systems can be classified into several categories such as network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).

© Copyright 2020. upGrad Education Pvt. Ltd. All rights reserved

In this image, you can see that an IDS is placed after a firewall so that even if an attacker is able to bypass a firewall, they cannot pass through the IDS, as the IDS will immediately inform the management station.

● Intrusion prevention system: Intrusion prevention systems differ from IDS in the sense that they detect and prevent vulnerabilities. These systems are placed just behind the firewalls as an additional layer of security.

● Network access control: Access control tools make sure that only authorised users can access the network and devices in the network. A few behavioural tools also detect any abnormal behaviour in the network.

● Security information and event management (SIEM): This network security component is a combination of two different components. The security event management software conducts a real-time analysis of a network and informs network administrators about the threats and vulnerabilities. It collects data from log files and performs analysis on them. Then, it submits the report to network administrators.

1.1.3 Types of Networks

Networks are broadly classified into four types based on their sizes and accessibility. These four types of networks and their features are based on certain parameters that are presented in the table given below.

Parameters compared: Local Area Networks (LAN), Personal Area Networks (PAN), Metropolitan Area Networks (MAN) and Wide Area Networks (WAN).

Definition
● LAN: Local area networks spread across a very small area and connect a limited number of devices. An example of a LAN could be a network in an office building.
● PAN: Personal area networks connect devices that are very near to each other. An example of a PAN could be the connection of devices via Bluetooth.
● MAN: Metropolitan area networks connect devices within a larger geographical area. They can be a combination of several LANs as well. An example of a MAN could be cable TV networks across a city.
● WAN: Wide area networks spread across a country or continents. The best example of a WAN is the internet.

Bandwidth (the amount of information transferred by a network at a time)
● LAN: LANs offer a very high bandwidth.
● PAN: PANs offer a high bandwidth but with certain range limitations.
● MAN: MANs offer a moderate bandwidth.
● WAN: WANs offer quite a low bandwidth.

Range
● LAN: LANs offer a limited range between 100–1,000 metres.
● PAN: PANs are accessible only within 10 metres.
● MAN: MANs have a range of up to 100 kilometres.
● WAN: WANs offer the highest range of up to several 1,000 kilometres.

Speed
● LAN: LANs offer a high data transfer speed of up to 1,000 Mbps.
● PAN: PANs also offer a high data transfer speed but within a range.
● MAN: MANs offer a data transfer speed of 100 Mbps.
● WAN: WANs offer the lowest data transfer speed owing to their high coverage area.

1.2 Local Area Networks

LANs are computer networks that interconnect computers within a limited area. Common technologies used in LAN are Ethernet and Wi-Fi. It supports personal computers at a relatively low cost. These networks independently procure personal computers for applications.

  

1.2.1 LAN Standards

LAN standards are defined rules for the ease of data communication and the interaction of networking devices. They are standardised by the Institute of Electrical and Electronics Engineers (IEEE). The two broadly used standards for local area networks are as follows:

● IEEE 802.3: It is one of the most widely used standards for data communications. This is a standard that is defined specifically for the data link layer and describes the network characteristics. It is used for wired networks. One of the advantages of wired networks is that stations can easily detect the possibility of collisions, as the energy of the signal that is supposed to be received by the station almost doubles.

● IEEE 802.11: This is a standard defined for wireless networks. Networks based on this standard make use of high-frequency radio waves instead of cables. Several amendments of this standard include 802.11a, 802.11b, 802.11g and 802.11n. This standard makes use of carrier sense multiple access with collision avoidance (CSMA/CA), which prevents collisions, as the stations in wireless networks can hardly detect collisions.

1.2.2 Carrier Sensing

● Carrier sensing is a technique that helps in avoiding collision by sensing a signal. This implies that each node should check the state of the transmission medium before transmitting a signal.

● The retransmission of data frames that occurs owing to collision gets reduced by carrier sensing.

● It helps in improving the performance of a network, as the nodes sense for a carrier present in the transmission medium before accessing it.

1.3 Ethernet

Ethernet is a wired networking technology. It is commonly used in wired local area networks (LANs). It has the ability to deliver higher levels of performance. It is possible to increase its performance with successive updates in its current features.

1.3.1 Switched Ethernet

It refers to an Ethernet LAN that uses switches to connect individual hosts or segments. It provides point-to-point connections between hosts. The devices in a switched Ethernet network are connected with the help of cables. Ethernet cables mainly operate in the physical layer. They support industry standards, including Category 5 and Category 6 cables. These cables connect devices in LANs such as Ethernet switches, routers and PCs. The types of cables are as follows:

● Coaxial cable: These cables are used in systems that make use of radio frequency for communication. They are difficult to install and are expensive. The transmission rate is up to 10 Mbps. These cables are used for connecting devices over long distances, and the bandwidth offered by these cables is high.

● Fiber optic cable: These cables transmit signals in the form of light and are made of either glass or plastic. They use reflection to guide light through a channel. The glass (or plastic) core in a fiber optic cable is surrounded by glass (or plastic) cladding. The difference in density between the core material and the cladding material affects how the light travels.

● Twisted pair cable: It is one of the lightest and easiest-to-install categories of cables. A twisted pair cable consists of two conductors. One of these conductors is used to carry signals from the source to the destination. It is of the following two types:

○ Unshielded Twisted Pair (UTP)
○ Shielded Twisted Pair (STP)

1.3.2 Ethernet Frame Format

The Ethernet frame format is defined in the IEEE 802.3 standard. It is required by all media access control implementations. It starts with the Preamble and Start of Frame Delimiter (SFD), and both work at the physical layer. An Ethernet header contains both the Source and Destination MAC addresses, after which the payload of the frame is present. The last field is the Cyclic Redundancy Check (CRC) that is used to detect errors. The details of each of the fields are as follows:

1. Preamble:
● It is the first field of the frame, comprising 7 bytes.
● These 7 bytes are an alternating sequence of 0s and 1s.
● It informs the receiver about the frame arrival.

2. Start of frame delimiter (SFD):
● It is a 1-byte field. The bits are always set to 10101011.
● It informs the receiver that the upcoming bits will represent the destination address.
● The SFD may sometimes be considered part of the Preamble.

3. Destination address:
● It is a 6-byte field containing the MAC address of the destination machine.
● The destination address is learnt through Address Resolution Protocol (ARP) packets, which carry the destination address.

4. Source address:
● It is also a 6-byte field that contains the MAC address of the source machine.
● The source address is always a unicast address; hence, the least significant bit of the first byte is always 0.

5. Length:
● It is a 16-bit field that specifies the length of the Ethernet frame.

6. Data:
● This field consists of the actual data. It is also known as the payload.
● The maximum data may be 1,500 bytes long.

7. Cyclic redundancy check:
● It is a 4-byte field. It checks for corrupted data by evaluating checksums.
● It consists of the checksum computed over the source address, the destination address, the length and the data fields.
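The field layout above, as an added example that is not part of the original notes: a small Python parser that builds a frame from constructed values, appends the CRC-32 frame check sequence, splits a received frame back into its fields and verifies the FCS. The Preamble and SFD are left out because the NIC adds and strips them at the physical layer; the destination MAC reuses the address from section 1.4, while the source MAC, the payload and the bit-flip position are constructed for the example.

```python
import struct
import zlib

ETHERNET_HEADER_LEN = 14   # 6-byte destination + 6-byte source + 2-byte length/type
FCS_LEN = 4                # 4-byte cyclic redundancy check (CRC-32)
MAX_PAYLOAD = 1500         # maximum data field length given in the notes


def format_mac(raw: bytes) -> str:
    """Render 6 raw bytes in the MM:MM:MM:SS:SS:SS form used in section 1.4."""
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Assemble header + payload and append the CRC-32 FCS.

    The FCS is computed over destination, source, length/type and data,
    exactly the fields listed under point 7 above. Ethernet transmits the
    FCS least-significant byte first, hence the "<I" packing.
    """
    header = dst + src + struct.pack("!H", length_or_type)
    body = header + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and verify the FCS."""
    if len(frame) < ETHERNET_HEADER_LEN + FCS_LEN:
        raise ValueError("frame shorter than header plus FCS")
    dst, src, length_or_type = struct.unpack("!6s6sH", frame[:ETHERNET_HEADER_LEN])
    body, fcs_bytes = frame[:-FCS_LEN], frame[-FCS_LEN:]
    payload = body[ETHERNET_HEADER_LEN:]
    expected_fcs = zlib.crc32(body) & 0xFFFFFFFF
    received_fcs = struct.unpack("<I", fcs_bytes)[0]
    # Values up to 1500 are a length (IEEE 802.3 framing); larger values are an
    # EtherType (Ethernet II framing). Both share the same 16-bit slot.
    is_length = length_or_type <= MAX_PAYLOAD
    return {
        "destination": format_mac(dst),
        "source": format_mac(src),
        "length": length_or_type if is_length else None,
        "ethertype": None if is_length else length_or_type,
        "payload": payload,
        "fcs_ok": expected_fcs == received_fcs,
        # Point 4 above: a source address must be unicast, i.e. bit 0 of byte 0 is clear.
        "source_is_unicast": (src[0] & 0x01) == 0,
        "destination_is_broadcast": dst == b"\xff" * 6,
    }


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit at the given offset to show the FCS catching corruption."""
    data = bytearray(frame)
    data[index] ^= 0x01
    return bytes(data)


# Constructed sample frame (not captured traffic).
SAMPLE_DST = bytes.fromhex("00A2C414C829")   # the address discussed in section 1.4
SAMPLE_SRC = bytes.fromhex("001122334455")   # constructed source MAC
SAMPLE_PAYLOAD = b"hello, ethernet"          # 15 bytes, so the length field reads 15
SAMPLE_FRAME = build_frame(SAMPLE_DST, SAMPLE_SRC, len(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    good = parse_frame(SAMPLE_FRAME)
    damaged = parse_frame(corrupt(SAMPLE_FRAME, 20))   # offset 20 lies inside the payload
    print(good["destination"], good["source"], good["length"], good["fcs_ok"])
    print("after one flipped bit, fcs_ok =", damaged["fcs_ok"])
```

The FCS only detects accidental corruption: an attacker who forges a frame simply recomputes it, which is why the later sections rely on address checks and filtering rather than on the CRC.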

1.4 Media Access Control Address

A MAC address is a unique value that is assigned to a network adapter. It is also known as the physical address. This address is 48 bits in length. These addresses are written in the following formats:

MM:MM:MM:SS:SS:SS
MMMM-MMSS-SSSS

The first half (24 bits) contains the number of the adapter manufacturer, and the second half (24 bits) represents the serial number. For example, consider the following MAC address:

00:A2:C4:14:C8:29

The prefix 00A2C4 indicates that the manufacturer is Intel Corporation. IEEE assigns a unique 3-byte code to every manufacturer, which is known as the Organizationally Unique Identifier (OUI). Manufacturers use this OUI at the start of the MAC address on all their NICs. The remaining bytes are assigned a unique hexadecimal value by the manufacturer.

1.5 IP Address

An IP address uniquely identifies a device on an IP network. An IP address is recognised by other systems that use the internet protocol for communication. The two primary types of IP addresses are as follows:

● IPv4: These are 32 bits long (2^32 unique addresses).
● IPv6: These are 128 bits long (2^128 unique addresses).

Nowadays, LAN applications make use of IPv4. The types of IP addresses are as follows:

● Static IP address: It is manually set by the network administrator. It is manageable for small networks and requires careful checks to avoid duplication.

● Dynamic IP address: It is assigned by the Dynamic Host Configuration Protocol (DHCP) server when the host boots up. It is derived automatically from a range of addresses. After its use, the address is released back to the server.

1.6 Subnet Mask

A subnet mask is a 32-bit number. The term ‘mask’ is used because the subnet mask uses its own 32-bit number to mask the IP address. It is made by setting all host bits to 0s and all network bits to 1s. In this way, it separates the IP address into the network and host addresses. A network address represents the address of a network, whereas a host address represents the address of a particular node in a network. A network address is used to find the subnet where the device is located, whereas a host address is used to locate devices in that subnet. Its goal is simply to enable the subnetting process, which is the process of dividing a network into smaller subnetworks to increase network performance.

Note: In Linux and Mac systems, subnet masks can be viewed using the ifconfig command, whereas in Windows systems, they can be seen using the ipconfig /all command.
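The masking operation described in section 1.6, carried out in Python as an added example (not code from the original notes): the mask is ANDed with the address to obtain the network part, its complement is ANDed to obtain the host part, and a contiguity check rejects masks that are not a run of 1s followed by a run of 0s. The addresses and masks used are constructed; the result is cross-checked against the standard library's ipaddress module, so the values can be compared with what ifconfig or ipconfig /all shows.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Convert dotted-decimal IPv4 text into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back into dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask: int) -> bool:
    """A mask must be network bits (1s) followed by host bits (0s), with no gaps.

    Inverting the mask turns the host bits into a block of trailing 1s; adding 1
    to such a block gives a power of two, so ANDing the two must yield zero.
    """
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def split_address(ip: str, mask: str) -> dict:
    """Separate an IPv4 address into network and host parts using the subnet mask."""
    ip_int, mask_int = to_int(ip), to_int(mask)
    if not is_valid_mask(mask_int):
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    host_bits = (~mask_int) & 0xFFFFFFFF
    network = ip_int & mask_int          # network bits kept, host bits cleared
    host = ip_int & host_bits            # host bits kept, network bits cleared
    prefix_len = bin(mask_int).count("1")
    return {
        "network_address": to_dotted(network),
        "host_part": to_dotted(host),
        "broadcast_address": to_dotted(network | host_bits),
        "prefix_length": prefix_len,
        # all-zeros and all-ones host parts are reserved, hence the minus two
        "usable_hosts": max((1 << (32 - prefix_len)) - 2, 0),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts are on the same subnet when masking both gives the same network address."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


def cross_check(ip: str, mask: str) -> bool:
    """Confirm the hand-rolled arithmetic agrees with the standard library."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    ours = split_address(ip, mask)
    return (str(net.network_address) == ours["network_address"]
            and net.prefixlen == ours["prefix_length"])


if __name__ == "__main__":
    # Constructed example values, not taken from any real network.
    print(split_address("192.168.1.37", "255.255.255.0"))
    print(same_subnet("10.0.0.5", "10.0.1.5", "255.255.255.0"))
    print(cross_check("192.168.1.37", "255.255.255.0"))
```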

1.7 EtherOops Attack

The attack works only if the network contains faulty Ethernet (networking) cables. It is a packet-in-packet attack. Such attacks come into play when network packets are nested inside each other. The outer shell is a friendly packet, whereas the inner one contains malicious code or commands. The outer packet allows the attack payload to slip by initial network defences, such as firewalls or other security products, whereas the inner packet attacks devices inside the network. But networking packets do not typically change their composition and lose their ‘outer shells’. Hence, such an attack has a very low chance of success, but if it is successful, it can:

● Enter networks directly,
● Enter internal networks from a demilitarised segment, and
● Move between various segments of networks.

The simplest way to protect against these attacks is using either shielded Ethernet cables or network security products such as firewalls, IDS/IPS and security gateways that are capable of detecting packet-in-packet payloads inside the network traffic.

1.8 Switches 

A switch is a multiport device that improves network efficiency. A switch operates at the data link layer of the OSI model and has a more intelligent role than hubs. Handling limited routing information about nodes in the internal network allows connections to systems such as hubs or routers. Switches can read the hardware addresses of incoming packets to transmit them to the appropriate destination. When a device in a network sends a packet to another device, a switch reads the header of the packet to determine where the packet is to be sent. It then matches the destination address or addresses. If the destination address is found, it sends the packet out through the appropriate ports.

1.8.1 Types of Switches

Switches differ in their capabilities. The types of switches are as follows:

● Unmanaged switch: Unmanaged switches are the most basic switches. They offer a fixed configuration. They are generally of the plug-and-play type, which means that users have limited options.

● Managed switch: Managed switches have numerous functionalities and a number of features for IT professionals. They use command line interfaces (CLI) for configuration. They support virtual LANs, quality of service settings and IP routing.

● Power-over-Ethernet (PoE) switch: These types of switches provide power to devices using network cables. They offer up to 60 W of output per port to deliver high-speed data transmission. The power provided by the PoE switch can be used to run other devices through Ethernet cabling.

● LAN switch: It is also known as a ‘frame switch’. LAN switches are common in Ethernet networks. They are also available for token ring and FDDI networks.

1.8.2 Types of Information Transfer from a Switch

Information transfer occurs between devices connected through switches in these three different ways:

● Unicast: This type of transfer occurs directly between one host and another. For example, when we click on a hyperlink on a website, we actually request HTTP data from the host. In this way, information transfer occurs only between us and the host defined in the hyperlink.

● Broadcast: It occurs between a single sender and multiple receivers. For example, a radio channel broadcasts signals to various receivers.

● Multicast: This type of information transfer is targeted only at a group of computers without disturbing the others that are not interested in the communication. It can also be a one-to-one or a many-to-many type of communication.

1.9 MAC Spoofing

Spoofing is the act of imitating someone or something. Similarly, MAC spoofing is a technique that is used to change the MAC address of a machine in a local network. Although it is difficult to change the MAC address that is hard coded on an NIC, drivers (device drivers that help in system functionality) allow MAC addresses to be changed.

MAC spoofing can be legitimate or illegitimate. MAC addresses can sometimes be spoofed by attackers to bypass access control lists, servers and routers. You will understand when it can help you. Using public networks such as free Wi-Fi at a restaurant without registration can be achieved using MAC spoofing. You can mask your original MAC address if you do not want to get recognised in that network.

If you try to spoof MAC addresses in Kali Linux, you will see two MAC addresses: the current one and the permanent one. The current MAC address is set by the macchanger utility in Kali Linux. Current MAC addresses will continue to change with every new connection.

To prevent MAC spoofing, MAC filters can be applied to allow only specific devices in the network; the MAC addresses in use can be inspected with Wireshark.

2.0 IP Spoofing
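Sections 1.4, 1.8.2 and 1.9 all turn on reading bits of a MAC address, so here is one added Python example (not code from the original notes) that does the parsing for all three: it accepts the two written formats from section 1.4, splits off the OUI, classifies the address as unicast, multicast or broadcast from the least significant bit of the first byte, reads the neighbouring "locally administered" bit, and evaluates a station against a MAC filter allow list. The OUI table holds only the one prefix the notes give; the allow list and the other addresses are constructed for the example.

```python
import re

# OUI registry excerpt: only the prefix the notes themselves state (section 1.4).
# A real deployment would load the full IEEE OUI list; this dictionary is a placeholder.
OUI_TABLE = {"00A2C4": "Intel Corporation"}

# Constructed allow list for a MAC filter: the one station an administrator has approved.
ALLOWED_STATIONS = {"00:A2:C4:14:C8:29"}


def normalise_mac(text: str) -> str:
    """Accept MM:MM:MM:SS:SS:SS, MMMM-MMSS-SSSS or bare hex; return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits.upper()


def describe_mac(text: str) -> dict:
    """Break a MAC address into OUI, serial and the two administrative bits of byte 0."""
    mac = normalise_mac(text)
    first_byte = int(mac[:2], 16)
    oui = mac[:6]
    if mac == "F" * 12:
        kind = "broadcast"            # all ones: every station on the segment
    elif first_byte & 0x01:
        kind = "multicast"            # bit 0 set: a group address
    else:
        kind = "unicast"              # bit 0 clear: a single station
    return {
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
        "oui": oui,
        "serial": mac[6:],
        "manufacturer": OUI_TABLE.get(oui, "unknown (not in local OUI table)"),
        "kind": kind,
        # bit 1 of byte 0: 0 = burned in by the manufacturer, 1 = set locally by software
        "locally_administered": bool(first_byte & 0x02),
    }


def evaluate_station(text: str, allowed=ALLOWED_STATIONS) -> dict:
    """Apply a MAC filter and attach review flags a defender would want to see."""
    info = describe_mac(text)
    info["allowed"] = info["mac"] in allowed
    flags = []
    if info["kind"] != "unicast":
        flags.append("group address used as a station address: invalid source")
    if info["locally_administered"]:
        flags.append("locally administered bit set: address was assigned by software, review it")
    if info["manufacturer"].startswith("unknown"):
        flags.append("OUI not recognised: check against the full IEEE registry")
    info["flags"] = flags
    return info


if __name__ == "__main__":
    for sample in ("00:A2:C4:14:C8:29", "02:11:22:33:44:55", "FF-FF-FF-FF-FF-FF"):
        print(evaluate_station(sample))
```

A MAC filter is only a weak control: the notes themselves explain that the address can be changed in software, so an allow list should be paired with stronger authentication rather than relied on alone. The "locally administered" flag is an indicator worth reviewing, not proof of spoofing, since some virtualisation and privacy features set it legitimately.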

IP spoofing is performed by replacing the numbers in IP headers with other numbers so that they look like valid IP addresses. This is done to hide a source's identity or to launch other attacks such as Distributed Denial of Service (DDoS) and man-in-the-middle attacks. IP spoofing makes the receiver think that the data packet is from a trusted source. As this occurs at the network level, there are no visible signs of tampering. Spoofing the IP address of a packet is a core weakness that is exploited by many attacks. If an IP address is continuously falsified, it becomes difficult to block malicious requests.

IP spoofing can be detected by checking the IP headers of packets before allowing them into the network. Also, only legitimate users should be able to enter the network. You can do so using several network analysing tools.

It is difficult to identify the real source. Therefore, several security measures should be adopted to prevent IP spoofing. Some of the preventive measures are as follows:

● The use of access control lists to deny private IP addresses: The use of access control lists limits users from accessing files and systems in a network, thereby increasing the performance of the network. This is also economically helpful for organisations, as they do not need to upgrade their network regularly. ACLs can also be used in places where firewalls are restrictive.

● Filtering of both inbound and outbound traffic: Inbound traffic comes into play when someone initiates a connection to your system. Outbound traffic flows when you initiate a connection to send information to a particular destination. For example, if a network administrator blocks a group of IP addresses, they should be careful that no traffic sourced from those blocked IP addresses enters the network and, similarly, that no traffic from inside the network reaches those addresses. If this happens, it means that someone is trying to spoof the IP address and enter the network. So, to protect against these, inbound and outbound filters should be applied carefully.
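The two preventive measures above (and the firewall role from section 1.1.2) are easier to see as a rule set, so here is an added Python example that is not part of the original notes: a minimal anti-spoofing filter that applies ingress rules to inbound packets (drop anything claiming an internal or private source, drop block-listed sources) and egress rules to outbound packets (drop anything whose source is not one of our own addresses, drop anything headed for a block-listed address). The site prefix 10.20.0.0/16, the block list and all packet records are constructed; the 198.51.100.0/24 and 203.0.113.0/24 ranges are the RFC 5737 documentation ranges, used here so no real network is named.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site configuration (placeholders, not a real deployment).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (arriving from outside) or "outbound" (leaving the site)
    src: str         # source IP address as written in the header
    dst: str         # destination IP address


def in_any(address: str, networks) -> bool:
    """True when the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def filter_packet(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet under the ingress/egress rules."""
    if pkt.direction == "inbound":
        # Ingress: nobody outside can legitimately send from our own or any private range.
        if in_any(pkt.src, INTERNAL_NETWORKS):
            return "drop", "inbound packet claims an internal source address (spoofed)"
        if in_any(pkt.src, PRIVATE_RANGES):
            return "drop", "inbound packet from a private or loopback range (spoofed)"
        if in_any(pkt.src, BLOCKED):
            return "drop", "source address is on the block list"
        return "accept", "ingress checks passed"
    if pkt.direction == "outbound":
        # Egress: an internal host sending from a foreign source is spoofing,
        # and nothing inside should be talking to a block-listed address.
        if not in_any(pkt.src, INTERNAL_NETWORKS):
            return "drop", "outbound packet with a non-internal source (internal host spoofing)"
        if in_any(pkt.dst, BLOCKED):
            return "drop", "destination is on the block list"
        return "accept", "egress checks passed"
    return "drop", f"unknown direction {pkt.direction!r}"


# Constructed traffic sample covering each rule once.
SAMPLE_PACKETS = [
    Packet("inbound", "198.51.100.7", "10.20.1.10"),    # ordinary external client
    Packet("inbound", "10.20.5.5", "10.20.1.10"),       # outsider pretending to be internal
    Packet("inbound", "192.168.1.1", "10.20.1.10"),     # private source from outside
    Packet("inbound", "203.0.113.9", "10.20.1.10"),     # block-listed source
    Packet("outbound", "10.20.1.10", "198.51.100.7"),   # ordinary reply
    Packet("outbound", "172.16.9.9", "198.51.100.7"),   # internal host with forged source
    Packet("outbound", "10.20.1.10", "203.0.113.9"),    # talking to a block-listed address
]


def run_sample(packets=SAMPLE_PACKETS) -> dict:
    """Apply the filter to every packet and count verdicts."""
    verdicts = [filter_packet(p)[0] for p in packets]
    return {"accept": verdicts.count("accept"), "drop": verdicts.count("drop")}


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.direction, p.src, "->", p.dst, *filter_packet(p))
    print(run_sample())
```

The egress rule is the one most often forgotten: it does not protect your own network, it stops your hosts being used to spoof packets against someone else's, which is why the notes ask for both directions to be filtered.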

2.1 Spanning Tree Protocol

STP is a layer-2 protocol that helps in preventing loops in a local area network. Only one desirable path should be present between two nodes in the network to prevent chaos. STP works on an algorithm that selects the connection between nodes that offers the shortest path and the highest bandwidth. STP enables only those links and disables all the other redundant ones. By default, STP is enabled on all the networks, but it can be disabled using the disable option.

2.1.1 STP Attack

STP makes the network loop free by selecting one of the switches as the root bridge from the multiple switches that are present in the network. All the paths that are to be taken by frames travelling in a network are decided by the root bridge. Every switch in a network is given a priority by the network administrator. If the administrator does not give a priority, then one of the switches becomes the root bridge automatically. The switch with the lowest priority becomes the root bridge. If two or more switches have the same priority, then the switch with the lowest bridge ID number becomes the root. The ID number is derived from the MAC address. The ports on a switch remain in different states. Those states are as follows:

● Blocking state: Switches remain in the blocking state at the time of election. When a switch is in the blocking state, it discards all the frames and only processes Bridge Protocol Data Units (BPDUs). BPDUs are frames that contain information about ports, port priority, switches and addresses.

● Listening state: The designated port moves to the listening state after the blocking state. In this state, the port receives BPDUs and forwards them to the switch system module for further processing. When a port is in the listening state, all the other ports remain in the blocking state.

● Learning state: During this state, the port begins to process data frames and updates the MAC table. The actual forwarding happens in this state.

● Forwarding state: The actual communication information is forwarded from a port during this state.

● Disabled state: A port in the disabled state does not take part in information transfer, as it is non-operational at that time, but it can be enabled anytime.

An attacker can introduce a rogue switch in the network if they have access to the ports that can become trunk ports. Trunk ports are ports through which all the signals pass using a single trunk link. Trunk links are physical connections between switches. The rogue switch will be configured in such a way that it can negotiate the trunk link. Also, the attacker’s switch can be configured in a way such that it acts as the switch with the lowest priority and, hence, functions as the root bridge. All the traffic flows through the switch; hence, the attacker can tamper with any information.

2.2 Address Resolution Protocol

The Address Resolution Protocol is a way of finding the destination machine’s MAC address using its IP address. When a data frame arrives at the switch, the switch searches for the MAC address of the destination machine in the MAC address table. If it is not found, it broadcasts ARP requests to all the connected machines to identify the desired destination machine among the connected machines.

Each of the machines then peels the header off the frame and transfers it to layer 3 (network layer), where the IP present in the header is matched with the machine’s IP address. If it is equal, the machine responds with its MAC address, and the address is registered as a new entry in the MAC address table.
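Returning to the root bridge election of section 2.1.1, here is an added Python example (not code from the original notes) that models it and the two checks a defender would build around it: the election picks the lowest priority and breaks ties on the lowest MAC-derived bridge ID, a root check alerts when the elected root is not one of the administrator's authorised switches, and a BPDU check alerts when a switch advertisement is seen on a port that should only face end hosts, which is exactly where the rogue switch of the attack description would have to be plugged in. Switch names, priorities, MAC addresses and port names are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # lower value wins the election
    mac: str        # tie-breaker: lower MAC wins, as the notes describe


def bridge_id(b: Bridge) -> tuple:
    """Bridge ID ordering: priority first, then the MAC address as a number."""
    return (b.priority, int(b.mac.replace(":", ""), 16))


def elect_root(bridges) -> Bridge:
    """The switch with the smallest bridge ID becomes the root bridge."""
    return min(bridges, key=bridge_id)


# Constructed topology: the administrator set SW1's priority low so that it is the root.
SW1 = Bridge("SW1", 4096, "00:11:22:00:00:01")
SW2 = Bridge("SW2", 32768, "00:11:22:00:00:02")
SW3 = Bridge("SW3", 32768, "00:11:22:00:00:03")
SWITCHES = [SW1, SW2, SW3]

# Constructed rogue switch claiming the lowest possible priority.
ROGUE = Bridge("ROGUE", 0, "DE:AD:BE:EF:00:01")

# Only these bridges may ever win the election (constructed allow list).
AUTHORISED_ROOTS = {SW1.mac}

# Ports that legitimately connect switch to switch (constructed port names);
# every other port faces end hosts and should never receive a BPDU.
INTER_SWITCH_PORTS = {"Gi1/0/1", "Gi1/0/2"}


def check_root(bridges, authorised=AUTHORISED_ROOTS) -> dict:
    """Run the election and say whether the winner is an authorised root."""
    root = elect_root(bridges)
    return {"root": root.name, "root_mac": root.mac, "authorised": root.mac in authorised}


def bpdu_alerts(observed_bpdus, inter_switch_ports=INTER_SWITCH_PORTS) -> list:
    """observed_bpdus: (port, sender Bridge). Flag STP speakers on host-facing ports."""
    return [f"BPDU from {b.name} ({b.mac}) on host-facing port {port}"
            for port, b in observed_bpdus if port not in inter_switch_ports]


if __name__ == "__main__":
    print(check_root(SWITCHES))             # SW1, authorised
    print(check_root(SWITCHES + [ROGUE]))   # ROGUE wins, not authorised: alert
    print(bpdu_alerts([("Gi1/0/1", SW2), ("Gi1/0/24", ROGUE)]))
```

In practice the second check is the stronger one: once a rogue device has won the election the traffic is already flowing through it, whereas refusing BPDUs on host-facing ports stops the rogue switch from joining the tree at all.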

2.2.1 ARP Cache

An ARP cache is similar to the cache memory. In the cache memory, frequently used data is kept. Similarly, after finding the MAC address, it is sent to the ARP cache table for future use. The table stores IP and MAC address pairs.

The ARP cache timeout is the time until which the MAC address can reside in the MAC address table.

2.2.2 Types of ARP

● Proxy ARP: In this type, the router is placed in the middle of the network and responds to a request when a MAC address is demanded. It is able to do so because it knows where the destination machine is located and its details.

● Gratuitous ARP: In this type, both IP and MAC addresses can be broadcast to find their corresponding pair. For example, if a machine wants to know the IP address of a device from its MAC address, it can broadcast the ARP request to find it. A similar way can be adopted to find a MAC address from an IP address.

● Reverse ARP: RARP is used to find the IP address of a client machine. When a new machine is connected to the network, it does not have an IP address and requests one. So, a RARP server located in the network replies to the machine with the IP address. The request is broadcast, as the machine does not know which of the other machines in the network is the RARP server, but the RARP reply is unicast.

● Inverse ARP: As the name indicates, it is used to find the IP address from the MAC address of the destination machine.

2.2.3 ARP Spoofing

ARP spoofing is a type of attack in which a machine that is connected to a network receives fake ARP requests from an attacker. This results in the linking of the attacker's MAC address with the IP address of a legitimate machine in the network. The attacker will be able to see all the traffic that is intended for the authorised user. This attack can occur only on a local area network, as only a LAN makes use of ARP. With the help of this attack, other attacks can also be performed, such as the following:

● Denial-of-service attack: Multiple IP addresses can be linked with a single MAC address with the help of spoofing by an attacker. This results in redirecting all the traffic for those machines to the attacker's machine.

● Man-in-the-middle attack: Information can be tampered with along its flow path by ARP spoofing. This is known as a man-in-the-middle attack.

● Session hijacking: Session IDs can be stolen with the help of ARP spoofing. This grants an attacker access to the private data of a device.

2.2.4 Useful ARP Commands

● arp -a: It is used to list all the physical addresses and internet addresses present in the ARP cache table.

● arp -d: It is used to delete an IP and MAC address pair from the cache table. You need to specify the IP address with the command to delete it from the table.

● arp -s: It is used to add a new IP and MAC address pair to the ARP cache table. Both addresses need to be mentioned with the command.
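To tie sections 2.2.3 and 2.2.4 together, here is an added Python example that is not part of the original notes: a monitor that replays a sequence of ARP replies into a cache table and raises the alerts a defender would want, namely an IP address whose MAC changes (the man-in-the-middle case), one MAC claiming many IP addresses (the denial-of-service case described above), and any reply that contradicts an entry pinned with arp -s. The reply sequence, the addresses and the threshold are constructed for the example; the MAC-per-IP threshold in particular is a placeholder that a real deployment would tune, since a router doing proxy ARP legitimately answers for several addresses.

```python
from collections import defaultdict

# Constructed ARP reply observations (not captured traffic): (sequence, sender IP, sender MAC).
OBSERVED_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),    # gateway answers normally
    (2, "192.168.1.20", "00:11:22:33:44:20"),   # a workstation answers normally
    (3, "192.168.1.1", "DE:AD:BE:EF:00:01"),    # gateway IP now claimed by another MAC
    (4, "192.168.1.20", "DE:AD:BE:EF:00:01"),   # the same MAC also claims the workstation's IP
    (5, "192.168.1.30", "DE:AD:BE:EF:00:01"),   # and a third IP
]

# What an administrator pinned with "arp -s" (constructed): the gateway's true address.
STATIC_ENTRIES = {"192.168.1.1": "00:11:22:33:44:01"}


def analyse_arp(replies, static=STATIC_ENTRIES, max_ips_per_mac=2) -> dict:
    """Replay ARP replies into a cache table and collect alerts along the way."""
    ip_to_mac = {}                 # the learned cache, as "arp -a" would list it
    mac_to_ips = defaultdict(set)  # reverse index used for the one-MAC-many-IPs check
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.upper()
        if ip in static and static[ip] != mac:
            alerts.append(f"#{seq}: reply for {ip} from {mac} contradicts static entry {static[ip]}")
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"#{seq}: {ip} moved from {previous} to {mac} (possible ARP poisoning)")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"#{seq}: {mac} now claims {len(mac_to_ips[mac])} IP addresses "
                          f"{sorted(mac_to_ips[mac])}")
    return {"table": ip_to_mac, "alerts": alerts}


def effective_entry(ip: str, learned: dict, static=STATIC_ENTRIES):
    """Static entries take precedence over learned ones; this is why pinning the gateway helps."""
    return static.get(ip, learned.get(ip))


if __name__ == "__main__":
    result = analyse_arp(OBSERVED_REPLIES)
    for line in result["alerts"]:
        print(line)
    print("learned gateway MAC:", result["table"]["192.168.1.1"])
    print("effective gateway MAC:", effective_entry("192.168.1.1", result["table"]))
```

The learned table ends up holding the attacker's MAC for the gateway, which is what a poisoned host would use; the static entry is what keeps the real mapping in force on a machine where the administrator has pinned it.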

   

  

  

      
