Network Infrastructure Security
Modified by: Ahmad Al Ghoul
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: firstname.lastname@example.org
Philadelphia University Ahmad Al-Ghoul 2010-2011 1
Describe exploitation and choose appropriate security measures for hubs, bridges, or switches.
Document ways in which a firewall could be compromised and select related security solutions.
List the potential for private branch exchange (PBX) exploitations and choose appropriate methods for securing a PBX.
Describe modem exploitations and select appropriate security measures.
On a computer network, the network infrastructure includes the cables,
connectivity devices, hosts, and connection points of the network. In
this chapter you learn ways in which network infrastructure equipment
might be exploited or attacked. This chapter also presents strategies
and devices that can increase the security of your network.
Infrastructure Security Overview
You must control access to critical resources, protocols, and network
access points. This includes protecting the physical security of
equipment and the configuration of devices.
Attacks against your network infrastructure can include physical
attacks, such as destruction or theft of equipment, and the physical
modification of equipment configurations. Attacks can also involve the
logical modification of network infrastructure device configurations,
such as changing a routing or switching table.
You can protect your physical network infrastructure with security
personnel, closed-circuit TV, alarms, access cards, locks, tamper-proof
seals, backup electrical power, and similar measures.
Restrict remote administration of network infrastructure equipment
whenever possible. When you must allow remote administration, be
sure to use the most secure authentication and encryption possible.
Securing Network Cabling
Network cabling is a vulnerable part of your network infrastructure. However,
an attacker or spy must have physical access to your cable (or at least be able
to get close to the cable) to exploit or attack your network cable infrastructure.
Sabotage is a simple matter for a saboteur who is able to gain physical access
to your network cable infrastructure. The saboteur could cut a coaxial or
twisted-pair cable to disrupt network communications. Also, coaxial and
twisted-pair cable are susceptible to EMI and RFI, so a source of EMI/RFI
placed near a cable or wire bundle could be enough to disrupt
communications. Fiber optic cable is impervious to EMI and RFI, but is easily
Use the following techniques to protect your cable infrastructure:
Document your entire cable infrastructure. Keep that documentation current.
Investigate all hosts and connectivity devices that are not documented.
Protect your network cable as much as possible by burying it underground,
placing it inside walls, and protecting it with tamper-proof containers.
Check the physical integrity of your network infrastructure cabling on a
regular basis. Verify your network infrastructure after power outages.
Enable managed devices to alert you of the presence of disconnected cables or
unauthorized connections. Investigate all alerts and outages.
Because hubs are physical devices, they should be physically
protected. Try to lock hubs in wiring closets. If the hub cannot be
locked in a room or closet, try to secure it in some other type of
protective encasement. At a minimum, you should periodically
check hubs to be sure that all cables are connected properly and
that no rogue connections exist.
Managed hubs can be used to detect physical configuration changes.
Managed hubs report hub statistics and connection information to
management software. You can configure a managed hub to send
an alert when a configuration is modified. Of course, because a
managed hub has a (software) configuration, an attacker could
compromise the hub's configuration to disrupt network
communication or mask evidence of another attack.
Switches and Bridges
Switches and bridges maintain a table that contains MAC address mappings to
each of their connection points. The table allows the switch or bridge to
direct Layer 2 communications to the correct network segment or port,
making it a potential target for attack. A central switch could also be the
target of a saboteur. Destroying a central switch, disconnecting power, or
disconnecting all of the network cables would disrupt all communications
passing through the device.
If an attacker can gain administrative access to the switch or bridge, he or she can
reroute network communications. These communications can be redirected
to a host on the network under the control of the attacker, which could be
the attacker's system or a system the attacker was able to gain control over
using some other technique. If the attacker decides to sabotage
communications on the network, he or she can do so at any time once
administrative access is obtained. Of course, the attacker must gain
administrative access to the bridge or switch first. A skilled attacker can do
this by trying default administrative passwords or running a password
attack against the device.
ARP Cache Poisoning
Although switches and bridges segment the network, an attacker might be
able to use Address Resolution Protocol (ARP) cache poisoning (also known
as ARP spoofing), a method of placing incorrect information in computers'
ARP caches to misroute packets, to propagate traffic through a switch.
The ARP cache is used to store Internet Protocol (IP) to MAC address
mappings.
For an attacker to conduct ARP cache poisoning, he or she must typically
gain physical connectivity to the local segment. The attacker must
then compromise the ARP caches of the hosts on that segment. ARP
cache poisoning involves overwriting entries in the ARP cache to
cause a computer to send all network traffic directly to the attacker's
computer. If an attacker is able to do this to all the computers on the
segment, he or she could effectively listen to (and forward) data
packets without network users realizing it. The attacker would then
be able to listen to the network traffic sent on that network, most
likely to steal trade secrets or obtain unencrypted passwords.
Securing Switches and Bridges
There are several measures you can take to prevent attacks against
your switches and bridges. As with other network devices, you should
physically secure them so they cannot be tampered with or destroyed.
Here are other suggestions that can help to secure your switches and
Secure all physical connections on your network segments. Be sure
that no unauthorized connections can be made. Also, limit physical
access to your switch locations and use security personnel and
monitoring devices to ensure connectivity devices are secure.
Set complex passwords for administrative consoles. Restrict device
administration to as few people as possible from as few locations as
possible. Also, be sure to change administrative passwords routinely
and whenever an administrator leaves the company.
Securing Switches and Bridges
Manually enter ARP mappings on critical devices, such as central
servers, switches, bridges, and so on. If you manually enter all
necessary MAC addresses, prevent the switch or bridge from learning
Keep your switches and bridges current with the latest vendor
Document your device configurations so you know for sure what is
normal and authorized.
Monitor your network with management tools that alert you to
unauthorized connections. Tools such as ARPWATCH can monitor
activity on your network and keep a database of MAC-to-IP address
mappings. The tool can also alert you to changes in these ARP
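An ARPWATCH-style monitor, added here as an illustration and not code from the original slides or from the ARPWATCH tool itself: it learns IP-to-MAC mappings from observed ARP replies (a constructed sample below, not captured traffic), treats manually entered mappings for critical devices as authoritative, and raises alerts for new stations, changed mappings, and the flip-flops typical of a poisoning attempt.

```python
"""ARPWATCH-style monitor: learn IP-to-MAC mappings, alert on changes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of ARP replies seen on one segment (not captured traffic).
# Each tuple is (ip, mac) as carried in an ARP "is-at" reply.
SAMPLE_ARP_REPLIES: List[Tuple[str, str]] = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, first seen
    ("10.0.0.20", "00:11:22:33:44:20"),  # file server, first seen
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # another MAC now claims the gateway
    ("10.0.0.1", "00:11:22:33:44:01"),   # original MAC answers again (flip-flop)
]

@dataclass
class ArpMonitor:
    # Manually entered mappings for critical devices; a different MAC is never accepted.
    static: Dict[str, str] = field(default_factory=dict)
    learned: Dict[str, str] = field(default_factory=dict)   # IP -> current MAC
    previous: Dict[str, str] = field(default_factory=dict)  # IP -> MAC before last change
    alerts: List[str] = field(default_factory=list)

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an alert string if it is noteworthy."""
        mac = mac.lower()
        if ip in self.static:
            if self.static[ip] == mac:
                return None
            return self._alert(f"STATIC VIOLATION {ip}: expected {self.static[ip]}, saw {mac}")
        known = self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac
            return self._alert(f"NEW STATION {ip} is-at {mac}")
        if known == mac:
            return None
        # Mapping changed. A return to the previously seen MAC is a flip-flop,
        # the pattern reported when two hosts fight over one IP address.
        kind = "FLIP-FLOP" if self.previous.get(ip) == mac else "CHANGED"
        self.previous[ip] = known
        self.learned[ip] = mac
        return self._alert(f"{kind} {ip}: {known} -> {mac}")

    def _alert(self, text: str) -> str:
        self.alerts.append(text)
        return text

def run_monitor(replies: List[Tuple[str, str]],
                static: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed all replies to a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor(static={k: v.lower() for k, v in (static or {}).items()})
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

if __name__ == "__main__":
    print("Learning mode:")
    for line in run_monitor(SAMPLE_ARP_REPLIES):
        print("  " + line)
    print("With a static gateway mapping:")
    for line in run_monitor(SAMPLE_ARP_REPLIES, {"10.0.0.1": "00:11:22:33:44:01"}):
        print("  " + line)
```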
A central router could also be the target of a saboteur. Destroying a central
router, disconnecting power, or disconnecting all of the network cables
would disrupt all communications passing through the device. To
increase the security of your routers, consider the following
Ensure the routers are kept in locked rooms or containers.
Check the security of all incoming and outgoing connections.
Limit physical access to your network cable infrastructure, wiring
closets, and server rooms.
Use security personnel and monitoring equipment to protect
connection points and devices.
Utilize complex passwords for administrative consoles. Be sure to
change administrative passwords routinely and whenever an
administrator leaves your organization.
Set access list entries to prevent inappropriate connections and routing
of traffic. For example, packets with the IP address of your internal
network should not be coming from the external interface on the
router. If this happens, it is usually an indication that someone is trying
to perform IP address spoofing.
Keep your routers current with the latest vendor security patches.
Be sure to document and regularly review your network configuration.
Disable RIPv1 and utilize only RIPv2 or other routing protocols that
allow you to secure router updates with passwords.
The term firewall is used generically to describe any device that
protects an internal network (or host) from malicious hackers or
software on an external network (or network to which the host is
connected). Firewalls perform a variety of tasks to filter out
potentially harmful incoming or outgoing traffic or connections.
They are often implemented between an organization's internal
network and the Internet. However, this is not always the case.
Some firewalls are used to subdivide internal networks or even
to protect individual computers.
The five main services that firewalls provide are packet
filtering, application filtering, proxy server, circuit-level, and
stateful inspection. These services are described in more detail
in the following sections.
A packet filtering firewall or gateway checks each packet traversing the
device. The firewall inspects the packet headers of all network packets going
through the firewall. Packets are passed or rejected based on a set of
predefined or administrator-defined rules. Packet filter rules can accept or
reject network packets based on whether they are inbound or outbound, or due
to the information contained in any of the following network data packet
Source IP Address.
This field is used to identify the host that is sending the packet. Attackers
could modify this field in an attempt to conduct IP spoofing. Firewalls are
typically configured to reject packets that arrive at the external interface
bearing a source address of the internal network because that is either an
erroneous host configuration or an attempt at IP spoofing.
Destination IP Address.
This is the IP address that the packet is trying to reach.
IP Protocol ID.
Each IP header carries a protocol ID that identifies the protocol following
the IP header. For example, Transmission Control Protocol (TCP) is ID 6, User
Datagram Protocol (UDP) is ID 17, and Internet Control Message Protocol
(ICMP) is ID 1.
TCP or UDP Port Number.
The port number that indicates the service this packet is destined for, such as
TCP port 80 for Web services.
ICMP Message Type.
ICMP supports several different functions that help to control and manage IP
traffic. Some of these messages can be used to attack networks, so they are
frequently blocked at the firewall. For example, ICMP echo requests can be
exploited to cause a broadcast storm. You can read more about ICMP message
types in Request for Comments (RFC) 793.
Firewalls can examine and forward or reject fragmented packets. Some
flawed implementations of TCP/IP allow for the reassembly of fragmented
packets as whole packets (without receipt of the first packet, which contains
the full header information). A successful fragmentation attack can allow an
attacker to send packets that could compromise an internal host.
IP Options Setting.
This field is used for diagnostics. The firewall should be configured to drop
network packets that use this field. Attackers could potentially use this field in
conjunction with IP spoofing to redirect network packets to their systems.
An application filtering firewall intercepts connections and
performs security inspections. The firewall must be
equipped with the appropriate applications to perform this
task. In this way, the firewall acts as a proxy for
connections between the internal and external network.
The firewall can check and enforce access control rules
specific to the application. Application filtering firewalls
are used to check incoming e-mails for virus attachments;
these firewalls are often called e-mail gateways.
Like an application filtering firewall, a proxy server takes
on responsibility for providing services between the
internal and external network. However, the proxy server
can actually be the server providing the services or it can
create a separate connection to the requested server. In this
way, a proxy server can be used to hide the addressing
scheme of the internal network. Proxy servers can also be
used to filter requests based on the protocol and address
requested. For example, the proxy server could be
configured to reject incoming connections to
http://www.internal.local or outgoing connections to
A circuit-level firewall controls TCP and
UDP ports, but doesn't watch the data
transferred over them. Therefore, if a
connection is established, the traffic is
transferred without any further checking.
A stateful inspection firewall works at the Network layer. The firewall
evaluates the IP header information and monitors the state of each
connection. Connections are rejected if they attempt any actions that
are not standard for the given protocol.
Any of these listed firewall features can be implemented in
combination by a given firewall implementation. Placing multiple
firewalls in series is a common practice to increase security at the
network perimeter. If an attacker is able to breach the first firewall, the
second offers additional protection. Using multiple firewalls in series
(back-to-back) is one example of creating a defense-in-depth, as shown
in Figure 4-1, which means that you are using multiple layers of
protection to keep your network secure.
Poorly implemented firewall configuration is a common reason
firewalls are compromised. For example, firewalls can be configured
with a default-allow rule or a default-deny rule. The default-allow rule
(also known as allow-all) means that a firewall permits all inbound
network packets except those that are specifically prohibited. Network
administrators and security personnel usually view this setting as too
permissive. The other option is the default-deny rule, which rejects all
inbound packets except those that are specifically permitted. This is the
standard configuration of a secure firewall.
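A packet-filter evaluator, added here as an illustration and not code from the slides or from any firewall product: it applies the header fields from the packet filtering section (source and destination address, protocol ID, port, ICMP type, IP options) as first-match rules, includes the anti-spoofing check from the router access list advice, and shows how the same packet is treated under default-deny versus default-allow. The 192.168.10.0/24 internal network, the web server address, and the sample packets are constructed.

```python
"""Packet-filter evaluator: first-match rules on IP header fields, configurable default."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed example network (not from the slides): hosts behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
WEB_SERVER = "192.168.10.80"

TCP, UDP, ICMP = 6, 17, 1      # IP protocol IDs as listed on the slide
ICMP_ECHO_REQUEST = 8          # ICMP message type for echo request (ping)

@dataclass
class Packet:
    iface: str                 # "external" or "internal": interface it arrived on
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None        # TCP/UDP destination port
    icmp_type: Optional[int] = None
    ip_options: bool = False           # IP Options field present

def anti_spoof(p: Packet) -> bool:
    """Internal source address seen on the external interface: spoofing or misconfiguration."""
    return p.iface == "external" and ipaddress.ip_address(p.src) in INTERNAL_NET

Rule = Tuple[str, str, Callable[[Packet], bool]]   # (action, name, predicate)

RULES: List[Rule] = [
    ("drop",   "anti-spoofing",             anti_spoof),
    ("drop",   "IP options set",            lambda p: p.ip_options),
    ("drop",   "inbound ICMP echo request",
     lambda p: p.iface == "external" and p.proto == ICMP
               and p.icmp_type == ICMP_ECHO_REQUEST),
    ("accept", "HTTP to web server",
     lambda p: p.iface == "external" and p.proto == TCP
               and p.dst == WEB_SERVER and p.dport == 80),
    ("accept", "outbound from internal hosts",
     lambda p: p.iface == "internal"
               and ipaddress.ip_address(p.src) in INTERNAL_NET),
]

def evaluate(p: Packet, rules: List[Rule] = RULES, default: str = "drop") -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule, else the default policy."""
    for action, name, match in rules:
        if match(p):
            return action, name
    return default, f"default-{'deny' if default == 'drop' else 'allow'}"

# Constructed sample packets exercising each rule and the default policy.
SAMPLES = {
    "web":      Packet("external", "203.0.113.5", WEB_SERVER, TCP, dport=80),
    "spoofed":  Packet("external", "192.168.10.7", WEB_SERVER, TCP, dport=80),
    "ping":     Packet("external", "203.0.113.5", WEB_SERVER, ICMP, icmp_type=ICMP_ECHO_REQUEST),
    "options":  Packet("external", "203.0.113.5", WEB_SERVER, TCP, dport=80, ip_options=True),
    "telnet":   Packet("external", "203.0.113.5", "192.168.10.9", TCP, dport=23),
    "outbound": Packet("internal", "192.168.10.7", "203.0.113.5", UDP, dport=53),
}

if __name__ == "__main__":
    for policy in ("drop", "accept"):
        print(f"--- default policy: {policy} ---")
        for name, pkt in SAMPLES.items():
            print(f"{name:9} -> {evaluate(pkt, default=policy)}")
```

Only the "telnet" packet, which matches no rule, changes verdict between the two default policies, which is why default-deny is the standard configuration.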
Flaws in firewall software are another reason firewalls are
compromised. Usually, vendors release software patches or temporary
solutions quickly after they are made publicly known. The following
list describes other ways in which firewalls might be compromised:
As described in the previous section, there are several ways an attacker
might attempt to neutralize your firewall, so protecting it requires
vigilance. To protect your firewall, follow this advice:
Keep track of security bulletins concerning your firewall product. Apply
all software patches as they are made available.
Update virus definition files routinely.
Physically protect the firewall.
Document the firewall configuration and review that configuration
Limit the methods for managing the firewall. If remote management is
allowed, use the most secure authentication available.
Use complex passwords. Be sure to change administrative passwords
routinely, and always change them when an administrator leaves your
Know and test the firewall rules by trying to make connections to
unauthorized ports or services from outside the firewall.
Ensure that there are no network paths or connections that can be used to
circumvent the firewall.
Telecommunications systems provide internal phone services for many
organizations. These private telecommunications systems are known as PBX
systems. They usually offer a variety of features such as voice mail, multiple-
party calling, long-distance access restrictions, and call tracking. PBX systems
are potential targets for attackers. Attackers who gain unauthorized access to
the PBX system could potentially use it to do the following:
Make free long-distance calls by changing billing records.
Compromise or shut down the organization's voice mail system.
Reroute incoming, transferred, or outgoing calls.
Compromise the rest of your organization's network, as PBX systems are part
of your network infrastructure. For example, locate a modem-equipped PC.
Use that PC to create an analog connection to the internal network, and then
use the analog connection to access the internal network.
Hacking PBX Systems
PBX systems are frequently an organization's most valuable communication
asset. If the PBX system is compromised, the organization could lose business.
There are relatively few brands of PBX systems available, so an attacker could
use knowledge of a few select systems to compromise a wide variety of
businesses. Although PBX systems are complex, a skilled attacker could use
the system to compromise your network infrastructure. There are a variety of
methods that an attacker might use to compromise the PBX system:
PBX systems come with default passwords for system maintenance. Attackers
could run password attacks to guess these PBX maintenance passwords. Once
an attacker acquires a management password, he or she can reconfigure the
PBX systems are often expensive and upgrades are difficult. Therefore, many
businesses use older PBX systems that might have unencrypted databases with
obvious data structures that could be manipulated.
Hacking PBX Systems
PBX security is not as popular a topic as computer security. Many
businesses don't think to protect their PBX systems or know how to do
so. Users might be tricked into giving up passwords for the telephone
system because awareness of exploitation is not as high as it is with
Remote management and upgrades of PBX systems are commonplace.
Remote connections could be used to install malicious software or
reconfigure the PBX system.
Many people use and have access to the PBX-connected telephones.
These terminals could be used to attack or reconfigure the PBX
Telecommunications infrastructure might extend into unused floors
and offices, making it easier for someone to hide an unauthorized
connection (or conceal hacking attempts).
Modems connect computers to the Internet and to private networks, but those
connections could be susceptible to compromise or attack. As explained
earlier, modems can be used to circumvent the security provided by your
organization's firewall and other security devices. Modems can provide direct
access to a system on a network and potentially be used to access other
systems on that network. Exploited modem dialing software can be used to
erase hard drives or cause the modem to dial emergency services, for example.
To protect your network from modem exploits, follow these procedures:
Remove all unnecessary modems from computers on your network.
Check for software updates for all computers that must have modems.
Monitor security bulletins from modem vendors for newly discovered security
gaps and apply software patches as soon as they are available.
Isolate computers configured with modems to limit the damage that can be
caused by those systems should the modem be compromised.
Monitor computers with modems regularly to ensure they have not been