Design Your Home and Office Network to Protect Against Network Attacks Using Network Isolation
Network Isolation
Network isolation means physically or logically separating devices onto separate networks and restricting how those devices can communicate with each other.
Why do we need Network Isolation?
Untrusted devices on the network can be used to propagate attacks; network isolation limits how far such an attack can spread.
Our networks often contain Internet of Things (IoT) devices such as TVs and set-top boxes. All of these devices may be connected to our network, and they are typically very immature in terms of security.
IoT devices connected to our network can become attack targets. IoT devices and other untrusted devices should therefore be placed on a separate physical, logical or Wi-Fi network so that they cannot propagate an attack to other devices.
If an attacker successfully gains control over our network, or over a device connected to it, the attacker can perform the following tasks:
- Local traffic sniffing and snooping: simply recording and observing the traffic that crosses the network.
- Man-in-the-middle attacks, in which the attacker injects and manipulates network traffic.
Network isolation mitigates these attacks by confining them to the segment on which the compromised device sits.
Switches
A switch is a networking device. A switch in an Ethernet-based LAN reads the destination information in incoming frames as they arrive on one or more input ports, and uses it to decide which output port(s) will forward the data toward its intended destination. A switch works at the data link layer, i.e. layer 2. It keeps a table of Ethernet MAC addresses, called the MAC table, and uses this table to forward traffic within the local area network (LAN). Once data is travelling inside the LAN, IP addresses are no longer consulted; MAC addresses are used to deliver the traffic to its destination on the LAN. IP addresses come into play only when traffic has to cross a routing device, for example to reach the internet. Switches are more intelligent and more secure than hubs: a hub repeats every frame to every port, whereas a switch forwards a frame only to the port on which the destination MAC address was learned.
Communication inside a local area network (LAN) is carried out using MAC addresses, not IP addresses. A host that knows only the IP address of its peer therefore has to translate that IP address into a MAC address first, and this is the job of ARP.
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a protocol which resolves an IP address to a MAC address, i.e. a network layer IP address to a data link layer MAC address. A table, usually called the ARP cache, is used to maintain the correlation between each MAC address and its corresponding IP address.
How does ARP work?
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
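The cache-first, broadcast-on-miss procedure above, modelled as a small simulation. This is an added example and not code from the original post; the hosts, IP addresses and MAC addresses in it are constructed for illustration, and the `Lan`/`Host` classes are a toy model rather than any real ARP implementation.

```python
"""Toy model of ARP resolution on one LAN segment (added example, not from the post).
All hosts and addresses below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    mac: str
    # Per-host ARP cache: IP address -> MAC address
    arp_cache: dict = field(default_factory=dict)

    def handle_request(self, target_ip: str):
        """Answer an ARP 'who-has' request only if the asked-for IP is our own."""
        if target_ip == self.ip:
            return (self.ip, self.mac)  # the 'is-at' reply
        return None


class Lan:
    """A broadcast domain: every ARP request reaches every attached host."""

    def __init__(self):
        self.hosts = []
        self.broadcasts = 0  # how many requests actually had to be broadcast

    def attach(self, host: Host):
        self.hosts.append(host)

    def resolve(self, requester: Host, target_ip: str):
        """Return the MAC address for target_ip as seen by requester.

        Step 1: consult the requester's ARP cache.
        Step 2: on a miss, broadcast a request to every other host on the LAN.
        Step 3: cache whichever reply arrives and return it."""
        if target_ip in requester.arp_cache:
            return requester.arp_cache[target_ip]
        self.broadcasts += 1
        for host in self.hosts:
            if host is requester:
                continue
            reply = host.handle_request(target_ip)
            if reply is not None:
                ip, mac = reply
                # ARP carries no authentication: the answer is trusted and cached as-is,
                # which is the property ARP poisoning abuses.
                requester.arp_cache[ip] = mac
                return mac
        return None  # nobody on the segment owns that IP


def demo():
    """Constructed segment: a gateway and one workstation (addresses are made up)."""
    lan = Lan()
    gateway = Host("192.168.1.1", "aa:bb:cc:00:00:01")
    pc = Host("192.168.1.10", "aa:bb:cc:00:00:10")
    lan.attach(gateway)
    lan.attach(pc)
    first = lan.resolve(pc, "192.168.1.1")    # cache miss -> broadcast
    second = lan.resolve(pc, "192.168.1.1")   # cache hit -> no broadcast
    unknown = lan.resolve(pc, "192.168.1.99")  # no owner -> None
    return {
        "first": first,
        "second": second,
        "unknown": unknown,
        "broadcasts": lan.broadcasts,
        "cache": dict(pc.arp_cache),
    }


if __name__ == "__main__":
    print(demo())
```

The `broadcasts` counter makes the cache visible: the second lookup of the same IP is served from the cache, so only one request ever hits the wire.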
ARP Poisoning
ARP poisoning is an attack in which the ARP cache of the target system is modified by an attacker. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of the attacker's MAC address with the IP address of a legitimate computer or server on the network. Such an attack can lead to man-in-the-middle attacks, denial of service, MAC flooding, etc. Some of the tools used to perform ARP poisoning are arpspoof, ettercap and Cain & Abel.
Designing a Home and Office Network to Protect from Network Attacks
Now we will see how we can design our home or small office network to protect it from network attacks by using network isolation. The very first thing to consider is to have a separate routable network for devices of each different level of trust; with this we achieve network isolation, and it can be done using a router/firewall (the router and firewall can be the same device), a switch and also a wireless access point.
In the above figure we have five networks, A, B, C, D and E. Network A is the Demilitarized Zone (DMZ), network B is the trusted VLAN, network C is the untrusted VLAN, network D is the semi-trusted Wi-Fi network and network E is the untrusted guest Wi-Fi network.
DMZ Network
DMZ stands for Demilitarized Zone. The DMZ is an area of your local (home or corporate) network that is accessible from the outside (the internet). Typically, a home router has a configuration option that allows you to specify which computer (IP) is in the DMZ, and the router will forward requests from the internet to that computer. That computer can then host services (HTTP, FTP, SSH) that will be available to the internet. Depending on the router, this will be more or less configurable.
The DMZ is a special network for devices that need port forwarding, in other words devices that need inbound connections from the internet. Because they are directly reachable from the internet they are more at risk and need more attention, so they are placed in the DMZ. It can be any device which needs a direct connection from the internet: a web server, an IoT device, a CCTV system or a webcam, etc.
To implement this network we connect it directly to the router/firewall with an Ethernet cable and assign it its own network, as in the example above, i.e. 192.168.1.0/24.
- The devices in the DMZ will be blocked from making outbound connections into any of the internal networks.
- The DMZ devices will only be allowed to accept inbound connections from the internet, which is enforced on the firewall/router.
Virtual LANs (VLANs)
Virtual LANs (VLANs) are commonly used to isolate networks. VLANs are a logical separation of networks instead of a physical separation. A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). One switch can be used to create several VLANs, or virtual networks. In the figure above we have VLANs called the trusted VLAN and the untrusted VLAN, so attacks such as man-in-the-middle can only be performed inside the untrusted VLAN. If the network is configured correctly, devices in the untrusted VLAN will have no idea that the other networks exist. Hence with the help of VLANs we can have separate trusted and untrusted networks.
The devices in the untrusted VLAN will not be allowed to make outbound connections to any of the other VLANs; they will only have direct internet access.
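A way to write down the inter-zone rules stated for the DMZ and the untrusted VLAN as a checkable policy, covering the five networks A to E from the figure. This is an added example, not configuration from the post or from any particular router/firewall product. Only the DMZ subnet 192.168.1.0/24 comes from the text; the other subnets, the forwarded ports, the TEST-NET address used as "the internet", and the rules for the trusted, semi-trusted and guest zones are assumptions chosen for illustration.

```python
"""Zone-based, default-deny policy for the five-network layout (added example, not
from the post). Only the DMZ subnet is taken from the text; everything else is assumed."""
import ipaddress

ZONES = {
    "A-DMZ": ipaddress.ip_network("192.168.1.0/24"),        # from the post
    "B-TRUSTED": ipaddress.ip_network("192.168.2.0/24"),    # assumed subnet
    "C-UNTRUSTED": ipaddress.ip_network("192.168.3.0/24"),  # assumed subnet
    "D-SEMI-WIFI": ipaddress.ip_network("192.168.4.0/24"),  # assumed subnet
    "E-GUEST-WIFI": ipaddress.ip_network("192.168.5.0/24"), # assumed subnet
}

# Ports forwarded from the internet to the DMZ (assumed: a web server).
DMZ_INBOUND_PORTS = {80, 443}

# Which zones a NEW connection may be opened to, per source zone. A stateful firewall
# lets the replies flow back, so only the initiating direction is listed.
POLICY = {
    "B-TRUSTED": {"A-DMZ", "C-UNTRUSTED", "D-SEMI-WIFI", "E-GUEST-WIFI", "INTERNET"},  # assumed
    "D-SEMI-WIFI": {"A-DMZ", "INTERNET"},  # assumed: may use published DMZ services
    "C-UNTRUSTED": {"INTERNET"},           # from the post: direct internet only
    "E-GUEST-WIFI": {"INTERNET"},          # assumed: same treatment as the untrusted VLAN
    "A-DMZ": {"INTERNET"},                 # from the post: nothing outbound into internal zones
    "INTERNET": {"A-DMZ"},                 # from the post: inbound only reaches the DMZ
}


def zone_of(ip):
    """Map an address to its zone; anything outside the local zones is 'INTERNET'
    (assumption: no other private ranges are in use)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def allowed(src_ip, dst_ip, dst_port):
    """Default deny: a new flow is permitted only if an explicit rule covers it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same segment: switched locally, the firewall never sees it
    if dst not in POLICY.get(src, set()):
        return False
    if dst == "A-DMZ" and src != "B-TRUSTED":
        return dst_port in DMZ_INBOUND_PORTS  # only published services, even from Wi-Fi
    return True


def host_in(zone):
    """First usable address of a zone, used as a representative host in checks."""
    return str(next(ZONES[zone].hosts()))


INTERNET_HOST = "203.0.113.10"  # constructed (TEST-NET-3 documentation range)


def audit():
    """Verify the rules the post states hold for every zone pair; return violations."""
    problems = []
    for z in ZONES:
        if z != "A-DMZ" and allowed(host_in("A-DMZ"), host_in(z), 445):
            problems.append(f"DMZ can open connections into {z}")
        if z != "A-DMZ" and allowed(INTERNET_HOST, host_in(z), 22):
            problems.append(f"internet can reach internal zone {z}")
        if z != "C-UNTRUSTED" and allowed(host_in("C-UNTRUSTED"), host_in(z), 445):
            problems.append(f"untrusted VLAN can reach {z}")
    if not allowed(INTERNET_HOST, host_in("A-DMZ"), 443):
        problems.append("published DMZ service is not reachable from the internet")
    if allowed(INTERNET_HOST, host_in("A-DMZ"), 22):
        problems.append("internet can reach a non-forwarded DMZ port")
    return problems


if __name__ == "__main__":
    print("violations:", audit() or "none")
```

`audit()` is the part worth keeping around: whenever a rule in `POLICY` is edited, it re-checks the two invariants the post asks for (DMZ never initiates into internal networks; the untrusted VLAN reaches only the internet) instead of relying on reading the table by eye.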
Instead of a logical separation of networks we can also have a physical separation, where more than one switch is used, but this is more expensive and places a greater burden on administration.
Some more techniques to mitigate network attacks
- We can install ARP protection software on our laptops or desktops. Some tools are netcut, texcut (available for Linux devices), sniffdet, xarp and arpwatch (available for Linux). On a router/firewall, arpwatch or an equivalent service may also be available; for example arpwatch is available on pfSense, and it helps to mitigate ARP attacks by reporting changed IP-to-MAC bindings.
- It is possible to use static ARP entries. These are permanent entries in the ARP cache instead of dynamic ones; dynamic entries can be spoofed, while static entries have to be maintained by hand whenever a device or its network card changes.
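Both mitigations above come down to the same check: compare the IP-to-MAC bindings you observe on the wire with the bindings you expect. The following is an added example in the spirit of arpwatch's "changed ethernet address" reports combined with a list of pinned (static) bindings; it is not arpwatch's own code nor code from the post. The expected bindings and the stream of ARP reply observations are constructed, and the addresses are made up.

```python
"""ARP-binding monitor: arpwatch-style change detection plus a static-binding check
(added example, not from the post or arpwatch). All data below is constructed."""
from collections import defaultdict

# Bindings we pin as static ARP entries on our hosts (assumed: a gateway and a printer).
EXPECTED = {
    "192.168.2.1": "aa:bb:cc:00:00:01",   # assumed gateway
    "192.168.2.20": "aa:bb:cc:00:00:20",  # assumed printer
}

# Constructed observations of ARP replies on the segment: (time, sender IP, sender MAC).
# At t=4 and t=6 the gateway's and printer's IPs are answered for by the MAC of .50.
OBSERVATIONS = [
    (1, "192.168.2.1", "aa:bb:cc:00:00:01"),
    (2, "192.168.2.50", "aa:bb:cc:00:00:50"),
    (3, "192.168.2.20", "aa:bb:cc:00:00:20"),
    (4, "192.168.2.1", "aa:bb:cc:00:00:50"),
    (5, "192.168.2.50", "aa:bb:cc:00:00:50"),
    (6, "192.168.2.20", "aa:bb:cc:00:00:50"),
]


def analyze(observations, expected=EXPECTED):
    """Return a list of (kind, time, subject, detail) alerts.

    kinds: new-station           an IP seen for the first time (informational)
           changed               an IP whose MAC differs from the last one recorded
           static-mismatch       an IP with a pinned binding answered by another MAC
           mac-claims-multiple-ips  one MAC now answering for several IPs"""
    last_mac = {}                    # ip -> most recently observed MAC
    ips_by_mac = defaultdict(set)    # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in expected and expected[ip] != mac:
            alerts.append(("static-mismatch", ts, ip, f"expected {expected[ip]}, saw {mac}"))
        if ip not in last_mac:
            alerts.append(("new-station", ts, ip, mac))
        elif last_mac[ip] != mac:
            alerts.append(("changed", ts, ip, f"{last_mac[ip]} -> {mac}"))
        last_mac[ip] = mac
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        if before >= 1 and len(ips_by_mac[mac]) > before:
            alerts.append(("mac-claims-multiple-ips", ts, mac, sorted(ips_by_mac[mac])))
    return alerts


def summarize(alerts):
    """Count alerts per kind so a quick glance shows whether anything suspicious happened."""
    counts = defaultdict(int)
    for kind, *_ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(OBSERVATIONS):
        print(alert)
    print(summarize(analyze(OBSERVATIONS)))
```

On a quiet network the only output is a handful of `new-station` lines when devices first appear; a `changed` or `static-mismatch` alert on the gateway's IP is the signal worth waking someone up for, and `mac-claims-multiple-ips` is the pattern that distinguishes one host impersonating several from a legitimately replaced network card.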
Advanced Options
Some advanced options are less likely to be available on simple devices; higher-end devices are needed to support these technologies.
- On our router, firewall or switch we can look for functionality called port protection or port security.
- 802.1AE is the IEEE MAC Security standard (also known as MACsec), which defines connectionless data confidentiality and integrity for media-access-independent protocols. It is standardized by the IEEE 802.1 working group. The 802.1AE standard specifies the implementation of MAC Security Entities (SecY) that can be thought of as part of the stations attached to the same LAN, providing a secure MAC service to the client.
- IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.
- On Cisco devices, DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. Other security features, such as dynamic ARP inspection (DAI), also use the information stored in the DHCP snooping binding database.
- Where security concerns are higher, VPNs can be used on the local network to connect to local devices.
- For Wi-Fi, AP isolation can be enabled and multiple SSIDs can be used on the same access point. This provides Wi-Fi isolation and security.