Security Laboratory: Networking
This networking series will help the computer security manager understand the basics of an Internet Protocol network and give them the tools to help them manage those networks effectively.
Ethernet Security Considerations
Aug 3rd, 2007
By Stephen Northcutt
For a security manager, the most important media access protocol is
Ethernet, defined by the IEEE 802.3 standards. If you have a Local Area Network
with physical media, the odds are it runs Ethernet. "In recent years,
Wi-Fi, the wireless LAN standardized by IEEE 802.11, has been used
instead of Ethernet for many home and small office networks and in
addition to Ethernet in larger installations."[1]
History of Ethernet
Ethernet has its roots in the 1970s in a radio experiment called
ALOHAnet, developed under the direction of Norman Abramson at the
University of Hawaii.[2] And at about the same time, Xerox
Corporation created a LAN with a data rate of 3 Mbps using a Carrier
Sense Multiple Access Collision Detect protocol (CSMA/CD). In
1980 the 10-Mbps Ethernet Version 1.0 specification was jointly
released by Digital Equipment Corporation, Intel Corporation, and Xerox
Corporation. This was picked up by IEEE and became the 802.3 standard
in 1983.[3]
Basics of Ethernet
Ethernet is a standards-based media access protocol. It operates at a
very low level: it is the signaling layer on the media, and it is concerned with connecting the computer to the
LAN media. As we continue to study how networks work and how to manage
them, we will layer several additional protocols on top of Ethernet in
order to actually accomplish something useful on our networks.
Ethernet's primary job is to move data around the network at the
electrical or optical level.
Ethernet is a short-range protocol. It will get you from Host to
Router, Router to Router, and possibly even Host to Host if both hosts are
on the same Ethernet segment. Media Access Control (MAC) addresses, which
the manufacturer assigns to the Ethernet card, are used by
Ethernet to manage these short-range connections.
A chunk of data transmitted by Ethernet over the wire is called a
frame; when we talk about frames, we generally mean something that we
would analyze with optical or electrical tools such as oscilloscopes. When
we talk about packets, we mean the logical representation of the
same information that a frame carries. On an Ethernet network, only a single
node should be transmitting a frame at any time. If multiple
systems are transmitting simultaneously, a collision will occur, which
can cause both signals to fail and require the systems to retransmit
their frames. To keep the number of collisions to a minimum, a system
is required to check whether anyone else is already transmitting before
placing a frame on the wire. If another system's signal is
already on the wire, the system is expected to listen, identify that
traffic is on the wire, and wait according to an algorithm designed to
give each node a fair shot at using the network. If the line is
clear, the system generates the signals required to send a packet and monitors the transmission to
make sure there was no collision. These properties are summarized
under Ethernet's designation as a Carrier Sense Multiple
Access/Collision Detection (CSMA/CD) protocol.
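The collision handling just described, worked through as an added example that is not code from the original article: a small Python model of the truncated binary exponential backoff that 802.3 uses after a collision, where each node waits a random number of slot times drawn from a range that doubles after every collision (capped at 1023 slots) and discards the frame after 16 attempts. The slot-by-slot simulation and the node numbering are constructed for illustration.

```python
import random

SLOT_TIME_US = 51.2      # 802.3 slot time at 10 Mbps: 512 bit times
MAX_ATTEMPTS = 16        # after the 16th collision the frame is discarded
BACKOFF_CEILING = 10     # the random range stops doubling after 10 collisions

def backoff_range(collisions: int) -> int:
    """Largest slot count a node may wait after its n-th consecutive
    collision on one frame: 2**min(n, 10) - 1 (truncated exponential backoff)."""
    if collisions < 1:
        raise ValueError("backoff applies only after a collision")
    return 2 ** min(collisions, BACKOFF_CEILING) - 1

def choose_backoff_slots(collisions: int, rng: random.Random):
    """Random slot delay before the next attempt, or None once the node has
    used its 16 attempts and must give up on the frame."""
    if collisions >= MAX_ATTEMPTS:
        return None
    return rng.randint(0, backoff_range(collisions))

def simulate_contention(n_nodes: int, seed: int = 1) -> dict:
    """Slot-by-slot model of n nodes that all sense an idle wire and begin
    transmitting in the same slot. Returns the total collisions, the order in
    which nodes got a frame through, and any nodes that exhausted 16 attempts."""
    rng = random.Random(seed)
    next_try = {n: 0 for n in range(n_nodes)}      # node -> slot of next attempt
    collisions = {n: 0 for n in range(n_nodes)}    # per-frame collision counter
    order, dropped, total, slot = [], [], 0, 0
    while next_try:
        senders = [n for n, t in next_try.items() if t <= slot]
        if len(senders) == 1:                      # clear wire: frame goes out
            order.append(senders[0])
            del next_try[senders[0]]
        elif len(senders) > 1:                     # collision seen by all senders
            total += 1
            for n in senders:
                collisions[n] += 1
                wait = choose_backoff_slots(collisions[n], rng)
                if wait is None:
                    dropped.append(n)
                    del next_try[n]
                else:
                    next_try[n] = slot + 1 + wait  # sit out the chosen slots
        slot += 1
    return {"collisions": total, "order": order, "dropped": dropped}

if __name__ == "__main__":
    print(simulate_contention(4, seed=7))
```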
Ethernet specifications actually define more than just protocols for
sending signals over the wire. Other properties include cabling
requirements for transferring data at desired rates, and the maximum
length of the wire segment. In addition, Ethernet standards
specify which physical topology should be used for a particular type of
Ethernet communications.
10Base5 Ethernet is dated and rarely seen on modern networks. It
supports the data transfer rate of 10 Mbps and uses coaxial cable that
is laid out according to a physical bus topology, a cable that the
computers connect to at different points along the line. This would
only be seen on a legacy system today and if you find one in your
organization, it would be worth conducting a risk analysis of both the
legacy Ethernet network and the systems connected to it. More
contemporary Ethernet standards, such as 100BaseTX, support a rate of
100 Mbps and often rely on unshielded twisted pair (UTP) cable (in
Europe you might see shielded twisted pair, STP) laid out in a
physical star topology, normally extending from high-speed data
switches. Gigabit Ethernet networks, commonly referred to as "Gig-E",
offer rates of 1000 Mbps over fiber-optic cable or over Category 5,
5 Enhanced, or 6 unshielded twisted pair cabling. Some very high-end
optical networking switches offer speeds of 10,000 Mbps, used for network
backbone connectivity.
The minimum size of the data carried in an Ethernet frame is 46 bytes. Should you have a
shorter packet than that, such as a "ping" packet (ICMP Echo Request /
ICMP Echo Reply), the system should pad the difference between the
short packet and 46 bytes with NULL characters. A NULL character is
simply the value binary zero (all of its bits are set to zero).
Ethernet runs over standard cables/media
The choice of media can have a significant impact on the cost of a
networking installation. A number of factors are involved, including fiber
versus copper, the length of cable runs and environmental exposure.
Historically, fiber has cost more to purchase and install, but the price of copper
is rising fast; it wouldn't seem possible for copper to be priced
higher, but only time and demand will tell. Segments also have maximum
lengths. 10BaseT over category 5 or 6,
the unshielded twisted pair copper wire that accounts for the majority
of installations, has a maximum segment length of 100 meters.[4] In the
same way, since the length of the cable is related to signal timing, there are
also minimum cable lengths for many of the cabling standards. Finally,
if the cable is run through the ceilings and walls of a building,
it must be plenum rated (treated with a fire retardant so that the cable
insulation does not burn and release toxic gases into the building).
If the cable is exposed to the elements, again, it will require
a special casing.
Other Ethernet Security Considerations
"The primary weakness with Ethernet is that it is a broadcast system.
Every message sent out by any computer on a segment of Ethernet wiring
reaches all parts of that segment and potentially could be read by any
computer on the segment."[5] We will be learning about a commonly
deployed device called a network switch that reduces the exposure to
"packet sniffing" when we discuss network components.
In addition, security researchers reported a flaw in the device driver
that runs the Ethernet card: instead of generating nulls, the driver was
padding short frames with data it copied from system
memory. "The researchers suggest that the
easiest way to exploit this vulnerability is to send ICMP echo commands
to a machine running a vulnerable driver, which will then return bits
of kernel memory data to pad the reply. These, in turn, can be searched
for valuable information using a packet sniffer."[6] Though this
vulnerability was reported in 2003, this is the type of error that
tends to continually reappear. It also supports the core axiom of
organizational security. If you want to be secure, your organization
must:
- Configure all operating systems properly and maintain proper configuration at all times
- Assess all network traffic entering and leaving your systems for security problems
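As an added example that is not code from the article or its references, covering both the 46-byte padding rule above and the driver flaw just quoted: a Python frame builder that pads a short IPv4/ICMP packet the correct way, and a check that a capture analyst could run over frames to flag padding that is not all zeros, which is the observable symptom of that flaw. The MAC addresses, the ICMP packet and the `pad_with` parameter that models a faulty driver are constructed for this example.

```python
import struct

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
MIN_PAYLOAD = 46            # minimum Ethernet payload, as the article states
ETHERTYPE_IPV4 = 0x0800

def sample_ping_packet() -> bytes:
    """Constructed sample: 20-byte IPv4 header plus an 8-byte ICMP echo
    request with no data (checksums left at zero; offline illustration)."""
    total_len = 20 + 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)   # type 8 = echo request
    return ip_hdr + icmp

def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes,
                pad_with: bytes = b"\x00") -> bytes:
    """Wrap an IPv4 packet in an Ethernet II frame, padding a short payload up
    to 46 bytes. A correct driver pads with NULs (the default); passing other
    bytes models a driver that copies stale memory into the padding instead."""
    shortfall = MIN_PAYLOAD - len(ip_packet)
    filler = (pad_with * shortfall)[:shortfall] if shortfall > 0 else b""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet + filler

def padding_bytes(frame: bytes) -> bytes:
    """Return the pad region of an IPv4 frame: everything past the point where
    the IP header's total length field says the datagram ends."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet and IPv4 headers")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("this example only inspects IPv4 frames")
    ip = frame[ETH_HDR_LEN:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    return ip[total_len:]

def has_nonzero_padding(frame: bytes) -> bool:
    """True when the pad region holds anything but NUL bytes: the symptom a
    capture analyst would look for to spot the driver flaw described above."""
    return any(b != 0 for b in padding_bytes(frame))

if __name__ == "__main__":
    dst, src = b"\xff" * 6, bytes.fromhex("001122334455")   # constructed MACs
    good = build_frame(dst, src, sample_ping_packet())
    bad = build_frame(dst, src, sample_ping_packet(), pad_with=b"stale-kernel-data!")
    print(len(good), "byte frame, leak in padding:", has_nonzero_padding(good))
    print(len(bad), "byte frame, leak in padding:", has_nonzero_padding(bad))
```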
Ethernet and the wise security manager
Ethernet (and Wi-Fi) is used so much today that we encourage you
to read more about it. The Cisco link below is a great resource. Ask
your network engineers if they are aware of any security considerations
for Ethernet. If they say there are none, ask them to explain what
"broadcast" is.
1. Wikipedia, visited June 27, 2007, http://en.wikipedia.org/wiki/Ethernet
2. Internet-description.com, Alohanet article, visited June 27, 2007, http://www.internet-description.com/a/alohanet.html
3. Cisco.com, Ethernet description, visited June 27, 2007, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm
4. Computer Tech Doc (an Internet collection of computer, security and networking information), Ethernet page, visited June 27, 2006, http://www.comptechdoc.org/independent/networking/guide/nethwethernet.html
5. Oxford University Computing Services, visited June 27, 2007, http://www.oucs.ox.ac.uk/network/ethernet/securenet/index.xml.ID=WPTOHTML1
6. John McCormick, Tech Republic, published 27 Jan 2003, visited June 27, 2007, http://news.zdnet.co.uk/hardware/0,1000000091,2129369,00.htm