Continuing the outside-in approach to security, once you make it past all the routers, firewalls and Demilitarized Zones (DMZ) you eventually come upon the local area network, or LAN for short. Stop! Hold it! Router? DMZ? Why didn't this stuff get covered? How can we possibly move on when I just mentioned two things that were not covered on the way in from the Internet?
The short answer is that they were covered, just not spoken about directly. As I mentioned during Part 3, a firewall is a specialized router. If you are using a router as part of your security approach, you are using it as a firewall. As to the whole DMZ thing, well that is just the area of a network that lies between the Internet and your local network. This is usually the "optional" network port off of a firewall or, ideally, the space between an external firewall and an internal firewall. There. Happy now?
For the majority of computer networks out there, your entire network is your LAN. A good chunk of companies have wide area networks (WAN) of one flavor or another, but with technology the way it is these days, the wide part has gotten really thin. Without a geographic map for a guide, it has become increasingly more difficult to tell the difference between a local resource and a remote resource. In effect, a WAN should be treated as just another segment of your LAN.
You might have noticed that the word segment was a link up there. That's because segment is an important word when it comes to LAN security and I wanted to make sure everyone knew what it meant. The first definition listed will do. A segment is just a section or part of the whole. Nothing overly technical about that. It is important because segments are what help secure a LAN.
In order to understand this, we need to delve into a little technical mumbo-jumbo. All networks have some sort of addressing scheme; Internet Protocol (IP) addressing is the most common (FYI, there is NO SUCH THING as TCP/IP addressing, there is only IP addressing), so we will use IP addressing for this example. Every device on a network has some sort of address attached to it, again, usually an IP address. In order to talk to a device from your computer, you need to have that device's IP address. With me so far?
There are three main ways to get a device's IP address. The most common method is resolution through the Domain Name System (DNS). DNS is the IP address resolution method of the Internet and of most networks. It basically works like calling telephone directory information to get a phone number: your computer knows to dial 411 when it needs an address, and the DNS server is the operator that answers 411 and tells your computer what the IP address is for a given device.
A second, older method of getting an IP address for a device is through WINS resolution. WINS has been made obsolete by DNS, but there are some networks out there that continue to use it for one reason or another. WINS works in the same way as the DNS-operator analogy above.
The last method for your computer to find an IP address (that it does not already know) is to send out a broadcast. Most network communications are unicast, meaning one device to one device, basically like a normal phone call. A broadcast is a scream out to an entire network segment, meaning one device to every device. It is comparable to a mom in the grocery store whose 4 year old has wandered off to the cereal aisle. Everyone knows little Timmy is missing.
Broadcasts might be good for finding little Timmy in a grocery store, but on a network they tend to be bad. When mom screams out "Timmy" in that oh-so-shrill voice of hers, EVERYONE stops what they are doing and looks up. Broadcasts on a network are the same way: every device has to take a moment to recognize the broadcast and either ignore it or respond. The primary security problem is in that response (notice I did say primary, though).
We'll use another example to see exactly what the problem with that response is. In this example Timmy is a little mentally slow (all the screams from his mom melted his brain), but he is carrying a knapsack with $1,000,000.00 in it (Timmy is very strong). Timmy is someplace in a clothing store; in order to get that cool million bucks you just need to find Timmy. Clothing stores are generally wide open areas, with little to block sound, so when you yell out, "Timmy," he is going to respond back with a nice loud, "Here!" As I said, he is a little mentally slow, so he'll respond to anyone saying his name. One million dollars in the bank later and you are a happy camper.
Now what if Timmy was someplace in a multi-floor, multi-company office building? Walk through the front door, yell out for the kid, and you are not getting anywhere. Oh, you might get really lucky and find him standing there in the lobby, one finger in his nose, the other scratching who-knows-what; but given the number of floors, companies and rooms, the odds are against you. Makes it a lot more difficult to find that million dollar prize. Also, the more you wander the building yelling out for Timmy, the more likely someone is going to take notice and have you escorted away by security.
Relating Timmy's story back to your network, if your LAN is one big happy segment (the clothing store) with all the devices on that same segment and a hacker gets onto your LAN, it makes his life really easy to find the million dollars by using broadcast shout outs. If you divide your network up into multiple segments (the office building), you just made the hacker's job a lot more difficult. Just like with the office building, the more the hacker has to wander your network to find something, the better the chance of getting caught or, at the very least, leaving a nice trail of breadcrumbs back to them.
The second security problem with broadcasts is that everyone looks up to see mom screaming before ignoring her again. It is only an instant of time, but imagine if the grocery store was full of 1000 screeching mothers looking for Timmy. Not much shopping is going to get done in that grocery store. That is the equivalent of a broadcast attack on a LAN. Not very common, but it has happened and will bring a network to a screeching (pun intended) halt. Segmentation helps with this as well.
The better you can isolate sections of your network from one another, the more secure your LAN becomes. This is done by using subnets, which is the IP addressing way of breaking up a network into segments. You can think of a subnet as a telephone area code, limiting which numbers are available before you have to change to another area code. In order to do this, and make it count, you will have to use switches instead of hubs (if you are not already). You will also need to ensure your switches are not forwarding broadcast packets from one subnet to another (which is usually the default behavior), but are set to relay DHCP requests to a DHCP server where needed.
Subnets can be either physically separate networks or, more practically, Virtual LANs (VLANs). In the physical world, you would decide that everything attached to Switch-A belongs to Subnet-A, Switch-B to Subnet-B, etc., and then place some type of routing device between each. That can mean a lot of pieces of physical hardware. Explaining VLANs fully is a bit beyond the scope here, but using VLANs (which most modern switches support) you divide each switch into multiple subnets based on different criteria, usually the port a device is plugged into (untagged ports) or a VLAN tag carried in the frames themselves (tagged ports). Because VLANs do not need tons of extra hardware, they are a much more practical approach to segmentation.
Through proper network segmentation you can not only provide a more secure LAN, but also speed up traffic across your network. If you know accounting uses only one server and little else, you can move that server directly onto the accounting subnet. You can also control what information a DHCP server passes to each subnet, letting you set everything from which DNS server a given subnet uses to stopping Internet traffic for one particular subnet. Combine that with the broadcast scenarios above and segmentation becomes a very good thing for increasing your LAN security.
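To put numbers on the "clothing store versus office building" argument, here is an added example (my code, not part of the original post) that models the same six devices first as one flat /16 and then as one /24 per department, and counts how many hosts a single broadcast reaches in each layout. The host names and addresses are constructed for illustration.

```python
"""Added example: how subnetting shrinks the reach of a broadcast."""
import ipaddress
from collections import defaultdict


def broadcast_domains(hosts):
    """Group hosts (name -> 'ip/prefix') by the subnet they sit in.
    Every host in one group sees every broadcast sent by the others;
    a broadcast does not cross into another group without a router."""
    domains = defaultdict(set)
    for name, cidr in hosts.items():
        domains[ipaddress.ip_interface(cidr).network].add(name)
    return dict(domains)


def broadcast_reach(sender, hosts):
    """Names of the hosts that receive a broadcast from `sender`
    (the sender itself excluded)."""
    net = ipaddress.ip_interface(hosts[sender]).network
    return {n for n, c in hosts.items()
            if n != sender and ipaddress.ip_interface(c).network == net}


def same_segment(a, b, hosts):
    """True when hosts a and b share a broadcast domain."""
    return (ipaddress.ip_interface(hosts[a]).network
            == ipaddress.ip_interface(hosts[b]).network)


# Constructed inventory: the same six devices as one flat /16 ...
FLAT = {
    "acct-pc":  "10.0.1.10/16",
    "acct-srv": "10.0.1.20/16",
    "eng-pc":   "10.0.2.10/16",
    "eng-srv":  "10.0.2.20/16",
    "guest-pc": "10.0.3.10/16",
    "printer":  "10.0.3.50/16",
}
# ... and then split into one /24 per department (one VLAN per subnet).
SEGMENTED = {name: cidr.replace("/16", "/24") for name, cidr in FLAT.items()}

if __name__ == "__main__":
    for label, inv in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{label}: {len(broadcast_domains(inv))} broadcast domain(s)")
        print("  a broadcast from guest-pc reaches",
              sorted(broadcast_reach("guest-pc", inv)))
```

In the flat layout a broadcast from the guest PC reaches every other device, including the accounting server; after segmentation it reaches only the printer on the guest subnet.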
Wednesday, April 15. 2009
Computer Security 101 - Part 4 - LAN