
A simple Q on network security


peter-h:
Let's say you have an ADSL line, ADSL modem, NAT router, a 16 port unmanaged switch.

Fairly common except of course most consumer routers combine the modem and the router.

Internal LAN is say 192.168.50.1 onwards and you have a load of devices on that, both fixed IP and DHCP.

Due to NAT, there is no way for somebody to place packets on that internal LAN. Well, only if they can find an open NAT channel. The router closes these after 180 seconds.

Now let's say you configure the router to route a second subnet onto the internal LAN. The router is a "high end" (funny name for a Chinese box full of bugs :) ) Draytek.

Now, if say you have a device on the LAN which responds to 100.101.102.103 then packets sent to that public IP will be placed on the internal LAN. And every device on the LAN potentially sees them. But in theory no other device will respond because they don't recognise that IP.

There is a security hazard, via malformed packets, etc.

But... the LAN is implemented via a 16 port switch. Surely, a switch (as opposed to a hub) builds a mapping table of IP versus port and, after a while of getting itself sorted out, it sends packets only to the devices being addressed. Only broadcast packets (255.255.255.255) get sent to everybody. Is this correct?

How would an attacker attack such a network?

Unfortunately the router doesn't have a facility for putting the 2nd subnet out on a separate RJ45.

Incidentally I don't think a Draytek firewall works on a 2nd subnet...

steenerson:
Unmanaged switches and home networking equipment in general (besides routers) don't know or care about IPs (layer 3); they work at the MAC address / layer 2 level, where packets just have source and destination MAC addresses. The switch associates MACs with ports to know where to send packets, which happens right when the port lights up; it doesn't take time to learn. Only certain things like multicasts should show up on all ports on a switched network, unlike hubs with all traffic mirrored on all ports.

If a device is on your local subnet and responding to a public IP, if local devices try to access that same IP they will:

1. Look up the IP in their routing table, and should find nothing more specific than their default route (0.0.0.0/0), which is generally the router, so they send packets to the router.
2. The switch only checks source and destination MACs, so they should be sent only to the router and not directly to the local 100.101.102.103 device.
3. The router gets the packets, and routes them according to its routing table. If you give the router a second IP on the internal port in the same subnet (say, 100.101.102.102) it should be possible to route traffic to it.

VLANs would be the proper way to secure this, if your equipment supports it.
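As an added illustration of points 1 and 2 above (this is not code from the thread or from any vendor): a toy learning switch that forwards on MAC addresses only, plus a host's longest-prefix-match route lookup. The MAC addresses, port numbers and the PC's routing table are constructed for the example; the public IP 100.101.102.103 and the 192.168.50.x LAN are the ones discussed in the thread.

```python
import ipaddress

# Constructed sample topology (not from the thread): MACs are invented.
ROUTER_MAC = "aa:aa:aa:aa:aa:01"
PHONE_MAC = "aa:aa:aa:aa:aa:02"   # LAN device answering on public 100.101.102.103
PC_MAC = "aa:aa:aa:aa:aa:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Unmanaged switch model: learns source MAC -> port, never looks at IP."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}  # MAC -> port, filled from the source MAC of each frame

    def forward(self, in_port, src_mac, dst_mac):
        self.cam[src_mac] = in_port  # learned the moment a frame arrives
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return self.ports - {in_port}  # broadcast / unknown unicast: flood
        return {self.cam[dst_mac]}  # known unicast: exactly one port


def next_hop(routes, dst_ip):
    """Host routing decision: longest-prefix match; default route is /0."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def simulate():
    """PC on the LAN sends to the public IP; return (next hop, egress ports)."""
    sw = LearningSwitch(ports=[1, 2, 3])
    # Each host has already sent a broadcast (e.g. ARP), so all MACs are learned.
    for port, mac in ((1, ROUTER_MAC), (2, PHONE_MAC), (3, PC_MAC)):
        sw.forward(port, mac, BROADCAST)
    # PC's table: 192.168.50.0/24 is on-link, everything else via the router.
    pc_routes = [("192.168.50.0/24", "on-link"), ("0.0.0.0/0", "192.168.50.1")]
    via = next_hop(pc_routes, "100.101.102.103")
    # 100.101.102.103 is not on-link, so the frame is addressed to the router's MAC.
    dst_mac = ROUTER_MAC if via == "192.168.50.1" else PHONE_MAC
    return via, sorted(sw.forward(3, PC_MAC, dst_mac))
```

Running `simulate()` shows the frame leaving only on the router's port (1), never on the phone's port (2), which is what point 2 above says: the switch decides by MAC, and the host's route lookup sends the packet to the router.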

mk_:

--- Quote from: peter-h on February 15, 2020, 11:17:19 am ---
But... the LAN is implemented via a 16 port switch. Surely, a switch (as opposed to a hub) builds a mapping table of IP versus port and, after a while of getting itself sorted out, it sends packets only to the devices being addressed. Only broadcast packets (255.255.255.255) get sent to everybody. Is this correct?
--- End quote ---

No, a switch sees and acts on MAC addresses; IP addresses are ignored.

--- Quote from: peter-h on February 15, 2020, 11:17:19 am ---
How would an attacker attack such a network?
--- End quote ---

Your hacker doesn't need to "attack"; he is walking through the Draytek as you do when a door is wide open to welcome you.

mansaxel:

--- Quote from: peter-h on February 15, 2020, 11:17:19 am ---
How would an attacker attack such a network?
--- End quote ---

The hacker gets you or another user on the internal network to execute a trojan payload that opens an outgoing connection that the "firewall" will happily accept, NAT and forward.

Via this connection, other payloads are downloaded, placed in harder-to-eviscerate positions (with autostart, and in competent cases, on things like management and restore partitions, so that they will get reinstated also after you've panicked and reinstalled everything).

Then the mapping of internal network resources including the management traffic to the "firewall" and your internal NAS's shares will start for real, including search for further persisting methods and interesting resources.

Why? Because your computers come with a broadband connection and free power. That, in volume, is a commodity worth having access to. People pay places like Amazon, Google and Microsoft good money to get computer time in the cloud. Here, they don't pay, and there are no terms of service, so storing contraband or mining cryptocurrency is all right. 

You are liable to get hit regardless of who you are, so saying "I'm not interesting and I've got nothing to hide" is only self-deception.

peter-h:
The Draytek (2955) supports VLANs but I can see no way to configure them. It looks like an orphan / fossil function. This is the only area where I see any reference to VLANs.

As you see, I enabled the feature, suspecting that perhaps one has to enable it here in order to expose config elsewhere. Here
https://www.draytek.co.uk/information/our-technology/vlans
under VLANs they show a config like above but with extra config to the right of it. Bizarre!!

Reading more, it looks like this is what it does (not sure if this URL is publicly accessible without registration)
https://www.draytek.co.uk/support/guides/kb-vigor-vlan?highlight=WyJ2bGFuIl0=&return=9511632

This is the relevant bit

Basically it seems to be like client isolation in wifi APs. But no way to tie specific ports (RJ45s) to, say, the 2nd subnet.

Could a managed switch help? For example the router has two public IPs. One is the one which is NATed and is generally used for outgoing traffic. The other is a subnet, say 100.101.102.103 and the next, say, 5 IPs.

The NATed one seems secure. Yes I know you can plant a trojan (via email, etc) which then makes outgoing connections, but that's another debate.

I would like to prevent packets arriving to the public IPs 100.101.102.103 etc being sent to everything on the internal LAN. I don't think there is any way anybody can *address* the devices on that LAN (e.g. no way to address 192.168.50.45 from the outside); is this correct? But the packets are present on the physical layer, so a malformed packet exploit would work.

Would a managed switch work? I have a Netgear JGS542E kicking around. It appears to support VLANs, based on port numbers.

The router has a firewall, which is set up to allow traffic to the subnet IPs to go to those devices only (they happen to be VOIP phones) but I don't think this is working properly, because the log in the phones shows "invalid packet" errors from various Chinese IPs, so some stuff is coming through.

I don't want to change the router because it has a load of complex VPN etc config on it. We bought a "Cisco-labelled" £1000 one a year ago and after a day we gave up and sent it back...
