The Local Area Network Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Author: Priya Gupta


Introduction

A LAN, or local area network, is a network of computers and network devices like printers connected to each other in a small geographic area such as an office complex, building, or campus.

Local area networks are an essential tool used by organizations to facilitate data and resource sharing and to provide internet and communication services to their users. In a LAN, computers interconnect to share resources such as files, printers and services. The LANs of banks, financial institutions and corporations store a great deal of customer information, such as social security numbers, driver's license details and other sensitive information such as purchasing profiles. LANs not only interconnect computers internally but also connect to the external public network. This connectivity to the internet exposes the LAN to many threats from intruders (nist security handbook). Over the years, although network security has increased, the frequency of attacks on the network has also increased (vacca). In a corporate LAN, securing the data is of paramount importance, as the network is constantly under attack from hackers. Apart from the security threats posed by hackers, there is also the threat of espionage by competing companies. A competitor may hijack resources such as web services or domain name services, leading to denial of service.

When considering LAN security, three objectives should be addressed:

Confidentiality: Only authorized users have access to the network.

Integrity: Data cannot be modified by unauthorized users.

Access: Security must be designed so that authorized users have uninterrupted access to data (vacca).

Threats and Vulnerabilities

An organization's LAN is vulnerable to many threats that, if realized, could result in significant losses. A threat can be a person, such as a trusted employee or an intruder; an object, such as a file or data modification; or a natural disaster event, such as a fire, that, if realized, would cause potential damage to the LAN. Threats can be malicious or accidental. Examples of malicious threats are unauthorized access, corruption of data and disruption of functionality. Accidental threats are errors and omissions caused by users, data entry clerks or programmers (nist handbook). The effect of the various threats varies considerably: some affect the confidentiality or integrity of data, while others affect the availability of a system (handbook). Vulnerabilities are the weaknesses or gaps in the security of information systems that can be exploited by a threat, resulting in loss. This paper lists the various security vulnerabilities in a LAN and the security policies that mitigate them.

Unauthorized LAN Access

Unauthorized access to LAN resources is one of the greatest LAN vulnerabilities. Unauthorized LAN access occurs when someone gains access to LAN resources such as a computer, network or system application without permission. This unauthorized access can be internal or external (an intruder). A password is the most common method of protecting data, systems and networks. An intruder can exploit password vulnerabilities by capturing, guessing or sharing passwords to gain unauthorized access to the network. Poor password management, the lack of an identification and authentication scheme, and storing passwords in a batch file without encryption make the LAN vulnerable to unauthorized access threats. Another vulnerability that unauthorized access can exploit is network access. The network entry and exit points are the most vulnerable network elements. Unauthorized access to network nodes such as switches, hubs or routers on the LAN can be used by an intruder to launch denial of service attacks. The most common threats from the network are the hijacking of resources such as the Domain Name Service, antivirus and web services, leading to DoS or distributed DoS attacks (vacca).

Loss of Data Confidentiality

Confidentiality means providing access to and disclosure of information only to authorized users and preventing access by unauthorized users. In a LAN, data flows from the host computer to the destination. Any intermediate node on the LAN path can read or access the data even though the data is not addressed to it. LAN traffic can be disclosed to an intruder who eavesdrops on the network. Transmitting data in plaintext over the LAN and inadequate protection of LAN devices compromise LAN security (Goodrich). An intruder can eavesdrop on the network to capture passwords and sensitive information using packet analyzer tools.

Lack of encryption of LAN data and messages can cause a breach in data confidentiality. The loss of data confidentiality can cost a company not only financially but also in reputation, resulting in the loss of customers. Improper access control, the lack of a data encryption policy and the open display of monitors or printouts are some of the vulnerabilities that an attacker can use to disrupt an organization's information systems.

Loss of Data Integrity

When unauthorized changes are made to data or software, the result is a loss of data integrity (Fips). Data integrity is critical to any organization that maintains electronic records, including corporations, governmental agencies, non-profit organizations, service groups, medical practices and educational institutions. If the integrity of records is compromised, the impact on the organization could be horrific: financial records being exposed, the theft of customer or client identities, the exposure of strategic initiatives, loss of business, and even the malicious transfer of funds are all potential outcomes when an organization's database technologies are compromised (Hallman, Stahl and Ahmadov). Because LANs have an internet component, they are more vulnerable to malware attacks that affect data integrity. Rootkits alter system files, and computer viruses perform malicious tasks as well as modify files. Because of resource sharing, malware propagates very fast on a LAN.

Spoofing of LAN Traffic

It is important that data transmitted over the LAN is not modified in transit by the LAN itself or by an unauthorized user. LAN users expect that a message sent is received unmodified. Spoofing of LAN traffic involves an attacker masquerading as a legitimate endpoint and sending or receiving messages on the LAN. For example, an attacker can modify the ARP messages sent on a LAN to launch a man-in-the-middle attack. The lack of message authentication or digital signatures, timestamps and identification verification makes the LAN vulnerable to attacks such as ARP spoofing.

Disruption of LAN Functions

A disruption of functionality occurs when LAN functions are not available to an authorized user on a timely basis, leading to substantial loss. A disruption of LAN functionality can occur due to a data buffer overrun in a LAN device, a denial of service attack or hardware failure. The inability to detect unusual traffic patterns, the lack of hardware redundancy and the lack of physical security of LAN hardware make LAN services vulnerable to threats.

LAN Security Management

LAN security management requires a collection of mechanisms, procedures and policies to protect the LAN from unauthorized access, modification or unavailability of the system. This section examines the various security services that help to mitigate LAN vulnerabilities. The security services discussed in this paper are:

Identification and authentication - is the security service that establishes the validity and proof of a LAN user's identity.

Access control - is the security service that restricts access to LAN resources to authorized users.

Data and message confidentiality - is the security service that helps ensure that LAN data, software and messages are disclosed only to authorized users.

Data and message integrity - is the security service that helps ensure that LAN data, software and messages are not corrupted by an unauthorized user during transmission or at reception.

Non-repudiation - is the security service by which the entities involved in a communication cannot deny the authenticity of their signature or sending of message that they originated.

Logging and Monitoring - is the security service by which intrusion can be detected and LAN can be audited for resource availability.

Identification and Authentication

User identification and authentication controls are used to verify the identity of a computer or user before allowing access to the system. Identification involves the identifier or name by which the user is known to the LAN. This is usually an assigned username. However, a LAN user cannot be validated without being authenticated. Authentication is the process of "proving" that the individual is actually the person associated with the identifier. A user can be authenticated using various mechanisms such as passwords, biometrics or tokens. Passwords are the most common authentication method used to control LAN access. An organization must have a password policy established by management to prevent passwords from being guessed or cracked. Password policies such as password expiration, no reuse of passwords and strong password requirements are the first step in the defense of the network.

Password-only mechanisms are vulnerable to password cracking and password capturing attacks. Because of the vulnerabilities that still exist with password-only mechanisms, it is advisable to use two-factor authentication. Two-factor authentication requires a user to provide a password as the first step in authentication and a second piece of evidence, such as a fingerprint. Two-factor authentication usually uses a password or PIN as the first factor and a unique physical token, such as a smart token, as the second factor, with biometrics being the third factor (vacca).

Apart from initial authentication, it is also important to lock devices and computers after a certain period of inactivity (nist handbook). Locking mechanisms help to prevent an unauthorized user from accessing a legitimate user's logged-in session.

Access Control

Access control is the selective restriction of access to a place or other resource. Internal access controls define rules for accessing network resources among the authorized LAN users. A LAN administrator sets the access rights for users in different groups by implementing user profiles, capability lists and access control lists. A LAN administrator also sets policy to ensure that whoever connects to the LAN complies with the minimum requirements of the corporate security policy standards. This ensures that laptops and computers meet the minimum patching level and antivirus definition level before being allowed to connect to the LAN.

External access controls are used to control the interaction between the LAN and an external network such as the internet. An entry point to the LAN is the most vulnerable to intruder attack. Hence, it is important to secure the perimeter router by filtering the traffic passing through it. Routers with firewall capability are the first line of defense against malicious hackers. Firewalls block unwanted traffic by implementing black lists. A firewall can also hide the network topology by implementing network address translation (vacca).

Data and Message Confidentiality

To mitigate the disclosure of data to unauthorized users over the LAN, encryption technologies are used. In encryption, the data is encoded using an encryption algorithm, making it unreadable. The encrypted data is then transferred from the host machine to the destination over the LAN. The destination machine decrypts the data using a decryption key. Encryption makes it difficult for an intruder to capture and analyze data in transit, as the data is in an unreadable format.

Data and Message Integrity

It is very important that the traffic flowing through the LAN is not modified in transit. Unauthorized modification can be intentional or accidental. It is not possible to stop the modification of data, but it is possible to detect the modification using checksums (fips). To protect message integrity, tools such as a message authentication code (MAC) are used. A MAC is a type of cryptographic checksum that accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a tag which is the cryptographic checksum of the key and message (vacca). The sender and receiver both share the symmetric key. After tagging, the sender sends the message to the receiver. The receiver verifies the message by recomputing the tag from the key and the message and comparing the result with the tag it received. If they do not match, an unauthorized modification is assumed; otherwise the message is declared authentic. The data and message integrity service also helps to ensure that a message is not altered, deleted or added to in any manner during transmission.
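The tag-and-verify exchange described above, as an added example that is not part of the original essay. It assumes HMAC-SHA256 as the MAC and also binds a sender identifier and a timestamp into the tagged data, the checks the Spoofing of LAN Traffic section lists as missing; the frame layout, function names, key and 5-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the essay): HMAC-SHA256 as the MAC,
# a 5-second freshness window, and the frame layout used below.
MAX_SKEW = 5   # seconds a message may differ from the receiver's clock
TAG_LEN = 32   # length of an HMAC-SHA256 tag in bytes


def tag_message(key: bytes, sender: str, timestamp: int, payload: bytes) -> bytes:
    """Sender side: frame = len(sender) | sender | timestamp | payload | tag."""
    sid = sender.encode()
    body = struct.pack("!B", len(sid)) + sid + struct.pack("!Q", timestamp) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_message(key: bytes, frame: bytes, now: int):
    """Receiver side: recompute the tag, compare it, then check freshness.

    Returns (sender, payload) if the frame is authentic and fresh, else None.
    """
    if len(frame) < 1 + 8 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None                              # modified in transit or wrong key
    sid_len = body[0]
    if len(body) < 1 + sid_len + 8:
        return None
    sender = body[1:1 + sid_len].decode()
    (timestamp,) = struct.unpack("!Q", body[1 + sid_len:9 + sid_len])
    if abs(now - timestamp) > MAX_SKEW:
        return None                              # stale or replayed frame
    return sender, body[9 + sid_len:]


if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed value, demo only
    frame = tag_message(key, "host-a", 1000, b"quarterly report v2")
    print(verify_message(key, frame, 1002))      # authentic and fresh
    tampered = frame[:20] + b"X" + frame[21:]
    print(verify_message(key, tampered, 1002))   # one byte changed in transit
    print(verify_message(key, frame, 1100))      # same frame replayed later
```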

Non-repudiation

Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data. If two parties are exchanging digital documents such as emails, it is important to protect the data so that the recipient has confidence that the document was indeed created by the sender and was not altered in transit. The chief way the non-repudiation property is achieved is through the use of digital signatures.

Logging and Monitoring

Detection controls monitor the network for any malicious activity on a network or computer that might constitute a breach of security (umuc). An intrusion detection system (IDS) is a software or hardware system that collects information from various system and network resources to detect intrusion (vacca). In a LAN environment, the IDS sits at the perimeter of the network and monitors incoming and outgoing traffic patterns. IDSs are designed to protect the LAN from attacks such as port scans, denial of service attacks, malware attacks, ARP spoofing and DNS cache poisoning (Goodrich). If such an activity occurs, the intrusion detection system and/or firewall first registers the attack and then sends an alert to notify the system administrator of the event.

Logging is an important consideration in security. Proper logging information not only helps in solving an intrusion problem but also provides the auditing mechanism for the LAN. Depending on the extensiveness of the logging, a detected event should be traceable throughout the system. Some of the information that should be logged on a LAN is failed authentication attempts, failed file or resource access attempts, and modification of user and group accounts (vacca).
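One way an IDS can flag the ARP spoofing mentioned above, as an added example rather than code from the essay or from any IDS product: it learns the first MAC address seen for each IP address and alerts when a later ARP reply claims that IP for a different MAC. The observations, addresses (documentation ranges) and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) read from ARP replies.
# Addresses come from documentation ranges and are not from the essay.
SAMPLE_REPLIES = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway
    (1, "192.0.2.10", "00:00:5e:00:53:0a"),
    (2, "192.0.2.11", "00:00:5e:00:53:0b"),
    (30, "192.0.2.1", "00:00:5e:00:53:01"),
    (31, "192.0.2.1", "00:00:5e:00:53:0B"),   # gateway IP claimed by .11's MAC
    (32, "192.0.2.10", "00:00:5e:00:53:0a"),
]


def find_arp_anomalies(replies):
    """Return one alert per ARP reply that contradicts a learned binding.

    The first MAC seen for an IP is kept as the baseline and is never
    overwritten, so a spoofed reply cannot replace the learned owner.
    """
    bindings = {}                  # ip -> first MAC learned for it
    owned = defaultdict(set)       # mac -> IPs it is the learned owner of
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()          # MAC text is case-insensitive
        if ip not in bindings:
            bindings[ip] = mac
            owned[mac].add(ip)
        elif bindings[ip] != mac:
            alerts.append({
                "time": ts,
                "ip": ip,
                "expected": bindings[ip],
                "seen": mac,
                # A MAC that already owns another IP is a stronger signal.
                "mac_also_owns": sorted(owned[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

A legitimate change, such as a replaced network card or a reassigned DHCP lease, raises the same alert, so alerts of this kind need review against the address inventory.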

Conclusion

In an organization, a LAN allows users to share information and resources, resulting in increased productivity, but it also exposes many vulnerabilities to hackers, which can result in financial losses for the organization. An organization must carry out a risk assessment of the various threats to the network and of the responses to those identified threats. When designing for the security of a LAN, prioritize the threats and design the network to reflect those rankings. Password management, encryption and IDS are some of the techniques that can be employed by an organization to protect its LAN.
