Whether it's a web application timing problem, a wireless encryption issue or yet another problem with PDF files, everyone gets carried away with the latest and greatest vulnerability.

However, simple infrastructure issues, particularly at layer 2, often get overlooked. Ken Munro, Managing Director, SecureTest, examines some of the layer 2 vulnerabilities to be aware of and how to mitigate these.

External security threats such as hackers, viruses, worms and Trojans are permanent threats to any organisation. However, a huge majority of attacks actually come from within the network, whether through ignorance, curiosity or intentional manipulation of data, and these can be just as serious as an external attack.

ARP spoofing

When an exchange of data takes place between two computers, data packets are sent to the respective logical IP addresses. Each IP address has a physical counterpart on the computer's network card called the MAC address. An ARP table shows the connection between an IP address and a MAC address.

Internal attacks are often carried out via ARP (address resolution protocol) spoofing, a popular method as it often goes undetected. The means by which to carry out an attack of this kind can be downloaded from the internet by anyone.

Spoofing gives an attacker virtually free rein over a network and is used as a way of exploiting the interaction between one computer and another. Through spoofing an attacker can divert all communications between two machines, so that all traffic is exchanged via the attacker's PC.

An attacker can send fake ARP communications onto an Ethernet network with the aim of associating the attacker's MAC address with the IP address of another computer. This is known as a man-in-the-middle attack and enables the attacker to intercept data, collect passwords and interrupt traffic through a denial of service (DoS) attack.

An organisation may only realise that a spoofing attack has taken place when sensitive company information has been leaked, or after an online bank account is compromised, or employees' email accounts have been accessed.

There are several ways an organisation can keep track of ARP spoofing, but only one way to prevent it completely: static ARP entries, which are not really practical for large network set-ups.

An organisation could keep track of ARP spoofing by ensuring that only specific IP addresses with specific MAC addresses on specific ports may access the network. This can be impractical, so one could take advantage of technologies such as Cisco's Port Security, which goes some way towards mitigating these attacks.
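One way to keep track of ARP spoofing as described above is to watch ARP replies and report any IP address that suddenly answers from a new MAC address. This is an added example, not code from the article or from SecureTest; the frames, addresses and names (`detect_arp_spoofing`, `SAMPLE_FRAMES`) are constructed here for illustration.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame; used here only to construct sample input."""
    eth = ETH_HDR.pack(mac(target_mac), mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, mac(sender_mac), ip(sender_ip),
                       mac(target_mac), ip(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an ARP frame, or None for anything else."""
    _, _, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa))

def detect_arp_spoofing(frames):
    """Remember the first MAC that answered for each IP; any later reply claiming the
    same IP from a different MAC is reported as (ip, first_mac, new_mac)."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa = parsed
        known = table.setdefault(spa, sha)
        if known != sha:
            alerts.append((spa, known, sha))
    return alerts

# Constructed sample traffic (hypothetical addresses, not a real capture): the gateway
# answers for 192.168.1.1, then a second host answers for the same IP with its own MAC.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:02", "192.168.1.10"
ROGUE_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    arp_reply(ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]
```

A legitimate DHCP lease change also moves an IP to a new MAC, so in practice the table is seeded from known-good pairs (gateways, servers) rather than from whichever reply arrives first.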

VLAN hopping

Through VLAN (virtual local area network) hopping, attackers can attack networked resources that would not normally be accessible, and intercept data from an end user's computer, such as log-in details, passwords and credit card details. Ultimately, they can disable any security measures users may have in place on the device. VLAN hopping can also be used to spread viruses or worms and other malicious programs such as malware and spyware.

Hopping is usually carried out in one of two ways, either through switch spoofing or through double tagging. In a switch spoofing attack, an attacking host imitates a trunking switch, enabling the attacking host to access traffic for multiple VLANs. Double tagging occurs when an attacker sends data from one switch to another carrying two 802.1Q tags, one for the attacking switch and one for the other, the victim.

The answer to this problem is simple: be explicit in your switch config as to which ports are 'access' ports and which are 'trunking' ports.
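The double-tagging case above comes down to how many 802.1Q headers are stacked on a frame and whether a port that is meant to be an access port ever sees a tagged frame at all. The following added example (not code from the article or from SecureTest) walks the tag chain and applies the access-port policy; `vlan_tags`, `check_access_port_frame` and the sample frames are constructed for illustration.

```python
import struct

ETH = struct.Struct("!6s6sH")    # dst MAC, src MAC, EtherType (or 802.1Q TPID)
VLAN_TAG = struct.Struct("!HH")  # TCI (PCP/DEI/VID), then the next EtherType
TPID_8021Q = 0x8100

def vlan_tags(frame):
    """Return the list of 802.1Q VLAN IDs stacked on a frame, outermost first,
    plus the EtherType of the payload that follows the last tag."""
    _, _, etype = ETH.unpack_from(frame)
    offset = ETH.size
    vids = []
    while etype == TPID_8021Q:
        tci, etype = VLAN_TAG.unpack_from(frame, offset)
        vids.append(tci & 0x0FFF)   # the low 12 bits of the TCI hold the VLAN ID
        offset += VLAN_TAG.size
    return vids, etype

def check_access_port_frame(frame, port_vlan):
    """Policy an access port should enforce: an untagged frame is fine; a frame that
    arrives already tagged, above all one carrying two stacked tags, is reported."""
    vids, _ = vlan_tags(frame)
    if not vids:
        return "ok"
    if len(vids) >= 2:
        return f"double-tagged: outer VLAN {vids[0]}, inner VLAN {vids[1]}"
    return f"tagged frame on access port (VLAN {vids[0]}, port is VLAN {port_vlan})"

def make_frame(tags, payload_type=0x0800):
    """Construct a sample frame with the given stacked VLAN IDs (test data, not a capture)."""
    hdr = bytearray(ETH.pack(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                             TPID_8021Q if tags else payload_type))
    for i, vid in enumerate(tags):
        nxt = TPID_8021Q if i < len(tags) - 1 else payload_type
        hdr += VLAN_TAG.pack(vid & 0x0FFF, nxt)
    return bytes(hdr) + b"\x00" * 20   # dummy IP payload

SAMPLES = {
    "untagged": make_frame([]),
    "single":   make_frame([10]),
    "double":   make_frame([1, 20]),   # one tag outside, a second VLAN's tag inside
}
```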

Spanning-tree attacks

Spanning tree protocol (STP) is a link management protocol that provides path redundancy while at the same time preventing undesirable loops in the network. In order for a network to work effectively, only one path can be active between two locations.

With more than one active path between two locations, loops can occur and create several problems. A single MAC address can be seen on multiple ports, which causes the MAC address table to become unstable. Also, broadcast packets can get caught in an endless loop and create a broadcast storm between switches. A broadcast storm can be damaging as it can take up all available CPU resources.

Spanning-tree attacks can be prevented by keeping STP-enabled ports out of reach of ordinary users. This can be done by installing user port security, by restricting physical access to network equipment, or simply by disabling STP on access ports.

DHCP attacks

On an IP network, each machine is given a unique IP address when it connects to the Internet. Dynamic Host Configuration Protocol (DHCP) automatically generates and assigns the IP addresses, ensuring that there is no duplication and eliminating the time that would be needed to administer a large IP network manually.

The basic DHCP protocol is exposed to three potential attacks: unauthorised DHCP servers, unauthorised clients and flooding.

Because DHCP is automatic, a client cannot specify which DHCP server it wants to use; this quite easily allows an unauthorised server to respond to requests and direct clients to a compromised server.

An unauthorised client could also access an otherwise inaccessible network by masquerading as a legitimate client. Or an attacker could disrupt network activity by flooding the DHCP server with requests and using up all of the IP addresses that are available.

In order to avoid these types of attacks, security measures must be put in place around the DHCP server so that only legitimate clients and servers are allowed.

Another measure to implement is that, wherever possible, addresses assigned by DHCP should be linked to a secure DNS server, to prevent the use and accessibility of unknown addresses.
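Of the three DHCP attacks above, the unauthorised server is the one a monitor on the LAN can see directly: every OFFER or ACK carries a server identifier (option 54) that can be compared against the list of real servers. This added example (not code from the article or from SecureTest) parses raw DHCP payloads and reports unknown servers; `parse_dhcp`, `rogue_servers`, the 10.0.0.x addresses and the sample messages are constructed for illustration.

```python
import struct

DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # op ... file: 236 bytes before options
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

def parse_dhcp(payload):
    """Return (message_type, server_id) from a raw DHCP payload (the UDP body), or None."""
    start = DHCP_FIXED.size + len(MAGIC_COOKIE)
    if len(payload) < start or payload[DHCP_FIXED.size:start] != MAGIC_COOKIE:
        return None
    msg_type = server_id = None
    i = start
    while i < len(payload) and payload[i] != OPT_END:   # walk the TLV option list
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            server_id = ".".join(map(str, value))
    return msg_type, server_id

def rogue_servers(payloads, authorised):
    """Server identifiers seen in OFFER/ACK messages that are not on the authorised list."""
    found = []
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed and parsed[0] in (DHCPOFFER, DHCPACK) and parsed[1] not in authorised:
            found.append(parsed[1] or "missing server id")
    return found

def build_server_reply(server_ip, msg_type=DHCPOFFER):
    """Constructed server reply (op=2) carrying only the two options inspected above."""
    fixed = DHCP_FIXED.pack(2, 1, 6, 0, 0x1234ABCD, 0, 0, *([b"\0" * 4] * 4),
                            b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + bytes(int(o) for o in server_ip.split(".")) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options

AUTHORISED = {"10.0.0.2"}   # hypothetical address of the organisation's real DHCP server
SAMPLE = [build_server_reply("10.0.0.2"), build_server_reply("10.0.0.99"),
          build_server_reply("10.0.0.2", DHCPACK)]
```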

CAM overflow

A switch records which MAC addresses are reachable through which port in a content addressable memory (CAM) table, and these tables are limited in size.

An attacker wanting to gain access to the traffic within a network will flood the switch with as many invalid MAC addresses as they can to fill the table up. When that occurs, the switch will flood all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table.

There are two ways to avoid this. Firstly, configure port security on the switch and explicitly specify the MAC addresses permitted on a port. Secondly, limit the number of MAC addresses that can be learned by a switch or port. Through both of these methods a switch can then either block an invalid MAC address or shut down the port.
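To make the two port-security controls above concrete, the following added model (not code from the article, from SecureTest or from any switch vendor) applies an explicit MAC list and a learned-MAC limit per port, with the shutdown action on violation, and runs a constructed flood of distinct source MACs through one port. The class name, the `Gi1/0/x` port labels and the capacity figures are assumptions made for the example.

```python
from collections import defaultdict

class PortSecuritySwitch:
    """Model of the two port-security controls from the text: a port may carry an
    explicit list of permitted MACs, and/or a cap on how many MACs it may learn.
    A source MAC that breaches either control triggers the violation action."""

    def __init__(self, cam_capacity=8192):
        self.cam = {}                    # MAC -> port: the CAM (MAC address) table
        self.cam_capacity = cam_capacity
        self.allowed = defaultdict(set)  # port -> explicitly configured MACs
        self.max_learn = {}              # port -> maximum number of learned MACs
        self.learned = defaultdict(set)  # port -> MACs learned so far
        self.shutdown = set()            # ports that tripped the violation action
        self.events = []                 # (port, mac, reason) log for the operator

    def configure(self, port, allowed_macs=(), max_learn=None):
        self.allowed[port].update(allowed_macs)
        if max_learn is not None:
            self.max_learn[port] = max_learn

    def ingress(self, port, src_mac):
        """Process a frame's source MAC arriving on port; returns what the switch did."""
        if port in self.shutdown:
            return "dropped"
        if self.allowed[port] and src_mac not in self.allowed[port]:
            return self._violate(port, src_mac, "MAC not in configured list")
        limit, seen = self.max_learn.get(port), self.learned[port]
        if limit is not None and src_mac not in seen and len(seen) >= limit:
            return self._violate(port, src_mac, f"more than {limit} MACs learned")
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return "cam-full"  # table exhausted: from here the switch floods unicast
        self.cam[src_mac] = port
        seen.add(src_mac)
        return "learned"

    def _violate(self, port, src_mac, reason):
        self.shutdown.add(port)  # 'shutdown' action; a 'block' action would drop only the frame
        self.events.append((port, src_mac, reason))
        return "shutdown"

def simulate_flood(max_learn=3, frames=1000, port="Gi1/0/5"):
    """Constructed scenario: one port receives frames from many distinct source MACs.
    Returns (learned, shutdown, dropped, CAM entries) counts."""
    sw = PortSecuritySwitch()
    sw.configure(port, max_learn=max_learn)
    results = [sw.ingress(port, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(frames)]
    return results.count("learned"), results.count("shutdown"), results.count("dropped"), len(sw.cam)
```

With the limit in place the CAM table holds three entries after a thousand frames; run the same flood with `cam_capacity` small and no limit configured and the result is the `cam-full` state in which the switch starts flooding.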

Cisco Discovery Protocol information gathering

Cisco Discovery Protocol (CDP) sends updates every 60 seconds to a multicast address and, due to insufficient security, it can very easily reveal information about network devices. At the same time it is highly regarded as a network management tool.

Using CDP, you can find out critical information about your directly connected neighbour, including device name, connection details, box capabilities and hardware options: all useful information for an attacker seeking to exploit a neighbour's device.

The usual recommendation to protect against this type of information gathering is to disable CDP on WAN interfaces but keep it live on the LAN, on the presumption that LAN users are trustworthy and WAN users are not.

As the above scenarios show, network security isn't just about firewalls and protecting your organisation from the external threat. In any situation, organisations need to consider the threat from within and be aware of the problems a savvy employee, contractor or even cleaner could cause.

By reviewing your network infrastructure and considering some of the above advice it is possible to future-proof your network and prevent a problem before it occurs.