Vulnerabilities of Data on the Wire
Data on the wire is vulnerable to some very focused attacks. Data can be intercepted (sniffed). ARP attacks can be used to sniff information in a switched environment. ARP attacks can also be used to initiate "man in the middle" attacks that can allow an attacker to intercept and potentially modify information in transit.
Sniffing refers to a technique for capturing network traffic. While sniffing can be accomplished on both routed and switched networks, it's much easier in a routed environment:
Layer 3 devices, such as routers, send information by broadcasting it to every destination on the network, and the destination handles the problem of parsing out the specific information that's needed from the general broadcast.
In a switched environment, switches send traffic only to its intended host (determined by the destination information in each individual packet).
Operating in a switched environment doesn't totally alleviate the risk of sniffing, but it does mitigate that risk to a large degree.
Most networks today also utilize virtual LAN (VLAN) configurations to segment network traffic and further reduce the risk of sniffing. A VLAN is a switched network that's logically segmented. VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic-flow management.
Just as switches isolate collision domains for attached hosts and only forward appropriate traffic out a particular port, VLANs provide complete isolation between VLANs. None of the switches within the defined group will bridge any framesnot even broadcast framesbetween two VLANs. Thus, communication between VLANs is accomplished through routing, and the traditional security and filtering functions of the router can be used.
Segmentation can be organized in any manner: function, project team, application. This capability is especially useful for isolating network segments for security purposes. For example, you may place application servers on one VLAN and system administrators on another (management-level) VLAN, with access control lists to restrict administrative access to only that VLAN. This setup can be accomplished regardless of physical connections to the network or the fact that some users might be intermingled with other teams.
The Ethernet Address Resolution Protocol (ARP) enables systems to find the unique identifier (MAC address) of a destination machine. ARP attacks provide the means to either break or misuse the protocol, with the goal of redirecting traffic from its intended destination. In an ARP attack, the attacker can sniff, intercept, and even modify traffic on a compromised network segment.
The effectiveness of these attacks is limited in two ways:
Data on the wire is generally available only in small pieces. It's true that many systems and applications send login/password pairs in clear text (without any encryption). An attack may capture such small bits of data; it may even be possible over time to assemble enough useful information to make identity theft possible. However, the attacker must either be directly connected to the internal network, or have succeeded in compromising an internal system and installing some form of sniffer to gather information. For the effort to be worthwhile to the hacker, many small chunks would need to be captured and then filtered out of the massive volumes of traffic traversing most of today's networks; and then the captured data would have to be reassembled into meaningful information. This is a tremendous task with a potentially very small payoff.
Capturing data takes time. The longer the attacker is inside the network, the more likely he or she is to get caught. It's easier to get information at the source, rather than trying to capture and decode thousands of network packets.