<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Dropped Packets</title>
	
	<link>http://dp.lomin.com</link>
	<description>Just another Lomin Security weblog</description>
	<lastBuildDate>Mon, 20 Sep 2010 00:12:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/DroppedPackets" /><feedburner:info uri="droppedpackets" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>What Is On The Wire?</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/Occ80fxPyCg/</link>
		<comments>http://dp.lomin.com/2010/09/19/what-is-on-the-wire/#comments</comments>
		<pubDate>Sun, 19 Sep 2010 19:00:12 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 2 - Reg Builds an IDS]]></category>
		<category><![CDATA[Comic]]></category>
		<category><![CDATA[Dropped Packets]]></category>
		<category><![CDATA[Volume 1]]></category>
		<category><![CDATA[action figures]]></category>
		<category><![CDATA[CND]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[hub]]></category>
		<category><![CDATA[switch]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=210</guid>
		<description><![CDATA[Network Switches are not more secure than Network Hubs.  Some professionals evangelize: “Switches are more secure than hubs!”  This is patently false.  Switches are no more secure than hubs and in some cases they are actually worse!!]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/09/19/what-is-on-the-wire/"><img src="http://dp.lomin.com/files/comics-rss/2010-09-19-1efa2bee.jpg" alt="What Is On The Wire?" class="comicthumbnail" title="What Is On The Wire?" />
</a></p>
	<p>Network Switches are not more secure than Network Hubs.  Some professionals evangelize: “Switches are more secure than hubs!”  This is patently false.  Switches are no more secure than hubs and in some cases they are actually worse!!</p>
<h2>Network Switches Are Not More Secure than Hubs</h2>
<p>Switches and hubs are used to build computer networks.  Computers are plugged into these devices via Ethernet cable.  Switches and hubs copy network traffic from one host and send it to others.  The difference between the two is that the hub broadcasts traffic to all of its ports.  This means that a computer’s network traffic will be sent to every computer connected to the hub.  It is up to the connected computer to disregard or accept that traffic based on the address.  Switches perform this filtering and only send traffic destined for specific addresses.  This is misleading and makes people think that switches are more secure than hubs.</p>
<h2>Switches</h2>
<p>Switches, however, are certainly important to large organizations with a large number of employees.   Hubs may allow a knowledgeable employee to view their co-worker’s network traffic.  In this case, Human Resource records may be accessible to someone from a different department.  HR maintains records of sensitive personal employee information.  In the wrong hands, that information could be used to conduct credit fraud or create a harmful work environment.  A switch would help prevent this threat in a large network – but what about small networks like home offices and small businesses?</p>
<p>A lot of novice security professionals are misled and bullied into not securing their home networks.  They are told repeatedly by industry trainers, certification authorities, and the lot that they need to secure their home network with a switch.  This is ridiculous.  A switch is only secure so long as it is properly maintained, configured, and has advanced features that help protect the network.  Typical consumer switches are actually less secure than hubs.  This is the other reason switches are ideal for large enterprise networks.</p>
<p>Large corporations have System Administration staff that can maintain a switch.  Switches need regular maintenance.  They are much more complicated than a “dumb” hub.  They have to read addresses in packets and route them as appropriate. Switch firmware and software must be updated regularly.  Their configuration also has to be updated with changes in the network.  Some switches are difficult to work with and some vendors offer years of training and certifications to learn how to use a switch.</p>
<p>This is all overkill for home use.  How many people have a dedicated Network Staff and System Administrator for their home network? Alarmingly, a large number of cheap switches are sold for home use because “they are secure”.  When was the last time you updated the firmware in your switch? When was the last time your neighbor’s switch was upgraded? Never minding configuration, how secure are those switches? More importantly, cheap switches do not comprehensively offer a defensive solution.</p>
<p>Certainly, switches typically have a number of advanced features including defensive technologies.  Features include trunking, VLANs, and NAT.  These features have a performance cost as well as the human cost mentioned before.  The switch has to have enough processing power to support all of the feature use.  Quite often, however, switches use slow processors.  Enabling more features means degraded performance.  How extreme is a gigabit switch if it crawls to 10Mbps when all of the features are enabled? The defensive features are modest on these switches.  Most switches usually support Network Address Translation.  That is good for a simple firewall, but it does not do state inspection or any other type of packet inspection.  That work is best reserved for a dedicated firewall.  These are features typically found in most switches, but most switches do not include the most important feature:  a Span Port.</p>
<p>The Span Port is one of the best ways to monitor traffic on the network.  Span ports copy traffic from all of the other ports on the switch.  This is how Intrusion Detection Systems, network analyzers, and other security tools protect the network.  Far too often, expensive switches do not have this option.  Rarely do cheap consumer switches have one.  If a switch does not have a Span Port, then another costly device known as a tap has to be purchased and used to protect the network.</p>
<p>A novice security professional, taking advice from a seasoned hacker, would buy a switch.  After connecting their IDS, they would think their network was indestructible.  The IDS would be as quiet as a mouse.  The only traffic the IDS would see is its own traffic!</p>
<h2>Hubs</h2>
<p>A hub is a perfect device for defending a home network or a small business with fewer than thirty computers.  It is an inexpensive device that allows Intrusion Detection Systems and other devices to be connected and protect the network.  It has the nice advantage of little to no maintenance.</p>
<p>A hub is inexpensive.  They typically do not require software updates because there really is not anything to update.  Hub software just broadcasts network traffic to all of its ports.  There is typically no advanced logic that a support staff has to update regularly.</p>
<p>Security Devices connected to a hub are able to see all traffic on the network.  The hub broadcasts all of the traffic on the network to every port.  This allows the security devices to see everything for every computer.  This is very different than a switch.</p>
<p>A switch is less secure in a small network because it hides hacker traffic!  Network traffic on small cable/DSL routers cannot be monitored.  There is no way to know whether or not malicious traffic or intruders are on your network!  The switch actually hides the bad traffic!! In this case, switches are actually the worse device to have on a network.  They are most certainly not more secure than a hub.</p>
<h2>Conclusion</h2>
<p>Switches are not more secure than a hub.  They can in fact be a hazard to the defense of a network.  Their ability to hide information is a double-edged sword that will easily cut their owner.  Use a hub to defend a network.  It is the cheapest and easiest way to see all network traffic.  Network defense devices may be connected to it and they will be able to do their job.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/09/19/what-is-on-the-wire/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/09/19/what-is-on-the-wire/</feedburner:origLink></item>
		<item>
		<title>Waterwall Risk Mitigation</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/NUgxhSJQP5U/</link>
		<comments>http://dp.lomin.com/2010/06/28/waterwall-risk-mitigation/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 15:41:11 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 2 - Reg Builds an IDS]]></category>
		<category><![CDATA[Comic]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=189</guid>
		<description><![CDATA[Jack worries about what Reg is building and a Behind the Scenes Look at how Dropped Packets is created.  ]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/06/28/waterwall-risk-mitigation/"><img src="http://dp.lomin.com/files/comics-rss/2010-06-28-0d97c653.jpg" alt="Waterwall Risk Mitigation" class="comicthumbnail" title="Waterwall Risk Mitigation" />
</a></p>
	<p><strong>Behind the Scenes</strong></p>
<p>Today we present a behind the scenes look into how Dropped Packets is created.  Leave a comment below if you enjoy what you see or get inspired to create your own webcomic.  </p>

]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/06/28/waterwall-risk-mitigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/06/28/waterwall-risk-mitigation/</feedburner:origLink></item>
		<item>
		<title>Reg Builds an IDS</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/1RUnkm8tmlA/</link>
		<comments>http://dp.lomin.com/2010/04/10/reg-builds-an-ids/#comments</comments>
		<pubDate>Sat, 10 Apr 2010 04:31:26 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Chapter 2 - Reg Builds an IDS]]></category>
		<category><![CDATA[action figures]]></category>
		<category><![CDATA[IDS]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=150</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/04/10/reg-builds-an-ids/"><img src="http://dp.lomin.com/files/comics-rss/2010-04-10-e2041524.jpg" alt="Reg Builds an IDS" class="comicthumbnail" title="Reg Builds an IDS" />
</a></p>
	Computer Network Defense is Serious Business What gives Dropped Packets the right to make fun of computer network defense?  What is the relevancy of kaiju and ninjas with computer security?  Billions of dollars are lost each year to malware &#8212; that is no joking matter.  Real life hackers stealing data is not a punch line [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/04/10/reg-builds-an-ids/"><img src="http://dp.lomin.com/files/comics-rss/2010-04-10-e2041524.jpg" alt="Reg Builds an IDS" class="comicthumbnail" title="Reg Builds an IDS" />
</a></p>
	<p><strong>Computer Network Defense is Serious Business</strong></p>
<p>What gives <em><span style="text-decoration: underline">Dropped Packets</span></em> the right to make fun of computer network defense?  What is the relevancy of kaiju and ninjas with computer security?  Billions of dollars are lost each year to malware &#8212; that is no joking matter.  Real life hackers stealing data is not a punch line – it is a crime.  Today, people feel like victims.  Even the FBI thinks we are victims.  We are not victims.  Working together, we can protect ourselves.  The first serious step of Network Security is public awareness.<span id="more-150"></span></p>
<p>Headline reads, “Hacker causes &lt;insert large number here&gt; Billion Dollar Loss”.  How often does that Information Assurance headline show up in your local news outlet?  It does show up every time a hacker is in court.  It is certainly a good scary sensational headline.  Sometimes the large number comes from a Computer Security Consultant financed by the plaintiff to “assess” their losses from the incident.  That is a joke and not a funny one.</p>
<p>Corporations are shouting about dollars all the time.  Executive Management readily understands big scary losses.  Hired Network Security Consultants shout about billions of dollars in lost wages, potentially lost customers, and who knows what else for the scandal sheets.  How do you define a lost wage consistently in court across all jurisdictions and in the headlines?  Do these companies take their System Administrators to court when they misconfigure the web server?  These are very very bad jokes with no help and plenty of gloom and doom.  Everyday people read headlines from these “experts,” while facts are buried on government websites.</p>
<p>The Internet Crime Complaint Center reported that $559.7 Million US dollars were lost to web based scams and fraud alone (see <a href="http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf">http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf</a>).  This value is a real number based on reports from agencies throughout the United States.  The median loss from 336,655 reports was $575.  That alone is a serious amount of money to many people these days.  It is certainly no joking matter.  Spyware affects everyone.  Why joke about it?</p>
<p>It is important to understand basic Security Technology.  Public Security Awareness is critical to keeping that $575 in the pocket.  Dropped Packets is all about increasing awareness.  “I don’t understand what you’re saying half the time,” is familiar feedback here at Dropped Packets.  It is also a great quote.  That means that visitors are getting the other half.  Visitors are learning about Information Security.</p>
<p><em><span style="text-decoration: underline">Dropped Packets</span></em> is not a new idea.  In fact, it has been used quite often.  Sourcefire has famously handed out comical calendars to its customers over the years.  OpenBSD, the free, functional, and secure operating system includes comical <em>Puffy</em> stickers with each purchased release.  These efforts are not profit driven marketing.  They increase Security Awareness and offer mechanisms to increase Security Compliance.</p>
<p>NFR Security, a long time ago, gave customers’ Security Management teams Network Traffic Tickets.  The tickets were a paper pad of pre-printed forms with comical snarky comments about common IT Policy violations.  Managers could tick check boxes to issue Security Policy violations to employees.  It was a terrific, comical, non-confrontational mechanism to conduct Information Assurance training.</p>
<p><em><span style="text-decoration: underline">Dropped Packets</span></em> hopes to inspire visitors just as much.  Come back sometime in the future and you will definitely find a more practical, informative post.  Or, take a look at the posts from the past.  There might be something of interest there.</p>
<p>If you like what you see, please sign up for our mail list.  We notify subscribers when new strips are published via the mail list.  We also present offers on security tools that will most definitely help protect your computer.</p>
<p>If this is all too boring, and old news, try our sponsor Lomin Security’s blog.  There you will find detailed technical articles.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/04/10/reg-builds-an-ids/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/04/10/reg-builds-an-ids/</feedburner:origLink></item>
		<item>
		<title>Call for IDS Help</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/FM8RDj5Fdto/</link>
		<comments>http://dp.lomin.com/2010/03/09/call-for-ids-help/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 02:43:21 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CND]]></category>
		<category><![CDATA[IDS]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=69</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/03/09/call-for-ids-help/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Call for IDS Help" class="comicthumbnail" title="Call for IDS Help" />
</a></p>
	Would an IDS help with the Webcomic War?  An Intrusion Detection System could help identify overzealous participants in the Webcomic War.  (Dropped Packets has talked about IDS in the past, see Reg Asks What Is An IDS).  An IDS would not help win the Webcomic War.  An IDS, however, would definitely help you respond to [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/03/09/call-for-ids-help/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Call for IDS Help" class="comicthumbnail" title="Call for IDS Help" />
</a></p>
	<p>Would an IDS help with the Webcomic War?  An Intrusion Detection System could help identify overzealous participants in the Webcomic War.  (Dropped Packets has talked about IDS in the past, see <a href="http://dp.lomin.com/?p=7">Reg Asks What Is An IDS</a>).  An IDS would not help win the Webcomic War.  An IDS, however, would definitely help you respond to hackers on your network.  How hard is it to install an IDS?</p>
<p><span id="more-69"></span>The <a href="http://webcomicplanet.com/news/event/webcomic-planet-war-2010-signup/">Webcomic War</a> is a competition held by <a href="http://webcomicplanet.com/">Webcomic Planet</a> to help promote web comics on the Internet.  Dropped Packets is participating in the competition to subversively spread the “Network Defense” message.  The competition works by shamelessly promoting your web comic across the Internet.  Each promotion gives you points, which ultimately will be used in a “War” against other sites.  Hacking an opponent’s site would certainly distract them.</p>
<p>An overzealous participant could hack your web comic site and an IDS would be handy in this fictional scenario.  The IDS would be configured to recognize attacks against WordPress, Drupal, or custom software hosting the web comics.  The IDS would monitor traffic to the site and generate alerts.  Seeing an alert, you could block the offending host at the router.  Alternatively, you could find out who it was and <a href="http://webcomicplanet.com/news/epic-war-video/">drop a bomb</a> on them.</p>
<p>Installing an IDS is not terribly difficult.  There are a few ways to easily try out an IDS too.  Snort is a terrific open source IDS.  A lot of information may be found on its <a href="http://www.snort.org/">website</a>.  There is plenty of documentation on how to install, configure, and use the system.  However, if you want to try out the system, use the <a href="http://networksecuritytoolkit.org/">Network Security Toolkit</a>.  It is a CD with its own operating system.  You just slide it into your CDROM drive, reboot, and you can monitor your network.  Alternatively, you could always contact our sponsor, <a href="http://www.lomin.com/">Lomin Security</a> for support.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/03/09/call-for-ids-help/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/03/09/call-for-ids-help/</feedburner:origLink></item>
		<item>
		<title>Do Not Leave Your Computer on at Night</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/lyAAYi5exkU/</link>
		<comments>http://dp.lomin.com/2010/03/04/do-not-leave-your-computer-on-at-night/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 14:22:54 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CND]]></category>
		<category><![CDATA[firewall]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=64</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/03/04/do-not-leave-your-computer-on-at-night/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Do Not Leave Your Computer on at Night" class="comicthumbnail" title="Do Not Leave Your Computer on at Night" />
</a></p>
	A friend the other day said, “Turn off your computer when you are not using it.  Leaving it on 24/7 is a good way to be hacked.  Plus, it is more environmentally friendly to not leave your gear on all the time.”  This is true.  Popular culture would have us believe that turning off computers is [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/03/04/do-not-leave-your-computer-on-at-night/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Do Not Leave Your Computer on at Night" class="comicthumbnail" title="Do Not Leave Your Computer on at Night" />
</a></p>
	<p>A friend the other day said, “Turn off your computer when you are not using it.  Leaving it on 24/7 is a good way to be hacked.  Plus, it is more environmentally friendly to not leave your gear on all the time.”  This is true.  Popular culture would have us believe that turning off computers is paramount to saving our planet.  Research the title of the article and see how many hits return about security.  Security should not be an afterthought on this matter.</p>
<p><span id="more-64"></span>There are plenty of reasons to leave your computer on.  Cycling the power on and off is a strain on systems – especially when you are fond of not shutting down properly.  The time of instantly accessible operating systems disappeared in the early nineties.  Nowadays we have to be kind, gentle, and mind the hard drive platters as they spin and rattle inside our little machines.  Software updates hog system resources when they download and install.  Leaving the computer on at night saves that bother – let the computer sort out all of that when we sleep.  Some people are religious about turning their computers off at night.  That is great, but what about when you leave for work?</p>
<p>Evil lurks on the Internet at every turn and every hour.  That might be too dramatic, but it is true.  People make a living off stolen information, but that has been addressed already (see <a href="http://dp.lomin.com/?p=36">Pirate Inlet</a>).  Every time a computer is on a network, it is susceptible to attack.  A powered off computer is off the network.  Unplugging it from the network is a good idea too.  A computer is not much good without a network these days though.</p>
<p>So much so that people are interested in keeping computers attached to the network all the time.  Microsoft invested in some research on the matter (see <a href="http://www.engadget.com/2009/04/25/somniloquy-external-networking-card-lets-pcs-sleep-talk-essent/">Somniloquy external networking card lets PCS “sleep talk” essential connectivity functions</a>).   The work was presented at the USENIX Symposium on Networked Systems Design and Implementation 2009.  This device was designed to help defend systems by patching system files and reducing the attack space a hacker may use by reducing the available number of processors (see <a href="http://mesl.ucsd.edu/yuvraj/research/documents/Somniloquy-NSDI09-Yuvraj-Agarwal.pdf">Somniloquy: Augmenting Network Interfaces to Reduce PC Energy Usage</a>).  All of this is debatable of course.  Marcus Ranum’s <a href="http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html">Ultimate Firewall</a> would work just as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/03/04/do-not-leave-your-computer-on-at-night/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/03/04/do-not-leave-your-computer-on-at-night/</feedburner:origLink></item>
		<item>
		<title>Pirate Inlet</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/PiBHAfpYt-Y/</link>
		<comments>http://dp.lomin.com/2010/02/24/pirate-inlet/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 22:47:36 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[warez]]></category>

		<guid isPermaLink="false">http://dp.lomin.com/?p=36</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/02/24/pirate-inlet/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Pirate Inlet" class="comicthumbnail" title="Pirate Inlet" />
</a></p>
	Scanning pirated software before installation does not protect a computer from viruses.  In fact, using pirated software tremendously increases the risk of computer infection.  There are many reasons why this is the case; not the least of which are hacker motivation, mechanics of pirate software, and the AV signature lifecycle.  The issue is deep and [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/02/24/pirate-inlet/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Pirate Inlet" class="comicthumbnail" title="Pirate Inlet" />
</a></p>
	<p>Scanning pirated software before installation does not protect a computer from viruses.  In fact, using pirated software tremendously increases the risk of computer infection.  There are many reasons why this is the case; not the least of which are hacker motivation, mechanics of pirate software, and the AV signature lifecycle.  The issue is deep and could be the basis for a good doctoral thesis.</p>
<p><span id="more-36"></span>Money motivates hackers as of late.  They earn money through various revenue generating schemes related to advertising (e.g. pop-up ads, spam, etc.) and stealing personal information (e.g. bank accounts, credit cards, etc.).  Thorsten Holz recently made a great presentation to the ICSI on the subject (<a href="http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html">http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html</a>).  The accessible revenue to hackers is astounding.  The easiest way to get that money is to ask people to install a program.</p>
<p>Typically, people think of hackers working the late hours of night to break into computers.  Hackers do not typically do that.  Images built by Hollywood and news media outlets would have us believe that hackers sit in front of their computers with a can of Jolt Cola, breezing through the security of our computers.  Realistically, hackers are sitting there waiting for idiots to install their malicious software.  How many people do you know that clicked on the link in their email and whispered, “OOhhh, look at the pretty fireworks”?  Those idiots just hacked themselves, but just think of the sophisticated idiot.  This idiot runs his pirated software through the AV scanner and still installs it on his computer.</p>
<p>Sure, maybe it is a reasonable expectation not to be hacked.  AV software protects us, right?  It is the first line of defense for our computers.  It does have its weaknesses (see The Contemporary antivirus industry and its problems:  <a href="http://www.viruslist.com/en/analysis?pubid=174405517">http://www.viruslist.com/en/analysis?pubid=174405517</a>), but it is our best host-based defense.  So why does this article sound argumentative?  Because AV scanners will never protect you from a virus they don’t know about.</p>
<p>The lifecycle of an AV signature begins with malicious software.  A signature cannot be built without malicious software.  Downloading 0-day warez does not give anti-virus writers enough time to create, distribute, and install a signature.  Some companies have trouble putting out signatures once a month (see AV.Test’s AV Signature Update Statistics:  <a href="http://www.av-test.org/numbers.php">http://www.av-test.org/numbers.php</a>).  This does not take into account the ever-changing state of malicious software due to bug fixes and new features that change the identifying signature.</p>
<p>Be smart; just buy your games instead of using pirated software.  There are plenty of venues where games may be purchased these days.  You can buy games online if you are lazy and do not want to go to Target.  I highly recommend it.  Steam (<a href="http://store.steampowered.com/news/">http://store.steampowered.com/news/</a>) revolutionized the video game distribution world and many have followed their example.  You can watch videos, view screenshots, and play demos of the games before you buy.  There is no reason to use pirated software – and if you are broke, why not get a job in network security to earn some money?  We need all the help we can get.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/02/24/pirate-inlet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/02/24/pirate-inlet/</feedburner:origLink></item>
		<item>
		<title>Do Not Trust Others With Your Computer</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/dhdxPx9HIuw/</link>
		<comments>http://dp.lomin.com/2010/02/13/do-not-trust-others-with-your-computer/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 04:00:00 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CNA]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://newdp.lomin.com/?p=9</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/02/13/do-not-trust-others-with-your-computer/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Do Not Trust Others With Your Computer" class="comicthumbnail" title="Do Not Trust Others With Your Computer" />
</a></p>
	What is TDSS?  TDSS is a rootkit.  …but what is a rootkit?  Rootkits are a way to control another computer on the network.  This of course sounds very foreboding, and it is.  A number of commercial companies sell rootkits to help people.  These legitimate programs have recently made headline news.  Rootkits are very powerful and scary [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/02/13/do-not-trust-others-with-your-computer/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Do Not Trust Others With Your Computer" class="comicthumbnail" title="Do Not Trust Others With Your Computer" />
</a></p>
	<p>What is TDSS?  TDSS is a rootkit.  …but what is a rootkit?  Rootkits are a way to control another computer on the network.  This of course sounds very foreboding, and it is.  A number of commercial companies sell rootkits to help people.  These <em>legitimate</em> programs have recently made headline news.  Rootkits are very powerful and scary tools.</p>
<p><span id="more-9"></span>TDSS is a popular rootkit for Windows as of late.  The name comes from a string inserted into various places throughout the operating system (see <a href="http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml">TrendMicro</a>).  This happened in earlier versions and that particular string’s use was discontinued in later versions of the program.  TDSS executes commands from a remote user to display popup advertisements, download other files, and prevent programs from running (e.g. AV programs).  In other words, the TDSS rootkit allows someone else to control your computer.</p>
<p>There have been many different rootkits through the years.  Perhaps the most infamous rootkit was <a href="http://www.cultdeadcow.com/cowfeed/">cDc</a>’s BO (<a href="http://www.cultdeadcow.com/cowfeed/">Cult of the Dead Cow’s</a> Back Orifice) – of course, it was perhaps more controversial for its name alone.  Rootkits primarily do the same thing.  They let someone else remotely control a computer.  There are many different ways to do this.  Some rootkits install themselves into the operating system.  Others run as a regular program.  Most rootkits trick users into installing them under the guise of something useful.</p>
<p>In fact, many commercial companies do this.  As of late, GoToMyPC seems to be a very popular rootkit.  pcAnywhere used to be one of the most popular commercial rootkits.  It famously annoyed System Administrators when their users installed it at work to “control their computer at home.”  I wonder how often this was done by untrusting spouses to monitor their significant other’s activity.  I’m not joking.</p>
<p>Everyone should be familiar with the school that used similar software to photograph a student at home (see <a href="http://www.sfgate.com/cgi-bin/blogs/sfmoms/detail?entry_id=57750">http://www.sfgate.com/cgi-bin/blogs/sfmoms/detail?entry_id=57750</a> or <a href="http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html">http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html</a>).  The school alleged that the student was doing something inappropriate.  What is inappropriate and who has the right to come into another’s home like this? That’s a rootkit.</p>
<p>Rootkits usurp your personal life through technology.  They allow someone else to influence what you see, hear, and experience through your computer.  They use your computer to capture you doing whatever you do in front of your computer.  All of a sudden, having a webcam and microphone to talk to Nana on the Internet doesn’t sound like a good idea anymore, does it?</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/02/13/do-not-trust-others-with-your-computer/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/02/13/do-not-trust-others-with-your-computer/</feedburner:origLink></item>
		<item>
		<title>Someone Forgot To Configure Logfiles</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/bbESPourSqA/</link>
		<comments>http://dp.lomin.com/2010/01/24/someone-forgot-to-configure-logfiles/#comments</comments>
		<pubDate>Sun, 24 Jan 2010 04:00:00 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CND]]></category>
		<category><![CDATA[log files]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://newdp.lomin.com/?p=8</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/24/someone-forgot-to-configure-logfiles/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Someone Forgot To Configure Logfiles" class="comicthumbnail" title="Someone Forgot To Configure Logfiles" />
</a></p>
	How many people out there have their home routers configured to save their log files?  “Chirp, chirp,” is that the sound of crickets?  It is understandable for non-technical people to be quiet.  However, most of the people that follow this parcel of the Internet know a little bit about technology.  Why are you not logging [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/24/someone-forgot-to-configure-logfiles/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Someone Forgot To Configure Logfiles" class="comicthumbnail" title="Someone Forgot To Configure Logfiles" />
</a></p>
	<p>How many people out there have their home routers configured to save their log files?  “Chirp, chirp,” is that the sound of crickets?  It is understandable for non-technical people to be quiet.  However, most of the people that follow this parcel of the Internet know a little bit about technology.  Why are you not logging your traffic?</p>
<p><span id="more-8"></span>You might be wondering, “What is a home router?”  The home router is that little box with the blinky lights that separates your computer from SBC, Comcast, Road Runner, Verizon, or whatever ISP you are using.  You are in big trouble if you are not using a blinky box.  The home router provides rudimentary protection from malevolent forces on the Internet.  Let us save the gory details for another time.  Suffice it to say, you should have a home router.</p>
<p>Most, if not all, home routers provide some basic logging capability.  Sometimes you have to log into the router to get the data.  Usually the router may be configured to send the data to a real computer.  That makes things a lot easier.  Logs may be kept longer.  There are many tools available to analyze or quickly report the status of your network.  All of this is very useful when it comes time to analyze activity on your computers and network.</p>
<p>Each piece of information on your network is part of an integral puzzle &#8212; especially when there is an intrusion.  Where did the hacker come from?  What vector did the virus use?  The home router log files help answer these questions in conjunction with other things on the network.  So why don’t people use these useful devices?</p>
<p>The answer is most likely two-fold:  ignorance and laziness.  Many do not know what their home router can do for them.  Figuring it out means cracking open a user manual and actually fiddling around with the settings.  It also means having a way to receive, analyze, and review the logs once they are collected.  Then what happens if something actually happens?  You have to look through everything to find out what happened.  That sounds a lot like work.  Who wants to do work when they are safe at home?</p>
<p>Face the situation and set up log collection anyway.  It is very important.  Yes, it is work, but it is necessary.  You’ll never know what’s happening on your network if you don’t bother to look.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/01/24/someone-forgot-to-configure-logfiles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/01/24/someone-forgot-to-configure-logfiles/</feedburner:origLink></item>
		<item>
		<title>Reg Asks What Is An IDS</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/V8gtyoqMmZI/</link>
		<comments>http://dp.lomin.com/2010/01/21/reg-asks-what-is-an-ids/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 04:00:00 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CND]]></category>
		<category><![CDATA[IDS]]></category>

		<guid isPermaLink="false">http://newdp.lomin.com/?p=7</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/21/reg-asks-what-is-an-ids/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Reg Asks What Is An IDS" class="comicthumbnail" title="Reg Asks What Is An IDS" />
</a></p>
	IDS detect hackers on computer networks.  IDS is an acronym for Intrusion Detection System.  The system works by analyzing captured data flowing through the network.  Unfortunately, IDS are confusing to some and quite worrisome to others.   IDS however are very valuable. Intrusion Detection Systems monitor network traffic to identify threats on the network.  The IDS [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/21/reg-asks-what-is-an-ids/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Reg Asks What Is An IDS" class="comicthumbnail" title="Reg Asks What Is An IDS" />
</a></p>
	<p>IDS detect hackers on computer networks.  IDS is an acronym for Intrusion Detection System.  The system works by analyzing captured data flowing through the network.  Unfortunately, IDS are confusing to some and quite worrisome to others.   IDS however are very valuable.<br />
<span id="more-7"></span><br />
Intrusion Detection Systems monitor network traffic to identify threats on the network.  The IDS is plugged into the network to capture data.  After it has the data, it analyzes it similarly to the way an anti-virus program uses its signatures.  The IDS signatures trigger alerts on malevolent behavior.  These alerts inform administrators when something bad is on the network.  IDS however are not perfect.</p>
<p>IDS have an unfortunate name and they cause a lot of work.  That does not sound particularly problematic, but for some reason it troubles people greatly.  Physical security companies use IDSs to monitor the entryways to various buildings.  How on earth are the customers of the world supposed to discriminate between the two? This may sound like sarcasm, but I can assure you that it is not.  Perhaps more understandably worrisome is the amount of work IDS generate.  IDS signatures are created for a large number of activities on the network.  Time needs to be spent reviewing IDS results to determine which are genuine and which are absolute threats.  This is a problem for short-staffed system administrators who have pressing phone calls from the vice president’s administrative assistant who consistently has troubles with Microsoft Office.  These problems must be overlooked though.</p>
<p>Enterprise organizations operating on the Internet need to have IDS.  The level of risk to their operation from competitors, foreign nationals, and restless outliers is significant.   Peter Mudge most recently wrote about how Electric Companies are vulnerable to a network attack (Oram, Viega, 2009).  He argued that their lack of defense is a result of a business strategy – or lack thereof.  60 Minutes documented the threat to electric companies by quoting unattributable government sources describing how two Brazilian power stations were shut down.  There are many other real and unimagined threats faced on the Internet that affect people on a regular basis.   All of these threats need to be mitigated in some capacity.</p>
<p>IDS are valuable to detect these threats.  It is impossible to protect yourself when you are blissfully unaware of what’s happening on your network.  Personal, human time needs to be spent reviewing IDS alerts.  It is a necessary risk needed to ensure that networks are safe, unaffected by malicious behavior, and safe for everyone to use.</p>
<p><span style="text-decoration: underline">References</span><br />
Oram &amp; Viega, <span style="text-decoration: underline">Beautiful Security, 1<sup>st</sup> Edition</span>, O’Reilly Media, Inc. April 28, 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/01/21/reg-asks-what-is-an-ids/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/01/21/reg-asks-what-is-an-ids/</feedburner:origLink></item>
		<item>
		<title>Filipino Hackers Download An Unexpected File</title>
		<link>http://feedproxy.google.com/~r/DroppedPackets/~3/03BlDl76bZU/</link>
		<comments>http://dp.lomin.com/2010/01/19/philippino-hackers-download-an-unexpected-file/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 04:00:00 +0000</pubDate>
		<dc:creator>jminto</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Chapter 1 - Reg's Computer is Hacked]]></category>
		<category><![CDATA[CNA]]></category>
		<category><![CDATA[demographics]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[warez]]></category>

		<guid isPermaLink="false">http://newdp.lomin.com/?p=6</guid>
		<description><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/19/philippino-hackers-download-an-unexpected-file/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Filipino Hackers Download An Unexpected File" class="comicthumbnail" title="Filipino Hackers Download An Unexpected File" />
</a></p>
	Are there Filipino hackers? Probably.  Marc Rogers&#8217; old paper on demographics of hackers would have us believe that.  Demographics aside, it is fun to think about how hackers respond to bizarre unintentional downloads. Regarding demographics, Marc Rogers&#8217; research for his doctorate involved the psychology of the hacker.  You can find some of his work here:  http://homes.cerias.purdue.edu/~mkr/.  [...]]]></description>
			<content:encoded><![CDATA[		<p><a href="http://dp.lomin.com/2010/01/19/philippino-hackers-download-an-unexpected-file/"><img src="http://dp.lomin.com/wp-content/themes/comicpress/images/notfound.png" alt="Filipino Hackers Download An Unexpected File" class="comicthumbnail" title="Filipino Hackers Download An Unexpected File" />
</a></p>
	<p>Are there Filipino hackers? Probably.  Marc Rogers&#8217; old paper on demographics of hackers would have us believe that.  Demographics aside, it is fun to think about how hackers respond to bizarre unintentional downloads.<br />
<span id="more-6"></span></p>
<p>Regarding demographics, Marc Rogers&#8217; research for his doctorate involved the psychology of the hacker.  You can find some of his work here:  <a href="http://homes.cerias.purdue.edu/~mkr/">http://homes.cerias.purdue.edu/~mkr/</a>.  This work, however, is far from current.  Does anyone know of a more up-to-date public resource?</p>
<p>Popular research indicates that hackers are typically males between the ages of twelve and 28, but there seems to be no publicly available break-down on hackers by nation states.  This is interesting with all the talk of hackers from China (<a href="http://www.time.com/time/nation/article/0,8599,1098371,00.html">http://www.time.com/time/nation/article/0,8599,1098371,00.html</a>).  How many hackers are in China? A better question might be “How many males between the ages of twelve and 28 have computers in China?” What would happen in a country where a large part of the population is female?</p>
]]></content:encoded>
			<wfw:commentRss>http://dp.lomin.com/2010/01/19/philippino-hackers-download-an-unexpected-file/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://dp.lomin.com/2010/01/19/philippino-hackers-download-an-unexpected-file/</feedburner:origLink></item>
	</channel>
</rss>

