Network Device Security
By: McGraw-Hill/Osborne
    2004-05-25

    Table of Contents:
  • Network Device Security
  • Switches
  • Routers
  • Network Hardening
  • Administrative Practices
  • Centralizing Account Management
  • SNMP and ICMP


    Network Device Security - Switches
    (Page 2 of 7)

    From a network operation perspective, switches are layer two devices and routers are layer three devices (though as technology advances, switches are being built with capabilities at all seven layers of the OSI model).

    Switches are the evolving descendants of the network hub. Hubs were dumb devices used to transmit packets between the devices connected to them; they functioned by retransmitting each and every packet received on one port out through all of their other ports. This created scalability problems, because as the number of connected workstations and the volume of network communications increased, collisions became more frequent, degrading performance. A collision occurs when two devices transmit a packet onto the network at almost the exact same moment, causing the packets to overlap and thus mangling them. When this happens, each device must detect the collision and then retransmit its packet in its entirety. As more and more devices are attached to the same hub, and more hubs are interconnected, the chance that two nodes transmit at the same time increases, and collisions become more frequent. In addition, as the size of the network increases, the distance and time a packet is in transit over the network also increase, making collisions more likely still. Thus, it is necessary to keep the size of such networks very small to achieve acceptable levels of performance.

    To overcome the performance shortcomings of hubs, switches were developed. Switches are intelligent devices that learn the MAC addresses of connected devices and transmit packets only to the devices they are specifically addressed to. Since each packet is not rebroadcast to every connected device, the likelihood that two packets will collide is significantly reduced. In addition, switches provide a security benefit by reducing the ability to monitor or “sniff” another workstation’s traffic. With a hub, every workstation would see all traffic on that hub; with a switch, every workstation sees only the traffic addressed to it.

    A switched network cannot absolutely eliminate the ability to sniff traffic. A hacker can trick a local network segment into sending it another workstation’s traffic with an attack known as ARP poisoning. ARP poisoning works by forging replies to ARP broadcasts. For example, suppose malicious workstation Attacker wishes to monitor the traffic of workstation Victim, another host on the local switched network segment. To accomplish this, Attacker would broadcast an ARP packet onto the network containing Victim’s IP address but Attacker’s MAC address. Any workstation that receives this broadcast would update its ARP table and thereafter would send all of Victim’s traffic to Attacker. This ARP packet is commonly called a gratuitous ARP and is normally used to announce a new workstation attaching to the network. To avoid alerting Victim that something is wrong, Attacker would immediately forward any packets received for Victim on to Victim; otherwise Victim would soon wonder why network communications weren’t working. The most severe form of this attack is where Victim is the local router interface. In this situation, Attacker would receive and monitor all traffic entering and leaving the local segment. While ARP poisoning attacks appear complicated, several tools are available that automate the attack process, such as Ettercap, shown in Figure 10-1 (http://ettercap.sourceforge.net), and HUNT (http://lin.fsid.cvut.cz/~kra/index.html#HUNT). The figure shows an attacker using Ettercap to ARP poison the local segment’s default gateway on a switched network.

    To reduce a network’s exposure to ARP poisoning attacks, segregate sensitive hosts between layer three devices or use virtual LAN (VLAN) functionality on switches. For highly sensitive hosts, administrators may wish to statically define important MAC entries, such as the default gateway. Statically defined MAC entries will take precedence over MAC entries that are learned via ARP.
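    The mitigation above (static MAC entries for sensitive hosts taking precedence over learned ones) pairs naturally with monitoring for the forged gratuitous ARP described in the previous paragraph. The following Python script is an added example, not code from the book or from Ettercap or HUNT: it decodes raw Ethernet/IPv4 ARP payloads, keeps a table of sender IP-to-MAC claims in which static entries (here the default gateway) override anything learned, and raises an alert when a packet contradicts a static entry or re-maps an already-learned host. All addresses and the replayed frames are constructed sample values; feeding it live frames from a capture interface is left to the reader.

```python
"""Defender-side ARP monitor (added example): flags ARP traffic that contradicts a
static entry such as the default gateway, or re-maps a host already learned.
All addresses and frames below are constructed sample values."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode the 28-byte Ethernet/IPv4 ARP payload that follows the Ethernet header:
    hardware type, protocol type, address lengths, opcode, then SHA/SPA/THA/TPA."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return ArpPacket(opcode,
                     _mac_to_str(payload[8:14]), socket.inet_ntoa(payload[14:18]),
                     _mac_to_str(payload[18:24]), socket.inet_ntoa(payload[24:28]))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode an ARP payload; used here only to construct the sample traffic."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + socket.inet_aton(sender_ip)
            + mac(target_mac) + socket.inet_aton(target_ip))


class ArpMonitor:
    """Static entries take precedence over learned ones, mirroring the static-ARP
    advice in the text. A learned mapping is never overwritten by a conflicting
    claim, so repeated forged replies keep alerting instead of being accepted."""

    def __init__(self, static: Dict[str, str]):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.learned: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        # Replies and gratuitous requests both carry a sender IP/MAC claim;
        # an ARP probe (sender IP 0.0.0.0) makes no claim and is ignored.
        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        if ip == "0.0.0.0":
            return None
        if ip in self.static:
            if self.static[ip] == mac:
                return None
            alert = f"static entry conflict: {ip} is {self.static[ip]}, ARP claims {mac}"
        else:
            known = self.learned.setdefault(ip, mac)
            if known == mac:
                return None
            alert = f"mapping changed: {ip} was {known}, now claims {mac}"
        self.alerts.append(alert)
        return alert


# Constructed sample addresses (not from the original text).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
HOST_IP, HOST_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ROGUE_MAC = "00:de:ad:be:ef:01"


def run_sample() -> List[str]:
    """Replay constructed ARP frames through the monitor and return its alerts."""
    monitor = ArpMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        # gateway answers a normal request from the host: no alert
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        # host announces itself on boot, a harmless gratuitous ARP: learned
        build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", HOST_IP),
        # ARP probe from a new host; sender IP 0.0.0.0 is not a claim
        build_arp(ARP_REQUEST, "00:11:22:33:44:14", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.20"),
        # gratuitous ARP claiming the gateway IP with a foreign MAC: alert
        build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
        # reply re-mapping the already-learned host to the same foreign MAC: alert
        build_arp(ARP_REPLY, ROGUE_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    for raw in frames:
        monitor.observe(parse_arp(raw))
    return monitor.alerts
```

    Calling `run_sample()` returns two alerts, one for the gateway conflict and one for the re-mapped host, while the legitimate reply, the benign gratuitous ARP and the ARP probe pass silently. The static table is deliberately consulted before the learned table, which is the same precedence rule the text recommends for statically defined MAC entries on the hosts themselves.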


    FIGURE 1: Ettercap spoofing the default gateway

    This chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg, and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN: 0072226978). Check it out at your favorite bookstore today. Buy this book now.

    © 2003-2008 by Developer Shed. All rights reserved.