The module for this lesson is still under development. Please contact us if you have any questions.


Physical Security and Man-in-the-Middle Attack

1. Read Background
2. How can i avoid man-in-the-middle attack
3. Complete Security Checklist


Although often overlooked, physical security has been described as the weakest link in network security. This is because the network’s underlying communication mediais sometimes directly accessible to unauthorized individuals, or can be made accessible through light social engineering techniques.


Physical security addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization. It includes the physical protection of people, hardware, and the supporting system elements and resources that control information in all its states (transmission, storage, and processing).
Layer1(the Physical Layer) of the Open Systems Interconnection (OSI) modelconsists of the basic hardware transmission technologies of a network. The OSI Reference Model is a set of seven layers that defines the different stages that data must navigate to travel from one device to another over a communication network. Cabling technologies, such as fiber optic, coax, Ethernet, and T1 are defined here. Each of these communication technologies is vulnerable to attack. Fiber is among the hardest media types to break into because it is noticeable and the equipment is expensive. Most intercity connections are implemented via fiber.Coax cable is easy to break into, but not very prevalent. Ethernet (10, 100, 1000BaseT) is the most widely used in network closets and can easily be intercepted without notice.T1 is the easiest Layer 1 hacking target. Since it consist of two simple pairs of wires, T1 links are easy to listen in on.

Risk– How it happens ?

Man-in-the-middle (MITM) is an attack in which the abuser records data packets from the network, modifies them, and inserts them back into the network. Under the right conditions, an attacker could insert a MITM device, capturing all outside connections. Shared phone closets are an easy target, and provide the anonymous access a hacker seeks. Figure 2 illustrates how the area of the network of Fig. 1 comprising of the Channel Service Unit/Data Service Unit (CSU/DSU) can be manipulated to cause a MITM attack. With a low-end 1600 Cisco router, aphysical MITM device can be created. In many cases, closet circuits are labeled with company name and circuit ID. By using a small router device with two CSUs/DSUs and one Ethernet interface, a hacker can insert a simple MITM bridge with only five to ten seconds of downtime that more than likely would be invisible to the end user.With a MITM in progress, traffic can be sniffed and parsed out. Although secure protocols might be partially safe, any normal traffic could be manipulated.T1 links are often deployed for point-to-point interoffice communication, but are prone to MITM attack. Man-in-the-middle attack on an internal office T1 allows an attacker full access to internal network.

Example of Occurrence:

A security researcher for InfoSec Institute has outlined a scenario in which an attacker could launch a man-in-the-middle attack over an IPv6 network. The attacker would essentially overlay a parasitic IPv6 network on top of the targeted IPv4 network to intercept Internet traffic. His proof-of-concept attack is considered only Windows 7 systems, but is assumed to work for Windows Vista, Windows 2008 Server and operating systems with IPv6 enable by default.
If the attack is tobe successful, the attacker would need physical access to the targeted network long enough to connect an IPv6 router.In the case of a corporate network, the attacker would need to connect the IPv6 router to an existing IPv4 hub.

Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks

How can I avoid man-in-the-middle attcks?

Although there are a variety of controls for physical security, including guards, locks and mantraps,the challenge of securing a network increases as the network scales up in terms of either size or complexity. The following are twelve of the physical and environmental controls for a computer room and wiring closet:

  • Card keys for building and entrance to work area;
  • 24-hour guards at all entrances and exits;
  • Controlled access to file server room;
  • Closed circuit television monitors;
  • Cipher lock on computer room door;
  • Raised floor in computer room;
  • Dedicated cooling system;
  • Emergency lighting in computer room;
  • Smoke water and heat detectors;
  • Power strips and suppressors for peripherals and computers;
  • Smoke, water and head detectors;
  • Uninterruptable power supply for LAN servers

Example: Physical man-in-the-middle attack
An example of a physical MITM attack is depicted in Fig. 2. The entry point is the CSU/DSU of Fig. 1. A detail explanation is provided in the section, Risk—How it Happens.

Lab assignment

Complete the following:

    1. Use NS-3 ( or NS-2 ( to simulate the network in Fig. 1. (Alternatively, if you have access to all the devices in the Figure or to other network simulators, please feel free to use them instead).

    2. Modify the network to illustrate the MITM attack of Fig. 2

    3. Show and discuss your results.

Security Checklist

Security checklist


Man-in-the-middle attack



Answer the following questions to determine if your server room or wiring closet has some of the important physical protections against man-in-the-middle attacks.

Yes/No – describe

1. Are cards keys needed to gain access to building and entrance to work areas

2. Are 24- hours guards are posted at entrances and exits?

3. Is there controlled access to server rooms?

4. Are closed circuit television monitors installed?

5. Are there cipher lock on computer room doors?

If you answered no to any of the above questions, then your server room may be vulnerable to MITM attack.

Key Terms

    • Protected network—the sub-network in Fig. 1 that consists of all the components starting at Computer A proceeding right to include all components up to and including the NAT.
    • Firewall—sometimes called a packet filter, is designed to prevent malicious packets from entering a network or computer. Firewalls are typically located outside the network security perimeter as the first line of defense.
    • Intrusion Detection System—monitors activity on a network/computer and determines whether an intrusion has occurred.
    • Network Address Translation (NAT) Systems—hides the IP address of network devices from malicious hackers. The computers in a network using NAT are assigned special IP addresses. As a packet leaves the network, NAT removes the special IP address from the sender’s packet and replace it with an alias IP address.
    • Proxy Server—conceals the identity of the computers within a protected network. It functions similarly to a NAT but can also inspect packets and look for malicious content.
    • Demilitarized Zone (DMZ)—another network that sits outside the protected network perimeter. Outside users can access the DMZ but cannot enter the secure network.
    • Channel Service Unit/Data Service Unit (CSU/DSU)—translates between the digital representation of data used by the phone companies and the digital representation used by the computer industry.
    • PunchdownBlock—a type electrical connection often used in telephony. It is so named because the solid copper wires are “punched down” into short open-ended slots.

Copyright © Towson University