Data Link Layer¶
links: SPA TOC - Layered Security - Index
Data Link Layer¶
- Sends and receives frames between adjacent stations on the link
- Frames and addresses data
- Encapsulates data packets into frames
- Adds MAC address in frame header
- Provide error-free node-to-node connections and flow control
- Error detection protocol: Cyclic Redundancy Check (CRC)
- Flow control based on IEEE 802.3x standard (pause frames)
- VLANs using Q-Tag in header
- Flow control is often delegated to higher layers \(\rightarrow\) TCP
- Spanning Tree Protocol to avoid loops
- Mapping between network layer and data link layer
- Network component: Switch
- Relevant topics: Ethernet, Switches (vs. Hubs), Spanning Tree, VLAN, ARP
Vulnerabilities¶
- MAC address spoofing
- NIC configured to use MAC address of another device
- VLAN circumvention
- Configure NIC to tag traffic with a different VLAN ID to access different VLAN
- Spanning tree errors
- Misconfiguration causing switch to be elected as root bridge leading to suboptimal traffic flow or loops
- Free connection or weak authentication and encryption to access links
- Open wifi network allowing anyone to connect without password
- Wrong behaviour of network devices in overload situations
- Switch dropping packets or providing inconsistent connectivity when at capacity
Attacks¶
- Content-Addressable Memory (CAM) table overflow
- CAM table contains MAC \(\leftrightarrow\) Port Mapping and VLAN parameters
- Attacker floods the switch with invalid-source MAC addresses
- When the CAM table is full the switch starts behaving like a hub \(\rightarrow\) incoming packets are sent to all parts
- VLAN hopping
- Attacker in VLAN 1 sending packets to VLAN 2
- Tagging packets with different VLAN ID or behave like a switch and negotiate trunking
- Spanning-Tree Protocol manipulation
- Spam network with topology change bridge protocol data units to force spanning-tree recalculation
- Goal: Attacker becomes root bridge
- MAC address spoofing
- Attacker sends packet with MAC address of attacked host to make switch overwrite CAM table
- Attacker will receive data destined for attacked host until the attacked host sends a packet to the switch to rewrite CAM table again
- ARP attack
- Attacker sends unsolicited ARP reply packets to attacked device
- Attacked device updates ARP table which results in data being sent to the wrong device \(\rightarrow\) attacker
- Private VLAN
- Promiscuous port: can communicate with all interfaces in VLAN
- Community port: can communicate with all interface in community VLAN
- Proxy can be used to circumvent restrictions
Controls¶
- Disable / Shutdown unused switch ports
- Prevent attacker from connecting to network
- Implement MAC address filtering
- Restrict access to network to devices with approved MAC addresses
- Counters CAM table overflow attack
- Do not use VLAN assignments to enforce secure design
- to achieve secure isolation the networks should be physically isolated with policy engines (firewalls) in between
- Mitigates VLAN hopping attack
- Use security enhanced network devices
- IEEE 802.1X-2010 with port-based network access control
- IEEE 802.11i-2004 WiFi protected access with WPA2
- WPA3 with AES-GCM
- Use device built-in security features (encryption, authentication, MAC filtering)
- Use ARP / broadcast monitoring software
- Identify unknown devices
- Identify spoofed MAC addresses
- Use IPv6 secure neighbor discovery (SEND)
links: SPA TOC - Layered Security - Index