Network Security Data Link Layer - Network Security

What is Network Security Data Link Layer?

We have seen that the rapid growth of the Internet has raised major concerns about network security. Several techniques have been developed to provide security in the application, transport, or network layer of a network.

Many organizations include security features at the higher OSI layers, from the application layer all the way down to the IP layer. However, one area generally left unattended is hardening of the data link layer. This can open the network to a variety of attacks and compromises.

In this chapter, we discuss security issues at the data link layer and techniques to counter them. Our discussion is focused on Ethernet networks.

Security Concerns in Data Link Layer

The data link layer in Ethernet networks is highly prone to several attacks. The most common attacks are −

ARP Spoofing

Address Resolution Protocol (ARP) is a protocol used to map an IP address to a physical machine address recognizable in the local Ethernet. When a host machine needs to find the physical Media Access Control (MAC) address for an IP address, it broadcasts an ARP request. The other host that owns the IP address sends an ARP reply message with its physical address.

Every host machine on the network maintains a table, known as the 'ARP cache'. The table holds the IP addresses and associated MAC addresses of other hosts on the network.

Since ARP is a stateless protocol, every time a host receives an ARP reply from another host, even if it has not sent an ARP request, it accepts that ARP entry and updates its ARP cache. The process of modifying a target host's ARP cache with a forged entry is referred to as ARP poisoning or ARP spoofing.

ARP spoofing may allow an attacker to masquerade as a legitimate host and then intercept data frames on a network, modify them, or stop them. Often the attack is used to launch other attacks such as man-in-the-middle, session hijacking, or denial of service.

Network Security – Data Link Layer

MAC Flooding

Each switch in the Ethernet has a Content-Addressable Memory (CAM) table that stores MAC addresses, switch port numbers, and other information. The table has a fixed size. In a MAC flooding attack, the attacker floods the switch with MAC addresses using forged ARP packets until the CAM table is full.

Once the CAM table is full, the switch goes into hub-like mode and starts broadcasting traffic for which it has no CAM entry. The attacker, who is on the same network, now receives all the frames that were destined only for a specific host.

Port Stealing

Ethernet switches have the ability to learn and bind MAC addresses to ports. When a switch receives traffic on a port with a given MAC source address, it binds that port number and that MAC address.

The port stealing attack exploits this ability of the switches. The attacker floods the switch with forged ARP frames carrying the target host's MAC address as the source address. The switch is fooled into believing that the target host is on the port to which the attacker is actually connected.

Now all data frames intended for the target host are sent to the attacker's switch port and not to the target host. Thus, the attacker receives all the frames that were actually destined only for the target host.

DHCP Attacks

Dynamic Host Configuration Protocol (DHCP) is not a data link protocol, but solutions to DHCP attacks are also useful to thwart layer 2 attacks.

DHCP is used to dynamically allocate IP addresses to computers for a specific period of time. It is possible to attack DHCP servers by causing denial of service in the network or by impersonating the DHCP server. In a DHCP starvation attack, the attacker requests all of the available DHCP addresses. This results in a denial of service to the legitimate hosts on the network.

In a DHCP spoofing attack, the attacker can set up a rogue DHCP server to provide addresses to the clients. Here, the attacker can provide the host machines with a rogue default gateway in the DHCP responses. Data frames from the hosts are now directed to the rogue gateway, where the attacker can intercept all packets and relay them to the real gateway or drop them.

Other Attacks

In addition to the well-known attacks above, there are other attacks such as layer 2-based broadcasting, denial of service (DoS), and MAC cloning.

In the broadcasting attack, the attacker sends spoofed ARP replies to the hosts on the network. These ARP replies set the MAC address of the default gateway to the broadcast address. This causes all outbound traffic to be broadcast, enabling sniffing by an attacker sitting on the same Ethernet. This type of attack also affects the network capacity.

In layer 2-based DoS attacks, the attacker updates the ARP caches of hosts in the network with non-existent MAC addresses. The MAC address of each network interface card is supposed to be globally unique. However, it can easily be changed by enabling MAC cloning. The attacker disables the target host through a DoS attack and then uses the IP and MAC addresses of the targeted host.

The attacker executes these attacks to launch higher-level attacks that jeopardize the security of data traveling on the network. He can intercept all the frames and would be able to read the frame data. The attacker can act as a man-in-the-middle and modify data or simply drop the frames, leading to DoS. He can hijack the ongoing session between the target host and other machines, and communicate entirely false data.

Securing Ethernet LANs

We discussed some widely known attacks at the data link layer in the previous section. Several methods have been developed to mitigate these types of attacks. Some of the important methods are −

Port Security

Port security is a layer 2 security feature available on intelligent Ethernet switches. It involves tying a physical port of a switch to a specific MAC address or addresses. Anyone can access an unsecured network by simply connecting a host to one of the available switch ports. However, port security can secure layer 2 access.

By default, port security limits the ingress MAC address count to one. However, it is possible to allow more than one authorized host to connect on that port through configuration. Allowed MAC addresses per interface can be statically configured. A convenient alternative is to enable 'sticky' MAC address learning, where MAC addresses are dynamically learned by the switch port until the maximum limit for the port is reached.

To ensure security, the reaction to a change in the specified MAC address(es) on a port, or to excess addresses on a port, can be controlled in several different ways. The port can be configured to shut down, or to block the MAC addresses that exceed the specified limit. The recommended best practice is to shut down the port. Port security prevents MAC flooding and cloning attacks.
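The following is an added simulation (not code from the original page or from any switch vendor) of the two behaviours described above: a fixed-size CAM table that, once filled by forged source addresses, leaves the switch unable to learn new hosts so their traffic is flooded, and a port-security limit with sticky learning and the shutdown or restrict violation action. Port names, MAC addresses and the CAM size are constructed for the example.

```python
class SwitchPort:
    """One switch port with optional port security (constructed model, not vendor code).
    max_macs=None disables port security; otherwise addresses are learned 'sticky'
    until the limit, and the next new address triggers the violation action."""

    def __init__(self, name: str, max_macs=None, violation: str = "shutdown"):
        self.name = name
        self.max_macs = max_macs
        self.violation = violation       # "shutdown" (recommended) or "restrict"
        self.secure_macs = set()         # sticky-learned addresses
        self.shutdown = False

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is accepted on the port."""
        if self.shutdown:
            return False
        if self.max_macs is None or src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)  # sticky learning
            return True
        if self.violation == "shutdown":
            self.shutdown = True           # err-disable the whole port
        return False                       # "restrict": only the excess address is dropped


class Switch:
    """Switch with a fixed-size CAM table mapping MAC -> port name."""

    def __init__(self, cam_size: int):
        self.cam_size = cam_size
        self.cam = {}

    def forward(self, port: SwitchPort, src_mac: str, dst_mac: str) -> str:
        """Return the egress port, 'flooded' (unknown destination) or 'dropped'."""
        if not port.ingress(src_mac):
            return "dropped"
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = port.name    # learn the source; a full table learns nothing
        return self.cam.get(dst_mac, "flooded")


def mac_flood(sw: Switch, port: SwitchPort, count: int) -> int:
    """Push `count` broadcast frames with distinct forged source MACs; return how many got in."""
    accepted = 0
    for i in range(count):
        forged = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        if sw.forward(port, forged, "ff:ff:ff:ff:ff:ff") != "dropped":
            accepted += 1
    return accepted


def demo(port_security: bool) -> dict:
    """Flood from Gi0/2, then let a client on Gi0/1 talk to a server on Gi0/3 and see
    whether the server's reply is unicast to Gi0/1 or flooded out of every port."""
    limit = 1 if port_security else None
    sw = Switch(cam_size=8)
    client, attacker, server = (SwitchPort(n, limit) for n in ("Gi0/1", "Gi0/2", "Gi0/3"))
    accepted = mac_flood(sw, attacker, 20)
    sw.forward(client, "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:03")
    reply = sw.forward(server, "aa:aa:aa:00:00:03", "aa:aa:aa:00:00:01")
    return {"accepted": accepted, "cam_entries": len(sw.cam),
            "attacker_shutdown": attacker.shutdown, "reply_to_client": reply}
```

Without port security all 20 forged addresses fill the 8-entry table and the reply to the client is flooded; with a limit of one sticky address the second forged frame err-disables the attacker's port and the reply stays unicast.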

DHCP Snooping

We have seen that DHCP spoofing is an attack where the attacker listens for DHCP requests from hosts on the network and answers them with a fake DHCP response before the authorized DHCP response reaches the host.

DHCP snooping can prevent such attacks. DHCP snooping is a switch feature. The switch can be configured to determine which switch ports are allowed to respond to DHCP requests. Switch ports are identified as trusted or untrusted ports.

Only ports that connect to an authorized DHCP server are configured as 'trusted' and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and may send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Preventing ARP Spoofing

The port security method can prevent MAC flooding and cloning attacks. However, it does not prevent ARP spoofing. Port security validates the MAC source address in the frame header, but ARP frames contain an additional MAC source field in the data payload, and hosts use this field to populate their ARP cache. Some methods to prevent ARP spoofing are listed as follows.

  • Static ARP − One of the recommended actions is to employ static ARP entries in the host ARP table. Static ARP entries are permanent entries in an ARP cache. However, this method is impractical. Also, it does not allow the use of Dynamic Host Configuration Protocol (DHCP), as static IP addresses would have to be used for all hosts in the layer 2 network.
  • Intrusion Detection System − This method of defense is to utilize an Intrusion Detection System (IDS) configured to detect excessive amounts of ARP traffic. However, an IDS is prone to reporting false positives.
  • Dynamic ARP Inspection − This method of preventing ARP spoofing is similar to DHCP snooping. It uses trusted and untrusted ports. ARP replies are allowed into the switch interface only on trusted ports. If an ARP reply arrives at the switch on an untrusted port, the contents of the ARP reply packet are compared to the DHCP binding table to verify its accuracy. If the ARP reply is not valid, it is dropped, and the port is disabled.
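As an added example (not from the original page), the check below parses an Ethernet/ARP frame and applies the Dynamic ARP Inspection decision just described: on untrusted ports the sender MAC carried in the ARP payload (the field port security never sees) must match the frame header and the DHCP snooping binding table, otherwise the reply is dropped and the port err-disabled. The binding table, port names and addresses are constructed for the example.

```python
import struct

# Constructed DHCP snooping binding table: IP -> (MAC, port). On a real switch this is
# populated from DHCP ACKs seen on trusted ports; the values here are made up.
DHCP_BINDINGS = {
    "10.0.0.1":  ("aa:bb:cc:00:00:01", "Gi0/1"),    # default gateway
    "10.0.0.20": ("aa:bb:cc:00:00:20", "Gi0/20"),
}
TRUSTED_PORTS = {"Gi0/1"}   # uplink toward the router / DHCP server
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an untagged Ethernet frame carrying an IPv4-over-Ethernet ARP packet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    # ARP body: htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"hdr_src": mac_str(src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def inspect_arp(frame: bytes, ingress_port: str) -> str:
    """Dynamic ARP Inspection decision: 'permit' or 'drop+errdisable'."""
    arp = parse_arp_frame(frame)
    if ingress_port in TRUSTED_PORTS:
        return "permit"               # trusted ports are not inspected
    if arp["sender_mac"] != arp["hdr_src"]:
        return "drop+errdisable"      # payload sender MAC disagrees with the frame header
    binding = DHCP_BINDINGS.get(arp["sender_ip"])
    if binding is None or binding != (arp["sender_mac"], ingress_port):
        return "drop+errdisable"      # IP/MAC/port triple not in the snooping table
    return "permit"


def build_arp_reply(hdr_src, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply frame to feed the inspector."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", mac(target_mac), mac(hdr_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


# Legitimate reply from the host bound on Gi0/20
GOOD = build_arp_reply("aa:bb:cc:00:00:20", "aa:bb:cc:00:00:20", "10.0.0.20",
                       "aa:bb:cc:00:00:01", "10.0.0.1")
# Poisoning attempt seen on Gi0/33: a host claims the gateway's IP with its own MAC
SPOOFED = build_arp_reply("aa:bb:cc:00:00:33", "aa:bb:cc:00:00:33", "10.0.0.1",
                          "aa:bb:cc:00:00:20", "10.0.0.20")
```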

Securing Spanning Tree Protocol

Spanning Tree Protocol (STP) is a layer 2 link management protocol. The main purpose of STP is to ensure that there are no data flow loops when the network has redundant paths. Generally, redundant paths are built to provide reliability to the network. But they can form deadly loops that can lead to a DoS condition in the network.

Spanning Tree Protocol

In order to provide the desired path redundancy, as well as to avoid a loop condition, STP defines a tree that spans all the switches in a network. STP forces certain redundant data links into a blocked state and keeps other links in a forwarding state.

If a link in the forwarding state breaks down, STP reconfigures the network and redefines data paths by activating the appropriate standby path. STP runs on bridges and switches deployed in the network. All the switches exchange information for root switch selection and for subsequent configuration of the network. Bridge Protocol Data Units (BPDUs) carry this information. Through the exchange of BPDUs, all the switches in the network elect a root bridge/switch that becomes the focal point in the network and controls the blocked and forwarded links.

Attacks on STP

  • Taking over the root bridge. This is one of the most disruptive types of attack at layer 2. By default, a LAN switch takes any BPDU sent from a neighboring switch at face value. Incidentally, STP is trustful, stateless, and does not provide any sound authentication mechanism.
  • Once in root attack mode, the attacking switch sends a BPDU every 2 seconds with the same priority as the current root bridge, but with a slightly numerically lower MAC address, which ensures its victory in the root-bridge election process. The attacker switch can launch a DoS attack either by not properly acknowledging other switches, causing BPDU flooding, or by subjecting switches to over-processing of BPDUs by claiming to be root at one time and retracting in quick succession.
  • DoS using a flood of configuration BPDUs. The attacking switch does not attempt to take over as root. Instead, it generates a large number of BPDUs per second, leading to very high CPU utilization on the switches.

Preventing Attacks on STP

Fortunately, the countermeasure to a root takeover attack is simple and straightforward. Two features help in defeating a root takeover attack.

  • Root Guard − Root guard restricts the switch ports out of which the root bridge may be negotiated. If a 'root-guard-enabled' port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, and no data traffic is forwarded across that port. Root guard is best deployed toward ports that connect to switches which are not expected to take over as the root bridge.
  • BPDU Guard − BPDU guard is used to protect the network from the problems that may be caused by the receipt of BPDUs on access ports. These are the ports that should not be receiving them. BPDU guard is best deployed toward user-facing ports to prevent the insertion of a rogue switch by an attacker.
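An added model (not from the original page and not an STP implementation) of how a non-root switch handles an incoming BPDU with and without the two guards: bridge IDs compare as (priority, MAC), so a claim with equal priority and a MAC one value lower is "superior" and wins an unprotected election, while a root-guard port goes root-inconsistent and a BPDU-guard port is err-disabled. The bridge IDs and port names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """STP bridge identifier; the numerically lowest (priority, MAC) wins the root election."""
    priority: int          # 0..61440 in steps of 4096, default 32768
    mac: str

    def key(self):
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId      # who the sender claims the root is
    sender_id: BridgeId


class StpPort:
    def __init__(self, name: str, root_guard: bool = False, bpdu_guard: bool = False):
        self.name = name
        self.root_guard = root_guard   # toward switches that must never become root
        self.bpdu_guard = bpdu_guard   # user-facing access ports
        self.state = "forwarding"


class StpSwitch:
    """Simplified BPDU handling on a non-root switch (constructed model)."""

    def __init__(self, my_id: BridgeId, current_root: BridgeId):
        self.my_id = my_id
        self.current_root = current_root

    def receive_bpdu(self, port: StpPort, bpdu: Bpdu) -> str:
        if port.bpdu_guard:
            port.state = "err-disabled"          # access ports must never see BPDUs
            return port.state
        superior = bpdu.root_id.key() < self.current_root.key()
        if superior and port.root_guard:
            port.state = "root-inconsistent"     # no data forwarded while claims persist
            return port.state
        if superior:
            self.current_root = bpdu.root_id     # plain STP: believe the better root claim
            return "root-changed"
        return "accepted"

    def superior_bpdus_stopped(self, port: StpPort) -> None:
        """Root guard recovers on its own once the offending BPDUs cease."""
        if port.state == "root-inconsistent":
            port.state = "forwarding"


# Constructed topology: the legitimate root and a rogue bridge with the same priority
# and a MAC one value lower, the claim described in the text.
REAL_ROOT = BridgeId(32768, "00:00:0c:00:00:10")
ROGUE = BridgeId(32768, "00:00:0c:00:00:0f")
ROGUE_BPDU = Bpdu(root_id=ROGUE, sender_id=ROGUE)


def takeover_result(root_guard: bool) -> tuple:
    """(port state, root believed after the BPDU) for a downstream port with/without root guard."""
    sw = StpSwitch(BridgeId(32768, "00:00:0c:00:00:20"), REAL_ROOT)
    port = StpPort("Gi0/24", root_guard=root_guard)
    sw.receive_bpdu(port, ROGUE_BPDU)
    return port.state, sw.current_root
```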

Securing virtual LAN

In local networks, Virtual Local Area Networks (VLANs) are sometimes configured as a security measure to limit the number of hosts susceptible to layer 2 attacks. VLANs create network boundaries over which broadcast (ARP, DHCP) traffic cannot cross.

Virtual Local Area Network

A network employing one or more switches with VLAN capabilities can be configured to define multiple VLANs over a single physical LAN infrastructure.

The common form of VLAN is the port-based VLAN. In this VLAN structure, the switch ports are grouped into VLANs using the switch management software. Thus a single physical switch can act as multiple virtual switches.

Employment of VLANs provides traffic isolation. It divides a large broadcast layer 2 network into smaller logical layer 2 networks and thus reduces the scope of attacks such as ARP/DHCP spoofing. Data frames of one VLAN can move only from/to ports belonging to the same VLAN. Forwarding of frames between two VLANs is done through routing.

VLANs generally span multiple switches, as shown in the diagram above. The link between trunk ports carries frames of all VLANs defined over the multiple physical switches. Hence, VLAN frames forwarded between switches cannot be plain IEEE 802.1 Ethernet format frames. Since these frames travel on the same physical link, they now need to carry VLAN ID information. The IEEE 802.1Q protocol adds/removes additional header fields to plain Ethernet frames forwarded between trunk ports.

When the field following the two MAC address fields is 0x8100 (> 1500), the frame is identified as an 802.1Q frame. The value of the 2-byte Tag Protocol Identifier (TPI) is 81-00. The TCI field contains a 3-bit priority value, a 1-bit Drop Eligible Indicator (DEI), and a 12-bit VLAN ID. The 3-bit priority field and the DEI field are not relevant to VLANs; the priority bits are used for provision of Quality of Service.

When a frame does not belong to any VLAN, there is a default VLAN ID with which the frame is considered to be associated.

Attack on VLAN & Prevention Measures

In a VLAN hopping attack, an attacker on one VLAN can gain access to the traffic on other VLANs that would normally not be accessible. It bypasses the layer 3 device (router) when communicating from one VLAN to another, thus defeating the purpose of VLAN creation.

VLAN hopping can be performed by two methods: switch spoofing and double tagging.

Switch Spoofing

Switch spoofing can occur when the switch port to which the attacker is connected is either in 'trunking' mode or 'auto-negotiation' mode. The attacker acts as a switch and adds 802.1Q encapsulation headers with VLAN tags for the target remote VLANs to its outgoing frames. The receiving switch interprets those frames as sourced from another 802.1Q switch, and forwards the frames into the target VLAN.

The two preventive measures against switch spoofing attacks are to set edge ports to static access mode and to disable auto-negotiation on all ports.

Double Tagging

In this attack, an attacker connected to a native VLAN port of a switch prepends two VLAN tags to the frame header. The first tag is for the native VLAN and the second is for the target VLAN. When the first switch receives the attacker's frames, it removes the first tag because frames of the native VLAN are forwarded without a tag on the trunk port.

  • Since the second tag was never removed by the first switch, the receiving switch identifies the remaining tag as the destination VLAN and forwards the frames to the target host in that VLAN. The double tagging attack exploits the concept of the native VLAN. Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it is an easy target.
  • The first prevention measure is to remove all access ports from the default VLAN 1, since the attacker's port must match the switch's native VLAN. The second prevention measure is to assign the native VLAN on all switch trunks to some unused VLAN, say VLAN ID 999. And finally, all switches should be configured to perform explicit tagging of native VLAN frames on the trunk port.
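To make the tag format and the three countermeasures concrete, here is an added walk-through (not from the original page, and a model rather than any switch's forwarding code) that parses and builds 802.1Q tags and traces a double-tagged frame across an access port, a trunk, and the next switch's trunk port. It shows the frame landing in the target VLAN only when the access VLAN equals the untagged native VLAN, and staying in its own VLAN, or being dropped, under each countermeasure. The addresses, VLAN numbers and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100 then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))


def parse_tags(frame: bytes) -> list:
    """Every stacked tag found right after the destination/source MAC fields, outermost first."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return tags


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + vlan_tag(vid) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int):
    """Classify a frame arriving on an access port: untagged frames join the access VLAN,
    a frame already tagged with that VLAN is accepted as-is (further tags are opaque
    payload, which is what double tagging relies on), any other tag is dropped."""
    tags = parse_tags(frame)
    if not tags:
        return push_tag(frame, access_vlan)
    return frame if tags[0]["vid"] == access_vlan else None


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Native-VLAN frames leave a trunk untagged unless explicit native tagging is enabled."""
    if parse_tags(frame)[0]["vid"] == native_vlan and not tag_native:
        return pop_tag(frame)
    return frame


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    tags = parse_tags(frame)
    return tags[0]["vid"] if tags else native_vlan   # untagged means native VLAN


def double_tag_outcome(access_vlan: int, native_vlan: int, tag_native: bool,
                       outer_vid: int = 1, target_vlan: int = 20):
    """Constructed two-switch trace of a frame carrying an outer tag (outer_vid) and an
    inner tag (target_vlan). Returns the VLAN the second switch places it in, or None
    when the first switch's access port drops it."""
    frame = (mac("ff:ff:ff:ff:ff:ff") + mac("02:00:00:00:00:aa")
             + vlan_tag(outer_vid) + vlan_tag(target_vlan)
             + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed payload")
    classified = access_ingress(frame, access_vlan)
    if classified is None:
        return None
    return trunk_ingress(trunk_egress(classified, native_vlan, tag_native), native_vlan)
```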

Securing wireless LAN

A wireless local area network is a network of wireless nodes within a limited geographic area, such as an office building or school campus. Nodes are capable of radio communication.

Wireless LAN

A wireless LAN is usually implemented as an extension of an existing wired LAN to provide network access with device mobility. The most widely implemented wireless LAN technologies are based on the IEEE 802.11 standard and its amendments.

The two major components in wireless LAN are −

  • Access Points (APs) − These are base stations for the wireless network. They transmit and receive radio frequencies to communicate with wireless clients.
  • Wireless Clients − These are computing devices that are equipped with a Wireless Network Interface Card (WNIC). Laptops, IP phones, and PDAs are typical examples of wireless clients.

Many organizations have implemented wireless LANs. These networks are growing phenomenally. It is therefore important to understand the threats in wireless LANs and learn the common preventive measures to ensure network security.

Attacks in Wireless LAN

The typical attacks that are done on wireless LAN are −

  • Eavesdropping − The attacker passively monitors wireless networks for information, including authentication credentials.
  • Masquerading − The attacker impersonates an authorized user and gains access and privileges on wireless networks.
  • Traffic Analysis − The attacker monitors transmissions through wireless networks to identify communication patterns and individuals.
  • Denial of service − The attacker prevents or restricts the regular use or control of wireless LAN or network devices.
  • Message Modification/Replay − The attacker alters or replays a legitimate message sent through wireless networks by deleting, adding to, changing, or reordering it.

Security Measures in Wireless LAN

Security measures provide means to defeat attacks and manage risks to the networks. These are network management, operation, and technical measures. We describe below the technical measures adopted to ensure confidentiality, availability, and integrity of data transmitted through wireless LANs.

In wireless LANs, all APs should be configured to provide security through encryption and client authentication. The types of schemes used in wireless LANs to provide security are as follows −

Wired Equivalent Privacy (WEP)

WEP is an encryption algorithm built into the 802.11 standard to secure wireless networks. WEP encryption uses the RC4 (Rivest Cipher 4) stream cipher with 40-bit/104-bit keys and a 24-bit initialization vector. It can also provide endpoint authentication.

It is, however, the weakest encryption security mechanism, as a number of flaws have been discovered in WEP encryption. WEP also does not have an authentication protocol. Hence, using WEP is not recommended.

802.11i Protocol

In this protocol, several stronger forms of encryption are possible. It has been developed to replace the weak WEP scheme. It provides a key distribution mechanism. It supports one key per station, and does not use the same key for all. It uses an authentication server separate from the access point.

IEEE 802.11i mandates the use of a protocol named Counter mode with CBC-MAC Protocol (CCMP). CCMP provides confidentiality and integrity of the data transferred and authenticity of the sender. It is based on the Advanced Encryption Standard (AES) block cipher.

The IEEE 802.11i protocol has four phases of operation.

  • STA and AP communicate and discover mutual security capabilities such as supported algorithms.
  • STA and AS mutually authenticate and together generate a Master Key (MK). The AP acts as a "pass through".
  • STA derives the Pairwise Master Key (PMK). AS derives the same PMK and sends it to the AP.
  • STA and AP use the PMK to derive a Temporal Key (TK) to be used for message encryption and data integrity.

Other Standards

  • Wi-Fi Protected Access (WPA) − This protocol implements the majority of the IEEE 802.11i standard. It existed before IEEE 802.11i and uses the RC4 algorithm for encryption. It has two modes of operation. In 'Enterprise' mode, WPA uses the authentication protocol 802.1x to communicate with an authentication server, and hence the pre-master key (PMK) is specific to each client station. In 'Personal' mode, it does not use 802.1x; the PMK is replaced by a pre-shared key, as used in Small Office Home Office (SOHO) wireless LAN environments.

WPA also includes a sound message integrity check replacing the Cyclic Redundancy Check (CRC) that was used by the WEP standard.

  • WPA2 − WPA2 replaced WPA. WPA2 implements all mandatory elements of the IEEE 802.11i scheme. In particular, it includes mandatory support for CCMP, an AES-based encryption mode with strong security. Thus, as far as the attacks are concerned, WPA2 / IEEE 802.11i provides adequate solutions to protect against WEP weaknesses, man-in-the-middle attacks, packet forgery, and replay attacks. However, DoS attacks are not addressed properly and there are no solid protocols to prevent such attacks, basically because such attacks target the physical layer, like interfering with the frequency band.


In this chapter, we considered attacks and mitigation techniques assuming a switched Ethernet network running IP. If your network does not use Ethernet as the layer 2 protocol, some of these attacks may not be applicable, but chances are such a network is vulnerable to different types of attacks.

Security is only as strong as the weakest link. When it comes to networking, layer 2 can be a very weak link. The layer 2 security measures described in this chapter go a long way toward protecting a network from many types of attacks.
