We have seen that the rapid growth of the Internet has raised a major problem for network security. Several techniques have been developed to offer security within the application, transport, or network layer of a network.
Many organizations include security features at the higher OSI layers, from the application layer all the way down to the IP layer. However, one area generally left unattended is hardening of the data link layer. This can open the network to a variety of attacks and compromises.
In this chapter, we discuss security issues at the data link layer and techniques to counter them. Our discussion is focused on Ethernet networks.
The data link layer in Ethernet networks is highly prone to several attacks. The most common attacks are −
Address Resolution Protocol (ARP) is a protocol used to map an IP address to a physical machine address recognizable in the local Ethernet. When a host machine needs to find the physical Media Access Control (MAC) address for an IP address, it broadcasts an ARP request. The other host that owns the IP address sends an ARP reply message with its physical address.
Every host machine on the network maintains a table known as the ‘ARP cache’. The table holds the IP addresses and associated MAC addresses of other hosts on the network.
Since ARP is a stateless protocol, every time a host receives an ARP reply from another host, even if it has not sent an ARP request, it accepts that ARP entry and updates its ARP cache. The process of modifying a target host’s ARP cache with a forged entry is referred to as ARP poisoning or ARP spoofing.
ARP spoofing may allow an attacker to masquerade as a legitimate host and then intercept data frames on a network, and modify or stop them. Often the attack is used to launch other attacks such as man-in-the-middle, session hijacking, or denial of service.
Each switch in the Ethernet has a Content-Addressable Memory (CAM) table that stores MAC addresses, switch port numbers, and other information. The table has a fixed size. In the MAC flooding attack, the attacker floods the switch with MAC addresses using forged ARP packets until the CAM table is full.
Once the CAM table is flooded, the switch goes into hub-like mode and starts broadcasting the traffic that does not have a CAM entry. The attacker, who is on the same network, now receives all the frames which were destined only for a specific host.
Ethernet switches have the ability to learn and bind MAC addresses to ports. When a switch receives traffic from a port with a given MAC source address, it binds the port number and that MAC address.
The port stealing attack exploits this ability of the switches. The attacker floods the switch with forged ARP frames carrying the target host’s MAC address as the source address. The switch is fooled into believing that the target host is on the port to which the attacker is actually connected.
Now all data frames intended for the targeted host are sent to the attacker’s switch port and not to the target host. Thus, the attacker receives all the frames which were actually destined only for the target host.
Dynamic Host Configuration Protocol (DHCP) is not a data link protocol, but solutions to DHCP attacks are also useful to thwart Layer 2 attacks.
DHCP is used to dynamically allocate IP addresses to computers for a specific period of time. It is possible to attack DHCP servers by causing denial of service in the network or by impersonating the DHCP server. In a DHCP starvation attack, the attacker requests all of the available DHCP addresses. This results in a denial of service to the legitimate hosts on the network.
In a DHCP spoofing attack, the attacker can install a rogue DHCP server to offer addresses to the clients. Here, the attacker can provide the host machines with a rogue default gateway in the DHCP responses. Data frames from the hosts are now directed to the rogue gateway, where the attacker can intercept all packets and relay them to the real gateway or drop them.
In addition to the above well-known attacks, there are other attacks such as Layer 2-based broadcasting, Denial of Service (DoS), and MAC cloning.
In the broadcasting attack, the attacker sends spoofed ARP replies to the hosts on the network. These ARP replies set the MAC address of the default gateway to the broadcast address. This causes all of the outbound traffic to be broadcast, enabling sniffing by an attacker sitting on the same Ethernet. This type of attack also affects the network capacity.
In Layer 2-based DoS attacks, the attacker updates the ARP caches of hosts in the network with non-existent MAC addresses. The MAC address of each network interface card in a network is supposed to be globally unique. However, it can easily be changed by enabling MAC cloning. The attacker disables the target host through a DoS attack and then uses the IP and MAC addresses of the targeted host.
The attacker executes these attacks in order to launch higher-level attacks that jeopardize the security of information traveling on the network. The attacker can intercept all the frames and read the frame data, can act as a man-in-the-middle and modify data or simply drop the frames, leading to DoS, and can hijack an ongoing session between the target host and other machines and communicate wrong information altogether.
We discussed some widely known attacks at the data link layer in the previous section. Several methods have been developed to mitigate these types of attacks. Some of the important methods are −
Port security is a layer 2 security feature available on intelligent Ethernet switches. It involves tying a physical port of a switch to a specific MAC address or addresses. Anyone can access an unsecured network by simply connecting a host to one of the available switch ports. Port security, however, can secure layer 2 access.
By default, port security limits the ingress MAC address count to one. However, it is possible to allow more than one authorized host to connect from that port through configuration. The allowed MAC addresses per interface can be statically configured. A convenient alternative is to enable "sticky" MAC address learning, where MAC addresses are dynamically learned by the switch port until the maximum limit for the port is reached.
To ensure security, the reaction to a change in the specified MAC address(es) on a port, or to excess addresses on a port, can be controlled in many different ways. The port can be configured to shut down, or to block the MAC addresses that exceed the specified limit. The recommended best practice is to shut down the port. Port security prevents MAC flooding and cloning attacks.
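The following is an added example, not code from the original tutorial. It simulates the fixed-size CAM table described in the MAC flooding section above and the port security limit described here, so the two can be compared on the same traffic: on an unsecured port, a stream of bogus source MACs fills the table and a later host's traffic is flooded to every port; with a per-port MAC limit and the recommended "shutdown" violation action, the port is disabled on the second address and the table stays intact. The capacity, port numbers and MAC addresses are constructed for illustration.

```python
"""Learning switch with a fixed-size CAM table, with and without port security.

Added example; CAM_CAPACITY, port numbers and MAC addresses are constructed.
"""
from collections import OrderedDict

CAM_CAPACITY = 8   # real tables hold thousands of entries; kept small for the sample


class Switch:
    """Minimal learning switch: CAM maps MAC -> port and has a fixed capacity."""

    def __init__(self, ports, port_security=None):
        self.ports = list(ports)
        self.cam = OrderedDict()                   # learned MAC -> port
        self.port_security = port_security or {}   # port -> max allowed MACs
        self.shutdown = set()                      # ports disabled after a violation

    def ingress(self, port, src_mac):
        """Learn src_mac on port; returns 'learned', 'violation' or 'dropped'."""
        if port in self.shutdown:
            return "dropped"
        if port in self.port_security and src_mac not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.port_security[port]:
                self.shutdown.add(port)            # violation action: shut the port down
                return "violation"
        if src_mac not in self.cam and len(self.cam) >= CAM_CAPACITY:
            return "dropped"                       # table full: nothing new is learned
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac, in_port):
        """Ports a frame for dst_mac is sent out of."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        # unknown destination: flood out every other port, i.e. hub-like behaviour
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def flood_unsecured(n_fake):
    """Unsecured port 3 receives n_fake bogus source MACs; returns the egress
    ports for a frame addressed to a host that arrived after the table filled."""
    sw = Switch(ports=[1, 2, 3])
    sw.ingress(1, "aa:aa:aa:aa:aa:01")             # legitimate host on port 1
    for i in range(n_fake):
        sw.ingress(3, f"de:ad:be:ef:00:{i:02x}")   # constructed bogus addresses
    sw.ingress(2, "bb:bb:bb:bb:bb:02")             # cannot be learned: table is full
    return sw.forward("bb:bb:bb:bb:bb:02", in_port=1)


def flood_secured(n_fake):
    """Same traffic with port security (max 1 MAC) on port 3.
    Returns (per-frame results on port 3, egress ports for the host on port 2,
    whether port 3 was shut down)."""
    sw = Switch(ports=[1, 2, 3], port_security={3: 1})
    sw.ingress(1, "aa:aa:aa:aa:aa:01")
    results = [sw.ingress(3, f"de:ad:be:ef:00:{i:02x}") for i in range(n_fake)]
    sw.ingress(2, "bb:bb:bb:bb:bb:02")
    return results, sw.forward("bb:bb:bb:bb:bb:02", in_port=1), 3 in sw.shutdown


if __name__ == "__main__":
    print("unsecured, egress ports:", flood_unsecured(20))
    print("secured:", flood_secured(20)[1:])
```

The simulation does not age out or evict entries, so the first host keeps its entry; the observable effect is that every host learned after the table fills has its traffic flooded, which is what the hub-like mode amounts to.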
We have seen that DHCP spoofing is an attack where the attacker listens for DHCP requests from hosts on the network and answers them with a fake DHCP response before the authorized DHCP response reaches the host.
DHCP snooping can prevent such attacks. DHCP snooping is a switch feature. The switch can be configured to determine which switch ports may respond to DHCP requests. Switch ports are identified as trusted or untrusted ports.
Only ports that connect to an authorized DHCP server are configured as “trusted” and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and may send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.
The port security method can prevent MAC flooding and cloning attacks. However, it does not prevent ARP spoofing. Port security validates the MAC source address in the frame header, but ARP frames contain an additional MAC source field in the data payload, and hosts use this field to populate their ARP cache. Some methods to prevent ARP spoofing are listed as follows.
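The following is an added example, not code from the original tutorial. It applies the trusted/untrusted port rule just described to a constructed sequence of DHCP messages: client messages are forwarded from any port, server messages (OFFER, ACK, NAK) are forwarded only from the trusted port, and a server message arriving on an untrusted port shuts that port down. Recording the client MAC, leased IP and client port from ACKs seen on the trusted port is the usual DHCP snooping binding table, assumed here for illustration; port numbers, MACs and the 192.0.2.0/24 addresses are constructed.

```python
"""DHCP snooping over a constructed DHCP message sequence (added example)."""

# DHCP message types a client sends (requests) and a server sends (responses)
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.shutdown = set()
        self.client_port = {}   # client MAC -> port it was last seen on
        self.bindings = {}      # client MAC -> (leased IP, client port)

    def inspect(self, msg):
        """Return 'forward', 'drop' or 'shutdown' for one DHCP message."""
        port = msg["port"]
        if port in self.shutdown:
            return "drop"
        if port in self.trusted:
            if msg["type"] == "ACK":          # record the lease the real server granted
                self.bindings[msg["chaddr"]] = (msg["yiaddr"],
                                                self.client_port.get(msg["chaddr"]))
            return "forward"
        if msg["type"] in SERVER_MESSAGES:    # server message from an untrusted port
            self.shutdown.add(port)
            return "shutdown"
        if msg["type"] in CLIENT_MESSAGES:
            self.client_port[msg["chaddr"]] = port
            return "forward"
        return "drop"


# Constructed sample: client on port 1, real server on port 24 (trusted),
# an unexpected server answering from port 7.
CLIENT = "02:00:00:00:00:0a"
MESSAGES = [
    {"port": 1, "type": "DISCOVER", "chaddr": CLIENT},
    {"port": 24, "type": "OFFER", "chaddr": CLIENT, "yiaddr": "192.0.2.10"},
    {"port": 1, "type": "REQUEST", "chaddr": CLIENT},
    {"port": 24, "type": "ACK", "chaddr": CLIENT, "yiaddr": "192.0.2.10"},
    {"port": 7, "type": "OFFER", "chaddr": CLIENT, "yiaddr": "192.0.2.200"},
    {"port": 7, "type": "ACK", "chaddr": CLIENT, "yiaddr": "192.0.2.200"},
]


def run_sample():
    """Return (per-message verdicts, binding table, shut-down ports)."""
    snoop = DhcpSnooping(trusted_ports={24})
    verdicts = [snoop.inspect(m) for m in MESSAGES]
    return verdicts, snoop.bindings, snoop.shutdown


if __name__ == "__main__":
    print(run_sample())
```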
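The following is an added example, not code from the original tutorial. It shows the two ARP behaviours discussed above on raw Ethernet+ARP frames: the stateless cache update, where any reply overwrites the entry whether or not a request was sent, beside a switch-side check that compares the sender MAC inside the ARP payload with the frame header's source MAC and with a known IP-to-MAC binding table. That check is what Dynamic ARP Inspection does on switches (typically fed by the DHCP snooping bindings); it is assumed here as the illustrative mitigation. The MAC addresses, IPs and binding table are constructed.

```python
"""ARP reply handling: stateless cache update vs. payload/header and binding
validation (added example; addresses and bindings are constructed)."""
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP reply; used only to construct sample input."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, _mac(sha), IPv4Address(spa).packed,
                       _mac(tha), IPv4Address(tpa).packed)
    return ETH_HDR.pack(_mac(tha), _mac(eth_src), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the header source MAC plus the ARP fields a host keys its cache on."""
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa))}


def naive_cache_update(cache, arp):
    """Stateless behaviour: any reply overwrites the entry, solicited or not."""
    if arp["oper"] == ARP_REPLY:
        cache[arp["spa"]] = arp["sha"]


def inspect_arp(arp, bindings):
    """Reasons to drop the frame; an empty list means it is consistent."""
    reasons = []
    if arp["sha"] != arp["eth_src"]:
        reasons.append("ARP sender MAC differs from frame source MAC")
    bound = bindings.get(arp["spa"])
    if bound is None:
        reasons.append("sender IP has no binding")
    elif bound != arp["sha"]:
        reasons.append("sender IP is bound to a different MAC")
    return reasons


# Constructed sample: gateway 192.0.2.1 and host 192.0.2.10 with known bindings
BINDINGS = {"192.0.2.1": "02:00:00:00:00:01", "192.0.2.10": "02:00:00:00:00:0a"}
HOST = "02:00:00:00:00:0a"
FRAMES = [
    # legitimate reply from the gateway
    build_arp_reply("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1", HOST, "192.0.2.10"),
    # unsolicited reply from another station claiming the gateway's IP
    build_arp_reply("02:00:00:00:00:ff", "02:00:00:00:00:ff", "192.0.2.1", HOST, "192.0.2.10"),
    # payload sender MAC that does not even match the frame header
    build_arp_reply("02:00:00:00:00:ff", "02:00:00:00:00:ee", "192.0.2.1", HOST, "192.0.2.10"),
]


def run_sample():
    """Return (naive cache, cache fed only with inspected frames, drop reasons per frame)."""
    naive, inspected, verdicts = {}, {}, []
    for frame in FRAMES:
        arp = parse_arp(frame)
        naive_cache_update(naive, arp)
        reasons = inspect_arp(arp, BINDINGS)
        verdicts.append(reasons)
        if not reasons:
            naive_cache_update(inspected, arp)
    return naive, inspected, verdicts


if __name__ == "__main__":
    print(run_sample())
```

The third frame is the case the paragraph above singles out: port security on the ingress port would be satisfied by the frame header, while the ARP payload carries a different sender MAC, so only a check that looks inside the payload catches it.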
Spanning Tree Protocol (STP) is a layer 2 link management protocol. The main purpose of STP is to ensure that there are no data flow loops when the network has redundant paths. Generally, redundant paths are built to provide reliability to the network. But they can form deadly loops that can lead to a DoS attack in the network.
In order to provide the desired path redundancy, as well as to avoid a loop condition, STP defines a tree that spans all the switches in a network. STP forces certain redundant data links into a blocked state and keeps other links in a forwarding state.
If a link in the forwarding state breaks down, STP reconfigures the network and redefines data paths by activating the appropriate standby path. STP runs on the bridges and switches deployed in the network. All the switches exchange information for root switch selection and for subsequent configuration of the network. Bridge Protocol Data Units (BPDUs) carry this information. Through the exchange of BPDUs, all the switches in the network elect a root bridge/switch that becomes the focal point of the network and controls the blocked and forwarded links.
Fortunately, the countermeasure to a root takeover attack, in which a device under the attacker's control gets itself elected as the root bridge by sending BPDUs, is simple and straightforward. Switch features that control where BPDUs are accepted help in defeating a root takeover attack.
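The following is an added example, not code from the original tutorial. It models the root election just described (the lowest bridge ID seen in any BPDU wins, comparing priority first and MAC as tie-breaker) and a root-guard style check: a BPDU that would change the root is ignored when it arrives on a port designated as never leading toward the root, and that port is put into the blocking state. Root guard is a commonly available switch feature and is assumed here as the illustrative countermeasure; the bridge IDs, port names and BPDUs are constructed.

```python
"""STP root election from BPDUs with a root-guard style check on edge ports
(added example; bridge IDs, ports and BPDUs are constructed)."""
from typing import List, NamedTuple, Set, Tuple


class BridgeId(NamedTuple):
    priority: int     # lower wins; real switches use multiples of 4096
    mac: str          # tie-breaker, lower MAC wins


class Bpdu(NamedTuple):
    root_id: BridgeId     # the root the sender believes in
    sender_id: BridgeId
    in_port: str          # port on which this switch received it


def elect_root(own_id: BridgeId, bpdus: List[Bpdu]) -> BridgeId:
    """The root is the lowest bridge ID seen; tuples compare priority, then MAC."""
    return min([own_id] + [b.root_id for b in bpdus])


def elect_with_root_guard(own_id: BridgeId, bpdus: List[Bpdu],
                          guarded: Set[str]) -> Tuple[BridgeId, List[str]]:
    """Elect the root while refusing superior BPDUs on guarded (edge) ports.
    Returns the elected root and the ports put into the blocking state."""
    trusted = [b for b in bpdus if b.in_port not in guarded]
    baseline = elect_root(own_id, trusted)      # root according to trusted ports only
    blocked = [b.in_port for b in bpdus if b.in_port in guarded and b.root_id < baseline]
    accepted = [b for b in bpdus if b.in_port not in blocked]
    return elect_root(own_id, accepted), blocked


# Constructed sample: the core switch on the uplink is the intended root; an
# unexpected BPDU with priority 0 shows up on an edge port.
OWN = BridgeId(32768, "00:00:00:00:00:05")
BPDUS = [
    Bpdu(BridgeId(4096, "00:00:00:00:00:01"), BridgeId(4096, "00:00:00:00:00:01"), "Gi0/1"),
    Bpdu(BridgeId(0, "00:00:00:00:00:99"), BridgeId(0, "00:00:00:00:00:99"), "Fa0/10"),
]

if __name__ == "__main__":
    print("without guard:", elect_root(OWN, BPDUS))
    print("with guard:", elect_with_root_guard(OWN, BPDUS, {"Fa0/10"}))
```

Without the guard the priority-0 BPDU on the edge port wins the election; with the edge port guarded, the core switch stays root and the edge port is blocked instead.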
In local networks, Virtual Local Area Networks (VLANs) are sometimes configured as a security measure to limit the number of hosts susceptible to layer 2 attacks. VLANs create network boundaries over which broadcast (ARP, DHCP) traffic cannot cross.
A network employing switch(es) with VLAN capabilities can be configured to define multiple VLANs over a single physical LAN infrastructure.
The common form of VLAN is the port-based VLAN. In this VLAN structure, the switch ports are grouped into VLANs using the switch management software. Thus a single physical switch can act as multiple virtual switches.
Employment of VLANs provides traffic isolation. It divides a large broadcast layer 2 network into smaller logical layer 2 networks and thus reduces the scope of attacks such as ARP/DHCP spoofing. Data frames of one VLAN can move only from/to ports belonging to the same VLAN. Forwarding of frames between two VLANs is done through routing.
VLANs generally span multiple switches, as shown in the diagram above. The link between trunk ports carries frames of all VLANs defined over the multiple physical switches. Hence, VLAN frames forwarded between switches cannot be plain IEEE 802.1 Ethernet format frames. Since these frames move on the same physical link, they now need to carry VLAN ID information. The IEEE 802.1Q protocol adds/removes additional header fields to plain Ethernet frames forwarded between trunk ports.
When the field following the two MAC address fields is 0x8100 (> 1500), the frame is identified as an 802.1Q frame. The value of the 2-byte Tag Protocol Identifier (TPID) is 81-00. The TCI field contains 3-bit priority information, a 1-bit Drop Eligible Indicator (DEI), and a 12-bit VLAN ID. The 3-bit priority field and the DEI field are not relevant to VLANs; the priority bits are used for provision of quality of service.
When a frame does not belong to any VLAN, there is a default VLAN ID with which the frame is considered to be associated.
In a VLAN hopping attack, an attacker on one VLAN can gain access to the traffic on other VLANs that would normally not be accessible. It bypasses the layer 3 device (router) when communicating from one VLAN to another, thus defeating the purpose of VLAN creation.
VLAN hopping can be performed by two methods: switch spoofing and double tagging.
Switch spoofing can occur when the switch port to which the attacker is connected is either in ‘trunking’ mode or ‘auto-negotiation’ mode. The attacker acts as a switch and adds 802.1Q encapsulation headers with VLAN tags for the target remote VLANs to its outgoing frames. The receiving switch interprets those frames as sourced from another 802.1Q switch, and forwards the frames into the target VLAN.
The two preventive measures against switch spoofing attacks are to set edge ports to static access mode and to disable auto-negotiation on all ports.
In the double tagging attack, an attacker connected on a native VLAN port of the switch prepends two VLAN tags in the frame header. The first tag is of the native VLAN and the second is for the target VLAN. When the first switch receives the attacker’s frames, it removes the first tag because frames of the native VLAN are forwarded without a tag on the trunk port.
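The following is an added example, not code from the original tutorial. It parses the 802.1Q header layout given above (TPID 0x8100 followed by a TCI of 3-bit PCP, 1-bit DEI and 12-bit VLAN ID, possibly repeated for a double-tagged frame) and applies the policy for an access port that the switch spoofing and double tagging sections imply: frames on an access port are expected untagged, and a frame carrying one or two tags is dropped and reported. The MAC addresses, VLAN IDs and payload are constructed.

```python
"""IEEE 802.1Q tag parsing, including double-tagged frames, with an access-port
policy check (added example; addresses, VLAN IDs and payload are constructed)."""
import struct

TPID_8021Q = 0x8100


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, vids, ethertype, payload, pcp=0, dei=0):
    """Construct a frame with zero or more 802.1Q tags (sample input only)."""
    out = _mac(dst) + _mac(src)
    for vid in vids:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the header: every 0x8100 after the MAC addresses introduces a 4-byte tag."""
    dst, src = struct.unpack_from("!6s6s", frame, 0)
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    # a value of 1500 or less is an 802.3 length field rather than an EtherType
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": etype, "is_length": etype <= 1500, "payload": frame[off:]}


def access_port_policy(frame):
    """Frames on an access (edge) port should arrive untagged; anything else is dropped."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "accept"
    if len(tags) >= 2:
        return "drop: double-tagged frame on access port"
    return "drop: tagged frame on access port"


# Constructed samples: an untagged frame, one tagged for VLAN 10 with priority 5,
# and one with an outer native-VLAN tag (1) and an inner tag for VLAN 20.
SRC, DST, PAYLOAD = "02:00:00:00:00:0a", "02:00:00:00:00:01", b"\x45" + bytes(19)
UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
SINGLE = build_frame(DST, SRC, [10], 0x0800, PAYLOAD, pcp=5)
DOUBLE = build_frame(DST, SRC, [1, 20], 0x0800, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)):
        print(name, parse_frame(f)["tags"], access_port_policy(f))
```

Besides dropping tagged frames on access ports, the usual hardening against the double tagging case is to keep access ports off the native VLAN and to have trunks tag native-VLAN frames as well, so the outer tag is never silently stripped.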
A wireless local area network is a network of wireless nodes within a limited geographic area, such as an office building or a school campus. The nodes are capable of radio communication.
A wireless LAN is usually implemented as an extension of an existing wired LAN to provide network access with device mobility. The most widely implemented wireless LAN technologies are based on the IEEE 802.11 standard and its amendments.
The two major components in a wireless LAN are −
Many organizations have implemented wireless LANs. These networks are growing phenomenally. It is therefore important to understand the threats in wireless LANs and learn the common preventive measures to ensure network security.
The typical attacks that are carried out on a wireless LAN are −
Security measures provide means to defeat attacks and manage risks to the networks. These are network management, operational, and technical measures. We describe below the technical measures adopted to ensure confidentiality, availability, and integrity of data transmitted through wireless LANs.
In wireless LANs, all APs should be configured to provide security through encryption and client authentication. The types of schemes used in wireless LANs to provide security are as follows −
WEP (Wired Equivalent Privacy) is an encryption algorithm built into the 802.11 standard to secure wireless networks. WEP encryption uses the RC4 (Rivest Cipher 4) stream cipher with 40-bit/104-bit keys and a 24-bit initialization vector. It can also provide endpoint authentication.
It is, however, the weakest encryption security mechanism, as a number of flaws have been discovered in WEP encryption. WEP also does not have an authentication protocol. Hence, the use of WEP is not highly recommended.
In the 802.11i/WPA protocol, several stronger types of encryption are possible. It was developed to replace the weak WEP scheme. It provides a key distribution mechanism. It supports one key per station, and does not use the same key for all. It uses an authentication server separate from the access point.
IEEE 802.11i mandates the use of a protocol named Counter mode with CBC-MAC Protocol (CCMP). CCMP provides confidentiality and integrity of the data transferred and authenticity of the sender. It is based on the Advanced Encryption Standard (AES) block cipher.
The IEEE 802.11i protocol has four phases of operation.
WPA also includes a sound message integrity check, replacing the Cyclic Redundancy Check (CRC) that was used by the WEP standard.
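The following is an added example, not code from the original tutorial, illustrating why a CRC cannot serve as a message integrity check and a keyed one can. CRC-32 is affine over XOR, so the check value of a modified message can be derived from the original check value and the modification alone, with no key and without even knowing the message; a keyed MIC has no such property, and the original tag simply stops verifying once the message changes. HMAC-SHA256 stands in for a keyed MIC here; it is not the MIC that WPA uses. The message, key and modification are constructed.

```python
"""Unkeyed CRC-32 vs. a keyed message integrity check (added example;
message, key and modification are constructed; HMAC-SHA256 is a stand-in MIC)."""
import hashlib
import hmac
import zlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc_of_modified(original_crc, delta):
    """CRC-32 of (msg XOR delta), computed from the CRC of msg alone.
    CRC is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0) for
    equal-length inputs, so no key and no knowledge of m is needed."""
    zeros = bytes(len(delta))
    return original_crc ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def crc_check_is_linear(msg, delta):
    """True when the blindly adjusted CRC equals the real CRC of the changed message."""
    return crc_of_modified(zlib.crc32(msg), delta) == zlib.crc32(xor_bytes(msg, delta))


def keyed_mic(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def mic_survives_change(key, msg, delta):
    """True if the MIC of the original message still verifies the changed one.
    With a keyed MIC any change invalidates the tag, and there is no key-free
    adjustment corresponding to crc_of_modified()."""
    return hmac.compare_digest(keyed_mic(key, msg), keyed_mic(key, xor_bytes(msg, delta)))


# Constructed sample: the change flips one byte so that "100" reads "900"
MSG = b"amount=100;to=alice"
DELTA = bytes(7) + bytes([ord("1") ^ ord("9")]) + bytes(len(MSG) - 8)
KEY = b"constructed-shared-secret"

if __name__ == "__main__":
    print("modified message:", xor_bytes(MSG, DELTA))
    print("CRC adjustable without key:", crc_check_is_linear(MSG, DELTA))
    print("keyed MIC still verifies:", mic_survives_change(KEY, MSG, DELTA))
```

This linearity is the property that makes a CRC unsuitable as an integrity check on its own, and it is the reason the replacement had to be a keyed function.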
In this chapter, we considered attacks and mitigation techniques assuming a switched Ethernet network running IP. If your network does not use Ethernet as the layer 2 protocol, some of these attacks may not be applicable, but chances are that such a network is vulnerable to different types of attacks.
Security is only as strong as the weakest link. When it comes to networking, layer 2 can be a very weak link. The layer 2 security measures described in this chapter go a long way toward protecting a network from many types of attacks.