04 - Data Link Layer Security (DLS).pdf

Full Transcript

CY 343
Network Security

Data Link Layer Security (DLS)

Dr. Qasem Abu Al-Haija,
Department of Cybersecurity, PSUT
Data Link Layer –
Revisited
 Data Link Layer (DL) - Revisit
2nd layer of the TCP/IP model; an intermediary between:
―Phy. Layer (actual transmission of raw bits) and
―Net. Layer (routing & addressing data across different networks).

It ensures reliable, error-free communication within a local
network segment and supports higher-level protocols and apps.

The main responsibilities of the DL Layer include:
―Framing, Physical Addressing, Media Access Control (MAC), Error
Detection and Correction, Flow Control, and Logical Link Control (LLC).
 Data Link Layer
The need for a Data Link layer

1.Communication circuits make errors occasionally.
2.Communication circuits have a limited data rate.

(LLC Sublayer)

(MAC Sublayer)

While both sublayers are integral parts of DL_Layer,
cyberattacks commonly target the MAC sublayer.
 Logical Link Control (LLC) Sublayer
It's important to note that attacks at LLC sublayer are often intertwined
with attacks targeting other layers of the networking stack.

While attacks specifically targeting LLC sublayer are less common,
some attacks can impact or exploit vulnerabilities at this layer:
― LLC Spoofing: forging LLC frames or manipulating LLC header.

― LLC DoS: Overwhelming LLC layer with a high volume of traffic.

― LLC Exploitation: Exploit weaknesses in implementing specific LLC
protocols to perform several malicious activities.
MAC Basics
 Multiple Access Links and Protocols
Three types of “links”:

❑ Point-to-point (single wire, e.g., PPP)

❑ Broadcast (shared wire or medium, e.g., Ethernet, Wavelan, etc.)

❑ Switched (e.g., switched Ethernet, ATM etc.)
 Multiple Access protocols
❑ Single shared communication channel

❑ Two or more simultaneous transmissions by nodes: interference
— Only one node can send successfully at a time

❑ Multiple Access protocol:
— Distributed algorithm that determines how stations share channel,
i.e., determine when the station can transmit
— Communication about channel sharing must use the channel itself!
— What to look for in multiple access protocols:
Synchronous or asynchronous
Information needed about other stations
Robustness (e.g., to channel errors)
Performance
 MAC Protocols: a taxonomy
Three broad classes:
❑ Channel Partitioning
― TDMA: time division multiple access
― FDMA: frequency division multiple access
― CDMA (Code Division Multiple Access) Read!

❑ Random Access
― Allow collisions
― “Recover” from collisions
― Examples: Slotted ALOHA, ALOHA, CSMA, CSMA/CD

❑ “Taking Turns.”
― Tightly coordinate shared access to avoid collisions
― Examples: Polling, Token-Passing

Goal: efficient, fair, simple, decentralized
 LAN Addresses and ARP
32-bit IP address:
❑ Network-layer address

❑ Used to get a datagram to the destination network (recall

IP network definition)

LAN (or MAC or physical) address:
❑ Used to get a datagram from one interface to another

physically-connected interface (same network)

❑ 48-bit MAC address (for most LANs) burned in the adapter

ROM
 LAN Addresses and ARP
Each adapter on LAN has unique LAN address
 LAN Address (more)
❑ MAC address allocation administered by IEEE

❑ Manufacturer buys a portion of MAC address space (to
assure uniqueness)

❑ Analogy:
(a) MAC address: like Social Security Number
(b) IP address: like postal address

❑ MAC flat address ⟹ portability
— Can move LAN card from one LAN to another

❑ IP hierarchical address NOT portable
— Depends on the network to which one attaches
 Recall Earlier Routing Discussion
Starting at A, given the IP A 223.1.1.1
datagram addressed to B:
223.1.2.1
Look up net. address of B, find B 223.1.1.2
on the same net. as A 223.1.1.4 223.1.2.9
B
Link layer sends the datagram 223.1.2.2
223.1.1.3 223.1.3.27 E
to B inside the link-layer frame
223.1.3.1 223.1.3.2

Frame source, Datagram source,
dest address dest address

B’s MAC A’s MAC A’s IP B’s IP
IP payload
addr addr addr addr

Datagram
Frame
ARP Protocol (Address Resolution Protocol)
❑ Enables network communications to reach a specific device on the network.
― ARP translates IP addresses to MAC addresses and vice versa.
― Hosts maintain an ARP cache, a mapping table between IP and MAC addresses, to
connect to destinations on the network.
― If the host doesn’t know the MAC address for a certain IP address, it sends out an ARP
request packet, asking other machines on the network for the matching MAC address.

❑ The ARP protocol was not designed for security.
― It does not verify that a response to an ARP request really comes from an authorized party.
― It allows hosts to accept ARP responses even if they never sent out a request.
― This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks.

❑ ARP only works with 32-bit IP addresses in the older IPv4 standard.
― Newer IPv6 protocol uses a different protocol, Neighbor Discovery Protocol (NDP),
which is secure and uses cryptographic keys to verify host identities.
― However, since most of the Internet still uses the older IPv4 protocol, ARP remains
widely used.
 ARP: Address Resolution Protocol

Question: how to determine ▪ Each IP node (Host, Router)
MAC address of B on LAN has an ARP module,
given B’s IP address? table
▪ ARP Table: IP/MAC address
mappings for some LAN
nodes
< IP address; MAC address; TTL>
< ………………………….. >
❑ TTL (Time To Live): Time after
which address mapping will be
forgotten (typically 20 min)
ARP protocol
❑ A knows B's IP address and wants to learn the physical
address of B

❑ A broadcasts ARP query pkt, containing B’s IP address
― All machines on LAN receive ARP query

❑ B receives the ARP packet and replies to A with its (B's)
physical layer address

❑ A caches (saves) IP-to-physical address pairs until
information becomes old (times out)
― Soft state: information that times out (goes away) unless refreshed
 Routing to another LAN
Walkthrough: routing from A to B via R

A

R
B

In the routing table at the source Host, find router 111.111.111.110

In the ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
▪ A creates an IP packet with source A, destination B
▪ A uses ARP to get R’s physical layer address for 111.111.111.110
▪ A creates an Ethernet frame with R’s physical address as dest,
Ethernet frame contains A-to-B IP datagram
▪ A’s data link layer sends an Ethernet frame
▪ R’s data link layer receives an Ethernet frame
▪ R removes IP datagram from Ethernet frame, sees it destined to B
▪ R uses ARP to get B’s physical layer address
▪ R creates frame containing A-to-B IP datagram sends to B

A

R
B
Common Attacks Over
MAC Layer
 MAC Flooding Attack
❑ Problem: an attacker can cause the learning table to fill
o Generate many packets to varied (perhaps nonexistent) MAC addresses

❑ This harms efficiency
o Effectively transforms switch into hub
o Wastes bandwidth, end host CPU

❑ This harms privacy
o The attacker can eavesdrop by preventing the switch from learning the
destination of a flow

❑ Similarly, DHCP can be flooded with bogus IP “address
accepted by host” responses, deny IP connectivity to devices
MAC Flooding Attack: How Does it work
❑ An attacker floods a switch's MAC address table by sending
numerous fake Ethernet frames with different source MAC
addresses and the same destination MAC address.
― This aims to overload the table, forcing the switch into a fail-open
mode, which can lead to security vulnerabilities.
 MAC Flooding Attack: How Does it work
❑ The switch adds MAC addresses to its MAC Address Table as
it learns them. However, when an attacker sends numerous
fake addresses, the table quickly fills up.
― To succeed, the attacker must use many different MAC addresses;
otherwise, the table might not overflow if it can hold all the
addresses used.
 MAC Flooding Attack: How Does it work
❑ When the MAC address table is full, the switch enters a
“fail-open” mode, forwarding frames to all ports instead of
using the table to determine the correct port.
― Which causes network congestion and can disrupt network
communication.
 MAC Flooding Attack: How Does it work
❑ Once the attacker forces the switch into fail-open mode,
they can send frames to any device on the network,
― Potentially disrupting communications and intercepting sensitive info.
― The success of this attack depends on other network security
measures, such as packet encryption.
 MAC Spoofing Attack
❑ Host pretends to own the MAC address of another host

o Easy to do: most Ethernet adapters allow modifying their address.

o Powerful: can immediately cause complete DoS to spoofed host

– All learning table entries switch to point to the attacker

– All traffic redirected to the attacker

– Can enable the attacker to evade ACLs set based on MAC info.
MAC Spoofing Attack: How Does it Work
❑ The attacker monitors network traffic to identify a legitimate
device on the network that he wants to impersonate.
― This could be a device with elevated privileges or access to sensitive information
 MAC Spoofing Attack: How Does it Work
❑ The attacker spoofs MAC address of a legitimate device
and connects to the network,
― Can impersonate the device and potentially access its privileges or
sensitive information.
 MAC Spoofing Attack: How Does it Work
❑ By impersonating a legitimate device, the attacker can intercept
and modify network traffic intended for that device, allowing
them to read or alter the data in the frames.
 MAC Spoofing Attack: How Does it Work
❑ The attacker can also use this access to legitimate devices to
launch further attacks on other devices on the network.
― Injecting malicious code,
― Performing man-in-the-middle attacks,
― Trying to elevate device privileges,
― Gaining user access to servers or other machines and so on

❑ MAC Flooding and MAC Spoofing can be used in sequence.
― Success with one method can enable the attacker to use the other,
depending on their objectives for intercepting network traffic.
Countermeasures for MAC Flooding/Spoofing
❑ Network Access Control/MAC Address Filtering.
― Allowing only authorized devices and requiring mandatory authentication
before devices can join the network.

❑ Port security/VLANs.
― Port security limits the number of MAC addresses learned on a specific port,
― VLANs isolate sensitive traffic within a virtual network to protect it from
unauthorized devices.

❑ IDS/IPS systems
― Network administrators should also be aware of correctly configuring all
switches inside their networks, as it can be life-saving.
 ARP Spo o fing Attack (ARP Poisoning)
A type of MitM attack that allows attackers to intercept communication
between network devices

1. The attacker must have access to the network.
They scan the network to determine the IP
addresses of at least two devices (a workstation
and a router).

2. Attacker uses a spoofing tool (Arpspoof or
Driftnet) to send out forged ARP responses.

3. The forged responses mislead both devices
into believing the attacker's MAC address is
associated with both IP addresses.

4. The devices update their ARP cache to communicate with the attacker instead of directly
with each other.

5. The attacker is now secretly in the middle of all communications (intercepts and
manipulates all communications between the devices).
 ARP Spo o fing Atta ck (ARP Poisoning)

Host B
Host A 10.0.0.1 10.0.0.3
MAC: 0000:9f1e MAC:
0000:ccab

IP MAC Gratuitous ARP:
“My MAC is Attacker
10.0.0.3 0000:7ee5 0000:7ee5 and I 10.0.0.6
have IP address MAC:
10.0.0.3”
0000:7ee5

Attacker sends fake unsolicited ARP replies
– The attacker can intercept forward-path traffic
– Can intercept reverse-path traffic by repeating attacks for source
– Gratuitious ARPs make this easy
– Only works within the same subnet/VLAN

Source: M. Caesar (UIUC)
 ARP Spo o fing Attack (ARP Poisoning)
Once the attacker succeeds in an ARP spoofing attack, he can:

Continue routing the communications as-is
― the attacker can sniff the packets and steal data, except if transferred
over an encrypted channel like HTTPS.

Perform session hijacking
― if the attacker obtains a session ID, they can gain access to accounts the
user is currently logged into.

Alter communication
― for example, pushing a malicious file or website to the workstation.

DDoS
― the attackers can provide the MAC address of a server they wish to
attack with DDoS instead of their own machine.
― If they do this for a large number of IPs, the target server will be
bombarded with traffic.
Co unte rm e as ure s to ARP Spo o fing
❑ Ignore Gratuitous ARP
o By ignoring these unsolicited ARP messages, a device can prevent
potentially malicious updates to its ARP table, which helps reduce the
risk of being misled by spoofed ARP responses.

❑ Dynamic ARP Inspection (DAI)
o Switches record mappings learned from DHCP
messages, drop all mismatching ARP replies

❑ Intrusion detection systems (IDS)
o Monitor all mappings, signal alarms

❑ VLANs
o Partition Ethernet networks into “virtual” LANs that are disjoint
from each other
Final Remarks
❑ MAC protocols control access to physical network

resources for multiple clients (wired and wireless)

❑ Protocols not designed with security in mind

❑ Spoofing, flooding attacks possible against Ethernet,

802.11 networks

❑ Devices can be fingerprinted based on MAC layer

characteristics
Network Access
Control
 Network Access
Control (NAC)
An umbrella term for managing access to a network

NAC: The process of authenticating users/entities
logging into the network and determining what data
they can access and what actions they can perform

Also examines the health of the user’s computer or
mobile device
 Outline

Network Access Control
Elements of a Network Access Control System
Network Access Enforcement Methods

Extensible Authentication Protocol (EAP)
Authentication Methods, EAP Exchanges

IEEE 802.1X Port-Based Network Access Control
NAC systems deal with three
categories of components:
Access requester (AR) Policy server Network access server (NAS)
Node that is attempting to Determines what Functions as an access
access the network and may access should be control point for users in
be any device that is granted to the AR remote locations connecting
managed by the NAC Often relies on to an enterprise’s internal
system, including backend systems to network
workstations, servers, help determine the Also called a media gateway,
printers, cameras, and other AR’s remote access server (RAS), or
IP-enabled devices condition/health policy server
Also referred to as May include its own
supplicants, or clients authentication services or
rely on a separate
authentication service from
the policy server
 Health checks

Aka suitability, screening, or assessment checks

The policy server or a supporting server will perform
checks on the AR to determine if it should be
permitted interactive remote access connectivity.

These checks require software on the user’s system
to verify compliance with certain requirements from
the organization’s secure configuration baseline.
 Network Access
Enforcement Methods
The actions that are applied to ARs to regulate access
to the enterprise network
Many vendors support multiple enforcement methods
simultaneously, allowing the customer to tailor the
configuration by using one or a combination of methods

Common NAC enforcement methods:

IEEE 802.1X
Virtual local area networks (VLANs)
Firewall
DHCP management
 Extensible Authentication
Protocol (EAP)
EAP (RFC 3748) provides a generic transport service for
the exchange of authentication information between a
client system and an authentication server.

The basic EAP transport service is extended by using a
specific authentication protocol that is installed in both
the EAP client and the authentication server.

Commonly supported EAP methods:

EAP Transport Layer Security
EAP Tunneled TLS
EAP Generalized Pre-Shared Key
EAP-IKEv2
EAP applicability
 EAP Layering

EAP is extensible; that is,
it can encapsulate various
authentication methods
to be used between a
client and an
authentication server.

It can operate over a
variety of network and
link level facilities,
including point-to-point
links, LANs, and other
networks.
 Pass-through
authenticator
When operating as a "pass-through authenticator", an
authenticator performs checks on the Code, Identifier,
and Length fields.

It forwards EAP packets received from the peer and
destined to its authenticator layer to the backend
authentication server; packets received from the
backend authentication server destined to the peer are
forwarded to it.
 IEEE 802.1x
an IEEE Standard for port-based Network Access
Control (PNAC).

It provides an authentication mechanism to devices wishing to
attach to a LAN or a WLAN.

It is part of the IEEE 802.1 group of networking protocols.

IEEE 801.1x EAP
Supplicant Peer
Network access point Authenticator
Authentication server Authentication server
 IEEE 802.1x
Authentication of supplicants:
Until the AS authenticates a supplicant, the authenticator only passes control and
authentication messages between the supplicant and the AS; the 802.1X control
channel is unblocked, but the 802.1X data channel is blocked.
Once a supplicant is authenticated and keys are provided, the authenticator can
forward data from the supplicant. Under these circumstances, the data channel is
unblocked.

The essential element defined in 802.1X is a protocol known as EAPOL (EAP
over LAN).
EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as
Ethernet or Wi-Fi, at the link level.
EAPOL enables a supplicant to communicate with an authenticator and supports the
exchange of EAP packets for authentication.
 An uncontrolled port allows the exchange of protocol data units (PDUs) between
the supplicant and the AS, regardless of the authentication state of the supplicant.

A controlled port allows the exchange of PDUs between a supplicant and other
systems on the network only if the current state of the supplicant authorizes such
an exchange.
 Source: https://en.wikipedia.org/wiki/IEEE_802.1X

EAP data is first encapsulated in EAPOL frames between the Supplicant and
Authenticator, then re-encapsulated between the Authenticator and the
Authentication server using RADIUS or Diameter.

Recall Figure 5.3
 IEEE 802.1X-2020: IEEE Standard for Local and Metropolitan Area
Networks--Port-Based Network Access Control

Source: https://standards.ieee.org/ieee/802.1X/7345/

Port-based network access control allows a network administrator to
restrict the use of IEEE 802(R) LAN service access points (ports) to
secure communication between authenticated and authorized devices.

This standard specifies a common architecture, functional elements, and
protocols that support mutual authentication between the clients of ports
attached to the same LAN and that secure communication between the
ports, including the media access method independent protocols that are
used to discover and establish the security associations used by IEEE
802.1AE MAC Security.
 Table 5.1

Terminology
Related to
IEEE 802.1X

(Table can be found on page 152 in textbook)
The EAPOL packet format includes the following fields:

Protocol version: version of EAPOL.

Packet type: indicates start, EAP, key, logoff, etc.

Packet body length: If the packet includes a body, this field indicates the body
length.

Packet body: The payload for this EAPOL packet. An example is an EAP packet.

Table 5.2 Common EAPOL Frame/Packet Types
 Sequence diagram of the 802.1X progression
(Source: https://en.wikipedia.org/wiki/IEEE_802.1X)
 Summary
Network access control
Elements of a network access control system
Network access enforcement methods

Extensible authentication protocol
Authentication methods
EAP exchanges
IEEE 802.1X port-based network access control