Data Link Layer Security (DLS) PDF
Document Details
Uploaded by NicerSloth1430
PSUT
Dr. Qasem Abu Al-Haija
Tags
Summary
These lecture notes cover Data Link Layer Security (DLS) for a CY 343 Network Security course at PSUT. The document discusses the Data Link Layer, its role in the TCP/IP model, its key responsibilities, and common attacks targeting the MAC sublayer. It also presents a discussion of multiple access protocols for communication channels and related terminologies, such as ARP (Address Resolution Protocol) and MAC Spoofing Attacks.
Full Transcript
CY 343 Network Security Data Link Layer Security (DLS) Dr. Qasem Abu Al-Haija, Department of Cybersecurity, PSUT Data Link Layer – Revisited Data Link Layer (DL) - Revisit 2nd layer of the TCP/IP model; an intermediary between: ―Phy. Layer (actual transmis...
CY 343 Network Security Data Link Layer Security (DLS) Dr. Qasem Abu Al-Haija, Department of Cybersecurity, PSUT Data Link Layer – Revisited Data Link Layer (DL) - Revisit 2nd layer of the TCP/IP model; an intermediary between: ―Phy. Layer (actual transmission of raw bits) and ―Net. Layer (routing & addressing data across different networks). It ensures reliable, error-free communication within a local network segment and supports higher-level protocols and apps. The main responsibilities of the DL Layer include: ―Framing, Physical Addressing, Media Access Control (MAC), Error Detection and Correction, Flow Control, and Logical Link Control (LLC). Data Link Layer The need for a Data Link layer 1.Communication circuits make errors occasionally. 2.Communication circuits have a limited data rate. (LLC Sublayer) (MAC Sublayer) While both sublayers are integral parts of DL_Layer, cyberattacks commonly target the MAC sublayer. Logical Link Control (LLC) Sublayer It's important to note that attacks at LLC sublayer are often intertwined with attacks targeting other layers of the networking stack. While attacks specifically targeting LLC sublayer are less common, some attacks can impact or exploit vulnerabilities at this layer: ― LLC Spoofing: forging LLC frames or manipulating LLC header. ― LLC DoS: Overwhelming LLC layer with a high volume of traffic. ― LLC Exploitation: Exploit weaknesses in implementing specific LLC protocols to perform several malicious activities. MAC Basics Multiple Access Links and Protocols Three types of “links”: ❑ Point-to-point (single wire, e.g., PPP) ❑ Broadcast (shared wire or medium, e.g., Ethernet, Wavelan, etc.) ❑ Switched (e.g., switched Ethernet, ATM etc.) Multiple Access protocols ❑ Single shared communication channel ❑ Two or more simultaneous transmissions by nodes: interference — Only one node can send successfully at a time ❑ Multiple Access protocol: — Distributed algorithm that determines how stations share channel, i.e., determine when the station can transmit — Communication about channel sharing must use the channel itself! — What to look for in multiple access protocols: Synchronous or asynchronous Information needed about other stations Robustness (e.g., to channel errors) Performance MAC Protocols: a taxonomy Three broad classes: ❑ Channel Partitioning ― TDMA: time division multiple access ― FDMA: frequency division multiple access ― CDMA (Code Division Multiple Access) Read! ❑ Random Access ― Allow collisions ― “Recover” from collisions ― Examples: Slotted ALOHA, ALOHA, CSMA, CSMA/CD ❑ “Taking Turns.” ― Tightly coordinate shared access to avoid collisions ― Examples: Polling, Token-Passing Goal: efficient, fair, simple, decentralized LAN Addresses and ARP 32-bit IP address: ❑ Network-layer address ❑ Used to get a datagram to the destination network (recall IP network definition) LAN (or MAC or physical) address: ❑ Used to get a datagram from one interface to another physically-connected interface (same network) ❑ 48-bit MAC address (for most LANs) burned in the adapter ROM LAN Addresses and ARP Each adapter on LAN has unique LAN address LAN Address (more) ❑ MAC address allocation administered by IEEE ❑ Manufacturer buys a portion of MAC address space (to assure uniqueness) ❑ Analogy: (a) MAC address: like Social Security Number (b) IP address: like postal address ❑ MAC flat address ⟹ portability — Can move LAN card from one LAN to another ❑ IP hierarchical address NOT portable — Depends on the network to which one attaches Recall Earlier Routing Discussion Starting at A, given the IP A 223.1.1.1 datagram addressed to B: 223.1.2.1 Look up net. address of B, find B 223.1.1.2 on the same net. as A 223.1.1.4 223.1.2.9 B Link layer sends the datagram 223.1.2.2 223.1.1.3 223.1.3.27 E to B inside the link-layer frame 223.1.3.1 223.1.3.2 Frame source, Datagram source, dest address dest address B’s MAC A’s MAC A’s IP B’s IP IP payload addr addr addr addr Datagram Frame ARP Protocol (Address Resolution Protocol) ❑ Enables network communications to reach a specific device on the network. ― ARP translates IP addresses to MAC addresses and vice versa. ― Hosts maintain an ARP cache, a mapping table between IP and MAC addresses, to connect to destinations on the network. ― If the host doesn’t know the MAC address for a certain IP address, it sends out an ARP request packet, asking other machines on the network for the matching MAC address. ❑ The ARP protocol was not designed for security. ― It does not verify that a response to an ARP request really comes from an authorized party. ― It allows hosts to accept ARP responses even if they never sent out a request. ― This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks. ❑ ARP only works with 32-bit IP addresses in the older IPv4 standard. ― Newer IPv6 protocol uses a different protocol, Neighbor Discovery Protocol (NDP), which is secure and uses cryptographic keys to verify host identities. ― However, since most of the Internet still uses the older IPv4 protocol, ARP remains widely used. ARP: Address Resolution Protocol Question: how to determine ▪ Each IP node (Host, Router) MAC address of B on LAN has an ARP module, given B’s IP address? table ▪ ARP Table: IP/MAC address mappings for some LAN nodes < IP address; MAC address; TTL> < ………………………….. > ❑ TTL (Time To Live): Time after which address mapping will be forgotten (typically 20 min) ARP protocol ❑ A knows B's IP address and wants to learn the physical address of B ❑ A broadcasts ARP query pkt, containing B’s IP address ― All machines on LAN receive ARP query ❑ B receives the ARP packet and replies to A with its (B's) physical layer address ❑ A caches (saves) IP-to-physical address pairs until information becomes old (times out) ― Soft state: information that times out (goes away) unless refreshed Routing to another LAN Walkthrough: routing from A to B via R A R B In the routing table at the source Host, find router 111.111.111.110 In the ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc ▪ A creates an IP packet with source A, destination B ▪ A uses ARP to get R’s physical layer address for 111.111.111.110 ▪ A creates an Ethernet frame with R’s physical address as dest, Ethernet frame contains A-to-B IP datagram ▪ A’s data link layer sends an Ethernet frame ▪ R’s data link layer receives an Ethernet frame ▪ R removes IP datagram from Ethernet frame, sees it destined to B ▪ R uses ARP to get B’s physical layer address ▪ R creates frame containing A-to-B IP datagram sends to B A R B Common Attacks Over MAC Layer MAC Flooding Attack ❑ Problem: an attacker can cause the learning table to fill o Generate many packets to varied (perhaps nonexistent) MAC addresses ❑ This harms efficiency o Effectively transforms switch into hub o Wastes bandwidth, end host CPU ❑ This harms privacy o The attacker can eavesdrop by preventing the switch from learning the destination of a flow ❑ Similarly, DHCP can be flooded with bogus IP “address accepted by host” responses, deny IP connectivity to devices MAC Flooding Attack: How Does it work ❑ An attacker floods a switch's MAC address table by sending numerous fake Ethernet frames with different source MAC addresses and the same destination MAC address. ― This aims to overload the table, forcing the switch into a fail-open mode, which can lead to security vulnerabilities. MAC Flooding Attack: How Does it work ❑ The switch adds MAC addresses to its MAC Address Table as it learns them. However, when an attacker sends numerous fake addresses, the table quickly fills up. ― To succeed, the attacker must use many different MAC addresses; otherwise, the table might not overflow if it can hold all the addresses used. MAC Flooding Attack: How Does it work ❑ When the MAC address table is full, the switch enters a “fail-open” mode, forwarding frames to all ports instead of using the table to determine the correct port. ― Which causes network congestion and can disrupt network communication. MAC Flooding Attack: How Does it work ❑ Once the attacker forces the switch into fail-open mode, they can send frames to any device on the network, ― Potentially disrupting communications and intercepting sensitive info. ― The success of this attack depends on other network security measures, such as packet encryption. MAC Spoofing Attack ❑ Host pretends to own the MAC address of another host o Easy to do: most Ethernet adapters allow modifying their address. o Powerful: can immediately cause complete DoS to spoofed host – All learning table entries switch to point to the attacker – All traffic redirected to the attacker – Can enable the attacker to evade ACLs set based on MAC info. MAC Spoofing Attack: How Does it Work ❑ The attacker monitors network traffic to identify a legitimate device on the network that he wants to impersonate. ― This could be a device with elevated privileges or access to sensitive information MAC Spoofing Attack: How Does it Work ❑ The attacker spoofs MAC address of a legitimate device and connects to the network, ― Can impersonate the device and potentially access its privileges or sensitive information. MAC Spoofing Attack: How Does it Work ❑ By impersonating a legitimate device, the attacker can intercept and modify network traffic intended for that device, allowing them to read or alter the data in the frames. MAC Spoofing Attack: How Does it Work ❑ The attacker can also use this access to legitimate devices to launch further attacks on other devices on the network. ― Injecting malicious code, ― Performing man-in-the-middle attacks, ― Trying to elevate device privileges, ― Gaining user access to servers or other machines and so on ❑ MAC Flooding and MAC Spoofing can be used in sequence. ― Success with one method can enable the attacker to use the other, depending on their objectives for intercepting network traffic. Countermeasures for MAC Flooding/Spoofing ❑ Network Access Control/MAC Address Filtering. ― Allowing only authorized devices and requiring mandatory authentication before devices can join the network. ❑ Port security/VLANs. ― Port security limits the number of MAC addresses learned on a specific port, ― VLANs isolate sensitive traffic within a virtual network to protect it from unauthorized devices. ❑ IDS/IPS systems ― Network administrators should also be aware of correctly configuring all switches inside their networks, as it can be life-saving. ARP Spo o fing Attack (ARP Poisoning) A type of MitM attack that allows attackers to intercept communication between network devices 1. The attacker must have access to the network. They scan the network to determine the IP addresses of at least two devices (a workstation and a router). 2. Attacker uses a spoofing tool (Arpspoof or Driftnet) to send out forged ARP responses. 3. The forged responses mislead both devices into believing the attacker's MAC address is associated with both IP addresses. 4. The devices update their ARP cache to communicate with the attacker instead of directly with each other. 5. The attacker is now secretly in the middle of all communications (intercepts and manipulates all communications between the devices). ARP Spo o fing Atta ck (ARP Poisoning) Host B Host A 10.0.0.1 10.0.0.3 MAC: 0000:9f1e MAC: 0000:ccab IP MAC Gratuitous ARP: “My MAC is Attacker 10.0.0.3 0000:7ee5 0000:7ee5 and I 10.0.0.6 have IP address MAC: 10.0.0.3” 0000:7ee5 Attacker sends fake unsolicited ARP replies – The attacker can intercept forward-path traffic – Can intercept reverse-path traffic by repeating attacks for source – Gratuitious ARPs make this easy – Only works within the same subnet/VLAN Source: M. Caesar (UIUC) ARP Spo o fing Attack (ARP Poisoning) Once the attacker succeeds in an ARP spoofing attack, he can: Continue routing the communications as-is ― the attacker can sniff the packets and steal data, except if transferred over an encrypted channel like HTTPS. Perform session hijacking ― if the attacker obtains a session ID, they can gain access to accounts the user is currently logged into. Alter communication ― for example, pushing a malicious file or website to the workstation. DDoS ― the attackers can provide the MAC address of a server they wish to attack with DDoS instead of their own machine. ― If they do this for a large number of IPs, the target server will be bombarded with traffic. Co unte rm e as ure s to ARP Spo o fing ❑ Ignore Gratuitous ARP o By ignoring these unsolicited ARP messages, a device can prevent potentially malicious updates to its ARP table, which helps reduce the risk of being misled by spoofed ARP responses. ❑ Dynamic ARP Inspection (DAI) o Switches record mappings learned from DHCP messages, drop all mismatching ARP replies ❑ Intrusion detection systems (IDS) o Monitor all mappings, signal alarms ❑ VLANs o Partition Ethernet networks into “virtual” LANs that are disjoint from each other Final Remarks ❑ MAC protocols control access to physical network resources for multiple clients (wired and wireless) ❑ Protocols not designed with security in mind ❑ Spoofing, flooding attacks possible against Ethernet, 802.11 networks ❑ Devices can be fingerprinted based on MAC layer characteristics Network Access Control Network Access Control (NAC) An umbrella term for managing access to a network NAC: The process of authenticating users/entities logging into the network and determining what data they can access and what actions they can perform Also examines the health of the user’s computer or mobile device Outline Network Access Control Elements of a Network Access Control System Network Access Enforcement Methods Extensible Authentication Protocol (EAP) Authentication Methods, EAP Exchanges IEEE 802.1X Port-Based Network Access Control NAC systems deal with three categories of components: Access requester (AR) Policy server Network access server (NAS) Node that is attempting to Determines what Functions as an access access the network and may access should be control point for users in be any device that is granted to the AR remote locations connecting managed by the NAC Often relies on to an enterprise’s internal system, including backend systems to network workstations, servers, help determine the Also called a media gateway, printers, cameras, and other AR’s remote access server (RAS), or IP-enabled devices condition/health policy server Also referred to as May include its own supplicants, or clients authentication services or rely on a separate authentication service from the policy server Health checks Aka suitability, screening, or assessment checks The policy server or a supporting server will perform checks on the AR to determine if it should be permitted interactive remote access connectivity. These checks require software on the user’s system to verify compliance with certain requirements from the organization’s secure configuration baseline. Network Access Enforcement Methods The actions that are applied to ARs to regulate access to the enterprise network Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods Common NAC enforcement methods: IEEE 802.1X Virtual local area networks (VLANs) Firewall DHCP management Extensible Authentication Protocol (EAP) EAP (RFC 3748) provides a generic transport service for the exchange of authentication information between a client system and an authentication server. The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server. Commonly supported EAP methods: EAP Transport Layer Security EAP Tunneled TLS EAP Generalized Pre-Shared Key EAP-IKEv2 EAP applicability EAP Layering EAP is extensible; that is, it can encapsulate various authentication methods to be used between a client and an authentication server. It can operate over a variety of network and link level facilities, including point-to-point links, LANs, and other networks. Pass-through authenticator When operating as a "pass-through authenticator", an authenticator performs checks on the Code, Identifier, and Length fields. It forwards EAP packets received from the peer and destined to its authenticator layer to the backend authentication server; packets received from the backend authentication server destined to the peer are forwarded to it. IEEE 802.1x an IEEE Standard for port-based Network Access Control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or a WLAN. It is part of the IEEE 802.1 group of networking protocols. IEEE 801.1x EAP Supplicant Peer Network access point Authenticator Authentication server Authentication server IEEE 802.1x Authentication of supplicants: Until the AS authenticates a supplicant, the authenticator only passes control and authentication messages between the supplicant and the AS; the 802.1X control channel is unblocked, but the 802.1X data channel is blocked. Once a supplicant is authenticated and keys are provided, the authenticator can forward data from the supplicant. Under these circumstances, the data channel is unblocked. The essential element defined in 802.1X is a protocol known as EAPOL (EAP over LAN). EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as Ethernet or Wi-Fi, at the link level. EAPOL enables a supplicant to communicate with an authenticator and supports the exchange of EAP packets for authentication. An uncontrolled port allows the exchange of protocol data units (PDUs) between the supplicant and the AS, regardless of the authentication state of the supplicant. A controlled port allows the exchange of PDUs between a supplicant and other systems on the network only if the current state of the supplicant authorizes such an exchange. Source: https://en.wikipedia.org/wiki/IEEE_802.1X EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter. Recall Figure 5.3 IEEE 802.1X-2020: IEEE Standard for Local and Metropolitan Area Networks--Port-Based Network Access Control Source: https://standards.ieee.org/ieee/802.1X/7345/ Port-based network access control allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE MAC Security. Table 5.1 Terminology Related to IEEE 802.1X (Table can be found on page 152 in textbook) The EAPOL packet format includes the following fields: Protocol version: version of EAPOL. Packet type: indicates start, EAP, key, logoff, etc. Packet body length: If the packet includes a body, this field indicates the body length. Packet body: The payload for this EAPOL packet. An example is an EAP packet. Table 5.2 Common EAPOL Frame/Packet Types Sequence diagram of the 802.1X progression (Source: https://en.wikipedia.org/wiki/IEEE_802.1X) Summary Network access control Elements of a network access control system Network access enforcement methods Extensible authentication protocol Authentication methods EAP exchanges IEEE 802.1X port-based network access control