Link layer security

This sandbox is in the article namespace. Either move this page into your userspace, or remove the {{User sandbox}} template. Network Interface Layer Security

The network interface layer, also commonly referred to as the data link layer or link layer, is the lowest layer in the TCP/IP network model stack. This particular layer has several unique security vulnerabilities that can be exploited by a determined adversary.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the communications protocol developed for data communications over the internet. Like most communications protocols it is designed in a layered fashion with data from the highest layer passing through each subsequent layer down to the lowest level of the stack on the transmitting side and then travelling up through the stack on the receiving side. The TCP/IP protocol contains four layers: the application layer, transport layer, internetwork layer and network interface layer.^[1]

The application layer contains the actual application residing on the host system that is communicating, over the network, with an application residing on a physically separated host system. The output flowing from this layer can be considered as raw data. ^[2]

The transport layer is responsible for end-to-end delivery of the data from one application to another. The most common transport layer protocol is the Transmission Control Protocol. This protocol establishes a connection between the communicating applications, ensures that data packets are transmitted reliably, drops duplicate data transmissions and controls the flow of data traffic when multiple applications are communicating. ^[2]

The internetwork layer, also referred to as the internet layer, encapsulates the data into datagrams for transmission over the internet. This layer is responsible for ensuring that the data packets are properly routed from the source to the destination. Internet protocol, or IP, is the most common protocol used at this layer.^[2]

The network interface layer, commonly referred to as the data link layer, is the physical interface between the host system and the network hardware. It defines how data packets are to be formatted for transmission and routings. Some common link layer protocols include IEEE 802.2 and X.25.^[2] The data link layer and its associated protocols govern the physical interface between the host computer and the network hardware. The goal of this layer is to provide reliable communications between hosts connected on a network. Some of the services provided by this layer of the network stack include:^[3]

Data Framing - Breaking up the data stream into individual frames or packets.

Checksums - Sending checksum data for each frame to enable the receiving node to determine whether or not the frame was received error-free.

Acknowledgment - Sending either a positive (data was received) or negative (data was not received but expected) acknowledgement from receiver to sender to ensure reliable data transmission.

Flow Control - Buffering data transmissions to ensure that a fast sender does not overwhelm a slower receiver.

The data link layer addresses data packets based on the destination hardware’s physical Media Access Control (MAC) address. Switches within the network maintain Content Address Tables (CAMs) that maps the switch’s ports to specific MAC addresses. These tables allow the switch to securely deliver the packet to its intended physical address only. Using the switch to connect only the systems that are communicating provides much greater security than a network hub, which broadcasts all traffic over all ports,^[4] allowing an eavesdropper to intercept and monitor all network traffic. A CAM Table Exhaustion Attack basically turns a switch into a hub.^[5] The attacker floods the CAM table with new MAC-to-port mappings until the table’s fixed memory allotment is full. At this point the switch no longer knows how to deliver traffic based on a MAC-to-port mapping, and defaults to broadcasting traffic over all ports. An adversary is then able to intercept and monitor all network traffic traversing the switch to include passwords, emails, instant messages, etc.^[6]

The CAM table-overflow attack can be mitigated by configuring port security on the switch. This option provides for either the specification of the MAC addresses on a particular switch port or the specification of the number of MAC addresses that can be learned by a switch port. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port.^[7]

At the data link layer a logical IP address assigned by the network layer is translated into a physical MAC address. In order to ensure reliable data communications all switches in the network must maintain up-to-date tables for mapping logical (IP) to physical (MAC) addresses. If a client or switch is unsure of the IP-to-MAC mapping of a data packet it receives it will send an Address Resolution Protocol (ARP) message to the nearest switch asking for the MAC address associated with the particular IP address. Once this is accomplished the client or switch will update its table to reflect the new mapping. In an ARP spoofing attack the adversary broadcasts the IP address of the machine to be attacked along with its own MAC address. All neighboring switches will then update their mapping tables and begin transmitting data destined to the attacked system’s IP address to the attacker’s MAC address.^[5] Such an attack is commonly referred to as a “man in the middle” attack.

Defenses against ARP spoofing generally rely on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are blocked. These techniques may be integrated with the Dynamic Host Configuration Protocol(DHCP) server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment.^[8]

When a client system without an IP address enters a network it will request an IP address from the resident DHCP server. The DHCP server will respond with an IP address for the device as well as a lease identifying how long the address will be valid. In a DHCP starvation attack the adversary floods the DHCP server with IP address requests until all addresses within the server’s address space have been exhausted. At this point any hosts wishing to utilize the network will be denied access, resulting in a denial of service. The adversary can then set up a rogue DHCP server so that clients receive incorrect network settings and as a result transmit data to an attacker’s machine.^[9]

One method for mitigating this type of attack is to use the IP source guard feature available on many ethernet switches. The IP guard initialy blocks all traffic except DHCP packets. When a client receives a valid IP address from the DHCP server the IP address and switch port relationship are bound in an Access Control List (ACL). The ACL then restricts traffic only to those IP addresses configured in the binding.^[10]

In a wireless network many hosts or nodes are sharing a common medium. If nodes A and B are both wireless laptop computers communicating in an office environment their physical separation may require that they communicate through a wireless access point. But only one device can transmit at a time in order to prevent packet collisions. Prior to transmitting, Node A sends out a Ready to Send (RTS) signal. If it is not receiving any other traffic the access point will broadcast a Clear to Send (CTS) signal over the network. Node A will then begin transmitting while Node B knows to hold off transmitting it’s data for the time being. Even though it cannot directly communicate with Node A, i.e. Node A is hidden, it knows to wait based on its communication with the access point. An attacker can exploit this functionality by flooding the network with CTS messages. Then every node assumes there is a hidden node trying to transmit and will hold its own transmissions, resulting in a denial of service.^[11]

Preventing hidden node attacks requires a network tool such as NetEqualizer. ^[11] Such a tool monitors access point traffic and develops a baseline level of traffic. Any spikes in RTS signals are assumed to be the result of a hidden node attack and are subsequently blocked.

Any client entering a wireless network must first authenticate with an access point (AP) and is thereafter associated with that access point. When the client leaves it sends a deauthentication, or deauth, message to disassociate itself with the access point. An attacker can send deauth messages to an access point tied to client IP addresses thereby knocking the users off-line and requiring continued re-authenticate, giving the attacker valuable insight into the reauthentication handshaking that occurs.^[12]

To mitigate such an attack the access point can be set up to delay the effects of deauthentication or disassociation requests (e.g., by queuing such requests for 5-10 seconds) thereby giving the access point an opportunity to observe subsequent packets from the client. If a data packet arrives after a deauthentication or disassociation request is queued, that request is discarded since a legitimate client would never generate packets in that order.^[13]