COMP4337/9337: Securing Fixed and Wireless Networks
WK05-02: Link Layer Security (additional foils) Professor Sanjay K. Jha
Link Layer Security
Ø 802.1X Port based Authentication
Ø Security issues in Ethernet switched LAN
Ø Security issues in Wireless LAN
These extra foils are examinable but left as self-reading. Reference: Cybok Network Security KA Section 17.6 https://www.cybok.org/knowledgebase/
Link Layer Security (Covered in WK05-01)
Ø 802.1X Port based Authentication
o For both wired and wireless networks
o A station (supplicant) must authenticate with the switch or Access Point (AP) (Authenticator) before connecting
o The Authentication Server (AS) and authenticator can be co-located or, if separate, preconfigured with a shared
[Figure: 802.1X components: Supplicants, Authenticator, Authentication Server (RADIUS, LDAP, Active Directory), Protected Infrastructure]
Ethernet Switched LANs
Ø Ethernet switched LANs operate on self-learning and configuring protocols; various attacks are possible
Ø Switch Poisoning Attack: The attacker fills up the switching table with bogus MAC addresses forcing the switch to broadcast all incoming data frames to all outgoing ports
o Attacker controls a device attached to one of the switch ports
Ø MAC Spoofing: Attacker learns a legitimate MAC address by snooping, then floods the network with it so that traffic destined for the target machine is directed to the attacker
Ø ARP Spoofing: Attacker sends fake ARP messages binding the target’s IP address to its own MAC address
o ARP spoofing can also be used for DoS attacks by populating the ARP table with multiple IP addresses corresponding to a single MAC address of a target server
Ethernet Switched LANs
Ø VLAN Hopping: VLAN hopping attacks allow an attacking host on a VLAN to gain access to resources on other VLANs that would normally be restricted
o In a switch spoofing attack, an attacking host impersonates a trunking switch responding to the tagging and trunking protocols (e.g., IEEE 802.1Q or Dynamic Trunking Protocol) typically used in a VLAN environment.
§ The attacker can access traffic for multiple VLANs
o In a double tagging attack, an attacker succeeds in sending its frame to more than one VLAN by inserting two VLAN tags to a frame it transmits.
§ This attack does not allow the attacker to receive a response
Link Layer Security
Ø Various attacks on Switched Ethernet LANs and their countermeasures
o Switch poisoning attack: authenticating MAC addresses against a local database of legitimate addresses
o MAC spoofing: 802.1X based authentication
o ARP spoofing: limit the number of addresses per port; trusted binding table for verification
o VLAN hopping: switch configurations to limit ports' participation in trunking protocols; disable automatic trunk negotiation
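A constructed Python model of two of the countermeasures above (a per-port address limit against switch poisoning, and a trusted IP-to-MAC binding table used to verify ARP messages against ARP spoofing). This is an added example, not part of the lecture material or any vendor implementation; the Frame and SecureSwitch classes, the MAC/IP values and the frame sequence are all assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Frame:
    """Simplified view of a frame arriving at a switch port (constructed)."""
    port: int
    src_mac: str
    arp_ip: Optional[str] = None   # sender IP inside an ARP message, if any
    arp_mac: Optional[str] = None  # sender MAC claimed inside that ARP message

@dataclass
class SecureSwitch:
    max_macs_per_port: int                # port-security limit (assumed setting)
    trusted_bindings: Dict[str, str]      # IP -> MAC, e.g. from DHCP snooping/static config
    cam: Dict[int, Set[str]] = field(default_factory=dict)  # port -> learned MACs
    alerts: List[str] = field(default_factory=list)

    def process(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        learned = self.cam.setdefault(f.port, set())
        if f.src_mac not in learned:
            if len(learned) >= self.max_macs_per_port:
                # Too many source MACs on one port: the pattern of CAM-table
                # flooding (switch poisoning). Refuse to learn and drop.
                self.alerts.append(f"port {f.port}: MAC limit hit by {f.src_mac}")
                return False
            learned.add(f.src_mac)
        if f.arp_ip is not None:
            expected = self.trusted_bindings.get(f.arp_ip)
            if expected is None or expected.lower() != (f.arp_mac or "").lower():
                # ARP payload contradicts the trusted binding table: drop it so the
                # bogus IP->MAC mapping never reaches other hosts' ARP caches.
                self.alerts.append(f"port {f.port}: ARP {f.arp_ip}->{f.arp_mac} rejected")
                return False
        return True

def run_demo():
    """Replay a constructed frame sequence; returns (forward decisions, alerts)."""
    sw = SecureSwitch(max_macs_per_port=2, trusted_bindings={
        "10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.2": "aa:aa:aa:aa:aa:02"})
    frames = [
        Frame(1, "aa:aa:aa:aa:aa:01"),                                   # ordinary host
        Frame(1, "aa:aa:aa:aa:aa:02", "10.0.0.2", "aa:aa:aa:aa:aa:02"),  # genuine ARP
        Frame(2, "bb:bb:bb:bb:bb:03", "10.0.0.1", "bb:bb:bb:bb:bb:03"),  # ARP claims another host's IP
        Frame(2, "bb:bb:bb:bb:bb:04"),                                   # second MAC on port 2
        Frame(2, "bb:bb:bb:bb:bb:05"),                                   # third MAC: over the limit
    ]
    decisions = [sw.process(f) for f in frames]
    return decisions, sw.alerts
```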