LAN data link layer network security

Source: Internet
Author: User

Each layer of the communication stack has its own security problems, and connections at layer 2, the data link layer, are comparatively weak in this respect. Network security has to be addressed at several protocol layers, because each layer has its own vulnerabilities. This article focuses on the security issues of wired LANs.
Switches are the key components of layer 2 communication and also take part in layer 3 forwarding. Like routers, they are exposed to many of the attacks that target layer 3, as well as to a number of attacks unique to layer 2. These attacks include:

Content Addressable Memory (CAM) table flooding: The CAM table in a switch maps each learned MAC address to the physical switch port it was seen on, together with the associated VLAN. A typical attacker floods the switch with frames carrying a large number of bogus source MAC addresses until the CAM table is full. Once that happens, the switch floods incoming frames out of every port, because it can no longer find the port for a given destination MAC address in the CAM table. When the CAM table is overflowed in this way, the switch floods traffic everywhere within the local VLAN; the attacker therefore only sees the traffic of the VLAN they are connected to.
VLAN hopping: VLAN hopping is an attack in which an end system sends frames addressed to a system on a different VLAN that it could not reach by normal means. The frames are tagged with a VLAN ID different from that of the sending system's own VLAN, or the attacking system impersonates a switch and negotiates a trunk, so that the attacker can send and receive traffic belonging to other VLANs.
Spanning Tree Protocol manipulation: The Spanning Tree Protocol (STP) is used in switched networks to prevent bridging loops in Ethernet topologies. By attacking STP, an attacker tries to make their own system the root bridge of the topology. To do so, the attacker broadcasts STP configuration and topology change Bridge Protocol Data Units (BPDUs) in an attempt to force a spanning-tree recalculation. The BPDUs sent by the attacker's system announce a lower bridge priority than the current root. If this succeeds, the attacker can see a variety of data frames.
Media Access Control (MAC) address spoofing: In a MAC spoofing attack, the known MAC address of another host is used to make the switch forward frames destined for that host to the attacker. By sending a single frame with the victim host's Ethernet source address, the attacker overwrites the entry in the CAM table so that the switch forwards frames addressed to the host to the attacker instead. The host receives no traffic until it transmits again; when it does, the CAM table entry is rewritten once more and restored to the original port.
Address Resolution Protocol (ARP) attacks: ARP maps IP addresses to MAC addresses for hosts on the same subnet of a LAN. An ARP attack occurs when someone tries to alter the IP-to-MAC mapping in the ARP table without authorization. By forging MAC or IP addresses in this way, an attacker can launch two kinds of attack: denial of service and man-in-the-middle.
Private VLAN attacks: A private VLAN works by restricting which ports within a VLAN can communicate with other ports in the same VLAN. An isolated port can communicate only with a promiscuous port, while the promiscuous port can communicate with any port. Attacks that bypass the protection of a private VLAN use a proxy to get around the private VLAN's access restriction.
DHCP starvation: DHCP starvation attacks are carried out by broadcasting DHCP requests with forged MAC addresses; tools such as Gobbler make this easy. If enough requests are sent, the attacker exhausts the address pool offered by the DHCP server for a period of time. This is a simple resource-exhaustion attack, much like a SYN flood. The attacker can then set up a rogue DHCP server on their own system to answer new DHCP requests from clients on the network.
Reducing LAN security risks

Configuring port security on a switch prevents CAM table flooding attacks. Port security can either specify the MAC addresses permitted on a given switch port or limit the number of MAC addresses a port may learn. When an invalid MAC address is detected on the port, the switch can either block that MAC address or disable the port.

A few changes to the VLAN configuration prevent VLAN hopping attacks. The key point is that a dedicated native VLAN ID must be used on all trunk ports. Disable all unused switch ports and place them in an unused VLAN. Explicitly disable DTP on all user ports so that they are fixed in non-trunking (access) mode.

To prevent STP manipulation attacks, use the Root Guard and BPDU Guard enhancements to keep the position of the root bridge in the network fixed and to enforce the boundary of the STP domain. Root Guard provides a way to keep the root bridge's position unchanged. BPDU Guard lets network designers keep the active network topology predictable. BPDU Guard may seem unnecessary, since the administrator can set the intended root's priority to 0, but this does not guarantee that it will be elected root, because another bridge may also have priority 0 and a lower bridge ID. BPDU Guard is best applied on user-facing ports, to prevent an attacker from extending the network with a rogue switch.

Use port security commands to prevent MAC spoofing attacks. Port security binds the MAC address of a specified system to a specific port, and also lets you specify the action to take when a port-security violation occurs. However, specifying a MAC address on every port is as impractical here as it is for preventing CAM table flooding. To counter ARP spoofing, use the aging option in the interface configuration to set how long an entry remains in the ARP cache.

Configure access control lists (ACLs) on the router port to prevent private VLAN attacks. VLAN ACLs (VACLs) can also be used to eliminate the effect of private VLAN attacks.

The same technique that prevents CAM table flooding, limiting the number of MAC addresses on a switch port, also prevents DHCP starvation. As DHCP message authentication according to RFC 3118 is deployed, DHCP starvation attacks become increasingly difficult.

In addition, IEEE 802.1X provides basic network access control at the data link layer. It is a standard for carrying the Extensible Authentication Protocol (EAP) over wired and wireless networks. If authentication does not complete, 802.1X denies access to the network, which prevents attacks on the basic network devices as well as attacks that rely on basic IP connectivity. EAP was originally designed for use with the Point-to-Point Protocol (PPP) in dial-up and remote-access networks; 802.1X now carries EAP in LAN environments, including wireless LANs.
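The controls described in this section, brought together in one added hardening configuration in Cisco IOS syntax (an assumption: the article names no vendor, and this is not the article's own configuration). VLAN 10 as the user VLAN, VLAN 999 as the unused and native VLAN, and the interface numbers are constructed; the 802.1X lines assume aaa new-model and a RADIUS server are already configured, and DHCP snooping is included as the usual complement to the MAC-address limit the article describes, although the article itself does not name it.

```cisco
! Global: BPDU Guard on every PortFast (user) port, DHCP snooping for the user VLAN,
! 802.1X enabled (assumes aaa new-model and a RADIUS server are already configured)
spanning-tree portfast bpduguard default
ip dhcp snooping
ip dhcp snooping vlan 10
dot1x system-auth-control
!
! User-facing access ports: fixed access mode with DTP disabled (no VLAN hopping),
! one learned MAC per port and shutdown on violation (CAM flooding, MAC spoofing,
! DHCP starvation), BPDU Guard (rogue switch), 802.1X before any traffic is allowed
interface range GigabitEthernet1/0/1 - 40
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
 authentication port-control auto
 dot1x pae authenticator
!
! Unused ports: parked in an unused VLAN and shut down
interface range GigabitEthernet1/0/41 - 46
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Port toward a downstream access switch: Root Guard, so a superior BPDU arriving
! from that side cannot move the root bridge
interface GigabitEthernet1/0/47
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport nonegotiate
 spanning-tree guard root
!
! Uplink toward the distribution layer and the DHCP server: dedicated native VLAN,
! DTP disabled, trusted for DHCP snooping (the only port allowed to carry DHCP offers)
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport nonegotiate
 ip dhcp snooping trust
```

A port-security violation or a BPDU Guard trip places the port in the err-disabled state, so pair this configuration with an alert on the err-disable log message or an errdisable recovery timer, otherwise a single stray hub or spoofed frame takes the port down until an administrator intervenes.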
