Network Security - Data Link Layer
By IncludeHelp Last updated : July 25, 2024
There is no denying that Network Security is an important aspect of protecting data integrity, confidentiality, and availability. While most organisations focus on securing higher layers of the OSI model, the Data Link Layer often remains overlooked.
This tutorial will explain the Data Link Layer, its functions, and common security issues with relevant examples.
What is the Data Link Layer?
The data link layer (DLL) is the second layer of the OSI (Open Systems Interconnection) network architecture model.
The data link layer is further divided into two sub-layers:
1. Logical Link Control (LLC)
This sub-layer handles multiplexing, data flow control, error messages, and acknowledgements.
For example, if you have several apps running on your computer (like a web browser, email, and a file download), the LLC sub-layer helps to identify and manage the data. It ensures that each app's data goes to the right place without getting mixed up.
2. Media Access Control (MAC)
The MAC sub-layer manages how devices share the network medium. It gives each device a unique address and controls when a device may send data, so that frames reach the correct destination.
Consider a Wi-Fi network in a coffee shop where multiple devices (laptops, smartphones, tablets) are connected. Each device has a unique MAC address, and the MAC sub-layer in the Wi-Fi router uses these addresses to communicate with each device.
Functions of the Data Link Layer
The functions of this layer are as follows:
- This layer adds a header to the frame to include the sender's and receiver's MAC addresses.
- It divides data into frames for easier handling.
- It helps to identify and correct errors that occur during data transmission.
- It manages the rate of data transmission (flow control) so that the receiver's buffer does not overflow.
Data Link Protocols
Data link protocols are as follows:
- Ethernet: A widely used protocol for wired local area networks (LANs) that controls how data packets are formatted and transmitted.
- PPP (Point-to-Point Protocol): A protocol to establish a direct connection between two network nodes.
- FDDI (Fiber Distributed Data Interface): A protocol for transmitting data over fiber optic cables in high-speed networks.
- Token Ring: A protocol where devices in a network pass a token around; only the device with the token can send data.
Types of Attacks at Data Link Layer
Common attacks at the data link layer are as follows:
1. ARP Spoofing
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses.
Example
Suppose Person X and Person Y are communicating over a network. Person Z, an attacker, wants to intercept their communication through ARP spoofing.
- Person Z sends forged ARP messages to Person X, making it appear that Z's MAC address belongs to Y's IP address.
- Person X updates her ARP cache with this incorrect mapping, now treating Person Z's MAC address as Person Y's.
- Person X sends the data intended for Person Y to Person Z instead.
- Person Z can now read and manipulate the data before forwarding it to Person Y.
2. MAC Flooding
In a MAC flooding attack, an attacker floods a switch with frames carrying many different source MAC addresses.
A company's network switch can hold only a limited number of MAC addresses in its MAC address table.
Example
- Seema, an attacker, sends packets with different fake MAC addresses to the switch.
- The switch's MAC address table becomes full.
- Unable to learn new addresses, the switch floods traffic for unknown destinations out of all ports.
- Seema can now capture sensitive data that was not meant for her.
3. Port Stealing
Attackers use forged ARP messages to trick a switch into forwarding traffic to the wrong port. This lets the attacker see and change network traffic.
A switch in an office network forwards traffic to specific ports based on the MAC addresses it has learned.
Example
- Rony, an attacker, sends a fake message to the switch, pretending to be someone else.
- The switch updates its MAC address table accordingly, so that the other person's address now points to Rony's port.
- The messages meant for the other person go to Rony instead.
- Rony can read and change these messages before sending them to the correct person.
4. DHCP Attacks
Dynamic Host Configuration Protocol (DHCP), which assigns IP addresses to devices on a network, can be attacked in two main ways:
- An attacker requests all the available IP addresses, leaving none for others, so the network stops working for legitimate users (DHCP starvation).
- An attacker sets up a rogue DHCP server that hands out bad IP settings to devices, redirecting their traffic or blocking their access.
How to Protect against Data Link Layer Attacks?
The following measures protect against data link layer attacks:
1. Port Security
Port security limits how many devices (MAC addresses) may be learned on a single switch port. This feature can prevent MAC flooding and MAC cloning attacks.
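The following is an added example, not code from the tutorial: a toy switch model that learns source MACs per port, showing why the MAC flooding attack above turns the switch into a hub and how a per-port MAC limit (port security in shutdown-violation mode) stops it. Port names, table size and all MAC addresses are constructed.

```python
# Added example: toy switch with a bounded MAC table and optional port security.
# Ports, table size and MAC addresses are constructed for the demonstration.

class Switch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = ports
        self.table_size = table_size        # capacity of the MAC address table
        self.max_macs = max_macs_per_port   # port-security limit (None = disabled)
        self.table = {}                     # learned source MAC -> ingress port
        self.err_disabled = set()           # ports shut down by a security violation

    def forward(self, in_port, src, dst):
        """Process one frame; return the set of egress ports or 'violation'."""
        if in_port in self.err_disabled:
            return "violation"
        if self.max_macs is not None and src not in self.table:
            learned_here = sum(1 for p in self.table.values() if p == in_port)
            if learned_here >= self.max_macs:
                self.err_disabled.add(in_port)   # shutdown violation mode
                return "violation"
        if src not in self.table and len(self.table) < self.table_size:
            self.table[src] = in_port            # learn the source address
        if dst in self.table:
            return {self.table[dst]}             # known unicast: one port only
        return set(self.ports) - {in_port}       # unknown destination: flood

def mac_flood_demo(port_security):
    """Replay the flooding scenario; report where a later unicast frame ends up,
    which ports were err-disabled, and how many attacker frames were blocked."""
    sw = Switch(ports=["p1", "p2", "p3"], table_size=4,
                max_macs_per_port=1 if port_security else None)
    sw.forward("p1", "aa:00:00:00:00:01", "ff:ff:ff:ff:ff:ff")   # legitimate host on p1
    # Attacker on p3 sends frames from many fake source MACs (constructed)
    results = [sw.forward("p3", f"de:ad:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
               for i in range(5)]
    # A legitimate server on p2 replies; with a full table it cannot be learned
    sw.forward("p2", "aa:00:00:00:00:02", "aa:00:00:00:00:01")
    egress = sw.forward("p1", "aa:00:00:00:00:01", "aa:00:00:00:00:02")
    return egress, sorted(sw.err_disabled), sum(1 for r in results if r == "violation")
```

Without port security the host-to-server frame is flooded to p3 as well, so the attacker sees it; with a one-MAC limit, p3 is err-disabled after its second fake address and the frame goes only to p2.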
2. DHCP Snooping
DHCP snooping is a security feature that prevents unauthorised DHCP servers from answering DHCP requests. Switch ports are marked as either trusted (facing real DHCP servers) or untrusted (facing regular devices), and DHCP server responses arriving on untrusted ports are dropped.
3. Dynamic ARP Inspection (DAI)
DAI (Dynamic ARP Inspection) stops ARP spoofing by checking ARP packets against the IP-to-MAC bindings learned through DHCP snooping. Only ARP packets whose sender addresses match a binding are forwarded; any that don't are dropped.
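The following is an added example, not the tutorial's own code: a minimal model of DHCP snooping feeding Dynamic ARP Inspection, replayed against the X/Y/Z ARP spoofing scenario and the rogue DHCP server from the DHCP attacks section above. The port names, the trusted uplink and all IP and MAC addresses are constructed.

```python
# Added example: DHCP snooping builds an ip -> mac binding table; DAI validates
# ARP packets on untrusted ports against it. Addresses and ports are constructed.

TRUSTED_PORTS = {"Gi0/1"}   # uplink towards the legitimate DHCP server (assumed)

def dhcp_snoop(bindings, msg):
    """Apply DHCP snooping to one DHCP message.
    Server messages (OFFER/ACK) seen on an untrusted port are dropped; an ACK
    from a trusted port records the client's IP and hardware address (chaddr).
    Returns 'forward' or 'drop'."""
    if msg["type"] in ("OFFER", "ACK") and msg["port"] not in TRUSTED_PORTS:
        return "drop"                     # rogue DHCP server behind an access port
    if msg["type"] == "ACK":
        bindings[msg["ip"]] = msg["mac"]  # snooping binding for the client
    return "forward"

def dai_check(bindings, arp):
    """Dynamic ARP Inspection: on untrusted ports the sender IP/MAC pair of an
    ARP packet must match a snooping binding, otherwise the packet is dropped."""
    if arp["port"] in TRUSTED_PORTS:
        return "forward"
    ok = bindings.get(arp["sender_ip"]) == arp["sender_mac"]
    return "forward" if ok else "drop"

def run_scenario():
    """X and Y lease addresses via the trusted uplink; Z then runs a rogue DHCP
    server and tries to claim Y's IP address with Z's MAC (the ARP spoof)."""
    bindings = {}
    dhcp = [  # constructed DHCP messages as seen by the switch
        {"type": "ACK", "port": "Gi0/1", "ip": "10.0.0.10", "mac": "aa:aa:aa:aa:aa:01"},   # X
        {"type": "ACK", "port": "Gi0/1", "ip": "10.0.0.20", "mac": "aa:aa:aa:aa:aa:02"},   # Y
        {"type": "OFFER", "port": "Gi0/3", "ip": "10.0.0.30", "mac": "aa:aa:aa:aa:aa:03"}, # Z rogue
    ]
    dhcp_results = [dhcp_snoop(bindings, m) for m in dhcp]
    arps = [  # constructed ARP replies
        {"port": "Gi0/2", "sender_ip": "10.0.0.20", "sender_mac": "aa:aa:aa:aa:aa:02"},  # genuine Y
        {"port": "Gi0/3", "sender_ip": "10.0.0.20", "sender_mac": "aa:aa:aa:aa:aa:03"},  # Z spoofing Y
    ]
    arp_results = [dai_check(bindings, a) for a in arps]
    return dhcp_results, arp_results, bindings
```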
4. Securing Spanning Tree Protocol (STP)
STP (Spanning Tree Protocol) prevents network loops when redundant paths exist. To secure STP:
- Root Guard: Allows only designated switches to become the root bridge, reducing the chance of unexpected topology changes.
- BPDU Guard: Disables a port that receives unexpected BPDUs, which could come from unauthorised switches, keeping rogue devices off the network.
5. VLAN Security
VLANs segment network traffic, limiting how far attacks like ARP spoofing can spread. To secure VLANs:
- Switch Spoofing Prevention: Stop unauthorised devices from pretending to be switches by turning off trunking on regular access ports and assigning those ports to fixed VLANs.
- Double Tagging Prevention: Make sure attackers can't sneak frames across VLANs by changing the default (native) VLAN to one that is not used and always tagging frames from the native VLAN.