In this post, we will cover the question along with its relevant answer related to network security.
Question
Due to the tremendous growth of the organization, the number of LAN and IoT devices is increasing. They are now facing challenges to maintain increasing layer 2 security issues. Discuss five different kinds of L2 security challenges and their mitigation techniques.
Answer
The five different types of L2 security challenges with their mitigation techniques are listed below in brief:
1. VLAN Attacks
The term "virtual local area network" refers to a network that is made up of one or more local area networks which enable the merging of devices from many networks into a single logical network and the attack was done in this type of network is VLAN attacks.
VLAN attacks can be done in several ways. Some of them are described below:
❖ VLAN hopping attack
In this attack the switch enters trunking mode after faking DTP messages from the attacking host and trunking is enabled where a rogue switch is also added.
It gives the attacker access to all VLANs on the network.
❖ Double tagging VLAN attack
It is also called a double-encapsulated VLAN hopping attack.
The double tagging VLAN exploit exploits a flaw in the 802.1q VLAN protocol, allowing an attacker to bypass network segmentation and spoof VLAN traffic by altering an Ethernet packet to include two 802.1q VLAN tags.
Mitigation for VLAN attacks.
❖ VLAN Hopping attack.
✓ Only enable the ports which specifically require trunking and turn off all the unwanted/unused ports.
✓ Use only the dedicated VLAN ID for all trunk ports.
❖ Double tagging VLAN attack
✓ Double tagging attacks can be avoided by keeping the trunk ports' native VLAN separate from the user VLANs.
✓ The native VLAN should not be assigned to any port for added security.
2. LAN Storms
A LAN storm occurs when packets flood the LAN, causing excessive traffic and degrading network performance.
It occurs due to mistakes in network configurations and the occurrence of errors during the implementation of the protocol stack.
Mitigation for LAN Storms
✓ Excessive broadcast, multicast, and unicast frames can be reduced through storm control. ✓ Storm control prevents a broadcast, multicast, or unicast storm on one of the physical interfaces from disrupting traffic on a LAN.
3. Spanning Tree Protocol Manipulation
In an STP attack, the attacker spoofs the topology's root bridge.
To cause an STP recalculation, the attacker broadcasts an STP configuration/topology change BPDU.
According to the BPDU sent out, the attacker's system has a lower bridge priority.
As a result, the attacker has access to a variety of frames sent to it by other switches. All three security objectives such as confidentiality, integrity, and availability can be defeated by this type of attack.
Mitigation for Spanning Tree Manipulation
✓ Port should be enabled.
✓ Root guard should be enabled.
✓ BPDU guard should be enabled.
4. MAC address table overflow
MAC address table overflow is a network attack in which an attacker connected to a switch port sends a large number of Ethernet messages with different bogus source MAC addresses to the switch interface.
When this happens, the switch considers the frame as an unknown unicast and floods all incoming data from all VLAN ports, bypassing the MAC table.
Mitigation for MAC address table overflow
✓ Port security must be implemented by network administrators on the switch.
✓ With port security, the administrator can either directly specify the MAC addresses on a switch port or enable the switch to learn a predetermined number of MAC addresses dynamically.
5. MAC address spoofing
In this attack, the impostor or hacker searches the network for valid and original MAC addresses while avoiding access control mechanisms, giving the hacker the benefit of posing as one of the valid MAC addresses.
Mitigation for MAC address spoofing.
✓ The firewall should be installed and enabled in networks.
✓ VPNs should be used.
✓ Packet filtering should be done.
0 Comments
Feel Free To Ask Any Queries?