Security Protocols in the Data Link Layer
By Graciela Martínez, Head of LACNIC CSIRT
We have often heard about in-depth security or layered security in reference to the different levels of protection that surround the critical assets of an organization’s core network.
In this article we will focus on the data link layer and some of the security protocols we can implement there.
As a quick overview, let’s briefly recall that the data link layer —known as layer 2 in the Open Systems Interconnection model (OSI model)— is responsible for connecting the physical layer with the layers above it. In this layer, the information travels in the form of datagrams or frames.
THE OSI MODEL
| Layer | Function |
|---|---|
| Application layer | Network services to applications |
| Presentation layer | |
| Session layer | Communication between network devices |
| Transport layer | End-to-end connection and data reliability |
| Network layer | Logical routing and addressing |
| Data link layer | Physical addressing (MAC and LLC) |
| Physical layer | Binary signal and transmission |
This layer performs several functions, all or part of which may be implemented depending on the protocol that is used:
- It controls access to the physical medium through which connected devices share and transmit information.
- It detects and potentially corrects errors, for example, in the event of interference or signal attenuation.
- It delivers data to the corresponding device based on its physical address, known as the Media Access Control address (MAC address).
- It controls the flow between two devices to avoid information loss and frame collision.
The data link layer is not immune to attacks.
In addition to attacks on vulnerabilities typical of systems that are misconfigured or not kept up to date, certain attacks are specific to LAN networks. Some of these attacks are mentioned below.
- Spoofing. Spoofing is an identity theft technique used by an attacker who impersonates a trusted entity, in this case, another device on the network, by changing its MAC address.
- Denial of Service (DoS). This technique attempts to prevent or limit access to a network device by saturating some of its resources, for example, by flooding the target device with unwanted traffic.
- Sniffing. The attacker listens to the transmitted traffic, but takes no action.
- DHCP Spoofing. The attacker places a fake DHCP server in the network to issue fake network information to clients.
- ARP poisoning. The attacker's goal is to modify the ARP table, where the mapping between a device's IP address and its MAC address is temporarily cached, so that a victim's IP address maps to the attacker's own MAC address, redirecting traffic to the attacker.
As we can see, some of the attacks mentioned above may also occur in other network layers.
These attacks pose a risk to the confidentiality, availability, and integrity of the information being transmitted.
The IEEE has developed the 802 family of protocols for LAN and WAN networks. These protocols are designed to enable interoperability among devices and the networks that support them. They can be implemented on an Ethernet network that supports this type of frame.
The primary goal of implementing these technologies in network devices is to protect the confidentiality, integrity, and availability of the information that is transmitted.
Below is a description of some layer 2 security protocols:
- Spanning Tree Protocol (STP) – 802.1D and Shortest Path Bridging (SPB) – 802.1aq
  - Prevents loops by enabling a single path between devices (bridge priority).
  - Protects against bandwidth flood attacks with specific layer 2 packets, such as fraudulent broadcast requests or Bridge Protocol Data Unit frames (BPDU frames).
- Port Security – 802.1X protocol extension
  - Allows only authorized devices to access a port, as the port is only enabled once authentication against the authentication server has been successful.
- MACsec – Media Access Control Security – 802.1AE
  - Confidentiality: the information is transmitted with encryption, which prevents its interception (sniffing).
  - Authentication: guarantees that the source is who it claims to be.
  - Integrity: checks the integrity of transmitted data.
- DHCP Snooping
  - DHCP Snooping operates at layer 2 by filtering unauthorized DHCP traffic. This prevents DHCP Spoofing attacks, where an attacker impersonates a DHCP server on the network. It also prevents unauthorized devices from fraudulently obtaining IP addresses.
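As an added example (not from the original article), the following Python model shows how DHCP Snooping, and the binding table it builds, addresses the DHCP Spoofing and ARP poisoning attacks listed above: DHCP server messages arriving on untrusted access ports are dropped, and ARP replies on those ports are checked against the snooping bindings (the check switches perform as Dynamic ARP Inspection). Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these message types

@dataclass
class Frame:
    port: str             # switch port the frame arrived on
    src_mac: str          # Ethernet source MAC
    kind: str             # "DHCP" or "ARP"
    msg: str              # DHCP message type, or "REQUEST"/"REPLY" for ARP
    ip: str               # yiaddr for DHCP; sender IP for ARP
    client_mac: str = ""  # DHCP chaddr (the client the lease is for)

class SnoopingSwitch:  # trusted ports lead to the real DHCP server; the rest are access ports
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> port, learned from DISCOVER/REQUEST
        self.bindings = {}   # client MAC -> (leased IP, port): the snooping binding table
        self.dropped = []    # what an operator would see in the switch log

    def handle(self, f):
        return self._dhcp(f) if f.kind == "DHCP" else self._arp(f)

    def _dhcp(self, f):
        if f.msg in SERVER_MSGS:
            if f.port not in self.trusted:  # a server answering from an access port is a rogue
                self.dropped.append(("rogue-dhcp-server", f.port, f.src_mac))
                return "drop"
            if f.msg == "ACK" and f.client_mac in self.pending:
                self.bindings[f.client_mac] = (f.ip, self.pending.pop(f.client_mac))
            return "forward"
        self.pending[f.client_mac] = f.port  # client message: remember where the client sits
        return "forward"

    def _arp(self, f):
        if f.port in self.trusted:
            return "forward"
        if self.bindings.get(f.src_mac) != (f.ip, f.port):  # sender MAC/IP/port must match a lease
            self.dropped.append(("arp-mismatch", f.port, f.src_mac, f.ip))
            return "drop"
        return "forward"

def run_demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})  # Gi0/1: uplink towards the legitimate DHCP server
    frames = [  # constructed sample traffic
        Frame("Gi0/5", "aa:aa:aa:aa:aa:01", "DHCP", "DISCOVER", "0.0.0.0", "aa:aa:aa:aa:aa:01"),
        Frame("Gi0/1", "00:11:22:33:44:55", "DHCP", "ACK", "10.0.0.50", "aa:aa:aa:aa:aa:01"),
        Frame("Gi0/7", "bb:bb:bb:bb:bb:02", "DHCP", "OFFER", "10.0.0.99", "aa:aa:aa:aa:aa:01"),  # rogue server
        Frame("Gi0/5", "aa:aa:aa:aa:aa:01", "ARP", "REPLY", "10.0.0.50"),  # legitimate lease holder
        Frame("Gi0/7", "bb:bb:bb:bb:bb:02", "ARP", "REPLY", "10.0.0.50"),  # poisoning attempt
    ]
    return [sw.handle(f) for f in frames], sw.bindings, sw.dropped
```

Running `run_demo()` forwards the legitimate DHCP exchange and ARP reply, drops the rogue OFFER and the ARP reply claiming the leased address, and leaves one binding for the real client.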
The final protocol we will mention is 802.1Q, the protocol that devices supporting VLANs must comply with. Although 802.1Q was not originally designed with security as its primary focus, its functionality contributes to enhancing security.
A VLAN allows defining logical network segments and effectively separating different types of traffic. This segmentation contributes to network security, as it reduces the attack surface, prevents unauthorized devices from intercepting network traffic, and minimizes the risk of lateral attacks between VLANs.
Finally, here are some basic security measures that should be considered:
- Close any unused ports.
- Make sure that the device can only be accessed through a secure protocol, such as SSH, never via Telnet.
- Change the default passwords of all network devices.
- Monitor the devices and centralize alerts to allow event correlation.
- Configure log settings to allow event traceability.
- Maintain external backups of device configuration.
- Analyze and implement the security protocols discussed above.
We also recommend considering whether the following measures are necessary:
- Statically configure the MAC addresses that are allowed to access the network, even though this is harder to maintain.
- Configure the DHCP service to assign IP addresses statically to each of the network’s MAC addresses, as this facilitates traceability.
IEEE 802.1D-2004, https://ieeexplore.ieee.org/document/1309630
IEEE 802.1AE: MAC Security (MACsec), https://1.ieee802.org/security/802-1ae/
DHCP Snooping, https://study-ccna.com/dhcp-snooping/