LAN Security

Welcome to LAN Security Concepts!

As Network administrators we routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. We use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure. The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.

MAC Address Table Flooding

We begin with MAC address flooding attacks, all MAC tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full. When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic out all ports on the same VLAN without referencing the MAC table. This condition now allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.

What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack very quickly. For instance, a Catalyst 2950 switch can store 8,189 MAC addresses in its MAC address table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second; creating a MAC address table overflow attack in a matter of a few seconds. Another reason why these attack tools are dangerous is because they not only affect the local switch, they can also affect other connected Layer 2 switches. When the MAC address table of a switch is full, it starts flooding out all ports including those connected to other Layer 2 switches.


Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local LAN or VLAN to which the threat actor is connected.

The next video demonstration shows how a threat actor can easily use the network attack tool macof to overflow a MAC address table.

MAC Address Table Attack Mitigation

Thankfully, mitigating MAC address table overflow attacks is easy, we must implement port security. Port security will only allow a specified number of source MAC addresses to be learned on the port. The next video demonstration shows how we can implement port security and some Cisco port security helpful features.

Mitigate Layer 2 attacks on Cisco switches.