Frame - MAC Address Threats & Vulnerabilities

Ethernet Frames - MAC Sublayer - 802.3
ARP spoofing / ARP pollution example

Published in: Technology

  1. FRAME - MAC ADDRESS THREATS & VULNERABILITIES: ETHERNET FRAMES - MAC SUBLAYER - 802.3. By Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM, Security & Compliance Advisor. V. 1.0
  2. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME
     • In this demonstration, machine2.mydomain.net (IP: 10.0.0.2) is sending to machine3.mydomain.net (IP: 10.0.1.2).
     • A router/firewall works at layer 3 with datagrams, which have two components: a header and a payload. Ethernet works at layer 2 (data link layer) with frames, and the Address Resolution Protocol (ARP) is used (e.g., for MAC address resolution).
     [Diagram labels: 10.0.0.2; "What is MAC address of 10.0.1.2?"; 10.0.1.2; Initial transmission request; Frame sent to all ports; Broadcasting]
     All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
  3. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME: MAC ADDRESS DESCRIPTION
  4. HOW FRAMES ARE SENT? MAN-IN-THE-MIDDLE ATTACK
     • If the switch ARP cache table does not contain any entry for 10.0.1.2, the frame is sent to all ports. If any IP address corresponds to 10.0.1.2, the ARP reply will contain the destination MAC. If not found at the switch level, the frame will be sent to all ports. If a switch or a router is connected, it will receive the ARP request.
     [Diagram labels: 10.0.0.2; "What is MAC address of 10.0.1.2?"; Potential man-in-the-middle attack on MAC header in the data payload section; 10.0.1.2; Uses its own source MAC when sending request; Initial transmission request; Frame sent to all ports; Broadcasting; MAC not found]
  5. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME
     • The router will then respond with its MAC and the switch will update its table. A new MAC header will usually be created, the frames will be sent to the router, and the discovery/transmission will continue to the next hop. In our example, we have many organizational routable subnets divided by routers and connected to various switches.
     [Diagram labels: 10.0.0.2; "What is MAC address of 10.0.1.2?"; MAC not found; Potential man-in-the-middle attack on MAC header in the data payload section; 10.0.1.2; Uses its own source MAC when sending request; Initial transmission request; Frame sent to all ports; Broadcasting]
  6. CONCLUSION
     • Prevent threat agents from connecting to your local network and avoid many incidents against Ethernet frames;
     • Detect and stop abnormal activities;
     • Most networks run IPv4 and use ARP. The same principles exist for IPv6 and the Neighbor Discovery Protocol (NDP).
     [Diagram labels: Monitoring; Logging; Detection; Correlation; Alerting; Correction]
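
As an added example (not part of the original slides) of the "detect abnormal activities" step in the conclusion, the sketch below parses Ethernet frames carrying ARP and raises an alert when an IP address is claimed by a new MAC, or when the frame's source MAC disagrees with the sender MAC inside the ARP payload. The function names, the MAC addresses and the sample frames are constructed for illustration; only the two IP addresses come from the slides.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:                           # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                       # EtherType for ARP
        return None
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(eth_src), mac(sha), ".".join(map(str, spa))

def monitor(frames):
    """Return alerts as (frame_no, reason, ip, claimed_mac); the first-seen binding is the baseline."""
    bindings, alerts = {}, []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if eth_src != sha:                        # frame header and ARP payload disagree
            alerts.append((n, "src-mismatch", spa, sha))
        if bindings.setdefault(spa, sha) != sha:  # IP now claimed by a different MAC
            alerts.append((n, "binding-changed", spa, sha))
    return alerts

def build(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Assemble a constructed Ethernet + ARP frame for the sample input below."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    i = lambda a: bytes(int(x) for x in a.split("."))
    return (h(eth_dst) + h(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + h(sha) + i(spa) + h(tha) + i(tpa))

# Constructed sample traffic; the MAC addresses are made up (locally administered range).
HOST, PEER, OTHER = "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:66"
SAMPLE = [
    build(HOST, "ff:ff:ff:ff:ff:ff", 1, HOST, "10.0.0.2", "00:00:00:00:00:00", "10.0.1.2"),
    build(PEER, HOST, 2, PEER, "10.0.1.2", HOST, "10.0.0.2"),    # expected reply
    build(OTHER, HOST, 2, OTHER, "10.0.1.2", HOST, "10.0.0.2"),  # same IP, new MAC
    build(OTHER, HOST, 2, PEER, "10.0.1.2", HOST, "10.0.0.2"),   # header/payload mismatch
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert)
```

Keeping the first-seen binding as the baseline means a conflicting reply keeps alerting until someone reviews it; legitimate changes such as a replaced network card need an explicit baseline update.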
