Your SlideShare is downloading. ×
Frame - MAC Address Threats & Vulnerabilities
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Frame - MAC Address Threats & Vulnerabilities

371
views

Published on

Ethernet Frames - MAC Sublayer - 802.3 …

Ethernet Frames - MAC Sublayer - 802.3
ARP spoofing / ARP pollution example

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
371
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. FRAME - MAC ADDRESS THREATS & VULNERABILITIES ETHERNET FRAMES - MAC SUBLAYER - 802.3 By Marc-Andre Heroux CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM V. 1.0 Security & Compliance Advisor
  • 2. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME  In this demonstration, we have the machine2.mydomain.net (IP: 10.0.0.2) sending to machine3.mydomain.net (IP: 10.0.1.2).  Router/firewall uses datagrams at layer 3 with two components: a header and a payload. Ethernet works at layer 2 with frames (data link layer) and Address Resolution Protocol (ARP) is used (e.g.: MAC address resolution). All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.0.2 What is MAC address of 10.0.1.2? 10.0.1.2 Initial transmission request Frame sent to all ports Broadcasting
  • 3. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME MAC ADDRESS DESCRIPTION All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
  • 4. HOW FRAMES ARE SENT? MAN-IN-THE-MIDDLE ATTACK  If the switch ARP cache table does not contain any entry for 10.0.1.2, the frame is sent to all ports. If any IP address corresponds to 10.0.1.2, the ARP reply will contain the destination MAC. If not found at the switch level, the frame will sent to all ports. If a switch or a router is connected, they will receive the ARP request. 10.0.0.2 What is MAC address of 10.0.1.2? Potential Man-In-THE-MIDDLE Attack on MAC HEADER IN the data payload section. All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.1.2 Uses it’s own source MAC when sending request Initial transmission request Frame sent to all ports Broadcasting MAC not found
  • 5. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME  The router will then respond with it's MAC and the switch will update it’s table, a new MAC header will usually be created and frames will be sent to router and the discovery/transmission will continue to the next hop. In our example, we have many organizational routable subnets divided by routers and connected to various switches. 10.0.0.2 What is MAC address of 10.0.1.2? MAC not found Potential Man-In-THE-MIDDLE Attack on MAC HEADER IN the data payload section. All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.1.2 Uses is own source MAC when sending request Initial transmission request Frame sent to all ports Broadcasting
  • 6. CONCLUSION  Prevent threat agent to connect to your local network and avoid many incidents against Ethernet frame;  Detect and stop abnormal activities;  Most networks are running IPV4 and uses ARP. The same principles exist for IPV6 and Neighbor Discovery Protocol (NDP). Monitoring Logging Detection Correlation Alerting Correction All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0