[SCADASEC] Shedding light on the Layer 2 OSI protocol

David Barroso dbarroso at s21sec.com
Mon Feb 18 11:59:22 CST 2008


Just to add more information, with a simple Spanning Tree attack in a  
non-secured spanning tree implementation (a normal scenario nowadays),  
an attacker can smash down the entire network in less than a minute:  
you will start seeing looped packets until the network is totally  
unusable. It is not tightly related to SCADA but more and more SCADA
gear runs over Layer 2 protocols like Spanning Tree and similar.

David

On 18/02/2008, at 18:44, Bob Radvanovsky wrote:

> One of you had brought up a good question about why I thought that  
> posting about the Cisco vulnerability was relevant to SCADA.   
> Simple.  Cisco products are utilized as enterprise switches and  
> routers (either combined or separately) within these environments.   
> It might not affect control systems devices directly, but  
> indirectly, they could be compromised.
>
> The Layer 2 protocol is part of the OSI network protocol, and is  
> utilized for all sorts of functions within and through a networked  
> enterprise, including: L2TP VPN tunneling, spanning tree protocol  
> (STP), VLANs and more.  Layer 2 is referred to as the "Data Layer",  
> consisting of two (2) sublayers beneath it:  The Logical Link  
> Control Sublayer and the Media Access Control Sublayer.  The term  
> "media access control", as many of you know, is the MAC address for  
> a NIC card, so this is *very* important esp. when switching packets  
> across a switched network.
>
> More about the sublayers is shown below:
>
> Logical Link Control Sublayer
>
> The uppermost sublayer is Logical Link Control (LLC). This sublayer  
> multiplexes protocols running atop the data link layer, and  
> optionally provides flow control, acknowledgment, and error  
> recovery. The LLC provides addressing and control of the data link.  
> It specifies which mechanisms are to be used for addressing stations  
> over the transmission medium and for controlling the data exchanged  
> between the originator and recipient machines.
>
> Media Access Control Sublayer
>
> The sublayer below it is Media Access Control (MAC). Sometimes this  
> refers to the sublayer that determines who is allowed to access the  
> media at any one time (usually CSMA/CD). Other times it refers to a  
> frame structure with MAC addresses inside. There are generally two  
> forms of media access control: distributed and centralized. Both of  
> these may be compared to communication between people:
>
>    * In a network made up of people speaking, i.e. a conversation,  
> we look for clues from our fellow talkers to see if any of them  
> appear to be about to speak. If two people speak at the same time,  
> they will back off and begin a long and elaborate game of saying  
> "no, you first".
>
> The Media Access Control sublayer also determines where one frame of  
> data ends and the next one starts. In a snail-mail network, each  
> letter is one frame of data, and one can tell where it begins and  
> ends because it is inside an envelope. One might also specify that a  
> letter will begin with a phrase like "Dear Sir", and ends with a  
> phrase like "Yours faithfully".
>
> ======================
>
> URL on Data Layer:            http://en.wikipedia.org/wiki/Data_link_layer
> URL about OSI network model:  http://en.wikipedia.org/wiki/OSI_model
> URL on Cisco L2TP:            http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/l2tpT.html
>
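
A defender-side check for the Spanning Tree scenario raised in this thread, as an added example that is not part of the original messages: it parses 802.1D BPDUs from raw frames and flags a BPDU seen on a host-facing port or one claiming a better root than the expected bridge, the conditions that switch features such as BPDU Guard and Root Guard act on. Port names, bridge IDs, alert names and the sample frames are constructed assumptions.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                  # DSAP, SSAP, control used by STP

def parse_bpdu(frame):
    """Parse an 802.3/LLC frame; return BPDU fields, or None if not a valid BPDU."""
    if len(frame) < 21 or frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    proto, _version, btype = struct.unpack_from("!HBB", frame, 17)
    if proto != 0:
        return None
    bpdu = {"src": frame[6:12].hex(":"), "type": btype}
    if btype in (0x00, 0x02):              # configuration / RST BPDU carry root info
        if len(frame) < 52:                # 17 header bytes + 35-byte BPDU
            return None
        _flags, root, cost, bridge = struct.unpack_from("!B8sI8s", frame, 21)
        bpdu.update(root=int.from_bytes(root, "big"), cost=cost,
                    bridge=int.from_bytes(bridge, "big"))
    return bpdu

def check(port, frame, edge_ports, expected_root):
    """Return the list of alert names (hypothetical labels) for one frame seen on `port`."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return []
    alerts = []
    if port in edge_ports:                 # end hosts should never send BPDUs
        alerts.append("bpdu-on-edge-port")
    if bpdu.get("root", expected_root) < expected_root:  # lower ID wins the election
        alerts.append("superior-root-claim")
    return alerts

def bridge_id(priority, mac):
    """64-bit bridge ID: 16-bit priority followed by the 48-bit MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)

def constructed_frame(root, src_mac):
    """Constructed sample input: a configuration BPDU whose sender claims `root`."""
    rid = root.to_bytes(8, "big")
    bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, rid, 0, rid,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    src = bytes.fromhex(src_mac.replace(":", ""))
    return STP_MCAST + src + struct.pack("!H", 3 + len(bpdu)) + LLC_STP + bpdu

# Constructed values for illustration only
EXPECTED_ROOT = bridge_id(4096, "00:11:22:33:44:55")
EDGE_PORTS = {"Gi0/7"}
LEGIT = constructed_frame(EXPECTED_ROOT, "00:11:22:33:44:55")
ROGUE = constructed_frame(bridge_id(0, "02:00:00:00:00:01"), "02:00:00:00:00:01")
```

Fed from a capture on a monitoring port, `check` returns an empty list for the legitimate root's BPDU on an uplink and both alerts for the constructed rogue frame on the host-facing port.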



