In this design a single physical switch sits entirely within one zone of
trust, and only traffic belonging to one user group traverses the switch. An
example of such a design would be a switch within a network DMZ created between
an edge router and a corporate firewall as shown in Figure
. In this design
all systems within the security zone are on the same VLAN.
Vulnerabilities
The primary Layer 2 vulnerabilities in this design include the following:
- MAC spoofing
- CAM table overflow
Mitigation
Use the mitigation techniques described in
Figures
through
to secure the
Layer 2 environment in this design. Static port security may be administratively
appropriate here because the design is small. The Layer 2 switches form part of
the security perimeter between the zones of trust and should be managed as
securely as possible, including SSH for command-line management, Simple Network
Management Protocol version 3 (SNMPv3) for remote management, configuration
audits, and regular penetration testing of each VLAN using tools capable of
exploiting Layer 2 vulnerabilities, such as Dsniff.
An equally effective and less administratively taxing approach is to use
dynamic port security through DHCP snooping and Dynamic ARP Inspection, as
shown in Figure
.
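The following Cisco IOS configuration is an added example, not taken from the original paper, showing both mitigation paths described above for a single DMZ VLAN: static port security against MAC spoofing and CAM table overflow, then DHCP snooping with Dynamic ARP Inspection, plus SSH and SNMPv3 for management. VLAN 10, the interface names, hostname, domain and the SNMP user are assumed values for illustration.

```cisco
! --- Management plane: SSH only, SNMPv3 with authentication and privacy ---
hostname DMZ-SW1
ip domain-name dmz.example.com
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
! SNMPv3 group with auth+priv; the read-only NMS user is an assumed name
snmp-server group DMZ-RO v3 priv
snmp-server user nms DMZ-RO v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
!
! --- Option 1: static port security on each DMZ host port (small design) ---
! "maximum 1" defeats CAM table overflow; sticky learning pins the first MAC
! seen so a spoofed source MAC on the same port triggers a violation.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- Option 2: dynamic protection with DHCP snooping + Dynamic ARP Inspection ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Host ports stay untrusted; rate-limit ARP so a flood errdisables the port
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
! Uplink toward the firewall / DHCP server is the only trusted port
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Caveat: DAI validates ARP against the DHCP snooping binding table. DMZ hosts
! with static addresses never appear there, so add a static binding per host
! (MAC, VLAN, IP and interface below are constructed sample values).
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface FastEthernet0/2
```

Verify the result with `show port-security interface FastEthernet0/1`, `show ip dhcp snooping binding` and `show ip arp inspection vlan 10` before declaring the VLAN protected.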