This scenario is slightly more complex than the previous case. The design, shown in Figure , is one in which high availability is a requirement and VLAN information must be trunked between the switch devices. In addition, the direction in which network traffic travels, as determined by STP, needs extra consideration when choosing the more specific mitigation techniques. VLANs provide traffic segmentation between the various user groups.
Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:
- MAC spoofing
- CAM table overflow
- VLAN hopping
- STP attacks
Mitigation
If the security zone is small enough, use port security to help mitigate both the CAM table overflow vulnerability and the MAC spoofing vulnerability. VLAN hopping can be mitigated by following the VLAN best practices outlined in this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to the security zone by an attacker who physically connects to a switch in the design. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
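The following Cisco IOS switch configuration is an added example, not a configuration from this module, showing how the mitigations above map to interface commands: port security on access ports (CAM table overflow and MAC spoofing), trunk hardening per the usual VLAN best practices (VLAN hopping), 802.1x on user ports, and BPDU guard and root guard for the STP attacks listed under Vulnerabilities (a standard mitigation that the paragraph above does not itself spell out). Interface names, VLAN numbers, the RADIUS server address and shared secret are placeholders chosen for the example.

```cisco
! ---- Global: AAA / 802.1x (assumed RADIUS server address and key) ----
aaa new-model
aaa authentication dot1x default group radius
radius server ISE-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
dot1x system-auth-control
!
! Tag the native VLAN on all dot1q trunks so untagged frames cannot be
! injected onto the native VLAN (double-tagging form of VLAN hopping).
vlan dot1q tag native
!
! ---- User access port: port security + 802.1x + STP edge protection ----
interface GigabitEthernet1/0/1
 description user-port (example VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate                ! never auto-negotiate into a trunk (DTP)
 switchport port-security
 switchport port-security maximum 1    ! one learned MAC per port caps CAM flooding
 switchport port-security mac-address sticky
 switchport port-security violation restrict   ! drop + SNMP trap, port stays up
 authentication port-control auto      ! 802.1x: no traffic until authenticated
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable        ! err-disable if a BPDU arrives from a host
!
! ---- Inter-switch trunk: explicit VLAN list, unused native VLAN, root guard ----
interface GigabitEthernet1/0/48
 description trunk-to-distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate                ! static trunk, no DTP
 switchport trunk native vlan 999      ! native VLAN is an unused "black hole" VLAN
 switchport trunk allowed vlan 10,20,30
 spanning-tree guard root              ! refuse a superior BPDU that would move the root
!
! ---- Unused ports: shut down and parked in the black-hole VLAN ----
interface range GigabitEthernet1/0/2 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

To verify the result, `show port-security interface GigabitEthernet1/0/1` reports the configured maximum, violation mode and current secure addresses, `show interfaces trunk` confirms the native and allowed VLANs on the uplink, and `show spanning-tree summary` lists the ports protected by BPDU guard and root guard; checking these outputs after every change is what the "tested on a regular basis" requirement looks like in practice.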