The design shown in Figure represents the most complex of the series. It is very similar to the previous scenario in having multiple user groups within the data center, each requiring their own level of security for their systems. Instead of all the user groups connecting to a single central switch, there are multiple switches operating at both Layer 2 and Layer 3 throughout the design. VLANs can be used to provide traffic segregation between the security zones. The need to provide high security in some of the zones may require additional measures.
Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
- MAC spoofing, within VLANs
- CAM table overflow, through per VLAN traffic flooding
- VLAN hopping
- STP attacks
- VTP attacks
If private VLANs are implemented within each VLAN, this design may also be vulnerable to a private VLAN proxy attack. Additionally, if one of the VLANs is large and DHCP is used for address management, then this design may be vulnerable to DHCP starvation attacks.
Mitigation
If the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined within this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the data center design and integrate it into one or more of the switches, similar to that employed in the case #6 design. The firewall enforces additional Layer 3 traffic segregation between the various user groups. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
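A Catalyst IOS-style configuration that applies the mitigations named above (port security, VLAN best practices against hopping and VTP, BPDU guard, DHCP snooping rate limits, and 802.1x) to one access port and one uplink trunk in a security zone. This is an added example, not configuration from the original module; interface names, VLAN IDs, the RADIUS address and the shared secret are assumed placeholders, and exact command syntax varies by platform and IOS version.

```cisco
! Added example, not from the original module. Interface names, VLAN IDs,
! the RADIUS server address and the shared secret are assumed placeholders.
!
! VTP attacks: this switch never accepts VLAN databases from the wire.
vtp mode transparent
!
! DHCP starvation: snoop DHCP in the zone VLANs, rate-limit it per port.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! 802.1x: hosts authenticate against RADIUS before entering a zone.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server ZONE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! STP attacks: every PortFast edge port drops and errdisables on a BPDU.
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description access port, security zone A (VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! MAC spoofing / CAM overflow: at most two learned MACs, kept across reloads.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 ip dhcp snooping limit rate 15
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 description uplink trunk to the Layer 3 distribution switch
! VLAN hopping: static trunk, no DTP, unused native VLAN, explicit VLAN list.
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
! DHCP offers legitimately arrive from upstream, so only the uplink is trusted.
 ip dhcp snooping trust
```

Verify the result with `show port-security interface`, `show ip dhcp snooping`, `show interfaces trunk` and `show dot1x all` after applying it on a lab switch.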