The design shown in Figure is very similar to the previous scenario in that it has multiple user groups within the data center, each requiring its own level of security for its systems. However, in this case all of the user groups connect to a single central switch. VLANs can be used to provide traffic segregation between the security zones.
Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
- MAC spoofing, within VLANs
- CAM table overflow, through per VLAN traffic flooding
- VLAN hopping
- Private VLAN attacks, on a per VLAN basis
Mitigation
If the security zones are small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, VLAN hopping can be mitigated by following the VLAN best practices outlined within this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones by an attacker who physically connects to a switch in the design. Another possible mitigation method is to add a firewall within the data center design and integrate it into the central switch, as was done in the previous design. The firewall enforces additional Layer 3 traffic segregation between the various user groups. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
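As an added example (not part of the original module), the following script audits a constructed Cisco IOS-style running-config for the per-port mitigations described above: port security and 802.1x on access ports, and the VLAN best practices assumed here to be disabling DTP negotiation (`switchport nonegotiate`) and keeping the native VLAN off VLAN 1 on trunks. The sample interfaces and their settings are constructed for illustration.

```python
# Constructed sample running-config (not from the original page): two access
# ports in different security-zone VLANs and one trunk to the central switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport nonegotiate
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
"""


def parse_interfaces(config):
    """Return {interface name: set of indented config lines} per block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = set()
        elif current is not None and line.startswith(" "):
            blocks[current].add(line.strip())
        else:
            current = None          # left the interface block
    return blocks


def audit(config):
    """Map each interface to the list of mitigations it is missing."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        missing = []
        if "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                missing.append("port-security (CAM overflow, MAC spoofing)")
            if "dot1x pae authenticator" not in lines:
                missing.append("802.1x (unauthorized physical access)")
        if "switchport nonegotiate" not in lines:
            missing.append("nonegotiate (DTP-based VLAN hopping)")
        if "switchport trunk native vlan 1" in lines:
            missing.append("native VLAN 1 on trunk (double-tagging)")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, gaps in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not gaps else "; ".join(gaps))
```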