Layer 2 Security Best Practices
Single security zone, multiple user groups, multiple physical switches

This scenario is slightly more complex than the previous case. The design, shown in Figure , is one where high availability is a requirement and information must be trunked between the switches. In addition, the direction of traffic flow, as determined by STP, requires extra consideration when choosing some of the more specific mitigation techniques. VLANs provide traffic segmentation between the various user groups.

Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:

  • MAC spoofing
  • CAM table overflow
  • VLAN hopping
  • STP attacks

Mitigation
If the security zone is small enough, use port security to help mitigate the CAM table overflow and MAC spoofing vulnerabilities. Mitigate VLAN hopping by following the VLAN best practices outlined in this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to the security zone by an attacker who physically connects to a switch in the design. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
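The following IOS-style switch configuration is an added example of the mitigations above applied to one access switch in this design; it is not part of the original module. It assumes Gi1/0/1-24 are user access ports in VLAN 10, Gi1/0/48 is the inter-switch trunk carrying VLANs 10 and 20, VLAN 999 is an otherwise unused native VLAN, and 192.0.2.10 is a placeholder RADIUS server; the BPDU guard lines are a standard hardening step for the listed STP attacks that the mitigation text does not spell out.

```cisco
! Added example, not from the original module. Interface names, VLAN IDs,
! the RADIUS address and the shared secret are assumed placeholders.
!
! --- Access ports: port security against CAM table overflow and MAC spoofing ---
! nonegotiate disables DTP so a user port can never be talked into trunking.
! A small fixed MAC limit with sticky learning caps the CAM entries one port
! can inject; "restrict" drops offending frames and logs a violation.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- 802.1x on the same ports: a physically connected attacker must authenticate ---
aaa new-model
aaa authentication dot1x default group radius
radius server ZONE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
interface range GigabitEthernet1/0/1 - 24
 authentication port-control auto
 dot1x pae authenticator
!
! --- Inter-switch trunk: VLAN best practices against VLAN hopping ---
! The native VLAN is a dedicated unused VLAN, never a user VLAN, and the trunk
! is pruned to the VLANs that actually need to cross it.
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! --- Verification commands to run after applying ---
! show port-security interface GigabitEthernet1/0/1
! show dot1x interface GigabitEthernet1/0/1
! show interfaces trunk
! show spanning-tree summary
```

The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL; omit it on switches that are 802.1Q-only.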