Layer 2 Security Best Practices
Single security zone, one user group, multiple physical switches

This design provides for multiple physical switches within a single zone of trust; only traffic from one user group traverses the switches. It can be represented by a very large DMZ, as shown in Figure , or by a DMZ with multiple VLANs all within a single security zone of trust. It could also be represented as a Layer 3 switch within the DMZ that provides inter-VLAN routing.

Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:

  • MAC spoofing
  • CAM table overflow
  • VLAN hopping
  • Spanning tree attacks, in networks with multiple switches

Mitigation
If the security zone is small enough, use port security to mitigate both the CAM table overflow and the MAC spoofing vulnerabilities. BPDU guard and root guard mitigate attacks against the Spanning Tree Protocol (STP).

The Layer 2 switches are part of the security perimeter between zones of trust and should be managed as securely as possible, including SSH for command-line management, SNMPv3 for remote management, configuration audits, and regular penetration testing of each VLAN using tools capable of exploiting Layer 2 vulnerabilities, such as Dsniff.
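As an added example (not from the original document), the following Python audit supports the configuration-audit step above: it parses an IOS-style running-config and flags access ports and uplinks that lack the mitigations described, namely port security and BPDU guard on user-facing ports, root guard on uplinks, and DTP disabled (switchport nonegotiate) with an unused native VLAN on trunks against VLAN hopping. The sample configuration, interface names and the audit helper are constructed for illustration.

```python
# Constructed sample running-config; Gi1/0/2 is deliberately left unhardened.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport nonegotiate
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree guard root
"""
# Access ports: port security (CAM overflow, MAC spoofing), BPDU guard (STP
# attacks from hosts), DTP off so a host cannot negotiate a trunk (VLAN hopping).
ACCESS_REQUIRED = ("switchport port-security", "spanning-tree bpduguard enable",
                   "switchport nonegotiate")
# Uplinks: DTP off, and root guard so a rogue switch cannot become STP root.
TRUNK_REQUIRED = ("switchport nonegotiate", "spanning-tree guard root")
def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces

def audit(config):
    """Return {interface: [missing commands]} for ports lacking a mitigation."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        missing = []
        if "switchport mode access" in lines:
            missing = [c for c in ACCESS_REQUIRED if c not in lines]
        elif "switchport mode trunk" in lines:
            missing = [c for c in TRUNK_REQUIRED if c not in lines]
            # Double-tagged frames ride the native VLAN: it must be unused, not VLAN 1.
            native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[0].split()[-1] == "1":
                missing.append("switchport trunk native vlan <unused-vlan>")
        if missing:
            findings[name] = missing
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only GigabitEthernet1/0/2, listing the three access-port commands it lacks.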