Layer 2 Security Best Practices
Single security zone, one user group, single physical switch

This design places a single physical switch inside one zone of trust; only traffic belonging to one user group traverses the switch. An example of such a design is a switch within a network DMZ created between an edge router and a corporate firewall, as shown in Figure . In this design all systems within the security zone are on the same VLAN.

Vulnerabilities
The primary Layer 2 vulnerabilities in this design include the following:

  • MAC spoofing
  • CAM table overflow

Mitigation
Use the mitigation techniques described in Figures through to secure the Layer 2 environment in this design. Static port security (a per-port limit on the number of learned MAC addresses) is administratively appropriate here because of the limited size of the design, and it addresses both vulnerabilities listed above: a flood of bogus source addresses cannot fill the CAM table, and an unexpected MAC address appearing on a single-host port triggers the configured violation action. The Layer 2 switches are part of the security perimeter between the zones of trust and should be managed as securely as possible, including SSH for command-line management, Simple Network Management Protocol Version 3 (SNMPv3) for remote management, configuration audits, and regular penetration testing of each VLAN with tools capable of exploiting Layer 2 weaknesses, such as Dsniff. An equally effective and less administratively taxing approach is dynamic port security through DHCP snooping and Dynamic ARP Inspection, as shown in Figure .
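As an added example, not taken from the original guide, the following Cisco IOS configuration applies the mitigations just described to the DMZ switch: static port security on the host-facing ports, DHCP snooping and Dynamic ARP Inspection on the zone's VLAN, and SSH plus SNMPv3 for management. The interface names, VLAN 10, the hostname and domain, the 192.0.2.10 host and its MAC address, the SNMPv3 group and user names, and the placeholder passphrases are all assumptions.

```cisco
! Added example configuration (assumed interface names, VLAN and addresses).
hostname dmz-sw1
ip domain-name example.com
!
! --- Static port security on every host-facing port ---
! One learned MAC per port: a flood of random source MACs (CAM table
! overflow) or a second MAC on a single-host port (MAC spoofing) hits
! the violation action instead of being learned. "restrict" drops the
! offending frames and raises a counter/trap without err-disabling the
! port, so an attacker cannot knock a DMZ server offline simply by
! sending a spoofed frame.
interface range GigabitEthernet1/0/1 - 8
 description DMZ hosts (VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
!
! --- Dynamic protection for the VLAN: DHCP snooping + DAI ---
! DAI validates ARP replies against the DHCP snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; many DHCP servers drop
! relayed requests that carry it unless configured to accept them.
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! DMZ hosts commonly use static addresses and therefore have no
! snooping binding; an ARP ACL tells DAI which IP/MAC pairs are legitimate.
arp access-list DMZ-STATIC
 permit ip host 192.0.2.10 mac host 0011.2233.4455
ip arp inspection filter DMZ-STATIC vlan 10
!
! Only the uplink toward the edge router / DHCP server is trusted.
interface GigabitEthernet1/0/24
 description uplink to edge router
 switchport mode trunk
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Management plane: SSH only, SNMPv3 with authentication and privacy ---
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
!
snmp-server group SECOPS v3 priv
snmp-server user netmon SECOPS v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
```

After applying this, `show port-security interface` confirms the per-port MAC limit and violation count, and `show ip dhcp snooping binding` together with `show ip arp inspection vlan 10` confirms that the VLAN is being inspected and which ports are trusted. Sticky addresses are written to the running configuration, so a configuration audit can diff the learned MAC list against the expected inventory of DMZ hosts.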


Web Links