This design provides for multiple physical switches existing within a single
zone of trust. Only traffic from one user group traverses the switch. This can
be represented by a very large DMZ as shown in Figure , or a DMZ with
multiple VLANs all existing within a single security zone of trust.
Additionally, this could also be represented as a Layer 3 switch within the DMZ
to provide inter-VLAN routing.
Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
- MAC spoofing
- CAM table overflow
- VLAN hopping
- Spanning tree attacks, in networks with multiple switches.
Mitigation
If the security zone is small enough, use port
security to help mitigate the CAM table overflow vulnerability as well as the
MAC spoofing vulnerability. BPDU guard and root guard can be used to mitigate
attacks against the Spanning Tree Protocol (STP).
The Layer 2 switches
are part of the security perimeter between zones of trust and should be
managed as securely as possible, including the use of SSH for command-line
management, SNMPv3 for remote management, configuration audits, and regular
penetration testing of each VLAN using tools capable of exploiting Layer 2
vulnerabilities, such as Dsniff.
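One way to turn the mitigation list and the configuration audits mentioned above into a repeatable check, as an added example that is not part of this design document: a small Python audit that parses an IOS-style running config and reports every access port lacking port security or BPDU guard. The config text is constructed, and the required-command baseline (ACCESS_PORT_REQUIRED) is an assumption chosen for illustration.

```python
# Added audit example (not from the design document). Config text below is
# constructed; the required-command baseline is an assumption for illustration.

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree guard root
!
"""

# Commands every access port must carry (assumed baseline for this audit).
ACCESS_PORT_REQUIRED = ("switchport port-security", "spanning-tree bpduguard enable")


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_access_ports(config):
    """Return sorted (interface, missing_command) pairs for access ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are judged by a different baseline
        for required in ACCESS_PORT_REQUIRED:
            # Exact match: "port-security maximum 2" alone does not enable
            # the feature; the bare enabling command must be present.
            if required not in lines:
                findings.append((name, required))
    return sorted(findings)
```

Running audit_access_ports(SAMPLE_CONFIG) flags GigabitEthernet0/2, which has PortFast but neither port security nor BPDU guard, while the hardened Gi0/1 and the trunk Gi0/24 produce no findings.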