Layer 2 Security Best Practices
Multiple security zones, one user group, single physical switch

This design places a single physical switch in two security zones of trust, with traffic from only one user group traversing the switch. An example is a switch that does double duty on both the DMZ and internal interfaces of a firewall. VLANs separate traffic on a single physical LAN into multiple logical LANs through the use of VLAN tags, so VLANs can be considered one way of segmenting multiple firewall interfaces on a single switch, as shown in Figure . In this example the external network, the DMZ, and the internal network all use the same switch for Layer 2 connectivity. The external network traffic is tagged with VLAN ID 100, while the internal network traffic is tagged with VLAN ID 200. While it is technically feasible to make this design secure, there are significant ramifications should the switch be compromised.

Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:

  • MAC spoofing within VLANs
  • CAM table overflow through per-VLAN traffic flooding
  • VLAN hopping

Mitigation
If the security zones are small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
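An added example, not part of this document: a small Python audit that reads an IOS-style running-config and reports access ports lacking port security and trunks left open to VLAN hopping. The config text and interface names are constructed, and the VLAN best practices assumed here (disable DTP with switchport nonegotiate, do not use VLAN 1 as the trunk native VLAN) are common guidance rather than text from this page.

```python
# Constructed sample config (not from the page): hardened DMZ port, bare internal port, firewall trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security violation restrict
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each interface name to the set of its (stripped) config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces

def audit(config):
    """Return {interface: [findings]} for ports missing the mitigations."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                issues.append("no port security (CAM overflow / MAC spoofing)")
            if "switchport nonegotiate" not in lines:
                issues.append("DTP still enabled (VLAN hopping)")
        elif "switchport mode trunk" in lines:
            native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")]
            if (native or ["1"])[0] == "1":
                issues.append("native VLAN 1 on trunk (VLAN hopping)")
        else:  # simplification: anything else is left negotiating via DTP
            issues.append("no explicit switchport mode (DTP)")
        if issues:
            findings[name] = issues
    return findings
```

Running audit(SAMPLE_CONFIG) flags only GigabitEthernet1/0/2; feed it the output of "show running-config" to check a real switch against the same rules.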

In the design shown in Figure , another mitigation approach would be to split the Layer 2 functionality across two separate physical switches. If this is done, the mitigation techniques described in case #1 apply to each of the two distinct security zones.

If private VLANs (PVLANs) are employed in any of the VLANs, consideration must be given to the possibility of private VLAN attacks. If the VLANs use DHCP for address assignment, DHCP starvation by an attacker also needs to be considered.