Much industry attention surrounds security attacks that originate outside the
walls of an organization and target the upper OSI layers. Network security
coverage often focuses on edge-routing devices and the filtering of packets
based on Layer 3 and 4 headers, ports, stateful packet inspection, and similar
controls. This covers Layer 3 and above as traffic makes its way into the
campus network from the Internet. Campus access-layer devices and Layer 2
communication are left largely unconsidered in most security discussions.

The default state of networking equipment highlights this focus on external
protection and open internal communication. Firewalls, placed at the
organizational borders, arrive in a default-deny operational mode and allow no
communication until configured to do so. Routers and switches placed inside an
organization are designed to accommodate communication and deliver campus
traffic as needed, so their default operational mode forwards all traffic
unless configured otherwise. Their role as devices that facilitate
communication often results in minimal security configuration and leaves them
as targets for malicious attacks. If an attack is launched at Layer 2 against
an internal campus device, the rest of the network can be compromised quickly,
and often without detection: the traffic never crosses the perimeter firewall,
so the edge controls that most monitoring is built around never see it.

Switches and routers have many security features available, but they must be
enabled to be effective. Just as security on Layer 3 devices within the campus
had to be tightened once malicious activity began compromising that layer,
measures must now be taken to guard against malicious activity at Layer 2. A
new area of security focus centers on attacks that abuse normal Layer 2 switch
operations. Security features exist to protect switches and Layer 2
operations, but, as with ACLs for upper-layer security, a policy must be
established and the appropriate features configured to protect against
malicious acts while maintaining daily network operations.