Switch Security Issues
Overview of switch security concerns

Much industry attention centers on attacks that come from outside the walls of an organization and that target the upper OSI layers. Network security coverage often focuses on edge-routing devices and the filtering of packets based on Layer 3 and 4 headers, ports, stateful packet inspection, and so on. This covers the issues surrounding Layer 3 and above as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions.

The default state of networking equipment reflects this focus on external protection and open internal communication. Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until configured to do so. Routers and switches, placed inside an organization and designed to carry necessary campus traffic, have a default operational mode that forwards all traffic unless configured otherwise. Because their function is to facilitate communication, they often receive minimal security configuration, which makes them targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.

Switches and routers have many security features available, but they must be enabled to be effective. Just as security had to be tightened on Layer 3 devices within the campus when malicious activity compromising that layer increased, security measures must now be taken to guard against malicious activity at Layer 2. A new area of security focus centers on attacks that maliciously leverage normal Layer 2 switch operations. Security features exist to protect switches and Layer 2 operations but, as with ACLs for upper-layer security, a policy must be established and the appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

