1. Home
  2. Networking
  3. Integrated cisco and unix network architectures

A Few Words on Layer 2 Security

Although security considerations are explicitly not part of this book, the following brief discussion of Layer 2 security is the famous exception to the rule. To put things into perspective, just consider the following statements and suggestions when dealing with Layer 2 security:

  • In essence, VLANs are not impenetrable, and neither are VLAN trunks.

  • STP is slowly converging. If failing, it effectively brings down entire switched networks.

  • The more performing a device is, the more it is vulnerable to denial of service (DoS) attacks, and the more disastrous the effects get. If you do not believe this statement, try a debug all on a Cisco 12000 backbone router.

  • Always configure passwords when using VTP.

  • Protect important devices (gateways) with permanent (static) MAC entries.

  • Spoofing attacks work using three hooks on several layers:

    - ARP protocol/caches

    - IP source address spoofing

    - DNS resolution

Possible attack patterns include the following:

  • Switch saturation might lead to VLAN leaking

  • Broadcast and multicast issues

  • ARP cache poisoning

  • VLAN hopping (forged VLAN identifiers)

  • VTP attacks

  • STP attacks (BPDUs)



    		Command Syntax Conventions
    		Chapter 1. Operating System Issues and Features-The Big Picture
    		Chapter 2. User-Space Routing Software
    		Chapter 3. Kernel Requirements for a Full-Featured Lab
    		Chapter 4. Gateway WAN/Metro Interfaces
    		Chapter 5. Ethernet and VLANs
    		Ethernet NICs
    		Hubs, Bridges, and Multilayer Switches
    		Access Ports, Uplinks, Trunks, and EtherChannel Port Groups
    		Alias Interfaces
    		VLAN Configurations
    		A Few Words on Cabling
    		Lab 5-1: FreeBSD Bridge Cluster Lab
    		Lab 5-2: Linux Bridging and the Spanning Tree
    		Lab 5-3: OpenBSD Bridging and Spanning Tree
    		A Few Words on Layer 2 Security
    		Exercise 5-1: Linux/FreeBSD Ethernet Channel Bonding
    		Exercise 5-2: STP Operation
    		Summary
    		Recommended Reading
    		Chapter 6. The Analyzer Toolbox, DHCP, and CDP
    		Chapter 7. The UNIX Routing and ARP Tables
    		Chapter 8. Static Routing Concepts
    		Chapter 9. Dynamic Routing Protocols-Interior Gateway Protocols
    		Chapter 10. ISP Connectivity with BGPv4-An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing
    		Chapter 11. VPN Technologies, Tunnel Interfaces, and Architectures
    		Chapter 12. Designing for High Availability
    		Chapter 13. Policy Routing, Bandwidth Management, and QoS
    		Chapter 14. Multicast Architectures
    		Chapter 15. Network Address Translation
    		Appendix A. UNIX Kernel Configuration Files
    		Appendix B. The FreeBSD Netgraph Facility