A Few Words on Layer 2 Security

Although security considerations are explicitly not part of this book, the following brief discussion of Layer 2 security is the proverbial exception to the rule. To put things into perspective, keep the following statements and suggestions in mind when dealing with Layer 2 security:

  • VLANs are a segmentation mechanism, not a security boundary: neither VLANs nor VLAN trunks are impenetrable.

  • STP converges slowly, and when it fails, the resulting loops and broadcast storms can effectively bring down an entire switched network.

  • A high-performance device is not immune to denial of service (DoS) attacks: its control plane (CPU and management processes) is still a bottleneck, and the more traffic it carries, the more disastrous the effect when it stalls. If you do not believe this statement, try a debug all on a Cisco 12000 backbone router.

  • Always configure a VTP domain password when using VTP; an unauthenticated VTP advertisement with a higher revision number can overwrite the VLAN database of every switch in the domain. If you do not need VTP, run the switches in transparent mode.

  • Protect important devices (gateways) with permanent (static) entries: a static MAC address table entry on the switch pins the gateway's MAC to its port, and a static ARP entry on the hosts pins the gateway's IP to its MAC, so neither binding can be relocated by a spoofed frame.

  • Spoofing attacks have three footholds at different layers, none of which carries authentication:

    - ARP (unsolicited replies are accepted and poison the cache)

    - IP source address spoofing

    - DNS resolution (forged or poisoned answers)

Possible attack patterns include the following:

  • Switch saturation (MAC flooding of the CAM table) makes the switch flood unknown unicast frames like a hub and might lead to VLAN leaking

  • Broadcast and multicast storms, which exhaust links and CPUs alike

  • ARP cache poisoning, the basis of man-in-the-middle attacks within a VLAN

  • VLAN hopping with forged VLAN identifiers (double-tagged 802.1Q frames, or negotiating a trunk via DTP)

  • VTP attacks (forged advertisements against an unauthenticated domain)

  • STP attacks (forged BPDUs, typically to become root bridge and pull traffic through the attacker)

Countermeasures a practitioner will want in place against this list: port security (limit the MACs learned per port), BPDU guard and root guard on access ports, DTP disabled on access ports, a native VLAN that carries no user traffic, and DHCP snooping with dynamic ARP inspection where the switch supports it.
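The following is an added example, not code from this book: a small frame inspector that recognises four of the attack patterns above (ARP cache poisoning against a statically bound gateway, double-tagged VLAN hopping frames, forged BPDUs on an access port, and MAC flooding) in hand-constructed Ethernet frames. The MAC and IP addresses are made up from the RFC 7042 / RFC 5737 documentation ranges, the flood threshold of 4 is an artificially low demo value, and the monitor models a single access port with no real switch behind it.

```python
"""Frame checks for the Layer 2 attack patterns listed above.  Added example, not
code from the book; addresses come from the RFC 5737/7042 documentation ranges."""
import struct
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_ARP = 0x8100, 0x0806
STP_MCAST = "01:80:c2:00:00:00"   # bridge group address that carries STP BPDUs
LLC_STP_SAP = b"\x42\x42"         # DSAP/SSAP of the spanning tree protocol

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_frame(dst, src, ethertype, payload, vlans=()):
    """Each entry in `vlans` pushes one 802.1Q tag: two entries = double tagging."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload

def build_arp(opcode, smac, sip, tmac, tip):
    """Ethernet/IPv4 ARP body (RFC 826); opcode 1 = request, 2 = reply."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac_bytes(smac)
            + IPv4Address(sip).packed + mac_bytes(tmac) + IPv4Address(tip).packed)

def parse_frame(frame):
    """Strip the MAC header and every stacked 802.1Q tag.  A type value below
    1536 is an 802.3 length; the payload then starts with LLC (how BPDUs travel)."""
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"dst": mac_str(dst), "src": mac_str(src), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[off + 2:]}

def parse_arp(payload):
    """Sender fields only; that is all the poisoning checks need."""
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "smac": mac_str(payload[8:14]),
            "sip": str(IPv4Address(payload[14:18]))}

class AccessPortMonitor:
    """Stateful checks for one access port.  `static_ip_mac` is the permanent
    gateway binding recommended above; `flood_threshold` is the number of distinct
    source MACs after which CAM saturation is reported (port security would use a
    handful; the demo uses 4 to keep the frame list short)."""

    def __init__(self, static_ip_mac, flood_threshold=64):
        self.static, self.learned = dict(static_ip_mac), {}
        self.src_macs, self.flood_threshold = set(), flood_threshold

    def inspect(self, frame):
        f, alerts = parse_frame(frame), []
        self.src_macs.add(f["src"])
        if len(self.src_macs) == self.flood_threshold:
            alerts.append(f"MAC flooding: {self.flood_threshold} source MACs on one port")
        if len(f["vlans"]) > 1:
            alerts.append(f"VLAN hopping: double-tagged frame, tags {f['vlans']}")
        if (f["dst"] == STP_MCAST and f["ethertype"] < 1536
                and f["payload"][:2] == LLC_STP_SAP):
            alerts.append(f"STP attack: BPDU from {f['src']} on an access port")
        if f["ethertype"] == ETH_P_ARP and (arp := parse_arp(f["payload"])):
            alerts.extend(self._check_arp(arp))
        return alerts

    def _check_arp(self, arp):
        ip, mac = arp["sip"], arp["smac"]
        if ip in self.static:                     # gateway: never accept a new MAC
            if mac != self.static[ip]:
                return [f"ARP poisoning: {ip} claimed by {mac}, static entry is {self.static[ip]}"]
            return []
        first = self.learned.setdefault(ip, mac)  # other hosts: keep first binding seen
        return [f"ARP binding changed: {ip} was {first}, now {mac}"] if first != mac else []

def demo():
    """Run constructed frames through the monitor and return the alert lines."""
    gw_ip, gw_mac, attacker = "192.0.2.1", "00:00:5e:00:53:01", "00:00:5e:00:53:aa"
    bcast = "ff:ff:ff:ff:ff:ff"
    mon = AccessPortMonitor({gw_ip: gw_mac}, flood_threshold=4)
    frames = [
        # legitimate ARP reply from the gateway: no alert
        build_frame("00:00:5e:00:53:10", gw_mac, ETH_P_ARP,
                    build_arp(2, gw_mac, gw_ip, "00:00:5e:00:53:10", "192.0.2.10")),
        # attacker's gratuitous reply claiming the gateway IP (ARP cache poisoning)
        build_frame(bcast, attacker, ETH_P_ARP, build_arp(2, attacker, gw_ip, bcast, gw_ip)),
        # double-tagged frame: outer tag = native VLAN 1, inner = victim VLAN 20
        build_frame(bcast, attacker, 0x0800, bytes(20), vlans=(1, 20)),
        # forged BPDU: 802.3 length frame, LLC 42 42 03, then a zeroed BPDU body
        build_frame(STP_MCAST, attacker, 38, LLC_STP_SAP + b"\x03" + bytes(35)),
    ]
    # MAC flooding: a burst of frames with ever-changing source addresses
    frames += [build_frame(bcast, f"02:00:00:00:00:{i:02x}", 0x0800, bytes(46))
               for i in range(5)]
    alerts = []
    for fr in frames:
        alerts.extend(mon.inspect(fr))
    return alerts
```

Calling demo() yields one alert per attack frame: the ARP reply that contradicts the static gateway binding, the double-tagged frame, the BPDU, and the MAC flood once the fourth distinct source address appears. Each check mirrors a switch feature rather than replacing it: dynamic ARP inspection does the gateway comparison against the DHCP snooping table, BPDU guard shuts the port on the first BPDU, and port security enforces the MAC limit in hardware. Note that a double-tagged frame only reaches a victim in another VLAN when the attacker's access VLAN equals the native VLAN of an 802.1Q trunk, since the switch strips the outer tag there and forwards the frame with the inner tag intact; this is why the native VLAN should carry no user traffic.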