Tuesday, June 5, 2012

Layer 2 Security

  • General classes of switch ports (the recommendations below are organized around them):
    • unused ports: ports not connected to any device
    • user ports: ports cabled to end-user devices
    • trusted ports or trunk ports: ports connected to fully trusted devices, such as other known, secured switches
  • Securing user and unused ports:
    • Disable unneeded dynamic protocols such as CDP and DTP (CDP leaks topology and version details; DTP lets an attacker negotiate a trunk and hop VLANs).
    • Disable trunking by configuring these ports as access ports.
    • Enable BPDU Guard on user ports and Root Guard on ports that should never lead toward the root bridge, to block rogue-bridge STP attacks and keep the STP topology stable.
    • Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing via ARP spoofing: DAI validates ARP packets against the DHCP snooping binding table, while private VLANs keep hosts from reaching each other at Layer 2 at all.
    • Enable port security to at least limit the number of allowed MAC addresses (stopping CAM-table flooding), and possibly restrict the port to specific MAC addresses.
    • Use 802.1X port-based user authentication so a port only forwards traffic for an authenticated device.
    • Use DHCP snooping and IP Source Guard to prevent rogue-DHCP-server man-in-the-middle attacks, DHCP starvation DoS, and IP address spoofing.
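The list above maps onto a per-port hardening template. The following is an added example written for this page, not configuration from the original post or from Cisco documentation; it assumes a Catalyst access switch running classic IOS, user VLAN 10, interface numbers Gi1/0/1-24 (users) and Gi1/0/48 (uplink), a RADIUS server at 192.0.2.10, and placeholder secrets. Comments are on their own `!` lines because IOS does not accept inline comments after a command.

```cisco
! Added example (not from the original post). Interface numbers, VLAN 10,
! the RADIUS server 192.0.2.10 and all secrets are assumed placeholders.
!
! ---- Global: DHCP snooping, DAI and the 802.1X/AAA infrastructure ----
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
! DAI validates ARP packets against the DHCP snooping binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! 802.1X needs AAA and a RADIUS server (legacy single-line radius-server form)
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSecret
dot1x system-auth-control
!
! ---- User ports: access mode, no CDP/DTP, BPDU Guard, port security, IPSG, 802.1X ----
interface range GigabitEthernet1/0/1 - 24
 description USER PORT
 switchport mode access
 switchport access vlan 10
 ! stop DTP frames so nothing can negotiate this port into a trunk
 switchport nonegotiate
 ! stop CDP from advertising platform/version/VLAN details to the end host
 no cdp enable
 spanning-tree portfast
 ! err-disable the port if a BPDU (rogue switch) shows up
 spanning-tree bpduguard enable
 ! port security: at most 2 MACs (e.g. IP phone + PC), drop and log extras
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! rate-limit DHCP and ARP to blunt starvation / inspection-overload attacks
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: source IP must match the DHCP snooping binding for this port
 ip verify source
 ! 802.1X authenticator; older releases use "dot1x port-control auto" instead
 dot1x pae authenticator
 authentication port-control auto
!
! ---- Uplink to a trusted switch: trust DHCP/ARP, static trunk, no negotiation ----
interface GigabitEthernet1/0/48
 description TRUNK to DIST-1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- On DIST-1 (a separate device), on the port facing this access switch ----
! Root Guard belongs on ports that should never lead toward the root bridge,
! not on the access-switch uplink, which legitimately does.
interface GigabitEthernet1/0/1
 description DOWNLINK to ACCESS-1
 switchport mode trunk
 spanning-tree guard root
```

To verify, `show ip dhcp snooping binding` should list each user's lease, `show ip arp inspection vlan 10` and `show port-security interface GigabitEthernet1/0/1` show drop counters climbing if something spoofs, and `show spanning-tree inconsistentports` lists any port Root Guard has blocked. If you prefer ports to recover on their own after a BPDU Guard or port-security err-disable, add `errdisable recovery cause bpduguard` and `errdisable recovery cause psecure-violation` globally.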
  • The Cisco SAFE blueprint adds these recommendations:
    • For any port (including trusted ports), consider the general use of private VLANs to further protect the network from sniffing, including preventing routers or Layer 3 switches from routing packets between devices in the private VLAN.
    • Configure VTP authentication globally on each switch to prevent DoS attacks (without it, a rogue switch in the domain with a higher configuration revision can overwrite the VLAN database).
    • Disable unused switch ports (shutdown) and place them in an otherwise unused VLAN.
    • Avoid using VLAN 1 for user or management traffic.
    • For trunks, do not carry user traffic in the native VLAN; make an otherwise unused VLAN the native VLAN, so a double-tagged (VLAN-hopping) frame lands in a VLAN with no victims.
    • Port security can limit the MAC addresses associated with a port in three ways:
      • Static configuration of the allowed MAC addresses
      • Dynamic learning of MAC addresses, up to the defined maximum, where dynamic entries are lost upon reload
      • Dynamic learning with the switch saving the learned entries in the configuration (called sticky learning)
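The SAFE items and the three port-security learning modes, as an added example for this page (not configuration from the original post or from the Cisco SAFE documents). It assumes VTP domain CAMPUS, VLAN 10 for users, VLANs 998/999 as the unused native and black-hole VLANs, interface names on a 48-port Catalyst, and a placeholder MAC address and VTP password. Private VLANs are left out here because on VTPv1/v2 switches they require VTP transparent mode, which would change the VTP section.

```cisco
! Added example (not from the original post). VLAN numbers, interface names,
! the MAC address and the VTP password are assumed placeholders.
!
! ---- VTP: authenticate updates with a domain password on every switch ----
vtp domain CAMPUS
vtp password VtpSecret
!
! ---- VLANs: user VLAN, an unused native VLAN, an unused black-hole VLAN ----
vlan 10
 name USERS
vlan 998
 name NATIVE-UNUSED
vlan 999
 name BLACKHOLE
!
! ---- Unused ports: shut, access mode, parked in the black-hole VLAN, no CDP/DTP ----
interface range GigabitEthernet1/0/25 - 47
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
!
! ---- Trunk: unused native VLAN, explicit allowed list, VLAN 1 not carried ----
! The native VLAN is deliberately left out of the allowed list, so untagged
! frames (and the inner frame of a double-tagging attack) are dropped.
! (On platforms that support it, "vlan dot1q tag native" globally is an alternative.)
interface GigabitEthernet1/0/48
 description TRUNK to DIST-1
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
!
! ---- Port security method 1: static, only the listed MAC may transmit ----
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! ---- Method 2: dynamic, learn up to 2 MACs; they are forgotten on reload ----
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! ---- Method 3: sticky, learned MACs are written into the running config ----
! (still save with "write memory", or the running config is lost on reload)
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
```

After a host has been connected to Gi1/0/3, `show running-config interface GigabitEthernet1/0/3` shows the learned address as a `switchport port-security mac-address sticky xxxx.xxxx.xxxx` line, which is the difference between method 3 and method 2; `show port-security address` lists all secure MACs with their type (SecureConfigured, SecureDynamic, SecureSticky). The `violation shutdown` mode err-disables the port on a breach and `restrict` only drops and logs, so choose per port how loud a failure should be.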