Network Security v1.0 - Module 14 (Layer 2 Security Considerations)

Layer 2 Vulnerabilities:
  • MAC Table Attacks:

    • MAC Table Overflow: Flooding a switch with frames from many fake source MAC addresses until its MAC address table is full. With no room to learn legitimate addresses, the switch floods frames for unknown destinations out all ports in the VLAN, so the attacker's port receives traffic intended for other hosts.

    • Port Security: Mitigates MAC table attacks by limiting the number of MAC addresses a port may learn and by binding addresses to the port with static or sticky MAC address assignments.

  • VLAN Hopping:

    • VLAN Hopping Attack: Exploits a switch port's default configuration (DTP trunk negotiation) to form a trunk link with an unauthorized device, giving the attacker access to traffic from multiple VLANs.

    • Prevention: Disable DTP (Dynamic Trunking Protocol) on non-trunking ports by configuring them as access ports, and set the native VLAN on trunks to a VLAN other than VLAN 1.

  • Private VLANs (PVLANs):

    • Provide Layer 2 isolation between ports within the same VLAN, so a device on one port cannot directly reach or capture the traffic of another device's port in the same broadcast domain.

    • PVLAN Edge Feature (protected ports): Ensures no Layer 2 communication between protected ports on the same switch.

Mitigating DHCP Attacks:
  • DHCP Starvation: Attackers send a flood of DHCP requests to exhaust the DHCP server's pool of IP addresses, so legitimate clients cannot obtain a lease.

    • Mitigation: Enable DHCP snooping to validate DHCP messages and drop DHCP server replies that arrive on untrusted ports, so unauthorized servers cannot assign IP addresses.

  • DHCP Spoofing: A rogue DHCP server answers client requests with incorrect IP address configuration.

    • Mitigation: Use DHCP snooping to trust only the ports that lead to authorized DHCP servers, and rate-limit DHCP discovery messages on untrusted ports.
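
As an added example (not part of the module's own material), the mitigations from the sections above combined into one Cisco IOS access-switch configuration; the interface names, VLAN numbers, MAC address limit and DHCP rate limit are assumed values for illustration:

```cisco
! --- Host-facing access port (assumed interface name) ---
interface GigabitEthernet0/1
 description Host port
 ! Fixed access mode plus nonegotiate: no DTP, so no trunk can be negotiated (VLAN hopping)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Port security: at most 2 learned MACs, sticky-learned and saved; extra MACs dropped and logged (MAC table overflow)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! PVLAN Edge: no Layer 2 traffic between protected ports on this switch
 switchport protected
 ! Cap DHCP messages per second on this untrusted port (DHCP starvation)
 ip dhcp snooping limit rate 10
 spanning-tree portfast
!
! --- Trunk uplink to the distribution switch (assumed interface name) ---
interface GigabitEthernet0/24
 ! Some platforms require "switchport trunk encapsulation dot1q" before "switchport mode trunk"
 switchport mode trunk
 switchport nonegotiate
 ! Native VLAN moved off VLAN 1 to an unused VLAN (assumed value 999)
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ! Only this port may carry DHCP server replies (DHCP spoofing)
 ip dhcp snooping trust
!
! --- Global DHCP snooping for the user VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! --- Verification commands ---
! show port-security interface GigabitEthernet0/1
! show interfaces trunk
! show ip dhcp snooping
! show ip dhcp snooping binding
```

Every port not listed under `ip dhcp snooping trust` is untrusted by default, so DHCP OFFER and ACK messages from a rogue server on an access port are dropped.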
