Network Security v1.0 - Module 14 (Layer 2 Security Considerations)

Module 14: Layer 2 Security Considerations

Layer 2 Vulnerabilities:

• MAC Table Attacks:

  • MAC Table Overflow: Flooding a switch's MAC table with fake addresses to exhaust its resources, causing it to broadcast frames to all ports.

  • Port Security: Prevent MAC table attacks by limiting the number of MAC addresses allowed on a port and using static or sticky MAC address assignments.

• VLAN Hopping:

  • VLAN Hopping Attack: Involves exploiting a switch’s default configuration to create trunk links with unauthorized devices, enabling attackers to access multiple VLANs.

  • Prevention: Disable DTP (Dynamic Trunking Protocol) on non-trunking ports and set the native VLAN to something other than VLAN 1.

• Private VLANs (PVLANs):

  • Provide isolation between ports within the same VLAN. This prevents one device from sniffing traffic on another device's port within the same broadcast domain.

  • PVLAN Edge Feature: Ensures no Layer 2 communication between protected ports on the same switch.

Mitigating DHCP Attacks:

• DHCP Starvation: Attackers send a flood of DHCP requests to exhaust the DHCP server’s pool of IP addresses.

  • Mitigation: Use DHCP Snooping to validate DHCP messages and block untrusted DHCP servers from assigning IPs.

• DHCP Spoofing: A rogue DHCP server assigns incorrect IP addresses to clients.

  • Mitigation: Use DHCP snooping to trust only authorized DHCP servers and limit the rate of DHCP discovery messages on untrusted ports.