Module 14: Layer 2 Security Considerations - Coggle Diagram
Layer 2 Threats and Vulnerabilities
Networks at Layer 2 are exposed to attacks such as MAC address spoofing, which allows attackers to impersonate devices, and VLAN hopping, enabling unauthorized access to other VLANs.
Additional threats include ARP poisoning (disrupting communication by sending false ARP messages), DHCP attacks (e.g., rogue servers or DHCP starvation), and Spanning Tree Protocol (STP) manipulation to take control of network topology.
Security Mechanisms and Countermeasures
Port Security: Limits MAC addresses on switch ports to authorized devices.
Dynamic ARP Inspection (DAI): Validates ARP packets to prevent ARP spoofing.
DHCP Snooping: Monitors DHCP traffic to block rogue servers and invalid responses.
BPDU Guard: Protects STP integrity by disabling ports receiving unauthorized BPDUs.
Storm Control: Prevents network flooding by limiting broadcast, multicast, and unknown unicast traffic.
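As an added illustration (not part of the original mind map, and not any vendor's implementation) of why DAI is normally paired with DHCP snooping: a minimal Python model of the DAI decision against a constructed snooping binding table. Port names, MAC addresses and IP addresses are assumed sample values.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table, as a switch would learn it from
# DHCP ACKs seen on untrusted ports: (client MAC, leased IP, VLAN) -> port.
BINDINGS = {
    ("aa:bb:cc:00:00:01", "10.1.10.11", 10): "Gi1/0/1",
    ("aa:bb:cc:00:00:02", "10.1.10.12", 10): "Gi1/0/2",
}
# Infrastructure-facing uplink; DAI skips inspection on trusted ports.
TRUSTED_PORTS = {"Gi1/0/24"}

@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src_mac: str  # Ethernet frame source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address

def inspect_arp(pkt: ArpPacket) -> str:
    """Return 'permit' or 'drop: <reason>', following the DAI decision order:
    trusted ports bypass, Ethernet and ARP source MACs must agree, and the
    sender MAC/IP must have a binding on the VLAN and port it arrived on."""
    if pkt.ingress_port in TRUSTED_PORTS:
        return "permit"
    if pkt.eth_src_mac.lower() != pkt.sender_mac.lower():
        return "drop: Ethernet source MAC differs from ARP sender MAC"
    port = BINDINGS.get((pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan))
    if port is None:
        return "drop: no DHCP snooping binding for sender MAC/IP on this VLAN"
    if port != pkt.ingress_port:
        return "drop: binding exists but on a different port"
    return "permit"

def inspect_sample_traffic() -> dict:
    """Run constructed ARP packets through inspect_arp, keyed by label."""
    samples = {
        "legit_host": ArpPacket("Gi1/0/1", 10, "aa:bb:cc:00:00:01",
                                "aa:bb:cc:00:00:01", "10.1.10.11"),
        # Host on Gi1/0/2 announces the gateway IP with its own MAC.
        "gateway_poison": ArpPacket("Gi1/0/2", 10, "aa:bb:cc:00:00:02",
                                    "aa:bb:cc:00:00:02", "10.1.10.1"),
        # The real gateway's ARP arrives over the trusted uplink.
        "uplink_gateway": ArpPacket("Gi1/0/24", 10, "00:11:22:33:44:55",
                                    "00:11:22:33:44:55", "10.1.10.1"),
    }
    return {name: inspect_arp(p) for name, p in samples.items()}
```

Statically addressed hosts on untrusted ports have no snooping binding and would be dropped the same way, which is why real DAI deployments add static bindings or ARP ACLs for them.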
VLAN Segmentation and Management
Use private VLANs to isolate sensitive traffic.
Separate management VLANs from user data to reduce risks.
Avoid using VLAN 1 for production traffic to enhance security and simplify network management.
Implement inter-VLAN routing controls to manage communication between VLANs effectively.
Access Control and Network Maintenance
Deploy 802.1X authentication to ensure only authenticated devices can connect to the network.
Regularly monitor traffic using syslog, SNMP, or other tools to detect anomalies or attacks.
Apply firmware updates and patches to switches to address known vulnerabilities.
Conduct periodic audits of Layer 2 security configurations to ensure adherence to best practices and identify potential risks.