This topic identifies Layer 2 vulnerabilities. Start learning CCNA 200-301 for free right now!!
Note: This topic is part of Module 10 of the Cisco CCNA 2 course. To follow the course in order, go to the CCNA 2 section, which lists the topics in sequence.
Layer 2 Vulnerabilities
The previous two topics discussed securing endpoints. In this topic, you will continue to learn about ways to secure the LAN by focusing on the frames found in the data link layer (Layer 2) and the switch.
Recall that the OSI reference model is divided into seven layers which work independently of each other. The figure shows the function of each layer and the core elements that can be exploited.
Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.
Switch Attack Categories
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.
The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.
Attacks against the Layer 2 LAN infrastructure are described in the table and are discussed in more detail later in this module.
Layer 2 Attacks
MAC Table Attacks: Includes MAC address flooding attacks.
VLAN Attacks: Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
DHCP Attacks: Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks: Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks: Includes MAC address and IP address spoofing attacks.
STP Attacks: Includes Spanning Tree Protocol manipulation attacks.
Switch Attack Mitigation Techniques
The table provides an overview of Cisco solutions to help mitigate Layer 2 attacks.
Layer 2 Attack Mitigation
Port Security: Prevents many types of attacks including MAC address flooding attacks and DHCP starvation attacks.
DHCP Snooping: Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI): Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG): Prevents MAC and IP address spoofing attacks.
These Layer 2 solutions will not be effective if the management protocols are not secured. For example, the management protocols Syslog, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP), Telnet, File Transfer Protocol (FTP), and most other common protocols are insecure; therefore, the following strategies are recommended:
Always use secure variants of these protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
Consider using an out-of-band management network to manage devices.
Use a dedicated management VLAN where nothing but management traffic resides.
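The following Cisco IOS configuration is an added example, not part of the course text, showing how the four mitigation features from the table (Port Security, DHCP Snooping, DAI and IPSG) and the management-hardening recommendations above (SSH only, dedicated management VLAN) fit together on one access switch. The hostname, interface names, VLAN numbers, IP addresses and the username are assumptions chosen for illustration; the password value is a placeholder to be replaced.

```cisco
! Added example configuration for a Cisco IOS access switch (assumed Catalyst platform).
! Hostname, interfaces, VLANs and addresses below are illustrative assumptions.
hostname SW1
!
! --- Dedicated management VLAN: only management traffic lives here ---
vlan 99
 name MANAGEMENT
vlan 10
 name USERS
!
interface Vlan99
 description Management SVI (management traffic only)
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
ip default-gateway 10.99.0.1
!
! --- SSH instead of Telnet for device access ---
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
! The secret below is a placeholder; replace it before use.
username admin privilege 15 secret PLACEHOLDER-CHANGE-ME
line vty 0 15
 login local
 transport input ssh
!
! --- Port Security on user access ports: limits learned MACs per port,
!     which counters MAC flooding and DHCP starvation from many spoofed sources ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 10
!
! --- DHCP Snooping: only the uplink toward the real DHCP server is trusted ---
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet0/1
 description Uplink toward distribution / legitimate DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Dynamic ARP Inspection: validates ARP against the DHCP snooping binding table ---
ip arp inspection vlan 10
!
! --- IP Source Guard: filters IP and MAC per port using the same binding table ---
interface range FastEthernet0/1 - 24
 ip verify source port-security
!
end
```

After applying it, the state of each feature can be checked with show port-security, show ip dhcp snooping binding, show ip arp inspection vlan 10 and show ip verify source. DAI and IPSG both depend on the DHCP snooping binding table, so DHCP snooping must be enabled on the VLAN first; statically addressed hosts on those ports need manual bindings or they will be dropped.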