January 31st, 2007
Layer 2 security; the forgotten front
One of the fastest ways for hackers to breech security systems is to circumvent Layer 2 which is your LAN switching infrastructure. Unfortunately that also happens to be one of the most overlooked aspects of Information Security with most security audits focusing on policy and compliance issues on the upper layers of the stack. The vast majority of networks large or small that I have come across in my past career as an IT consultant lacked most of the basic defenses on their LAN switching infrastructure.
To help fix this situation, I created this free comprehensive guide "Essential lockdowns for Layer 2 switch security" to address all of the following issues.
- Enable SSH and disable TELNET
- Lock down VTP and SNMP security
- Basic port lockdown
- VLAN trunking lockdown
- STP BPDU and Root guard
- Prevent CAM table and DHCP bombing
- Prevent DHCP, MAC, and IP spoofing
- Limit the size of STP domains
- Maintain the switch software to the latest stable build
- A look at the future: 802.1x and NAP/NAC
A PDF version is also available for (free) registered users for offline viewing.
The consequences for not deploying these security mechanisms means that hackers who manage to break in to a single computer on your network will be able to expand their reach. They'll be able to:
- Sniff your internal LAN for passwords and break in to other critical systems
- Crash your LAN and lock it up indefinitely
- Nuke your LAN configuration and shut your whole network down
- Take your phone system down if you're using IP Telephony
Loading ...George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
