There are many layer-2 security features available but unfortunately in a large dynamic environment they are typically difficult to deploy. Chapter 2 from Network Security Technologies and Solutions (CCIE Professional Development Series) book by Cisco Publishing gives the reader a rundown of all the technologies at your disposal (when using a Cisco Catalyst switch of course!).
What did I learn?
Being a former switch jockey myself (and being security conscious, of course) I was pretty familiar with most of the topics covered in this chapter. However, that isn't to say I know everything, and there were definitely topics that I was either unfamiliar with or learned more about while reading.

The port-level controls are standard fare, with a new twist (for me): I hadn't heard of the Protected Ports (PVLAN Edge) feature, which basically prevents ports within the same VLAN from communicating with each other. This feature would allow you to forgo VLAN ACLs if you didn't want any communication between ports to occur.
The section on ACLs was extremely straightforward, with a few nice diagrams explaining the concepts thrown in for us visual-learner types. If you don't know ACLs yet, I would recommend starting with a book geared toward the CCNA level and not the CCIE, as this chapter explores a few advanced concepts (layer 2 and VLAN ACLs being a few).
The rest of the chapter is spent on some of the lesser-known security controls available to network and security professionals. DHCP Snooping, Dynamic ARP Inspection, and Control Plane Policing (CoPP) are just a few of the subjects covered. Pretty paranoid stuff and most likely not deployed in most of your larger, non-ISP shops (in my experience, YMMV).
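To make the protected-port, DHCP snooping and Dynamic ARP Inspection features concrete, here is an added Catalyst IOS configuration example. It is not from the book or this post; the interface numbers (Gi0/1 as the uplink, Gi0/2-12 as user ports in VLAN 10) are an assumed layout.

```cisco
! Assumed layout: Gi0/1 is the trunk uplink, Gi0/2-12 are user ports in VLAN 10.
!
! --- Protected ports (PVLAN Edge) ---
! A protected port never forwards unicast, multicast or broadcast traffic
! to another protected port on the same switch, even in the same VLAN.
! Traffic to unprotected ports (the uplink, the default gateway) is unaffected.
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! --- DHCP snooping ---
! Drops DHCP server messages (OFFER/ACK/NAK) that arrive on untrusted ports,
! so a rogue DHCP server on a user port cannot hand out leases, and records
! each legitimate lease as an IP/MAC/port/VLAN binding.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Only the uplink toward the real DHCP server is trusted.
interface GigabitEthernet0/1
 description UPLINK to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Dynamic ARP Inspection ---
! ARP packets on untrusted ports are checked against the DHCP snooping
! binding table; an ARP reply whose sender IP/MAC does not match a
! binding is dropped and logged (ARP spoofing / man-in-the-middle).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Rate-limit ARP on user ports (untrusted ports default to 15 pps;
! exceeding it err-disables the port).
interface range GigabitEthernet0/2 - 12
 ip arp inspection limit rate 15
!
! --- Verification ---
show interfaces GigabitEthernet0/2 switchport
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Two caveats worth knowing before rolling this out: protected-port isolation is local to one switch, so two protected ports on different switches in the same VLAN can still talk to each other; and DAI only has bindings for hosts that obtained their address via DHCP, so statically addressed hosts on untrusted ports need an `ip source binding` entry (or an ARP ACL) or their ARP traffic will be dropped.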
The article also gives us a list of best practices to follow for effective L2 security. I will list a few of these best practices but I recommend you click on the link above and read the article yourself as you will most likely learn something interesting and useful.
- Always use a dedicated VLAN ID for all trunk ports.
- Be skeptical; avoid using VLAN 1 for anything.
- Disable DTP on all non-trunking access ports.
- Use MD5 authentication where applicable.
- Disable CDP where possible.
- Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
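The best-practice list above maps almost one-to-one onto a handful of Catalyst IOS commands. The following configuration is an added example, not taken from the book or this post; the VLAN IDs (10 and 20 for users, 999 as the trunk native VLAN, 998 as the parking VLAN), the interface ranges and the VTP/OSPF key placeholders are all assumed values.

```cisco
! Assumed layout: Gi0/1 trunk uplink, Gi0/2-24 user access ports, Gi0/25-48 unused.
! VLAN IDs and the password/key placeholders are hypothetical.
!
! Dedicated VLAN for trunk native traffic and a parking VLAN for dead ports;
! neither carries user traffic, and nothing is left in VLAN 1.
vlan 998
 name UNUSED_PARKING
vlan 999
 name NATIVE_TRUNK
!
! Trunk: explicit native VLAN (so untagged frames cannot land in a user VLAN),
! pruned allowed list, and DTP disabled with nonegotiate.
interface GigabitEthernet0/1
 description TRUNK to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Access ports: hard-coded access mode plus nonegotiate means no DTP frames
! are sent and a host cannot negotiate itself into a trunk; CDP is turned
! off toward users so the switch does not advertise its platform and IP.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
! Unused ports: shut down and parked in a VLAN that is not used for anything.
interface range GigabitEthernet0/25 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 998
 shutdown
!
! MD5 authentication where applicable: VTP (the password is carried as an
! MD5 digest in VTP advertisements) and OSPF neighbor authentication.
vtp domain CAMPUS
vtp password VTP_PASSWORD_PLACEHOLDER
!
interface Vlan10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
!
! Verification
show interfaces trunk
show interfaces status
show cdp interface
show vtp status
```

A quick way to audit an existing switch against this list is `show interfaces trunk` (native VLAN should never be 1), `show interfaces status` (anything showing `notconnect` in a production VLAN is a candidate for the parking VLAN) and `show cdp interface` (CDP should only be listed on the uplinks you intend).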
