Protecting Layer 2 Using Cisco Best Practices
The Data Link layer (Layer 2 of the OSI model) transfers data between network entities and provides the interoperability and interconnectivity on which the other layers depend. It is therefore the most important layer to secure from a network perspective, and it is highly exposed to attack. As we commonly say, “Network security is only as strong as the weakest link”, and Layer 2 is no exception. If an attacker is able to gain access at Layer 2, communication can be compromised without the other layers being aware of the problem.
A great deal of security is designed into the upper layers (OSI Layers 3 and above), but none of it helps if Layer 2 is compromised. The following is a general security checklist recommended by the Systems and Network Attack Center (SNAC) for Cisco IOS switches at every layer (e.g., core, distribution, access) and for every type of network traffic (e.g., data, voice, video). PEI implements these best practices in accordance with SNAC standards in order to prevent attacks on Layer 2 devices.
• Install the latest stable version of the IOS on each switch.
• Create an “enable secret” password.
• Set timeouts for sessions and configure privilege levels.
• Configure a banner to state that unauthorized access is prohibited.
• Disable unnecessary network services (e.g., tcp small servers, HTTP).
• Enable necessary network services and configure these services securely.
• Utilize SSH instead of telnet and set a strong password for SSH.
• If SNMP is necessary, set a strong community string for SNMP.
• Implement port security to limit access based on MAC address. Disable auto-trunking on ports.
• Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
• Enable Spanning-Tree Protocol protection features (BPDU Guard, Root Guard, EtherChannel Guard and Loop Guard).
• Always use a dedicated VLAN ID for all trunk ports and avoid using VLAN 1 for anything.
• Limit the VLANs that can be transported over a trunk to only those that are necessary.
• If possible, disable VTP. Otherwise, configure the VTP management domain, a VTP password and pruning, then set VTP to transparent mode.
• Enable logging and send logs to a dedicated, secure log host.
• Configure logging to include accurate time information, using NTP and timestamps.
• Review logs for possible incidents and archive them in accordance with the security policy.
• Use AAA features for local and remote access to the switch.
• Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
• Limit access to the device to only authorized administrators. The configuration file should contain descriptive comments for the different settings to provide perspective.
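As an added illustration of the port-level items in the checklist above (this is example configuration written for this page, not configuration from PEI or the SNAC guidance), the following Cisco IOS fragment assumes VLAN 10 for users, VLAN 999 as an otherwise unused native VLAN, GigabitEthernet1/0/1 as a user access port and GigabitEthernet1/0/48 as the uplink trunk toward the distribution layer:

```cisco
! Added example configuration (assumed VLAN numbers and interface names).
!
! Global spanning-tree guards: BPDU Guard on every PortFast port,
! Loop Guard and EtherChannel Guard switch-wide.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
spanning-tree etherchannel guard misconfig
!
! DHCP snooping and Dynamic ARP Inspection for the user VLAN;
! the binding table these build is what IP Source Guard enforces.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! VTP effectively disabled: transparent mode ignores advertisements.
vtp mode transparent
!
! User-facing access port: fixed access mode, no DTP negotiation
! (no auto-trunking), port security limited to one sticky MAC,
! PortFast + BPDU Guard, and IP Source Guard.
interface GigabitEthernet1/0/1
 description USER-PORT (assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
!
! Uplink trunk: explicit trunk, dedicated native VLAN instead of VLAN 1,
! allowed list limited to what is needed, trusted for DHCP snooping / DAI.
interface GigabitEthernet1/0/48
 description UPLINK-TO-DISTRIBUTION (assumed)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification commands to confirm the state after applying the above.
show port-security interface GigabitEthernet1/0/1
show ip dhcp snooping
show spanning-tree summary
```

Root Guard is deliberately not placed on the uplink, since that port legitimately leads toward the root bridge; it belongs on designated ports facing switches that must never become root.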
Implementing the above steps helps protect a Layer 2 device from an attacker.