Network Security Principles and Practices: Secure LAN switching
This book excerpt offers steps you can take to make Layer 2 environments and switches more secure, including permit lists, protocol filtering and VLANs.
Network Security Principles and Practices
Secure LAN Switching
This excerpt is reprinted with permission from Cisco Press. For more information or to order the book, visit the Cisco Press Web site.
This chapter covers the following key topics:
- General Switch and Layer 2 Security—This section discusses some of the basic steps you can take to make Layer 2 environments and switches more secure.
- Port Security—This section discusses how to restrict access on a port basis.
- IP Permit Lists—This section talks about using IP permit lists to restrict access to the switch for administrative purposes.
- Protocol Filtering and Controlling LAN Floods—This section talks about controlling floods on LANs.
- Private VLANs on Catalyst 6000—This section deals with setting up private VLANs on Catalyst 6000 switches to provide Layer 2 isolation to connected devices.
- Port Authentication and Access Control Using the IEEE 802.1x Standard—This section talks about how the 802.1x protocol can be used to improve security in a switched environment by providing access control on devices attaching to various ports.
In order to provide comprehensive security on a network, it is important take the concept of security to the last step and ensure that the Layer 2 devices such as the switches that manage the LANs are also operating in a secure manner.
This chapter focuses on the Cisco Catalyst 5000/5500 series switches. We will discuss private VLANs in the context of the 6000 series switches. Generally, similar concepts can be implemented in other types of switches (such as the 1900, 2900, 3000, and 4000 series switches) as well.
Security on the LAN is important because some security threats can be initiated on Layer 2 rather than at Layer 3 and above. An example of one such attack is one in which a compromised server on a DMZ LAN is used to connect to another server on the same segment despite access control lists on the firewall connected on the DMZ. Because the connection occurs at Layer 2, without suitable measures to restrict traffic on this layer, this type of access attempt cannot be blocked.
This chapter is posted in full as a pdf file. To continue reading, click here.