Securing your Layer 2 network: Don't overlook the basics

Before dropping substantial cash on a fancy surveillance system, most sensible homeowners would first make sure that their doors and windows were locked. Similarly, there are simple security measures you can take to configure your systems for Layer 2 security.

Every day, urgent reports outline the newest threat, worm or virus to hit the Internet. Companies spend millions of dollars each year on intrusion detection systems (IDS), firewalls and client software to defend against attacks and potential attackers. While these measures are important and deserve significant dialogue, in this article I am going to outline what most engineers forget to master: the basics -- the simple mechanisms that have been around the longest to help secure the Layer 2 (Data Link layer) devices in your network.

The simple things
One of the first things we learn about as network engineers is the concept of broadcast domains. A broadcast domain is the logical space where all users share a "connection" and all hosts have the ability to hear each other's conversations. This concept is a prelude to the introduction of both routers and switches and how they can manipulate the boundaries of these domains. From the switching or Layer 2 perspective, virtual LANs (VLANs) can be used to break up broadcast domains for the purposes of minimizing traffic, separating business units or, more importantly, securing sections of your network from local threats.

As an associate engineer, you are taught that one of the primary reasons for VLANs is "to enforce better security by keeping sensitive devices on a separate VLAN" (as explained in the CCNA INTRO Exam Certification Guide, Chapter 10). This statement should be telling you that it's probably not a good idea to put your financial servers on the same VLAN as untrusted hosts. Logical segmentation is one of the first and simplest steps toward creating a secure Layer 2 environment.

To take it one step further, we can secure our Layer 2 environment by restricting host access to our individual VLANs. Allowing access to a VLAN based on MAC address is done by implementing port security. Port security allows only certain pre-authorized hosts to access the VLANs you've created. If an unauthorized host accesses the network, the port to which it's connected can automatically be shut down for a pre-determined time period. Port security is a good security tool, although tedious to maintain from an operations standpoint.

To configure a switch for port security, follow the steps below:

Switch(config)#interface FastEthernet1/0/1
Switch(config-if)#switchport
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security                <------ Enables port security with the default settings
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

The "protect" option silently drops packets with unknown source addresses once the maximum number of secure MAC addresses has been reached, until you remove enough secure MAC addresses to drop below the maximum value. The "restrict" option does the same but also causes the SecurityViolation counter to increment, so the event is visible to you. Finally, the "shutdown" option (the default) puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

'Triple A' network protection
Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.
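As an added example (not from the article), the same access port configured with the options a practitioner usually sets alongside the defaults: an explicit maximum, sticky learning so the switch records the first MAC addresses it sees into the running configuration, inactivity aging, a "restrict" action that keeps the port up while counting and logging violations, and err-disable auto-recovery for ports you leave on the default "shutdown" action so that a violation does not require a manual shutdown/no shutdown from operations. The interface name and VLAN number are assumptions; the commands are standard Cisco IOS port-security syntax. This goes beyond the article's basic steps by showing the settings that make port security manageable day to day.

```text
! Added example: hardened port-security configuration (assumed interface and VLAN)
interface FastEthernet1/0/1
 description Access port for a single user workstation
 switchport
 switchport mode access
 ! assumed user VLAN
 switchport access vlan 10
 ! enable port security with defaults (maximum 1, violation shutdown)
 switchport port-security
 ! allow two secure addresses on this port
 switchport port-security maximum 2
 ! learned MAC addresses are written to the running configuration
 switchport port-security mac-address sticky
 ! forget a secure address after 10 minutes of inactivity
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! drop offending frames, increment SecurityViolation, keep the port up
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global: for ports left on the default "shutdown" action, let err-disabled
! ports recover automatically after 5 minutes instead of waiting for a ticket
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands
! show port-security interface FastEthernet1/0/1
! show port-security address
! show errdisable recovery
```

"restrict" is the usual compromise between security and operations: the unauthorized host is blocked, the SecurityViolation counter and syslog give you a record to monitor, and the legitimate user on the same port is not taken offline.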

Monitoring Layer 2 access via port security prevents unauthorized hosts from joining your VLANs and the networks behind them, but it doesn't address the issue of administrators making configuration changes to VLANs and/or your Layer 2 devices. Monitoring administrator access via RADIUS or TACACS+ is another way to secure your network. One of the most dangerous things within a networking environment is allowing an administrator to make unauthorized or unchallenged changes to devices throughout the network. Implementing "jump" stations, or "accounting" stations, makes administrators accountable for any rogue configuration changes. It is wise to implement centralized change control within your network.
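An added example (not from the article) of what the centralized administrator control described above looks like on a Cisco IOS switch: logins are authenticated against a TACACS+ server, every privilege-15 command must be authorized by the server before it runs, and both sessions and commands are accounted for centrally, with a local configuration-change log as a second record. The server address, shared key, group and account names are placeholders; the commands are standard IOS AAA syntax (IOS 15 style server definition).

```text
! Added example: AAA with TACACS+ for administrator access (placeholder values)
aaa new-model
!
! TACACS+ server definition (older images use "tacacs-server host" instead)
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ADMIN-TACACS
 server name TAC1
!
! Authenticate logins against TACACS+; fall back to the local database
! only when no server is reachable
aaa authentication login default group ADMIN-TACACS local
aaa authorization exec default group ADMIN-TACACS local
! Every privilege-15 command is authorized by the server before it executes
aaa authorization commands 15 default group ADMIN-TACACS local
! Record who logged in and every privilege-15 command they ran
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Keep a local log of configuration changes as well and send it to syslog
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Local emergency account, used only when TACACS+ is unreachable
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
! Verification commands
! show aaa servers
! show archive log config all
```

The "local" fallback at the end of each method list is what keeps you from being locked out when the AAA server is down; apply the lines while a second management session stays open, so a mistake in the method lists can still be corrected.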

802.1X
Another simple mechanism which is becoming popular among administrators is the implementation of port-based authentication using 802.1X. This protocol enforces authentication of each host that wishes to join a particular LAN. While 802.1X is useful for instances such as local and remote users, it presents the same issue as port security: operations management. For larger companies it can become tedious to manage authentication and access for multiple users. The operation of 802.1X is beyond the scope of this article, but further information can be found here.

The implementation of things such as VLANs, device access control and 802.1X can help secure your Layer 2 environment. Most engineers overlook the importance of these most basic security principles. The important thing is not to overlook the basics of Layer 2 security, but to learn why and how these things are implemented. Filters, ACLs and DoS-specific modules and methods can be better implemented once a solid foundation is established.

Doug Downer (CCIE #9848 and JNCIS #881) is a Sr. Consultant with Callisma, Inc., a wholly owned subsidiary of SBC Communications. Doug has over seven years' experience in the industry and currently provides high-level business and technology consulting for various federal clients in the Washington D.C. area.
