Layer 2 Vulnerabilities
Recall that the OSI reference model is divided into seven layers which work independently of each other. The figure shows the function of each layer.
Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN. Today, with BYOD (Bring Your Own Device) and more sophisticated attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.
Attacks against the Layer 2 LAN infrastructure are described in the table:
| Category | Examples |
|---|---|
| MAC Table Attacks | MAC address flooding attacks |
| ARP Attacks | ARP spoofing |
| STP Attacks | Spanning Tree Protocol manipulation attacks |
| DHCP Attacks | DHCP spoofing attacks |
| VLAN Attacks | VLAN hopping and VLAN double-tagging attacks |
| Address Spoofing Attacks | MAC and IP address spoofing attacks |
To improve Layer 2 security, it is recommended to:
- Use ACLs to filter unwanted access
- Use a dedicated management VLAN
- Use secure variants of management protocols, such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Consider using an out-of-band management network to manage devices
Switch security features that mitigate these attacks:

| Feature | Description |
|---|---|
| Dynamic ARP Inspection | Prevents ARP spoofing |
| Port Security | Prevents many types of attacks, including MAC address flooding attacks |
| DHCP Snooping | Prevents DHCP spoofing attacks |
| IP Source Guard | Prevents MAC and IP address spoofing attacks |
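The following access-switch configuration is an added example, not part of the original page, showing how the four features above, the secure-management recommendations, and STP/VLAN hardening fit together. It assumes Cisco IOS, user VLAN 10, GigabitEthernet0/1 as the trusted uplink toward the DHCP server, GigabitEthernet0/2-24 as user access ports, and that RSA keys and a local user account already exist for SSH.

```cisco
! Added example (assumed Cisco IOS access switch); VLAN 10 = users,
! Gi0/1 = trusted uplink, Gi0/2-24 = access ports.
!
! Management plane: SSH only (SCP/SFTP ride on SSH); no Telnet.
ip ssh version 2
line vty 0 15
 transport input ssh
!
! DHCP snooping builds the binding table (MAC, IP, VLAN, port) that
! Dynamic ARP Inspection and IP Source Guard both validate against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! DAI drops ARP whose sender MAC/IP pair is not in the binding table and
! also checks that Ethernet and ARP header addresses agree.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink: only port allowed to send DHCP server replies
 switchport mode trunk
 switchport trunk native vlan 999
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Port Security caps learned MACs so the MAC table cannot be flooded
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Rate-limit DHCP and ARP from clients; a burst err-disables the port
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard forwards only IP/MAC pairs present in the binding table
 ip verify source port-security
 ! STP hardening: end-user ports must never receive BPDUs
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification (exec mode): show ip dhcp snooping binding,
! show ip arp inspection vlan 10, show port-security interface Gi0/2
```

The unused native VLAN 999 on the trunk and `switchport nonegotiate` on access ports address the VLAN hopping and double-tagging attacks listed in the first table; the rate limits and `violation restrict` keep a single misbehaving host from taking the port down silently.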