- Version
- Download 9
- File Size 1.58 MB
- File Count 1
- Create Date March 31, 2023
- Last Updated March 31, 2023
Much industry attention surrounds security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers.
Network security often focuses on edge routing devices and the filtering of packets based upon Layer 3 and Layer 4 headers, ports, stateful packet
inspection, and so forth. This includes all issues surrounding Layer 3 and above, as traffic makes its way into the campus network from the Internet.
Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions. The default state of networking equipment highlights this focus on external protection and internal open communication.
Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication, until configured to do so. Routers and switches that are internal to an organization and designed to accommodate communication, delivering needful campus traffic, have a default operational mode that forwards all traffic unless configured otherwise. Their function as devices that facilitate communication often results in minimal security configuration and renders them targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.
Many security features are available for switches and routers, but they must be enabled to be effective. As with Layer 3, where security had to be tightened on devices within the campus as malicious activity that compromised this layer increased, now security measures must be taken to guard against malicious activity at Layer 2.
A new security focus centers on attacks launched by maliciously leveraging normal Layer 2 switch operations. Security features
exist to protect switches and Layer 2 operations. However, as with access control lists (ACLs) for upper-layer security, a policy must be established and
appropriate features configured to protect against potential malicious acts while maintaining daily network operations.