Securing Layer 2
For many years network administrators expected security breaches to come from outside the organization or at the upper layers of the OSI model, so firewalls were deployed at the edge of the network. A firewall's default state blocks communication between the organization and the networks beyond its borders, whereas routers and switches were designed to enable communication.
A firewall must be explicitly configured to allow IP packets to traverse it. By default, routers do not filter traffic, but they can be configured to filter on values in the layer 3 (IP) and layer 4 (TCP/UDP) headers. Switches can likewise be configured to thwart attacks launched at layer 2, on the LAN itself.
In recent years, Cisco has expanded its focus beyond the perimeter security provided by firewalls and intrusion detection or prevention systems (IDS/IPS) at the edge of the network. In addition to the Enterprise Edge, the access, distribution, and core layers of the enterprise campus or WAN need to be secured. Cisco calls this the self-defending network: each part of the network is secured independently as well as at the Enterprise Edge. The change of focus reflects the fact that many attacks originate inside the enterprise infrastructure. This paper focuses on securing layer 2 switching at the access layer through port security and on preventing denial of service (DoS) attacks at layer 2.
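As an added illustration (an editor's example, not configuration taken from the paper), the following Cisco IOS fragments show the two configuration points described above: a router that by default forwards everything but is given an extended ACL matching layer 3 and layer 4 header fields, and an access-layer switch port hardened with port security and BPDU guard so that MAC-flooding and rogue-switch attacks cannot be launched from a single edge port. The interface names, VLAN 10, and the address 192.0.2.10 are assumed for the example.

```cisco
! --- Router: filter on layer 3 (IP) and layer 4 (TCP/UDP) header values ---
! Without an ACL applied, the router forwards any IP packet it can route.
ip access-list extended WEB-ONLY-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! Assumed interface name; apply the ACL inbound on the untrusted side.
interface GigabitEthernet0/0
 ip access-group WEB-ONLY-IN in
!
! --- Switch: harden one access port at layer 2 ---
! Assumed interface and VLAN. Port security limits the number of source MAC
! addresses learned on the port, which stops CAM-table flooding (a layer 2 DoS)
! and limits MAC spoofing; "restrict" drops violating frames and counts them
! rather than err-disabling the port.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify after configuring:
!   show access-lists WEB-ONLY-IN
!   show port-security interface GigabitEthernet1/0/5
```

Two caveats a practitioner should keep in mind: the extended ACL has an implicit deny at the end, so the explicit `deny ip any any log` only adds logging of rejected packets, and `spanning-tree bpduguard enable` will err-disable the port if any BPDU arrives, which is the intended response to an unauthorized switch but must be paired with an error-recovery policy or a manual `shutdown`/`no shutdown` procedure.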