Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Protect, detect, and respond—Dataprise keeps your business secure.
Maximize uptime with with industry-leading DRaaS.
Swiftly mitigate cyber threats and restore security.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Accelerate PE client deals and secure data.
Empower Your Municipality with Secure, Reliable IT Services
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Grow through acquisition and partnership with Dataprise.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Explore our trusted partnerships with leading tech innovators.
Posts
By: Dataprise
Table of content
Protecting Layer 2 Using Cisco Best Practices
The Data Link layer (Layer 2 of the OSI model) is used to transfer data between network entities with interoperability and interconnectivity to other layers. Therefore, it is the most important layer to be secured from a network perspective and is highly vulnerable to attacks. As we commonly say; “Network security is only as strong as the weakest link” – and Layer 2 is no exception. If the hacker is able to access Layer 2 then communication may be compromised without the other layers being aware of the problem.
There is a high level of security designed for all the upper layers (OSI Layers 3 and above), however, it does not help if Layer 2 is compromised. The following is a general security checklist recommended by the Systems and Network Attack Center (SNAC) for Cisco IOS switches at every layer (e.g., core, distribution, access) for every type of network traffic (e.g., data, voice, video). PEI implements the following best practices in accordance with SNAC standards in order to avoid any possible attacks on the Layer 2 device.
• Install the latest stable version of the IOS on each switch.
• Create an “enable secret” password.
• Set timeouts for sessions and configure privilege levels.
• Configure a banner to state that unauthorized access is prohibited.
• Disable unnecessary network services (e.g., tcp small servers, HTTP).
• Enable necessary network services and configure these services securely.
• Utilize SSH instead of telnet and set a strong password for SSH.
• If SNMP is necessary, set a strong community string for SNMP.
• Implement port security to limit access based on MAC address. Disable auto-trunking on ports.
• Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
• Assign Spanning-Tree Protocol Features (BPDU Guard, Root Guard, EtherChannel Guard & Loop Guard)
• Always use a dedicated VLAN ID for all trunk ports and avoid using VLAN 1 for anything.
• Limit the VLANs that can be transported over a trunk to only those that are necessary.
• If possible, disable VTP. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.
• Enable logging and send logs to a dedicated, secure log host.
• Configure logging to include accurate time information, using NTP and timestamps.
• Review logs for possible incidents and archive them in accordance with the security policy.
• Use AAA features for local and remote access to switch.
• Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
• Limit access to the device to only authorized administrators. The configuration file should contain descriptive comments for the different settings to provide perspective.
The implementation of the above steps would help in protecting the Layer 2 device from an attacker.
Nikhil Kallat, PEI
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.