Layer 2 Switch Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The layer 2 switch must implement Rapid STP where VLANs span multiple switches with redundant links.
Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to ...Rule Medium Severity -
SRG-NET-000512
Group -
The layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such...Rule Medium Severity -
SRG-NET-000512
Group -
SRG-NET-000512
Group -
The layer 2 switch must have all disabled switch ports assigned to an unused VLAN.
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.Rule Medium Severity -
SRG-NET-000512
Group -
The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.
In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Pr...Rule Medium Severity -
SRG-NET-000512
Group -
SRG-NET-000512
Group -
The layer 2 switch must not use the default VLAN for management traffic.
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Tru...Rule Medium Severity -
SRG-NET-000512
Group -
SRG-NET-000512
Group -
The layer 2 switch must not have any switch ports assigned to the native VLAN.
Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim’s MAC address and with the victim attached to...Rule Low Severity -
SRG-NET-000512
Group -
The layer 2 switch must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Configuring the network device to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security base...Rule Medium Severity -
SRG-NET-000705
Group -
The layer 2 switch must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth...Rule Medium Severity -
SRG-NET-000715
Group -
The layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic o...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.