Cyber Security Institute

Saturday, October 04, 2008

New Protocols Secure Layer 2

Physical layer security is viewed by most IT professionals as a low-priority problem because cables are run behind walls or in ceilings, beyond the accessibility of most people.  Wiring closets and data centers often are locked, and anyway, there are easier ways to subvert a network than by recabling it.  That said, if you could protect traffic on the wire with no hit to performance, would you do so?  You’ll be answering that question in the next few years as two new network security protocols come to a switch near you.  Together, these two protocols—IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV—will help secure Layer 2 traffic on the wire.

802.1AE is a completed standard and will be appearing soon in hardware.

Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt.  We say “in theory” because of the potential performance impact encryption has on switch capacity and delay.

The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards.  802.1AE implementations must conform to performance characteristics defined in the standard. 

The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.

802.1X-REV builds on 802.1X to support features like authentication of multiple devices on a single switch port and key distribution for 802.1AE devices.  Rather than manually creating and installing keys in network devices, 802.1X-REV makes key management part of the protocol in a fashion similar to 802.11i or WPA/WPA2.

Many organizations’ wiring provides one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis.  However, it is now common for sites to have multiple hosts per port.  For example, voice-over-IP phones have their own LAN port for plugging in a desktop or laptop, which means two network devices per port.  Recognizing that this is a problem, switch vendors provide workarounds such as allowing one unauthenticated device to be placed on a specific virtual LAN, while a subsequent device has to authenticate before getting access to the network.  Cisco allows its Cisco Discovery Protocol to pass through an 802.1X port, which lets discovered devices access a designated VLAN.  Switches such as the HP ProCurve allow multiple hosts to authenticate, and the switch creates virtual ports based on a device’s MAC address and authentication state.  The weakness is that the binding is only to a MAC address: if a workstation is connected through a VoIP phone and has been properly authenticated, someone could simply clone the workstation’s MAC address and connect to the network through that VoIP phone.
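
As an added example, not code from the original post or from any switch vendor, the Go program below sketches how an 802.1AE-style frame is built and checked. It serves both the encryption discussion above (a middlebox keyed on EtherType sees only the MACsec tag, and any modification on the wire fails the integrity check) and the MAC-cloning scenario in the previous paragraph (a host that copies an authenticated workstation's MAC address but never received the key from 802.1X-REV cannot produce a valid ICV). The SAK, SCI, MAC addresses and payload are constructed values. The SecTAG layout, the use of SCI||PN as the GCM nonce and of the MAC addresses plus SecTAG as additional authenticated data follow the standard's structure, but this is an illustration, not a conformant implementation: one association number, a replay window of zero, and no MKA key exchange.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo values, not from the article: the 128-bit Secure Association
// Key (SAK) that 802.1X-REV would distribute and the sender's 8-byte SCI.
var (
	demoSAK = []byte("0123456789abcdef")
	demoSCI = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01}
)

const (
	etherTypeMACsec = 0x88E5 // EtherType that opens the SecTAG
	hdrLen          = 28     // Dst(6) Src(6) SecTAG: EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8)
)

// Frame is a plain Ethernet frame before protection.
type Frame struct {
	Dst, Src  [6]byte
	EtherType uint16
	Payload   []byte
}

// Channel is one secure channel: SAK, SCI and the next packet number
// (sender: next to use; receiver: lowest accepted, strict replay check).
type Channel struct {
	gcm    cipher.AEAD
	sci    []byte
	nextPN uint32
}

func NewChannel(sak, sci []byte) (*Channel, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Channel{gcm: gcm, sci: sci, nextPN: 1}, err
}

// nonce is SCI||PN, the 96-bit IV that GCM-AES-128 uses in 802.1AE.
func (c *Channel) nonce(hdr []byte) []byte { return append(append([]byte{}, c.sci...), hdr[16:20]...) }

// Protect emits Dst|Src|SecTAG|ciphertext|ICV: addresses and SecTAG are the
// additional authenticated data, original EtherType+payload are encrypted.
func (c *Channel) Protect(f Frame) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:6], f.Dst[:])
	copy(hdr[6:12], f.Src[:])
	binary.BigEndian.PutUint16(hdr[12:14], etherTypeMACsec)
	hdr[14], hdr[15] = 0x2C, 0x00 // TCI: SC=1, E=1, C=1, AN=0; SL=0
	binary.BigEndian.PutUint32(hdr[16:20], c.nextPN)
	copy(hdr[20:28], c.sci)
	c.nextPN++
	pt := make([]byte, 2+len(f.Payload))
	binary.BigEndian.PutUint16(pt, f.EtherType)
	copy(pt[2:], f.Payload)
	return append(hdr, c.gcm.Seal(nil, c.nonce(hdr), pt, hdr)...)
}

var ErrReject = errors.New("macsec: frame rejected")

// Validate checks layout, replay state and ICV before trusting the frame. The
// source MAC alone proves nothing: a host that clones it but lacks the SAK
// cannot produce a valid ICV, so its frames are dropped here.
func (c *Channel) Validate(wire []byte) (Frame, error) {
	if len(wire) < hdrLen+2+16 || binary.BigEndian.Uint16(wire[12:14]) != etherTypeMACsec ||
		string(wire[20:28]) != string(c.sci) {
		return Frame{}, fmt.Errorf("%w: not a frame for this channel", ErrReject)
	}
	pn := binary.BigEndian.Uint32(wire[16:20])
	if pn < c.nextPN {
		return Frame{}, fmt.Errorf("%w: replayed PN %d", ErrReject, pn)
	}
	pt, err := c.gcm.Open(nil, c.nonce(wire), wire[hdrLen:], wire[:hdrLen])
	if err != nil {
		return Frame{}, fmt.Errorf("%w: bad ICV", ErrReject)
	}
	c.nextPN = pn + 1
	f := Frame{EtherType: binary.BigEndian.Uint16(pt[:2]), Payload: pt[2:]}
	copy(f.Dst[:], wire[0:6])
	copy(f.Src[:], wire[6:12])
	return f, nil
}

// OuterEtherType is all a transparent middlebox keyed on EtherType can see.
func OuterEtherType(wire []byte) uint16 { return binary.BigEndian.Uint16(wire[12:14]) }

func main() {
	tx, _ := NewChannel(demoSAK, demoSCI) // workstation side
	rx, _ := NewChannel(demoSAK, demoSCI) // switch side, same SAK
	wire := tx.Protect(Frame{Src: [6]byte{0x00, 0x1b, 0x21, 0x11, 0x22, 0x33}, EtherType: 0x0800, Payload: []byte("constructed payload")})
	fmt.Printf("outer EtherType 0x%04x\n", OuterEtherType(wire)) // 0x88e5, not 0x0800
	_, err := rx.Validate(wire)
	fmt.Println("genuine frame:", err)
	_, err = rx.Validate(wire)
	fmt.Println("same frame replayed:", err)
}
```

The order of checks mirrors the receive side of the standard: a frame whose packet number falls below the lowest acceptable value is discarded before any cryptography runs, and the receiver's packet-number state advances only after the ICV has verified, so a forged or replayed frame can never move it. A load balancer or analyzer in the path sees EtherType 0x88E5 and an opaque payload, which is exactly the blindness the article warns about.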

If your company is in the planning stages of a switch upgrade, it might be a good idea to put off deploying the access layer until your chosen vendor supports 802.1AE and 802.1X-REV.  Like all encryption technologies, 802.1AE will have an impact on network design.

Switches can duplicate frames to a mirror port so that packet analyzers and intrusion-detection systems can process them, but that is not a perfect solution.  For example, a full-duplex 1-Gbps link can send and receive 1 Gbps simultaneously, for a total of 2 Gbps, which is more than a single 1-Gbps mirror port can carry.

Posted on 10/04