New Protocols Secure Layer 2

Physical layer security is viewed by most IT professionals as a low-priority problem because cables are run behind walls or in ceilings, beyond the accessibility of most people. Wiring closets and data centers often are locked, and anyway, there are easier ways to subvert a network than by recabling it.

That said, if you could protect traffic on the wire with no hit to performance, would you do so?

You'll be answering that question in the next few years as two new network security protocols come to a switch near you. Together, these two protocols--IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV--will help secure Layer 2 traffic on the wire. 802.1AE is a completed standard and will be appearing soon in hardware. 802.1X-REV could be ratified as early as the first quarter of next year.

Cisco's December 2007 announcement of its network-wide security program, dubbed TrustSec, brought the 802.1AE protocol into the limelight. 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE.

802.1AE protects data in transit on a hop-by-hop basis (see diagram, "Security In Short Hops", below), ensuring that the frames are not altered between Layer 2 devices such as switches, routers, and hosts. Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt. We say "in theory" because of the potential performance impact encryption has on switch capacity and delay.

The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards. 802.1AE implementations must conform to performance characteristics defined in the standard. 802.1AE doesn't specify hard times--rather, the maximum delay of 802.1AE processing is relative based on the time it takes to spit the bits onto the wire. On a 100-Mbps network, that's less than a millisecond for a 1,500-byte frame. Cumulatively, the impact should be negligible.

The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.

802.1AE isn't a replacement for Layer 3 VPNs, such as IPsec or PPTP. 802.1AE ensures that frames are protected from eavesdropping and manipulation at Layer 2 between peers. All traffic passing between two switches is protected using the same security parameters.

THE REST OF THE STORY
802.1AE is only half the story, however, because it deals only with encryption and integrity--both of which require keys. 802.1X-REV provides key management--creation, distribution, deletion, and renewal of encryption keys.

802.1X-REV builds on 802.1X to support features like authentication of multiple devices on a single switch port and key distribution for 802.1AE devices. Rather than manually creating and installing keys in network devices, 802.1X-REV makes key management part of the protocol in a fashion similar to 802.11i or WPA/WPA2. 802.1AE also is extensible in that a vendor can add optional information into the 802.1AE header.

Many organizations' physical wiring has one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis. However, it's now common for sites to have multiple hosts per port. For example, voice-over-IP phones have their own LAN port to plug into a desktop or laptop, which means two network devices per port. If there is only one port, it can be in only one of two states: authenticated (open) or unauthenticated (closed).

If the VoIP phone authenticates to the port, there's no point in using 802.1X because the port is always authenticated. If the desktop authenticates to the switch port, the port will be unauthorized and the phone will be cut when the desktop fails to authenticate.

Recognizing this is a problem, switch vendors provide workarounds such as allowing one unauthenticated device to be placed on a specific virtual LAN, but a subsequent device has to authenticate before getting access to the network. Cisco allows its Cisco Discover Protocol to pass through an 802.1X port, which allows discovered devices to access a designated VLAN. Switches such as the HP ProCurve allow multiple hosts to authenticate, and the switch creates virtual ports based on a device's MAC address and authentication state.

802.1X-REV addresses these issues by allowing multiple hosts to authenticate on a port. But authenticating multiple hosts isn't enough. If a workstation is connected to a VoIP phone and was properly authenticated, someone could simply clone the workstation's MAC address and connect to the network through that VoIP phone. The bogus workstation would have network access until 802.1X required a reauthentication.

Pairing 802.1X-REV with a workstation NIC that supports 802.1AE enables multiple hosts to be authenticated simultaneously, and each host can have its own encrypted session. More important, bogus workstations can't simply plug in, because the impersonators won't have the encryption keys and therefore can't communicate with the switch.

GET READY TO UPGRADE
Like all encryption technologies, 802.1AE will have an impact on network design. The new protocol will require hardware upgrades on your switches and, optionally, on network devices such as workstations, printers, and VoIP phones. In addition, 802.1AE's impact on passive monitoring is significant. If you use in-line taps to send network frames to a network analysis device like a packet analyzer or intrusion-detection system, 802.1AE encryption will render those monitoring devices blind. The only data available to the analysis device will be the MAC addresses and the security tag that's inserted between the MAC addresses and the encrypted Ethernet payload, called the MACsec Protocol Data Unit.

Switches can send duplicate frames to a mirror port on a switch so that packet analyzers and intrusion-detection systems can process the frames, but that is not a perfect solution. A mirror port can only transmit half the capacity of a full-duplex link. For example, a full-duplex 1-Gbps link is capable of sending and receiving 1 Gbps simultaneously, for a total capacity of 2 Gbps. But a mirror port can only transmit at 1 Gbps. If your combined send/receive traffic is greater than 1 Gbps, your analysis equipment will see dropped frames.

In addition, because everything in the original Ethernet frame except the MAC addresses are hidden from view, bump-in-the-wire network devices like transparent firewalls, traffic shapers, load balancers, and WAN optimizers won't be able to process the 802.1AE-protected frames.

In cases where access to Layer 2 data and above is required by a bump-in-the-wire device for network analysis, the alternatives are either not to use 802.1AE on that link, so the frames are unprotected, or for the device to have the same keys as the switches.