End-to-End Versus Hop-by-Hop LAN-Based
Cryptographic Protection
There are several key reasons for the strong argument against end-to-end (E2E) (such as client-to-server) cryptographic protections in LANs. First is the level of security. Although this type of tunneled encryption might appear to be more secure, it can actually conceal malicious exploits and provide for an undetected distribution of worms, Trojans, and viruses. As such, obscuring the key header information and/or packet payload E2E from the end-user host to servers actually prevents the ability to perform intrusion detection and other deep-packet inspection techniques. As a result, you are likely to end up with a more vulnerable network. Most IT organizations rely on the capability to look into the packet header and, in some cases, the payload to provide extended access control lists (ACL), content filtering, and advanced server load balancing (SLB). Extensible Markup Language (XML) blurs the line between control plane and data plane traffic. XML is increasingly used to exchange a wide variety of data. Some of this "data" is actually control plane information being shared between applications and/or network-infrastructure equipment. Given that one of XML's goals is to provide meaningful structure and schematics (that is, easily understood by both computers and humans), it could prove dangerous in the wrong hands. Most agree that having appropriate visibility into Layer 2 and above header information and deep packet inspection into the network packet payloads are essential components of every effective network and security operations team.
The E2E client-to-server model fundamentally violates the best practice of having a layered security model. In this model, either the client or the server must perform all quality of service (QoS), security, logging, compliance reporting, and so on. Taking into consideration the time from when a new exploit is identified until a patch is made available, the effort to verify that the patch doesn't create additional vulnerabilities or break applications, and then the downtime associated with patch management itself, it could be days, weeks, or months before a viable remedy is in place. Here, downtime must not be underestimated. If the security is only available in the server's OS, any updates and/or patches require all servers to be taken out of production. This means downtime for your business or command and control servers. In this E2E model type, you cannot rely on existing time-tested and proven network-based security capabilities. In contrast, network-based security capabilities preserved by 802.1AE allow the most flexible approach, providing the ability to apply wire-speed full Layer 2 encryption in areas that you deem most sensitive without compromising security.
In addition to applying network-based detection and prevention capabilities to circumvent exploits, there is the requirement to demonstrate compliance with various regulatory acts and to have information for forensics to support criminal prosecution. Without detailed and meaningful logging of network exploits, information theft, sabotage, and so on, organizations can do little to prove compliance or prosecute suspected cyber criminals. The ability to monitor today's complex networks is more critical than ever, both from a security-risk management and a performance-analysis perspective. An essential tool for most modern network and security-operations teams is NetFlow. E2E LAN encryption technologies obscure any ability to capture NetFlow and other data, which renders monitoring and security-situational awareness tools ineffective. It cannot be emphasized enough that the preservation of such logging throughout the network is critical and vital to network and security operations.
An equally important aspect of network operations is the classification and policing of network traffic. Businesses, health organizations, and governments rely on advanced communications with converged voice, video, and data to achieve greater economies of scale. This is a reality for most organizations and governments. This results in an increased need to prioritize traffic (for example, stock transactions, voice communications, and so on). These priorities differ from company to company. Many of these networks span the world and are either transaction- or time-sensitive critical communications where milliseconds count. Be it financial-trading transactions (where large amounts of money are at stake) or military directives (where lives hang in the balance), it is critical to ensure proper prioritization and reduce latency and jitter to a minimum. For many large corporations, the ability to inspect, classify, and prioritize packets and flows through their networks is paramount. PC-to-server-based encryption models defeat weighted fair queuing (WFQ), priority, and other flow-based traffic prioritization mechanisms.
Chapter 18: IEEE 802.1AE
It is virtually impossible to state which of the preceding capabilities are most important. The various functional groups within IT organizations would probably have an opinion on which is most important to them. However, if you asked the CIO or CISO, chances are he would classify them all as equally important and necessary. As such, there is a need to preserve these key fundamental capabilities and provide a holistic means to maintain confidentiality and integrity. IEEE 802.1AE MACSec provides just that: encryption and integrity checking at Gb speeds on a hop-by-hop basis.
As previously discussed, each IEEE 802.1AE Ethernet port encrypts packets on the egress and decrypts them on the ingress. Leaving packets in the clear inside the switch's networking devices preserves the ability for critical capabilities (for example, inspection, classification, policing, NetFlow, filtering, load balancing, and so on), which most astute network and security teams deploy today.
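The following model is an added illustration and is not part of the chapter or of any MACSec implementation. It simulates a host, a switch, and a server and shows the point made above: with hop-by-hop (802.1AE-style) protection, each link has its own key, so the switch decrypts on ingress, can apply an ACL to the L3/L4 header in the clear, and re-encrypts on egress; with end-to-end protection, the switch holds no key and must forward the frame uninspected. It also shows the per-link packet-number check that rejects a replayed frame. The cipher and integrity tag are toy stand-ins (a SHA-256 keystream and a truncated HMAC-SHA256 tag) for the AES-GCM that MACSec actually uses; the keys, addresses, and the "block telnet" policy are constructed for the example.

```python
"""Added model of hop-by-hop versus end-to-end LAN encryption (not from the chapter).
Cipher and tag are toy stand-ins for AES-GCM; keys, addresses, and policy are constructed."""
import hashlib
import hmac
import struct

L2_HDR = struct.Struct(">6s6s")       # dst MAC, src MAC: stays in the clear on the wire
L3L4_HDR = struct.Struct(">4s4sBH")   # src IP, dst IP, proto, dst port: inside the payload
PN_LEN, TAG_LEN = 8, 16
ACL_DENY_TCP_PORTS = {23}             # constructed switch policy: block telnet to the server


def _keystream(key: bytes, pn: int, n: int) -> bytes:
    """Toy keystream SHA-256(key || pn || block); stand-in for AES counter mode."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">QI", pn, block)).digest()
        block += 1
    return out[:n]


def protect(key: bytes, pn: int, l2: bytes, payload: bytes) -> bytes:
    """Encrypt the payload and tag pn || l2 || ciphertext (ICV stand-in)."""
    ks = _keystream(key, pn, len(payload))
    ct = bytes(a ^ b for a, b in zip(payload, ks))
    body = struct.pack(">Q", pn) + l2 + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def unprotect(key: bytes, last_pn: int, frame: bytes):
    """Check the tag and the replay counter; return (pn, l2, payload) or None."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        return None                                   # tampered, or wrong key
    pn = struct.unpack(">Q", body[:PN_LEN])[0]
    if pn <= last_pn:
        return None                                   # replay: PN must increase
    l2 = body[PN_LEN:PN_LEN + L2_HDR.size]
    ct = body[PN_LEN + L2_HDR.size:]
    return pn, l2, bytes(a ^ b for a, b in zip(ct, _keystream(key, pn, len(ct))))


def acl_verdict(payload: bytes) -> str:
    """Switch-side inspection of the L3/L4 header carried in the clear payload."""
    _src, _dst, proto, dport = L3L4_HDR.unpack_from(payload)
    return "deny" if proto == 6 and dport in ACL_DENY_TCP_PORTS else "permit"


def switch_forward(frame: bytes, state: dict, ingress_key, egress_key):
    """Hop-by-hop: decrypt, inspect, re-encrypt. End-to-end: no key, forward blind."""
    if ingress_key is None:
        return "uninspected", frame                   # only the L2 header is visible
    res = unprotect(ingress_key, state["last_pn"], frame)
    if res is None:
        return "drop:integrity-or-replay", None
    pn, l2, payload = res
    state["last_pn"] = pn
    if acl_verdict(payload) == "deny":
        return "drop:acl", None
    state["egress_pn"] += 1
    return "forward", protect(egress_key, state["egress_pn"], l2, payload)


def simulate(mode: str, dport: int):
    """Send one TCP frame host -> switch -> server; return (switch action, delivered intact?)."""
    k_link1, k_link2, k_e2e = b"key:host-switch", b"key:switch-server", b"key:host-server"
    l2 = L2_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    payload = L3L4_HDR.pack(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), 6, dport) + b"hello"
    state = {"last_pn": 0, "egress_pn": 0}
    if mode == "hop-by-hop":
        frame = protect(k_link1, 1, l2, payload)
        action, out = switch_forward(frame, state, k_link1, k_link2)
        server_key = k_link2
    else:                                             # end-to-end
        frame = protect(k_e2e, 1, l2, payload)
        action, out = switch_forward(frame, state, None, None)
        server_key = k_e2e
    got = unprotect(server_key, 0, out) if out is not None else None
    return action, got is not None and got[2] == payload


def replay_is_dropped() -> bool:
    """Re-sending a captured frame on a hop-by-hop link fails the PN check."""
    k1, k2 = b"key:host-switch", b"key:switch-server"
    l2 = L2_HDR.pack(bytes(6), bytes(6))
    payload = L3L4_HDR.pack(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), 6, 80) + b"x"
    frame = protect(k1, 7, l2, payload)
    state = {"last_pn": 0, "egress_pn": 0}
    first, _ = switch_forward(frame, state, k1, k2)
    second, _ = switch_forward(frame, state, k1, k2)
    return first == "forward" and second == "drop:integrity-or-replay"


if __name__ == "__main__":
    for mode in ("hop-by-hop", "end-to-end"):
        for port in (80, 23):
            print(mode, port, simulate(mode, port))
    print("replay dropped:", replay_is_dropped())
```

Running the script shows the asymmetry the chapter describes: on the hop-by-hop path the telnet frame is dropped by the switch's ACL while the web frame is forwarded, whereas on the end-to-end path both frames reach the server uninspected because the switch never sees the L3/L4 header in the clear. The replay case shows why each link keeps its own monotonically increasing packet number.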
Summary
The availability of Layer 2 Ethernet devices with MACSec-capable interface ports offers a single method to provide confidentiality and integrity in a nondisruptive manner that does not introduce performance penalties or preclude the use of other higher layer cryptographic protections (whether they are tunneled or transport mode).
Organizations will be able to deploy MACSec in areas they deem most vulnerable to snooping, tampering, and replaying of network traffic. Some organizations that are under heavy regulations or have experienced significant losses because of many of the exploits outlined throughout this book and this chapter might move quickly to upgrade to the new IEEE 802.1AE-capable Ethernet switching equipment. Other organizations will likely migrate as part of their normal refresh cycles. At any rate, in the future, chances are that companies will not think of deploying Ethernet switches or any networking device with a Layer 2 Ethernet port that does not provide MACSec—just like they wouldn't consider deploying wireless without WPA-2.