Enterprise Trends and Challenges

Many of you might wonder: why wire-rate encryption for Layer 2 Ethernet LAN networks? Aren’t physical security practices and Layer 7 application security measures sufficient to address the vulnerability of unauthorized access to sensitive information? The reality: No. Throughout this book, you’ve read that there are numerous means by which a would-be malicious user can compromise or circumvent certain vulnerabilities in network protocols, operating systems (OS), and applications. With each new network protocol vulnerability discovered, the industry creates a point-specific countermeasure. It’s just like getting cut and applying a bandage to the wound.

To continue with the “bandage” analogy, you could wear a suit of armor to protect yourself from future cuts. However, a more general, holistic means is needed to address currently known and potentially future discovered LAN protocol vulnerabilities. Layer 2 protections are a significant part of a defense-in-depth strategy. Although particular applications, such as secure telephony, benefit from application-level security, Layer 2 is the best place to protect against many other telephony attacks. For example, although secure VoIP applications can protect a phone call’s privacy, they do not hide the facts, such as identifying which phone calls, which phone, or which call manager is in use.

Attackers use these facts to gain information and perform traffic analysis of encrypted calls, and they use the information gleaned in this way to launch denial of service (DoS) attacks. 802.1AE is the best defense against attacks on Layer 2 networks (for example, spanning tree) and on protocols that do not use IP (such as Address Resolution Protocol [ARP], Internetwork Packet Exchange [IPX], NetBIOS Extended User Interface [NetBEUI], and so on). (These are just a few high-level examples; elaborating on each protocol and application is extensive and beyond this chapter’s scope.)

306 Chapter 18: IEEE 802.1AE

NOTE For more information on these high-level protocol examples, go to http://en.wikipedia.org/wiki/Communications_protocol.

Layer 2 is the natural place to provide broad protections against snooping, spoofing, tampering, replay, and unauthorized traffic analysis on LANs.