Security Landscape: LinkSec’s Coexistence with Other Security Technologies
802.1AE/af for wire-line networks is akin to WPA-2 for wireless. An important goal
of LinkSec is to secure network infrastructure. It does so by operating at Layer 2 on a
link-by-link basis. This allows LinkSec to secure basic control plane protocols,
regardless of which layer they operate on (for example, STP, ARP, and so on). Clearly,
every aspect of the control plane is critical for any production network. Figure 18-7 shows
LinkSec coexisting with other technologies.
Figure 18-7 LinkSec Coexistence
A lot of confusion exists about how LinkSec fits in with higher layer security solutions,
such as SSL, Transport Layer Security (TLS), and IPsec. LinkSec does not replace any of
the higher layer solutions; in fact, it complements them to build a truly secure and robust
network.
Here’s an analogy to further illustrate this point: Think of the network stack as a building.
There’s no point in putting steel doors on the first floor if the building’s foundation is weak.
If the building collapses because of a weak foundation, what good are the steel doors on the
first floor? Conversely, having a strong foundation doesn’t mean that you do not need a steel
door on the first floor that might house a bank vault. The point is, to build a robust and
secure building, start by building a robust foundation. Then, build each floor and, depending
on the usage, build appropriate security for each floor. If the first floor will house a bank
vault, “build-in” a steel door; otherwise, a glass door would suffice. In other words, security
and robustness of floors must complement each other.
Similarly, a robust network requires that all layers are protected. What good is having
host-to-server IPsec or SSL-tunneled connectivity if a Layer 2 compromise occurs?
However, just securing Layer 2 with LinkSec is not the full solution either, because higher
layer-application security might demand end-to-end authentication and encryption. For
example, although the network has deployed LinkSec, it does not mean that an application,
such as a payroll server, won’t require HTTPS (SSL) for end-to-end user authentication and
data encryption between the user’s browser and the server. Clearly, the server wants to
identify/authenticate the user so that the appropriate record can be found. Also, the nature of
the application demands that all data flow between the user’s browser and the server be
encrypted.
[Figure 18-7 labels: TCP/UDP/SSL/TLS; Higher Layer Protocols; IP/IPsec; 802.11i; 802.1AE/af; 802.1X + EAP; Wireless; Wire-Line; layers L1, L2, L3, L4, L5+]
Chapter 18: IEEE 802.1AE
In short, all security-encryption technologies (for example, LinkSec, IPsec, SSL, TLS, and
so on) are complementary, and they are the required pieces to complete the enterprise
network-security puzzle.
NOTE In the case where 802.1AE is not available and Layer 2 security is required (that is, to
secure intra-VLAN traffic between two remote data centers), there is a specific combination
of Layer 2 Tunneling Protocol (L2TP) and IPsec that is described in the Appendix,
“Combining IPsec with L2TPv3 for Secure Pseudowire,” that allows for bridging VLAN
traffic inside an IPsec tunnel. Although this combination works, it does not scale and has a
large overhead; hence, only use it where 802.1AE is not applicable.