A Survey of Ethernet LAN Security

Ethernet is the survivor of the LAN wars. It is hard to find an IP packet that has not passed over an Ethernet segment. One important reason for this is Ethernet's simplicity and ease of configuration. However, Ethernet has always been known to be an insecure technology. Recent successful malware attacks and the move towards cloud computing in data centers demand that attention be paid to the security aspects of Ethernet. In this paper, we present known Ethernet-related threats and discuss existing solutions from the business, hacker, and academic communities. Major issues, such as the insecurities of the Address Resolution Protocol (ARP) and of self-configurability, are discussed. The solutions fall roughly into three categories: accepting Ethernet's insecurity and surrounding it with firewalls; creating a logical separation between the switches and end hosts; and centralized, cryptography-based schemes. However, none of the above provides the perfect combination of simplicity and security befitting Ethernet.
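The ARP insecurity named above is that any host can answer a request, or send unsolicited replies, for any IP address. As an added defender-side illustration (not code from the surveyed paper), the following detector flags two symptoms of ARP cache poisoning in a constructed log of observed replies: an IP address announced with a MAC address that differs from its known binding, and a burst of replies from one MAC within a short window. The record format and the first-seen-binding policy are assumptions for the example.

```python
"""Detect ARP cache poisoning symptoms in a log of observed ARP replies.

Constructed illustration. Each record is (timestamp_s, sender_ip,
sender_mac, target_ip). The trusted binding table is seeded from the
first reply seen for an IP; in a real deployment it would come from a
static table or DHCP-derived data instead (assumption for this example).
"""
from collections import defaultdict, deque

# Constructed sample: gateway .1 answers normally, then a second MAC
# starts claiming .1 in rapid unsolicited replies to several hosts.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10"),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.10"),
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.20"),
    (3.0, "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.10"),  # conflict
    (3.1, "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.20"),
    (3.2, "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.30"),
]


def detect_arp_anomalies(replies, burst_window=1.0, burst_threshold=3):
    """Return a list of alert tuples; the first element names the alert."""
    bindings = {}                 # sender_ip -> trusted MAC
    recent = defaultdict(deque)   # sender_mac -> timestamps inside window
    alerts = []
    for ts, sender_ip, sender_mac, _target_ip in replies:
        mac = sender_mac.lower()
        known = bindings.get(sender_ip)
        if known is None:
            bindings[sender_ip] = mac          # first sighting becomes trusted
        elif known != mac:
            # Trusted binding is kept; every conflicting reply is reported.
            alerts.append(("binding_conflict", ts, sender_ip, known, mac))
        window = recent[mac]
        window.append(ts)
        while window and ts - window[0] > burst_window:
            window.popleft()                   # drop replies outside window
        if len(window) == burst_threshold:     # fires once per crossing
            alerts.append(("reply_burst", ts, mac, len(window)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```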
