Security Basics mailing list archives
Re: Layer 2 crypto device needed.
From: "Mitchell Rowton" <mrowton () bdo com>
Date: Wed, 31 Mar 2004 15:53:39 -0500
I think this will be difficult to do without using a layer three device. The military uses layer 2 devices like this, but at some point during the encrypt/decrypt process it needs to be translated to a serial pipe. So even though it is layer two encryption, we had to use routers to translate serial to Ethernet at some point in the process. And if you have to use routers anyway... could you just use a VPN? Mind you, there may be new spiffy technologies that translate straight Ethernet, but they are at least not common.

Another point is that the STP will only be passing data when the fiber is down. I assume this won't happen often, and therefore your exposure is lower than if the primary path was also STP. Now, if an attacker knew this they could cut the fiber link in order to sniff the STP. I would assume someone would start tracing this cable fairly quickly to figure out what the problem is, and thus find the attacker.

Bottom line is that I would also consider the following three options:
(1) Using routers / VPN
(2) Using another fiber run as backup and removing the bridges
(3) Accepting the risk

-- Mitchell
Oleksandr Darchuk <o.darchuk () wucb lviv net> 03/31/04 09:53AM >>>
Hello, list.

There are 2 remote offices and 2 links between them: fiber-optic and twisted pair. And there are 2 separate VLANs in both offices, that's why remote offices communicate on Layer 2 (Ethernet frame, especially 802.1q). The "primary" line is fiber-optic. I want to create a backup line for the fiber-optic using twisted pair. The fiber-optic link is terminated on a switch, so I think that the best way to set up the backup line is to terminate the twisted pair (using Ethernet bridges) on the same switch and use STP for backup. But I think it's not secure sending Ethernet frames through twisted pair. So the question is: does anyone know Layer 2 devices (like Ethernet bridges) with any crypto algs (with pre-shared key or smart card or anything else)? I googled some time, but didn't find anything.

Thanks for all advice.
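The kind of encrypting Ethernet bridge Oleksandr asks about, as an added example in Go that is not part of this thread or of any product: one direction of a point-to-point bridge with a pre-shared key keeps the MAC addresses and the 802.1Q tag in clear so the switch at the far end can still forward the frame, authenticates that header, encrypts the rest of the frame with AES-GCM, and rejects tampered or replayed frames. The `Bridge` type, `Protect`/`Unprotect` and the header-plus-nonce layout are a hypothetical design of my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// 802.1Q frame: dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload. The first 16 bytes
// stay in clear so the far switch can forward on MAC and VLAN, but are authenticated as AAD.
const clearLen = 16
// Bridge is one direction of a point-to-point encrypting bridge (hypothetical design). Use a
// distinct pre-shared key per direction: the counter nonce must never repeat under one key.
type Bridge struct {
	aead    cipher.AEAD
	sendSeq uint64 // frames sent; becomes the nonce
	recvSeq uint64 // highest authenticated counter received, for replay rejection
}
func NewBridge(key []byte) (*Bridge, error) {
	blk, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(blk)
	if err != nil { return nil, err }
	return &Bridge{aead: aead}, nil
}

// Protect emits: clear header || 12-byte nonce || AES-GCM(EtherType + payload).
func (b *Bridge) Protect(frame []byte) ([]byte, error) {
	if len(frame) < clearLen+2 || binary.BigEndian.Uint16(frame[12:14]) != 0x8100 {
		return nil, errors.New("not an 802.1Q-tagged frame")
	}
	b.sendSeq++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], b.sendSeq)
	out := append(append([]byte{}, frame[:clearLen]...), nonce...)
	return b.aead.Seal(out, nonce, frame[clearLen:], frame[:clearLen]), nil
}

// Unprotect verifies and decrypts; it rejects tampering, the wrong key and replays.
func (b *Bridge) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < clearLen+12+b.aead.Overhead() { return nil, errors.New("packet too short") }
	hdr, nonce, ct := pkt[:clearLen], pkt[clearLen:clearLen+12], pkt[clearLen+12:]
	seq := binary.BigEndian.Uint64(nonce[4:])
	if seq <= b.recvSeq { return nil, errors.New("replayed frame") }
	pt, err := b.aead.Open(nil, nonce, ct, hdr) // fails on wrong key or modified bytes
	if err != nil { return nil, err }
	b.recvSeq = seq
	return append(append([]byte{}, hdr...), pt...), nil
}
```

The replay counter is only advanced after a frame authenticates, so an attacker cannot poison it, and the nonce is derived from that same counter, which is why each direction needs its own key.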