Security Basics mailing list archives

Re: Layer 2 crypto device needed.


From: "Mitchell Rowton" <mrowton () bdo com>
Date: Wed, 31 Mar 2004 15:53:39 -0500

I think this will be difficult to do without using a layer three device.
 The military uses layer 2 devices like this, but at some point during
the encrypt/decrypt process it needs to be translated to a serial pipe.
So even though it is layer two encryption, we had to use routers to
translate serial to Ethernet at some point in the process.  And if you
have to use routers anyway...  Could you just use a VPN?  Mind you,
there may be new spiffy technologies that translate straight Ethernet, but
they are at least not common.

Another point is that the STP will only be passing data when the fiber
is down.  I assume this won't happen often, and therefore your exposure
is lower than if the primary path was also STP.  Now if an attacker knew
this they could cut the fiber link in order to sniff the STP, but I would
assume someone would start tracing this cable fairly quickly to figure
out what the problem is, and thus find the attacker.  Bottom line is
that I would also consider the following three options:
(1) Using routers / VPN
(2) Using another fiber run as backup and removing the bridges
(3) Accepting the risk

--
Mitchell

Oleksandr Darchuk <o.darchuk () wucb lviv net> 03/31/04 09:53AM >>>
Hello, list

There are 2 remote offices and 2 links between them: fiber-optic and
twisted pair. And there are 2 separate VLANs in both offices, that's why
the remote offices communicate on Layer 2 (Ethernet frames, specifically
802.1Q). The "primary" line is fiber-optic.
I want to create a backup line for the fiber-optic using twisted pair.
The fiber-optic link is terminated on a switch, so I think the best way to
set up the backup line is to terminate the twisted pair (using Ethernet
bridges) on the same switch and use STP for backup. But I think it's not
secure sending Ethernet frames through twisted pair.

So the question is: does anyone know Layer 2 devices (like Ethernet
bridges) with any crypto algorithms (with a pre-shared key or smart card or
anything else)? I googled for some time, but didn't find anything.

Thanks for all advice.
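An added illustration, not code from either poster and not a description of any product in the thread, of what Oleksandr asks for and of the constraint that Mitchell's reply implies. An Ethernet bridge that encrypts frames under a pre-shared key must leave the destination and source MAC addresses in the clear so the switch on the far end can still forward them (and STP can still run across the link), while everything from the 802.1Q tag onward is encrypted and the whole frame, MACs included, is authenticated, with a packet number to reject replays. IEEE 802.1AE (MACsec), standardised after this 2004 thread, does exactly this with AES-GCM; the block below uses an HMAC-SHA256 counter-mode keystream and an HMAC tag purely so that it runs on Python's standard library, and it is a teaching model, not a wire-compatible MACsec implementation. The site names, MAC addresses, PSK and payload are constructed, and EtherType 0x88B5 (the IEEE Std 802 local-experimental value) is chosen here by assumption to mark protected frames.

```python
import hashlib
import hmac
import struct

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PROTECTED = 0x88B5   # IEEE 802 local-experimental EtherType; assumption: marks our frames
TAG_LEN = 16
HDR_LEN = 12 + 2 + 8           # dst MAC + src MAC + EtherType + 64-bit packet number


def build_vlan_frame(dst, src, vlan_id, ethertype, payload):
    """Assemble a plain 802.1Q-tagged Ethernet frame (constructed test input, PCP 0, DEI 0)."""
    tci = vlan_id & 0x0FFF
    return dst + src + struct.pack(">HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def _derive(psk, label):
    """Derive a sub-key from the pre-shared key; the label separates enc/mac and direction."""
    return hmac.new(psk, label, hashlib.sha256).digest()


def _keystream(key, packet_number, length):
    """HMAC-SHA256 in counter mode as a stand-in PRF stream (a real device uses AES-GCM)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, packet_number + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class L2Link:
    """One end of a point-to-point encrypting bridge between two sites sharing a PSK."""

    def __init__(self, psk, my_site, peer_site):
        # Per-direction keys: one PSK, but frames A->B and B->A never share keystream,
        # which they would if both ends started the same counter under the same key.
        self.enc_tx = _derive(psk, b"enc:" + my_site)
        self.mac_tx = _derive(psk, b"mac:" + my_site)
        self.enc_rx = _derive(psk, b"enc:" + peer_site)
        self.mac_rx = _derive(psk, b"mac:" + peer_site)
        self.tx_pn = 0
        self.rx_pn = 0   # highest packet number accepted; anything at or below it is a replay

    def protect(self, frame):
        """Plain frame -> protected frame. Only dst/src MAC stay readable for the switch."""
        dst_src = frame[:12]
        body = frame[12:]          # 802.1Q tag, inner EtherType and payload are all hidden
        self.tx_pn += 1
        pn = struct.pack(">Q", self.tx_pn)
        header = dst_src + struct.pack(">H", ETHERTYPE_PROTECTED) + pn
        ct = _xor(body, _keystream(self.enc_tx, pn, len(body)))
        tag = hmac.new(self.mac_tx, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        return header + ct + tag

    def unprotect(self, wire):
        """Protected frame -> plain frame; rejects forgeries, tampering and replays."""
        if len(wire) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        header, ct, tag = wire[:HDR_LEN], wire[HDR_LEN:-TAG_LEN], wire[-TAG_LEN:]
        if struct.unpack(">H", header[12:14])[0] != ETHERTYPE_PROTECTED:
            raise ValueError("not a protected frame")
        expect = hmac.new(self.mac_rx, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):   # verify before touching any state
            raise ValueError("authentication failed")
        pn_bytes = header[14:HDR_LEN]
        pn = struct.unpack(">Q", pn_bytes)[0]
        if pn <= self.rx_pn:
            raise ValueError("replayed frame")
        self.rx_pn = pn
        return header[:12] + _xor(ct, _keystream(self.enc_rx, pn_bytes, len(ct)))


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame on VLAN 10 between two locally administered MACs.
    frame = build_vlan_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"),
                             10, ETHERTYPE_IPV4, b"\x45\x00" + b"constructed IPv4 bytes!!")
    a = L2Link(b"constructed-psk", b"office-a", b"office-b")
    b = L2Link(b"constructed-psk", b"office-b", b"office-a")
    wire = a.protect(frame)
    print("outer MACs unchanged:", wire[:12] == frame[:12])
    print("decrypts to original:", b.unprotect(wire) == frame)
```

The switch between the two bridges sees only the outer MACs and the 0x88B5 EtherType, so MAC learning and forwarding work unchanged; what it can no longer see is which VLAN or protocol a frame belongs to, which is the point of putting the 802.1Q tag under encryption. Anything on the twisted pair that cuts, injects or replays frames fails the tag or packet-number check instead of reaching the far-end VLAN.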
