Securing wireless Local Area Network interconnections with Layer 2 encryption
July 14, 2010
Enabling military and civilian government operations to dynamically interconnect Local Area Networks (LANs), wireless technologies are a lifesaver in environments where wired connections are cost-prohibitive or just not practical. However, transmitting sensitive information over the airwaves presents security challenges including passive attacks and active attacks. Enter Layer 2 encryption, which can effectively thwart these security challenges. (U.S. Air Force photo by Senior Airman Julianne Showalter)
Wireless technologies enable military and civilian government operations to dynamically interconnect Local Area Networks (LANs) quickly and reliably in environments where wired connections are impractical and cost-prohibitive. This connection of LANs over the air without the use of a fixed, wired medium is typically referred to as wireless interconnectivity. Under this umbrella, a number of specific connection technologies are used including radio frequency, microwave, and free-space optics.
While popular from an operational perspective, wireless LAN interconnections suffer significant drawbacks when it comes to security. As with any open, shared medium, ensuring the confidentiality and integrity of sensitive data traveling across these links is of paramount importance, particularly in government and military applications. The security challenges introduced by transmitting sensitive information over the airwaves fall into two classes. In a passive attack, an adversary within radio range collects and reads traffic without touching it, and confidentiality is lost. In an active attack, the adversary injects new frames, or modifies or replays captured ones, and the integrity of the network is breached.
To provide insight into remedying these challenges in a government arena, the following discussion examines LAN operational advantages and associated vulnerabilities – and explores Layer 2 versus Layer 3 alternatives for enhanced security.
Wireless technologies for LANs
The proliferation of wireless LAN interconnections within government and enterprise has come as a result of LAN flexibility, ease of deployment, and cost savings. As alluded to previously, outdoor wireless interconnections over radio frequency, microwave, and free-space optic mediums allow system architects to connect LANs dynamically without having to physically lay cable or provision a service. In military environments in particular, wireless LAN interconnections can be established and dismantled at a moment’s notice in accordance with changing tactical and strategic battlefield conditions. Examples of this include forward-deployed tactical units and strategic intra-base virtual campus topologies such as military clinics and hospitals. A schematic representation of this environment is shown in Figure 1.
Figure 1: Wireless LAN interconnection in a forward-deployed tactical battlefield environment
While providing quick setup and complete ownership of the backbone links, wireless LAN interconnections offer no inherent security: anyone within range can intercept them, so they must be secured to ensure the confidentiality and integrity of the data traveling across them. In response to this vulnerability, the U.S. government has developed regulations to mitigate the threat of interception and specifies encryption as the preferred mechanism for protecting sensitive data. Within the Department of Defense (DoD), DoD Instruction 8500.2 and DoD Directive 8100.2 require that Sensitive But Unclassified (SBU) data carried over wireless systems be encrypted with FIPS 140-2 validated equipment using the Advanced Encryption Standard (AES) algorithm.
In theory, encryption can be applied at any of the seven layers defined by the Open Systems Interconnection (OSI) reference model for data networking (Figure 2). The model defines the functions and components that establish a data connection, from the physical medium at the bottom (Layer 1) to specific applications at the top (Layer 7). The lower in the model encryption is applied, the more transparent it is to everything above it: a Layer 2 encryptor protects every protocol that crosses the link without any application, host, or router having to be aware of it. In practice, data encryption is done at the frame level (Ethernet, Layer 2) or the packet level (IP, Layer 3).
Figure 2: OSI reference model for data networking
Layer 2 versus Layer 3: Advantages and vulnerabilities
Encryption to protect LAN interconnections can thus be applied at either Layer 2 or Layer 3. With the proliferation of the Internet, most encryption devices on the market until recently were packet encryptors operating strictly at IP Layer 3 using the IP Security (IPsec) standard. However, with increasing traffic volumes and growing use of latency-sensitive applications such as voice, video, and multimedia, IPsec has shown limitations that affect operational performance. For deployed battlefield communications in particular, Layer 3 interconnections using IPsec encryption can prove impractical.
Also, unlike Virtual Private Networks (VPNs) built on IPsec, with their security associations and the routing configuration that must be kept consistent at every site, Layer 2 encryption keeps the process simple and independent of routing tables and the overhead they add. By creating encrypted "tunnels" between the LANs being interconnected, private traffic is segregated and protected on the otherwise open medium.
Layer 2, the data link layer, carries frames between directly connected nodes over the physical medium defined at Layer 1 and handles the framing, addressing, and error detection for that hop. Layer 2 links are primarily used for high-speed, high-throughput connections between telecommunications facilities. When such a link is encrypted, the encryption mechanism encapsulates all higher-layer protocols crossing it, whether IP or anything else.
Delving deeper, Layer 2 encryption typically is performed either in bulk mode, where the entire frame is encrypted, or in a tunneled mode, where only the payload of the Ethernet frame is encrypted and the frame header is left in the clear. Wireless point-to-point applications are typically bulk encrypted, since they usually connect only two discrete sites and no intermediate device needs to read the header. Applications where a switched network is employed use tunneling so that switches can still forward on the cleartext header while the payload remains protected.
Compared to Layer 3 IPsec encryption, which significantly impacts throughput, Layer 2 encryption offers the best performance. Ethernet bulk mode yields full throughput with no frame expansion. Tunneling typically expands frames by no more than 22 bytes. For small frames (64 bytes, typical of voice over IP, video, and multimedia), throughput with Layer 2 encryption can be as much as 60 percent higher than with Layer 3 IPsec, as illustrated in Figure 3.
Figure 3: Throughput comparison (Mbps) between Layer 3 IPsec and Layer 2 Ethernet encryption (Source: Rochester Institute of Technology)
Latency, the amount of time needed for data to go through an encryption device, varies depending on the frame sizes utilized and generally decreases as the frame size increases. Depending on line speeds, Layer 2 tunneling will normally vary between 4 and 40 microseconds. IPsec, on the other hand, can add millisecond latencies, severely impacting performance.
In contrast to IPsec, encrypting the Ethernet frame at Layer 2 solves many of these challenges, providing line-speed encryption with minimal frame expansion and delay. Layer 2 encryption also eliminates the need for complex router and configuration management, and can be deployed as a "bump-in-the-wire" security solution: the device sits inline on the link, and all higher-layer protocols are encapsulated within the encrypted Ethernet frame. Because of this, Layer 2 encryption typically fits within the existing IT infrastructure, requiring minimal incremental resources and training to operate.
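The bulk and tunneled modes described above, together with the checks a Layer 2 encryptor applies against the passive and active attacks introduced earlier, as an added example in Go. This is not code from the article or from any Thales product. It assumes an AES-GCM key loaded out of band, an 8-byte sequence number that doubles as GCM nonce and replay counter, and a constructed sample frame; its fixed 24-byte expansion (sequence number plus tag) is this example's own framing, not the 22-byte figure quoted above for production devices. It goes beyond the text by showing a modified header and a replayed frame being rejected at the receiving end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ethHeaderLen = 14              // Ethernet II: dst MAC (6) + src MAC (6) + EtherType (2)
	seqLen       = 8               // sequence number sent in the clear; it also forms the GCM nonce
	tagLen       = 16              // AES-GCM authentication tag
	Overhead     = seqLen + tagLen // per-frame expansion of this toy (real devices pack it tighter)
)

// Mode selects how much of each frame is hidden.
type Mode int
const (
	Bulk   Mode = iota // point-to-point link: the whole frame, MAC addresses included
	Tunnel             // switched network: MAC header left readable so switches can forward
)

// Link is one direction of a protected link. A real device keys each direction
// separately so the two transmit counters can never collide under GCM.
type Link struct {
	aead   cipher.AEAD
	txSeq  uint64 // last sequence number sent
	rxLast uint64 // highest sequence number accepted
}

// NewLink takes a 16-, 24- or 32-byte AES key, assumed to be loaded out of band.
func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Link{aead: aead}, err
}

// Protect encrypts one outgoing frame: Bulk sends seq||GCM(frame), Tunnel sends
// hdr||seq||GCM(payload). Bytes sent in the clear are also authenticated (AAD).
func (l *Link) Protect(mode Mode, frame []byte) ([]byte, error) {
	if len(frame) < ethHeaderLen {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	var aad []byte
	if mode == Tunnel {
		aad = append(aad, frame[:ethHeaderLen]...)
		frame = frame[ethHeaderLen:]
	}
	l.txSeq++
	seq := make([]byte, seqLen)
	binary.BigEndian.PutUint64(seq, l.txSeq)
	aad = append(aad, seq...)
	// 96-bit GCM nonce = zero padding || seq; the counter never repeats under one key.
	return l.aead.Seal(append([]byte{}, aad...), append(make([]byte, 12-seqLen), seq...), frame, aad), nil
}

// Unprotect authenticates and decrypts one incoming frame, dropping anything forged,
// modified or replayed. In-order delivery is assumed, as on a point-to-point link.
func (l *Link) Unprotect(mode Mode, wire []byte) ([]byte, error) {
	hdrLen := 0
	if mode == Tunnel {
		hdrLen = ethHeaderLen
	}
	if len(wire) < hdrLen+seqLen+tagLen {
		return nil, errors.New("truncated frame")
	}
	aad, ct := wire[:hdrLen+seqLen], wire[hdrLen+seqLen:]
	seq := binary.BigEndian.Uint64(aad[hdrLen:])
	if seq <= l.rxLast {
		return nil, errors.New("replayed frame dropped")
	}
	payload, err := l.aead.Open(nil, append(make([]byte, 12-seqLen), aad[hdrLen:]...), ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: frame forged or modified")
	}
	l.rxLast = seq
	return append(append([]byte{}, aad[:hdrLen]...), payload...), nil
}

// sampleFrame is a constructed Ethernet II frame: made-up MACs, EtherType 0x0800 (IPv4).
func sampleFrame() []byte {
	f := []byte{2, 0, 0, 0xaa, 0xbb, 0xcc, 2, 0, 0, 0x11, 0x22, 0x33, 0x08, 0x00}
	return append(f, "IPv4 packet bytes would follow"...)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key, never a real one
	tx, _ := NewLink(key)
	rx, _ := NewLink(key)
	for _, m := range []Mode{Bulk, Tunnel} {
		wire, _ := tx.Protect(m, sampleFrame())
		_, first := rx.Unprotect(m, wire)  // the legitimate copy
		_, replay := rx.Unprotect(m, wire) // an eavesdropper re-injects it
		fmt.Printf("mode %d: %d bytes on the air, first: %v, replay: %v\n", m, len(wire), first, replay)
	}
}
```

In tunnel mode the first 14 bytes on the air equal the original MAC header, so a switch can forward the frame, but flipping any of them fails authentication at the far end because the header is bound to the ciphertext as additional authenticated data. In bulk mode an eavesdropper sees only the sequence counter and ciphertext, learning neither endpoint address nor EtherType. The strict in-order replay check is what a point-to-point link permits; a switched deployment would replace it with a sliding window. Nonce uniqueness rests on the counter never repeating under one key, which is why a real device rekeys periodically and keys each direction separately.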
Enhancing LAN security
LANs are known for their ease of use and quick setup. However, a network's security is only as good as the weakest of the links that tie it together. Protection mechanisms such as strong access control, intrusion detection and prevention systems, firewalls, malware removal, and encryption are commonly deployed within each LAN. If the wireless links that interconnect these LANs are not themselves secured, however, the data crossing them remains exposed to interception and compromise no matter how well each LAN is protected.
There is hope, however. Deploying wireless LAN interconnectivity with Layer 2 cryptography allows government, military, and civilian organizations to implement robust encryption quickly and with minimal network disruption, while typically preserving current investments. Layer 2 also enables military organizations to protect sensitive information exchanged across wireless LANs without affecting operational performance. To meet security requirements and reduce overall network complexity, wireless LAN interconnections operating at speeds up to 10 Gbps with Layer 2 security are becoming increasingly popular.
Juan Asenjo is a Senior Product Marketing Manager at Thales e-Security, where he manages the company's network security product line. Juan has worked in the information security field for 24 years, including more than 10 years in government and military environments. He has degrees in Engineering and Business, and is a Certified Information Systems Security Professional (CISSP). Juan can be contacted at [email protected].
Thales e-Security 954-888-6200 http://iss.thalesgroup.com