In this technical deep dive, Emil Isaakian will explain the details of the protocol, cryptography, key management and vulnerabilities mitigated by MACsec/ESS. Additionally, he'll show use cases illustrating how to successfully deploy MACsec/ESS technologies (network encryptors + NFV) to protect your WAN (MPLS, PBBN, Carrier Ethernet), LAN and cloud infrastructure.
(Source: RSA Conference USA 2017)
17. #RSAC
Network Vulnerabilities Mitigated
| Attack/Vulnerability | Description | Does MACsec protect against this? | Does ESS protect against this? | Description of protection |
|---|---|---|---|---|
| Application-level DoS/DDoS | Denial of Service / Distributed Denial of Service attacks in which large volumes (floods) of packets are directed at servers to overload the network | Yes | Yes | Frames that are not authenticated/encrypted under the link's key are dropped at the link layer, so application services never see the flood. This holds only for traffic arriving on a MACsec-protected link: a flood sent by an authorized peer, or saturation of the physical link itself, is not prevented. |
| L2 MAC address table DoS | DoS targeting a router/switch by sending large volumes (floods) of frames with different source MAC addresses to exhaust the MAC address table | Yes | Yes | Line-rate classification of L2 frames forces all unauthorized frames (e.g. non-MACsec frames) to be dropped on ingress, before their addresses can be learned. |
| Spanning Tree Protocol DoS | DoS targeting a router/switch by sending large volumes (floods) of STP packets (BPDUs) to overload the control plane | Yes | Yes | Line-rate classification of L2 frames forces all unauthorized frames (e.g. non-MACsec frames) to be dropped on ingress. |
| ARP poisoning / man-in-the-middle (eavesdropping) | Malicious ARP replies from compromised or insecure end devices poison the ARP cache, causing traffic to be redirected | Yes | Yes | Unauthorized devices cannot communicate on a MACsec authenticated/encrypted network, so their ARP replies are never accepted by protected hosts. |
| Port mirroring (eavesdropping) | Reconfiguration or physical tapping of a switch/router port | Yes | Yes | Unauthorized devices cannot decrypt data sent on a MACsec authenticated/encrypted network. Because MACsec is hop-by-hop, this defeats taps and mirrors on the protected link; a mirror configured on the device that terminates the MACsec link still sees the decrypted frames. |
| Replay | An adversary or malicious user can capture valid authenticated/encrypted traffic and replay (re-send) it | Partial | Partial | MACsec provides anti-replay protection via a configurable replay window: the receive SA tracks the next expected packet number (PN) and discards frames whose PN falls below the window. With a window of 0 (strict), any PN lower than the next expected one is rejected; with a non-zero window (needed where the path may reorder frames) a frame whose PN is still inside the window can be accepted again, which is why the protection is only partial. |
| Traffic flow analysis | Even without being able to decrypt and recover a packet's plaintext, inspection of the MAC source/destination addresses (together with frame sizes and timing) can allow an adversary to map the network topology and gain intelligence on endpoints, communication activity, etc. | No | Yes | MACsec leaves the destination/source MAC addresses, the SecTAG (including the SCI and packet number) and the frame length in the clear. ESS provides continuous, fixed-size frames that encapsulate the underlying network packets, preventing this analysis. |
| Covert channels | A compromised endpoint, malicious user or application can indirectly create an unsecured covert communications channel over a secure network by varying the sizes, rates and source/destination addresses of transmitted packets | No | Yes | ESS provides continuous, fixed-size frames that encapsulate the underlying network packets, removing the size, timing and address variation the covert channel depends on. |
| Repudiation | Sending secure (or insecure) packets and later disavowing that the packets were sent from the specified end device | Partial | Partial | MACsec's ICV is computed with a symmetric SAK shared by every member of the CA, so it proves that a CA member sent the frame, not which one. Combined with the anti-replay window this gives some protection against repudiation: strongest on a point-to-point CA with two members, weakest where many end devices share an SA. Cryptographic non-repudiation would require per-device signatures, which MACsec does not provide. |
| MAC address spoofing | An insecure end device masquerades as a trusted device's MAC address, both to re-route traffic for DoS attacks and potentially to eavesdrop on communications | Yes | Yes | Unauthorized devices cannot communicate on a MACsec authenticated/encrypted network (a frame with a spoofed source address but no valid ICV is dropped on ingress), so they can neither redirect traffic nor eavesdrop. |
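As an added illustration of the DoS, traffic-flow-analysis and replay rows above (example code written for this page, not from the slides or any vendor's product), the following Python models the IEEE 802.1AE receive path for one secure association: untagged frames are dropped before any cryptography, the SecTAG metadata a passive tap can read is extracted, and replay filtering is applied with the `nextPN`/`lowestPN` bookkeeping the standard specifies. The GCM-AES ICV and keystream are replaced by a labelled HMAC-SHA256 and hash-based stand-in so the block runs with the standard library only; the MAC addresses, SCI and key are constructed sample values, and the counter names (`InPktsNoTag`, `InPktsLate`, `InPktsNotValid`, `InPktsOK`) are the 802.1AE ones.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

MACSEC_ETHERTYPE = 0x88E5
TCI_SC = 0x20            # SCI explicitly present in the SecTAG
TCI_E = 0x08             # E bit: user data is encrypted
TCI_C = 0x04             # C bit: user data changed (set together with E)
ICV_LEN = 16

# Constructed sample values (hypothetical; not from any real deployment).
SAK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # stands in for an MKA-distributed SAK
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")
SCI = SRC + b"\x00\x01"                                    # SCI = source MAC || port identifier


def toy_icv(sak: bytes, aad: bytes, secure_data: bytes) -> bytes:
    """STAND-IN for the GCM-AES ICV: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(sak, aad + secure_data, hashlib.sha256).digest()[:ICV_LEN]


def toy_keystream(sak: bytes, pn: int, length: int) -> bytes:
    """STAND-IN for the AES-GCM keystream (not a real cipher), keyed on SAK and PN."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(sak + struct.pack("!II", pn, counter)).digest()
        counter += 1
    return out[:length]


def build_frame(dst, src, sci, pn, user_data, sak=SAK, an=0) -> bytes:
    """DA | SA | SecTAG | secure data | ICV, with the SecTAG laid out as in 802.1AE."""
    tci_an = TCI_SC | TCI_E | TCI_C | (an & 0x03)
    sl = len(user_data) if len(user_data) < 48 else 0     # short length field
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci
    ks = toy_keystream(sak, pn, len(user_data))
    secure_data = bytes(a ^ b for a, b in zip(user_data, ks))
    aad = dst + src + sectag                                 # authenticated but not encrypted
    return aad + secure_data + toy_icv(sak, aad, secure_data)


def visible_metadata(frame: bytes) -> dict:
    """What a passive tap sees on a MACsec link: addresses, SecTAG and length are cleartext."""
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    sci = frame[20:28] if tci_an & TCI_SC else None
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "an": tci_an & 0x03, "pn": pn, "sci": sci.hex() if sci else None,
            "frame_len": len(frame)}


@dataclass
class ReceiveSA:
    sak: bytes
    replay_window: int           # 0 = strict, in-order acceptance only
    next_pn: int = 1
    lowest_pn: int = 1
    counters: dict = field(default_factory=lambda: {
        "InPktsNoTag": 0, "InPktsLate": 0, "InPktsNotValid": 0, "InPktsOK": 0})


def receive(sa: ReceiveSA, frame: bytes):
    """802.1AE receive processing with validateFrames=strict and replayProtect=true.
    Returns the recovered user data, or None if the frame was dropped."""
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        sa.counters["InPktsNoTag"] += 1        # untagged flood: dropped at ingress, no crypto spent
        return None
    tci_an, _sl, pn = struct.unpack("!BBI", frame[14:20])
    hdr_len = 20 + (8 if tci_an & TCI_SC else 0)
    # 1. Replay check runs BEFORE ICV validation, so a replayed frame costs no ICV computation.
    if pn < sa.lowest_pn:
        sa.counters["InPktsLate"] += 1
        return None
    aad, secure_data, icv = frame[:hdr_len], frame[hdr_len:-ICV_LEN], frame[-ICV_LEN:]
    # 2. Integrity check under the SAK: forged frames and spoofed sources fail here.
    if not hmac.compare_digest(icv, toy_icv(sa.sak, aad, secure_data)):
        sa.counters["InPktsNotValid"] += 1
        return None
    # 3. PN bookkeeping as in 802.1AE: only a fresh PN advances the window. A PN that is
    #    below next_pn but still >= lowest_pn is accepted again (there is no bitmap),
    #    which is why replay protection with a window > 0 is only partial.
    if pn >= sa.next_pn:
        sa.next_pn = pn + 1
        sa.lowest_pn = max(sa.next_pn - sa.replay_window, 1)
    sa.counters["InPktsOK"] += 1
    ks = toy_keystream(sa.sak, pn, len(secure_data))
    return bytes(a ^ b for a, b in zip(secure_data, ks))


def run_scenario(replay_window: int) -> dict:
    """Drive one receive SA through good frames, a replay of PN 3, an untagged flood
    and a frame forged under the wrong key; return counters and whether the replay got through."""
    sa = ReceiveSA(SAK, replay_window)
    frames = [build_frame(DST, SRC, SCI, pn, b"payload %d" % pn) for pn in range(1, 6)]
    good = [receive(sa, f) for f in frames]
    replay_accepted = receive(sa, frames[2]) is not None         # captured PN 3 re-sent
    untagged = DST + SRC + b"\x08\x00" + b"\x00" * 46             # constructed plain IPv4 frame
    for _ in range(3):
        receive(sa, untagged)
    receive(sa, build_frame(DST, SRC, SCI, 99, b"evil", sak=b"\xff" * 16))   # wrong SAK
    return {"counters": sa.counters, "replay_accepted": replay_accepted,
            "all_good_accepted": all(p is not None for p in good)}


if __name__ == "__main__":
    print(visible_metadata(build_frame(DST, SRC, SCI, 1, b"hello")))
    for window in (0, 64):
        print("replay window", window, run_scenario(window))
```

Running the script shows the two halves of the story: `visible_metadata` returns both MAC addresses, the SCI, the packet number and the frame length without touching the key, which is exactly the information traffic-flow analysis needs; and `run_scenario(0)` counts the replayed frame as `InPktsLate` while `run_scenario(64)` counts it as `InPktsOK`, so the window size chosen for a reordering WAN directly trades replay resistance for tolerance of out-of-order delivery. In both runs the untagged flood and the forged frame never reach the decryption step.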