A survey of ethernet LAN security

IEEE Communications Surveys and Tutorials

Volumn 15, Issue 3, 2013, Pages 1477-1491

  Kiravuo, Timo ^a   Sarela, Mikko ^a   Manner, Jukka ^a  

^a AALTO UNIVERSITY   (Finland)

Author keywords

Data security; Ethernet networks; Security

Indexed keywords

ACADEMIC COMMUNITY; ADDRESS RESOLUTION PROTOCOL; DATA CENTERS; ETHERNET NETWORKS; MALWARE ATTACKS; SECURITY; SECURITY ASPECTS; THREE CATEGORIES;

PERSONAL COMPUTING; SECURITY OF DATA;

ETHERNET;

EID: 84881317767     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/SURV.2012.121112.00190     Document Type: Review

References (82)

1. N. Falliere, L. Murchu, and E. Chien, "W32.Stuxnet dossier." Symantec Security Response, 2010, retrieved Oct 24, 2011 Online: http://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/w32 stuxnet dossier.pdf.
2. J. Sommer, S. Gunreben, F. Feller, M. Kohn, A. Mifdaoui, D. Sass, and J. Scharf, "Ethernet-a survey on its fields of application," IEEE Commun. Surveys Tuts., vol. 12, no. 2, pp. 263-284, 2010.
3. R. Metcalfe and D. Boggs, "Ethernet: Distributed packet switching for local computer networks," Communications of the ACM, vol. 19, no. 7, pp. 395-404, July 1976.
4. R. Sofia, "A survey of advanced ethernet forwarding approaches," IEEE Commun. Surveys Tuts., vol. 11, no. 1, pp. 92-115, 2009.
5. G. King, "A survey of commercially available secure LAN products," in Computer Security Applications Conference, 1989., Fifth Annual, 1989, pp. 239-247. (Pubitemid 20700755)
6. R. Housley, "Encapsulation security protocol design for local area networks," in Local Area Network Security, ser. Lecture Notes in Computer Science, T. Berson and T. Beth, Eds. Springer Berlin Heidelberg, 1989, vol. 396, ch. chapter 10, pp. 103-109.
7. F. Poon and M. Iqbal, "Design of a physical layer security mechanism for CSMA/CD networks," Communications, Speech and Vision, IEE Proceedings I, vol. 139, no. 1, pp. 103-112, Feb 1992.
8. M. Soriano, J. Forńe, F. Recacha, and J. L. Meĺus, "A particular solution to provide secure communications in an Ethernet environment," in CCS '93: Proc. 1st ACM conference on Computer and communications security. New York, NY, USA: ACM Press, 1993, pp. 17-25.
9. M. El-Hadidi, N. Hegazi, and H. Aslan, "Implementation of a hybrid encryption scheme for Ethernet," in Computers and Communications, 1995. Proceedings., IEEE Symposium on. IEEE Comput. Soc. Press, Jul 1995, pp. 150-156.
10. M. Bishop, Introduction to Computer Security. Pearson Education, 2005.
11. R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. Wiley Publishing, 2008.
12. W. Stallings and L. Brown, Computer Security: Principles and Practice, 2nd ed. Pearson Education, 2012.
13. J. Pieprzyk, T. Hardjono, and J. Seberry, Fundamentals of Computer Security. Springer-Verlag, 2003.
14. A. Singh, B. Singh, and H. Joseph, Vulnerability Analysis and Defence for the Internet, ser. Advances in Information Security. Springer US, 2008, vol. 37.
15. S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed, 10th ed. McGraw-Hill, 2009.
16. E. Vyncke and C. Paggen, Lan switch security: what hackers know about your switches. Cisco Press, 2007.
17. G. Schudel and D. J. Smith, Router Security Strategies: Securing IP Network Traffic Planes. Cisco Press, 2008.
18. J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, "Wireless sensor network security: A survey," in Security in Distributed, Grid, and Pervasive Computing. CRC Press: Boca Raton, FL, USA, 2007.
19. D. J. Welch and S. D. Lathrop, "A survey of 802.11a wireless security threats and security mechanisms," United States Military Academy, West Point, 2003.
20. Media access control (MAC) Bridges, IEEE Std. 802.1D, 2004.
21. R. Droms, "Dynamic Host Configuration Protocol," RFC 2131 (Draft Standard), Internet Engineering Task Force, Mar. 1997, updated by RFCs 3396, 4361, 5494.
22. D. Plummer, "Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware," RFC 826 (Standard), Internet Engineering Task Force, Nov. 1982, updated by RFCs 5227, 5494.
23. T. Narten, E. Nordmark, W. Simpson, and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)," RFC 4861 (Draft Standard), Internet Engineering Task Force, Sep. 2007, updated by RFC 5942.
24. R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins, and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)," RFC 3315 (Proposed Standard), Internet Engineering Task Force, Jul. 2003, updated by RFCs 4361, 5494, 6221, 6422.
25. E. Mannie and D. Papadimitriou, "Generalized Multi-Protocol Label Switching (GMPLS) Extensions for Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) Control," RFC 4606 (Proposed Standard), Internet Engineering Task Force, Aug. 2006, updated by RFC 6344.
26. H. Holbrook, B. Cain, and B. Haberman, "Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery Protocol Version 2 (MLDv2) for Source-Specific Multicast," RFC 4604 (Proposed Standard), Internet Engineering Task Force, Aug. 2006.
27. "VLAN security white paper," 2002. [Online]. Available: http://www.cisco.com/en/US/products/hw/switches/ps708/products white paper09186a008013159f.shtml
28. Virtual Bridged Local Area Networks, IEEE Std. 802.1Q, 2005.
29. Virtual Bridged Local Area Networks-Amendment 4: Provider Bridges, IEEE Std. 802.1ad, 2005.
30. Multiple Registration Protocol, IEEE Std. 802.1AK, 2007.
31. T. Li, B. Cole, P. Morton, and D. Li, "Cisco Hot Standby Router Protocol (HSRP)," RFC 2281 (Informational), Internet Engineering Task Force, Mar. 1998.
32. S. Nadas, "Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6," RFC 5798 (Proposed Standard), Internet Engineering Task Force, Mar. 2010.
33. Station and Media Access Control Connectivity Discover, IEEE Std. 802.1AB, 2009.
34. Link Aggregation, IEEE Std. 802.1AX, 2008.
35. K. D. Mitnick, The Art of Intrusion. Wiley, 2005, page 127.
36. S. Stasiukonis, "Social engineering, the USB way," June 2006, retrieved Jan 17, 2011. [Online]. Available: http://www.darkreading.com/ security/article/208803634/index.html
37. T. Koponen, S. Shenker, H. Balakrishnan, N. Feamster, I. Ganichev, A. Ghodsi, P. B. Godfrey, N. McKeown, G. Parulkar, B. Raghavan, J. Rexford, S. Arianfar, and D. Kuptsov, "Architecting for innovation," SIGCOMM Comput. Commun. Rev., vol. 41, no. 3, pp. 24-36, Jul 2011.
38. "Global security report 2011," white paper, Trustwave, 2011. [Online]. Available: https://www.trustwave.com/downloads/Trustwave WP Global Security Report 2011.pdf
39. S. Convery, "Hacking layer 2: Fun with Ethernet switches," Black Hat USA, August 2002, retrieved Feb 15, 2011. [Online]. Available: http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
40. A. A. Vladimirov, "Making unidirectional VLAN and PVLAN jumping bidirectional," Full-disclosure mailing list, Dec 2005, retrieved May 15, 2011. [Online]. Available: http://lists.grok.org.uk/pipermail/fulldisclosure/ 2005-December/040333.html
41. "Catalyst 3550 multilayer switch software configuration guide, 12.1(19)ea1," Manual, Cisco Inc, Oct 2003.
42. "VoIP hopper software," Online, 2009, retrieved May 15, 2011. [Online]. Available: http://voiphopper.sourceforge.net/
43. O. Arkin and J. Anderson, "Etherleak: Ethernet frame padding information leakage," Online: http://www.rootsecure.net/content/downloads/ pdf/atstake etherleak report.pdf, 2003, retrieved Feb 3, 2011.
44. R. Spangler, "Packet sniffing on layer 2 switched local area networks," December 2003, retrieved Feb 10, 2011. [Online]. Available: http://packetwatch.net/documents/papers/layer2sniffing.pdf
45. A. Coffman, "Simple DNS man in the middle attack for password phishing," October 2011, retrieved Oct 24, 2011. [Online]. Available: http://thecoffman.com/2011/10/20/simple-dns-manin-the-middle-attack-for- password-phishing/
46. C. Abad and R. Bonilla, "An analysis on the schemes for detecting and preventing ARP cache poisoning attacks," in Distributed Computing Systems Workshops, 2007. ICDCSW '07. 27th International Conference on. IEEE, Jun 2007, p. 60.
47. M. Marro, "Attacks at the data link layer," Master's thesis, University of California Davis, 2003. [Online]. Available: http://seclab.cs. ucdavis.edu/papers/Marro masters thesis.pdf
48. E. Norris, "Analysis of a telnet session hijack via spoofed MAC addresses and session resynchronization," Mar 2001, retrieved Feb 10, 2011. [Online]. Available: http://www.scribd.com/doc/18397013/Analysis-of-a-Telnet- Session-Hijack-via-Spoofed-MAC-Addresses
49. O. Zheng, J. Poon, and K. Beznosov, "Application-based TCP hijacking," in Proc. Second European Workshop on System Security, ser. EUROSEC '09. New York, NY, USA: ACM Press, 2009, pp. 9-15.
50. S. HomChaudhuri and M. Foschiano, "Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment," RFC 5517 (Informational), Internet Engineering Task Force, Feb. 2010.
51. "Port-Based Network Access Control," IEEE Std. 802.1X, 2010.
52. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible Authentication Protocol (EAP)," RFC 3748 (Proposed Standard), Internet Engineering Task Force, Jun. 2004, updated by RFC 5247.
53. B. Aboba, D. Simon, and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework," RFC 5247 (Proposed Standard), Internet Engineering Task Force, Aug. 2008.
54. S. Riley, "Mitigating the threats of rogue machines802.1X or IPsec?" Microsoft TechNet, August 2005, retrieved Oct 11, 2011. [Online]. Available: http://technet.microsoft.com/en-us/library/cc512611.aspx
55. "ProCurve series 6120 switches access security guide," Manual, Hewlett-Packard Development Company, 2009.
56. I. Dubrawsky, "Safe layer 2 security in-depth," white paper, Cisco Inc, 2004. [Online]. Available: http://www.cisco.com/warp/public/cc/so/ cuso/epso/sqfr/sfblu wp.pdf
57. M. Casado, T. Garfinkel, A. Akella, M. Freedman, D. Boneh, N. McKeown, and S. Shenker, "SANE: A protection architecture for enterprise networks," in USENIX Security Symposium, 2006.
58. M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. Gude, N. McKeown, and S. Shenker, "Rethinking enterprise network control," IEEE/ACM Trans. Netw., vol. 17, no. 4, pp. 1270-1283, Aug 2009.
59. N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow, enabling innovation in campus networks," SIGCOMM Comp Commun Rev, vol. 38, no. 2, pp. 69-74, Mar 2008.
60. N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and S. Shenker, "NOX, towards an operating system for networks," SIGCOMM Comp Commun Rev, vol. 38, no. 3, pp. 105-110, Jul 2008.
61. R. Clark, N. Feamster, A. Nayak, and A. Reimers, "Pushing enterprise security down the network stack," Georgia Tech, Tech. Rep., 2009. [Online]. Available: http://hdl.handle.net/1853/30782
62. T. Koponen, M. Casado, N. Gude, J. Stribling, L. Poutievski, M. Zhu, R. Ramanathan, Y. Iwata, H. Inoue, T. Hama, and S. Shenker, "Onix: a distributed control platform for large-scale production networks," in Proc. 9th USENIX conference on Operating systems design and implementation, ser. OSDI'10. Berkeley, CA, USA: USENIX Association, 2010, pp. 1-6.
63. "Media Access Control (MAC) Security," IEEE Std. 802.1AE, 2006.
64. H. Altunbasak and H. Owen, "An architectural framework for data link layer security with security inter-layering," in SoutheastCon, 2007. Proceedings. IEEE. IEEE, Mar 2007, pp. 607-614. (Pubitemid 47208374)
65. H. Altunbasak, S. Krasser, H. Owen, J. Grimminger, H. Huth, and J. Sokol, "Securing layer 2 in local area networks," Networking-ICN 2005, vol. 3421, pp. 699-706, 2005. (Pubitemid 41452174)
66. "Hardening ProCurve swtiches," white paper, Hewlett-Packard Development Company, 2007.
67. D. Bruschi, A. Ornaghi, and E. Rosti, "S-ARP: a secure address resolution protocol," in Computer Security Applications Conference, 2003. Proceedings. 19th Annual. IEEE, Dec 2003, pp. 66-74.
68. K. Wahid, "Rethinking the link security approach to manage large scale Ethernet network," in Local and Metropolitan Area Networks (LANMAN), 2010 17th IEEE Workshop on, 5-7 2010.
69. S. Waldbusser, "Remote Network Monitoring Management Information Base," RFC 2819 (Standard), Internet Engineering Task Force, May 2000.
70. , "Remote Network Monitoring Management Information Base Version 2," RFC 4502 (Draft Standard), Internet Engineering Task Force, May 2006.
71. R. Waterman, B. Lahaye, D. Romascanu, and S. Waldbusser, "Remote Network Monitoring MIB Extensions for Switched Networks Version 1.0," RFC 2613 (Draft Standard), Internet Engineering Task Force, Jun. 1999.
72. V. Ramachandran and S. Nandi, "Detecting ARP spoofing: An active technique," in Information Systems Security, ser. Lecture Notes in Computer Science, S. Jajodia and C. Mazumdar, Eds. Springer Berlin Heidelberg, 2005, vol. 3803, ch. chapter 18, pp. 239-250, 10.1007/11593980 18. (Pubitemid 43775411)
73. N. Hubballi, S. Roopa, R. Ratti, F. A. Barbhuiya, S. Biswas, A. Sur, S. Nandi, and V. Ramachandran, "An active intrusion detection system for LAN specific attacks," in Proc. 2010 international conference on Advances in computer science and information technology, ser. AST/UCMA/ISA/ACN'10. Berlin, Heidelberg: Springer-Verlag, 2010, pp. 129-142.
74. S. Convery and B. Trudel, "SAFE: A security blueprint for enterprise networks, white paper," white paper, Cisco Inc, 2000. [Online]. Available: http://www.cisco.com/en/US/prod/collateral/wireless/wirelssw/ps1953/product implementation design guide09186a00800a3016.pdf
75. C. Kim, M. Caesar, and J. Rexford, "Floodless in SEATTLE, a scalable Ethernet architecture for large enterprises," SIGCOMM Comput. Commun. Rev., vol. 38, no. 4, pp. 3-14, Oct 2008.
76. N. Varis and J. Manner, "Minimizing ARP broadcasting in TRILL," in GLOBECOM Workshops, 2009 IEEE. IEEE, Nov 2009, pp. 1-6.
77. J. Rexford, A. Greenberg, G. Hjalmtysson, D. Maltz, A. Myers, G. Xie, J. Zhan, and H. Zhang, "Network-wide decision making: Toward a wafer-thin control plane," in Proc. HotNets. ACM Sigcomm, 2004, pp. 59-64.
78. A. Myers, E. Ng, and H. Zhang, "Rethinking the service model: Scaling Ethernet to a million nodes," in Proc. HotNets. ACM Sigcomm, 2004.
79. T. Aura, "Cryptographically Generated Addresses (CGA)," RFC 3972 (Proposed Standard), Internet Engineering Task Force, Mar. 2005, updated by RFCs 4581, 4982.
80. T. Ylonen and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture," RFC 4251 (Proposed Standard), Internet Engineering Task Force, Jan. 2006.
81. F. Stajano and R. Anderson, "The resurrecting duckling: Security issues for ad-hoc wireless networks," in Security Protocols, ser. Lecture Notes in Computer Science, J. Malcolm, B. Christianson, B. Crispo, and M. Roe, Eds. Springer Berlin/Heidelberg, 1999, vol. 1796, pp. 172-182, 10.1007/10720107 24.
82. J. Touch and R. Perlman, "Transparent Interconnection of Lots of Links (TRILL): Problem and Applicability Statement," RFC 5556 (Informational), Internet Engineering Task Force, May 2009.