DESIGN AND IMPLEMENTATION OF A TRANSPARENT SECURE LAN

Sufyan T. Faraj
Firas R. Barjas

Abstract

Many attacks may be carried out against communications in Local Area Networks (LANs). However, these attacks can be prevented, or detected, by providing confidentiality, authentication, and data integrity security services to the exchanged data. This paper introduces a security system that protects a LAN from security attacks. On each host in the protected LAN, the security system transparently intercepts each outbound IP (Internet Protocol) packet and inserts a crypto header between the packet's IP header and payload. This header is used to detect any modification to the content of the packet in transit, and to detect replayed packets. Then, the system encrypts the IP packet payload and some fields of the inserted crypto header. On the other hand, the system transparently intercepts each inbound IP packet, decrypts its encrypted portions, and then uses its crypto header to authenticate the packet. If the packet is properly authenticated, the system indicates it to the upper protocols. To be transparent to applications, the part of the security system that processes inbound and outbound IP packets was implemented as an NDIS (Network Driver Interface Specification) intermediate driver that resides between the LLC (Logical Link Control) and MAC (Medium Access Control) data link sublayers.
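The outbound and inbound processing the abstract describes, as an added Python example that is not the paper's own code: a crypto header carrying a sequence number and a MAC is inserted after a 20-byte IPv4 header, the payload is encrypted, and the receiver checks a sliding replay window, verifies the MAC, and only then decrypts. The header layout, the 16-byte tag, the 64-packet window and the HMAC-SHA256-based stream cipher are assumptions for a self-contained example; the abstract does not give the paper's real formats, ciphers, or which header fields it encrypts, and this example encrypts none of them.

```python
import hmac
import hashlib
import struct

# Assumed crypto header layout (not the paper's exact format):
#   seq (4 bytes, big-endian) | tag (16 bytes, truncated HMAC-SHA256)
# It is inserted right after a 20-byte IPv4 header. The tag covers the IP header,
# seq and the encrypted payload. A real driver would also fix up the IP total-length
# field and header checksum after growing the packet; this example leaves that out.
HDR_FMT = "!I16s"
HDR_LEN = struct.calcsize(HDR_FMT)
IP_HDR_LEN = 20


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, keyed per packet by seq.
    Assumption for a self-contained example; a deployment would use a real cipher (e.g. AES)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IQ", seq, ctr), hashlib.sha256).digest()
    return out[:n]


def protect(enc_key: bytes, mac_key: bytes, seq: int, ip_packet: bytes) -> bytes:
    """Outbound path: insert the crypto header, encrypt the payload, MAC the result."""
    ip_hdr, payload = ip_packet[:IP_HDR_LEN], ip_packet[IP_HDR_LEN:]
    ct = bytes(a ^ b for a, b in zip(payload, keystream(enc_key, seq, len(payload))))
    tag = hmac.new(mac_key, ip_hdr + struct.pack("!I", seq) + ct, hashlib.sha256).digest()[:16]
    return ip_hdr + struct.pack(HDR_FMT, seq, tag) + ct


class Receiver:
    """Inbound path: replay window, MAC check, then decrypt. State is per peer/key pair."""

    def __init__(self, enc_key: bytes, mac_key: bytes, window: int = 64):
        self.enc_key, self.mac_key, self.window = enc_key, mac_key, window
        self.highest, self.seen = 0, set()  # highest accepted seq, accepted seqs inside the window

    def unprotect(self, pkt: bytes):
        """Return the original IP packet, or None if the packet is replayed, stale or modified."""
        ip_hdr = pkt[:IP_HDR_LEN]
        seq, tag = struct.unpack(HDR_FMT, pkt[IP_HDR_LEN:IP_HDR_LEN + HDR_LEN])
        ct = pkt[IP_HDR_LEN + HDR_LEN:]
        if seq in self.seen or seq + self.window <= self.highest:
            return None  # already accepted, or older than the window can track
        expect = hmac.new(self.mac_key, ip_hdr + struct.pack("!I", seq) + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            return None  # modified in transit (or wrong key); window untouched, so forgeries cannot evict seqs
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest} | {seq}
        return ip_hdr + bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, seq, len(ct))))
```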

How to Cite
“DESIGN AND IMPLEMENTATION OF A TRANSPARENT SECURE LAN” (2006) Journal of Engineering, 12(04), pp. 1063–1076. doi:10.31026/j.eng.2006.04.13.
