MITIGATING CARRIER ETHERNET RISKS - offers tremendous opportunity for service providers...

Carrier networks vulnerable to MAC address spoofing should look to Ethernet over SDH, writes Ralph Santitoro, director of product line management at Turin Networks.

Information privacy and protection are significant concerns for all enterprise network managers, especially when traffic traverses the wide area network. That’s why for years they have trusted their TDM-based private lines, transported over dedicated SDH channels. So far many network managers have been reluctant to run private data over a packet-switched public Ethernet network.

Ethernet has been augmented in recent years to improve security and privacy. However, standards for virtual LANs (VLANs), authentication and network access controls have brought added complexity and are not necessarily suited to the WAN.

VLANs can expose the enterprise subscriber’s host MAC addresses even though the Ethernet frame’s IP payload may be encrypted. This leaves the network vulnerable to external threats such as MAC address spoofing, passive monitoring, man-in-the-middle attacks and MAC denial of service (DoS) attacks.

Service providers can mitigate these risks by delivering Ethernet services over next-generation SDH using the Generic Framing Procedure (GFP), Virtual Concatenation (VCAT) and Generalized MPLS (GMPLS) technologies. Ethernet private line (EPL) services, which connect the enterprise’s equipment to the public network with a dedicated SDH channel, offer the high availability, reliability, quality of service and security that enterprises have become accustomed to with their TDM private line services - but with Ethernet’s flexibility to meet growing bandwidth demands within their opex budgets. Enterprises are now being attracted to Ethernet Private LAN (EPLAN) services, which provide the same security benefits as EPL but add any-to-any connectivity for multiple sites. The security, QoS, reliability and availability are assured by SDH encapsulation.

By using Ethernet-over-SDH, service providers can use dedicated and diversely routed channels for transporting point-to-point EPL services or multipoint EPLAN services across the public WAN infrastructure with the highest possible level of security. Next generation SDH encapsulates the enterprise’s Ethernet frames using GFP and diversely routes them across non-contiguous SDH channels using VCAT. GMPLS enables the dynamic assignment of SDH channels as new services are activated.

These technologies “scramble” the enterprise’s Ethernet frames across the SDH network, making it impossible to eavesdrop, reassemble or redirect them: even if monitoring test equipment is placed in the SDH optical path, only Ethernet service frame fragments can be recovered.

Ethernet services delivered over SDH let enterprises receive the highest service availability and QoS, along with the bandwidth scalability and ubiquity of Ethernet. Despite the security concerns that have been associated with Ethernet, service providers can leverage and extend their existing SDH infrastructure to provide secure, end-to-end Ethernet services.
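The two mechanisms the article relies on can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the article or from Turin Networks. It builds an 802.1Q-tagged frame whose payload stands in for encrypted IP data and shows that the source and destination MAC addresses are still readable in the clear (the exposure described above). It then wraps the frame in a simplified GFP frame (PLI, cHEC, type field and tHEC with CRC-16 over x^16+x^12+x^5+1; the core-header scrambling, payload scrambler and idle frames of G.7041 are omitted, and a zero CRC initial value is an assumption) and distributes the bytes round-robin across VCAT members, which is the byte-sequential distribution VCAT performs (SDH container framing, differential delay and LCAS are ignored). A tap on any one member sees interleaved fragments from which no complete MAC address can be read; only the receiver holding every diversely routed member reassembles and decapsulates the frame. All addresses and payload bytes are constructed values.

```python
"""Model of VLAN MAC exposure versus GFP + VCAT distribution (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100
GFP_UPI_ETHERNET = 0x01          # G.7041 UPI for frame-mapped Ethernet
# Constructed addresses for the demo (not real hosts).
DST = bytes.fromhex("00aabbccddee")
SRC = bytes.fromhex("001b2c3d4e5f")


def crc16_ccitt(data: bytes, init: int = 0x0000) -> int:
    """CRC-16, generator x^16+x^12+x^5+1 (0x1021). Zero init is an assumption."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_vlan_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    tci = vlan_id & 0x0FFF       # PCP=0, DEI=0, 12-bit VLAN id
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_vlan_frame(frame: bytes) -> dict:
    """What any observer of the raw frame learns, whatever the payload contains."""
    tpid, tci, etype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("not an 802.1Q frame")
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "vlan": tci & 0x0FFF, "ethertype": etype, "payload": frame[18:]}


def gfp_encapsulate(client_frame: bytes) -> bytes:
    """Core header (PLI + cHEC) and payload header (type + tHEC), then the client frame."""
    type_field = struct.pack("!H", GFP_UPI_ETHERNET)   # PTI=0 (client data), PFI=0, EXI=0
    payload_area = type_field + struct.pack("!H", crc16_ccitt(type_field)) + client_frame
    pli = struct.pack("!H", len(payload_area))
    return pli + struct.pack("!H", crc16_ccitt(pli)) + payload_area


def gfp_decapsulate(gfp_frame: bytes) -> bytes:
    pli, chec = struct.unpack("!HH", gfp_frame[:4])
    if crc16_ccitt(gfp_frame[:2]) != chec:
        raise ValueError("cHEC mismatch")
    payload_area = gfp_frame[4:4 + pli]
    type_field, thec = struct.unpack("!HH", payload_area[:4])
    if crc16_ccitt(payload_area[:2]) != thec or (type_field & 0xFF) != GFP_UPI_ETHERNET:
        raise ValueError("bad payload header")
    return payload_area[4:]


def vcat_distribute(vcg_payload: bytes, members: int) -> list:
    """Byte-sequential distribution of the VCG payload across X members."""
    return [vcg_payload[i::members] for i in range(members)]


def vcat_reassemble(member_streams: list) -> bytes:
    n = len(member_streams)
    out = bytearray(sum(len(s) for s in member_streams))
    for i, stream in enumerate(member_streams):
        out[i::n] = stream
    return bytes(out)


def mac_exposed(stream: bytes, mac: bytes) -> bool:
    """Does the full 6-byte address appear contiguously in what the tap saw?"""
    return mac in stream


def demo(members: int = 3) -> dict:
    payload = bytes(range(0x10, 0x50))   # constructed stand-in for an encrypted IP payload
    frame = build_vlan_frame(DST, SRC, 100, 0x0800, payload)
    streams = vcat_distribute(gfp_encapsulate(frame), members)
    whole = vcat_reassemble(streams)
    return {
        "vlan_view": parse_vlan_frame(frame),          # MACs readable on a plain VLAN link
        "src_on_each_member": [mac_exposed(s, SRC) for s in streams],
        "src_on_all_members": mac_exposed(whole, SRC),
        "roundtrip_ok": gfp_decapsulate(whole) == frame,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model makes the article's point measurable: the VLAN header parse recovers both addresses from the tagged frame, each single VCAT member stream fails the contiguous-MAC check, and the full address and frame reappear only once every member is present, which is why the protection depends on the members being diversely routed.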
