let's say i have two office spaces in a multi-tenant building. the landlord was kind enough to provide me with a copper cat 6 cable connecting the two disjoint spaces.
i could just attach network switches at both ends and create a flat L2 network. but i'd like to be sure that other tenants cannot easily tap into the cable and eavesdrop on the traffic passing between my two offices.
what solution would you propose here? ideally it should provide transparent L2 connectivity and handle a few hundred Mbit/s. i'd prefer off-the-shelf devices that can be easily replaced.
with encrypted home-plug gear or wireless access points providing wpa2-psk, it seems like the encryption hardware is available.
some of my ideas:
- use a proper hardware ethernet encryption device like this; unfortunately those seem to be quite expensive
- put linux servers at both ends of the connection and run openvpn on them to provide a transparent l2 bridge with encryption of the traffic crossing the 'untrusted' segment
thanks for any suggestions!
I see two ideas.
The first is like your OpenVPN idea: treat your line like a normal WAN link and put a router at each end to do a site-to-site VPN.
The second idea, which I have never used, is one I would try: MACsec between the two switch uplinks;
Cisco TrustSec Switch-to-Switch Link Security Configuration Example
This example shows the configuration necessary for a seed and non-seed device for Cisco TrustSec switch-to-switch security. You must configure the AAA and RADIUS for link security. In this example, ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.
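The MACsec suggestion above, carried out on two small Linux boxes (one per office) instead of switch uplinks, so that the original poster's "transparent l2 bridge" is done by the kernel rather than OpenVPN. This is an added example, not code from the thread or from any poster; it assumes the landlord's cable is on eth0, the office LAN on eth1, and that the MAC addresses and keys are constructed placeholders.

```shell
#!/bin/sh
# Static-key MACsec (IEEE 802.1AE) on two Linux boxes, one per office,
# bridged to the LAN-side port so both offices stay one flat L2 segment
# while every frame on the shared cable is encrypted and integrity-checked.
# Assumptions (not from the thread): cable on eth0, office LAN on eth1,
# MAC addresses and keys below are constructed placeholders.
# GCM-AES-128 needs 16-byte keys; generate real ones with: openssl rand -hex 16
KEY_A=00112233445566778899aabbccddeeff   # constructed: side A's transmit key
KEY_B=ffeeddccbbaa99887766554433221100   # constructed: side B's transmit key

# Emit the ip(8) commands for one side. A transmits with KEY_A (key id 01)
# and receives with KEY_B (key id 02); B is the mirror image, so each side's
# RX key id must equal the peer's TX key id.
# Usage: macsec_cmds a|b <cable_if> <lan_if> <peer_cable_mac> <key_a> <key_b>
macsec_cmds() {
  side=$1; cable=$2; lan=$3; peer=$4; key_a=$5; key_b=$6
  [ "${#key_a}" -eq 32 ] && [ "${#key_b}" -eq 32 ] ||
    { echo "keys must be 32 hex chars (16 bytes)" >&2; return 1; }
  case $side in
    a) txid=01; txkey=$key_a; rxid=02; rxkey=$key_b ;;
    b) txid=02; txkey=$key_b; rxid=01; rxkey=$key_a ;;
    *) echo "side must be a or b" >&2; return 1 ;;
  esac
  cat <<EOF
ip link add link $cable macsec0 type macsec encrypt on replay on window 32
ip macsec add macsec0 tx sa 0 pn 1 on key $txid $txkey
ip macsec add macsec0 rx port 1 address $peer
ip macsec add macsec0 rx port 1 address $peer sa 0 pn 1 on key $rxid $rxkey
ip link set $cable up
ip link set macsec0 up
ip link add br0 type bridge
ip link set $lan master br0
ip link set macsec0 master br0
ip link set $lan up
ip link set br0 up
EOF
}

# Dry run: print what side A would execute. Pipe into "sh" as root to apply.
macsec_cmds a eth0 eth1 02:00:00:00:00:0b "$KEY_A" "$KEY_B"
```

Static keys never rotate and the 32-bit packet number must not wrap, so rekey both sides well before that (or run MKA via wpa_supplicant for automatic keying); the MACsec header also shrinks the usable MTU on macsec0 and hence on br0.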
I would use pfSense https://www.pfsense.org on both sides to establish an IPsec or OpenVPN tunnel. pfSense is OSS and easy to use, and you can also buy specialised devices or professional support, or even run it on a hypervisor.
A very minimal device is available at https://www.pfsense.org/products/ with two Ethernet ports for US$150 each.
We use pfSense on a VMware hypervisor to provide a captive portal for our guest Wi-Fi and it works very well.
SaPl