Design and implementation of a transparent secure Lan

Abstract EN

Many attacks may be carried out against communications in Local Area Networks (LANs).

However, these attacks can be prevented, or detected, by providing confidentiality, authentication, and data integrity security services to the exchanged data.

This paper introduces a security system that protects a LAN from security attacks.

On each host in the protected LAN, the security system transparently intercepts each outbound IP (Internet Protocol) packet, and inserts a crypto header between the packet IP header and payload.

This header is used to detect any modification to the content of the packet in transit, and to detect replayed packets.

Then, the system encrypts the IP packet payload and some fields of the inserted crypto header.

On the other hand, the system transparently intercepts each inbound IP packet, decrypts its encrypted portions, and then uses its crypto header to authenticate the packet.

If the packet is properly authenticated, the system indicates it to upper protocols.

To be transparent to applications, the security system part that processes inbound and outbound IP packets was implemented as a NDIS (Network Driver Interface Specification) intermediate driver that resides between the LLC (Logical Link Control) and MAC (Medium Access Control) data link sublayers.