Methods and technologies for computer networks protection (the physical and data link layers)

Abstract

Standard solutions that are supported by manufacturers of equipment for computer networks (switches the 2nd and 3rd levels, routers), implemented in the operating systems and protocols, and can be used for the development and implementation of integrated corporate network protection systems are considered in this article. The article is the first of a series of articles devoted to the analysis of methods and technologies of protection. The typical threats to computer network at the physical (physical damage of the data channels, unauthorized changes in the functional environment, disabling physical data channels, setting noise over the entire bandwidth of the channel) and data link (the generation of broadcasting frames to overload the data channels and switching equipment, the substitution of nodes MAC address, attacks on ARP and Spanning-Tree protocols) layers of OSI model are given and the features of methods and technologies to protect are analyzed. The features of use of limited and unlimited signal transmission media in terms of information security are considered at the physical level and a number of additional measures top prevent unauthorized changes in the functional medium networks are given (such as: the limitation of physical access to cable channels, switching nodes and data centers, the development and implementation of a policy of remote access to network equipment, deployment of auxiliary video surveillance and access control systems, redundancy of the most critical channels, network devices and servers). At the data link layer are analyzed such functions of switches as Port security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard; segmenting the network into separate zones using the technology of Virtual Local Area Network to broadcast restrictions and improving information security; implementation of network access control system with authentication and authorization at the data link layer. To implement the access control systems of the channel level the features of the 802.1x protocol are considered and its main disadvantage (the lack of data encryption, which may lead to data interception and the implementation of DoS attacks) is determined. To build more secure solutions are proposed to use the combination of IPSec and 802.1x or new IEEE 802.1AE protocols (MACsec protocols that solve privacy and data integrity problems) and the IEEE 802.1AR standard, which defines a unique secure device identifier for their authorization. Analysis of methods and protection technologies at the physical and data link levels of the OSI model which was conducted in work allows making informed decisions about choosing methods to protect networks for different purposes and with different requirements regarding data protection.References 17, Tables 1.