Local Area Networks
Marshall D. Abrams and Harold J. Podell
Local area network (LAN) communications security is addressed in this essay. LANs are introduced as providing: (1) a private communications facility, (2) services over a relatively limited geographic area, (3) a high data rate for computer communications, and (4) common access to a wide range of devices and services. Security issues pertinent to LANs are discussed. For example, LANs share many security problems and approaches for their solutions with point-to-point conventional communications systems. In addition, LANs have some unique problems of their own: (1) universal data availability, (2) passive and active wiretap threats, (3) end-to-end access control, and (4) security group control. Countermeasures include physical protection, and separation by physical, logical, and encryption methods. Trusted Network Interface Units, encryption, and key distribution are also discussed. Examples are discussed to illustrate the different approaches to LAN security. The examples in this essay are a composite of several existing product features, selected to demonstrate the use of encryption for confidentiality, and trusted system technology for a local area network.
Local area network technology/topology overview
This essay addresses LAN security from the viewpoint of open systems interconnection (OSI). That is, we focus on the seven-layer OSI protocols (illustrated in Figure 1); in fact, we concentrate on the lower layers. This focus follows the history of LANs; that is, the OSI communications problems had to be solved before open systems could be addressed.
It is usually not good form to start an essay by discussing what is not covered, but that is necessary in this case. Some people think of LANs in terms of the services they provide to users. This viewpoint is essentially looking at a LAN as a distributed system, with emphasis on the distributed operating system and the service it provides. This essay does not address this distributed processing within the terminals, workstations, and hosts connected to the LAN. That is another subject for another essay.
Figure 1. Seven-layer ISO protocol model.
Malicious software such as Trojan horses and worms can attack LANs. In fact, the physical distribution of any network increases the difficulty of protection. Malicious software is discussed in Essay 4.
LANs connect computers, terminals, workstations, and other data terminal equipment (DTE). In this essay we will use “DTE” to refer to whatever is connected to the LAN when it is not important what function it serves. The distinction between a personal computer and a workstation is not important for the purposes of this essay.
Let’s start with a functional definition. A LAN is a private communications facility, usually owned by the organization that uses it. The cost of using the LAN is fixed, independent of the level of usage. LANs provide an opportunity for the owning organization to customize its communications capabilities in many ways, such as carrying audio, video, and data traffic; providing multiple simultaneous connections; and providing security services. A LAN generally serves a limited geographic area, such as a single building or a campus, providing a high communications rate or bandwidth and common access to a wide range of devices and services. In general, LANs may be partitioned or zoned. The zones usually correspond to geographic or work units. Bridges or gateways between zones provide connectivity. Zones at physically separate locations can be connected, using wide area networks or private high-bandwidth circuits, to provide LAN services that attempt to be transparent to the physical separation.
Figure 2. Geographic separation and data rate.
A more technical definition can be found in [PADL82], which we paraphrase as follows: A LAN is a communications mechanism using...