1. Field of the Invention
The present invention relates generally to providing link layer address transparency for security devices installed in Internet-connected local area networks, and more particularly to an apparatus and method for changing the Ethernet Media Access Control (MAC) address at each port of a two-port device to match those of neighboring devices connected to the opposite port.
2. Related Art
A local area network (LAN) may have a number of network nodes, such as personal computers, connected through an Ethernet data transmission line. The network may be connected, through a router, to a wide area network (WAN) to allow sharing of information with other computers or networks. An example of a WAN to which many LANs are connected is the Internet, which is presently the largest WAN in the world.
A LAN typically will include security devices, e.g., a firewall, to protect the network from unauthorized access and other forms of electronic intrusion or attack. Advances in the techniques used to electronically attack Internet-connected networks, however, have led to the need for multi-layered security systems between the router, which connects the network to the Internet, and the firewall, which is connected to the network server. This portion of the network (including the router) usually is not secure and therefore may be subject to unauthorized monitoring.
Many types of electronic attack begin with the monitoring of network traffic in this unsecure portion of the network. In general, as data packets travel through the network, each device replaces its hardware address in the address header of received data packets with the hardware address of the next device in the network. The hardware address of the device is referred to as a link-layer address, which may be, for example, an Ethernet MAC address. An adversary can monitor the addresses contained in the data packets to identify any changes in the network, such as the addition of a new security device.
For example, an adversary may monitor network traffic for an extended period of time. If a new security device is added to the network, the adversary may detect the new Ethernet address corresponding to the new device. From this, the adversary may surmise that the network administrator has detected the unauthorized monitoring and has added a new security device in response. Moreover, the adversary then will know that the network in question is capable of supporting such security devices and therefore is relatively sophisticated. From this, the adversary may surmise that the network contains valuable information. Consequently, it is desirable to provide a means for preventing the unauthorized detection of network security devices through Ethernet address monitoring.
In another application, it may be desirable to add monitoring devices to a network without these devices being detected by the LAN users and administrators. For example, law enforcement may be authorized to install a device to monitor LAN traffic. In such a case, it is desirable for the monitoring device to have the capability to prevent detection through address monitoring.
It is a general object of the present invention to provide a means for preventing the unauthorized detection of network security devices through Ethernet address monitoring.
It is another object of the present invention to provide a method of hiding a device in a local network segment by assimilating the link-layer addresses of its immediate peer devices, thereby preventing the detection of the device itself or the detection of any alterations to the existing network.
It is another object of the present invention to use the Dynamic Ethernet MAC Addressing (DEMA) technique in an Ethernet network-based bastion device to dynamically reconfigure its Ethernet MAC addresses to match those of the nearest neighbors and thereby appear transparent to the surrounding network infrastructure.
It is another object of the present invention to allow monitoring devices to be added to a network without these devices being detected by the LAN users and administrators.
One aspect of the present invention provides an apparatus for adapting a link layer address of a network device. The apparatus includes a first port connected to receive data from a first network node. The first port has a link layer address and is configurable to one of a plurality of link layer addresses. A second port is connected to output the data to a second network node. The second port has a link layer address and is configurable to one of a plurality of link layer addresses. A processor adapts the link layer address of the first port to correspond to a link layer address of the second network node.
Embodiments of the present invention may include one or more of the following features. The link layer address of the first port may be an Ethernet MAC address. The processor may query the second network node to obtain the link layer address of the second network node. The processor may query the second network node to obtain the link layer address of the second network node using the Ethernet address resolution protocol (ARP). The link layer address of the second network node may be stored in a memory of the processor.
The processor may adapt the link layer address of the second port to correspond to a link layer address of the first network node. The link layer address of the second port may be an Ethernet MAC address. The processor may query the first network node to obtain the link layer address of the first network node. The processor may query the first network node to obtain the link layer address of the first network node using the Ethernet address resolution protocol (ARP). The link layer address of the first network node may be stored in a memory of the processor.
Another aspect of the present invention provides an apparatus for adapting a link layer address of a network node. The apparatus includes a bus for carrying data. The apparatus further includes a first interface card connected to receive the data from a first network node and output the data to the bus. The first interface card has a link layer address and is configurable to one of a plurality of link layer addresses.
A second interface card is connected to receive the data from the bus and output the data to a second network node. The second interface card has a link layer address and is configurable to one of a plurality of link layer addresses.
A processor is connected to the first and second interface cards. The processor adapts the link layer address of the first interface card to correspond to a link layer address of the second network node.
Embodiments of the present invention may include one or more of the following features. The processor may query the second network node to obtain the link layer address of the second network node. The processor may adapt the link layer address of the second interface card to correspond to a link layer address of the first network node.
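The following simulation is an added illustration, not part of the patent text, of the two aspects described above: the address monitor that flags a newly appearing link-layer address on a segment, and the two-port apparatus whose processor queries each neighbor with an ARP-style request, stores the learned address in memory, and configures each port to the address of the node on the opposite port. All node names, MAC and IP values, the frame layout and the class names are constructed for this example; the hop-by-hop header rewrite in forward() follows the description in the Related Art section, so that after adaptation the forwarded frame is identical to the frame the first node sent.

```python
"""Simulation of two-port link-layer address adaptation (DEMA) and of the
address monitor it is meant to defeat. Every node, address and frame here is
constructed for the example; nothing is read from a real interface."""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str          # "arp" or "ip"
    payload: tuple          # immutable (key, value) pairs


class Node:
    """End node (e.g. router or firewall): answers ARP requests for its own IP."""
    def __init__(self, name: str, mac: str, ip: str):
        self.name, self.mac, self.ip = name, mac, ip

    def receive(self, frame: Frame) -> Optional[Frame]:
        p = dict(frame.payload)
        if frame.ethertype == "arp" and p.get("op") == "request" and p.get("target_ip") == self.ip:
            return Frame(self.mac, frame.src_mac, "arp",
                         (("op", "reply"), ("sender_ip", self.ip), ("sender_mac", self.mac)))
        return None            # data frames are consumed silently


class Port:
    """One port of the device with a configurable MAC, wired to a single neighbor."""
    def __init__(self, factory_mac: str, neighbor: Node):
        self.mac = factory_mac
        self.neighbor = neighbor

    def send(self, frame: Frame) -> Optional[Frame]:
        return self.neighbor.receive(frame)


class DemaDevice:
    """Two-port device whose processor adopts the MAC of the node on the opposite port."""
    def __init__(self, factory_mac1: str, first_node: Node, factory_mac2: str, second_node: Node):
        self.port1 = Port(factory_mac1, first_node)    # receives data from the first node
        self.port2 = Port(factory_mac2, second_node)   # outputs data to the second node
        self.memory: dict = {}                          # processor memory for learned addresses

    def arp_query(self, port: Port, target_ip: str) -> Optional[str]:
        """Broadcast an ARP-style request out of one port and return the answering MAC."""
        request = Frame(port.mac, BROADCAST, "arp", (("op", "request"), ("target_ip", target_ip)))
        reply = port.send(request)
        if reply is not None and reply.ethertype == "arp" and dict(reply.payload).get("op") == "reply":
            return dict(reply.payload)["sender_mac"]
        return None

    def adapt(self, first_node_ip: str, second_node_ip: str) -> tuple:
        """Learn both neighbors, store them, and cross-assign the port addresses."""
        first_mac = self.arp_query(self.port1, first_node_ip)
        second_mac = self.arp_query(self.port2, second_node_ip)
        if first_mac is None or second_mac is None:
            raise RuntimeError("a neighbor did not answer ARP; factory addresses retained")
        self.memory.update(first_node_mac=first_mac, second_node_mac=second_mac)
        self.port1.mac = second_mac    # first port now presents the second node's address
        self.port2.mac = first_mac     # second port now presents the first node's address
        return self.port1.mac, self.port2.mac

    def forward(self, frame: Frame) -> Frame:
        """Hop-by-hop rewrite as described in the Related Art: the outgoing frame
        carries the egress port's MAC as source and the next node's MAC as destination."""
        return Frame(self.port2.mac, self.port2.neighbor.mac, frame.ethertype, frame.payload)


def new_addresses(baseline: set, frames) -> set:
    """Passive monitor (adversary's or defender's): MACs on the wire not in the baseline."""
    seen = {m for f in frames for m in (f.src_mac, f.dst_mac)} - {BROADCAST}
    return seen - baseline


def run_scenario() -> dict:
    """Insert a device between a router and a firewall, then adapt its addresses."""
    router = Node("router", "00:11:22:33:44:01", "192.0.2.1")        # constructed values
    firewall = Node("firewall", "00:11:22:33:44:02", "192.0.2.2")
    baseline = {router.mac, firewall.mac}                              # what the monitor knew
    data = Frame(router.mac, firewall.mac, "ip", (("note", "payload"),))
    device = DemaDevice("02:aa:bb:cc:dd:01", router, "02:aa:bb:cc:dd:02", firewall)
    before = new_addresses(baseline, [device.forward(data)])           # factory MAC is exposed
    device.adapt(router.ip, firewall.ip)
    after_frame = device.forward(data)
    after = new_addresses(baseline, [after_frame])                     # nothing new on the wire
    return {"before": before, "after": after, "transparent": after_frame == data,
            "ports": (device.port1.mac, device.port2.mac)}


if __name__ == "__main__":
    print(run_scenario())
```

Two points worth noting from the simulation: the ARP request in adapt() is sent from the port's factory address, so the neighbor briefly observes that address before the switch-over, which is why the text places the learning step before normal traffic is passed; and after adaptation the forwarded frame compares equal to the original, which is exactly the condition a segment-wide address monitor cannot distinguish from the pre-insertion network.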
These and other objects, features and advantages will be apparent from the following description of the preferred embodiments of the present invention.