Hardware Implementation of a Secure Bridge in Ethernet Environments

J. Forné, M. Soriano, J. L. Melús, F. Recacha
Polytechnic University of Catalonia (U.P.C.), Barcelona (Spain)

ABSTRACT

In this paper we present a solution providing secure communications over an extended Ethernet LAN. This solution, proposed by the Applied Mathematics and Telematics Department of the Polytechnic University of Catalonia, is based on a set of secure bridges, called CryptoNets, and a Supervision and Administration Center (SAC), which takes charge of the remote management of these devices. A first version of the physical and functional architecture of these secure bridges was presented in [1], [2], [3]. Here we describe a modification of the initial architecture that substantially improves its performance, both in the typical functions of a classical bridge (frame filtering speed) and in the specific ciphering functions. Furthermore, it allows us to build more integrated equipment, with a larger number of functions and at a lower cost.

1. Introduction

Each day, the bulk of information that goes through computer networks is greater. For one part of this information, its disclosure or modification can carry a high cost for the network user. The problem is worsened by network complexity, because the difficulty of controlling the network increases. That is the reason why we are trying to find a mechanism that guarantees a good security level, at low cost, on these networks.

[FIG. 1: UPCNET STRUCTURE (legend: relay devices such as repeaters and bridges)]

In the U.P.C. (Polytechnic University of Catalonia), there is an extended Ethernet network. This network is built by connecting together several Ethernet segments through a main segment, called the backbone (Figure 1). As a first premise, it is considered that security is guaranteed inside each segment. Consequently, security can be implemented in the device that connects each segment to the backbone.

0-7803-0917-0/93$03.00 © 1993 IEEE

As can be seen in [1], [2], [3], the main results obtained are the following:

- The design of a security system to protect communications over UPCNET (the U.P.C. network). This design is also suitable for other networks with similar features.
- The implementation of two prototypes of the ciphering device. [1], [2] show why this device must be a learning bridge and replace the relays that join each segment to the backbone. It has to carry out the functions proper to a classic bridge and implement a set of cryptographic functions related to the security system.

With these two prototypes, many tests have been carried out and the validity of the system has been proved. However, their cost is high and some of their capabilities can be improved, because they use commercial boards not specially designed for this application. Furthermore, an efficient method is needed by means of which the network Administrator is able to configure each secure bridge of the security system remotely.

Now the work is focused on the development of a second part of this project, to optimize the results obtained during the first part. For this, two tasks are mainly being carried out:

1) Implementation and integration of a Supervision and Administration Center (SAC), whose main tasks are:
   a) To allow the Administrator remote and secure management of the CryptoNets installed on the network.
   b) To supervise and operate the security system automatically.
2) To achieve a low cost design for the CryptoNet hardware, and to increase its capabilities.

In the second section the general structure of the security system is shown. The third section presents the new physical and functional architecture of the secure bridge. Firstly, the features of the first prototype are reviewed, discussing the points where the design can be improved. Secondly, the second prototype, on which we are currently working, is studied. In the fourth section the data transfer among the CryptoNet boards is detailed. Finally, the conclusions are presented in section 5.

2. The security system

As can be seen in [1], [2], [3], the security system is built from two types of entities. First, there is a set of ciphering devices (secure bridges), connecting secure networks through an insecure backbone. On the other hand, the SAC supervises the work of the secure bridges. Two of the most important characteristics of this system are that it allows a gradual installation and the coexistence of ciphered and unciphered traffic [1].